Short: Danger is my middle name - Experimenting with SSL vulnerabilities in android apps

Proceedings of the 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2015

Volumn , Issue , 2015, Pages

  Onwuzurike, Lucky ^a   De Cristofaro, Emiliano ^a  

^a UNIVERSITY COLLEGE LONDON   (United Kingdom)

Author keywords

Android security; Information leakage; Privacy

Indexed keywords

EID: 84962014059     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2766498.2766522     Document Type: Conference Paper

References (34)

1. Android Advertising ID. https://developer.android.com/google/play-services/id.html.
2. AndroidRank. http://www.androidrank.org/.
3. dex2jar. https://code.google.com/p/dex2jar/.
4. Fiddler. http://www.telerik.com/fiddler.
5. Java decompiler. http://jd.benow.ca/.
6. Wireshark. https://www.wireshark.org/.
7. D. Akhawe and A. P. Felt. Alice in Warningland: A Large-Scale Field Study of Browser Security Warning Effectiveness. In USENIX Security, 2013.
8. C. Amrutkar, P. Traynor, and P. C. van Oorschot. Measuring SSL indicators on mobile browsers: extended life, or end of the road? In ISC, 2012.
9. K. Au, Y. F. Zhou, Z. Huang, and D. Lie. Pscout: analyzing the android permission specification. In CCS, 2012.
10. D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji. A methodology for Empirical Analysis of Permission-based Security Models and Its Application to Android. In CCS, 2010.
11. A. Bates, J. Pletcher, T. Nichols, B. Hollembaek, D. Tian, K. R. Butler, and A. Alkhelaifi. Securing SSL Certificate Verification through Dynamic Linking. In CCS, 2014.
12. C. Brubaker, S. Jana, B. Ray, S. Khurshid, and V. Shmatikov. Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations. In S&P, 2014.
13. S. Bugiel, L. Davi, A. Dmitrienko, T. Fischer, A.-R. Sadeghi, and B. Shastry. Towards Taming Privilege-Escalation Attacks on Android. In NDSS, 2012.
14. M. Conti, N. Dragoni, and S. Gottardo. Mithys: Mind the Hand you Shake-Protecting Mobile Devices from SSL Usage Vulnerabilities. In STM, 2013.
15. A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang. The Tangled Web of Password Reuse. In NDSS, 2014.
16. L. Davi, A. Dmitrienko, A.-R. Sadeghi, and M. Winandy. Privilege escalation attacks on android. In ISC, 2011.
17. M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel. An Empirical Study of Cryptographic Misuse in Android Applications. In CCS, 2013.
18. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information Flow Tracking System for Real-Time Privacy Monitoring on Smartphones. CACM, 57(3), 2014.
19. S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith. Why Eve and Mallory love Android: An analysis of Android SSL (in)security. In CCS, 2012.
20. S. Fahl, M. Harbach, H. Perl, M. Koetter, and M. Smith. Rethinking SSL Development in an Appified World. In CCS, 2013.
21. A. P. Felt et al. Improving SSL Warnings: Comprehension and Adherence. In CHI, 2015.
22. T. Fox-Brewster. Check the permissions: Android flashlight apps criticised over privacy. http://gu.com/p/425gm/stw, 2015.
23. M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. In CCS, 2012.
24. Google. Google Play Developer Program Policies. https://play.google.com/about/developer-content-policy.html, 2015.
25. M. Kranch and J. Bonneau. Upgrading https in mid-air: An empirical study of strict transport security and key pinning. In NDSS, 2015.
26. M. Miettinen, S. Heuser, W. Kronz, A.-R. Sadeghi, and N. Asokan. ConXsense: Automated Context Classification for Context-aware Access Control. In ASIACCS, 2014.
27. L. Onwuzurike and E. De Cristofaro. Danger is my middle name - Experimenting with SSL Vulnerabilities in Android Apps (Full Version). http://arxiv.org/pdf/1505.00589.pdf, 2015.
28. D. Sounthiraraj, J. Sahs, G. Greenwood, Z. Lin, and L. Khan. SMV-HUNTER: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps. In NDSS, 2014.
29. S.-T. Sun and K. Beznosov. The devil is in the (implementation) details: An empirical analysis of OAuth SSO systems. In CCS, 2012.
30. J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In USENIX Security, 2009.
31. N. Viennot, E. Garcia, and J. Nieh. A Measurement Study of Google Play. In SIGMETRICS, 2014.
32. X. Wei, L. Gomez, I. Neamtiu, and M. Faloutsos. Malicious Android applications in the enterprise: What do they do and how do we fix it? In Data Engineering Workshops, 2012.
33. Y. Zhou, Z. Wang, W. Zhou, and X. Jiang. Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In NDSS, 2012.
34. Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming information-stealing smartphone applications (on android). In TRUST, 2011.