SMV-HUNTER: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps

21st Annual Network and Distributed System Security Symposium, NDSS 2014

Volumn , Issue , 2014, Pages

  Sounthiraraj, David ^a   Sahs, Justin ^a   Greenwood, Garret ^a   Lin, Zhiqiang ^a   Khan, Latifur ^a  

^a The University of Texas at Dallas   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

NETWORK SECURITY; PROGRAM DEBUGGING; STATIC ANALYSIS; USER INTERFACES;

ANDROID APPS; AUTOMATED DETECTION; CERTIFICATE VALIDATIONS; DYNAMICS ANALYSIS; LARGE-SCALES; MAN IN THE MIDDLE; SELF-SIGNED CERTIFICATE; SENSITIVE INFORMATIONS; SSL/TLS; VALIDATION PROCESS;

ANDROID (OPERATING SYSTEM);

EID: 85180622320     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.14722/ndss/2014.23205     Document Type: Conference Paper

References (43)

1. Activities. http://developer.android.com/guide/components/activities. html.
2. android-apktool. http://code.google.com/p/android-apktool/.
3. Android debug bridge. https://developer.android.com/tools/help/adb. html.
4. Android emulator. https://developer.android.com/tools/help/emulator. html.
5. Android open source project. http://source.android.com/.
6. Glossary. http://developer.android.com/guide/appendix/glossary.html.
7. Hadoop. https://hadoop.apache.org/.
8. Issue 10255: Adb hangs intermittently. http://code.google.com/p/android/issues/detail?id=10255.
9. Issue 1946: javax.net.ssl.sslexception: Not trusted server certificate. http://code.google.com/p/android/issues/detail?id=1946.
10. Issue 38315: Devices are going in offline state in “adb devices” after random time. http://code.google.com/p/android/issues/detail?id=38315.
11. Monkeydevice. http://developer.android.com/tools/help/MonkeyDevice. html.
12. Monkeyrunner. https://developer.android.com/tools/help/MonkeyRunner.html.
13. Pickers. https://developer.android.com/design/building-blocks/pickers. html.
14. Robotium. https://code.google.com/p/robotium/.
15. Services. https://developer.android.com/guide/components/services. html.
16. Spinners. https://developer.android.com/design/building-blocks/spinners.html.
17. Ui/application exerciser monkey. https://developer.android.com/tools/help/monkey.html.
18. Httpclient - httpclient ssl guide. http://hc.apache.org/httpclient-3.x/sslguide.html, 2008.
19. Mallory: Transparent tcp and udp proxy. http://intrepidusgroup.com/insight/mallory/, 2010.
20. android: Single activity, multiple views. http://stackoverflow.com/questions/10862052/android-single-activity-multiple-views, 2012.
21. Burp suite. http://www.portswigger.net/burp/, 2012.
22. Class allowallhostnameverifier. http://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/conn/ ssl/AllowAllHostnameVerifier.html, 2012.
23. smali. http://code.google.com/p/smali/, 2012.
24. ARTZI, S., DOLBY, J., JENSEN, S. H., MØLLER, A., AND TIP, F. A framework for automated testing of javascript web applications. In Proceedings of the 33rd International Conference on Software Engineering (2011).
25. AYUSO, P. N. netfilter/iptables project homepage - the netfilter.org “iptables” project. http://www.netfilter.org/projects/iptables/.
26. CHRISTODORESCU, M., AND JHA, S. Static analysis of executables to detect malicious patterns. In Proceedings of the 12th conference on USENIX Security Symposium - Volume 12 (2003).
27. CLARK, J., AND VAN OORSCHOT, P. C. Sok: Ssl and https: Revisiting past challenges and evaluating certificate trust model enhancements. 2013 IEEE Symposium on Security and Privacy 0 (2013), 511–525.
28. DESNOS, A. androguard. https://code.google.com/p/androguard/.
29. ENCK, W., GILBERT, P., CHUN, B.-G., COX, L. P., JUNG, J., MCDANIEL, P., AND SHETH, A. N. Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX conference on Operating systems design and implementation (2010).
30. FAHL, S., HARBACH, M., MUDERS, T., SMITH, M., BAUMGÄRTNER, L., AND FREISLEBEN, B. Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. In 19th ACM Conference on Computer and Communications Security (2012).
31. FELT, A. P., FINIFTER, M., CHIN, E., HANNA, S., AND WAGNER, D. A survey of mobile malware in the wild. Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices - SPSM’11 (2011).
32. GEORGIEV, M., IYENGAR, S., JANA, S., ANUBHAI, R., BONEH, D., AND SHMATIKOV, V. The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. In 19th ACM Conference on Computer and Communications Security (2012).
33. HU, C., AND NEAMTIU, I. Automating GUI testing for Android applications. In Proceedings of the 6th International Workshop on Automation of Software Test (2011).
34. KOLTER, J. Z., AND MALOOF, M. A. Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res. 7 (2006).
35. OCTEAU, D., ENCK, W., AND MCDANIEL, P. The ded Decompiler. Tech. Rep. NAS-TR-0140-2010, Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, 2010.
36. PORTOKALIDIS, G., HOMBURG, P., ANAGNOSTAKIS, K., AND BOS, H. Paranoid Android: Versatile Protection For Smartphones. In Annual Computer Security Applications Conference (2010).
37. RASTOGI, V., CHEN, Y., AND ENCK, W. AppsPlayground: Automatic Security Analysis of Smartphone Applications. In Third ACM Conference on Data and Application Security and Privacy (2013).
38. TAM, D. Google forecasts 70 million android tablet activations by year’s end. http://news.cnet.com/8301-1023_3-57595262-93/google-forecasts70-million-android-tablet-activations-by-years-end/, 2013.
39. TEITELBAUM, D. Posts tagged ‘viewserver’. http://blog.apkudo.com/tag/viewserver/, 2012.
40. YAN, L. K., AND YIN, H. Droidscope: seamlessly reconstructing the os and dalvik semantic views for dynamic android malware analysis. In Proceedings of the 21st USENIX conference on Security symposium (2012).
41. ZHENG, C., ZHU, S., DAI, S., GU, G., GONG, X., HAN, X., AND ZOU, W. Smartdroid: an automatic system for revealing ui-based trigger conditions in android applications. In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices (2012).
42. ZHOU, W., ZHOU, Y., JIANG, X., AND NING, P. Detecting repackaged smartphone applications in third-party android marketplaces. In Proceedings of the second ACM conference on Data and Application Security and Privacy (2012).
43. ZHOU, Y., WANG, Z., ZHOU, W., AND JIANG, X. Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. In 19th Network and Distributed System Security Symposium (2012).