Abstract
In mobile internet, the Secure Sockets Layer (SSL) certificate validation vulnerabilities of applications can be easily exploited through SSL Man-in-the-Middle (MITM) attacks, which are difficult to defeat. In this paper, an SSL Security-Enhanced method (E-SSL) is proposed to detect and defeat SSL MITM attacks, improving the security of internet communication under malicious attack. An SSL proxy is used to find SSL certificate validation vulnerabilities and to detect SSL MITM attacks. Based on randomness and hash theory, an SSL shared service with random port mapping is implemented to bypass SSL MITM attacks; the spatio-temporal randomization increases the difficulty of an attacker guessing the mapping correctly. We implement a prototype on the Android platform and verify its effectiveness and reliability with 650 apps under realistic SSL MITM attacks. Using the E-SSL approach, 185 of the 650 apps are detected with SSL certificate validation vulnerabilities. Furthermore, evaluation results show that the E-SSL approach enables these apps with SSL certificate validation vulnerabilities to successfully bypass SSL MITM attacks, thus significantly increasing the security of user data privacy in public mobile internet.
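As an added illustration that is not part of the paper, the following Java (Android-style) code shows the certificate validation mistake that an SSL-proxy check of the kind described above would flag (the app completes a handshake with the proxy's forged certificate), placed beside the hardened form that makes the handshake fail instead. The class and method names are hypothetical.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class SslValidationExample {  // hypothetical class name

    // Vulnerable pattern: every chain and every hostname is accepted. An SSL
    // proxy presenting a self-signed or wrongly named certificate completes
    // the handshake, so the app keeps sending data through the MITM.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
    static final HostnameVerifier ALLOW_ALL = (hostname, session) -> true;

    static SSLSocketFactory vulnerableFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ALL }, null);  // chain never checked
        return ctx.getSocketFactory();
    }

    // Hardened form: chain validation is delegated to the platform trust store
    // and the default hostname verifier is kept, so a certificate issued by an
    // attacker-controlled CA or for another name fails before any data is sent.
    static SSLSocketFactory hardenedFactory() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null selects the platform default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    static HttpsURLConnection openHardened(java.net.URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(hardenedFactory());
        // Explicitly keep the default verifier; never replace it with ALLOW_ALL.
        conn.setHostnameVerifier(HttpsURLConnection.getDefaultHostnameVerifier());
        return conn;
    }
}
```

Running an app built with `vulnerableFactory()` behind an intercepting proxy succeeds silently, whereas `openHardened()` throws an `SSLHandshakeException`, which is the observable difference such a detection step relies on.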
Acknowledgement
This work has partially been sponsored by the National Science Foundation of China (No. 61572349, 61272106, 61572355), Tianjin Research Program of Application Foundation and Advanced Technology under grant No. 15JCYBJC15700, and Tianjin Key Laboratory of Advanced Networking.
© 2017 Springer International Publishing AG
Cite this paper
Zhao, R., Li, X., Xu, G., Feng, Z., Hao, J. (2017). E-SSL: An SSL Security-Enhanced Method for Bypassing MITM Attacks in Mobile Internet. In: Liu, S., Duan, Z., Tian, C., Nagoya, F. (eds) Structured Object-Oriented Formal Language and Method. SOFL+MSVL 2016. Lecture Notes in Computer Science(), vol 10189. Springer, Cham. https://doi.org/10.1007/978-3-319-57708-1_7
DOI: https://doi.org/10.1007/978-3-319-57708-1_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-57707-4
Online ISBN: 978-3-319-57708-1