
An automatically vetting mechanism for SSL error-handling vulnerability in android hybrid Web apps

Journal: World Wide Web

Abstract

A large set of diverse hybrid mobile apps, which use both native Android app UIs and Web UIs, is widely available on today’s smartphones. These hybrid apps usually use SSL or TLS to secure HTTP-based communication. However, researchers have shown that an incorrect implementation of SSL or TLS may lead to serious security problems, such as Man-In-The-Middle (MITM) attacks and phishing attacks. This paper investigates a particular SSL vulnerability that results from error-handling code in hybrid mobile Web apps. Usually such error-handling code is used to terminate an ongoing communication, but the vulnerability of interest makes the communication proceed regardless of SSL certificate verification failures, eventually leading to MITM attacks. To identify those vulnerable apps, we develop a hybrid approach that combines static analysis and dynamic analysis to (1) automatically distinguish the native Android UIs from the Web UIs, and execute the Web UIs to trigger the error-handling code; (2) accurately select the correct paths from the app entry point to the targeted code while avoiding app crashes, and populate the messaging objects used for communication between components. Specifically, we construct inter-component call graphs to model the connections, and design algorithms to select paths from the established graph and determine the parameters by backtracing. To evaluate our approach, we have implemented it and tested it on 13,820 real-world mobile Web apps from Google Play. The experimental results show that 1,360 apps are flagged as potentially vulnerable by the static analysis alone. The dynamic analysis further confirms that 711 of these potentially vulnerable apps are truly vulnerable.
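The error-handling pattern the abstract describes, shown as an added example that is not code from the paper. In an Android hybrid app, WebView reports a certificate verification failure to the WebViewClient.onReceivedSslError callback and hands the app an SslErrorHandler; the abstract does not name this callback, so treating it as the error-handling code in question is an assumption of this example. The first client below calls proceed() and so keeps loading over a connection whose certificate failed verification, which is the behaviour the abstract calls vulnerable; the second logs the failure and calls cancel(), aborting the load as the default WebViewClient would.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Added example (not the paper's code). Assumption: WebViewClient.onReceivedSslError
// is the error-handling code the abstract refers to; it is the Android callback
// invoked when the TLS certificate of a page being loaded fails verification.
public final class SslErrorHandlingExamples {

    private static final String TAG = "SslErrorHandling";

    // Vulnerable form: whatever the error, proceed() tells WebView to keep
    // loading. The app therefore talks to a peer whose certificate did not
    // verify (self-signed, expired, wrong host name, untrusted issuer), which
    // is exactly the condition a man-in-the-middle needs to be accepted.
    public static final class VulnerableClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed();
        }
    }

    // Hardened form: record enough to diagnose the failure, then cancel() the
    // load. This is the same outcome as not overriding the callback at all;
    // the override exists only so the failure is logged.
    public static final class HardenedClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            Log.w(TAG, "Certificate error " + describe(error.getPrimaryError())
                    + " while loading " + error.getUrl() + "; aborting load");
            handler.cancel();
        }
    }

    // Maps SslError's primary error code to a readable name for the log line.
    static String describe(int primaryError) {
        switch (primaryError) {
            case SslError.SSL_NOTYETVALID:  return "SSL_NOTYETVALID";
            case SslError.SSL_EXPIRED:      return "SSL_EXPIRED";
            case SslError.SSL_IDMISMATCH:   return "SSL_IDMISMATCH";
            case SslError.SSL_UNTRUSTED:    return "SSL_UNTRUSTED";
            case SslError.SSL_DATE_INVALID: return "SSL_DATE_INVALID";
            case SslError.SSL_INVALID:      return "SSL_INVALID";
            default:                        return "code " + primaryError;
        }
    }

    // Wiring: attach the hardened client to a WebView before loading any URL.
    public static void configure(WebView webView) {
        webView.setWebViewClient(new HardenedClient());
    }
}
```

In terms of the abstract's two stages, a static vetting pass would flag any app whose override of this callback can reach handler.proceed(), which yields the "potentially vulnerable" set, and a dynamic pass would confirm the flag by actually driving the Web UI until the callback fires and observing whether the load continues. When reviewing an app, treat any reachable proceed() in this callback as a finding regardless of how the surrounding code is conditioned, since a condition on the error type still accepts a certificate that did not verify.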



Notes

  1. An Activity is an application component that provides a screen with which users can interact in order to perform a task, such as dial the phone, take a photo, send an email, or view a map (http://developer.android.com/guide/components/activities.html).


Acknowledgments

We would like to thank the anonymous reviewers for their comments on previous drafts of this paper. This work is partially supported by National Natural Science Foundation of China (91546203,61173068,61572295,61573212), Program for New Century Excellent Talents in University of the Ministry of Education, the Key Science Technology Project of Shandong Province (2014GGD01063,2015GGE27033), the Independent Innovation Foundation of Shandong Province (2014CGZH1106) and the Shandong Provincial Natural Science Foundation (ZR2014FM020).


Corresponding author

Correspondence to Shanqing Guo.

Additional information

This article belongs to the Topical Collection: Special Issue on Security and Privacy of IoT

Guest Editors: Tarik Taleb, Zonghua Zhang, and Hua Wang


About this article


Cite this article

Liu, Y., Zuo, C., Zhang, Z. et al. An automatically vetting mechanism for SSL error-handling vulnerability in android hybrid Web apps. World Wide Web 21, 127–150 (2018). https://doi.org/10.1007/s11280-017-0458-9
