DOI: 10.1145/2714576.2714583

Automatically Detecting SSL Error-Handling Vulnerabilities in Hybrid Mobile Web Apps

Published: 14 April 2015

Abstract

Today, many hybrid apps combine a native Android UI with WebView UI. To protect the security and privacy of their communications, these hybrid apps all use HTTPS through WebView, a key component of modern web browsers. In this paper, we show that there is another type of SSL vulnerability, one that stems from the error-handling code in hybrid mobile web apps. At a high level, this error-handling code should stop the communication on a certificate error, but it proceeds regardless, which leaves the app open to man-in-the-middle (MITM) attacks. To automatically identify such vulnerable apps, we present a hybrid approach that combines static analysis and dynamic analysis. We have implemented our approach and evaluated it on 13,820 real-world mobile web apps from a third-party market, of which 645 are confirmed to be truly vulnerable, with an average overhead of 60.8 seconds per app.
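The error-handling pattern the abstract describes, shown as an added illustration that is not code from the paper: a WebViewClient override that proceeds past every certificate error, beside a corrected one that cancels the load. Only the Android framework API (WebViewClient, SslErrorHandler, SslError, Log) is real; the class names and log tag are assumed for the example.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// VULNERABLE (the bug class the paper detects): the override runs when the
// certificate check fails, but instead of stopping the load it calls
// proceed(), so a forged certificate is accepted and the HTTPS session
// can be intercepted by a man-in-the-middle.
class PermissiveWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // accepts any certificate error
    }
}

// FIXED: cancel the load on every certificate error and record the reason.
// Not overriding the method at all is equally safe, because the framework's
// default implementation cancels.
class StrictWebViewClient extends WebViewClient {
    private static final String TAG = "StrictWebViewClient"; // assumed log tag

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        Log.w(TAG, "TLS error (" + describe(error.getPrimaryError())
                + ") for " + error.getUrl() + "; load cancelled");
        handler.cancel();
    }

    // Map the primary SslError code to a readable name for the log line.
    static String describe(int code) {
        switch (code) {
            case SslError.SSL_UNTRUSTED:    return "untrusted issuer";
            case SslError.SSL_EXPIRED:      return "expired certificate";
            case SslError.SSL_IDMISMATCH:   return "hostname mismatch";
            case SslError.SSL_NOTYETVALID:  return "certificate not yet valid";
            case SslError.SSL_DATE_INVALID: return "invalid certificate date";
            default:                        return "error code " + code;
        }
    }
}
```

For a static check of this bug class, the signal is a WebViewClient subclass whose onReceivedSslError override can reach SslErrorHandler.proceed() on a path that does not depend on the error value.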



Published In

ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security
April 2015
698 pages
ISBN:9781450332453
DOI:10.1145/2714576
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].


Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. android security
  2. https
  3. ssl
  4. webview

Qualifiers

  • Short-paper

Funding Sources

  • the Independent Innovation Foundation of Shandong Province
  • the Shandong Provincial Natural Science Foundation
  • the Key Science Technology Project of Shandong Province
  • Program for New Century Excellent Talents in University of the Ministry of Education
  • National Natural Science Foundation of China

Conference

ASIA CCS '15: 10th ACM Symposium on Information, Computer and Communications Security
April 14 - March 17, 2015
Singapore, Republic of Singapore

Acceptance Rates

ASIA CCS '15 paper acceptance rate: 48 of 269 submissions, 18%
Overall acceptance rate: 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (Last 12 months)9
  • Downloads (Last 6 weeks)1
Reflects downloads up to 22 Feb 2025


Cited By

  • A Data Flow-Based Approach for Classification and Risk Estimation of Android Apps. 2023 IEEE International Conference on Recent Advances in Systems Science and Engineering (RASSE), pp. 1-6, 8 Nov 2023. DOI: 10.1109/RASSE60029.2023.10363478
  • Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques. 2022 IEEE Symposium on Security and Privacy (SP), pp. 614-631, May 2022. DOI: 10.1109/SP46214.2022.9833582
  • Understanding the Evolution of Android App Vulnerabilities. IEEE Transactions on Reliability 70(1), pp. 212-230, Mar 2021. DOI: 10.1109/TR.2019.2956690
  • Fuzzing error handling code using context-sensitive software fault injection. Proceedings of the 29th USENIX Conference on Security Symposium, pp. 2595-2612, 12 Aug 2020. DOI: 10.5555/3489212.3489358
  • An empirical study of SMS one-time password authentication in Android apps. Proceedings of the 35th Annual Computer Security Applications Conference, pp. 339-354, 9 Dec 2019. DOI: 10.1145/3359789.3359828
  • The Android OS stack and its vulnerabilities. Empirical Software Engineering 24(4), pp. 2056-2101, 1 Aug 2019. DOI: 10.1007/s10664-019-09689-7
  • An automatically vetting mechanism for SSL error-handling vulnerability in android hybrid Web apps. World Wide Web 21(1), pp. 127-150, 1 Jan 2018. DOI: 10.1007/s11280-017-0458-9
  • A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software. IEEE Transactions on Software Engineering 43(6), pp. 492-530, 1 Jun 2017. DOI: 10.1109/TSE.2016.2615307
  • An empirical study on Android-related vulnerabilities. Proceedings of the 14th International Conference on Mining Software Repositories, pp. 2-13, 20 May 2017. DOI: 10.1109/MSR.2017.60
  • Risk Analysis of Exposed Methods to JavaScript in Hybrid Apps. 2016 IEEE Trustcom/BigDataSE/ISPA, pp. 458-464, Aug 2016. DOI: 10.1109/TrustCom.2016.0097
