[cryptography] OT: Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security
Hot off the presses (but it's not limited to Android): "Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security", http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf. Or should it be "The Case for Public Key Pinning"? "...The most common approach to protect data during communication on the Android platform is to use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. To evaluate the state of SSL use in Android apps, we downloaded 13,500 popular free apps from Google's Play Market and studied their properties with respect to the usage of SSL. In particular, we analyzed the apps' vulnerabilities against Man-in-the-Middle (MITM) attacks due to the inadequate or incorrect use of SSL. For this purpose, we created MalloDroid, an Androguard extension that performs static code analysis to a) analyze the networking API calls and extract valid HTTP(S) URLs from the decompiled apps; b) check the validity of the SSL certificates of all extracted HTTPS hosts; and c) identify apps that contain API calls that differ from Android's default SSL usage, e.g., contain non-default trust managers, SSL socket factories or hostname verifiers with permissive verification strategies. Based on the results of the static code analysis, we selected 100 apps for manual audit to investigate various forms of SSL use and misuse: accepting all SSL certificates, allowing all hostnames regardless of the certificate's Common Name (CN), neglecting precautions against SSL stripping, trusting all available Certificate Authorities (CAs), not using SSL pinning, and misinforming users about SSL usage."
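As an added example (not MalloDroid or any code from the paper), the following Python sketch shows the kind of static check the abstract describes: scanning decompiled Java for a trust manager that accepts every certificate, a hostname verifier that accepts every name, and cleartext http:// URLs that invite SSL stripping. The Java snippets are constructed, and the regular expressions are assumed heuristics, not the paper's rules.

```python
import re

# Constructed decompiled-Java fragment showing the permissive patterns
# the paper's audit looked for (not taken from any real app).
SAMPLE_APP_SOURCE = """
public class NaiveTrust implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
URL u = new URL("http://api.example.com/login");
URL s = new URL("https://api.example.com/login");
"""

# Constructed fragment that relies on the platform's default SSL handling.
SAFE_APP_SOURCE = """
HttpsURLConnection c = (HttpsURLConnection)
    new URL("https://api.example.com/login").openConnection();
"""

# Assumed heuristics: each pattern maps to one misuse named in the abstract.
FINDINGS = {
    # non-default trust manager (worth a manual look even if not empty)
    "custom_trust_manager": re.compile(r"implements\s+X509TrustManager"),
    # checkServerTrusted with an empty body: accepts all certificates
    "trust_all_certs": re.compile(r"checkServerTrusted\s*\([^)]*\)\s*\{\s*\}"),
    # HostnameVerifier.verify that unconditionally returns true
    "allow_all_hostnames": re.compile(
        r"verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;\s*\}"),
    # the legacy Apache constant with the same effect
    "allow_all_hostname_verifier_const": re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
}
URL_RE = re.compile(r'["\'](https?://[^"\'\s]+)["\']')


def scan_source(java_source):
    """Return (sorted finding names, cleartext http:// URLs) for one source blob."""
    findings = sorted(name for name, rx in FINDINGS.items() if rx.search(java_source))
    urls = URL_RE.findall(java_source)
    cleartext = [u for u in urls if u.startswith("http://")]
    return findings, cleartext


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_APP_SOURCE), ("safe", SAFE_APP_SOURCE)):
        print(label, scan_source(src))
```

Hits from such a scan are triage input, as in the paper's workflow, not proof of exploitability: a custom trust manager may implement pinning correctly, so flagged code still needs a manual audit.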
participants (1)
-
Jeffrey Walton