[cryptography] OT: Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security

Jeffrey Walton noloader at gmail.com
Sat Oct 20 18:41:42 PDT 2012


Hot off the presses (but it's not limited to Android): "Why Eve and
Mallory Love Android: An Analysis of Android SSL (In)Security",
http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf. Or
should it be "The Case for Public Key Pinning"?

"...The most common approach to protect data during communication on
the Android platform is to use the Secure Sockets Layer (SSL) or
Transport Layer Security (TLS) protocols. To evaluate the state of SSL
use in Android apps, we downloaded 13,500 popular free apps from
Google's Play Market and studied their properties with respect to the
usage of SSL. In particular, we analyzed the apps' vulnerabilities
against Man-in-the-Middle (MITM) attacks due to the inadequate or
incorrect use of SSL.

For this purpose, we created MalloDroid, an Androguard extension that
performs static code analysis to a) analyze the networking API calls
and extract valid HTTP(S) URLs from the decompiled apps; b) check the
validity of the SSL certificates of all extracted HTTPS hosts; and c)
identify apps that contain API calls that differ from Android's
default SSL usage, e.g., contain non-default trust managers, SSL
socket factories or hostname verifiers with permissive verification
strategies. Based on the results of the static code analysis, we
selected 100 apps for manual audit to investigate various forms of SSL
use and misuse: accepting all SSL certificates, allowing all hostnames
regardless of the certificate's Common Name (CN), neglecting
precautions against SSL stripping, trusting all available Certificate
Authorities (CAs), not using SSL pinning, and misinforming users about
SSL usage."
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org