UCL Discovery

Danger is my middle name: experimenting with SSL vulnerabilities in Android apps

Onwuzurike, L; Cristofaro, ED; (2015) Danger is my middle name: experimenting with SSL vulnerabilities in Android apps. In: Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks. ACM publishing: New York, NY, USA.

Green open access

1505.00589v1.pdf - Accepted version


Abstract

This paper presents a measurement study of information leakage and SSL vulnerabilities in popular Android apps. We perform static and dynamic analysis on 100 apps, downloaded at least 10M times, that request full network access. Our experiments show that, although prior work has drawn a lot of attention to SSL implementations on mobile platforms, several popular apps (32/100) accept all certificates and all hostnames, and four actually transmit sensitive data unencrypted. We set up an experimental testbed simulating man-in-the-middle attacks and find that many apps (up to 91% when the adversary has a certificate installed on the victim's device) are vulnerable, allowing the attacker to access sensitive information, including credentials, files, personal details, and credit card numbers. Finally, we provide a few recommendations to app developers and highlight several open research problems.

Type: Proceedings paper
Title: Danger is my middle name: experimenting with SSL vulnerabilities in Android apps
Event: 8th ACM Conference on Security and Privacy in Wireless and Mobile Networks
ISBN-13: 978-1-4503-3623-9
Open access status: An open access version is available from UCL Discovery
DOI: 10.1145/2766498.2766522
Publisher version: http://dx.doi.org/10.1145/2766498.2766522
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
Keywords: cs.CR, cs.SE
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: https://discovery.ucl.ac.uk/id/eprint/1508476