Danger is My Middle Name: Experimenting with SSL Vulnerabilities in Android Apps
Lucky Onwuzurike, Emiliano De Cristofaro

TL;DR
This measurement study of 100 popular Android apps finds that 32 accept any certificate and any hostname, four send sensitive data in the clear, and, in a man-in-the-middle testbed, up to 91% leak credentials, personal details or credit card numbers once the attacker's certificate is installed on the device.
Contribution
It provides a comprehensive measurement of SSL implementation flaws in popular Android apps and demonstrates their vulnerability to MITM attacks through static and dynamic analysis.
Findings
32 out of 100 apps accept all certificates and all hostnames
Four apps transmit sensitive data unencrypted (no SSL at all)
Up to 91% of apps are vulnerable to MITM when the attacker's certificate is installed on the victim's device
Abstract
This paper presents a measurement study of information leakage and SSL vulnerabilities in popular Android apps. We perform static and dynamic analysis on 100 apps, downloaded at least 10M times, that request full network access. Our experiments show that, although prior work has drawn a lot of attention to SSL implementations on mobile platforms, several popular apps (32/100) accept all certificates and all hostnames, and four actually transmit sensitive data unencrypted. We set up an experimental testbed simulating man-in-the-middle attacks and find that many apps (up to 91% when the adversary has a certificate installed on the victim's device) are vulnerable, allowing the attacker to access sensitive information, including credentials, files, personal details, and credit card numbers. Finally, we provide a few recommendations to app developers and highlight several open research…
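The two flaws the abstract counts (accepting all certificates and accepting all hostnames) are concrete, recognisable code patterns, and the paper's "attacker has a certificate installed on the device" scenario defeats even apps that validate correctly against the system trust store. The following Java is an added illustration, not code from the paper or from any of the apps it studied: it shows the two insecure patterns beside a hardened connection that trusts only a CA shipped with the app. The class name, method names and the `pinnedCaDer` input stream are assumptions for the example; in a real app the stream would typically come from a raw resource.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Illustrative class (not from the paper): the insecure patterns the study
// flags, next to a pinned configuration that resists an attacker-installed CA.
public class SslPatterns {

    // VULNERABLE: "accept all certificates". checkServerTrusted never throws,
    // so a self-signed, expired or wrong-host certificate is accepted and any
    // on-path attacker can terminate the TLS session.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) {}
            public void checkServerTrusted(X509Certificate[] chain, String authType) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // VULNERABLE: "accept all hostnames". A certificate validly issued for
    // attacker.example is accepted for a connection to api.example.com.
    static final HostnameVerifier ALLOW_ALL_HOSTS = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // Both patterns wired into an HttpsURLConnection; this is the shape a
    // static analyser looks for (custom TrustManager with empty checks,
    // HostnameVerifier that returns true).
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ALL_HOSTS);
        return conn;
    }

    // HARDENED: trust only the CA the app ships (pinning). pinnedCaDer is an
    // assumed DER-encoded certificate stream, e.g. from a raw resource. Because
    // the trust store holds only this CA, a CA the attacker installed into the
    // device's user store is not trusted, and default hostname verification
    // (SAN/CN against url.getHost()) stays in force.
    static HttpsURLConnection openPinned(URL url, InputStream pinnedCaDer) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(pinnedCaDer);

        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);                 // empty in-memory store
        keyStore.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no setHostnameVerifier call: the platform default applies.
        return conn;
    }
}
```

Pinning is what closes the attacker-installed-certificate case; the trade-off is that the app must ship a replacement before the pinned CA or certificate rotates, or it loses connectivity. Separately from the paper's findings, apps targeting Android 7.0 (API 24) and later do not trust user-installed CAs by default, which narrows the same attack without pinning.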
Taxonomy
Topics: Advanced Malware Detection Techniques · User Authentication and Security Systems · Security and Verification in Computing
