AndroSSL: A Platform to Test Android Applications Connection Security

  • François Gagnon
  • Marc-Antoine Ferland
  • Marc-Antoine Fortier
  • Simon Desloges
  • Jonathan Ouellet
  • Catherine Boileau
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9482)

Abstract

Developing secure mobile applications is not an easy task, especially when dealing with SSL/TLS, since very few developers possess experience with those protocols. This paper presents AndroSSL, an automated platform to assess the security of (SSL/TLS) connections established by Android applications. AndroSSL assists mobile application developers by testing their applications for man-in-the-middle attacks and, if successful, pinpoints the reason why the application is vulnerable.

Keywords

Privacy, SSL, MitM, Android, Test-Bed, Automated experiment

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • François Gagnon (1)
  • Marc-Antoine Ferland (1)
  • Marc-Antoine Fortier (1)
  • Simon Desloges (1)
  • Jonathan Ouellet (1)
  • Catherine Boileau (1)

  1. Cybersecurity Research Lab, Cégep de Sainte-Foy, Québec, Canada
