
A Measurement and Security Analysis of SSL/TLS Deployment in Mobile Applications

  • Conference paper

Abstract

Secure Socket Layer (SSL) and Transport Layer Security (TLS) are widely used to secure communications. With the rapid growth of the mobile Internet, they are increasingly applied in mobile applications, which makes the security of their usage worth studying. However, most existing research on SSL/TLS focuses on the ecosystem as a whole, and few studies examine in depth the state of SSL/TLS security on mobile platforms. In this paper, we measure the network behavior of the top 50 popular applications on the Android and iOS platforms to reveal the security problems of SSL/TLS deployment on the mobile Internet. We implement a system that extracts the handshake parameters and inspects the SSL deployment status. We also demonstrate several typical severe problems by performing man-in-the-middle (MITM) attacks against six applications. We believe our study is highly consequential for SSL deployment on mobile platforms and for the design of secure applications in the future.



Acknowledgments

This work is supported by the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06030200), Xinjiang Uygur Autonomous Region Science and Technology Project (No. 201230123), and Beijing Natural Science Foundation (4164089).

Author information

Corresponding author: Zigang Cao.


Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Guo, Y., Cao, Z., Yang, W., Xiong, G. (2018). A Measurement and Security Analysis of SSL/TLS Deployment in Mobile Applications. In: Chen, Q., Meng, W., Zhao, L. (eds) Communications and Networking. ChinaCom 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 209. Springer, Cham. https://doi.org/10.1007/978-3-319-66625-9_19

  • DOI: https://doi.org/10.1007/978-3-319-66625-9_19

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66624-2

  • Online ISBN: 978-3-319-66625-9
