Abstract
Secure Socket Layer (SSL) and Transport Layer Security (TLS) are widely used to secure communications. With the rapid development of the mobile Internet, they are increasingly applied in mobile applications, and the security of their usage there merits study. However, most existing research on SSL/TLS focuses on the ecosystem as a whole, and few studies examine in depth the status quo of SSL/TLS security on mobile platforms. In this paper, we measure the network behaviour of the top 50 popular applications on the Android and iOS platforms to reveal the security problems of SSL/TLS deployment on the mobile Internet. We implement a system that extracts the handshake parameters and inspects the SSL deployment status. We also demonstrate some typical severe problems by performing man-in-the-middle (MITM) attacks against six applications. We believe our study is highly relevant to SSL deployment on mobile platforms and to the design of secure applications in the future.
Acknowledgments
This work is supported by the Strategic Priority Research Program of the Chinese Academy of Sciences (No. XDA06030200), Xinjiang Uygur Autonomous Region Science and Technology Project (No. 201230123), and Beijing Natural Science Foundation (4164089).
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Guo, Y., Cao, Z., Yang, W., Xiong, G. (2018). A Measurement and Security Analysis of SSL/TLS Deployment in Mobile Applications. In: Chen, Q., Meng, W., Zhao, L. (eds) Communications and Networking. ChinaCom 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 209. Springer, Cham. https://doi.org/10.1007/978-3-319-66625-9_19
DOI: https://doi.org/10.1007/978-3-319-66625-9_19
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66624-2
Online ISBN: 978-3-319-66625-9
eBook Packages: Computer Science, Computer Science (R0)