This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
Welcome to the full schedule of the OWASP AppSec Research EU 2013 conference days. You’ll find the schedule for the training days at http://trainings2013.appsec.eu
View analytic
Thursday, August 22 • 2:40pm - 3:25pm
MalloDroid, Hunting Down Broken SSL in Android Apps

Sign up or log in to save this to your schedule and see who's attending!

In a study [1], we investigated the SSL/TLS security of 13,500 free Android apps from Google's Play Market and identified serious security threats for their users. Our analysis revealed that 1,074 (8.0 %) of the examined apps contained SSL/TLS code that was potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data. 

From these 41 apps, we captured amongst others credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote servers, arbitrary email accounts, and IBM Sametime.

During our investigation, we conducted static code analysis to identify apps that applied inappropriate SSL certificate validation strategies. In this work, we present our tool MalloDroid and make it available to the public. MalloDroid is based on the Androguard [2] reverse engineering framework and provides a comfortable and easy-to-use command line interface for developers of apps, security auditors and all other interested parties to identify Android apps that include customized TrustManager and HostnameVerifier implementations. It also discovers if apps overwrite the onReceivedSSLError method in Android's WebViewClient used by many apps. Additionally, MalloDroid includes a signature database of known implementations that apply broken SSL certificate validation and reports a risk-level for customized SSL implementations. With the help of MalloDroid, code that breaks effective SSL certificate validation can be easily identified.

As a second contribution, we present results of interviews we conducted with 15 developers of vulnerable apps with the intention to identify the reasons behind the broken SSL certificate validation in Android apps. We asked developers why they implemented SSL certificate validation the way they did it and if they were aware of security implications of their decisions. Based on the interviews, we were able to identify some common problems Android app developers seem to have with using SSL in a secure way. We even found developers who stated that they apply code security audits that check whether SSL is used, but these audits did not check correct SSL certificate validation.

We hope that both, MalloDroid and the interview results, will help Android developers understand the problems that can occur in SSL code and help them create truly secure SSL connections. We also believe this work can support security auditors and penetration testers in their efforts.

[1] Fahl, S., Harbach, M., Muders, T., Smith, M., Baumgartner, L., and Freisleben, B. "Why Eve and Mallory Love Android: An Analysis of Android SSL (In)security." In Proc. of CCS 2012 pp. 50 - 61.
[2] cf. https://code.google.com/p/androguard/


Sascha Fahl

Sascha Fahl is a PhD student and research assistant at the Distributed Computing & Security Group at Leibniz University Hannover, Germany. He studied Computer Science at Philipps University Marburg where he received his Diplom in 2011. His current research is focused on usability challenges for security and privacy technologies in the context of Mobile Computing and SSL. He also works towards understanding and improving the usability of... Read More →

Marian Harbach

Marian Harbach is a PhD student and research assistant at the Distributed Computing & Security Group at Leibniz University Hannover, Germany. He studied Computer Science at Philipps University Marburg and Monash University Melbourne until 2011. His current research is focused on usability challenges and the acceptance of novel security and privacy technologies. He also investigates risk communication and education. 
avatar for Matthew Smith

Matthew Smith

Prof. Smith is a Professor of Computer Science at Leibniz University Hannover, Germany where he leads the Distributed Computing & Security Group. He studied Computer Science at the University of Siegen and received a PhD from Philipps University Marburg in 2008. His current research is focused on the usability aspects of security and privacy mechanisms with a wide range of application areas. These areas include Mobile and Cloud computing... Read More →

Thursday August 22, 2013 2:40pm - 3:25pm