Identifying vulnerabilities of SSL/TLS certificate verification in Android apps with static and dynamic analysis

Highlights

• Develop an automated tool called DCDroid to detect SSL/TLS vulnerabilities.

• DCDroid is more effective and efficient than other related methods and tools.

• DCDroid works with the combination of static and dynamic analysis.

• Design a mechanism to avoid crashes when executing the Activity of vulnerable code.

• Develop a tool to identify the traffic generated by an app.

Abstract

Many Android developers fail to properly implement SSL/TLS during the development of an app, which may result in Man-In-The-Middle (MITM) attacks or phishing attacks. In this work, we design and implement a tool called DCDroid to detect these vulnerabilities with the combination of static and dynamic analysis. In static analysis, we focus on four types of vulnerable schema and locate the potential vulnerable code snippets in apps. In dynamic analysis, we prioritize the triggering of User Interface (UI) components based on the results obtained with static analysis to confirm the misuse of SSL/TLS. With DCDroid we analyze 2213 apps from Google Play and 360app. The experimental results show that 457 (20.65%) apps contain potential vulnerable code. We run apps with DCDroid on two Android smart phones and confirm that 245 (11.07%) of 2213 apps are truly vulnerable to MITM and phishing attacks. We propose several strategies to reduce the number of crashes and shorten the execution time in dynamic analysis. Comparing with our previous work, DCDroid decreases 57.18% of the number of apps’ crash and 32.47% of the execution time on average. It also outperforms other three tools, namely, AndroBugs, kingkong and appscan, in terms of detection accuracy.

Introduction

Smartphones are now widely used in people’s daily life. Android has become the most popular mobile operating systems (OS), accounting for around 74.13% of the smart phone’s market in the world (Mobile Operating System, 2020). According to Google’s statistics, there are over 2.9 million Android apps that are downloaded for over hundreds of billions times from Google Play as of December 2019 (Google Play Store, 2020). These apps cover a range from life, entertainment to finance or business. In order to secure the transmission of sensitive data for avoiding data leakage or attacks, many apps use HTTPS (HTTP over Security Socket Layer (SSL)/Transport Layer Security (TLS)) protocol to transmit sensitive data (Google, 2020). Unfortunately, improper implementation of SSL/TLS certificates can lead to Man-In-The-Middle (MITM) attacks (Clark and van Oorschot, 2013) and phishing attacks (He et al., 2015). In the process of MITM attack or phishing attack, attackers impersonate the server to intercept and even modify app traffic to obtain sensitive data. In general, an attacker is not able to decrypt network traffic. However, if the client blindly trusts any certificate without checking the signatures, or does not verify the host name, or ignores the verification error prompts, the attacker can impersonate the server to gain the trust of the client using a fake certificate, and then decrypt the traffic to obtain sensitive data during the attack.

Existing efforts have been made on the detection of malicious apps. Our previous work detected malicious apps (Wang, Gao, Zhao, Li, Liu, Zhang, 2018, Su, Liu, Wang, Wang, 2019, Wang, Zhao, Gao, Xu, Xian, Li, Zhang, 2019, Xie, Wang, Wang, Liu, 2019), analyzed privacy leakage (Liu, Liu, Wang, Zhu, 2018, Liu, Liu, Zhu, Wang, Zhang, 2019) and detected (Wang, Battiti, 2006, Wang, Guyet, Quiniou, Cordier, Masseglia, Zhang, 2014, Wang, Zhang, Pitsilis, 2010, Wang, Liu, Pitsilis, Zhang, 2018, Xu, Guo, Su, Zheng, Liang, Wong, Wang, 2020, Wang, Guan, Zhang, Yang, 2006, Wang, He, Liu, Gombault, 2015, Feng, Wang, Zhu, Zhang, 2009, Wang, Guan, Zhang, 2008, Wang, Shang, He, Li, Liu, 2020, Guan, Wang, Zhang, 2009, Wang, Zhang, Gombault, Knapskog, 2009, Wang, Guan, Zhang, 2004, Wang, Zhang, Gombault, 2009) or prevented (Xu, Wang, Jiao, Li, Liang, Zheng, Lian, Xian, Gao, 2019, Li, Xu, Jiao, Li, Wang, Hu, Xian, Lian, gao, 2019, Wang, Guan, Zhang, 2004) intrusions with different methods. There also exist related work (Fahl, Harbach, Muders, Smith, Baumgärtner, Freisleben, 2012, Brubaker, Jana, Ray, Khurshid, Shmatikov, 2014, Sounthiraraj, Sahs, Greenwood, Lin, Khan, 2014, Liu, Zuo, Zhang, Guo, Xu, 2018) on Android MITM attacks caused by improper implementation of SSL/TLS in Android’s apps. However, these methods require manual analysis to confirm vulnerabilities. Most of the related work aimed at the detection of malicious apps, rather than the detection of vulnerabilities. They often focus on a specific kind of Android apps, and the vulnerabilities detected are not comprehensive enough. In addition, some existing work started Activity directly in the process of detection, which may lead to apps’ crash.

In order to solve these problems, in our previous work (Wang et al., 2019c), we propose an automatic method to detect apps with SSL/TLS certificate verification vulnerabilities. It contains the following steps: definition of the vulnerable code, detecting the vulnerability of Smali code and running app dynamically under the MITM attack with fake certificates. Finally, by analyzing the traffic between an app and the server to confirm the vulnerability (that is, an app is confirmed to have this kind of vulnerability when it is successfully attacked). However, we find that some apps crashed during the detect process, and some apps were run too long time. In addition, a number of false positives exist with our previous method. Through comprehensive analysis, we summarize the following reasons for the problems:

• Some Activities of an app cannot start directly. They must be run in a certain order from one Activity to another.

• Some apps have many similar UI elements, and these elements are different while the code logic is the same (such as some tabs).

• Some HTTPS connections of an app are mixed with others because some apps are run in the background (such as some system services).

In order to deal with these problems and detect the vulnerabilities stably, fast and accurately, we re-design our tool called DCDroid (Detecting vulnerable Certificates in Android apps) that contains static analysis, dynamic analysis and traffic analysis. In static detection, we define vulnerable code, disassemble an app to get Smali code and search the code to locate the vulnerable point. We then get the entry point by analyzing the invocation relationship of the method. In dynamic detection, the apps are run under the guide of static analysis. An activity with vulnerable code does not start directly so that the tool is more stable in the detection. Besides, duplication is reduced in execution phase with some strategies. Next we set up proxy servers to carry out MITM attacks. We develop an app to capture traffic on the smart phone so that we can get the pure traffic of apps and reduce the false positives. With these measures, we have achieved higher accuracy, stability and execution efficiency.

We make the following contributions:

• We develop an automated tool called DCDroid to detect SSL/TLS vulnerabilities with the combination of static and dynamic analysis. With DCDroid, we analyze 2213 apps and find that 457 apps are vulnerable through static analysis. After dynamic analysis we find that 245 apps are truly vulnerable. There are over 10% of apps that have vulnerabilities of SSL/TLS. We analyze the categories and version evolution of vulnerable apps and provide our suggestions to developers based on the detection results.

• We start executing the Activity of the vulnerable code from the Main Activity of an app instead of starting it directly. By dynamic execution, DCDroid is more stable than previous work with few crashes. Compared with starting Activity directly, the number of crashes decreased by 3.39 (57.18%) times per app on average.

• We reduce some meaningless execution during the detection processes. We detect vulnerable but similar views with some strategies, and the running time for each app decreases by 88 seconds (32.47%).

• We develop an app to capture traffic on Android smart phones to mark the relationships between traffic and apps. We find that the traffic is more reliable in the experiments and we identify 3 false positives with DCDroid.

The remainder of this paper is organized as follows. In Section 2, we introduce the background. We introduce the research statement and main challenges in Section 3. In Section 4, we present DCDroid based on the static analysis and the dynamic analysis. We describe the data sets and give our experimental results in Section 5. In Section 6, we discuss the limitations of DCDroid. We introduce related work in Section 7. Finally we conclude this paper in Section 8.