Android Uygulamalarında SSL/TLS Uygulama Hatalarının Tespiti

Year 2021, Volume: 9 Issue: 2, 211 - 219, 27.06.2021

Kaya Emre Cibalık Cemal Koçak

https://doi.org/10.29109/gujsc.878053

Abstract

Güvenlik Soket Katmanı (SSL) / Taşıma Katmanı Güvenliği (TLS) protokolleri, ağ iletişimini (örneğin, kullanıcı verilerini iletmek gibi.) güvenli hale getirmek için kullanılır. Uygulama geliştirme sırasında SSL/TLS yapılandırmasının doğru şekilde uygulanmaması güvenlik risklerine neden olur. Zayıf uygulama örnekleri, tüm ana bilgisayar adlarına güvenmeyi, tüm sertifikalara güvenmeyi, sertifika doğrulama hatalarını görmezden gelmeyi, hatta SSL açık anahtar sabitleme kullanımının olmadığı durumları içermektedir. Bu güvenli olmayan yapılandırma durumları Man-In-The-Middle (Ortadaki Adam) saldırılarına neden olabilir. Bu araştırmanın temel amacı, Android uygulamalarında SSL/TLS uygulamasının yapılandırma hatalarını tespit etmektir. Mevcut açık kaynak araçlarının ortak kullanımı ve analiz sürecini, dinamik analizi manuel yöntemle ve otomatikleştirilmiş statik analiz ile birleştirilmesinden oluşmaktadır. Statik analiz aşamasında dört tür güvenlik açığı taranmakta, ve dinamik analiz aşamasında SSL/TLS'nin kötüye kullanımını durumunu doğrulamak için kullanılmaktadır. Dinamik analiz, statik analiz aşamasında oluşan yanlış pozitifleri ortadan kaldırmak için gereklidir. Google Play Store'dan indirilen 109 uygulama analiz edildi ve deneysel sonuçlar 45 (% 41,28) uygulamanın SSL/TLS uygulamasında potansiyel güvenlik hataları içerdiğini göstermektedir. 109 uygulamadan 19'unun (% 17.43) MITM saldırılarına açık olduğu yapılan son testlerle doğrulanmıştır.

Keywords

Android, Uygulama Güvenliği, SSL/TLS, Mobil Güvenlik

Detection of SSL/TLS Implementation Errors in Android Applications

Abstract

Security Socket Layer (SSL) / Transport Layer Security (TLS) protocols are utilized to secure network communication (e.g., transmitting user data). Failing to properly implement SSL/TLS configuration during the app development results in security risks. The weak implementations include trusting all host names, trusting all certificates, ignoring certificate verification errors, even lack of SSL public key pinning usage. These unsecured implementations may cause Man-In-The-Middle (MITM) attacks. The major aim of this research is to detect configuration errors of SSL/TLS implementation in Android apps. We combine existing open-source tools and streamline the analysis process with the combination of automated static analysis and dynamic analysis with manual assistance. We scan for four types of vulnerabilities in the static analysis phase and verify misuse of SSL/TLS in the dynamic analysis phase. The dynamic analysis is essential for eliminating false positives generated at the static analysis stage. We analyze 109 apps from Google Play Store and the experimental results show that 45 (41.28%) apps contain potential security errors in the application of SSL/TLS. We verify that 19 (17.43%) out of 109 apps are vulnerable to MITM attacks.

Keywords

Android, Application Security, SSL/TLS, Mobile Security

References

• “Smartphone users 2020”, (2020). Statista. https://www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/ (accessed Feb. 09, 2021).
• “Android versions market share 2019”, (2020). Statista, https://www.statista.com/statistics/271774/share-of-android-platforms-on-mobile-devices-with-android-os/ (accessed Feb. 09, 2021).
• “Google Play Store: number of apps 2020”, (2020). Statista. https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store/ (accessed Feb. 09, 2021).
• E. Rescorla, “HTTP Over TLS”. https://tools.ietf.org/html/rfc2818 (accessed Feb. 09, 2021).
• D. Akhawe and A. Felt, (2013). “Alice in warningland: A large-scale field study of browser security warning effectiveness”, Proceedings of the 22nd USENIX conference on Security, ss. 257-272.
• A. P. Felt vd., (2015). “Improving SSL Warnings: Comprehension and Adherence”, Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, Seoul Republic of Korea, ss. 2893-2902, doi: 10.1145/2702123.2702442.
• J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. F. Cranor, (2009). “Crying Wolf: An Empirical Study of SSL Warning Effectiveness”, 18th USENIX Security Symposium, Montreal, Canada, August 10-14, s. 18.
• S. Fahl, M. Harbach, T. Muders, L. Baumgärtner, B. Freisleben, and M. Smith, (2012). “Why Eve and Mallory love Android: An analysis of Android SSL (in)security”, CCS '12: Proceedings of the 2012 ACM conference on Computer and Communications Security, doi: 10.1145/2382196.2382205.
• D. Sounthiraraj, J. Sahs, G. Greenwood, Z. Lin, and L. Khan, (2014). “SMV-HUNTER: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps”, Network and Distributed System Security Symposium, doi: 10.14722/ndss.2014.23205.
• Y. Liu, C. Zuo, Z. Zhang, S. Guo, and X. Xu, (2018). “An automatically vetting mechanism for SSL error-handling vulnerability in android hybrid Web apps”, World Wide Web, c. 21, sy 1, ss. 127-150, doi: 10.1007/s11280-017-0458-9.
• Y. Wang, X. Liu, W. Mao, and W. Wang, (2019). “DCDroid: automated detection of SSL/TLS certificate verification vulnerabilities in Android apps”, Proceedings of the ACM Turing Celebration Conference - China, New York, NY, USA, ss. 1-9, doi: 10.1145/3321408.3326665
• “Security with HTTPS and SSL”, Android Developers. https://developer.android.com/training/articles/security-ssl (accessed Feb. 09, 2021).
• “Changes to Trusted Certificate Authorities in Android Nougat”, Android Developers Blog. https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html (accessed Feb. 09, 2021).
• “Behavior changes: all apps”, Android Developers. https://developer.android.com/about/versions/pie/android-9.0-changes-all (accessed Feb. 09, 2021).
• X. Wei and M. Wolf, (2017). “A Survey on HTTPS Implementation by Android Apps: Issues and Countermeasures”, Applied Computing and Informatics, c. 13, sy 2, ss. 101-117, doi: 10.1016/j.aci.2016.10.001.
• Y.-C. Lin, AndroBugs/AndroBugs_Framework. GitHub, 2021.
• “GitHub-MobSF/Mobile-Security-Framework-MobSF:” https://github.com/MobSF/Mobile-Security-Framework-MobSF (accessed Feb. 09, 2021).
• “monkeyrunner”, Android Developers. https://developer.android.com/studio/test/monkeyrunner (accessed Feb. 09, 2021).
• S. Arzt vd., (2014). “FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps”, SIGPLAN Not., c. 49, sy 6, ss. 259-269, doi: 10.1145/2666356.2594299.
• L. K. Yan and H. Yin, (2012). “DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis”, Proceedings of the 21st USENIX conference on Security Symposium, USA, s. 29.
• “Android Debug Bridge (adb)”, Android Developers. https://developer.android.com/studio/command-line/adb (accessed Feb. 09, 2021).
• D. T. Milano, dtmilano/AndroidViewClient, GitHub, https://github.com/dtmilano/AndroidViewClient 2021, (accessed Feb. 09, 2021).
• D. T. Milano, “dtmilano/AndroidViewClient”, GitHub, https://github.com/dtmilano/AndroidViewClient/wiki/culebra (accessed Feb. 09, 2021).
• “Burp Suite - Application Security Testing Software”.https://portswigger.net/burp (accessed Feb. 09, 2021).
• “mitmproxy - an interactive HTTPS proxy”. https://mitmproxy.org/ (accessed Feb. 09, 2021).
• “Offensive Security Introduces Kali Linux”. https://www.kali.org/offensive-security-introduces-kali-linux/ (accessed Feb. 09, 2021).