You've been warned: an empirical study of the effectiveness of web browser phishing warnings
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Forcehttps: protecting high-security web sites from network attacks
Proceedings of the 17th international conference on World Wide Web
Understanding Android Security
IEEE Security and Privacy
On lightweight mobile phone application certification
Proceedings of the 16th ACM conference on Computer and communications security
Apex: extending Android permission model and enforcement with user-defined runtime constraints
ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Google Android: A Comprehensive Security Assessment
IEEE Security and Privacy
Crying wolf: an empirical study of SSL warning effectiveness
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Not So Great Expectations: Why Application Markets Haven't Failed Security
IEEE Security and Privacy
Paranoid Android: versatile protection for smartphones
Proceedings of the 26th Annual Computer Security Applications Conference
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Privilege escalation attacks on android
ISC'10 Proceedings of the 13th international conference on Information security
All your droid are belong to us: a survey of current android attacks
WOOT'11 Proceedings of the 5th USENIX conference on Offensive technologies
A study of android application security
SEC'11 Proceedings of the 20th USENIX conference on Security
Android permissions demystified
Proceedings of the 18th ACM conference on Computer and communications security
An empirical study of visual security cues to prevent the SSLstripping attack
Proceedings of the 27th Annual Computer Security Applications Conference
Proceedings of the Seventh Symposium on Usable Privacy and Security
Android permissions: user attention, comprehension, and behavior
Proceedings of the Eighth Symposium on Usable Privacy and Security
Messing with Android's Permission Model
TRUSTCOM '12 Proceedings of the 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications
RetroSkeleton: retrofitting android apps
Proceeding of the 11th annual international conference on Mobile systems, applications, and services
Supporting visual security cues for WebView-based Android apps
Proceedings of the 28th Annual ACM Symposium on Applied Computing
Here's my cert, so trust me, maybe?: understanding TLS errors on the web
Proceedings of the 22nd international conference on World Wide Web
Rethinking SSL development in an appified world
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
An empirical study of cryptographic misuse in android applications
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Predictability of Android OpenSSL's pseudo random number generator
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
MinimaLT: minimal-latency networking through better security
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Breaking cell phone authentication: vulnerabilities in AKA, IMS and Android
WOOT'13 Proceedings of the 7th USENIX conference on Offensive Technologies
Can Smartphone Users Turn Off Tracking Service Settings?
Proceedings of International Conference on Advances in Mobile Computing & Multimedia
Hi-index | 0.00 |
Many Android apps have a legitimate need to communicate over the Internet and are then responsible for protecting potentially sensitive data during transit. This paper seeks to better understand the potential security threats posed by benign Android apps that use the SSL/TLS protocols to protect data they transmit. Since the lack of visual security indicators for SSL/TLS usage and the inadequate use of SSL/TLS can be exploited to launch Man-in-the-Middle (MITM) attacks, an analysis of 13,500 popular free apps downloaded from Google's Play Market is presented. We introduce MalloDroid, a tool to detect potential vulnerability against MITM attacks. Our analysis revealed that 1,074 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks. Various forms of SSL/TLS misuse were discovered during a further manual audit of 100 selected apps that allowed us to successfully launch MITM attacks against 41 apps and gather a large variety of sensitive data. Furthermore, an online survey was conducted to evaluate users' perceptions of certificate warnings and HTTPS visual security indicators in Android's browser, showing that half of the 754 participating users were not able to correctly judge whether their browser session was protected by SSL/TLS or not. We conclude by considering the implications of these findings and discuss several countermeasures with which these problems could be alleviated.