Abstract

Android usually employs the Secure Socket Layer (SSL) protocol to protect the user's privacy in network transmission. However, developers may misuse SSL-related APIs, which allows attackers to steal the user's private data through man-in-the-middle attacks. Existing methods that rely on static decompiling technology to detect SSL security vulnerabilities in Android applications cannot cope with the increasingly common packed applications. Meanwhile, dynamic analysis approaches have the disadvantages of excessive resource consumption and long running times. In this paper, we propose a dynamic method that addresses this issue, based on our novel automatic traversal model. First, we propose several new traversal strategies that optimize the widget tree according to the user interface (UI) types and the interface state similarity. Furthermore, we develop a more granular traversal model by refining the traversal level from the Activity component to the Widget, and we implement a heuristic depth-first traversal algorithm in combination with our customized traversal strategy. In addition, the man-in-the-middle agent plug-in is extended to run the attack test in real time and return the attack results. Based on the above ideas, we have implemented SSLDetecter, an efficient automated detection system for Android application SSL security vulnerabilities. We apply it on multiple devices in parallel to detect 2456 popular applications from several mainstream application markets and find that 424 applications suffer from SSL security vulnerabilities. Compared with the existing system SMV-HUNTER, the time efficiency of our system increases by 38% and the average detection rate increases by 6.39 percentage points, with many types of SSL vulnerabilities detected.

Highlights

  • With the rapid development of mobile Internet, smartphones can help users to obtain information and services from the Internet anytime and anywhere

  • The main contributions of this paper are as follows: (1) We propose a new traversal strategy by optimizing the widget tree according to the user interface (UI) types and calculating the interface state similarity based on the widget path set. This detection method does not rely on static decompression technology to build a collection of Activity components that contains vulnerability points, but adopts heuristic search to realize automatic detection of vulnerability points

  • To balance efficiency and accuracy and to test the influence of different similarity thresholds on the number of GUI nodes and Activity components traversed, we randomly select 6 popular applications of different categories from the application markets for testing. The specific information of the six applications is shown in Table 4, including the application name, the size of the application, the collection of Activity components extracted from the AndroidManifest.xml file, and the total number of activities after removing third-party libraries
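The highlights above describe pruning the traversal by comparing interface states through their widget path sets against a similarity threshold. The following is an added illustration, not code from the SSLDetecter paper: it flattens a widget tree into its path set, scores two states with a Jaccard similarity (an assumption; the paper does not state its measure), and skips states that are too similar to one already explored. The nested-dict widget representation and the sample screens are constructed for this example.

```python
# Added example (not from the SSLDetecter paper): interface-state similarity
# over widget path sets, used to decide whether a newly reached UI state is
# new enough to traverse. Jaccard similarity is an assumption made here.
from typing import Dict, List, Set


def widget_paths(tree: Dict, prefix: str = "") -> Set[str]:
    """Flatten a widget tree into the set of root-to-widget class paths.
    Sibling widgets of the same class collapse to one path (it is a set)."""
    path = f"{prefix}/{tree['class']}"
    paths = {path}
    for child in tree.get("children", []):
        paths |= widget_paths(child, path)
    return paths


def state_similarity(a: Set[str], b: Set[str]) -> float:
    """Jaccard similarity of two widget path sets (assumed measure)."""
    if not a and not b:
        return 1.0          # two empty screens are identical
    return len(a & b) / len(a | b)


class StateSet:
    """Records widget path sets of visited states and prunes near-duplicates."""

    def __init__(self, threshold: float):
        self.threshold = threshold
        self.visited: List[Set[str]] = []

    def should_traverse(self, tree: Dict) -> bool:
        paths = widget_paths(tree)
        for seen in self.visited:
            if state_similarity(paths, seen) >= self.threshold:
                return False  # too similar to a state already explored
        self.visited.append(paths)
        return True


# Constructed sample screens: a login screen, the same screen with an added
# error label (near-duplicate), and a settings screen (genuinely new state).
LOGIN = {"class": "LinearLayout", "children": [
    {"class": "EditText"}, {"class": "EditText"}, {"class": "Button"}]}
LOGIN_ERR = {"class": "LinearLayout", "children": [
    {"class": "EditText"}, {"class": "EditText"}, {"class": "Button"},
    {"class": "TextView"}]}
SETTINGS = {"class": "LinearLayout", "children": [
    {"class": "Switch"}, {"class": "Switch"}, {"class": "TextView"}]}


def demo(threshold: float = 0.7) -> List[bool]:
    """Traversal decisions for the three sample screens at a given threshold."""
    states = StateSet(threshold)
    return [states.should_traverse(s) for s in (LOGIN, LOGIN_ERR, SETTINGS)]
```

Raising the threshold (e.g. 0.8) makes the error-label variant count as a new state, which is the efficiency-versus-coverage trade-off the second highlight refers to.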


Summary

Introduction

With the rapid development of mobile Internet, smartphones can help users to obtain information and services from the Internet anytime and anywhere. Users' sensitive information may be transmitted during network communications, which may cause privacy leakage. To protect users' privacy in network communications, applications can use encryption-based functions and SSL protocols. SSL protocol implementation involves encryption and decryption, identity authentication, certificate management, and various other technologies. The user interface of Android applications is mainly displayed through the Activity component. Users can interact with the screens they provide. Each Activity gets a window in which to draw its user interface, usually the same size as the screen, but sometimes smaller and floating on top of other windows. Therefore, view objects are the smallest units of the user interface. A widget in an Android application is essentially a view that represents a UI element, such as a Button, EditText, or TextView
