Presented by Hussein Almulla

Why Eve And Mallory Love Android: An Analysis Of Android SSL (In)security

Outline
- Introduction
- Background
- Evaluating Android SSL Usage
- MITMA Test Environment
- Online Survey
- Results of the Survey
- Countermeasures
- Conclusion

Purpose
In this paper, the authors investigated potential security threats that some Android apps could cause while processing private data. They also sought to understand how these apps use the SSL/TLS protocols to protect transmitted data, because inadequate SSL/TLS usage can be exploited to launch Man-in-the-Middle (MITM) attacks. They chose Android because:
- It is the most used mobile OS: it has 48% of the market and more than 400,000 apps on Google Play.
- The market is relatively open and unrestricted.

What They Did
To discover apps' vulnerabilities, they created MalloDroid. MalloDroid performs static code analysis to:
- Analyze the networking API calls and validate HTTP(S) URLs
- Check the validity of the SSL certificates
- Identify apps that use SSL differently from the default SSL implementation
Based on the results, they selected 100 apps to investigate SSL misuse.

SSL
SSL is a cryptographic protocol used to protect network communication from eavesdropping and tampering. To establish an SSL connection, the client must obtain the server's public key, which is included in the server certificate. This certificate is signed by a Certification Authority (CA) and is transferred when the client connects to the server. The client should then validate it by checking:
- Does the subject of the certificate match the destination selected by the client?
- Is the signing CA trusted?
- Is the signature correct?
- Has the certificate expired?
- Has the certificate been revoked?
The evaluation depends on this list.

Android & SSL
Because developers can customize their SSL usage, misuse is possible. Apps can use broken SSL to transmit information in the following cases:
- Trusting all certificates: the TrustManager interface can be implemented to trust all certificates, regardless of who signed them.
- Allowing all hostnames: the app accepts a certificate whether or not it was issued for the destination host.
- Trusting many CAs.
- Mixed-mode/no SSL.
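To make the first two misuse cases concrete, here is an added Java example written for this summary (it is not code from the paper or from MalloDroid). It shows what a trust-all TrustManager and an allow-all HostnameVerifier look like in Android/Java code, next to the correct approach of leaving the platform defaults in place, and adds a small self-check a reviewer can run against any TrustManager. The class names TrustAllManager, AllowAllHostnames and SslUsage and the empty-chain self-check are my own constructions; the platform's default trust manager rejects a zero-length chain with an IllegalArgumentException, which the check treats the same way as a CertificateException.

```java
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Misuse pattern 1, "trusting all certificates": checkServerTrusted never throws,
// so a self-signed, expired or wrong-host certificate is accepted silently.
final class TrustAllManager implements X509TrustManager {
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}

// Misuse pattern 2, "allowing all hostnames": a certificate issued to Y.com is
// accepted when the app meant to talk to X.com.
final class AllowAllHostnames implements HostnameVerifier {
    @Override public boolean verify(String hostname, SSLSession session) { return true; }
}

public final class SslUsage {

    // Broken configuration of the kind the study found: both patterns installed.
    static HttpsURLConnection brokenConnection(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new TrustAllManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(new AllowAllHostnames());
        return conn;
    }

    // Correct configuration: no custom TrustManager or HostnameVerifier at all. The
    // platform default checks the chain, signature, validity period and subject name.
    static HttpsURLConnection defaultConnection(URL url) throws Exception {
        return (HttpsURLConnection) url.openConnection();
    }

    // The platform's own X509TrustManager, initialised from the system trust store.
    static X509TrustManager platformDefaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Self-check for a code review: hand each trust manager a constructed, empty
    // certificate chain. A real validator rejects it; a trust-all manager does not.
    static boolean rejectsEmptyChain(X509TrustManager tm) {
        try {
            tm.checkServerTrusted(new X509Certificate[0], "RSA");
            return false;
        } catch (CertificateException | IllegalArgumentException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("trust-all manager rejects empty chain: "
            + rejectsEmptyChain(new TrustAllManager()));
        System.out.println("platform manager rejects empty chain:  "
            + rejectsEmptyChain(platformDefaultTrustManager()));
    }
}
```

The self-check is deliberately crude: it does not prove a TrustManager is correct, but any implementation that swallows an empty chain is one that will also swallow an attacker's certificate, which is exactly the "trusting all certificates" case above.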

MITM Attack
In a Man-in-the-Middle attack (MITMA), the attacker is in a position to intercept messages sent between communication partners. The mixed-mode/no SSL case allows an adversary to eavesdrop on non-protected communication. SSL stripping is another method by which a MITMA can be launched against an SSL connection. SSL stripping relies on the redirect from a non-SSL-protected site to a protected one: during this redirect, the adversary may be able to replace the secure link with an insecure one, which succeeds if the user does not notice.

EVALUATING ANDROID SSL USAGE
They built MalloDroid to evaluate SSL usage. MalloDroid performs the following analysis steps:
- Permissions: checks which apps request the INTERNET permission or privacy-related permissions
- Networking API calls: analyzes the use of HTTP transport and non-HTTP transport
- HTTP vs. HTTPS: checks the validity of URLs
- HTTPS available: tries to establish a secure connection to the HTTP URLs found in apps
- Deployed certificates: downloads and evaluates SSL certificates
- SSL validation: examines apps with respect to inadequate SSL validation, such as accepting all certificates

Permission
The result of checking which permissions apps request:
                                                          No. of apps
Total apps                                                13,500
INTERNET permission                                       12,534
Apps that actually perform networking-related API calls   11,938
INTERNET and privacy-related permissions                   6,907
They also found that 91.7% of apps that perform networking API calls use HTTP or HTTPS. They therefore focused on HTTP and HTTPS to find out which one apps use.

HTTP vs. HTTPS
MalloDroid extracted 254,022 URLs:
- 29,685 of the URLs (15.2%), pointing to 1,725 unique hosts (6.6%), are HTTPS URLs
- 6,214 of the apps contain HTTPS and HTTP URLs simultaneously
- 5,810 do not contain HTTPS URLs at all
- 111 apps exclusively contain HTTPS URLs

HTTP vs. HTTPS
Top 10 hosts based on occurrences

Deployed SSL Certificates
They downloaded 1,887 unique SSL certificates:
- 162 failed verification under Android's default verification strategy, covering 668 apps.
- 42 of these certificates failed SSL verification because they were self-signed (271 apps).
- 21 of these certificates were expired (43 apps).

Custom SSL Validation
Using MalloDroid, they found 1,074 apps with custom SSL validation:
- 790 contain code that bypasses SSL verification by accepting all certificates.
- 284 contain code that accepts all hostnames for a certificate.
They found 86 custom trust managers and SSL socket factories in 878 apps:
- 22 classes implementing the TrustManager interface and 16 classes extending SSLSocketFactory accept all SSL certificates.
- In 78 apps, MalloDroid found an SSLSocketFactory provided by a developer library that accepts all certificates.
- 313 apps contained calls to the NaiveTrustManager class.
- In 90 apps, MalloDroid found the NonValidatingTrustManager class.

MITMA STUDY
They performed MITM attacks against 266 apps containing broken SSL or hostname verifiers (Finance: 45, Social: 94, Communication: 49, Business: 60, Tools: 18). They wanted to find out what kind of information is sent through these broken SSL channels.

Test Environment
They selected the top 100 apps for manual auditing. These apps have between 39.5 and 185 million users. For the manual app auditing, they used a Samsung Galaxy Nexus smartphone with Android 4.0. They installed the potentially vulnerable apps on the phone and set up a WiFi access point with a MITM SSL proxy. 41 apps were vulnerable, so it was possible to gather bank account information, payment credentials, and Facebook, email and cloud storage credentials.

Trusting All Certificates
In this attack they gave their MITMA proxy a self-signed certificate. 21 of the 100 selected apps were vulnerable to this attack, with an installed base between 100,000 and half a million users. The apps leaked information such as login credentials, webcam access or banking data. 24 of the 43 supported banks were not protected from their MITMA. The Windows Live Messenger service app was also vulnerable to this attack: it has 10 to 50 million users and is in the top 20 communication apps, and username and password are both sent via a broken SSL channel.

Allowing All Hostnames
They found 20 apps that accepted certificates irrespective of the subject name: if the app wants to connect to X.com, it would also accept a certificate issued to Y.com. The apps leaked information such as credentials for different services, emails, text messages, etc. An anti-virus app updated its virus signature file via a broken SSL connection, with no validation of the signature files. First, they sent an empty signature database and it was accepted, so the anti-virus protection was turned off without informing the user. Second, they created a virus signature for the anti-virus app itself and sent it. This signature was accepted by the app, so the anti-virus recognized itself as a virus and deleted itself.

SSL Stripping
SSL stripping can occur if a browsing session begins using HTTP and switches to HTTPS via a link or a redirect. Two noteworthy examples vulnerable to this attack are a social networking app and an online services client app.

Lazy SSL Use
Although the Android SDK does not directly support SSL pinning, many Android apps communicate with a limited number of hosts picked by the app developer, which makes pinning feasible. To implement SSL pinning, an app can use its own KeyStore of trusted root CA certificates or implement a TrustManager that only trusts specific public key fingerprints. They investigated the usage of SSL pinning in 20 high-profile apps against MITMA. Only 2 apps make use of SSL pinning and were safe from this attack. The other apps trust all root CA signatures.
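The two pinning options named on this slide, as an added Java example written for this summary (not code from the paper, from MalloDroid, or from any of the audited apps). Option A is a TrustManager that keeps the platform's full validation and then additionally requires a pinned public key fingerprint (SHA-256 over the DER SubjectPublicKeyInfo) somewhere in the chain; option B is an app-private KeyStore that trusts only the CA the app expects. The class names PinningTrustManager and SslPinning, and the placeholder pin value, are my own constructions. This also addresses the "trusting many CAs" case from the Android & SSL slide, since both options stop relying on every system root.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Option A: a TrustManager that only trusts specific public key fingerprints. It runs
// the platform's checks first and then requires a pinned key somewhere in the chain.
final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager platformDefault;
    private final Set<String> pinnedSpkiSha256;   // Base64(SHA-256(SubjectPublicKeyInfo))

    PinningTrustManager(X509TrustManager platformDefault, Set<String> pinnedSpkiSha256) {
        this.platformDefault = platformDefault;
        this.pinnedSpkiSha256 = pinnedSpkiSha256;
    }

    // Fingerprint of the DER-encoded SubjectPublicKeyInfo (what getEncoded() returns
    // for X.509 public keys), so a renewed certificate with the same key still matches.
    static String spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            byte[] spki = cert.getPublicKey().getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 unavailable", e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // 1. Chain building, signatures, validity period: the unchanged platform checks.
        platformDefault.checkServerTrusted(chain, authType);
        // 2. Pin check: at least one certificate in the chain must carry a known key.
        for (X509Certificate cert : chain) {
            if (pinnedSpkiSha256.contains(spkiSha256(cert))) return;
        }
        throw new CertificateException("no pinned public key found in server chain");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platformDefault.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platformDefault.getAcceptedIssuers();
    }
}

public final class SslPinning {

    static X509TrustManager platformDefaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Option A wired into an SSLContext. The hostname verifier is deliberately left at
    // the platform default so the subject-name check is not lost.
    static SSLContext pinnedContext(Set<String> pins) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {
            new PinningTrustManager(platformDefaultTrustManager(), pins) }, null);
        return ctx;
    }

    // Option B: the app's own KeyStore holding only the CA it expects, so the many
    // system root CAs are not trusted for this connection.
    static SSLContext ownCaContext(X509Certificate ownCa) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty in-memory store
        ks.setCertificateEntry("app-ca", ownCa);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed placeholder pin, not a real server's value.
        Set<String> pins = Set.of("PLACEHOLDER_BASE64_SHA256_OF_SPKI=");
        SSLContext ctx = pinnedContext(pins);
        System.out.println("pinned context ready: " + ctx.getProtocol());
    }
}
```

Pinning a key rather than a whole certificate survives routine certificate renewal; pinning only an intermediate or root, and shipping a backup pin, are the usual ways to avoid locking users out when the server key does rotate.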


Missing Feedback
The Android OS does not provide any visual feedback to the user on whether or not a communication channel is secure. Email apps installed by 10 to 50 million users handle registration and login via a secure SSL connection, but their default settings for sending and receiving email are set to HTTP. There was no indication that the emails were not protected. An instant messaging app installed by 100,000 to 500,000 users transfers login credentials via a non-SSL-protected channel without informing users.

Missing Feedback
A framework for a graphical app builder allows users to create apps for Android. Apps created with this framework can load code from remote servers. Downloading remote code is performed via plain HTTP. Because downloaded code is not verified before execution, it is possible to inject and execute Java code. They also found 53 apps that were not vulnerable to MITMA but did not give meaningful warning messages to users who are under attack.

Limitations of the Analysis
- The studied applications were selected based on popularity.
- They only checked 100 apps manually for vulnerability to MITMA; they did not check the rest of the apps that have unsafe SSL implementations.
- Static code analysis might fail for some apps.
- The applications selected for manual audit were chosen based on popularity and handling of sensitive data.

Online Survey
They ran a survey to find out whether users can evaluate the security of a connection. They used the default Android browser as an example to find out:
- Whether users can distinguish an HTTPS connection from a regular HTTP connection.
- How users perceive an SSL warning message.
The survey was accessed directly from an Android phone. Half of the users got the survey via HTTPS and the other half via HTTP.

Online Survey
754 participants were asked:
- Whether they had seen this warning before
- If they had completely read its text
- How much risk they felt
47.5% of non-IT experts and 34.7% of participants with IT education thought that they used a secure connection, but the survey was over HTTP. In both groups, 22.4% were unsure about the security of their connection. 58.9% of experts and 44.3% of non-experts correctly identified whether they were using a secure or insecure connection. 57.6% of non-IT experts and 52.3% of IT experts stated that they had not seen such a certificate warning before. 24.0% of participants read the warning, and 4.5% did not read it at all. They rated the risk of this warning at 2.86 out of 5.

Limitations of the Online Survey
- They did not digitally sign the emails.
- The URL sent with the survey was not linked to the university.
- The emails could have been spoofed.
- Most of the participants who completed the survey were students.

Countermeasures
- OS Solutions: integrated into the Android OS
- App Market Solutions: integrated into app markets
- Standalone Solution: the MalloDroid App & Service

OS Solutions
These can be achieved by forcing developers to use the standard library implementations provided by Android's APIs.
- HTTPS-Everywhere: integrated into the communication APIs. This would prevent most SSL stripping attacks.
- Improved Permissions and Policies: apps indicate which type of connection they use, INTERNET_SSL or INTERNET_PLAIN, in order to get the user's permission.
- Visual Security Feedback: the operating system should provide visual feedback on whether or not apps are using a secure channel.
- MalloDroid Installation Protection: MalloDroid could be integrated into app installers to perform static code analysis at install time.

MalloDroid Solutions
- App Market Solutions: MalloDroid could be integrated into app markets to automatically check apps before they are added to the market, and either reject apps from entering the market or add warnings to the app's description.
- Standalone Solution: the MalloDroid App & Service. They offer MalloDroid as a tool that allows users to perform checks on apps before they install them. This solution does not require modifying the OS.
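To show what the install-time or market-side check on the last two slides amounts to, here is an added Java example written for this summary; it is not MalloDroid's code and its patterns are my own heuristics, not the tool's. It scans decompiled Java source text for the SSL validation categories the study reports (empty checkServerTrusted bodies, HostnameVerifier.verify returning true, the Apache ALLOW_ALL_HOSTNAME_VERIFIER constant, the NaiveTrustManager and NonValidatingTrustManager helper classes, and plain-HTTP URL literals for the mixed-mode case). The class name SslMisuseScanner and the SAMPLE input are constructed; the sample deliberately includes a correct delegating TrustManager that must not be flagged. It uses a Java record, so it needs Java 16 or later.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class SslMisuseScanner {

    // One finding per rule hit, with the matched text collapsed to a single line.
    public record Finding(String rule, String evidence) { }

    // Heuristic rules modelled on the categories reported in the study. They run over
    // decompiled Java source text; the patterns are constructed for this example.
    private static final Map<String, Pattern> RULES = new LinkedHashMap<>();
    static {
        // checkServerTrusted(...) with an empty body: accepts every certificate
        RULES.put("trust-all-certificates",
            Pattern.compile("checkServerTrusted\\s*\\([^)]*\\)[^{;]*\\{\\s*\\}"));
        // HostnameVerifier.verify(...) that unconditionally returns true
        RULES.put("allow-all-hostnames",
            Pattern.compile("boolean\\s+verify\\s*\\([^)]*\\)\\s*\\{\\s*return\\s+true\\s*;\\s*\\}"));
        // Apache HttpClient constant that switches hostname checks off
        RULES.put("allow-all-hostnames-constant",
            Pattern.compile("\\bALLOW_ALL_HOSTNAME_VERIFIER\\b"));
        // Permissive helper classes the study found in hundreds of apps
        RULES.put("permissive-trust-manager-class",
            Pattern.compile("\\b(?:NaiveTrustManager|NonValidatingTrustManager)\\b"));
        // Plain-HTTP URL literals: candidates for the mixed-mode / no-SSL case
        RULES.put("plain-http-url",
            Pattern.compile("\"http://[^\"\\s]+\""));
    }

    // Apply every rule to the source and collect all hits in rule order.
    public static List<Finding> scan(String source) {
        List<Finding> findings = new ArrayList<>();
        for (Map.Entry<String, Pattern> rule : RULES.entrySet()) {
            Matcher m = rule.getValue().matcher(source);
            while (m.find()) {
                findings.add(new Finding(rule.getKey(), m.group().replaceAll("\\s+", " ")));
            }
        }
        return findings;
    }

    // Constructed sample "decompiled source": one hit per rule, plus a delegating
    // checkServerTrusted on the last two lines that must not be flagged.
    static final String SAMPLE = String.join("\n",
        "public void checkServerTrusted(X509Certificate[] chain, String authType) {",
        "}",
        "public boolean verify(String hostname, SSLSession session) { return true; }",
        "factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);",
        "TrustManager tm = new NaiveTrustManager();",
        "String api = \"http://api.example.test/login\";",
        "public void checkServerTrusted(X509Certificate[] chain, String authType)",
        "        throws CertificateException { delegate.checkServerTrusted(chain, authType); }");

    public static void main(String[] args) {
        for (Finding f : scan(SAMPLE)) {
            System.out.println(f.rule() + ": " + f.evidence());
        }
    }
}
```

Run against SAMPLE, the scanner reports exactly five findings, one per rule, and stays silent on the delegating implementation because its body is not empty. A market or installer would treat the first four rules as grounds for rejection or a warning in the app description, and the plain-HTTP rule as input for the "HTTPS available" step from the evaluation slide.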

Conclusion
They investigated SSL/TLS usage in Android. They built MalloDroid, which uses static code analysis to detect apps that use SSL/TLS incorrectly and are vulnerable to MITM attacks. They manually performed MITM attacks against 100 apps selected from that set and captured credentials for American Express, PayPal, Facebook, … They did an online survey with 754 participants to find out how users react to security warnings. They offer MalloDroid as a first countermeasure to identify vulnerable apps.

Thank you. Questions?