research-article

Rethinking SSL development in an appified world

Authors:

Marian Harbach,

Markus Koetter,

Matthew SmithAuthors Info & Claims

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

Pages 49 - 60

https://doi.org/10.1145/2508859.2516655

Published: 04 November 2013 Publication History

Abstract

The Secure Sockets Layer (SSL) is widely used to secure data transfers on the Internet. Previous studies have shown that the state of non-browser SSL code is catastrophic across a large variety of desktop applications and libraries as well as a large selection of Android apps, leaving users vulnerable to Man-in-the-Middle attacks (MITMAs). To determine possible causes of SSL problems on all major appified platforms, we extended the analysis to the walled-garden ecosystem of iOS, analyzed software developer forums and conducted interviews with developers of vulnerable apps. Our results show that the root causes are not simply careless developers, but also limitations and issues of the current SSL development paradigm. Based on our findings, we derive a proposal to rethink the handling of SSL in the appified world and present a set of countermeasures to improve the handling of SSL using Android as a blueprint for other platforms. Our countermeasures prevent developers from willfully or accidentally breaking SSL certificate validation, offer support for extended features such as SSL Pinning and different SSL validation infrastructures, and protect users. We evaluated our solution against 13,500 popular Android apps and conducted developer interviews to judge the acceptance of our approach and found that our solution works well for all investigated apps and developers.

References

[1]

P. P. F. Chan, L. C. K. Hui, and S. M. Yiu. DroidChecker: Analyzing Android Applications for Capability Leaks. In WISEC '12: Proceedings of the Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks. ACM Press, Apr. 2012.

Digital Library

[2]

L. Davi, A. Dmitrienko, A. Sadeghi, and M. Winandy. Privilege Escalation Attacks on Android. In Proceedings of the 13th International Conference on Information Security, pages 346--360, 2011.

Digital Library

[3]

P. Eckersley. Sovereign Key Cryptography for Internet Domains. https://git.eff.org/?p=sovereign-keys.git;a=blob;f=sovereign-key-design.txt;hb=master.

[4]

A. Egners, B. Marschollek, and U. Meyer. Messing with Android's Permission Model. In Proceedings of the IEEE TrustCom, pages 1--22, Apr. 2012.

Digital Library

[5]

S. Fahl, M. Harbach, T. Muders, L. Baumg\"artner, B. Freisleben, and M. Smith. Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. In Proceedings of the 19th ACM Conference on Computer and Communications Security. ACM Press, Oct. 2012.

Digital Library

[6]

A. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android Permissions: User Attention, Comprehension, and Behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security. ACM Press, 2012.

Digital Library

[7]

A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions Demystified. In Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM Press, Oct. 2011.

Digital Library

[8]

M. Georgiev, S. Iyengar, S. Jana, R. Anubhai, D. Boneh, and V. Shmatikov. The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software. In Proceedings of the 2012 ACM Conference on Computer and Communications security. ACM Press, Oct. 2012.

Digital Library

[9]

P. Hoffman and J. Schlyter. The DNS-Based Authentication of Named Entities (DANE) Protocol for Transport Layer Security (TLS): TLSA . https://tools.ietf.org/html/rfc6698, Aug. 2012.

[10]

T. Hyun-Jin Kim, L.-S. Huang, A. Perrig, C. Jackson, and V. Gligor. Accountable Key Infrastructure (AKI): A Proposal for a Public-Key Validation Infrastructure. In Proceedings of the 2013 Conference on World Wide Web, to appear, 2013.

Digital Library

[11]

B. Laurie, A. Langley, and E. Kasper. Certificate Transparency. Network Working Group Internet-Draft, v12, work in progress. http://tools.ietf.org/html/draft-laurie-pki-sunlight-12, Apr. 2013.

[12]

M. Marlinspike. TACK: Trust Assertions for Certificate Keys. http://tack.io/draft.html.

[13]

M. Marlinspike. SSL And The Future Of Authenticity. In BlackHat USA 2011, 2011.

[14]

P. Saint-Andre and J. Hodges. RFC 6125, Mar. 2011.

[15]

R. Schlegel, K. Zhang, X. Zhou, M. Intwala, and e. al. Soundcomber: A Stealthy and Context-aware Sound Trojan for Smartphones. Proceedings of the Network and Distributed System Security Symposium, 2011.

[16]

J. Sunshine, S. Egelman, H. Almuhimedi, N. Atri, and L. Cranor. Crying Wolf: An Empirical Study of SSL Warning Effectiveness. In Proceedings of the 18th USENIX Security Symposium, pages 399--416, 2009.

Digital Library

[17]

T. Vidas, D. Votipka, and N. Christin. All Your Droid Are Belong To Us: A Survey Of Current Android Attacks. In Proceedings of the 5th USENIX Workshop on Offensive Technologies, pages 10--10, 2011.

Digital Library

[18]

D. Wendlandt, D. G. Andersen, and A. Perrig. Perspectives: improving ssh-style host authentication with multi-path probing. In USENIX 2008 Annual Technical Conference on Annual Technical Conference, ATC'08, pages 321--334, Berkeley, CA, USA, 2008. USENIX Association.

Digital Library

[19]

Y. Zhou and X. Jiang. Dissecting android malware: Characterization and evolution. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 95--109, 2012.

Digital Library

Cited By

de Hoz Diego JMadi TKonstantinou C(2024)CMXsafe: A Proxy Layer for Securing Internet-of-Things CommunicationsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.340425819(5767-5782)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3404258
Jallow ASchilling MBackes MBugiel S(2024)Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00022(1083-1101)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00022
Nash AStudiawan HGrispos GChoo K(2024)Security Analysis of Google Authenticator, Microsoft Authenticator, and AuthyDigital Forensics and Cyber Crime10.1007/978-3-031-56583-0_13(197-206)Online publication date: 3-Apr-2024
https://doi.org/10.1007/978-3-031-56583-0_13
Show More Cited By

Index Terms

Rethinking SSL development in an appified world

Recommendations

Why eve and mallory love android: an analysis of android SSL (in)security
CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security

Many Android apps have a legitimate need to communicate over the Internet and are then responsible for protecting potentially sensitive data during transit. This paper seeks to better understand the potential security threats posed by benign Android ...
Smart smartphone development: iOS versus android
SIGCSE '11: Proceedings of the 42nd ACM technical symposium on Computer science education

In a remarkably short timeframe, developing apps for smartphones has gone from an arcane curiosity to an essential skill set. Employers are scrambling to find developers capable of transforming their ideas into apps. Educators interested in filling that ...
Hey, NSA: Stay Away from my Market! Future Proofing App Markets against Powerful Attackers
CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

Mobile devices are evolving as the dominant computing platform and consequently application repositories and app markets are becoming the prevalent paradigm for deploying software. Due to their central and trusted position in the software ecosystem, ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

November 2013

1530 pages

ISBN:9781450324779

DOI:10.1145/2508859

General Chair:
Ahmad-Reza Sadeghi
TU Darmstadt, CASED, Intel ICRI-SC, Germany
,
Program Chairs:
Virgil Gligor
Carnegie Mellon University, USA
,
Moti Yung
Columbia University, USA

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 November 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'13

Sponsor:

SIGSAC

CCS'13: 2013 ACM SIGSAC Conference on Computer and Communications Security

November 4 - 8, 2013

Berlin, Germany

Acceptance Rates

CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

115
Total Citations
View Citations
1,575
Total Downloads

Downloads (Last 12 months)73
Downloads (Last 6 weeks)11

Reflects downloads up to 24 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

de Hoz Diego JMadi TKonstantinou C(2024)CMXsafe: A Proxy Layer for Securing Internet-of-Things CommunicationsIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.340425819(5767-5782)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3404258
Jallow ASchilling MBackes MBugiel S(2024)Measuring the Effects of Stack Overflow Code Snippet Evolution on Open-Source Software Security2024 IEEE Symposium on Security and Privacy (SP)10.1109/SP54263.2024.00022(1083-1101)Online publication date: 19-May-2024
https://doi.org/10.1109/SP54263.2024.00022
Nash AStudiawan HGrispos GChoo K(2024)Security Analysis of Google Authenticator, Microsoft Authenticator, and AuthyDigital Forensics and Cyber Crime10.1007/978-3-031-56583-0_13(197-206)Online publication date: 3-Apr-2024
https://doi.org/10.1007/978-3-031-56583-0_13
Fischer-Hübner SKaregar FFischer-Hübner SKaregar F(2024)Overview of Usable Privacy Research: Major Themes and Research DirectionsThe Curious Case of Usable Privacy10.1007/978-3-031-54158-2_3(43-102)Online publication date: 20-Mar-2024
https://doi.org/10.1007/978-3-031-54158-2_3
Ortloff ATiefenau CSmith MKelley PKapadia A(2023)SoKProceedings of the Nineteenth USENIX Conference on Usable Privacy and Security10.5555/3632186.3632205(341-359)Online publication date: 7-Aug-2023
https://dl.acm.org/doi/10.5555/3632186.3632205
Shrestha ASharma TSaha PAhmed SAl-Ameen M(2023)A First Look into Software Security Practices in BangladeshACM Journal on Computing and Sustainable Societies10.1145/36163831:1(1-24)Online publication date: 22-Sep-2023
https://dl.acm.org/doi/10.1145/3616383
Nurgalieva LFrik ADoherty G(2023)A Narrative Review of Factors Affecting the Implementation of Privacy and Security Practices in Software DevelopmentACM Computing Surveys10.1145/358995155:14s(1-27)Online publication date: 4-Apr-2023
https://dl.acm.org/doi/10.1145/3589951
Draschbacher FFeichtner J(2023)CryptoShield - Automatic On-Device Mitigation for Crypto API Misuse in Android ApplicationsProceedings of the 2023 ACM Asia Conference on Computer and Communications Security10.1145/3579856.3582832(899-912)Online publication date: 10-Jul-2023
https://dl.acm.org/doi/10.1145/3579856.3582832
Horvath AMacvean AMyers B(2023)Support for Long-Form Documentation Authoring and Maintenance2023 IEEE Symposium on Visual Languages and Human-Centric Computing (VL/HCC)10.1109/VL-HCC57772.2023.00020(109-114)Online publication date: 3-Oct-2023
https://doi.org/10.1109/VL-HCC57772.2023.00020
Sahin SRoomi SPoteat TLi F(2023)Investigating the Password Policy Practices of Website Administrators2023 IEEE Symposium on Security and Privacy (SP)10.1109/SP46215.2023.10179288(552-569)Online publication date: May-2023
https://doi.org/10.1109/SP46215.2023.10179288
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents