The Study On Automatically Detecting SSL Error-Handling Vulnerabilities

Posted on: 2017-02-06
Degree: Master
Type: Thesis
Country: China
Candidate: C S Zuo
Full Text: PDF
GTID: 2308330488453124
Subject: Computer Science and Technology
Abstract/Summary:
Android provides an SSL/TLS mechanism to protect network connections, but incorrect implementation by developers can defeat it. Hybrid apps contain many WebViews, which use HTTPS to transmit sensitive information. When developers mishandle HTTPS certificate errors in these WebViews, the hybrid app is exposed to man-in-the-middle and phishing attacks. In this thesis we show that some of these implementations are genuinely vulnerable, and we present a system for automatic, large-scale detection of such vulnerabilities that combines static and dynamic analysis. The static analysis module identifies potentially vulnerable apps, namely those that override the certificate-verification error-handling method (WebViewClient.onReceivedSslError), and extracts information that guides the subsequent dynamic analysis. The dynamic analysis module runs each potentially vulnerable app in an emulator, discovers navigation paths at run time, and simulates user interaction to drive the app along a path to the target Activity, where it finally triggers the vulnerability under an attack environment; this module analyzes and exercises both the Android UI and the webpage UI, which is beyond the reach of existing tools. We implemented the system and evaluated it on 13,820 real-world apps from the 360 market. The static analysis flagged 1,360 of them as potentially vulnerable, at an average cost of 3.5 seconds per app and 13.5 hours in total, running on 3 threads concurrently. Of these potentially vulnerable apps, 645 were confirmed vulnerable by the dynamic analysis, at an average cost of 60.8 seconds per app and 23 hours in total, running on 4 emulators in parallel.
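The static stage described above looks for classes that override the WebView certificate-error callback and decides whether the override accepts bad certificates. The following Python script is an added illustration of that triage heuristic, not the thesis system's own code: it scans smali (the disassembled Dalvik form that tools such as apktool or baksmali emit) for an `onReceivedSslError` override, lists the methods it invokes, and reports `unconditional_proceed` when `SslErrorHandler.proceed()` is called with no branch in the method (the Java equivalent is an override whose body is just `handler.proceed()`), `conditional_proceed` when the call is guarded (the case the dynamic stage has to resolve), and `safe` when only `cancel()` or the superclass is called. The class names, the smali samples and the verdict labels are constructed for this example.

```python
"""Static triage of smali for unsafe WebViewClient.onReceivedSslError overrides.
Illustrative example; not the detection system described in the thesis."""
import re
from dataclasses import dataclass, field

# Descriptor of the WebViewClient callback the platform invokes when certificate
# validation of a WebView HTTPS load fails. An override that calls
# SslErrorHandler.proceed() instructs the WebView to accept the bad certificate.
SSL_ERROR_METHOD = ("onReceivedSslError(Landroid/webkit/WebView;"
                    "Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V")
PROCEED = "Landroid/webkit/SslErrorHandler;->proceed()V"
CANCEL = "Landroid/webkit/SslErrorHandler;->cancel()V"

CLASS_RE = re.compile(r"^\.class\s+(?:\w+\s+)*(L\S+;)", re.M)
METHOD_RE = re.compile(
    r"^\.method[^\n]*?" + re.escape(SSL_ERROR_METHOD) + r"[^\n]*\n(.*?)^\.end method",
    re.M | re.S)
INVOKE_RE = re.compile(r"invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(\S+)")
BRANCH_OPS = ("if-", "packed-switch", "sparse-switch")


@dataclass
class Finding:
    class_name: str
    verdict: str          # "unconditional_proceed", "conditional_proceed" or "safe"
    calls: list = field(default_factory=list)


def analyze_smali(smali):
    """Return a Finding for a class that overrides onReceivedSslError, else None."""
    cls = CLASS_RE.search(smali)
    class_name = cls.group(1) if cls else "<unknown>"
    method = METHOD_RE.search(smali)
    if method is None:
        return None                     # no override: the platform default cancels the load
    body = method.group(1)
    calls = INVOKE_RE.findall(body)
    branches = any(line.strip().startswith(BRANCH_OPS) for line in body.splitlines())
    if PROCEED in calls and not branches:
        verdict = "unconditional_proceed"   # every certificate error is accepted: MITM-able
    elif PROCEED in calls:
        verdict = "conditional_proceed"     # depends on runtime data: hand to dynamic stage
    else:
        verdict = "safe"                    # only cancel()/super: load is aborted
    return Finding(class_name, verdict, calls)


def triage(classes):
    """Map class name -> verdict for every class in `classes` that overrides the callback."""
    out = {}
    for smali in classes:
        f = analyze_smali(smali)
        if f is not None:
            out[f.class_name] = f.verdict
    return out


# Constructed smali samples (hypothetical classes, not taken from any real app).
UNCONDITIONAL = """\
.class public Lcom/example/hybrid/AcceptAllClient;
.super Landroid/webkit/WebViewClient;

.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .locals 0
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V
    return-void
.end method
"""

CONDITIONAL = """\
.class public Lcom/example/hybrid/PinnedClient;
.super Landroid/webkit/WebViewClient;

.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .locals 2
    invoke-virtual {p3}, Landroid/net/http/SslError;->getPrimaryError()I
    move-result v0
    const/4 v1, 0x3
    if-ne v0, v1, :cond_0
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->proceed()V
    return-void
    :cond_0
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->cancel()V
    return-void
.end method
"""

SAFE = """\
.class public Lcom/example/hybrid/StrictClient;
.super Landroid/webkit/WebViewClient;

.method public onReceivedSslError(Landroid/webkit/WebView;Landroid/webkit/SslErrorHandler;Landroid/net/http/SslError;)V
    .locals 0
    invoke-virtual {p2}, Landroid/webkit/SslErrorHandler;->cancel()V
    return-void
.end method
"""

NO_OVERRIDE = """\
.class public Lcom/example/hybrid/PlainClient;
.super Landroid/webkit/WebViewClient;

.method public shouldOverrideUrlLoading(Landroid/webkit/WebView;Ljava/lang/String;)Z
    .locals 1
    const/4 v0, 0x0
    return v0
.end method
"""

if __name__ == "__main__":
    for name, verdict in triage([UNCONDITIONAL, CONDITIONAL, SAFE, NO_OVERRIDE]).items():
        print(f"{name}: {verdict}")
```

Only `unconditional_proceed` is a static confirmation; a guarded `proceed()` such as the `PinnedClient` sample still has to be exercised against a forged certificate in an emulator, which is the job of the dynamic stage. In practice the same scan should also cover `X509TrustManager.checkServerTrusted` overrides and `HostnameVerifier` implementations, which the page mentions only indirectly as developers' incorrect SSL implementation.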
Keywords/Search Tags: Android SSL, WebView, Man-In-The-Middle attack, Static analysis, Dynamic analysis