| Over the past few years, as the proliferation of always-on, always-connected smart-phones,users have gotten a good application experience.Naturally, as the number and the usage of always-on, always-connected smart-phones increase, so does the amount of personal and sensitive information they transmit.Thus, it is crucial to secure traffic exchanged by these devices, especially considering that mobile users might connect to open Wifi networks or even fake cell towers.The primary goal of the SSL Protocol is to provide data confidentiality and integrity between two communicating applications.However, in the real life, the custom implementations of SSL in the Android mobile applications often have errors, posing a serious security threat to the users,including financial accounts and social relationship information leakage.In this work, a method has been designed and implemented to detect SSL implementation flaw on Android applications.SSL man-in-the-middle vulnerabilities were analyzed.Firstly, the thesis studies the concept of the SSL protocol and how to implement SSL man-in-the-middle attack, discusses the Android system architecture and security mechanism and analyzes the key technologies for analyzing Android applications.Techniques that may be used by websites to detect network interceptions at present are also introduced.Secondly, according to the characteristics of SSL communication protocol, the thesis introduces machine learning technology.The scheme makes full use of the characteristics of the X.509 certificates, including the certificate chain sizes, certificate chain depths, public key sizes,common name, etc. By the decision tree classification, the scheme can determine whether an application is vulnerable in SSL implementation or not.Finally, for the purpose of evaluating the safety of SSL on Android mobile applications, the thesis evaluates our method on 1000 commonly used Android applications and 150 financial samples, and summarized four types of security flaws of these applications.Experimental results showed that quite serious security vulnerabilities in SSL implementation are existed in Android App Stores in China, a comprehensive evaluation on mobile banking & financial software that involving user’s money are in urgent need. |