
Research On Automatic Detection Of SSL Security Vulnerability In Network Communications Of Android Applications

Posted on: 2018-09-05
Degree: Master
Type: Thesis
Country: China
Candidate: J J Li
GTID: 2428330569975200
Subject: Computer application technology
Abstract/Summary:
To protect user privacy during network communication, the Android operating system employs the Secure Sockets Layer (SSL) protocol. However, because developers may misuse SSL-related interfaces, Android applications are exposed to man-in-the-middle attacks, which can lead to privacy leaks. Current detection of SSL security vulnerabilities in Android applications depends on static decompilation and therefore cannot cope with the increasingly common reinforced (hardened) applications. To solve this problem, an automated dynamic method for detecting SSL security vulnerabilities is put forward. The main idea is to simulate the interaction between users and applications with UI traversal technology and to verify, while the application is running, whether it can effectively resist man-in-the-middle attacks, thereby determining whether the SSL-related interfaces are implemented properly. To trigger valid network requests that cover the suspicious vulnerability points during UI traversal, optimization of the widget tree based on GUI type and calculation of GUI state similarity based on the widgets' path set are presented for the first time. A general automatic traversal model has been designed and a heuristic depth-first traversal algorithm has been implemented. The forms and security threats of SSL security vulnerabilities in Android applications are systematically studied. Then a system named SSLTester, for detecting SSL security vulnerabilities in Android applications, is proposed and implemented. First, it filters applications to build a suspicious set based on feature matching. Second, suspicious applications are driven to run automatically by means of a custom UI traversal strategy. Last but not least, to support more than one device running in parallel, the middle-agent (proxy) plugin is extended to perform the attack test and feed back results promptly. To validate the effectiveness of SSLTester, we applied it to 2456 popular applications from some mainstream application markets and found that 424 applications suffer from SSL security vulnerabilities. Compared with the existing program SMV-HUNTER, its time efficiency increased by about 38.46% and its detection accuracy increased by about 6.4%.
Keywords/Search Tags:Android Applications, Privacy Leak, SSL Security Vulnerability, Automatic Traversal