
Automatic Detection Of Digital Certificate Verification Vulnerability In Android Applications

Posted on: 2021-02-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y J Wang
Full Text: PDF
GTID: 2428330614471986
Subject: Cyberspace security
Abstract/Summary:
With the development of the mobile Internet, smartphones have become important devices in people's lives. The Android operating system (OS), as an open-source OS, occupies a large share of the market for communication devices. Most applications establish a network connection with a server, so protecting applications' sensitive data is directly vital to users' privacy. The traditional HTTP protocol transmits data in clear text, which makes it easy for an attacker to obtain sensitive information. Network data can be protected by adding the SSL protocol between HTTP and the transport layer; however, many applications make serious mistakes when implementing SSL, and improper digital certificate checking is one of them, posing a serious threat to users' private data and account security. Traditional detection methods do not define comprehensive vulnerability code, rely on manual analysis, require a great deal of time and effort, and produce results that are not very accurate, so large-scale detection of applications is difficult to achieve.

To solve these problems, this thesis proposes an automatic method for detecting the digital certificate verification vulnerability in Android applications based on a combination of static and dynamic analysis. The information generated by static detection guides the dynamic detection, and the dynamic detection results confirm whether the application is vulnerable. Through the combination of static and dynamic methods, it can determine effectively and reliably whether a vulnerability really exists in the application. The main research work is as follows:

(1) This thesis proposes an automatic detection method for the digital certificate verification vulnerability in Android applications that combines static detection with dynamic detection. In the static detection phase, four kinds of digital certificate verification vulnerabilities are proposed. In the dynamic detection phase, the static detection results guide the dynamic detection. By building a Method Call Graph, a Class Call Graph and an Activity Call Graph, the vulnerable code can be triggered quickly, improving detection efficiency and accuracy.

(2) This thesis makes a systematic study of digital certificate verification in Android applications. We downloaded 5547 applications from Google Play and the 360 application market. With the proposed method, 1035 of them were found by static detection to have potential vulnerabilities, accounting for 18.66% of all applications. Through dynamic detection, in which the traffic is decrypted with a Man-In-The-Middle attack tool, 485 applications were confirmed to have digital certificate verification vulnerabilities, accounting for 8.47% of all applications. The experimental results show that the proposed method can effectively discover digital certificate verification vulnerabilities in Android applications.

(3) This thesis systematically studies the digital certificate verification vulnerabilities of Android applications, analyzes their classification, version evolution and market ranking, reveals the internal and external causes of these vulnerabilities, and puts forward relevant suggestions for developers.

(4) Based on the B/S (browser/server) architecture, an automatic system for detecting digital certificate vulnerabilities is developed. Users can upload APK files through the graphical interface and view the detection results.
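As an added illustration of what a static detection phase looks for, the following Python scanner flags well-known insecure certificate-verification idioms in constructed snippets of decompiled Java. This is example code written for this page, not the thesis's tool, and the idiom classes it matches are assumed for illustration rather than being the thesis's four categories.

```python
import re

# Constructed samples of decompiled Java from a hypothetical APK (not real app code).
SAMPLE_SOURCE = {
    "com/example/net/TrustAll.java": """
public class TrustAll implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) { }
    public void checkServerTrusted(X509Certificate[] chain, String authType) { }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
""",
    "com/example/net/Hosts.java": """
public class Hosts implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}
""",
    "com/example/ui/Web.java": """
public class Web extends WebViewClient {
    public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) { h.proceed(); }
}
""",
    # Delegates to a real trust manager; must NOT be flagged.
    "com/example/net/Strict.java": """
public class Strict implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        defaultTm.checkServerTrusted(chain, authType);
    }
}
""",
}

# Insecure idioms assumed for this example: an empty checkServerTrusted body,
# a HostnameVerifier that always returns true, a WebViewClient that proceeds
# past SSL errors, and the deprecated allow-all hostname verifier constant.
PATTERNS = {
    "empty-checkServerTrusted": re.compile(
        r"checkServerTrusted\([^)]*\)\s*(throws [\w, ]+)?\s*\{\s*\}"),
    "allow-all-hostname": re.compile(
        r"verify\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;"),
    "webview-proceed-on-ssl-error": re.compile(
        r"onReceivedSslError\([^)]*\)\s*\{[^}]*\.proceed\(\)"),
    "allow-all-hostname-verifier-const": re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
}

def scan_sources(sources):
    """Map each source file to the list of insecure idioms found in it (empty files omitted)."""
    findings = {}
    for path, text in sources.items():
        hits = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if hits:
            findings[path] = hits
    return findings

if __name__ == "__main__":
    for path, hits in scan_sources(SAMPLE_SOURCE).items():
        print(f"{path}: {', '.join(hits)}")
```

In the thesis's workflow these hits would be the candidates whose enclosing methods, classes and activities are then located on the call graphs so that dynamic detection can reach them.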
Keywords/Search Tags:Android, SSL/TLS, Certificate Verification, Static Detection, Dynamic Detection