Pin it! Improving Android network security at runtime

Authors: Damjan Buhov, Markus Huber, Georg Merzdovnik, Edgar Weippl

DOI: 10.1109/IFIPNETWORKING.2016.7497238

Abstract: Smartphones are increasingly used worldwide and are now an essential tool for our everyday tasks. These tasks are supported by smartphone applications (apps), which commonly rely on network communication to provide a certain utility such as online banking. From a security and privacy point of view, a properly secured (encrypted) channel is important in order to protect sensitive information against passive and active attacks. Previous research outlined that developers often fail to implement proper certificate validation in their custom SSL/TLS implementations and thus to secure the communication. however proposed solutions not affected users. This global growth introduced drastic changes utilization. In this paper we discuss issue basis Android apps. We analyzed over 50,000 apps, collected during two consecutive years, regarding the correct use of protocols. Furthermore, current situation. propose dynamic pinning, device-based solution overcomes problem broken To best knowledge, first solve combining established techniques pinning with instrumentation tackle one major challenges applications.
