Rethinking SSL Development in an Appified World


Research Paper

Rethinking SSL Development in an Appified World
Sascha Fahl, Marian Harbach, Henning Perl, Markus Kötter and Matthew Smith
DCSEC, Leibniz University Hannover
Proceedings of the 2013 ACM Conference on Computer and Communications Security

Abstract
The Secure Sockets Layer (SSL) is widely used to secure data transfers on the Internet. Previous studies have shown that the state of non-browser SSL code is catastrophic across a large variety of desktop applications and libraries as well as a large selection of Android apps, leaving users vulnerable to Man-in-the-Middle attacks (MITMAs). To determine possible causes of SSL problems on all major appified platforms, we extended the analysis to the walled-garden ecosystem of iOS, analyzed software developer forums and conducted interviews with developers of vulnerable apps. Our results show that the root causes are not simply careless developers, but also limitations and issues of the current SSL development paradigm. Based on our findings, we derive a proposal to rethink the handling of SSL in the appified world and present a set of countermeasures to improve the handling of SSL using Android as a blueprint for other platforms. Our countermeasures prevent developers from willfully or accidentally breaking SSL certificate validation, offer support for extended features such as SSL Pinning and different SSL validation infrastructures, and protect users. We evaluated our solution against 13,500 popular Android apps and con- ducted developer interviews to judge the acceptance of our approach and found that our solution works well for all investigated apps and developers.

Our Related Work

This work is based in part on our recent related work:

Why Eve and Mallory Love Android: An Analysis of SSL (In)Security on Android
Sascha Fahl, Marian Harbach, Thomas Muders and Matthew Smith
DCSEC, Leibniz University Hannover
Lars Baumgärtner and Bernd Freisleben
Phillips University Marburg
Proceedings of the 2012 ACM Conference on Computer and Communications Security



Downloads

You can download a patch with our changes for Android 4.3 here
A patched version of the ADT is available for: Linux | OS X | Windows