Automatically Detecting SSL Error-Handling Vulnerabilities in Hybrid Mobile Web Apps

Chaoshun Zuo, Jianliang Wu, Shanqing Guo
2015 Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security - ASIA CCS '15  
Today, there are many hybrid apps in which both native Android app UI and WebView UI are used. To protect the security and privacy of the communications, these hybrid apps all use HTTPS by WebView, a key component in modern web browsers. In this paper, we show there is another type of SSL vulnerability that stems from the error-handling code in the hybrid mobile web apps. At a high level, this error-handling code should have stopped the communication, but it still proceeds regardless of certificate errors, thereby leading to MITM attacks. To automatically identify these vulnerable apps, we present a hybrid approach that combines both static analysis and dynamic analysis. We have implemented our approach and evaluated it with 13,820 real-world mobile web apps from a third-party market, of which 645 are confirmed truly vulnerable, with an average overhead of 60.8 seconds per app.
doi:10.1145/2714576.2714583 dblp:conf/ccs/ZuoWG15 fatcat:3bim2mcpjvc4xenrnt6rbws34u