Danger is my middle name

Lucky Onwuzurike, Emiliano De Cristofaro
2015 Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks - WiSec '15  
This paper presents a measurement study of information leakage and SSL vulnerabilities in popular Android apps. We perform static and dynamic analysis on 100 apps, downloaded at least 10M times, that request full network access. Our experiments show that, although prior work has drawn a lot of attention to SSL implementations on mobile platforms, several popular apps (32/100) accept all certificates and all hostnames, and four actually transmit sensitive data unencrypted. We set up an
... al testbed simulating man-in-the-middle attacks and find that many apps (up to 91% when the adversary has a certificate installed on the victim's device) are vulnerable, allowing the attacker to access sensitive information, including credentials, files, personal details, and credit card numbers. Finally, we provide a few recommendations to app developers and highlight several open research problems.
doi:10.1145/2766498.2766522 dblp:conf/wisec/OnwuzurikeC15 fatcat:qcdwsm3bczf37mmmyaos3lac7y