Show simple item record

dc.contributor.authorRazaghpanah, Abbas
dc.contributor.authorNiaki, Arian Akhavan
dc.contributor.authorVallina-Rodriguez, Narseo 
dc.contributor.authorSundaresan, Srikanth
dc.contributor.authorAmann, Johanna
dc.contributor.authorGill, Phillipa
dc.date.accessioned2021-07-13T09:31:18Z
dc.date.available2021-07-13T09:31:18Z
dc.date.issued2017-12-12
dc.identifier.urihttp://hdl.handle.net/20.500.12761/462
dc.description.abstractTransport Layer Security (TLS), has become the {\em de-facto} standard for secure Internet communication. When used correctly, it provides secure data transfer, but used incorrectly, it can leave users vulnerable to attacks while giving them a false sense of security. Numerous efforts have studied the adoption of TLS (and its predecessor, SSL) and its use in the desktop ecosystem, attacks, and vulnerabilities in both desktop clients and servers. However, there is a dearth of knowledge of how TLS is used in mobile platforms. In this paper we use data collected by Lumen, a mobile measurement platform, to analyze how Android apps use TLS in the wild. We analyze and fingerprint handshake messages to characterize the TLS APIs and libraries that apps use, and also evaluate weaknesses. We see that about 84% of apps use default OS APIs for TLS. Many apps use third party libraries; in some cases they are forced to do so because of restricted Android capabilities. Our analysis shows that both approaches have limitations, and that improving TLS security in mobile is not straightforward. Apps that use their own TLS configurations have vulnerabilities due to developer inexperience, but apps that use OS defaults are vulnerable to certain attacks if the OS is out of date, even if the apps themselves are up to date. We also study certificate verification and third-party libraries used in Android apps, and see low prevalence of security measures such as certificate pinning, even among high-risk apps such as those providing financial services, though we did observe major tracking and advertisement services deploying certificate pinning. We have made our dataset, which is the first of its kind, available to download to the public.
dc.language.isoeng
dc.titleStudying TLS Usage in Android Appsen
dc.typeconference object
dc.conference.date12-15 December 2017
dc.conference.placeSeoul, South Korea
dc.conference.titleThe 13th International Conference on emerging Networking EXperiments and Technologies (ACM CoNEXT 2017)*
dc.event.typeconference
dc.pres.typepaper
dc.type.hasVersionVoR
dc.rights.accessRightsopen access
dc.subject.keywordSecurity Protocols
dc.subject.keywordAndroid
dc.subject.keywordMobile
dc.subject.keywordNetwork Measurements
dc.subject.keywordTransport Layer Security
dc.subject.keywordSecure Sockets Layer
dc.subject.keywordSSL
dc.subject.keywordTLS
dc.subject.keywordTransport Layer Protocols
dc.subject.keywordMobile Security
dc.description.refereedTRUE
dc.description.statuspub
dc.eprint.idhttp://eprints.networks.imdea.org/id/eprint/1690


Files in this item

This item appears in the following Collection(s)

Show simple item record