InfoSec Seminar: Danger is My Middle Name - Experimenting with SSL Vulnerabilities on Android Apps

Speaker: Lucky Onwuzurike

As the number and usage of always-on, always-connected smartphones increase, so does the amount of personal and sensitive information they transmit. This increased transmission of data between client and server makes it crucial that information is sent over the network securely. While browsers give users visual feedback that communication is secured (via the lock symbol) and alert them to certificate validation issues, apps do so less extensively and effectively. This talk presents a measurement study of information leakage and Secure Sockets Layer (SSL) vulnerabilities in popular Android apps. We performed static and dynamic analysis on 100 apps - downloaded at least 10 million times - that request full network access. Although prior work has drawn a lot of attention to SSL implementations on mobile apps, our experiments show that several popular apps are still vulnerable.


Lucky Onwuzurike is a first-year PhD student at UCL under the supervision of Dr. Emiliano De Cristofaro. He is studying sensitive information leakage over network channels by Android applications and designing solutions to mitigate exploitable vulnerabilities. He is also working on ‘Like fraud’ associated with Facebook pages.



