A study of SSL Proxy attacks on Android and iOS mobile applications

Author

Hubbard, John ; Weimer, Ken ; Yu Chen

Author_Institution

Dept. of Electr. & Comput. Eng., Binghamton Univ., Binghamton, NY, USA

fYear

2014

fDate

10-13 Jan. 2014

Firstpage

86

Lastpage

91

Abstract

According to recent articles in popular technology websites, some mobile applications function in an insecure manner when presented with untrusted SSL certificates. These non-browser based applications seem to, in the absence of a standard way of alerting a user of an SSL error, accept any certificate presented to it. This paper intends to research these claims and show whether or not an invisible proxy based SSL attack can indeed steal user´s credentials from mobile applications, and which types applications are most likely to be vulnerable to this attack vector. To ensure coverage of the most popular platforms, applications on both Android 4.2 and iOS 6 are tested. The results of our study showed that stealing credentials is indeed possible using invisible proxy man in the middle attacks.

Keywords

Android (operating system); iOS (operating system); mobile computing; security of data; Android 4.2; SSL error; SSL proxy attacks; attack vector; iOS 6; iOS mobile applications; invisible proxy man; middle attacks; untrusted SSL certificates; user credentials; Androids; Humanoid robots; Mobile communication; Security; Servers; Smart phones; Android; Man-in-the-middle; Mobile Devices; Proxy; SSL; Security; TLS; iOS;

fLanguage

English

Publisher

ieee

Conference_Titel

Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th

Conference_Location

Las Vegas, NV

Print_ISBN

978-1-4799-2356-4

Type

conf

DOI

10.1109/CCNC.2014.6866553

Filename

6866553