E-SSL: An SSL Security-Enhanced Method for Bypassing MITM Attacks in Mobile Internet

In the mobile internet, Secure Sockets Layer (SSL) validation vulnerabilities in applications can be easily exploited through SSL Man-in-the-Middle (MITM) attacks, which are difficult to defeat. In this paper, an SSL Security-Enhanced method (E-SSL) is proposed to detect and defeat SSL MITM attacks, improving the security of internet communication under malicious attacks. An SSL proxy is used to find SSL certificate validation vulnerabilities and detect SSL MITM attacks. Based on randomness and hash theory, an SSL shared service with random port mapping is implemented to bypass SSL MITM attacks; this spatio-temporal randomization makes it harder for an attacker to guess correctly. We implement a prototype on the Android platform and verify its effectiveness and reliability with 650 apps under realistic SSL MITM attacks. Using the E-SSL approach, 185 apps out of 650 are detected with SSL certificate validation vulnerabilities. Furthermore, evaluation results show that the E-SSL approach enables these apps with SSL certificate validation vulnerabilities to successfully bypass SSL MITM attacks, thus significantly increasing the security of user data privacy in the public mobile internet.
