论文信息 - Security tests for mobile applications — Why using TLS/SSL is not enough

Security tests for mobile applications — Why using TLS/SSL is not enough

Security testing is a fundamental aspect in many common practices in the field of software testing. Still, the used standard security protocols are typically not questioned and not further analyzed in the testing scenarios. In this work we show that due to this practice, essential potential threats are not detected throughout the testing phase and the quality assurance process. We put our focus mainly on two fundamental problems in the area of security: The definition of the correct attacker model, as well as trusting the client when applying cryptographic algorithms.

Edgar R. Weippl | Peter Frühwirt | Peter Kieseberg | Sebastian Schrittwieser

[1] Tim Dierks,et al. The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[2] Christopher Allen,et al. The TLS Protocol Version 1.0 , 1999, RFC.

[3] Bruce Schneier,et al. Analysis of the SSL 3.0 protocol , 1996 .

[4] Eric Rescorla,et al. The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[5] Edgar R. Weippl,et al. What's new with WhatsApp & Co.? Revisiting the Security of Smartphone Messaging Applications , 2014, iiWAS.

[6] 권태경,et al. SSL Protocol 기반의 서버인증 , 2003 .

[7] Edgar R. Weippl,et al. Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications , 2012, NDSS.