A measurement and security analysis of SSL/TLS deployment in mobile applications

Abstract

Secure Socket Layer (SSL) and Transport Layer Security (TLS) have been widely used to provide security in communications. With the rapid development of mobile Internet, they are progressively applied in mobile applications. It is interesting to study the security of their usage. However, most of existed researches on SSL/TLS focus on the whole ecosystem, while few of them have in-depth study on the status quo of mobile security about SSL/TLS. In this paper, we measure the network behaviors of top 50 popular applications on Android and iOS platforms to reveal the security problems of SSL/TLS deployment in mobile Internet. A system is implemented which can extract the handshake parameters and inspect SSL deployment status. We also demonstrate some typical severe problems by performing man-in-the-middle (MITM) attacks against six applications. We believe our study is very consequential for SSL deployment on mobile platforms and the design of secure applications in the future.