An Application Package Configuration Approach to Mitigating Android SSL Vulnerabilities

Computing platforms such as smartphones frequently access Web content using many separate applications rather than a single Web browser application. These applications often deal with sensitive user information such as financial data or passwords, and use Secure Sockets Layer (SSL) to protect it from unauthorized eavesdropping. However, recent studies have confirmed a wide-spread misconfiguration of SSL verification in applications. This paper considers the difficulty faced by Android application developers when modifying SSL code for using common features like pinning or using a self-signed SSL certificate. For example, developing an application that accesses a test Web server with a self-signed certificate requires additional code to remove SSL verification; however, this code is not always removed in production versions of the application. To mitigate vulnerabilities introduced because of the complexity of customizing SSL code in Android applications, we propose that common SSL configuration should be specified in the application's package manifest. We provide two concrete suggestions: 1) linking the application's debug state to SSL verification, and 2) pinning certificates and CAs in the manifest. We evaluate the appropriateness of these two suggestions on over 13,000 applications from Google's Play Store, of which 3,302 use SSL in non-advertisement code, and find that 1,889 (57.20%) of these SSL applications would benefit.