logo资料库

Android英文论文.pdf

发布时间:2022-06-07 发布人:admin 分类:说明书 资料大小:0.52M 资料格式:pdf 举报 版权申诉
第1页 / 共66页
第2页 / 共66页
第3页 / 共66页
第4页 / 共66页
第5页 / 共66页
第6页 / 共66页
第7页 / 共66页
第8页 / 共66页
资料共66页,剩余部分请下载后查看
    LIST OF FIGURES
    Introduction
    Background
    Secure Sockets Layer (SSL)
    The Handshake
    Chain of Trust
    Hostname Verification
    Certificate Revocation
    MITM Attack
    SSL in Android
    Creating connections using built-in APIs
    Using a URLConnection
    Using an HttpsURLConnection
    Using a Webview
    Reasons for writing custom SSL code
    Testing/Debugging the application
    Using one certificate for multiple domains
    SSL Pinning
    Creating custom SSL code in Android
    Correct implementation for custom SSL code in Android
    Incorrect use of SSL
    No Certificate Validation (Trusting all certificates)
    No Hostname Verification (Allowing All Hostnames)
    Ignoring SSL Error
    Motivation
    The need for secure data transport
    Analysis of Open-source Applications
    Methods for incorrectly implementing SSL
    Trust All TrustManager
    Allow All HostnameVerifier
    Ignoring SSL Error
    Analysis of SSL usage in Android
    Methodology
    Manual Analysis of 200 Closed Source apps
    Analysis of Closed-Source Applications
    Evaluation
    Discussion
    Limitations
    Related Work
    Conclusion
    REFERENCES
    APPENDICES
    Correct Implementation of SSL
    WebViewClient
    TrustManager
    Hostname Verifier
    Control Flow Diagrams representing SSL Use
    WebViewClient
    TrustManager
    Hostname Verifier
    Known Classes which implement SSL incorrectly
    Incorrect implementations of HostnameVerifier
    Incorrect implementations of TrustManager
    ABSTRACT TENDULKAR, VASANT SUDHAKAR. Mitigating Android Application SSL Vulnerabilities using Configuration Policies. (Under the direction of Dr. William Enck.) Android apps are becoming more and more personalizable, dealing with a user’s personally identifiable information. Such apps have a responsibility to protect this sensitive information that they send over the Internet. Recent research has showed that many applications are not protecting this information in transit. This work shows that developers are not implementing SSL correctly, thus leaving applications vulnerable to Man-In-The-Middle attack. This work identifies multiple reasons why developers use SSL incorrectly. We present an analysis of 240 open source and 13,000 popular free Android applications downloaded from the official Google Play Store. We show that a majority of SSL vulnerabilities in Android applications arise from incorrect implementation of SSL Pinning and residual active debug code in the deployed version of the application. We present solutions based on specification of SSL verification policy in the Android Manifest file. Our results show that using such configuration based solutions is a effective approach to mitigate SSL vulnerabilities in Android applications.
    © Copyright 2013 by Vasant Sudhakar Tendulkar All Rights Reserved
    Mitigating Android Application SSL Vulnerabilities using Configuration Policies by Vasant Sudhakar Tendulkar A thesis submitted to the Graduate Faculty of North Carolina State University in partial fulfillment of the requirements for the Degree of Master of Science Computer Science Raleigh, North Carolina 2013 APPROVED BY: Dr. Emerson Murphy-Hill Dr. Tao Xie Dr. William Enck Chair of Advisory Committee
    DEDICATION To my Aai, Baba, Sameer, Niharika ... And to NC State for the opportunity. ii
    BIOGRAPHY The author completed his Bachelors Degree in Computer Engineering from St. Francis Institute of Technology, University of Mumbai, India and joined NC State University as a Master’s student (MR-CS) in Fall 2011. iii
    ACKNOWLEDGEMENTS First and foremost I express my gratitude to my advisor, Dr. William Enck for his guidance and support. I consider myself fortunate to have the opportunity to work and learn under his guidance. I am thankful for his positive outlook and constant encouragement that has helped me throughout this endeavor. This thesis would not have been possible without his help and guidance. I also thank Dr. Emerson Murphy-Hill and Dr. Tao Xie for taking the time to be on my committee and for being supportive of my research. I thank Ashwin Shashidharan, Adwait Nadkarni, Anson Ho and Sigmund Gorski for their valuable inputs on this work. I also thank Meghambari, Kunal, Vinay and Arya for their support. Finally, I thank my family for their support. I am grateful to my parents Sudhakar and Smita Tendulkar for their hard work, sacrifices and commitment to family and education that have provided me with the opportunity to pursue my dreams and made this journey possible. I also thank my brother Sameer Tendulkar for his tremendous patience, help and support. iv
    TABLE OF CONTENTS LIST OF FIGURES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vii Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Chapter 2 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1 Secure Sockets Layer (SSL) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.1 The Handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.2 Chain of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.3 Hostname Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.4 Certificate Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 6 6 7 9 9 2.2 MITM Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Chapter 3 SSL in Android . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 3.1 Creating connections using built-in APIs . . . . . . . . . . . . . . . . . . . . . . . 12 3.1.1 Using a URLConnection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 3.1.2 Using an HttpsURLConnection . . . . . . . . . . . . . . . . . . . . . . . . 13 3.1.3 Using a Webview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 3.2 Reasons for writing custom SSL code . . . . . . . . . . . . . . . . . . . . . . . . . 14 3.2.1 Testing/Debugging the application . . . . . . . . . . . . . . . . . . . . . . 14 3.2.2 Using one certificate for multiple domains . . . . . . . . . . . . . . . . . . 15 3.2.3 SSL Pinning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 3.3 Creating custom SSL code in Android . . . . . . . . . . . . . . . . . . . . . . . . 16 3.4 Correct implementation for custom SSL code in Android . . . . . . . . . . . . . . 17 Incorrect use of SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.5 3.5.1 No Certificate Validation (Trusting all certificates) . . . . . . . . . . . . . 18 3.5.2 No Hostname Verification (Allowing All Hostnames) . . . . . . . . . . . . 19 3.5.3 Ignoring SSL Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Chapter 4 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 4.1 The need for secure data transport . . . . . . . . . . . . . . . . . . . . . . . . . . 22 4.2 Analysis of Open-source Applications . . . . . . . . . . . . . . . . . . . . . . . . . 23 4.3 Methods for incorrectly implementing SSL . . . . . . . . . . . . . . . . . . . . . . 26 4.3.1 Trust All TrustManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.3.2 Allow All HostnameVerifier . . . . . . . . . . . . . . . . . . . . . . . . . . 26 4.3.3 Ignoring SSL Error . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Chapter 5 Analysis of SSL usage in Android . . . . . . . . . . . . . . . . . . . . . . 30 5.1 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 5.2 Manual Analysis of 200 Closed Source apps . . . . . . . . . . . . . . . . . . . . . 31 5.3 Analysis of Closed-Source Applications . . . . . . . . . . . . . . . . . . . . . . . . 33 5.4 Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 v
    Chapter 6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 6.1 Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 Chapter 7 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Chapter 8 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Appendix B Control Flow Diagrams representing SSL Use APPENDICES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Appendix A Correct Implementation of SSL . . . . . . . . . . . . . . . . . . . . . . . 48 A.1 WebViewClient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 A.2 TrustManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 A.3 Hostname Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 . . . . . . . . . . . . . . 52 B.1 WebViewClient . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 B.2 TrustManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 B.3 Hostname Verifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 Appendix C Known Classes which implement SSL incorrectly . . . . . . . . . . . . . 56 . . . . . . . . . . . . . . . . 56 C.1 Incorrect implementations of HostnameVerifier C.2 Incorrect implementations of TrustManager . . . . . . . . . . . . . . . . . . 57 vi
    分享到:
    收藏

    相关推荐

    资料库

    操作系统

    共收录1433份资料,累计11个分类,关注成员有19位,主要包括:CentOS,MacOS,DOS,Solaris,Ubuntu,Unix,OS,桌面系统,其它,Windows Server,Linux

    热门标签

    CentOS MacOS DOS Solaris Ubuntu Unix OS 桌面系统 其它 Windows Server Linux

    最新资料