如今,移动设备的使用不断增加,进行着和过去不到十年前习惯在 Web 服务上进行的相同的的操作[1,2]。但是,有必要在这两个环境中提供相同的安全解决方案,因为两种操作都同样重要。SSL/TLS(安全套接字协议/安全传输层协议)技术已经被广泛地用作保护互联网许多方面的基础,例如保护 HTTP 协议[3]。
本节介绍了一些基本概念,以确定本文的背景。首先,介绍了面向移动应用程序的 OWASP 移动测试指南,证明了将其用作 Web 应用程序的安全模型是合理的。其次,简要地介绍了 SSL/TLS 的操作。SSL/TLS 已被使用多年,用来增加一个额外的安全层。最后会介绍一些 SSL/TLS 漏洞,从而证明本文研究的必要性。
2.1. OWASP Mobile
OWASP 是一个负责制定 Web 应用程序安全标准的全球组织[14]。这样,我们可以在 OWASP 的文档中找到一些信息和方法论的来源。最著名的方法论是所谓的 Top 10,显示了最常见的漏洞。OWASP 组织针对 web、mobile 和 IoT 软件制定了安全风险 Top 10[15]。根据我们的实践,我们选择 OWASP Top 10 Mobile 作为我们的开始点。表1显示了2016年12月 OWASP Mobile Top 10,这是最新的更新[13]。
图2显示了 SSL pinning 的实现过程,该过程分为两个阶段。在第一阶段,移动设备必须启动与服务器的通信。无论服务器是否处于活动状态,都会做出响应(图2中的 server hello)。然后,当服务器回答其证书和公钥信息的内容时(图2中的 server certficate),客户端请求服务器的证书。
Li, D.; Guo, B.; Shen, Y.; Li, J.; Huang, Y. The evolution of open-source mobile applications: An empirical study. J. Softw. Evol. Process. 2017, 29, e1855. [Google Scholar] [CrossRef]
Unal, P.; Temizel, T.T.; Eren, P.E. What installed mobile applications tell about their owners and how they affect users’ download behavior. Telemat. Inform. 2017, 34, 1153–1165. [Google Scholar] [CrossRef]
Kumar, R.; Perti, A. Security issues with self-signed SSL certificates. Int. J. Innov. Technol. Explor. Eng. (IJITEE) 2019, 8, 7S2. [Google Scholar]
Lindgren, A.; Lindoff, B. On Estimating the Number of Worldwide LTE Cell-IDs and WiFi Aps. 2018. Available online: https://combain.com/uploads/Whitepaper_WorldWide_LTE_CellID_and_WiFi_APs_A.pdf (accessed on 3 September 2019).
Anthi, E.; Theodorakopoulos, G. Sensitive data in Smartphone Applications: Where does it go? Can it be intercepted? In International Conference on Security and Privacy in Communication Systems; Springer: Berlin/Heidelberg, Germany, 2017; pp. 301–319. [Google Scholar]
Khan, J.; Abbas, H.; Al-Muhtadi, J. Survey on mobile user’s data privacy threats and defense mechanisms. In Proceedings of the 12th Iberian Conference on Information Systems Technolo-Gies (CISTI), Lisbon, Portugal, 14–17 June 2017. No. 7975981. [Google Scholar]
D’Orazio, C.J.; Choo, K.-K.R. A technique to circumvent SSL/TLS validations on iOS devices. Future Gener. Comput. Syst. 2017, 74, 366–374. [Google Scholar]
Razaghpanah, A.; Sundaresan, S.; Niaki, A.A.; Amann, J.; Vallina-Rodriguez, N.; Gill, P. Studying TLS usage in Android apps. In Proceedings of the 13th International Conference on Emerging Technologies (CoNEXT 2017), Ingeon, Korea, 12–15 December 2017; pp. 350–362. [Google Scholar]
Fahl, S.; Harbach, M.; Perl, H.; Koetter, M.; Smith, M. Rethinking SSL development in an appified world. In Proceedings of the ACM SIGSAG Conference on Computer & Communications Security (CCS 2013), Berlin, Germany, 4–8 November 2013; pp. 49–60. [Google Scholar]
De los Santos, S.; Torres, J. Analysing HSTS and HPKP implementation in both browsers and servers. IET Inf. Secur. 2017, 12, 275–284. [Google Scholar] [CrossRef]
Mueller, B.; Schleier, S. OWASP Mobile Application Security Verification Standard v 1.1.4. Available online: https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide (accessed on 21 November 2019).
Dhawale, C.A.; Misra, S.; Jambhekar, N.D.; Thakur, S.U. Mobile computing security threats and solution. Int. J. Pharm. Technol. 2016, 8, 23075–23086. [Google Scholar]
OWASP Mobile Top 10. 2016. Available online: https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10 (accessed on 22 February 2017).
Kim, S.; Han, H.; Shin, D.; Jeun, I.; Jeong, H. A study of International Trend Analysis on Web Service Vulnerabilities in OWASP and WASC. In Proceedings of the 3rd International Conference on Information Security and Assurance (ISA 2009), Seoul, Korea, 25–27 June 2009; Springer: Heidelberg, Germany; Volume 5576, pp. 788–796. [Google Scholar]
Szczepanik, M.; Jozwiak, I. Security of mobile banking applications. Adv. Intell. Syst. Comput. 2018, 635, 412–419. [Google Scholar]
Hickman, K. The SSL Protocol; Netscape Communications Corp: Mountain View, CA, USA, 1995. [Google Scholar]
Dierks, T.; Rescorla, E. The TLS Protocol Version 1.2. RFC 5246. Available online: https://tools.ietf.org/html/rfc5246 (accessed on 21 November 2019).
Gu, X.; Gu, X. On the detection of fake certificates via attribute correlation. Entropy 2015, 17, 3806–3837. [Google Scholar] [CrossRef]
Varela-Vaca, A.J.; Gasca, R.M. Towards the automatic and optimal selection of risk treatments for business processes using a constraint programming approach. Inf. Softw. Technol. 2013, 55, 1948–1973. [Google Scholar] [CrossRef]
Oracle—Java Secure Socket Extension (JSSE) Reference Guide. 2018. Available online: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html (accessed on 3 September 2019).
OpenSSL. Available online: https://www.openssl.org/ (accessed on 3 September 2019).
LibreSSL. Available online: http://www.libressl.org/ (accessed on 3 September 2019).
GNUTLS. Available online: https://www.gnutls.org/ (accessed on 3 September 2019).
Al-Qershi, F.; Al-Qurishi, M.; Md Mizanur Rahman, S.; Al-Amri, A. Android vs. iOS: The security battle. In Proceedings of the 2014 World Congress on Computer Applications and Information Systems (WCCAIS), Hammamet, Tunisia, 17–19 January 2014; pp. 1–8. [Google Scholar] [CrossRef]
Onwuzurike, L.; de Cristofaro, E. Danger is my middle name: Experimenting with SSL vulnerabilities in Android apps. In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks (WiSec’ 15), New York, NY, USA, 22–26 June 2015; ACM: New York, NY, USA, 2015. [Google Scholar] [CrossRef]
Fahl, S.; Harbach, M.; Muders, T.; Baumgärtner, L.; Freisleben, B.; Smith, M. Why eve and mallory love android: An analysis of android SSL (in)security. In Proceedings of the 2012 ACM conference on Computer and Communications Security (CCS’ 12), Raleigh, NC, USA, 16–18 October 2012; ACM: New York, NY, USA, 2012; pp. 50–61. [Google Scholar] [CrossRef]
Tendulkar, V.; Enck, W. An Application Package Configuration Approach to Mitigating Android SSL Vulnerabilities. arXiv 2014, arXiv:1410.7745. [Google Scholar]
Moonsamy, V.; Batten, L. Mitigating Man-In-the-Middle Attacks on Smartphones—A Discussion of SSL Pinning and DNSSec. In Proceedings of the 12th Australian Information Security Management Conference; Edith Cowan University: Perth, Australia, 2014. [Google Scholar]
Graves, J. SSL Pinning for Increased App Security. 2013. Available online: https://possiblemobile.com/2013/03/ssl-pinning-forincreased-app-security/ (accessed on 18 October 2019).
Andzakovic, D. Bypassing SSL Pinning on Android via Reverse Engineering. 2014. Available online: https://security-assessment.com/files/documents/whitepapers/BypassingSSLPinningonAndroidviaReverseEngineering.pdf (accessed on 16 September 2019).
Sierra, F.; Ramirez, A. Defending your android app. In Proceedings of the ACM Conference on Research in Information Technology, Chicago, IL, USA, 30 September–3 October 2015; pp. 29–34. [Google Scholar]
OWASP—Mobile Security Testing Guide—Android Anti-Reversing Defenses. Available online: https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05j-testing-resiliency-against-reverse-engineering (accessed on 16 September 2019).
Apple Inc. Security Transforms Programming Guide. Available online: https://developer.apple.com/library/content/documentation/Security/Conceptual/SecTransformPG/SigningandVerifying/SigningandVerifying.html (accessed on 3 September 2019).
ProGuard. Available online: https://www.guardsquare.com/en/proguard (accessed on 3 September 2019).
iXGuard. Available online: https://www.guardsquare.com/en/ixguard (accessed on 3 September 2019).
APKtool. Available online: https://ibotpeaches.github.io/Apktool (accessed on 3 September 2019).
Penetration Testing Tool: Dex2jar Package. Available online: https://tools.kali.org/reverse-engineering/dex2jar (accessed on 3 September 2019).
Android Developer: Logcat. Available online: https://developer.android.com/studio/command-line/logcat (accessed on 3 September 2019).
SSLUnpinning—Certificate Pinning Bypass. Available online: https://repo.xposed.info/module/mobi.acpm.sslunpinning (accessed on 16 September 2019).
Frida. Available online: https://www.frida.re/ (accessed on 3 September 2019).
Objection. Available online: https://github.com/sensepost/objection (accessed on 3 September 2019).