SSL Implementation Vulnerability Lab


SSL (Secure Sockets Layer) is the de facto standard for secure Internet communications. However, SSL certificate validation has been shown to be completely broken in many security applications and libraries. Flawed certificate validation renders this software vulnerable to man-in-the-middle attacks.

In the smartphone app market, apps are written by developers with varying levels of security knowledge, and many of them are suspected of flawed certificate validation. In this lab, students will conduct a series of experiments to find flawed apps and further analyze the cause. They will learn how to set up the proxy, monitor HTTPS packets, identify sensitive information in the packets, and distinguish malicious applications.

2.  Pre-lab Reading

There are two excellent articles on SSL security on mobile operating systems. “The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software” by Georgiev et al. [1] demonstrated that even standard SSL libraries such as JSSE, OpenSSL, GnuTLS, etc., which are used in applications, may have incorrect certificate validation. The authors showed that using SSL in non-browser software is a surprisingly challenging task.

The other one, “Why Eve and Mallory Love Android: An Analysis of Android SSL (in)Security” by Fahl et al. [2], focuses on SSL problems on the Android platform. The authors present an investigation of current SSL/TLS usage in Android and the security threats.

3.   Experiment

The basic experiment is designed to find out whether an app is flawed in its certificate verification process. A malicious proxy server is used to issue a fake certificate when an app tries to set up an SSL connection with a legitimate server. In the normal situation, the verification process should fail and the secure connection cannot be set up. However, in the case of flawed apps, either the fake certificate passes a flawed verification process, or the fake certificate fails verification and the failure is ignored. In either case, a secure channel is set up between the app and the malicious proxy server, so all future communications between the app and the legitimate server will be monitored by the malicious proxy server.

There are three parts in our experiment: the first is the applications’ server, the second is the malicious proxy server, and the third is the client. In this lab, our work will focus on the proxy server and the client; the applications’ server will not be discussed. It should be pointed out that the client type is not limited to mobile devices. For students’ convenience, the client could be a smartphone (Android), an iOS phone, or an emulator.

In the following, brief instructions are given on:

  1. How to set up the malicious proxy server (mitmproxy);
  2. How to set the malicious proxy server as your smartphone’s proxy server:
    1. Android phone
    2. Apple phone
    3. Android virtual device
  3. How to test whether an app is flawed or not.
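
Once the proxy test flags an app, the cause can be looked for in its code. The following added example (not part of the original lab material) is a heuristic scanner for Java source, such as decompiled app code, that flags the two failure cases described in the Experiment section: validation that accepts a fake certificate, and a validation failure that is ignored. The pattern list and the sample input are assumptions of this example.

```python
import re

# Heuristic regexes for the two failure modes, applied to Java source. The list is
# this example's assumption and is not exhaustive (no lambdas, no obfuscated code).
PATTERNS = [
    ("accepts-fake-cert", "empty checkServerTrusted",
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}")),
    ("accepts-fake-cert", "HostnameVerifier always returns true",
     re.compile(r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)"
                r"\s*\{\s*return\s+true\s*;\s*\}")),
    ("accepts-fake-cert", "ALLOW_ALL_HOSTNAME_VERIFIER",
     re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b")),
    ("ignores-failure", "onReceivedSslError calls proceed()",
     re.compile(r"void\s+onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(\s*\)")),
]

# String literals are matched first so that "https://..." is not taken for a comment.
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(src):
    """Blank out comments with spaces, keeping newlines so line numbers survive."""
    def blank(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return _STRING_OR_COMMENT.sub(blank, src)

def scan(src):
    """Return sorted (line, category, label) findings for one source file."""
    code = strip_comments(src)
    return sorted((code.count("\n", 0, m.start()) + 1, category, label)
                  for category, label, rx in PATTERNS for m in rx.finditer(code))

# Constructed Java fragments used as sample input, not taken from any real app.
SAMPLE = '''\
class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
        // accept everything
    }
}
class Client extends WebViewClient {
    String url = "https://example.test/"; // constructed URL
    public void onReceivedSslError(WebView v, SslErrorHandler handler, SslError e) {
        handler.proceed();
    }
}
'''
if __name__ == "__main__":
    for line, category, label in scan(SAMPLE):
        print(f"line {line}: [{category}] {label}")
```

A finding is a lead for manual review, not proof: the proxy experiment remains the test of whether the app actually accepts the fake certificate.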

