How to Detect SSL Leakage in Mobile Apps
LinkedIn researchers find piles of SSL configuration flaws in mobile apps and so can you.
The Secure Sockets Layer protocol (SSL) is a foundational technology on the modern Internet, enabling data in transit to be encrypted and travel securely. Yet according to security researchers Tony Trummer and Tushar Dalvi, many popular mobile apps do not properly implement SSL.
Trummer and Tushar, both security researchers working at LinkedIn, detailed their finding in a session at the Defcon security conference over the weekend. The research was not sponsored or endorsed by their employer and was done on their own time.
In many of the mobile apps they tested across both iOS and Android, the two researchers found that app developers had disabled certificate authority (CA) validation. This validation is a best practice to ensure that an SSL certificate is authentic and valid.
Checking for CAs
Trummer and Tushar suggested a simple test that can be used to see if a CA is being contacted. They recommend that researchers install BurpSuite software, a Web application security testing toolkit that has both free and paid editions. Burpsuite can be used as a proxy for Web traffic and can generate a CA signed per-host certificate.
The end-user device with the mobile app should be configured to point to the proxy. If secure SSL traffic from the device is still able to get through, that is an indication that CA validation is not properly working.
Checking for Hostnames
With SSL it's also important that the name on the certificate matches the name of the site being contacted. To test that proper hostname checking is in place, get a valid certificate for a domain different than the target domain being tested.
Trummer and Tushar suggest that BurpSuite then be configured to use the test certificate. If secure SSL traffic is still able to flow through from the mobile app, then there is a potential problem.
Trummer noted that there are also apps that send sensitive information like credit card data without any SSL or encryption at all. Mobile app developers need to be trained on proper SSL security implementation, he said. He added that vendors should have policies in place to make sure data in transit is secured.
Trummer suggested that Android developers be especially careful with TrustManager, SSLSocket and HostName Verifier attributes in mobile application code.
For iOS developers, the areas that need to be emphasized and scrutinized are the _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_, SetAllowsAnyHTTPSCertificate and kCFStreamSSLAllowsAnyRoot functions in mobile app code.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.
By Jeff Goldman
June 20, 2014
The malware, also called Dyreza, is designed to bypass SSL and steal login credentials.