An automatically vetting mechanism for SSL error-handling vulnerability in android hybrid Web apps


By a News Reporter-Staff News Editor at Internet Weekly News -- Researchers detail new data in Internet and World Wide Web. According to news originating from Shandong, People’s Republic of China, by VerticalNews correspondents, research stated, “A large set of diverse hybrid mobile apps, which use both native Android app UIs and Web UIs, are widely available in today’s smartphones. These hybrid apps usually use SSL or TLS to secure HTTP based communication.”

Our news journalists obtained a quote from the research from Shandong University, “However, researchers show that incorrect implementation of SSL or TLS may lead to serious security problems, such as Man-In-The-Middle (MITM) attacks and phishing attacks. This paper investigates a particular SSL vulnerability that results from error-handling code in the hybrid mobile Web apps. Usually such error-handling code is used to terminate an ongoing communication, but the vulnerability of interest is able to make the communication proceed regardless of SSL certificate verification failures, eventually lead to MITM attacks. To identify those vulnerable apps, we develop a hybrid approach, which combines both static analysis and dynamic analysis to (1) automatically distinguish the native Android UIs and Web UIs, and execute the Web UIs to trigger the error-handling code; (2) accurately select the correct paths from the app entry-point to the targeted code, meanwhile avoiding the crash of apps, and populate messaging objects for the communication between components. Specifically, we construct inter-component call graphs to model the connections, and design algorithms to select the paths from the established graph and determine the parameters by backtracing. To evaluate our approach, we have implemented and tested it with 13,820 real world mobile Web apps from Google Play. The experimental results demonstrate that 1,360 apps are detected as potentially vulnerable ones solely using the static analysis.”

According to the news editors, the research concluded: “The dynamic analysis process further confirms that 711 apps are truly vulnerable among the potentially vulnerable set.”
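As an added illustration (not code from the paper or from NewsRx), the sketch below shows the kind of error-handling code the abstract describes and a first-pass way to flag it. It assumes the handler in question is Android's `WebViewClient.onReceivedSslError` callback, where calling `SslErrorHandler.proceed()` continues the connection after a certificate failure and `cancel()` terminates it. The text-level check is a simplification standing in for the paper's call-graph analysis, and the Java samples are constructed.

```python
import re

# Constructed Java samples (not taken from any real app).
VULNERABLE = '''
public class PayClient extends WebViewClient {
    public void onReceivedSslError(WebView view, SslErrorHandler h, SslError error) {
        h.proceed();   // continues despite the verification failure
    }
}
'''
SAFE = '''
public class PayClient extends WebViewClient {
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        // handler.proceed() would accept the bad certificate
        handler.cancel();
    }
}
'''

# Matches a method definition (followed by '{'), not a super.onReceivedSslError(...) call.
SIG = re.compile(r'onReceivedSslError\s*\(([^)]*)\)\s*\{')

def strip_comments(src):
    # Naive: does not protect '//' or braces inside string literals.
    src = re.sub(r'/\*.*?\*/', '', src, flags=re.S)
    return re.sub(r'//[^\n]*', '', src)

def handler_bodies(src):
    """Yield (handler parameter name, method body) for each override found."""
    src = strip_comments(src)
    for m in SIG.finditer(src):
        name = re.search(r'\bSslErrorHandler\s+(\w+)', m.group(1))
        if not name:
            continue
        depth, i = 1, m.end()
        while i < len(src) and depth:          # walk to the matching '}'
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield name.group(1), src[m.end():i - 1]

def classify(src):
    """'proceeds' = potentially vulnerable, 'no-proceed' = override without proceed(), 'none' = no override."""
    verdict = 'none'
    for name, body in handler_bodies(src):
        if re.search(r'\b%s\s*\.\s*proceed\s*\(' % re.escape(name), body):
            return 'proceeds'
        verdict = 'no-proceed'
    return verdict
```

A `proceeds` result only marks a candidate, in the same sense as the "potentially vulnerable" set from the static stage; whether the call is reachable at run time is what the dynamic stage has to confirm.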

For more information on this research see: An automatically vetting mechanism for SSL error-handling vulnerability in android hybrid Web apps. World Wide Web-Internet and Web Information Systems, 2018;21(1):127-150. World Wide Web-Internet and Web Information Systems can be contacted at: Springer, 233 Spring St, New York, NY 10013, USA.

The news correspondents report that additional information may be obtained from Y. Liu, Shandong University, Jinan, Shandong, People’s Republic of China. Additional authors for this research include C.S. Zuo, Z.H. Zhang, S.Q. Guo and X.S. Xu.

The digital object identifier (DOI) for that additional information is: https://doi.org/10.1007/s11280-017-0458-9. This DOI is a link to an online electronic document that is either free or for purchase, and can be your direct source for a journal article and its citation.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2018, NewsRx LLC

CITATION: (2018-02-12), Findings from Shandong University Provides New Data on Internet and World Wide Web (An automatically vetting mechanism for SSL error-handling vulnerability in android hybrid Web apps), Internet Weekly News, 7, ISSN: 1944-2335, BUTTER® ID: 015136485

From the newsletter Internet Weekly News.
https://www.newsrx.com/Butter/#!Search:a=15136485

