EmphaSSL: Towards emphasis as a mechanism to harden networking security in Android apps
Using secure HTTP calls is a first and critical step toward protecting an Android application's data whenever the app talks to the Internet. However, one of the major causes of unencrypted or improperly secured communication is developer error or ignorance. Could emphasis shift from literal, repetitive and ineffective reminders to emphasis as a mechanism? This paper introduces emphaSSL, a simple, practical and readily deployable way to harden networking security in Android applications. emphaSSL guides developers' security decisions through real-time feedback, informative warnings and suggestions. At its core is a set of rigorous security rules derived from an in-depth SSL/TLS security analysis using security requirements engineering techniques. We implement emphaSSL on top of the PMD static analyzer and evaluate it against 75 open-source Android applications. Our results show that emphaSSL is effective at detecting security violations in HTTPS calls with a very low false positive rate, around 2%. Furthermore, we identified 164 substantial SSL mistakes in the tested apps, 40% of which are potentially vulnerable to man-in-the-middle attacks. In each instance the vulnerability could be resolved quickly with the help of emphaSSL's highlighted messages. Upon notifying developers of our findings in their applications, we received positive responses and interest in this approach.
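To make the kind of "security violation in HTTPS calls" concrete, the following is an added example written for this page; it is not the emphaSSL implementation and its rules are not the ones derived in the paper. It is a toy source-level checker in the spirit of a PMD rule set: four assumed, well-known Android SSL/TLS pitfalls (a trust-all X509TrustManager, a HostnameVerifier that always returns true, Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER, and a cleartext http:// URL) are matched against two constructed Java snippets, one vulnerable and one hardened, and each hit is turned into a developer-facing warning with a line number.

```python
"""Toy static checker for common Android SSL/TLS misuse in Java source.

Added example for this page; it is NOT the emphaSSL implementation or its
rule set. The four rules are assumed, well-known Android pitfalls chosen to
illustrate the kind of check a PMD rule performs. Both Java snippets below
are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    message: str


# rule id -> (pattern applied to the whole source, developer-facing explanation)
RULES = {
    "TRUST_ALL_MANAGER": (
        re.compile(r"checkServerTrusted\s*\([^)]*\)[^{;]*\{\s*\}"),
        "checkServerTrusted() has an empty body, so every server certificate "
        "is accepted; an active attacker can terminate the TLS session.",
    ),
    "HOSTNAME_VERIFIER_TRUE": (
        re.compile(r"\bverify\s*\([^)]*\)[^{;]*\{\s*return\s+true\s*;\s*\}"),
        "HostnameVerifier.verify() always returns true, so a valid certificate "
        "for any other host is accepted.",
    ),
    "ALLOW_ALL_HOSTNAME_VERIFIER": (
        re.compile(r"\bALLOW_ALL_HOSTNAME_VERIFIER\b"),
        "Apache HttpClient's ALLOW_ALL_HOSTNAME_VERIFIER disables hostname checks.",
    ),
    "CLEARTEXT_URL": (
        re.compile(r'"http://'),
        "Cleartext http:// URL: traffic is neither encrypted nor authenticated.",
    ),
}


def scan(java_source: str) -> list[Finding]:
    """Run every rule over the source and return findings ordered by line."""
    findings = []
    for rule, (pattern, message) in RULES.items():
        for m in pattern.finditer(java_source):
            line = java_source.count("\n", 0, m.start()) + 1
            findings.append(Finding(rule, line, message))
    return sorted(findings, key=lambda f: f.line)


def rules_triggered(java_source: str) -> set[str]:
    """Set of rule ids that fired at least once."""
    return {f.rule for f in scan(java_source)}


def report(java_source: str) -> str:
    """Format findings the way an IDE warning list would show them."""
    return "\n".join(f"line {f.line}: [{f.rule}] {f.message}" for f in scan(java_source))


# Constructed vulnerable snippet: accepts any certificate for any host.
VULNERABLE_JAVA = """\
TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {}
    public void checkServerTrusted(X509Certificate[] chain, String authType) {}
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
}};
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, trustAll, null);
HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
});
factory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
URL api = new URL("http://api.example.com/login");
"""

# Constructed hardened snippet: platform trust store and default hostname
# verification over https. (Pinning via Android's Network Security Config
# would tighten this further; it is out of scope for this example.)
HARDENED_JAVA = """\
URL api = new URL("https://api.example.com/login");
HttpsURLConnection conn = (HttpsURLConnection) api.openConnection();
// No custom TrustManager or HostnameVerifier: the platform defaults apply.
conn.connect();
"""

if __name__ == "__main__":
    print(report(VULNERABLE_JAVA) or "no findings")
    print("hardened:", report(HARDENED_JAVA) or "no findings")
```

Regex matching over source text is deliberately crude: a real PMD rule works on the Java AST, so it would not be fooled by comments, reformatting or a `checkServerTrusted` body that merely logs and returns, which is why a tool like the one the paper describes uses a proper analyzer rather than patterns like these.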