Close Menu
Technotification
    Facebook X (Twitter) Instagram
    Facebook X (Twitter) Instagram
    Technotification
    • Home
    • News
    • How To
    • Explained
    • Facts
    • Lists
    • Programming
    • Security
    • Gaming
    Technotification
    Home › Security › How to Detect SSL flaws in Mobile Apps

    How to Detect SSL flaws in Mobile Apps

    By Vikram Singh RaoJuly 6, 2017
    Facebook Twitter Reddit LinkedIn
    SSL leakage

    The Secure Sockets Layer protocol (SSL) is a foundational technology on the modern Internet, enabling data in transit to be encrypted and travel securely. Yet according to security researchers Tony Trummer and Tushar Dalvi, many popular mobile apps do not properly implement SSL.

    Trummer and Tushar, both security researchers working at LinkedIn, detailed their finding in a session at the Defcon security conference over the weekend. The research was not sponsored or endorsed by their employer and was done on their own time.

    In many of the mobile apps they tested across both iOS and Android, the two researchers found that app developers had disabled certificate authority (CA) validation. This validation is a best practice to ensure that an SSL certificate is authentic and valid.

    Checking for CAs

    Trummer and Tushar suggested a simple test that can be used to see if a CA is being contacted. They recommend that researchers install BurpSuite software, a Web application security testing toolkit that has both free and paid editions. Burpsuite can be used as a proxy for Web traffic and can generate a CA signed per-host certificate.

    The end-user device with the mobile app should be configured to point to the proxy. If secure SSL traffic from the device is still able to get through, that is an indication that CA validation is not properly working.

    Checking for Host names

    With SSL it’s also important that the name on the certificate matches the name of the site being contacted. To test that proper hostname checking is in place, get a valid certificate for a domain different than the target domain being tested.

    Trummer and Tushar suggest that BurpSuite then be configured to use the test certificate. If secure SSL traffic is still able to flow through from the mobile app, then there is a potential problem.

    Trummer noted that there are also apps that send sensitive information like credit card data without any SSL or encryption at all. Mobile app developers need to be trained on proper SSL security implementation, he said. He added that vendors should have policies in place to make sure data in transit is secured.

    Trummer suggested that Android developers be especially careful with TrustManager, SSLSocket and HostName Verifier attributes in mobile application code.

    For iOS developers, the areas that need to be emphasized and scrutinized are the _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_, SetAllowsAnyHTTPSCertificate and kCFStreamSSLAllowsAnyRoot functions in mobile app code.

     

    BY: Sean Michael Kerner via esecurityplanet.com

    Share. Facebook Twitter LinkedIn Tumblr Reddit Telegram WhatsApp
    Vikram Singh Rao
    • Website
    • Facebook
    • X (Twitter)
    • LinkedIn

    I am an entrepreneur at heart who has made his hobby turned a passion, his profession now.

    Related Posts

    The Psychology of a Phishing Email: How Scammers Play with Your Mind

    July 16, 2024

    9 Essential Elements of a Strong Cyber Security Management System

    July 3, 2024

    Common Cyber Attacks and How to Prevent Them

    July 3, 2024

    Comparing Traditional vs. Digital Metrology Tools

    June 27, 2024

    How Cyber Security Paid Training Prepares You for Real-World Threats

    June 13, 2024

    The Role of Security in Server Colocation Environments

    March 12, 2024
    Lists You May Like

    10 Best RARBG Alternative Sites in April 2025 [Working Links]

    April 1, 2025

    10 Sites to Watch Free Korean Drama [2025 Edition]

    January 2, 2025

    The Pirate Bay Proxy List in 2025 [Updated List]

    January 2, 2025

    10 Best Torrent Search Engine Sites (2025 Edition)

    February 12, 2025

    10 Best GTA V Roleplay Servers in 2025 (Updated List)

    January 6, 2025

    5 Best Torrent Sites for Software in 2025

    January 2, 2025

    1337x Alternatives, Proxies, and Mirror Sites in 2025

    January 2, 2025

    10 Best Torrent Sites for eBooks in 2025 [Working]

    January 2, 2025

    10 Best Anime Torrent Sites in 2025 [Working Sites]

    January 6, 2025

    Top Free Photo Editing Software For PC in 2025

    January 2, 2025
    Pages
    • About
    • Contact
    • Privacy
    • Careers
    Privacy

    Information such as the type of browser being used, its operating system, and your IP address is gathered in order to enhance your online experience.

    © 2013 - 2025 Technotification | All rights reserved.

    Type above and press Enter to search. Press Esc to cancel.