Abstract

Smartphones are increasingly used worldwide and are now an essential tool for our everyday tasks. These tasks are supported by smartphone applications (apps) which commonly rely on network communication to provide a certain utility such as online banking. From a security and privacy point of view a properly secured (encrypted) communication channel is important in order to protect sensitive information against passive and active attacks. Previous research outlined that developers often fail to implement proper certificate validation in their custom SSL/TLS implementations and thus fail to secure the network communication. Previous research however proposed solutions for developers and not for the affected users. This global growth introduced drastic changes to the network utilization. In this paper we discuss this issue on the basis of Android apps. We analyzed over 50,000 Android apps, collected during two consecutive years, regarding the correct use of SSL/TLS protocols. Furthermore, we discuss the current situation. We propose dynamic certificate pinning, a device-based solution that overcomes the problem of broken SSL/TLS implementations in Android apps. To the best of our knowledge, we are the first to solve this problem by combining established techniques such as certificate pinning with dynamic instrumentation techniques to tackle one of the major security challenges in the network communication of smartphone applications.