Auditing encrypted communications in Android
In order to safeguard their users’ privacy certain Android applications include security measures to protect their communications with external servers e.g. by means of certificate pinning.
In 2011, Google was the first to begin applying certificate pinning to its Android device communications. This procedure consists in pinning a list with the certificates in which an app trusts when setting a secured communication: each time a new secured connection is to be stablished, the client, preconfigured to know which server certificate to expect, checks whether it is or is not on the list. If the server certificate does not match the pinned certificates, the client prevents the session from proceeding. Certificate pinning relies on implementations introduced in the Android SDK, in the app AndroidManifest.xml or through third party libraries.
Sometimes, researches need to bypass certificate pinning protections e.g. to audit communications, to know what mobile applications do with our personal information and to check if they comply with privacy regulations. Apps can be instrumented to override the functionality of certificate pinning methods in real time, breaking communications and visualizing the personal data they carry. For the time being we have been able to override the following libraries and methods.
Library | Method |
Trustmanager | void init(KeyManager KeyManager, TrustManager TrustManager, SecureRandom SecureRandom) |
OkHttp3 | Not an explicit method: Overriding of Certificate Pinner class as an ArrayList. |
Android WebViewClient | void onReceivedError(WebView view, WebResourceRequest request, WebResourceError error) |
OkHttpClient | void $init(OkHttpClient$Builder okhttpclientbuilder) OkHttpClient build() |
As a result, taking as a baseline our previous implementations, it has been possible to double the number of communications interceptions, double the number of applications whose communications have been intercepted and improve by more than 10% the identification of privacy leaks.
This post has been authored by Antonio Javier de Lucas, who is carrying out his undergraduate thesis entitled “Desarrollo e implementación de mecanismos de auditoría de comunicaciones cifradas en Android” under the supervision of José M. del Álamo.
About Jose M. Del Alamo
I am Associate Professor at UPM, affiliated with the Departamento de Ingeniería de Sistemas Telemáticos and the Information Processing and Telecommunications R&D Center. My research work focuses on issues related to privacy, identity and trust management, and considering these aspects to advance the software and systems engineering methodologies applying technological approaches by-design and by-default.
- Web |
- More Posts(16)
Auditing encrypted communications in Android por jmdelalamo está licenciado bajo una Licencia Creative Commons Atribución-NoComercial-SinDerivar 4.0 Internacional.