POSTER: Android + Open Wi-Fis = Broken SSL?

In previous work [1] we demonstrated severe problems with the way Android applications use SSL. We performed an in-depth study of 13,500 Android apps and discovered that a large number of apps did not use SSL correctly and thus, were vulnerable to Man-In-The-Middle attacks. To make these threats a reality, an attacker needs to execute an active man-in-the-middle attack (MITMA). While MITMAs are a threat against desktop systems as well, MITMAs against mobile devices are easier to mount, since the use of mobile devices frequently occurs in changing and untrusted environments. In this work, we evaluate the severity of the threat of MITMAs against Android devices which use public Wi-Fis and show how the problems with SSL and the CA infrastructure not only do not protect from MITMAs but can actually facilitate them. While the use of open access points and the evil twin attack [2] are already well known threats against open Wi-Fis, we also show how attackers can even bypass apps that implement secure SSL certificate verification. We conducted an initial Amazon MTurk based study of our attack for Android users which can be used to set up future MITMAs even when SSL is implemented correctly.