Hot off the presses (but its not limited to Android): "Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security", http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf. Or should it be "The Case for Public Key Pinning"?
"...The most common approach to protect data during communication on the Android platform is to use the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. To evaluate the state of SSL use in Android apps, we downloaded 13,500 popular free apps from Google’s Play Market and studied their properties with respect to the usage of SSL. In particular, we analyzed the apps’ vulnerabilities against Man-in-the-Middle (MITM) attacks due to the inadequate or incorrect use of SSL. For this purpose, we created MalloDroid, an Androguard extension that performs static code analysis to a) analyze the networking API calls and extract valid HTTP(S) URLs from the decompiled apps; b) check the validity of the SSL certificates of all extracted HTTPS hosts; and c) identify apps that contain API calls that differ from Android’s default SSL usage, e.g., contain non-default trust managers, SSL socket factories or hostname verifiers with permissive verification strategies. Based on the results of the static code analysis, we selected 100 apps for manual audit to investigate various forms of SSL use and misuse: accepting all SSL certificates, allowing all hostnames regardless of the certificate’s Common Name (CN), neglecting precautions against SSL stripping, trusting all available Certificate Authorities (CAs), not using SSL pinning, and misinforming users about SSL usage." _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography