Graduate School and Research Center in Digital Sciences

Towards HTTPS everywhere on Android: We are not there yet

Posssemato, Andrea; Fratantonio, Yanick

USENIX Security 2020, 29th USENIX Security Symposium, 12-14 August 2020, Boston, MA, USA (Virtual Conference)

Nowadays, virtually all mobile apps rely on communicating with a network backend. Given the sensitive nature of the data exchanged between apps and their backends, securing these network communications is of growing importance. In recent years, Google has developed a number of security mechanisms for Android apps, ranging from multiple KeyStores to the recent introduction of the new Network Security Policy, an XML-based configuration file that allows apps to define their network security posture. In this paper, we perform the first comprehensive study on these new network defense mechanisms. In particular, we present them in detail, we discuss the attacks they are defending from, and the relevant threat models. We then discuss the first large-scale analysis on this aspect. During June and July 2019, we crawled 125,419 applications and we found how only 16,332 apps adopt this new security feature. We then focus on these apps, and we uncover how developers adopt weak and potentially vulnerable network security configurations. We note that, in November 2019, Google then made the default policy stricter, which would help the adoption. We thus opted to re-crawl the same dataset (from April to June 2020) and we repeated the experiments: while more apps do adopt this new security mechanism, a significant portion of them still do not take fully advantage of it (e.g., by allowing usage of insecure protocols). We then set out to explore the root cause of these weaknesses (i.e., the why). Our analysis showed that app developers often copy-paste vulnerable policies from popular developer websites (e.g., StackOverflow). We also found that several popular ad libraries require apps to weaken their security policy, the key problem lying in the vast complexity of the ad ecosystem. As a last contribution, we propose a new extension of the Network Security Policy, so to allow app developers to embed problematic ad libraries without the need to weaken the security of their entire app.

Document Bibtex

Title:Towards HTTPS everywhere on Android: We are not there yet
Department:Digital Security
Eurecom ref:6299
Copyright: Copyright Usenix. Personal use of this material is permitted. The definitive version of this paper was published in USENIX Security 2020, 29th USENIX Security Symposium, 12-14 August 2020, Boston, MA, USA (Virtual Conference) and is available at :
Bibtex: @inproceedings{EURECOM+6299, year = {2020}, title = {{T}owards {HTTPS} everywhere on {A}ndroid: {W}e are not there yet}, author = {{P}osssemato, {A}ndrea and {F}ratantonio, {Y}anick}, booktitle = {{USENIX} {S}ecurity 2020, 29th {USENIX} {S}ecurity {S}ymposium, 12-14 {A}ugust 2020, {B}oston, {MA}, {USA} ({V}irtual {C}onference) }, address = {{B}oston, {UNITED} {STATES}}, month = {08}, url = {} }
See also: