A Survey on HTTPS Implementation by Android Apps: Issues and Countermeasures
As more and more sensitive data is transferred from mobile applications across unsecured channels, it seems imperative that transport layer encryption should be used in any non-trivial instance. Yet, research indicates that many Android developers do not use HTTPS or violate rules which protect user...
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Emerald Publishing
2017-07-01
|
| Series: | Applied Computing and Informatics |
| Subjects: | |
| Online Access: | http://www.sciencedirect.com/science/article/pii/S2210832716300722 |
| _version_ | 1797716567502356480 |
|---|---|
| author | Xuetao Wei Michael Wolf |
| author_facet | Xuetao Wei Michael Wolf |
| author_sort | Xuetao Wei |
| collection | DOAJ |
| description | As more and more sensitive data is transferred from mobile applications across unsecured channels, it seems imperative that transport layer encryption should be used in any non-trivial instance. Yet, research indicates that many Android developers do not use HTTPS or violate rules which protect user data from man-in-the-middle attacks. This paper seeks to find a root cause of the disparities between theoretical HTTPS usage and in-the-wild implementation of the protocol by looking into Android applications, online resources, and papers published by HTTPS and Android security researchers. From these resources, we extract a set of barrier categories that exist in the path of proper TLS use. These barriers not only include improper developer practices, but also server misconfiguration, lacking documentation, flaws in libraries, the fundamentally complex TLS PKI system, and a lack of consumer understanding of the importance of HTTPS. Following this discussion, we compile a set of potential solutions and patches to better secure Android HTTPS and the TLS/SSL protocol in general. We conclude our survey with gaps in current understanding of the environment and suggestions for further research. |
| first_indexed | 2024-03-12T08:23:22Z |
| format | Article |
| id | doaj.art-1104058919274a7b8d6d13136ec7be8b |
| institution | Directory Open Access Journal |
| issn | 2210-8327 |
| language | English |
| last_indexed | 2024-03-12T08:23:22Z |
| publishDate | 2017-07-01 |
| publisher | Emerald Publishing |
| record_format | Article |
| series | Applied Computing and Informatics |
| spelling | doaj.art-1104058919274a7b8d6d13136ec7be8b2023-09-02T18:16:35ZengEmerald PublishingApplied Computing and Informatics2210-83272017-07-0113210111710.1016/j.aci.2016.10.001A Survey on HTTPS Implementation by Android Apps: Issues and CountermeasuresXuetao WeiMichael WolfAs more and more sensitive data is transferred from mobile applications across unsecured channels, it seems imperative that transport layer encryption should be used in any non-trivial instance. Yet, research indicates that many Android developers do not use HTTPS or violate rules which protect user data from man-in-the-middle attacks. This paper seeks to find a root cause of the disparities between theoretical HTTPS usage and in-the-wild implementation of the protocol by looking into Android applications, online resources, and papers published by HTTPS and Android security researchers. From these resources, we extract a set of barrier categories that exist in the path of proper TLS use. These barriers not only include improper developer practices, but also server misconfiguration, lacking documentation, flaws in libraries, the fundamentally complex TLS PKI system, and a lack of consumer understanding of the importance of HTTPS. Following this discussion, we compile a set of potential solutions and patches to better secure Android HTTPS and the TLS/SSL protocol in general. We conclude our survey with gaps in current understanding of the environment and suggestions for further research.http://www.sciencedirect.com/science/article/pii/S2210832716300722HTTPSAndroidMobile securityTLS/SSLMobile development |
| spellingShingle | Xuetao Wei Michael Wolf A Survey on HTTPS Implementation by Android Apps: Issues and Countermeasures Applied Computing and Informatics HTTPS Android Mobile security TLS/SSL Mobile development |
| title | A Survey on HTTPS Implementation by Android Apps: Issues and Countermeasures |
| title_full | A Survey on HTTPS Implementation by Android Apps: Issues and Countermeasures |
| title_fullStr | A Survey on HTTPS Implementation by Android Apps: Issues and Countermeasures |
| title_full_unstemmed | A Survey on HTTPS Implementation by Android Apps: Issues and Countermeasures |
| title_short | A Survey on HTTPS Implementation by Android Apps: Issues and Countermeasures |
| title_sort | survey on https implementation by android apps issues and countermeasures |
| topic | HTTPS Android Mobile security TLS/SSL Mobile development |
| url | http://www.sciencedirect.com/science/article/pii/S2210832716300722 |
| work_keys_str_mv | AT xuetaowei asurveyonhttpsimplementationbyandroidappsissuesandcountermeasures AT michaelwolf asurveyonhttpsimplementationbyandroidappsissuesandcountermeasures AT xuetaowei surveyonhttpsimplementationbyandroidappsissuesandcountermeasures AT michaelwolf surveyonhttpsimplementationbyandroidappsissuesandcountermeasures |