Hello,
We’ve recently been evaluating with CERT Tapioca
<http://www.cert.org/blogs/certcc/post.cfm?EntryID=203> the use of SSL
by Android apps. Through automated testing, we are logging apps that
cause traffic to be sent or received over an HTTPS connection that has
an invalid SSL certificate chain.
The following application has demonstrated this incorrect behavior:
com.xxx
Due to the sheer volume of affected applications, we are currently
unable to manually inspect every affected application. However, we
are sending notifications to the application authors for further
investigation.
Included with this email are the following files:
com.xxx.apk.flows.log.bin : The mitmproxy <http://mitmproxy.org/> log file
for the session where com.xxx was invoked. Open this file using the
mitmproxy software:
mitmproxy -r com.xxx.apk.flows.log.bin
com.xxx.apk.uris.txt : URIs that were requested by the application during
its invocation
com.xxx.apk.mallodroid.txt : mallodroid
<https://github.com/sfahl/mallodroid> SSL static analysis output,
which may help determine possible code locations for faulty SSL
handling.
Some caveats that may affect the impact of the test results:
- We have not yet investigated the content that is sent over HTTPS with an invalid SSL certificate chain. If the information is not sensitive, one might argue that the vulnerability does not really have an impact. However, the other argument is that the use of unvalidated SSL is a vulnerability that needs to be corrected, regardless of the content sent or received.
- It could be that your application itself uses SSL properly, but it includes a third-party library that itself does improper SSL validation. In such a case, this third-party library would need to be updated. Or if a fix isn't available, the library's author should be notified to let them know that they need to fix the library.
- Due to the UI automation used in the dynamic testing that we performed, there is a small chance that the application or the browser components used by the application did correctly warn the user before proceeding. If the UI automation did happen to click the button required to proceed despite an invalid certificate, then this could be considered a false positive. If you believe this to be the case, please respond and let us know.
But despite the above caveats, it is important that you are aware of the
flaws that are potentially present in your application. Failure to check
SSL certificates can put your users’ information at risk. Furthermore,
improper checking of certificates has been cited in prior cases brought by
the Federal Trade Commission (FTC). For example:
<http://www.ftc.gov/…/fandango-credit-karma-settle-ftc-charg…>
I just received an email from the CERT Coordination Center; I don't know what is happening???