cispa_all_3321.pdf (402.92 kB)

Why Eve and Mallory Still Love Android: Revisiting TLS (In)Security in Android Applications

conference contribution
posted on 2023-11-29, 18:15 authored by Marten Oltrogge, Nicolas Huaman, Sabrina Amft, Yasemin Acar, Michael Backes, Sascha Fahl
Android applications have a long history of being vulnerable to man-in-the-middle attacks due to insecure custom TLS certificate validation implementations. To resolve this, Google deployed the Network Security Configuration (NSC), a configuration-based approach to increase the security of custom certificate validation logic, and implemented safeguards in Google Play to block insecure applications. In this paper, we perform a large-scale in-depth investigation of the effectiveness of these countermeasures: First, we investigate the security of 99,212 NSC settings files in 1,335,322 Google Play apps using static code and manual analysis techniques. We find that 88.87% of the apps using custom NSC settings downgrade security compared to the default settings, and only 0.67% implement certificate pinning. Second, we penetrate Google Play's protection mechanisms by trying to publish apps that are vulnerable to man-in-the-middle attacks. In contrast to official announcements by Google, we find that Play does not effectively block vulnerable apps. Finally, we perform a static code analysis study of 15,000 apps and find that 5,511 recently published apps still contain vulnerable certificate validation code. Overall, we attribute most of the problems we find to insufficient support for developers, missing clarification of security risks in official documentation, and inadequate security checks for vulnerable applications in Google Play.
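The abstract refers to NSC files that "downgrade security compared to the default settings" without showing what such a file looks like. The following added example (not code from the paper or from Google) embeds two constructed NSC files, one that weakens the Android 9 (API 28+) defaults and one that keeps them and adds certificate pinning, and runs a small static classifier of the kind the paper's first study relies on. The finding codes, the two sample files and the placeholder pin values are this example's own assumptions. Two caveats a reviewer should keep in mind: cleartext traffic is only disabled by default for apps targeting API 28 or later, so `cleartext-permitted` is a downgrade relative to that baseline, and `debug-overrides` only take effect in debuggable builds, so shipping them is flagged as a warning rather than a live MITM path.

```python
"""Static classifier for Android Network Security Configuration (NSC) files.

Added example, not the paper's own tooling. It flags settings that weaken the
API 28+ defaults (system CAs only, cleartext off, no pin override, no debug
trust anchors) and reports whether the file enables certificate pinning.
"""
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample 1: a config of the kind the paper counts as a downgrade.
DOWNGRADED_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

# Constructed sample 2: default trust anchors plus pinning for one domain.
# The pin values are placeholders, not hashes of any real certificate.
PINNED_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
"""


def analyze_nsc(xml_text, today=date(2021, 8, 1)):
    """Return a sorted list of finding codes (this example's own vocabulary)
    for one NSC file. `today` is injectable so the pin-expiry check is
    deterministic."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = set()

    # Downgrades relative to the API 28+ defaults, in base and per-domain config.
    for section in ("base-config", "domain-config"):
        for cfg in root.iter(section):
            if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
                findings.add(f"{section}:cleartext-permitted")
            for cert in cfg.iter("certificates"):
                if cert.get("src") == "user":
                    # User-installed CAs let an on-device proxy CA intercept TLS.
                    findings.add(f"{section}:trusts-user-cas")
                if cert.get("overridePins", "false").lower() == "true":
                    findings.add(f"{section}:override-pins")

    # Debug overrides only apply to debuggable builds; still worth a warning.
    for dbg in root.iter("debug-overrides"):
        if any(c.get("src") == "user" for c in dbg.iter("certificates")):
            findings.add("debug-overrides:trusts-user-cas")

    # Pinning: present, has a backup pin, and has not expired (expired pin
    # sets are silently no longer enforced by the platform).
    for pin_set in root.iter("pin-set"):
        pins = [p for p in pin_set.iter("pin") if p.get("digest") == "SHA-256"]
        if not pins:
            continue
        findings.add("pinning:enabled")
        if len(pins) < 2:
            findings.add("pinning:no-backup-pin")
        exp = pin_set.get("expiration")
        if exp and date.fromisoformat(exp) <= today:
            findings.add("pinning:expired")
    return sorted(findings)


def downgrades_default(findings):
    """True if any finding weakens the platform default (pinning codes do not)."""
    return any(not f.startswith("pinning:") for f in findings)


if __name__ == "__main__":
    for name, nsc in (("downgraded", DOWNGRADED_NSC), ("pinned", PINNED_NSC)):
        result = analyze_nsc(nsc)
        print(name, "downgrade" if downgrades_default(result) else "ok", result)
```

Running the block reports the first file as a downgrade (cleartext permitted, user CAs trusted in the base config, user CAs in debug overrides) and the second as default-strength with pinning enabled. Pointing the classifier at the `res/xml/` file named by `android:networkSecurityConfig` in a decoded APK's manifest is the same check at app scale.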


Preferred Citation

Marten Oltrogge, Nicolas Huaman, Sabrina Amft, Yasemin Acar, Michael Backes and Sascha Fahl. Why Eve and Mallory Still Love Android: Revisiting TLS (In)Security in Android Applications. In: Usenix Security Symposium (USENIX-Security). 2021.

Primary Research Area

  • Secure Connected and Mobile Systems

Secondary Research Area

  • Reliable Security Guarantees

Name of Conference

Usenix Security Symposium (USENIX-Security)

Open Access Type

  • Gold


@inproceedings{cispa_all_3321, title = "Why Eve and Mallory Still Love Android: Revisiting TLS (In)Security in Android Applications", author = "Oltrogge, Marten and Huaman, Nicolas and Amft, Sabrina and Acar, Yasemin and Backes, Michael and Fahl, Sascha", booktitle="{Usenix Security Symposium (USENIX-Security)}", year="2021", }
