Analysis on Android HTTPS man-in-the-middle hijacking Vulnerability

Source: Internet
Author: User

1. Android HTTPS man-in-the-middle hijacking vulnerability description

In cryptography and computer security, a man-in-the-middle attack (MITM) is one in which the attacker creates independent connections with each of the two communicating parties and relays the data between them, so that both parties believe they are talking directly to each other over a private connection, when in fact the attacker controls the entire session. In a man-in-the-middle attack the attacker can intercept the traffic of both parties and insert new content [1].

The Android HTTPS man-in-the-middle attack vulnerability has three causes: 1. the SSL certificate is not verified; 2. the host name (domain name) is not verified; 3. a Certificate Authority is compromised and its private key leaked. Attackers can use a man-in-the-middle attack to steal sensitive information such as account passwords, chat content, mailing addresses, phone numbers and credit card payment details; by hijacking the connection they can also replace the original content with malicious links or malicious code, achieving remote control, malicious fee deduction and other attacks.

On the WooYun vulnerability platform there are a large number of reports of HTTPS certificates not being validated: for example, the vast majority of Android apps in China trust all certificates [2], the latest official Android version of Amazon's app trusts all certificates [3], Yahoo! access in China is subject to an SSL man-in-the-middle attack [4], and Ctrip's latest Android client does not verify the HTTPS certificate, so its HTTPS communication content can be fully captured [5].

2. Affected scope of Android HTTPS man-in-the-middle attack Vulnerability

Android system

3. Android HTTPS man-in-the-middle attack vulnerability details

1) Man-in-the-middle attack vulnerability location:

X509TrustManager, HostnameVerifier, and setHostnameVerifier(X509HostnameVerifier hostnameVerifier)

2) Prerequisites for vulnerability triggering:

The custom X509TrustManager does not verify the certificate;

Or the custom HostnameVerifier implementation does not verify the host name and accepts any domain name;

Or the code calls setHostnameVerifier(ALLOW_ALL_HOSTNAME_VERIFIER).

3) Vulnerability principle:

Because the client does not verify the server certificate, an attacker can create independent connections with both ends of the communication and relay the data between them; the two parties believe they are talking directly to each other over a private connection, when in fact the attacker controls the entire session. In a man-in-the-middle attack the attacker can intercept the traffic of both parties and insert new content [1].

4. Android HTTPS man-in-the-middle attack vulnerability proof

1) The client does not verify the SSL certificate (whether the signing CA is valid, whether the host name matches, whether the certificate is self-signed, and whether the certificate has expired) and contains the following coding errors:

A. A self-implemented X509TrustManager that does not verify the certificate: its checkServerTrusted() method has an empty body, so it never checks whether the server is trusted.

B. A HostnameVerifier that does not check whether the host name of the site matches the domain name in the site's certificate.

C. Code that accepts any host name:

SSLSocketFactory sf;
……
sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
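The three coding errors A, B and C above, written out in full as an added illustration (this is not code from the original article; the class names InsecureTlsPatterns, TrustAllManager and AcceptAnyHostVerifier are chosen here). The point of spelling them out is recognition: an empty checkServerTrusted() body, a verify() that returns true unconditionally, and ALLOW_ALL_HOSTNAME_VERIFIER are the exact patterns to search for when auditing an app's source or decompiled code.

```java
// Added illustration, not code from the original article: the three insecure
// patterns described in section 4 item 1 (A, B, C). Class names are chosen here.
// None of this belongs in a production app.
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public final class InsecureTlsPatterns {

    // A. checkServerTrusted() with an empty body: every server certificate
    //    (self-signed, expired, issued by an unknown CA) is silently accepted.
    static final class TrustAllManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // client certificates are not checked either
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // DEFECT: nothing here, so an interposed certificate is never rejected
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    // B. HostnameVerifier that never compares the URL host with the certificate:
    //    a certificate that is valid for some other domain passes for this site.
    static final class AcceptAnyHostVerifier implements HostnameVerifier {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true; // DEFECT: host name ignored
        }
    }

    // C. Apache HttpClient's built-in allow-all verifier, the form quoted in the
    //    article (needs org.apache.http.conn.ssl.SSLSocketFactory; shown as a comment):
    //    sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

    // Where A and B take effect: an SSLContext initialised with the trust-all
    // manager and installed as the process-wide default. These calls are the
    // strings a code review or APK audit should flag.
    static void installInsecureDefaults() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new TrustAllManager() }, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier(new AcceptAnyHostVerifier());
    }
}
```

Note that pattern A defeats every check listed in item 1 (CA validity, self-signed, expiry) at once, while pattern B or C alone still lets the CA checks run but accepts a certificate issued to any other domain, which is enough for an interposing party holding a valid certificate for its own host.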

2) A man-in-the-middle attack is performed against a client that does not verify the SSL certificate. As shown in the figure, the user name and password can be obtained through man-in-the-middle hijacking (the password parameter is only a single MD5 hash of the plaintext password):

5. Android HTTPS man-in-the-middle attack vulnerability repair suggestions

1. Strong validation of SSL certificates

For security reasons, Alibaba Cloud universal security recommends that you perform strong validation of the SSL certificate (whether the signing CA is valid, whether the certificate is self-signed, whether the host name matches, and whether the certificate has expired).
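One way to get all four checks listed above, as an added example that is not part of the original article: keep the platform's own X509TrustManager and HostnameVerifier instead of overriding them, and when a private or self-signed CA really has to be trusted, load that one CA into a key store rather than disabling validation. The class and method names (StrictTlsClient, contextTrustingSystemCas, contextTrustingCa, open, verifyHost) are chosen here.

```java
// Added example, not code from the original article: strong certificate
// validation by delegating to the platform checks. Names are chosen here.
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public final class StrictTlsClient {

    // Trust the device's system CA store. The platform X509TrustManager builds the
    // chain and checks the CA signature and expiry; checkServerTrusted() is never
    // overridden, so a self-signed or unknown-CA certificate is rejected.
    public static SSLContext contextTrustingSystemCas() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null key store selects the system CAs
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // For a server signed by a private CA: trust exactly that CA (certificate
    // supplied as DER or PEM) instead of trusting everything.
    public static SSLContext contextTrustingCa(InputStream caCert) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ca = cf.generateCertificate(caCert);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory key store
        ks.setCertificateEntry("pinned-ca", ca);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // HttpsURLConnection applies the default HostnameVerifier, which matches the
    // URL host against the certificate's subject alternative names / CN. It is
    // deliberately left in place: never call setHostnameVerifier() with one that
    // returns true.
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    // A raw SSLSocket does NOT verify the host name on its own; after the
    // handshake the caller must compare the expected host with the session.
    public static void verifyHost(String expectedHost, SSLSocket socket) throws IOException {
        socket.startHandshake();
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
        if (!hv.verify(expectedHost, socket.getSession())) {
            socket.close();
            throw new SSLHandshakeException(
                    "Certificate presented by " + expectedHost + " does not match the host name");
        }
    }
}
```

The contextTrustingCa() path is the right answer to the situation that usually motivates a trust-all manager (a test or internal server with a self-signed certificate): the app still gets chain, expiry and host-name checks, only the trust anchor changes. On Android 7.0 and later the same trust anchors can be declared in the app's Network Security Configuration XML instead of in code.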
