

Racing for TLS Certificate Validation: A Hijacker's Guide to the Android TLS Galaxy

USENIX via YouTube

Overview

Watch a 13-minute conference presentation from USENIX Security '24 on improper TLS certificate validation in popular Android apps. The researchers document a widespread practice they call validation hijacking: an app, or more often a third-party library it bundles, overrides the process-wide default validation functions with improper or non-existent validation logic, so every TLS connection in the app inherits the weakened check. To find such cases at scale they built Marvin, an automated dynamic analysis tool that detects TLS validation failures at runtime and traces each one back to the component responsible. Marvin flagged insecure validation in 55.7% of the analyzed Chinese apps and 4.6% of the Google Play apps, with most instances attributable to third-party libraries and to Google's modifications of the OkHttp library. An attacker in a network man-in-the-middle position can exploit these failures to intercept personal information and credentials and to mount further attacks. The talk covers the technical root causes and their implications for Android app security, presented by researchers from Concordia University and Carleton University.
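The validation-hijacking pattern in javax.net.ssl terms, as an added example that is not code from the talk, the paper, Marvin, or any app studied. The first method installs a trust-all manager and an accept-everything hostname verifier as the process-wide defaults (the vulnerable pattern). The second shows the scoped alternative for the usual motivation, a self-signed or private-CA server: trust one known certificate through the platform's real chain validator and apply it to a single connection, leaving the defaults intact. The third is a heuristic startup self-check. Class and method names are illustrative; the APIs are the standard ones available on both Android and the JDK.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Illustrative example; not code from the paper, the talk, or any studied app.
public final class ValidationHijackingDemo {

    // VULNERABLE: "validation hijacking" as the talk describes it. A library or
    // app replaces the process-wide defaults with a trust manager that never
    // throws and a hostname verifier that always says yes. Every
    // HttpsURLConnection opened afterwards by ANY component in the process,
    // including code that never asked for this, now accepts a MITM certificate.
    static void hijackGlobalDefaults() throws GeneralSecurityException {
        TrustManager[] trustAll = {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // SAFE ALTERNATIVE: build a trust store holding only the expected
    // certificate (leaf or private CA), hand it to the platform's real
    // TrustManagerFactory so chain validation still runs, and apply the
    // result to THIS connection only. Global defaults are never touched.
    static HttpsURLConnection openPinned(URL url, InputStream pemCert) throws Exception {
        Certificate pinned = CertificateFactory.getInstance("X.509").generateCertificate(pemCert);

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // empty in-memory store
        ks.setCertificateEntry("pinned", pinned);  // the only trust anchor

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                              // real validation, restricted to our anchor

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());   // scoped, not setDefault...
        // Hostname verification is deliberately left at the platform default.
        return conn;
    }

    // HEURISTIC SELF-CHECK (an assumption of this example, not a method from
    // the paper): a default hostname verifier that accepts a name no
    // certificate can match, with no session to inspect, has been replaced by
    // an accept-everything implementation. A genuine verifier returns false
    // or refuses the null session.
    static boolean defaultVerifierLooksHijacked() {
        HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
        try {
            return hv.verify("hijack-probe.invalid", null);
        } catch (RuntimeException e) {
            return false;
        }
    }
}
```

The contrast to keep in mind is scope: `setDefaultSSLSocketFactory` and `setDefaultHostnameVerifier` are static, so a single bundled library calling them once disables validation for the whole app, which is why the talk traces each failure to the party responsible rather than to the connection where it surfaces. The self-check only covers the hostname verifier; a trust-all X509TrustManager installed through the default socket factory needs a test against a server presenting an untrusted chain.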

Syllabus

USENIX Security '24 - Racing for TLS Certificate Validation: A Hijacker's Guide to the Android...

Taught by

USENIX

