Watch a 13-minute conference presentation from USENIX Security '24 exploring critical security vulnerabilities in Android TLS certificate validation. Discover how researchers analyzed improper TLS certificate validation in popular Android apps, uncovering a widespread practice called validation hijacking, in which global default validation functions are overridden with improper or non-existent validation logic. Learn about Marvin, an automated dynamic analysis tool developed to identify TLS validation failures and trace the responsible parties, which revealed concerning statistics: 55.7% of analyzed Chinese apps and 4.6% of Google Play apps showed insecure validation instances. Understand how these vulnerabilities, primarily stemming from third-party libraries and Google's modifications to the OkHttp library, can be exploited by attackers to compromise personal information and credentials and to launch various other attacks. Gain insights into the technical root causes and the implications for Android app security, presented by researchers from Concordia University and Carleton University.
Syllabus
USENIX Security '24 - Racing for TLS Certificate Validation: A Hijacker's Guide to the Android...
Taught by
USENIX