TagDroid: Hybrid SSL Certificate Verification in Android

SSL/TLS protocol is designed to protect the end-to-end communication by cryptographic means. However, the widely applied SSL/TLS protocol is facing many inadequacies on current mobile platform. Applications may suffer from MITM (Man-In-The-Middle) attacks when the certificate is not appropriately validated or local truststore is contaminated. In this paper, we present a hybrid certificate validation approach combining basic certificate validation against a predefined norm truststore with ways by virtue of aid from online social network friends. We conduct an analysis of official and third-party ROMs. The results show that some third-party ROMs add their own certificates in the truststore, while some do not remove compromised CA certificates from the truststore, which makes defining a norm truststore necessary. And the intuition to leverage social network friends to validate certificate is out of the distributed and “always online” feature of mobile social network. We implemented a prototype on Android, named TAGDROID. A thorough set of experiments assesses the validity of our approach in protecting SSL communication of mobile devices without introducing significant overhead.