HTTPS to HTTP downgrade

Introduction

Are you interested in finding vulnerabilities in mobile apps? Have you already worked with web APIs and wondered whether they provide the same level of security as other HTTP clients, e.g., web browsers?

We performed studies on web API security in mobile apps and found that unprotected HTTP communication is very prevalent [1]. Even worse, many of the HTTPS security features supported by web browsers are not implemented in API clients. This project aims to find missing HTTPS feature support in web API clients, and to exploit apps using such insecure clients. Our goal is to raise awareness that HTTP is a generic and widely used communication protocol, but its security features are not yet supported accordingly.

Problems

A few problems you'll be confronted with:

State of the art

Various papers explain attacks and remediation strategies for HTTPS in browsers [2] [3]; however, there is barely any discussion of other HTTPS clients such as web API client libraries. For instance, we found that one library had initial support for some security features, but the developers decided not to add that feature to their master branch.

Task

In this seminar project, we want to exploit apps through vulnerable web API communication.

Your task will consist of:

Guiding research questions

References

[1] Web APIs in Android through the Lens of Security
[2] Presentation: More Tricks For Defeating SSL In Practice
[3] Paper: Bypassing HTTP Strict Transport Security


Contact

Pascal Gadient PhD