Okara: Detection and Attribution of TLS Man-in-the-Middle Vulnerabilities in Android Apps with Foundation Models
Haoyun Yang, Ronghong Huang, Yong Fang, Beizeng Zhang, Junpu Guo, Zhanyu Wu, Xianghang Mi
TL;DR
Okara tackles TLS MitM vulnerabilities in Android by separating detection and root-cause analysis into TMV-Hunter and TMV-ORCA. TMV-Hunter uses foundation-model-driven GUI agents and per-app VPN-based MitM testing to achieve high coverage and scalable vulnerability discovery across tens of thousands of apps. TMV-ORCA automates root-cause analysis through dynamic instrumentation and an LLM-based classifier, attributing vulnerabilities to app developers or third-party libraries with a fine-grained taxonomy. The large-scale study reveals TMVs are widespread and persistent, with a notable role for third-party libraries, and demonstrates the practical potential of automated disclosure and reproducible research for mitigation and policy-making.
Abstract
Transport Layer Security (TLS) is fundamental to secure online communication, yet vulnerabilities in certificate validation that enable Man-in-the-Middle (MitM) attacks remain a pervasive threat in Android apps. Existing detection tools are hampered by low-coverage UI interaction, costly instrumentation, and a lack of scalable root-cause analysis. We present Okara, a framework that leverages foundation models to automate the detection and deep attribution of TLS MitM Vulnerabilities (TMVs). Okara's detection component, TMV-Hunter, employs foundation model-driven GUI agents to achieve high-coverage app interaction, enabling efficient vulnerability discovery at scale. Deploying TMV-Hunter on 37,349 apps from Google Play and a third-party store revealed 8,374 (22.42%) vulnerable apps. Our measurement shows these vulnerabilities are widespread across all popularity levels, affect critical functionalities like authentication and code delivery, and are highly persistent with a median vulnerable lifespan of over 1,300 days. Okara's attribution component, TMV-ORCA, combines dynamic instrumentation with a novel LLM-based classifier to locate and categorize vulnerable code according to a comprehensive new taxonomy. This analysis attributes 41% of vulnerabilities to third-party libraries and identifies recurring insecure patterns, such as empty trust managers and flawed hostname verification. We have initiated a large-scale responsible disclosure effort and will release our tools and datasets to support further research and mitigation.
