Table of Contents
Fetching ...

Okara: Detection and Attribution of TLS Man-in-the-Middle Vulnerabilities in Android Apps with Foundation Models

Haoyun Yang, Ronghong Huang, Yong Fang, Beizeng Zhang, Junpu Guo, Zhanyu Wu, Xianghang Mi

TL;DR

Okara tackles TLS MitM vulnerabilities in Android by separating detection and root-cause analysis into TMV-Hunter and TMV-ORCA. TMV-Hunter uses foundation-model-driven GUI agents and per-app VPN-based MitM testing to achieve high coverage and scalable vulnerability discovery across tens of thousands of apps. TMV-ORCA automates root-cause analysis through dynamic instrumentation and an LLM-based classifier, attributing vulnerabilities to app developers or third-party libraries with a fine-grained taxonomy. The large-scale study reveals TMVs are widespread and persistent, with a notable role for third-party libraries, and demonstrates the practical potential of automated disclosure and reproducible research for mitigation and policy-making.

Abstract

Transport Layer Security (TLS) is fundamental to secure online communication, yet vulnerabilities in certificate validation that enable Man-in-the-Middle (MitM) attacks remain a pervasive threat in Android apps. Existing detection tools are hampered by low-coverage UI interaction, costly instrumentation, and a lack of scalable root-cause analysis. We present Okara, a framework that leverages foundation models to automate the detection and deep attribution of TLS MitM Vulnerabilities (TMVs). Okara's detection component, TMV-Hunter, employs foundation model-driven GUI agents to achieve high-coverage app interaction, enabling efficient vulnerability discovery at scale. Deploying TMV-Hunter on 37,349 apps from Google Play and a third-party store revealed 8,374 (22.42%) vulnerable apps. Our measurement shows these vulnerabilities are widespread across all popularity levels, affect critical functionalities like authentication and code delivery, and are highly persistent with a median vulnerable lifespan of over 1,300 days. Okara's attribution component, TMV-ORCA, combines dynamic instrumentation with a novel LLM-based classifier to locate and categorize vulnerable code according to a comprehensive new taxonomy. This analysis attributes 41% of vulnerabilities to third-party libraries and identifies recurring insecure patterns, such as empty trust managers and flawed hostname verification. We have initiated a large-scale responsible disclosure effort and will release our tools and datasets to support further research and mitigation.

Okara: Detection and Attribution of TLS Man-in-the-Middle Vulnerabilities in Android Apps with Foundation Models

TL;DR

Okara tackles TLS MitM vulnerabilities in Android by separating detection and root-cause analysis into TMV-Hunter and TMV-ORCA. TMV-Hunter uses foundation-model-driven GUI agents and per-app VPN-based MitM testing to achieve high coverage and scalable vulnerability discovery across tens of thousands of apps. TMV-ORCA automates root-cause analysis through dynamic instrumentation and an LLM-based classifier, attributing vulnerabilities to app developers or third-party libraries with a fine-grained taxonomy. The large-scale study reveals TMVs are widespread and persistent, with a notable role for third-party libraries, and demonstrates the practical potential of automated disclosure and reproducible research for mitigation and policy-making.

Abstract

Transport Layer Security (TLS) is fundamental to secure online communication, yet vulnerabilities in certificate validation that enable Man-in-the-Middle (MitM) attacks remain a pervasive threat in Android apps. Existing detection tools are hampered by low-coverage UI interaction, costly instrumentation, and a lack of scalable root-cause analysis. We present Okara, a framework that leverages foundation models to automate the detection and deep attribution of TLS MitM Vulnerabilities (TMVs). Okara's detection component, TMV-Hunter, employs foundation model-driven GUI agents to achieve high-coverage app interaction, enabling efficient vulnerability discovery at scale. Deploying TMV-Hunter on 37,349 apps from Google Play and a third-party store revealed 8,374 (22.42%) vulnerable apps. Our measurement shows these vulnerabilities are widespread across all popularity levels, affect critical functionalities like authentication and code delivery, and are highly persistent with a median vulnerable lifespan of over 1,300 days. Okara's attribution component, TMV-ORCA, combines dynamic instrumentation with a novel LLM-based classifier to locate and categorize vulnerable code according to a comprehensive new taxonomy. This analysis attributes 41% of vulnerabilities to third-party libraries and identifies recurring insecure patterns, such as empty trust managers and flawed hostname verification. We have initiated a large-scale responsible disclosure effort and will release our tools and datasets to support further research and mitigation.
Paper Structure (27 sections, 3 equations, 19 figures, 17 tables)

This paper contains 27 sections, 3 equations, 19 figures, 17 tables.

Figures (19)

  • Figure 1: The design of TMV-Hunter.
  • Figure 2: Cumulative distribution functions (CDFs) of vulnerable apps (TMVs) and all apps over log-scaled popularity metrics. Subfigure \ref{['fig:cdf_downloads']} shows the distribution by download volume, while Subfigure \ref{['fig:cdf_reviews']} shows it by review volume. Notably, as the download volume is not available for the AppChina dataset, Subfigure \ref{['fig:cdf_downloads']} depicts only AndroZoo.
  • Figure 3: Cumulative distribution of vulnerable TLS FQDNs over log-scaled apex domain popularity (Tranco ranking).
  • Figure 4: Cumulative distribution of the ratio of vulnerable TLS flows per app in AppChina and Androzoo datasets.
  • Figure 5: Distribution of vulnerable TLS flows by functional category across 100 popular apps: (C) Content Delivery, (T) Telemetry/Analytics, (E) Executable Code, (A) Authentication, and (F) Financial Transaction.
  • ...and 14 more figures