A Survey on HTTPS Implementation by Android Apps: Issues and Countermeasures

As more and more sensitive data is transferred from mobile applications across unsecured channels, it seems imperative that transport layer encryption should be used in any non-trivial instance. Yet, research indicates that many Android developers do not use HTTPS or violate rules which protect user data from man-in-the-middle attacks. This paper seeks to find a root cause of the disparities between theoretical HTTPS usage and in-the-wild implementation of the protocol by looking into Android applications, online resources, and papers published by HTTPS and Android security researchers. From these resources, we extract a set of barrier categories that exist in the path of proper TLS use. These barriers not only include improper developer practices, but also server misconfiguration, lacking documentation, flaws in libraries, the fundamentally complex TLS PKI system, and a lack of consumer understanding of the importance of HTTPS. Following this discussion, we compile a set of potential solutions and patches to better secure Android HTTPS and the TLS/SSL protocol in general. We conclude our survey with gaps in current understanding of the environment and suggestions for further research.