{"id":18055992,"url":"https://github.com/grahamedgecombe/android-ssl","last_synced_at":"2026-03-27T01:55:55.394Z","repository":{"id":16792776,"uuid":"19551343","full_name":"grahamedgecombe/android-ssl","owner":"grahamedgecombe","description":"Android SSL certificate validation vulnerability detection tools.","archived":false,"fork":false,"pushed_at":"2014-05-10T14:29:58.000Z","size":10824,"stargazers_count":20,"open_issues_count":1,"forks_count":4,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-04-11T02:04:54.748Z","etag":null,"topics":["android","java","ssl"],"latest_commit_sha":null,"homepage":"http://grahamedgecombe.com/projects/android-ssl","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/grahamedgecombe.png","metadata":{"files":{"readme":"README.markdown","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2014-05-07T21:42:07.000Z","updated_at":"2024-09-28T03:24:18.000Z","dependencies_parsed_at":"2022-09-03T14:30:46.603Z","dependency_job_id":null,"html_url":"https://github.com/grahamedgecombe/android-ssl","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/grahamedgecombe/android-ssl","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grahamedgecombe%2Fandroid-ssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grahamedgecombe%2Fandroid-ssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grahamedgecombe%2Fandroid-ssl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grahamedgecombe%2Fandroid-ssl/manifests","owner_url":"https://repos.ecosyste
.ms/api/v1/hosts/GitHub/owners/grahamedgecombe","download_url":"https://codeload.github.com/grahamedgecombe/android-ssl/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/grahamedgecombe%2Fandroid-ssl/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31008440,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-27T01:50:43.500Z","status":"ssl_error","status_checked_at":"2026-03-27T01:50:41.231Z","response_time":114,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["android","java","ssl"],"created_at":"2024-10-31T01:13:10.948Z","updated_at":"2026-03-27T01:55:55.369Z","avatar_url":"https://github.com/grahamedgecombe.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"Android SSL Vulnerability Detection Tools\n=========================================\n\nIntroduction\n------------\n\nA set of tools for detecting if Android applications are vulnerable to common\nSSL certificate validation security vulnerabilities which allow\nman-in-the-middle attackers to intercept and modify encrypted network traffic.\n\nOne tool uses static analysis to try to detect potentially vulnerable SSL\ncertificate validation code. 
The other tool actually tries to carry out a\nman-in-the-middle attack to actively exploit certificate validation\nvulnerabilities.\n\nThese tools should be useful for developers who want to check if their own\napplications use SSL securely on a private network that they own. They are not\nintended for malicious use on public networks.\n\nI developed these tools as part of my [Part II project][project] at Cambridge.\nThanks to [Dr Alastair Beresford][arb] for supervising the project.\n\nNote: I have done some rewriting of the repository with `git filter-branch` to\ntidy it up. Some of the commit messages may therefore not make much sense.\n\nBuilding\n--------\n\n[Gradle][gradle] is used as the build system. Java 8 ([Oracle Java][oracle] or\n[OpenJDK][openjdk]) on Linux is required.\n\nRun `gradle` to build the tools and run the unit tests.\n\nThere's also a separate set of integration tests for the man-in-the-middle tool\nwhich can be run by typing `./mitm-test/run`. Warning: the integration tests\nwill modify your iptables configuration and might not restore it properly\n(especially if they fail).\n\nStatic Analysis\n---------------\n\nThe static analysis tool assumes the Android SDK is installed in\n`/opt/android`.\n\nRun `./analysis/static-analyser /path/to/the.apk` to analyse an application. If\nyou get SPARK-related exceptions from Soot, you can pass the `--paddle` option\nto use Paddle (an alternative to SPARK) which might fix it.\n\nMan-in-the-Middle\n-----------------\n\nThe `./mitm/mitm` script runs the man-in-the-middle tool. `./mitm/mitm-gui`\nruns it with a GUI, which is useful if many connections are being intercepted\nat the same time as it makes figuring out which data was sent by which\nconnection easier.\n\nBefore running the man-in-the-middle tool for the first time you must generate\na trusted and untrusted certificate authority, and install the trusted\ncertificate on your phone. 
Run `cd mitm; ./make-ca; ./install-ca` to do so.\nYour phone must be rooted to install the trusted certificate in this manner.\nThe Android SDK's `tools` and `platform-tools` directories must also be in your\n`$PATH` environment variable.\n\nSeveral required options must be specified on the command line (even with the\nGUI mode):\n\n### Interception Mode\n\nThis is set to indicate how you are passing the intercepted traffic to the\nMITM program with iptables.\n\n * `--nat`: if you are using the iptables REDIRECT target.\n * `--tproxy`: if you are using the iptables [transparent proxying][tproxy]\n   support.\n * `--fixed \u003caddress\u003e:\u003cport\u003e`: if you aren't actually intercepting traffic at\n   all. Allows you to proxy traffic to a fixed address and port for testing\n   purposes.\n\nYou'll probably want to use the MITM tool in conjunction with some software\nsuch as [hostapd][hostapd], which turns your computer into a WiFi hotspot, or\ndsniff's [arpspoof][dsniff] command, which uses ARP spoofing to intercept\ntraffic on an existing WiFi hotspot or network.\n\nFor both the `--nat` and `--tproxy` modes you'll need to enable IP forwarding:\n\n    sysctl -w net.ipv4.ip_forward=1\n\n(This turns your machine into a router, so you might want to be careful with\nyour configuration if you are connecting to the Internet through a network you\ndon't control or you might annoy your local sysadmin if you make a mistake!)\n\nFor IPv6, the equivalent sysctl is:\n\n    sysctl -w net.ipv6.conf.all.forwarding=1\n\n#### Example iptables commands for `--nat` mode\n\nAssuming hostapd is running on `wlan0`:\n\n    iptables -t nat -A PREROUTING -i wlan0 -p tcp -j REDIRECT --to-port 8443\n\nIf you want to intercept local connections from your own machine, then you will\nneed to run the MITM tool as a different user (`nobody` in this example) to\nprevent it intercepting the connections it opens itself:\n\n    iptables -t nat -A OUTPUT -p tcp -m owner --uid-owner nobody -j 
ACCEPT\n    iptables -t nat -A OUTPUT -p tcp -j REDIRECT --to-port 8443\n\nI haven't had any luck in getting ARP spoofing working together with the NAT\nmode; therefore the tool also supports transparent proxying which I have managed\nto get working with ARP spoofing.\n\nChange `iptables` to `ip6tables` if you want to use IPv6 instead. Note that\nIPv6 NAT requires Linux 3.7 or above (and a recent enough version of the\nuser-space iptables tools too).\n\n#### Example iptables commands for `--tproxy` mode\n\nAssuming 192.168.0.1 is the gateway and 192.168.0.100 is the computer whose\ntraffic you wish to intercept, first start up two `arpspoof` instances:\n\n    arpspoof -t 192.168.0.1 192.168.0.100\n    arpspoof -t 192.168.0.100 192.168.0.1\n\nDisable reverse path filtering (again, be careful, lest you annoy a sysadmin):\n\n    sysctl -w net.ipv4.conf.all.rp_filter=0\n\nAdd a separate routing table for 'marked' packets which delivers them locally:\n\n    ip rule add fwmark 1 lookup 100\n    ip route add local default dev lo table 100\n\nAdd iptables rules which transparently proxy any incoming connections passing\nthrough the machine:\n\n    iptables -t mangle -N DIVERT\n    iptables -t mangle -A DIVERT -j MARK --set-mark 1\n    iptables -t mangle -A DIVERT -j ACCEPT\n    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT\n    iptables -t mangle -A PREROUTING -p tcp -j TPROXY --tproxy-mark 0x1/0x1 --on-port 8443\n\nThe transparent proxying configuration is tricky to set up; the Squid website\nhas [some tips][squid] which are applicable. If possible, stick with `--nat`\nmode.\n\nAs with `--nat` mode, you can replace `iptables` with `ip6tables` if you want\nto use IPv6. 
You'll also need to pass the `-6` flag to the `ip` command.\nChanging the `rp_filter` sysctl is not required for IPv6.\n\n### Certificate Hostname Mode\n\nThis is set to determine the value of the Common Name and Subject Alternative\nName fields in the generated certificates.\n\n * `--matching-hostname`: use the same CN and SAN as the real certificate.\n * `--unmatching-hostname`: use a CN which does not match the one in the real\n   certificate.\n\n### Certificate Trust Mode\n\nThis is set to determine if the generated certificates are signed with the\ntrusted certificate authority (whose certificate is installed on the phone) or\nthe untrusted certificate authority (whose certificate is not installed on the\nphone).\n\n * `--trusted`\n * `--untrusted`\n\nTypes of Vulnerability\n----------------------\n\nFor each combination of hostname and trust mode, if the client accepts a\nconnection which the MITM tool has intercepted then the following vulnerability\nis present:\n\n| Hostname Mode | Trust Mode | Vulnerability                              |\n| ------------- | ---------- | ------------------------------------------ |\n| matching      | trusted    | Client does not use certificate pinning.   |\n| matching      | untrusted  | Client uses a permissive X509TrustManager. |\n| unmatching    | trusted    | Client uses a permissive HostnameVerifier. |\n| unmatching    | untrusted  | Client performs no certificate validation. |\n\nDependencies\n------------\n\nThe following Java libraries are used by the tools:\n\n* [Soot][soot]\n* [Paddle][paddle] (optional)\n* [Jedd][jedd] (optional)\n* [JOpt Simple][jopt-simple]\n* [Bouncy Castle][bc]\n* [Java Native Access][jna]\n\nLicense\n-------\n\nThe tools are available under Version 2.0 of the [Apache License][apache]. 
The\nfull terms of the Apache License are available in the `LICENSE` file.\n\n[project]: http://www.cl.cam.ac.uk/teaching/projects/\n[gradle]: http://www.gradle.org/\n[hostapd]: http://hostap.epitest.fi/hostapd/\n[oracle]: http://www.oracle.com/technetwork/java/javase/downloads/index.html\n[openjdk]: http://openjdk.java.net/\n[apache]: https://www.apache.org/licenses/LICENSE-2.0.html\n[tproxy]: https://www.kernel.org/doc/Documentation/networking/tproxy.txt\n[soot]: http://www.sable.mcgill.ca/soot/\n[paddle]: http://www.sable.mcgill.ca/paddle/\n[jedd]: http://www.sable.mcgill.ca/jedd/\n[jopt-simple]: https://pholser.github.io/jopt-simple/\n[bc]: https://www.bouncycastle.org/java.html\n[jna]: https://github.com/twall/jna\n[squid]: http://wiki.squid-cache.org/Features/Tproxy4\n[arb]: http://www.cl.cam.ac.uk/~arb33/\n[dsniff]: http://www.monkey.org/~dugsong/dsniff/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgrahamedgecombe%2Fandroid-ssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgrahamedgecombe%2Fandroid-ssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgrahamedgecombe%2Fandroid-ssl/lists"}