Okara：基于基础模型的Android应用TLS中间人漏洞检测与归因 (Okara: Detection and Attribution of TLS Man-in-the-Middle Vulnerabilities in Android Apps with Foundation Models)

Transport Layer Security (TLS) is fundamental to secure online communication, yet vulnerabilities in certificate validation that enable Man-in-the-Middle (MitM) attacks remain a pervasive threat in Android apps. Existing detection tools are hampered by low-coverage UI interaction, costly instrumentation, and a lack of scalable root-cause analysis. We present Okara, a framework that leverages foundation models to automate the detection and deep attribution of TLS MitM Vulnerabilities (TMVs). Okara's detection component, TMV-Hunter, employs foundation model-driven GUI agents to achieve high-coverage app interaction, enabling efficient vulnerability discovery at scale. Deploying TMV-Hunter on 37,349 apps from Google Play and a third-party store revealed 8,374 (22.42%) vulnerable apps. Our measurement shows these vulnerabilities are widespread across all popularity levels, affect critical functionalities like authentication and code delivery, and are highly persistent with a median vulnerable lifespan of over 1,300 days. Okara's attribution component, TMV-ORCA, combines dynamic instrumentation with a novel LLM-based classifier to locate and categorize vulnerable code according to a comprehensive new taxonomy. This analysis attributes 41% of vulnerabilities to third-party libraries and identifies recurring insecure patterns, such as empty trust managers and flawed hostname verification. We have initiated a large-scale responsible disclosure effort and will release our tools and datasets to support further research and mitigation.

翻译：传输层安全性（TLS）是保障在线通信安全的基础，然而证书验证中的漏洞所导致的中间人（MitM）攻击，在Android应用中仍然是一个普遍存在的威胁。现有检测工具受限于低覆盖率的用户界面交互、高昂的插桩成本以及缺乏可扩展的根因分析。本文提出Okara，一个利用基础模型来自动化检测并深度归因TLS中间人漏洞（TMV）的框架。Okara的检测组件TMV-Hunter采用基础模型驱动的图形用户界面（GUI）智能体，实现高覆盖率的应用交互，从而支持大规模高效漏洞发现。在来自Google Play及第三方应用商店的37,349个应用上部署TMV-Hunter，共发现8,374个（22.42%）存在漏洞的应用。我们的测量结果表明，这些漏洞在所有流行度级别的应用中广泛存在，影响认证和代码交付等关键功能，并且具有高度持久性，漏洞存在的中位寿命超过1,300天。Okara的归因组件TMV-ORCA，将动态插桩与一种新颖的基于大语言模型（LLM）的分类器相结合，依据一个全面新分类法来定位和分类存在漏洞的代码。该分析将41%的漏洞归因于第三方库，并识别出反复出现的不安全模式，例如空信任管理器及有缺陷的主机名验证。我们已经启动了一项大规模负责任的漏洞披露工作，并将发布我们的工具和数据集，以支持进一步的研究和缓解措施。