SSL has become an important means of protecting communication security. In the mobile Internet environment, applications on smart mobile terminals also rely heavily on SSL to protect network data. To evaluate the security of such applications, we analysed the SSL implementations of 60,000 domestic Android applications and found four classes of SSL implementation defects: incomplete trusted certificate chain validation, incomplete hostname (domain name) verification, ignored WebView SSL errors, and incomplete certificate pinning. We propose corresponding detection methods and, on that basis, implemented the analysis and detection tool SSLGuard. An in-depth analysis of 150 banking and financial application samples shows that Android applications on the domestic market currently have serious SSL implementation defects, and that critical applications such as mobile banking urgently need comprehensive evaluation and certification.
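The four defect classes above correspond to a small number of recurring Android code patterns. The following is an added illustration, written for this page and not taken from the paper or from SSLGuard, that shows each vulnerable pattern next to a hardened form. The class and member names (`SslPatterns`, `TRUST_ALL`, `PinningTrustManager`, and so on) are assumptions chosen for the example; the SPKI pin values are supplied by the caller and are not real pins for any service.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Example code written for this page (assumed names); not from the paper or SSLGuard.
public final class SslPatterns {

    // Defect 1: incomplete trusted certificate chain validation. An empty
    // checkServerTrusted accepts any chain, including a self-signed certificate
    // presented by a man-in-the-middle.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Hardened: delegate to the platform trust store instead of a custom manager.
    static X509TrustManager platformTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null = system default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Defect 2: incomplete hostname verification. Returning true accepts a
    // validly signed certificate issued for any other name.
    static final HostnameVerifier ALLOW_ALL = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) { return true; }
    };
    // Hardened: keep the platform's default verifier (RFC 2818/6125 matching).
    static final HostnameVerifier STRICT = HttpsURLConnection.getDefaultHostnameVerifier();

    // Defect 3: WebView SSL errors ignored. handler.proceed() loads the page over
    // a connection whose certificate already failed validation.
    static final class IgnoringClient extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
            h.proceed();
        }
    }
    // Hardened: cancel the load (this is also WebViewClient's default behaviour).
    static final class StrictClient extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
            h.cancel();
        }
    }

    // Defect 4: incomplete certificate pinning, e.g. comparing a pin without
    // first validating the chain, so an attacker-controlled chain that happens
    // to carry the pinned key elsewhere, or a trust-all delegate, passes.
    // Hardened: validate the chain with the platform manager first, then require
    // that at least one certificate's SubjectPublicKeyInfo SHA-256 matches a pin.
    // Note: hostname verification is separate and is still done by the HTTPS stack.
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        private final byte[][] pins;  // SHA-256(SPKI) values supplied by the caller

        PinningTrustManager(X509TrustManager delegate, byte[]... pins) {
            this.delegate = delegate;
            this.pins = pins;
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType);  // chain, validity, trust anchor
            try {
                MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
                for (X509Certificate cert : chain) {
                    byte[] spki = sha256.digest(cert.getPublicKey().getEncoded());
                    for (byte[] pin : pins) {
                        if (Arrays.equals(spki, pin)) return;  // pinned key present
                    }
                }
            } catch (NoSuchAlgorithmException ex) {
                throw new CertificateException(ex);
            }
            throw new CertificateException("no pinned public key found in chain");
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }
}
```

The pinning manager fails closed: a chain that does not pass the platform manager is rejected before any pin is compared, and a chain that passes but contains no pinned key is rejected afterwards. A static checker of the kind described above can look for the vulnerable halves of these pairs: an `X509TrustManager` whose `checkServerTrusted` body is empty or only logs, a `HostnameVerifier.verify` that returns a constant true, and an `onReceivedSslError` override that calls `proceed()`.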