How to Detect SSL Leakage in Mobile Apps

  • 13 August 2014

By Sean Michael Kerner  |  Posted August 13, 2014
 
The Secure Sockets Layer protocol (SSL) is a foundational technology on the modern Internet, enabling data in transit to be encrypted and travel securely. Yet according to security researchers Tony Trummer and Tushar Dalvi, many popular mobile apps do not properly implement SSL.
Trummer and Tushar, both security researchers working at LinkedIn, detailed their findings in a session at the Defcon security conference over the weekend. The research was not sponsored or endorsed by their employer and was done on their own time.
In many of the mobile apps they tested across both iOS and Android, the two researchers found that app developers had disabled certificate authority (CA) validation. This validation, which checks that the server's certificate chains to a trusted CA, is a best practice to ensure that an SSL certificate is authentic and valid; without it, the app accepts any certificate it is presented with.
 

Checking for CAs

Trummer and Tushar suggested a simple test that can be used to see whether an app checks the CA behind a server's certificate. They recommend that researchers install Burp Suite, a Web application security testing toolkit that has both free and paid editions. Burp Suite can be used as an intercepting proxy for Web traffic and generates a per-host certificate signed by its own CA, which no stock device trusts.

The end-user device with the mobile app should be configured to point to the proxy. If the app's SSL traffic still gets through (the app completes the handshake with the proxy's certificate instead of failing), that is an indication that CA validation is not working properly.
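The Java pattern that this test catches on Android, beside the default behaviour, plus a desktop reproduction of the Burp check, as an added illustration that is not code from the article or the researchers; the proxy address 127.0.0.1:8080 (Burp's default listener) and the target URL are assumptions.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class CaValidationCheck {
    // VULNERABLE: the pattern the researchers describe. This TrustManager
    // accepts every server certificate, so the proxy's self-signed
    // per-host certificate is accepted and the request "just works".
    static SSLContext trustAllContext() throws GeneralSecurityException {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        return ctx;
    }

    // Sends one HTTPS request through the intercepting proxy (assumed to
    // listen on 127.0.0.1:8080) using the given trust configuration.
    static int fetchViaProxy(String url, SSLContext ctx) throws IOException {
        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("127.0.0.1", 8080));
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection(proxy);
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://example.com/";  // placeholder target
        try {
            // HARDENED: the default context chains to a trusted CA, so the proxy cert is rejected.
            int code = fetchViaProxy(url, SSLContext.getDefault());
            System.out.println("default trust: HTTP " + code + " (is the proxy CA installed here?)");
        } catch (SSLHandshakeException e) {
            System.out.println("default trust rejected the proxy certificate (expected)");
        }
        // The app-style client: a successful response here is the finding the researchers describe.
        System.out.println("trust-all: HTTP " + fetchViaProxy(url, trustAllContext()));
    }
}
```

With Burp listening and its CA not installed, the default client fails the handshake while the trust-all client returns a status code, which is exactly the asymmetry the device test looks for.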
 
Source: eSecurityPlanet, full article at http://www.esecurityplanet.com/mobile-security/how-to-detect-ssl-leakage-in-mobile-apps.html
