Okara: Detection and Attribution of TLS Man-in-the-Middle Vulnerabilities in Android Apps with Foundation Models
Okara is a comprehensive framework for detecting and analyzing TLS MitM vulnerabilities (TMVs) in Android applications. The framework consists of two primary components, TMV-Hunter and TMV-ORCA, as elaborated below.
TMV-Hunter: a dynamic analysis tool for large-scale TMV detection that leverages foundation model-driven GUI agents.
Key Features:
- Foundation model-driven GUI automation (supports multiple VLMs)
- Automated MitM proxy configuration
- Frida-based dynamic instrumentation
- Comprehensive vulnerability reporting
TMV-ORCA: an automated root cause analysis tool that combines dynamic instrumentation with LLM-based classification.
Key Features:
- Automated vulnerable code extraction
- LLM-powered vulnerability classification
- Batch processing capabilities
Our dataset is available on Google Drive. The benchmark dataset containing sensitive vulnerability details is available upon request.
If you use Okara in your research, please cite our paper:
@misc{yang2026okaradetectionattributiontls,
title={Okara: Detection and Attribution of TLS Man-in-the-Middle Vulnerabilities in Android Apps with Foundation Models},
author={Haoyun Yang and Ronghong Huang and Yong Fang and Beizeng Zhang and Junpu Guo and Zhanyu Wu and Xianghang Mi},
year={2026},
eprint={2601.22770},
archivePrefix={arXiv},
primaryClass={cs.CR},
url={https://arxiv.org/abs/2601.22770},
}
We thank the Android security research community and the developers of the foundation models that made this work possible.