TLS is the de-facto standard for encrypting network communications. Today, upwards of 80% of pages loaded on Firefox, Chrome, and Safari are encrypted with TLS. This might be the story for web, but what about mobile? Existing measurements of mobile network encryption fall short: they often focus on the Google Play ecosystem, which necessarily excludes mobile users in China, who comprise a massive portion of the global Internet.

This thesis demonstrates that HTTPS is, in fact, not everywhere, and that a massive portion of mobile network communications remains poorly encrypted and accessible to systems of mass surveillance. These issues are particularly concentrated in mobile applications developed in China, which have been overlooked by the global security community despite their massive popularity and influence.

Three studies provide different perspectives that demonstrate both the (1) massive popularity of proprietary network encryption protocols in top mobile applications, and (2) the insecurity of such homegrown protocols. First, I present our reverse-engineering of WeChat’ s proprietary transport encryption protocol and subsequent privacy analysis of the WeChat Mini Program ecosystem. Then, I review the network encryption used by popular Chinese keyboards to encrypt user keystrokes. Finally, I present a large-scale study of encryption protocols used by thousands of popular mobile applications.

I discovered severe vulnerabilities enabling network attackers to decrypt sensitive data in the vast majority of the proprietary encryption protocols we analyzed. Through the vulnerabilities fixed as a result of this work, this research has directly improved the network security of over one billion people.