Abstract

The "goto fail" bug was a shock for all security-aware Apple users. A simple coding error led to a missing check in SSL validation, with grave consequences. Many applications rely on SSL, but only a few recognize that all of its helpful mechanisms (encryption, integrity protection, replay protection) are not worth a penny without proper authentication of the communication peers. We suspected that many programs, especially mobile apps, do not fully validate the certificate of the server they send confidential information to. Could "goto fail" and similar insufficient certificate validation checks be tested for without access to the source code?

To find out, we developed SVF, the "SSL Validation Fuzzer", in cooperation with the University of Applied Sciences St. Poelten, to make testing of certificate validation checks easier. SVF is written in Python and based on the well-known mitmproxy software. For testing, it is placed between the test target (e.g. a mobile app) and the server. SVF will (1) capture the SSL handshake, (2) generate several mutation certificates from the original server certificate according to a range of test cases, (3) let the user apply those mutation certificates to the encrypted connection, in order to (4) test whether the client starts or continues data transfer with a forged certificate, thereby allowing the client-side certificate validation logic to be tested. Though currently still a simple yet powerful prototype, we used SVF on a bunch of iOS, Android, and Windows Mobile apps. The first range of test candidates were mobile banking applications, as we expected strong validation checks there. We started with mobile banking apps from our home country Austria, then moved on to banking apps from other countries too, which gave us some very interesting results and a glimpse of the overall state of certificate checks. Vendors affected by the discovered vulnerabilities are being informed in a coordinated disclosure process.

In our talk, both the SVF tool and the results from our field study will be presented. We believe that, although still in a prototype stage with just a bunch of test cases, SVF-type checks could be valuable not only for app developers but for anyone trying to test the SSL validation checks of an app, and thereby its susceptibility to crafted man-in-the-middle attacks.
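The mutation classes SVF applies, reduced to the validation logic a correctly implemented client must perform on each of them. This is an added example written for this page, not SVF's own code: the roots, the host name bank.example and the three mutations (wrong host, expired, untrusted issuer) are constructed test data, and ClientAccepts models a client that chains to a trusted root, checks the validity period and matches the hostname.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair and a certificate for cn, signed by parent
// (self-signed when parent is nil). All certificates here are constructed test data.
func issue(cn string, ca bool, notAfter time.Duration, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // Go ignores the CN; the SAN decides the hostname check
		NotBefore:    time.Now().Add(-2 * time.Hour), NotAfter: time.Now().Add(notAfter),
		IsCA:         ca, BasicConstraintsValid: true,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Mutation is one SVF-style test case derived from the original server certificate.
type Mutation struct {
	Host      string        // DNS name in the leaf; a wrong name models the host-mismatch case
	NotAfter  time.Duration // end of validity relative to now; negative models an expired cert
	Untrusted bool          // sign the leaf with a root the client does not trust
}

// ClientAccepts performs the checks a correct client applies to the presented leaf: chain
// to a trusted root, validity period and hostname. nil means the client would proceed.
func ClientAccepts(m Mutation, expectedHost string) error {
	signer, signerKey := issue("Trusted Root (constructed)", true, 24*time.Hour, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(signer) // the client's trust store holds only this root
	if m.Untrusted {
		signer, signerKey = issue("Untrusted Root (constructed)", true, 24*time.Hour, nil, nil)
	}
	leaf, _ := issue(m.Host, false, m.NotAfter, signer, signerKey)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: expectedHost, Roots: roots})
	return err
}
```

The unmodified case (Host equal to the expected host, positive NotAfter, trusted signer) returns nil; each mutation must return an error, and a client that keeps sending data on any of them is what SVF is designed to catch.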