DOI: 10.1145/3134600.3134615 (research article, public access)
Exploitation and Mitigation of Authentication Schemes Based on Device-Public Information

Published: 04 December 2017

Abstract

Today's mobile applications increasingly rely on communication with a remote backend service to perform many critical functions, including handling user-specific information. This implies that some form of authentication should be used to associate a user with their actions and data. Since schemes involving tedious account creation procedures can represent "friction" for users, many applications are moving toward alternative solutions, some of which, while increasing usability, sacrifice security.
This paper focuses on a new trend of authentication schemes based on what we call "device-public" information, which consists of properties and data that any application running on a device can obtain. While these schemes are convenient to users, since they require little to no interaction, they are vulnerable by design, since all the needed information to authenticate a user is available to any app installed on the device. An attacker with a malicious app on a user's device could easily hijack the user's account, steal private information, send (and receive) messages on behalf of the user, or steal valuable virtual goods.
To demonstrate how easily these vulnerabilities can be weaponized, we developed a generic exploitation technique that first mines all relevant data from a victim's phone, and then transfers and injects them into an attacker's phone to fool apps into granting access to the victim's account. Moreover, we developed a dynamic analysis detection system to automatically highlight problematic apps.
Using our tool, we analyzed 1,000 popular applications and found that 41 of them, including the popular messaging apps WhatsApp and Viber, were vulnerable. Finally, our work proposes solutions to this issue, based on modifications to the Android API.
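The abstract's central point is that a login request assembled only from device-public properties can be reproduced by any other app installed on the same device, so the backend has no way to tell the legitimate app from a malicious one. The script below is an added example, not the paper's detection system or any code by its authors: it is a triage check an app assessor can run over a captured login request, flagging a request whose credential-carrying fields are all explained by device-public values, whether sent raw or as a hex digest. Every identifier value and both sample requests are constructed for the example; the hashed wire forms, the field names and the list of non-credential fields are assumptions.

```python
import hashlib
from typing import Dict

# Constructed sample of "device-public" properties: values that any app installed on
# the device can read. All values below are made up for this example.
DEVICE_PUBLIC = {
    "android_id": "9774d56d682e549c",
    "imei": "356938035643809",
    "advertising_id": "38400000-8cf0-11bd-b23e-10b96e40000d",
    "phone_number": "+15551234567",
    "account_email": "user@example.com",
}

# Request fields that carry metadata rather than a credential. Ignoring them is a
# heuristic (assumption) so that a version string does not mask a weak scheme.
NON_CREDENTIAL_FIELDS = {"app_version", "platform", "locale", "os_version"}

# Digests an app might send instead of the raw identifier (assumption).
HASHES = ("md5", "sha1", "sha256")


def derived_values(public: Dict[str, str]) -> Dict[str, str]:
    """Reverse index from every wire form a device-public value may take (raw,
    lower-cased, or a hex digest) back to the name of its source. A digest of
    public data is still public data, so hashed forms count as matches."""
    index: Dict[str, str] = {}
    for name, value in public.items():
        index[value] = name
        index[value.lower()] = name
        for algo in HASHES:
            index[hashlib.new(algo, value.encode()).hexdigest()] = f"{algo}({name})"
    return index


def classify_auth_request(params: Dict[str, str], public: Dict[str, str]) -> dict:
    """Split a captured login request into fields explained by device-public data and
    fields that are not. When every credential field is explained, the request
    authenticates the user with information a co-installed app could reproduce."""
    index = derived_values(public)
    matched: Dict[str, str] = {}
    unexplained: Dict[str, str] = {}
    for key, raw in params.items():
        if key in NON_CREDENTIAL_FIELDS:
            continue
        value = str(raw)
        source = index.get(value) or index.get(value.lower())
        if source:
            matched[key] = source
        else:
            unexplained[key] = value
    return {
        "device_public_only": bool(matched) and not unexplained,
        "matched": matched,
        "unexplained": unexplained,
    }


# Constructed login requests, not traffic captured from any real app.
WEAK_LOGIN = {
    "app_version": "4.1.0",
    "device_id": "9774d56d682e549c",
    "imei_sha1": hashlib.sha1(b"356938035643809").hexdigest(),
    "msisdn": "+15551234567",
}

TOKEN_LOGIN = {
    "app_version": "4.1.0",
    "device_id": "9774d56d682e549c",
    # A random per-installation secret issued by the backend at registration and kept
    # in app-private storage; other apps cannot read it (constructed value).
    "session_token": "f2a9c1e0b7d34c6e8f5a1b2c3d4e5f60",
}

if __name__ == "__main__":
    for label, request in (("weak", WEAK_LOGIN), ("token", TOKEN_LOGIN)):
        result = classify_auth_request(request, DEVICE_PUBLIC)
        print(label, "device_public_only =", result["device_public_only"], result)
```

The first request is flagged because `device_id`, `imei_sha1` and `msisdn` all resolve to device-public sources; the second passes only because `session_token` is a value no other app can derive. That per-installation secret is one client-side design that survives this check; the Android API modifications the paper proposes address the same problem at the platform layer and are not modelled here.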


Cited By

  • (2023) Notice the imposter! A study on user tag spoofing attack in mobile apps. Proceedings of the 32nd USENIX Conference on Security Symposium, 5485-5501. 10.5555/3620237.3620544
  • (2023) An Attack to One-Tap Authentication Services in Cellular Networks. IEEE Transactions on Information Forensics and Security 18, 5082-5095. 10.1109/TIFS.2023.3304840
  • (2021) It's Not What It Looks Like: Manipulating Perceptual Hashing based Applications. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 69-85. 10.1145/3460120.3484559
  • (2021) Towards Transparent and Stealthy Android OS Sandboxing via Customizable Container-Based Virtualization. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, 2858-2874. 10.1145/3460120.3484544
  • (2021) App's Auto-Login Function Security Testing via Android OS-Level Virtualization. Proceedings of the 43rd International Conference on Software Engineering, 1683-1694. 10.1109/ICSE43902.2021.00149
  • (2021) AppJitsu: Investigating the Resiliency of Android Applications. 2021 IEEE European Symposium on Security and Privacy (EuroS&P), 457-471. 10.1109/EuroSP51992.2021.00038
  • (2021) A survey of android application and malware hardening. Computer Science Review 39, 100365. 10.1016/j.cosrev.2021.100365
  • (2020) SecureESFS: Sharing Android External Storage Files in a Securer Way. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 1339-1347. 10.1109/TrustCom50675.2020.00180
  • (2020) Android Data-Clone Attack via Operating System Customization. IEEE Access 8, 199733-199746. 10.1109/ACCESS.2020.3035089
  • (2020) Android data storage security: A review. Journal of King Saud University - Computer and Information Sciences 32(5), 543-552. 10.1016/j.jksuci.2018.07.004

Published In

ACSAC '17: Proceedings of the 33rd Annual Computer Security Applications Conference
December 2017, 618 pages
ISBN: 9781450353458
DOI: 10.1145/3134600
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. authentication
  2. mobile-security
  3. vulnerability

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ACSAC 2017

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

