DOI: 10.1109/ICSE43902.2021.00149
Research article

App's Auto-Login Function Security Testing via Android OS-Level Virtualization

Published: 05 November 2021

Abstract

Limited by the small keyboard, most mobile apps support an automatic login feature for a better user experience, so users avoid the inconvenience of retyping their ID and password whenever an app returns to the foreground. However, this auto-login function can be exploited to launch the so-called "data-clone attack": once the locally stored data that auto-login depends on are cloned by attackers and placed on their own smartphones, attackers can break through the login-device number limit and log in to the victim's account stealthily. A natural countermeasure is to check the consistency of device-specific attributes. As long as the new device shows a different device fingerprint from the previous one, the app will disable the auto-login function and thus prevent data-clone attacks.
In this paper, we develop VPDroid, a transparent Android OS-level virtualization platform tailored for security testing. With VPDroid, security analysts can customize different device artifacts, such as CPU model, Android ID, and phone number, in a virtual phone without user-level API hooking. VPDroid's isolation mechanism ensures that user-mode apps in the virtual phone cannot detect device-specific discrepancies. To assess Android apps' susceptibility to the data-clone attack, we use VPDroid to simulate data-clone attacks against the 234 most-downloaded apps. Our experiments on five different virtual phone environments show that VPDroid's device attribute customization can deceive all tested apps that perform device-consistency checks, including Twitter, WeChat, and PayPal. 19 vendors have confirmed our report as a zero-day vulnerability. Our findings paint a cautionary tale: enforcing a device-consistency check only on the client side is still vulnerable to an advanced data-clone attack.

Cited By

  • (2022) What did you pack in my app? A systematic analysis of commercial Android packers. Proceedings of the 30th ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 10.1145/3540250.3558969, pp. 1430-1440. Online publication date: 7-Nov-2022.

Published In

ICSE '21: Proceedings of the 43rd International Conference on Software Engineering
May 2021, 1768 pages
ISBN: 9781450390859

Publisher

IEEE Press

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ICSE '21

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Article Metrics

  • Downloads (last 12 months): 37
  • Downloads (last 6 weeks): 2
Reflects downloads up to 19 Dec 2024
