AppCracker: Widespread Vulnerabilities in User and Session Authentication in Mobile Apps

MoST'15

原文链接
作者信息：Fangda Cai, Hao Chen【上海科技大学】，Yuanyi Wu【浙江理工大学】，Yuan Zhang【复旦大学】

Insight：We examine how the popular, important mobile apps on Chinese Android markets defend themselves against untrusted networks.
【1. 虽然看似是app的所有网络通信，但大部分工作以及重要性的体现都是通过表明应用会造成login credential泄露和session劫持，与我们的工作关注点相同】
【2. 文章有一段专门解释了为什么选择中国市场应用】
【3. 分析的结果是发现了100个vulnerable的应用，文章讲了为何This finding is significant in several ways，对比之下我们的审稿意见中给出了The results do not show valuable findings的评价，今后应该注意】
【4. 文章在描述应用存在的问题时，明确分为主动攻击和被动攻击的场景，尽管主动攻击和被动攻击中应用存在的问题会有重叠，但这样的分类表述会更清晰，在主动攻击中只突出SSL证书验证的问题，应该学习】

Contribution

• We are the first to study the user and session authentication vulnerabilities in top mobile apps in major categories. We found that 100 popular apps are vulnerable. Note that this is a conservative number, as we report an app as vulnerable only after we successfully attack it using AppCracker.
• We describe the diverse vulnerabilities found in these apps.
• We design a mini-language for describing these vulnerabilities and develop a tool, AppCracker, for performing passive and active attacks to validate these vulnerabilities.
• We discuss lessons learned during our investigation, which would help app developers avoid similar vulnerabilities.
• We hope that our findings will raise awareness of these vulnerabilities among both the research community and app developers, and will encourage research in automated tools for detecting these vulnerabilities.

【几乎同样的工作，这样写感觉contribution不那么weak】

Description： We found several types of vulnerabilities during user authentication. The simplest one is that many apps transmit username and password in plaintext or encoded form (e.g., Base64). Some apps do use cryptography to protect their data on the network; however, instead of using standard secure channels such as SSL, they use home-grown protocols and fall victim to various cryptographic pitfalls, such as insecure selection of symmetric and public keys, insecure distribution of keys, insecure modes of operation, insecure message authentication code, or security by obscurity. Besides user authentication, session authentication is also vulnerable in some apps, as they fail to protect their session IDs in the HTTP request body or cookie.
【发现的问题和我们的基本相同，但在描述上更加准确，特别是security by obscurity】

lesson learned： The primary lesson learned from our investigation is the importance of end-to-end security in mobile apps. We also show that developers should avoid home-grown cryptographic protocols whenever possible, hide no secret in apps, avoid security by obscurity, and build security into apps from the very beginning.
【关于lesson learned，审稿意见觉得我们的描述merely indicate that app developers should be more cautious when implementing their own authentication process. The suggestions given are also commonly known. 可能是因为我们的文章里写的比较散，没有这样总结性的语句】

Dataset：We select top apps from major categories, such as online shopping, banking, social networks, travel services, and apps from companies with huge market capitalization.【百度市场】
【文章有一段专门讲了为什么选择中国市场应用。文章结果是100个有问题的应用】

Methodology
offline：android-apktool，dex2jar，jd-gui，procyon，人工看
online：AppCraker，处理请求中字段的识别和替换【主要部分】

Results
Plaintext or Encoded Data
Encryption: Insecure key selection, Insecure key distribution, Insecure modes of operation
Public Key Encryption：Insecure key selection
Message Integrity：MAC，Obfuscated message authentication code
Sessions：Session ID in request body；Session ID in cookie
【风格类似，每个分类下面是具体的案例。在攻击无padding的RSA加密时，文中提到在e为3，公钥长度为1024bit时，明文少于42（1024/3/8）个字节时，攻击者可以简单计算密文的立方根获得明文】

Lessons Learned

1. Use Standard Cryptograpic Protocols；
2. No Place to Hide in the App；
3. Security through Obscurity doesn’t Work；
4. Build Security into Apps from the Beginning