
    All your sessions are belong to us: Investigating authenticator leakage through backup channels on Android

    Security of authentication protocols heavily relies on the confidentiality of credentials (or authenticators) such as passwords and session IDs. However, unlike browser-based web applications, for which highly evolved browsers manage the authenticators, Android apps have to construct their own management. We find that most apps simply place their authenticators in persistent storage and entrust mediation to the underlying Android OS. Consequently, these authenticators can be leaked through compromised backup channels. In this work, we conduct the first systematic investigation of this previously overlooked attack vector. We find that nearly all backup apps on Google Play inadvertently expose backup data to any app with internet and SD card permissions. With this exposure, malicious apps can steal other apps' authenticators and obtain complete control over the authenticated sessions. We show that this can be done stealthily and efficiently by building a proof-of-concept app named AuthSniffer. We find that 80 (68.4%) of the 117 tested top-ranked apps that implement authentication schemes are subject to this threat. Our study should raise the awareness of app developers and protocol analysts about this attack vector.

    Towards model checking Android applications

    As feature-rich Android applications (apps for short) become increasingly popular in security-sensitive scenarios, methods to verify their security properties are highly desirable. Existing approaches to verifying Android apps often have limited effectiveness. For instance, static analysis often suffers from a high false-positive rate, whereas approaches based on dynamic testing are limited in coverage. In this work, we propose an alternative approach: applying the software model checking technique to verify Android apps. We have built a general framework named DroidPF upon Java PathFinder (JPF) for model checking Android apps. In the framework, we craft an executable mock-up Android OS that enables JPF to dynamically explore the concrete state spaces of the tested apps; we construct programs to generate user interaction and environmental input so as to drive the dynamic execution of the apps; and we introduce Android-specific reduction techniques to help alleviate state space explosion. DroidPF focuses on common security vulnerabilities in Android apps, including sensitive data leakage, which involves a non-trivial flow- and context-sensitive taint-style analysis. DroidPF has been evaluated with 131 apps, which include real-world apps, third-party libraries, malware samples and benchmarks for evaluating app analysis techniques like ours. DroidPF precisely identifies nearly all of the previously known security issues and nine previously unreported vulnerabilities/bugs.
    NRF (Natl Research Foundation, S'pore)

    ANALYSIS OF MOBILE SECURITY AND PRIVACY

    Ph.D. (Doctor of Philosophy)

    Deep Review Sharing

    Review-Based Software Improvement (RBSI for short) has drawn increasing research attention in recent years. Relevant efforts focus on how to leverage the information within reviews to obtain better guidance for further updates. However, few efforts consider Projects Without sufficient Reviews (PWR for short). In fact, PWR make up the majority of software projects, and the lack of PWR-based RBSI research severely hinders the improvement of such software. In this paper, we make the first attempt to pave the way. Our goal is to establish a generic framework for sharing suitable and informative reviews with arbitrary PWR. To achieve this goal, we exploit techniques of code clone detection and review ranking. To improve the sharing precision, we introduce Convolutional Neural Networks (CNN) into our clone detection and design a novel CNN-based clone searching module for our sharing system. Meanwhile, we adopt a heuristic filtering strategy to reduce the sharing time cost. We implement a prototype review sharing system, RSharer, and collect 72,440 code-review pairs as our ground knowledge. Empirical experiments on hundreds of real code fragments verify the effectiveness of RSharer. RSharer also received positive responses and evaluations from expert developers.