Finding flaws from password authentication code in Android apps
Password authentication is widely used to validate users’ identities because it is convenient to use, easy for users to remember, and simple to implement. The password authentication protocol transmits passwords in plaintext, which makes the authentication vulnerable to eavesdropping and replay attacks, and several protocols have been proposed to protect against this. However, we find that secure password authentication protocols are often implemented incorrectly in Android applications (apps). To detect the implementation flaws in password authentication code, we propose GLACIATE, a fully automated tool combining machine learning and program analysis. Instead of creating detection templates/rules manually, GLACIATE automatically and accurately learns the common authentication flaws from a relatively small training dataset, and then identifies whether the authentication flaws exist in other apps. We collected 16,387 apps from Google Play for evaluation. GLACIATE successfully identified 4,105 of these with incorrect password authentication implementations. Examining these results, we observed that a significant proportion of them had multiple flaws in their authentication code. We further compared GLACIATE with the state-of-the-art techniques to assess its detection accuracy.

| Main Authors: | MA, Siqi; BERTINO, Elisa; NEPAL, Surya; LI, Jianru; DIETHELM, Ostry; DENG, Robert H.; JHA, Sanjay |
|---|---|
| Format: | text (application/pdf) |
| Language: | English |
| Published: | Institutional Knowledge at Singapore Management University, 2019 (2019-09-01) |
| Subjects: | Authentication protocol flaws; Automated program analysis; Mobile application security; Password authentication protocol; Vulnerability detection; Information Security |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4511 ; https://ink.library.smu.edu.sg/context/sis_research/article/5514/viewcontent/esorics19.pdf |
| DOI: | 10.1007/978-3-030-29959-0_30 |
| License: | http://creativecommons.org/licenses/by-nc-nd/4.0/ |
| Institution: | Singapore Management University |
| Collection: | Research Collection School Of Computing and Information Systems (InK@SMU, SMU Libraries) |
| Record ID: | sg-smu-ink.sis_research-5514 |