All your sessions are belong to us: Investigating authenticator leakage through backup channels on Android
Security of authentication protocols heavily relies on the confidentiality of credentials (or authenticators) like passwords and session IDs. However, unlike browser-based web applications for which highly evolved browsers manage the authenticators, Android apps have to construct their own managemen...
Saved in:
| Main Authors: | , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2015
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4950 https://ink.library.smu.edu.sg/context/sis_research/article/5953/viewcontent/ICECCS2015a.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-5953 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-59532020-02-27T03:19:52Z All your sessions are belong to us: Investigating authenticator leakage through backup channels on Android BAI, Guangdong SUN, Jun WU, Jianliang YE, Quanqi LI, Li DONG, Jin Song GUO, Shanqing Security of authentication protocols heavily relies on the confidentiality of credentials (or authenticators) like passwords and session IDs. However, unlike browser-based web applications for which highly evolved browsers manage the authenticators, Android apps have to construct their own management. We find that most apps simply locate their authenticators into the persistent storage and entrust underlying Android OS for mediation. Consequently, these authenticators can be leaked through compromised backup channels. In this work, we conduct the first systematic investigation on this previously overlooked attack vector. We find that nearly all backup apps on Google Play inadvertently expose backup data to any app with internet and SD card permissions. With this exposure, the malicious apps can steal other apps’ authenticators and obtain complete control over the authenticated sessions. We show that this can be stealthily and efficiently done by building a proof-of-concept app named AuthSniffer. We find that 80 (68.4%) out of the 117 tested topranked apps which have implemented authentication schemes are subject to this threat. Our study should raise the awareness of app developers and protocol analysts about this attack vector. 2015-12-12T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4950 info:doi/10.1109/ICECCS.2015.17 https://ink.library.smu.edu.sg/context/sis_research/article/5953/viewcontent/ICECCS2015a.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Computer and Systems Architecture Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Computer and Systems Architecture Software Engineering |
| spellingShingle |
Computer and Systems Architecture Software Engineering BAI, Guangdong SUN, Jun WU, Jianliang YE, Quanqi LI, Li DONG, Jin Song GUO, Shanqing All your sessions are belong to us: Investigating authenticator leakage through backup channels on Android |
| description |
Security of authentication protocols heavily relies on the confidentiality of credentials (or authenticators) like passwords and session IDs. However, unlike browser-based web applications for which highly evolved browsers manage the authenticators, Android apps have to construct their own management. We find that most apps simply locate their authenticators into the persistent storage and entrust underlying Android OS for mediation. Consequently, these authenticators can be leaked through compromised backup channels. In this work, we conduct the first systematic investigation on this previously overlooked attack vector. We find that nearly all backup apps on Google Play inadvertently expose backup data to any app with internet and SD card permissions. With this exposure, the malicious apps can steal other apps’ authenticators and obtain complete control over the authenticated sessions. We show that this can be stealthily and efficiently done by building a proof-of-concept app named AuthSniffer. We find that 80 (68.4%) out of the 117 tested topranked apps which have implemented authentication schemes are subject to this threat. Our study should raise the awareness of app developers and protocol analysts about this attack vector. |
| format |
text |
| author |
BAI, Guangdong SUN, Jun WU, Jianliang YE, Quanqi LI, Li DONG, Jin Song GUO, Shanqing |
| author_facet |
BAI, Guangdong SUN, Jun WU, Jianliang YE, Quanqi LI, Li DONG, Jin Song GUO, Shanqing |
| author_sort |
BAI, Guangdong |
| title |
All your sessions are belong to us: Investigating authenticator leakage through backup channels on Android |
| title_short |
All your sessions are belong to us: Investigating authenticator leakage through backup channels on Android |
| title_full |
All your sessions are belong to us: Investigating authenticator leakage through backup channels on Android |
| title_fullStr |
All your sessions are belong to us: Investigating authenticator leakage through backup channels on Android |
| title_full_unstemmed |
All your sessions are belong to us: Investigating authenticator leakage through backup channels on Android |
| title_sort |
all your sessions are belong to us: investigating authenticator leakage through backup channels on android |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2015 |
| url |
https://ink.library.smu.edu.sg/sis_research/4950 https://ink.library.smu.edu.sg/context/sis_research/article/5953/viewcontent/ICECCS2015a.pdf |
| _version_ |
1770575156183302144 |