Orchestration or automation: Authentication flaw detection in Android apps
Passwords are pervasively used to authenticate users' identities in mobile apps. To secure passwords against attacks, protection is applied to the password authentication protocol (PAP). The implementation of the protection scheme becomes an important factor in protecting PAP against attacks. W...
Saved in:
| Main Authors: | , , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2022
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/7651 https://ink.library.smu.edu.sg/context/sis_research/article/8654/viewcontent/09317767.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-8654 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-86542023-01-10T03:48:50Z Orchestration or automation: Authentication flaw detection in Android apps MA, Siqi LI, Juanru NEPAL, Surya OSTRY, Diethelm LO, David JHA, Sanjay K. DENG, Robert H. BERTINO, Elisa Passwords are pervasively used to authenticate users' identities in mobile apps. To secure passwords against attacks, protection is applied to the password authentication protocol (PAP). The implementation of the protection scheme becomes an important factor in protecting PAP against attacks. We focus on two basic protection in Android, i.e., SSL/TLS-based PAP and timestamp-based PAP. Previously, we proposed an automated tool, GLACIATE, to detect authentication flaws. We were curious whether orchestration (i.e., involving manual-effort) works better than automation. To answer this question, we propose an orchestrated approach, AUTHEXPLOIT and compare its effectiveness GLACIATE. We study requirements for correct implementation of PAP and then apply GLACIATE to identify protection enhancements automatically. Through dependency analysis, GLACIATE matches the implementations against the abstracted flaws to recognise defective apps. To evaluate AUTHEXPLOIT, we collected 1,200 Android apps from Google Play. We compared AUTHEXPLOIT with the automation tool, GLACIATE, and two other orchestration tools, MalloDroid and SMV-Hunter. The results demonstrated that orchestration tools detect flaws more precisely although the F1 score of GLACIATE is higher than AUTHEXPLOIT. Further analysis of the results reveals that highly popular apps and e-commerce apps are not more secure than other apps. 2022-01-01T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/7651 info:doi/10.1109/TDSC.2021.3050188 https://ink.library.smu.edu.sg/context/sis_research/article/8654/viewcontent/09317767.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Vulnerability detection password authentication mobile security Databases and Information Systems Information Security Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Vulnerability detection password authentication mobile security Databases and Information Systems Information Security Software Engineering |
| spellingShingle |
Vulnerability detection password authentication mobile security Databases and Information Systems Information Security Software Engineering MA, Siqi LI, Juanru NEPAL, Surya OSTRY, Diethelm LO, David JHA, Sanjay K. DENG, Robert H. BERTINO, Elisa Orchestration or automation: Authentication flaw detection in Android apps |
| description |
Passwords are pervasively used to authenticate users' identities in mobile apps. To secure passwords against attacks, protection is applied to the password authentication protocol (PAP). The implementation of the protection scheme becomes an important factor in protecting PAP against attacks. We focus on two basic protection in Android, i.e., SSL/TLS-based PAP and timestamp-based PAP. Previously, we proposed an automated tool, GLACIATE, to detect authentication flaws. We were curious whether orchestration (i.e., involving manual-effort) works better than automation. To answer this question, we propose an orchestrated approach, AUTHEXPLOIT and compare its effectiveness GLACIATE. We study requirements for correct implementation of PAP and then apply GLACIATE to identify protection enhancements automatically. Through dependency analysis, GLACIATE matches the implementations against the abstracted flaws to recognise defective apps. To evaluate AUTHEXPLOIT, we collected 1,200 Android apps from Google Play. We compared AUTHEXPLOIT with the automation tool, GLACIATE, and two other orchestration tools, MalloDroid and SMV-Hunter. The results demonstrated that orchestration tools detect flaws more precisely although the F1 score of GLACIATE is higher than AUTHEXPLOIT. Further analysis of the results reveals that highly popular apps and e-commerce apps are not more secure than other apps. |
| format |
text |
| author |
MA, Siqi LI, Juanru NEPAL, Surya OSTRY, Diethelm LO, David JHA, Sanjay K. DENG, Robert H. BERTINO, Elisa |
| author_facet |
MA, Siqi LI, Juanru NEPAL, Surya OSTRY, Diethelm LO, David JHA, Sanjay K. DENG, Robert H. BERTINO, Elisa |
| author_sort |
MA, Siqi |
| title |
Orchestration or automation: Authentication flaw detection in Android apps |
| title_short |
Orchestration or automation: Authentication flaw detection in Android apps |
| title_full |
Orchestration or automation: Authentication flaw detection in Android apps |
| title_fullStr |
Orchestration or automation: Authentication flaw detection in Android apps |
| title_full_unstemmed |
Orchestration or automation: Authentication flaw detection in Android apps |
| title_sort |
orchestration or automation: authentication flaw detection in android apps |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2022 |
| url |
https://ink.library.smu.edu.sg/sis_research/7651 https://ink.library.smu.edu.sg/context/sis_research/article/8654/viewcontent/09317767.pdf |
| _version_ |
1770576409140396032 |