VirtualSwindle: an automated attack against in-app billing on android

Authors: Collin Mulliner, William Robertson, Engin Kirda

DOI: 10.1145/2590296.2590335

Keywords: Android (operating system), Financial transaction, Mobile apps, Payment, Computer security, Computer science, World Wide Web

Abstract: Since its introduction, Android's in-app billing service has quickly gained popularity. The service allows users to pay for options, services, subscriptions, and virtual goods from within mobile apps themselves. In-app billing is attractive to developers because it is easy to integrate and has the advantage that the developer does not need to be concerned with managing financial transactions. In this paper, we present the first fully-automated attack against in-app billing on Android. Using our prototype, we conducted a robustness study of the attack, analyzing 85 of the most popular Android apps that make use of in-app billing. We found that 60% of these apps were easily and automatically crackable. We were able to bypass the in-app billing of highly prominent games such as Angry Birds and Temple Run, each of which has millions of users. Based on our study, we developed a defensive technique that specifically counters automated attacks against in-app billing. Our lightweight defense can be added to existing applications.
