Finding flaws from password authentication code in Android apps

Authors: Siqi Ma, Elisa Bertino, Surya Nepal, Juanru Li, Diethelm Ostry

DOI: 10.1007/978-3-030-29959-0_30

Keywords:

Abstract: Password authentication is widely used to validate users' identities because it is convenient to use, easy for users to remember, and simple to implement. The basic password protocol transmits passwords in plaintext, which makes the authentication vulnerable to eavesdropping and replay attacks, and several protocols have been proposed to protect against this. However, we find that secure password authentication protocols are often implemented incorrectly in Android applications (apps). To detect implementation flaws in password authentication code, we propose GLACIATE, a fully automated tool combining machine learning and program analysis. Instead of creating detection templates/rules manually, GLACIATE automatically and accurately learns common authentication flaws from a relatively small training dataset, and then identifies whether the same flaws exist in other apps. We collected 16,387 apps from Google Play for evaluation. GLACIATE successfully identified 4,105 of these with incorrect password authentication implementations. Examining the results, we observed that a significant proportion of them had multiple flaws in their authentication code. We further compared GLACIATE with state-of-the-art techniques to assess its detection accuracy.
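The eavesdropping and replay risk the abstract mentions, as an added illustration that is not code from the GLACIATE paper and says nothing about which flaws the tool actually learns: a passive attacker records one login exchange and sends it again. A server that accepts the plaintext password also accepts the replay; a nonce-based challenge-response server, where the client proves knowledge of the password by HMAC-ing a fresh, single-use server nonce, rejects it. The class names, the shared salt, and the credentials are constructed for this example.

```python
"""Plaintext password login vs. nonce-based challenge-response (added example).

Constructed for illustration; not the paper's code or its detection rules.
"""
import hashlib
import hmac
import os


def derive_key(password: str, salt: bytes) -> bytes:
    # Both sides derive the same key from the password (PBKDF2-HMAC-SHA256).
    # The salt is assumed to be shared out of band in this toy setup.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PlaintextServer:
    """Accepts {'user', 'password'}; anything captured on the wire replays."""

    def __init__(self, users):
        self.users = users  # username -> plaintext password (constructed)

    def login(self, msg):
        return self.users.get(msg["user"]) == msg["password"]


class ChallengeServer:
    """Issues a random nonce per login; the proof is HMAC(key, nonce)."""

    def __init__(self, users, salt):
        self.salt = salt
        self.keys = {u: derive_key(p, salt) for u, p in users.items()}
        self.issued = {}  # user -> outstanding nonce, consumed on first use

    def challenge(self, user):
        nonce = os.urandom(16)
        self.issued[user] = nonce
        return nonce

    def login(self, msg):
        # pop() makes the nonce single-use: a replayed message finds none.
        nonce = self.issued.pop(msg["user"], None)
        if nonce is None or msg["user"] not in self.keys:
            return False
        expected = hmac.new(self.keys[msg["user"]], nonce, "sha256").digest()
        return hmac.compare_digest(expected, msg["proof"])


def challenge_client(user, password, salt, nonce):
    # Client side: prove the password without ever sending it.
    key = derive_key(password, salt)
    return {"user": user, "proof": hmac.new(key, nonce, "sha256").digest()}


def replay_attack_plaintext():
    """Returns (first login accepted, replayed login accepted)."""
    srv = PlaintextServer({"alice": "correct horse"})
    captured = {"user": "alice", "password": "correct horse"}  # eavesdropped
    first = srv.login(captured)
    replay = srv.login(dict(captured))  # attacker resends the same bytes
    return first, replay  # -> (True, True)


def replay_attack_challenge():
    """Returns (first login accepted, replayed login accepted)."""
    salt = b"constructed-salt"
    srv = ChallengeServer({"alice": "correct horse"}, salt)
    nonce = srv.challenge("alice")
    captured = challenge_client("alice", "correct horse", salt, nonce)
    first = srv.login(captured)
    srv.challenge("alice")  # a new session gets a new nonce
    replay = srv.login(dict(captured))  # old proof no longer matches
    return first, replay  # -> (True, False)


if __name__ == "__main__":
    print("plaintext  (first, replay):", replay_attack_plaintext())
    print("challenge  (first, replay):", replay_attack_challenge())
```

Note the caveat a practitioner would want: challenge-response over an unprotected channel stops replay but still lets the eavesdropper run an offline dictionary attack against the captured proof, so in practice the exchange must also sit inside a properly validated TLS session; the references below on SSL/TLS misuse in Android apps are about that second failure mode.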

References (33)
Brice Canvel, Alain Hiltgen, Serge Vaudenay, Martin Vuagnoux. Password Interception in a SSL/TLS Channel. Advances in Cryptology - CRYPTO 2003, vol. 2729, pp. 583-599 (2003). DOI: 10.1007/978-3-540-45146-4_34
Ron Kohavi. A study of cross-validation and bootstrap for accuracy estimation and model selection. International Joint Conference on Artificial Intelligence (IJCAI), vol. 2, pp. 1137-1143 (1995).
Michael G. Burke, Ron K. Cytron. Interprocedural dependence analysis and parallelization. ACM SIGPLAN Notices, vol. 39, pp. 139-154 (2004). DOI: 10.1145/989393.989411
J. Barzilai. Deriving weights from pairwise comparison matrices. Journal of the Operational Research Society, vol. 48, pp. 1226-1232 (1997). DOI: 10.1057/PALGRAVE.JORS.2600474
Manuel Egele, David Brumley, Yanick Fratantonio, Christopher Kruegel. An empirical study of cryptographic misuse in Android applications. ACM Conference on Computer and Communications Security (CCS), pp. 73-84 (2013). DOI: 10.1145/2508859.2516693
David Sounthiraraj, Justin Sahs, Garrett Greenwood, Zhiqiang Lin, Latifur Khan. SMV-HUNTER: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps. Network and Distributed System Security Symposium (NDSS) (2014). DOI: 10.14722/NDSS.2014.23205
Patrick Lam, Eric Bodden, Ondrej Lhoták, Laurie Hendren. Soot: a Java bytecode optimization framework. Conference of the Centre for Advanced Studies on Collaborative Research (CASCON), pp. 214-224 (2010). DOI: 10.1145/1925805.1925818
John Hubbard, Ken Weimer, Yu Chen. A study of SSL Proxy attacks on Android and iOS mobile applications. IEEE Consumer Communications and Networking Conference (CCNC), pp. 86-91 (2014). DOI: 10.1109/CCNC.2014.6866553
Sascha Fahl, Marian Harbach, Thomas Muders, Matthew Smith, Lars Baumgärtner, Bernd Freisleben. Why Eve and Mallory love Android: an analysis of Android SSL (in)security. Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12), pp. 50-61 (2012). DOI: 10.1145/2382196.2382205
David Lo, Hong Cheng, Jiawei Han, Siau-Cheng Khoo, Chengnian Sun. Classification of software behaviors for failure detection: a discriminative pattern mining approach. Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD '09), pp. 557-566 (2009). DOI: 10.1145/1557019.1557083