Orchestration or Automation: Authentication Flaw Detection in Android Apps
IEEE Transactions on Dependable and Secure Computing (2022)
Abstract
Passwords are pervasively used to authenticate users' identities in mobile apps. To secure passwords against attacks, protection is applied to the password authentication protocol (PAP), and the implementation of that protection scheme becomes an important factor in defending PAP against attacks. We focus on two basic protections in Android, i.e., SSL/TLS-based PAP and timestamp-based PAP. Previously, we proposed an automated tool, GLACIATE, to detect authentication flaws. We were curious whether orchestration (i.e., involving manual effort) works better than automation. To answer this question, we propose an orchestrated approach, AuthExploit, and compare its effectiveness with GLACIATE. We study the requirements for a correct implementation of PAP and then apply GLACIATE to identify protection enhancements automatically. Through dependency analysis, GLACIATE matches the implementations against the abstracted flaws to recognise defective apps. To evaluate AuthExploit, we collected 1,200 Android apps from Google Play. We compared AuthExploit with the automation tool, GLACIATE, and two other orchestration tools, MalloDroid and SMV-Hunter. The results demonstrate that the orchestration tools detect flaws more precisely, although the F1 score of GLACIATE is higher than that of AuthExploit. Further analysis of the results reveals that highly popular apps and e-commerce apps are not more secure than other apps.
Keywords
Vulnerability detection, password authentication, mobile security