Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

9-2019

Abstract

Password authentication is widely used to validate users’ identities because it is convenient to use, easy for users to remember, and simple to implement. The password authentication protocol transmits passwords in plaintext, which makes the authentication vulnerable to eavesdropping and replay attacks, and several protocols have been proposed to protect against this. However, we find that secure password authentication protocols are often implemented incorrectly in Android applications (apps). To detect the implementation flaws in password authentication code, we propose GLACIATE, a fully automated tool combining machine learning and program analysis. Instead of creating detection templates/rules manually, GLACIATE automatically and accurately learns the common authentication flaws from a relatively small training dataset, and then identifies whether the authentication flaws exist in other apps. We collected 16,387 apps from Google Play for evaluation. GLACIATE successfully identified 4,105 of these with incorrect password authentication implementations. Examining these results, we observed that a significant proportion of them had multiple flaws in their authentication code. We further compared GLACIATE with the state-of-the-art techniques to assess its detection accuracy.

Keywords

Authentication protocol flaws, Automated program analysis, Mobile application security, Password authentication protocol, Vulnerability detection

Discipline

Information Security

Research Areas

Cybersecurity

Publication

Computer Security: ESORICS 2019: Proceedings of the European Symposium on Research in Computer Security, Luxembourg, September 15

Volume

11735

First Page

619

Last Page

637

ISBN

9783030299590

Identifier

10.1007/978-3-030-29959-0_30

Publisher

Springer

City or Country

Cham

Copyright Owner and License

Authors

Additional URL

https://doi.org/10.1007/978-3-030-29959-0_30

Download

Share

COinS