Publication Type: Conference Proceeding Article
Version: acceptedVersion
Publication Date: 9-2019
Abstract
Password authentication is widely used to validate users’ identities because it is convenient to use, easy for users to remember, and simple to implement. The password authentication protocol transmits passwords in plaintext, which makes the authentication vulnerable to eavesdropping and replay attacks, and several protocols have been proposed to protect against this. However, we find that secure password authentication protocols are often implemented incorrectly in Android applications (apps). To detect the implementation flaws in password authentication code, we propose GLACIATE, a fully automated tool combining machine learning and program analysis. Instead of creating detection templates/rules manually, GLACIATE automatically and accurately learns the common authentication flaws from a relatively small training dataset, and then identifies whether the authentication flaws exist in other apps. We collected 16,387 apps from Google Play for evaluation. GLACIATE successfully identified 4,105 of these with incorrect password authentication implementations. Examining these results, we observed that a significant proportion of them had multiple flaws in their authentication code. We further compared GLACIATE with the state-of-the-art techniques to assess its detection accuracy.
Keywords: Authentication protocol flaws, Automated program analysis, Mobile application security, Password authentication protocol, Vulnerability detection
Discipline: Information Security
Research Areas: Cybersecurity
Publication: Computer Security: ESORICS 2019: Proceedings of the European Symposium on Research in Computer Security, Luxembourg, September 15
Volume: 11735
First Page: 619
Last Page: 637
ISBN: 9783030299590
Identifier: 10.1007/978-3-030-29959-0_30
Publisher: Springer
City or Country: Cham
Citation
MA, Siqi; BERTINO, Elisa; NEPAL, Surya; LI, Jianru; DIETHELM, Ostry; DENG, Robert H.; and JHA, Sanjay.
Finding flaws from password authentication code in Android apps. (2019). Computer Security: ESORICS 2019: Proceedings of the European Symposium on Research in Computer Security, Luxembourg, September 15. 11735, 619-637.
Available at: https://ink.library.smu.edu.sg/sis_research/4511
Copyright Owner and License: Authors
Creative Commons License: This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL: https://doi.org/10.1007/978-3-030-29959-0_30