Publication Type
Journal Article
Version
publishedVersion
Publication Date
1-2022
Abstract
Passwords are pervasively used to authenticate users' identities in mobile apps. To secure passwords against attacks, protection is applied to the password authentication protocol (PAP). The implementation of the protection scheme becomes an important factor in protecting PAP against attacks. We focus on two basic protection schemes in Android, i.e., SSL/TLS-based PAP and timestamp-based PAP. Previously, we proposed an automated tool, GLACIATE, to detect authentication flaws. We were curious whether orchestration (i.e., involving manual effort) works better than automation. To answer this question, we propose an orchestrated approach, AUTHEXPLOIT, and compare its effectiveness with GLACIATE. We study requirements for correct implementation of PAP and then apply GLACIATE to identify protection enhancements automatically. Through dependency analysis, GLACIATE matches the implementations against the abstracted flaws to recognise defective apps. To evaluate AUTHEXPLOIT, we collected 1,200 Android apps from Google Play. We compared AUTHEXPLOIT with the automation tool, GLACIATE, and two other orchestration tools, MalloDroid and SMV-Hunter. The results demonstrated that orchestration tools detect flaws more precisely, although the F1 score of GLACIATE is higher than that of AUTHEXPLOIT. Further analysis of the results reveals that highly popular apps and e-commerce apps are not more secure than other apps.
Keywords
Vulnerability detection, password authentication, mobile security
Discipline
Databases and Information Systems | Information Security | Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
IEEE Transactions on Dependable and Secure Computing
Volume
19
Issue
4
First Page
2165
Last Page
2178
ISSN
1545-5971
Identifier
10.1109/TDSC.2021.3050188
Publisher
Institute of Electrical and Electronics Engineers
Citation
MA, Siqi; LI, Juanru; NEPAL, Surya; OSTRY, Diethelm; LO, David; JHA, Sanjay K.; DENG, Robert H.; and BERTINO, Elisa.
Orchestration or automation: Authentication flaw detection in Android apps. (2022). IEEE Transactions on Dependable and Secure Computing. 19, (4), 2165-2178.
Available at: https://ink.library.smu.edu.sg/sis_research/7651
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/TDSC.2021.3050188
Included in
Databases and Information Systems Commons, Information Security Commons, Software Engineering Commons