Honey, I Shrunk Your App Security: The State of Android App Hardening

Haupert, Vincent; Maier, Dominik; Schneider, Niklas; Kirsch, Julian; Müller, Tilo

doi:10.1007/978-3-319-93411-2_4

Cited by 13 publications

(5 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Haupert et al [15] evaluated the state of Android app hardening and identified vulnerabilities in a leading Runtime Application Self-Protection (RASP) product. Their work demonstrated the need for continuous improvement in security mechanisms to protect sensitive data from emerging threats.…”

Section: B Sensitive Data Encryptionmentioning

confidence: 99%

Elevating Android Privacy: A Blockchain-Powered Paradigm for Secure Data Management

Le,

Nguyen,

Huynh

et al. 2023

IJACSA

View full text Add to dashboard Cite

The significance of medical test records in diagnosing and treating illnesses cannot be overstated. These records serve as the foundation upon which medical professionals craft precise treatment strategies tailored to a patient's unique health condition and ailment. However, in several developing nations, such as Vietnam, a concerning trend persists: medical test records predominantly exist in vulnerable paper format, entrusted to patients for safekeeping. When patients transition between healthcare facilities, the responsibility of carrying these paper-based medical histories rests with them, introducing a significant risk factor due to the inherent fragility of paper documents, which can be easily damaged by fire or water. The loss of these crucial records can lead to severe disruptions in the diagnostic and therapeutic journey of patients, potentially compromising their well-being. Despite the emergence of various alternatives to address this vulnerability, Vietnam faces multifaceted challenges. These challenges encompass low technological literacy among patients and substantial infrastructural limitations. In response to these pressing issues, this study endeavors to harness the transformative potential of blockchain technology, smart contracts, and Non-Fungible Tokens (NFTs) to effectively mitigate the drawbacks associated with paper-based medical test records. Our comprehensive approach includes meticulous cataloging of current hospital practices, the introduction of a purpose-built blueprint for decentralized record sharing, the proposal of an innovative NFT-backed authentication model, the development of a practical proof-of-concept, and comprehensive platform testing. Through these efforts, we aim to revolutionize the management of medical test records in Vietnam, enhancing accessibility, security, and reliability for both patients and healthcare providers.

show abstract

Section: B Sensitive Data Encryptionmentioning

confidence: 99%

Elevating Android Privacy: A Blockchain-Powered Paradigm for Secure Data Management

Le,

Nguyen,

Huynh

et al. 2023

IJACSA

View full text Add to dashboard Cite

show abstract

“…In the ideal case, RASP agents can be deployed in a plug and play manner, requiring only an initial configuration as Haupert et al [12] describes regarding the deployment of Promon SHIELD RASP [22]. In cases where an agent does not require any configuration or a learning phase, attacks are detected using techniques that, e.g., combine taint-tracking with lexical analysis [2] or that monitor common input sinks and output sources for known malicious behavior and signatures [23].…”

Section: Runtime Environment and Binary Instrumentationmentioning

confidence: 99%

A Taxonomy of Approaches for Integrating Attack Awareness in Applications

Unlu

Shepherd

Coull

et al. 2020

2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)

View full text Add to dashboard Cite

Software applications are subject to an increasing number of attacks, resulting in data breaches and financial damage. Many solutions have been considered to help mitigate these attacks, such as the integration of attack-awareness techniques. In this paper, we propose a taxonomy illustrating how existing attack awareness techniques can be integrated into applications. This work provides a guide for security researchers and developers, aiding them when choosing the approach which best fits the needs of their application.

show abstract

“…A banking app is considered insecure and customers should refrain from using it, whenever an attacker succeeds in intercepting user input, such as login credentials or transaction authentication numbers (TANs), often used as second factor of authentication [11,33]. We begin by categorizing the banking apps in our dataset based on the type of user input that is used for interaction: (1) System keyboard events, used for entering user credentials, (2) touch events, that are necessary to implement custom keyboards and (3) camera events, as used to scan a security QR-code or photoTAN.…”

Section: A Interception Of User Inputmentioning

confidence: 99%

“…To this end, many have focused on Android systems for analyzing apps [40][41][42][43], detecting malware and attacks [44][45][46][47], or finding and describing vulnerabilities [48][49][50]-among many other topics. Moreover, jailbreaking or rooting Android devices is discussed both from an offensive [23,51,52] as well as a defensive point of view [11,33,[53][54][55][56]. In this section, we however focus on the iOS platform for which we first discuss attacks on unmodified as well as jailbroken systems.…”

Section: Related Workmentioning

confidence: 99%

“…Apps that attempt to detect a jailbroken device fail in doing so in all but one of the cases and can be evaded by rather simplistic means: We dynamically hook function calls responsible for common detection mechanisms using a widely spread toolkit, Cydia Substrate, and alter the outcome to lead the app to believe in running on a vanilla (no jailbreak applied) iOS. Note, that this functionality comes packaged with Cydia and does neither require any reverse-engineering or manipulations of the app [11], nor sophisticated attacks against TLS pinning [12] or similar. This enables us to record user input from keyboards, such as user credentials (name and password), but also to intercept photos from the built-in camera as used, for instance, for PhotoTANs to verify banking transactions, often used as second factor of authentication.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps

Kellner

Micha

Rieck

et al. 2019

2019 IEEE European Symposium on Security and Privacy (EuroS&P)

View full text Add to dashboard Cite

People increasingly rely on mobile devices for banking transactions or two-factor authentication (2FA) and thus trust in the security provided by the underlying operating system. Simultaneously, jailbreaks gain tremendous popularity among regular users for customizing their devices. In this paper, we show that both do not go well together: Jailbreaks remove vital security mechanisms, which are necessary to ensure a trusted environment that allows to protect sensitive data, such as login credentials and transaction numbers (TANs). We find that all but one banking app, available in the iOS App Store, can be fully compromised by trivial means without reverse-engineering, manipulating the app, or other sophisticated attacks. Even worse, 44 % of the banking apps do not even try to detect jailbreaks, revealing the prevalent, errant trust in the operating system's security. This study assesses the current state of security of banking apps and pleads for more advanced defensive measures for protecting user data.

show abstract

Honey, I Shrunk Your App Security: The State of Android App Hardening

Cited by 13 publications

References 24 publications

Elevating Android Privacy: A Blockchain-Powered Paradigm for Secure Data Management

Elevating Android Privacy: A Blockchain-Powered Paradigm for Secure Data Management

A Taxonomy of Approaches for Integrating Attack Awareness in Applications

False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps

Contact Info

Product

Resources

About