User Credential Cloning Attacks in Android Applications: Exploiting Automatic Login on Android Apps and Mitigating Strategies

Cho, Junsung; Kim, Da-Yeon; Kim, Hyoungshick

doi:10.1109/mce.2018.2797618

Cited by 6 publications

(13 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Recent papers have exploited the pervasive auto-login feature in Android apps [16]- [18]. These studies share two common assumptions:…”

Section: B Exploiting Auto-login Function Work and Limitationsmentioning

confidence: 99%

“…Besides, according to the official Android security report [26], large families of harmful applications use privilege escalation exploits to root devices. These papers [16]- [18] demonstrated the feasibility of data-clone attacks with a very small number of apps-only six apps in total. However, none of them take device-consistency checks into consideration.…”

Section: Oem-made Phone Clone Appsmentioning

confidence: 99%

“…We still take WeChat as an example to explain the limitation of existing work [16]- [18]. We clone all of the data under "/data/data/MicroMsg/" to a new smartphone, but we still cannot automatically log in to WeChat.…”

Section: Oem-made Phone Clone Appsmentioning

confidence: 99%

“…There are three ways to collect backup data from victim users for launching a data-clone attack. (1) Like the assumption held by related work [16], [18], attackers either have physical access to the victim's rooted device or the malware to steal credential data has been installed on the rooted device.…”

Section: Experiments With Most-downloaded Appsmentioning

confidence: 99%

“…In this paper, the meaning of "credential" or the auto-login depended data is a token or user identity. Initial investigations have studied this threat [16]- [18], but all of them are limited to victim identity theft on a rooted device. Furthermore, they missed an important fact: an increasing number of apps check device consistency to prevent client-side tampering; if they detect any device-specific discrepancies, their auto-login functions will be disabled.…”

mentioning

confidence: 99%

See 4 more Smart Citations

App’s Auto-Login Function Security Testing via Android OS-Level Virtualization

Song

Jiang

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Limited by the small keyboard, most mobile apps support the automatic login feature for better user experience. Therefore, users avoid the inconvenience of retyping their ID and password when an app runs in the foreground again. However, this auto-login function can be exploited to launch the so-called "data-clone attack": once the locally-stored, auto-login depended data are cloned by attackers and placed into their own smartphones, attackers can break through the login-device number limit and log in to the victim's account stealthily. A natural countermeasure is to check the consistency of devicespecific attributes. As long as the new device shows different device fingerprints with the previous one, the app will disable the auto-login function and thus prevent data-clone attacks.In this paper, we develop VPDroid, a transparent Android OSlevel virtualization platform tailored for security testing. With VPDroid, security analysts can customize different device artifacts, such as CPU model, Android ID, and phone number, in a virtual phone without user-level API hooking. VPDroid's isolation mechanism ensures that user-mode apps in the virtual phone cannot detect device-specific discrepancies. To assess Android apps' susceptibility to the data-clone attack, we use VPDroid to simulate data-clone attacks with 234 most-downloaded apps. Our experiments on five different virtual phone environmentsshow that VPDroid's device attribute customization can deceive all tested apps that perform device-consistency checks, such as Twitter, WeChat, and PayPal. 19 vendors have confirmed our report as a zero-day vulnerability. Our findings paint a cautionary tale: only enforcing a device-consistency check at client side is still vulnerable to an advanced data-clone attack. I. In t r o d u c t io nWith the prosperous development of the Android system and mobile networks [1], [2], the apps running on Android keep updating constantly to meet the fast-growing demand of smartphone users. In addition to the standard functionalities such as communication and entertainment, apps are now performing various critical tasks such as social networking [3], GPS navigation [4], IoT device remote control [5], and mobile payment [6]. Inevitably large amounts of private data (e.g., user credentials) are stored in the smartphone. Therefore, the

show abstract

“…Recent papers have exploited the pervasive auto-login feature in Android apps [16]- [18]. These studies share two common assumptions:…”

Section: B Exploiting Auto-login Function Work and Limitationsmentioning

confidence: 99%

Section: Oem-made Phone Clone Appsmentioning

confidence: 99%