AUTHSCOPE: Towards Automatic Discovery of Vulnerable Authorizations in Online Services

When accessing online private resources (e.g., user profiles, photos, shopping carts) from a client (e.g., a desktop web-browser or a mobile app), the service providers must implement proper access control, which typically involves both authentication and authorization. However, not all of the service providers follow the best practice, resulting in various access control vulnerabilities. To understand such a threat in a large scale, and identify the vulnerable access control implementations in online services, this paper introduces AuthScope, a tool that is able to automatically execute a mobile app and pinpoint the vulnerable access control implementations, particularly the vulnerable authorizations, in the corresponding online service. The key idea is to use differential traffic analysis to recognize the protocol fields and then automatically substitute the fields and observe the server response. One of the key challenges for a large scale study lies in how to obtain the post-authentication request-and-response messages for a given app. We have thus developed a targeted dynamic activity explorer to perform an in-context analysis and drive the app execution to automatically log in the service. We have tested AuthScope with 4,838 popular mobile apps from Google Play, and identified 597 0-day vulnerable authorizations that map to 306 apps.

[1]  Yuri Gurevich,et al.  Explicating SDKs: Uncovering Assumptions Underlying Secure Authentication and Authorization , 2013, USENIX Security Symposium.

[2]  Xiangyu Zhang,et al.  Deriving input syntactic structure from execution , 2008, SIGSOFT '08/FSE-16.

[3]  XiaoFeng Wang,et al.  Upgrading Your Android, Elevating My Malware: Privilege Escalation through Mobile OS Updating , 2014, 2014 IEEE Symposium on Security and Privacy.

[4]  Polyglot : Automatic Extraction of Protocol Format using Dynamic Binary Analysis , 2007 .

[5]  Zhiqiang Lin,et al.  SMARTGEN: Exposing Server URLs of Mobile Apps With Selective Symbolic Execution , 2017, WWW.

[6]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[7]  Christopher Krügel,et al.  Cross Site Scripting Prevention with Dynamic Data Tainting and Static Analysis , 2007, NDSS.

[8]  William Enck,et al.  AppsPlayground: automatic security analysis of smartphone applications , 2013, CODASPY.

[9]  Konstantin Beznosov,et al.  The devil is in the (implementation) details: an empirical analysis of OAuth SSO systems , 2012, CCS.

[10]  Xuxian Jiang,et al.  Automatic Protocol Format Reverse Engineering through Context-Aware Monitored Execution , 2008, NDSS.

[11]  Christoforos E. Kozyrakis,et al.  Nemesis: Preventing Authentication & Access Control Vulnerabilities in Web Applications , 2009, USENIX Security Symposium.

[12]  Jun Sun,et al.  AUTHSCAN: Automatic Extraction of Web Authentication Protocols from Implementations , 2013, NDSS.

[13]  Mayur Naik,et al.  Dynodroid: an input generation system for Android apps , 2013, ESEC/FSE 2013.

[14]  David Lie,et al.  IntelliDroid: A Targeted Input Generator for the Dynamic Analysis of Android Malware , 2016, NDSS.

[15]  Zhiqiang Lin,et al.  Half a Century of Practice: Who Is Still Storing Plaintext Passwords? , 2015, ISPEC.

[16]  Helen J. Wang,et al.  Tupni: automatic reverse engineering of input formats , 2008, CCS.

[17]  Rui Wang,et al.  How to Shop for Free Online -- Security Analysis of Cashier-as-a-Service Based Web Stores , 2011, 2011 IEEE Symposium on Security and Privacy.

[18]  S. B. Needleman,et al.  A General Method Applicable to the Search for Similarities in the Amino Acid Sequence of Two Proteins , 1989 .

[19]  Christopher Krügel,et al.  Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis , 2017, NDSS.

[20]  Collin Jackson,et al.  Robust defenses for cross-site request forgery , 2008, CCS.

[21]  Christus,et al.  A General Method Applicable to the Search for Similarities in the Amino Acid Sequence of Two Proteins , 2022 .

[22]  Hongseok Yang,et al.  Automated concolic testing of smartphone apps , 2012, SIGSOFT FSE.

[23]  Yuchen Zhou,et al.  SSOScan: Automated Testing of Web Applications for Single Sign-On Vulnerabilities , 2014, USENIX Security Symposium.

[24]  Stefan Savage,et al.  Unexpected means of protocol inference , 2006, IMC '06.

[25]  Davide Balzarotti,et al.  Toward Black-Box Detection of Logic Flaws in Web Applications , 2014, NDSS.

[26]  Sam Malek,et al.  Testing android apps through symbolic execution , 2012, ACM SIGSOFT Softw. Eng. Notes.

[27]  Atif M. Memon,et al.  GUI ripping: reverse engineering of graphical user interfaces for testing , 2003, 10th Working Conference on Reverse Engineering, 2003. WCRE 2003. Proceedings..

[28]  Latifur Khan,et al.  SMV-Hunter: Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps , 2014, NDSS.

[29]  Atif M. Memon,et al.  GUITAR: an innovative tool for automated testing of GUI-driven software , 2014, Automated Software Engineering.

[30]  Lawrence C. Stewart,et al.  HTTP Authentication: Basic and Digest Access Authentication , 1999 .

[31]  Zhenkai Liang,et al.  Polyglot: automatic extraction of protocol message format using dynamic binary analysis , 2007, CCS '07.

[32]  Yuan Tian,et al.  OAuth Demystified for Mobile Application Developers , 2014, CCS.

[33]  Alessandro Orso,et al.  A Classification of SQL Injection Attacks and Countermeasures , 2006, ISSSE.

[34]  Helen J. Wang,et al.  Discoverer: Automatic Protocol Reverse Engineering from Network Traces , 2007, USENIX Security Symposium.

[35]  Elliott I. Organick,et al.  The multics system: an examination of its structure , 1972 .

[36]  XiaoFeng Wang,et al.  InteGuard: Toward Automatic Protection of Third-Party Web Service Integrations , 2013, NDSS.

[37]  Christopher Krügel,et al.  Automatic Network Protocol Analysis , 2008, NDSS.

[38]  XiaoFeng Wang,et al.  Signing Me onto Your Accounts through Facebook and Google: A Traffic-Guided Security Study of Commercially Deployed Single-Sign-On Web Services , 2012, 2012 IEEE Symposium on Security and Privacy.

[39]  Rui Wang,et al.  Automatic Forgery of Cryptographically Consistent Messages to Identify Security Vulnerabilities in Mobile Services , 2016, NDSS.

[40]  Christopher Krügel,et al.  Prospex: Protocol Specification Extraction , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[41]  Wenke Lee,et al.  CHEX: statically vetting Android apps for component hijacking vulnerabilities , 2012, CCS.