Toward Discovering and Exploiting Private Server-Side Web APIs

Many service providers, including large enterprises, have released their own applications (apps) that incorporate HTTP clients to facilitate communication with their servers. The workflows of, and the APIs used by, a web app and its corresponding mobile app are not always the same. We call the APIs found in apps private web APIs, in that they are only supposed to be invoked by apps developed by the service providers themselves. However, checking the origin of an HTTP request is very difficult, and private web APIs can easily be invoked by other entities. Hence, it is imperative to study whether private web APIs provide the same level of security checks and validation as their public counterparts. To automatically discover the undocumented private APIs in Android apps, we design a system that uses static analysis to find the activities that invoke web APIs. Our system then runs the discovered activities on a customized Android system to monitor their HTTP requests and responses. We evaluated our system on 76 popular apps from the Google Play market. Our system successfully ran 48 apps and discovered many private server-side APIs from more than 30 apps. Further manual investigation found that 9 of the apps have vulnerabilities that would enable API misuse and session hijacking.
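The second stage of the approach described above, turning monitored HTTP traffic into a list of private endpoints, can be illustrated with a small audit script. The following is an added example, not the paper's system; the request records, host name and header values are constructed, and the rule that flags an endpoint (seen both with and without a session credential) is this example's own heuristic for where a service owner should verify that the server, not the client, enforces the check.

```python
"""Derive an endpoint inventory from captured app traffic (added illustration, not the paper's tool)."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample of what a traffic monitor on an instrumented device might record.
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "https://api.example.test/v1/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"}},
    {"method": "GET", "url": "https://api.example.test/v1/users/1001/profile",
     "headers": {"Authorization": "Bearer tok"}},
    {"method": "GET", "url": "https://api.example.test/v1/users/1002/profile",
     "headers": {}},
    {"method": "GET", "url": "https://api.example.test/v1/orders/77?page=2",
     "headers": {"Cookie": "sid=abc"}},
]

# Headers that carry a session credential in this constructed sample.
CREDENTIAL_HEADERS = ("authorization", "cookie")

def endpoint_template(url):
    """Collapse numeric or long-hex path segments into {id} so per-resource URLs group together."""
    parts = urlsplit(url)
    segs = [("{id}" if re.fullmatch(r"[0-9]+|[0-9a-f]{8,}", s) else s)
            for s in parts.path.split("/") if s]
    return parts.netloc + "/" + "/".join(segs)

def has_credential(headers):
    return any(k.lower() in CREDENTIAL_HEADERS for k in headers)

def summarize(requests):
    """Return {(method, template): {"calls": n, "unauthenticated": m}} over the captured requests."""
    summary = defaultdict(lambda: {"calls": 0, "unauthenticated": 0})
    for r in requests:
        key = (r["method"].upper(), endpoint_template(r["url"]))
        summary[key]["calls"] += 1
        if not has_credential(r["headers"]):
            summary[key]["unauthenticated"] += 1
    return dict(summary)

def endpoints_to_review(requests):
    """Endpoints the app called both with and without a credential: confirm the server enforces auth."""
    s = summarize(requests)
    return sorted(k for k, v in s.items() if 0 < v["unauthenticated"] < v["calls"])

if __name__ == "__main__":
    for key, v in summarize(SAMPLE_REQUESTS).items():
        print(key, v)
    print("review:", endpoints_to_review(SAMPLE_REQUESTS))
```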
