Why Does Your Data Leak? Uncovering the Data Leakage in Cloud from Mobile Apps

Increasingly, more and more mobile applications (apps for short) are using the cloud as the back-end, in particular the cloud APIs, for data storage, data analytics, message notification, and monitoring. Unfortunately, we have recently witnessed massive data leaks from the cloud, ranging from personally identifiable information to corporate secrets. In this paper, we seek to understand why such significant leaks occur and design tools to automatically identify them. To our surprise, our study reveals that lack of authentication, misuse of various keys (e.g., normal user keys and superuser keys) in authentication, or misconfiguration of user permissions in authorization are the root causes. Then, we design a set of automated program analysis techniques including obfuscation-resilient cloud API identification and string value analysis, and implement them in a tool called LeakScope to identify the potential data leakage vulnerabilities from mobile apps based on how the cloud APIs are used. Our evaluation with over 1.6 million mobile apps from the Google Play Store has uncovered 15, 098 app servers managed by mainstream cloud providers such as Amazon, Google, and Microsoft that are subject to data leakage attacks. We have made responsible disclosure to each of the cloud service providers, and they have all confirmed the vulnerabilities we have identified and are actively working with the mobile app developers to patch their vulnerable services.

[1]  Mu Zhang,et al.  AppSealer: Automatic Generation of Vulnerability-Specific Patches for Preventing Component Hijacking Attacks in Android Applications , 2014, NDSS.

[2]  Zhiqiang Lin,et al.  SMARTGEN: Exposing Server URLs of Mobile Apps With Selective Symbolic Execution , 2017, WWW.

[3]  Chen-Nee Chuah,et al.  FIREMAN: a toolkit for firewall modeling and analysis , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[4]  Xiao Zhang,et al.  Hare Hunting in the Wild Android: A Study on the Threat of Hanging Attribute References , 2015, CCS.

[5]  David W. Binkley,et al.  Program slicing , 2008, 2008 Frontiers of Software Maintenance.

[6]  Mona Attariyan,et al.  Automating Configuration Troubleshooting with Dynamic Information Flow Analysis , 2010, OSDI.

[7]  Sencun Zhu,et al.  ViewDroid: towards obfuscation-resilient mobile application repackaging detection , 2014, WiSec '14.

[8]  Christopher Krügel,et al.  PiOS: Detecting Privacy Leaks in iOS Applications , 2011, NDSS.

[9]  Yajin Zhou,et al.  Detecting repackaged smartphone applications in third-party android marketplaces , 2012, CODASPY '12.

[10]  Lorenzo Keller,et al.  ConfErr: A tool for assessing resilience to human configuration errors , 2008, 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN).

[11]  XianPing Tao,et al.  RepDroid: An Automated Tool for Android Application Repackaging Detection , 2017, 2017 IEEE/ACM 25th International Conference on Program Comprehension (ICPC).

[12]  Wenke Lee,et al.  CHEX: statically vetting Android apps for component hijacking vulnerabilities , 2012, CCS.

[13]  Ziming Zhao,et al.  Toward Discovering and Exploiting Private Server-Side Web APIs , 2016, 2016 IEEE International Conference on Web Services (ICWS).

[14]  Lujo Bauer,et al.  Detecting and resolving policy misconfigurations in access-control systems , 2011, TSEC.

[15]  Heng Yin,et al.  Code Injection Attacks on HTML5-based Mobile Apps: Characterization, Detection and Mitigation , 2014, CCS.

[16]  Ranjita Bhagwan,et al.  Baaz: A System for Detecting Access Control Misconfigurations , 2010, USENIX Security Symposium.

[17]  Yuanyuan Zhou,et al.  Do not blame users for misconfigurations , 2013, SOSP.

[18]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[19]  Erik Derr,et al.  Reliable Third-Party Library Detection in Android and its Security Applications , 2016, CCS.

[20]  Zhiqiang Lin,et al.  AUTHSCOPE: Towards Automatic Discovery of Vulnerable Authorizations in Online Services , 2017, CCS.

[21]  Rui Wang,et al.  Automatic Forgery of Cryptographically Consistent Messages to Identify Security Vulnerabilities in Mobile Services , 2016, NDSS.

[22]  Hao Chen,et al.  AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale , 2012, TRUST.

[23]  Peng Ning,et al.  Automatic diagnosis and response to memory corruption vulnerabilities , 2005, CCS '05.

[24]  Qing Wang,et al.  Show Me the Money! Finding Flawed Implementations of Third-party In-app Payment in Android Apps , 2017, NDSS.

[25]  Daniel M. Roy,et al.  Enhancing Server Availability and Security Through Failure-Oblivious Computing , 2004, OSDI.

[26]  Thomas W. Reps,et al.  Analyzing Memory Accesses in x86 Executables , 2004, CC.