Orchestration or Automation: Authentication Flaw Detection in Android Apps
ABSTRACT :
Passwords are pervasively used to authenticate users' identities in mobile apps. To secure passwords against attacks, protection is applied to the password authentication protocol (PAP). The implementation of the protection scheme becomes an important factor in protecting PAP against attacks. We focus on two basic protections in Android, i.e., SSL/TLS-based PAP and timestamp-based PAP. Previously, we proposed an automated tool, GLACIATE, to detect authentication flaws. We were curious whether orchestration (i.e., involving manual effort) works better than automation. To answer this question, we propose an orchestrated approach, AUTH-EYE, in this paper and compare its effectiveness with GLACIATE. We study the requirements for a correct implementation of PAP and then apply GLACIATE to identify protection enhancements automatically. Through dependency analysis, GLACIATE matches the implementations against the abstracted flaws to recognise defective apps. To evaluate AUTH-EYE, we collected 1,200 Android apps from Google Play. We compared AUTH-EYE with the automation tool, GLACIATE, and two other orchestration tools, MalloDroid and SMV-Hunter. The results demonstrate that orchestration tools detect flaws more precisely, although the F1 score of GLACIATE is higher than that of AUTH-EYE. Further analysis of the results reveals that highly popular apps and e-commerce apps are not more secure than other apps.
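As an added illustration of the timestamp-based PAP named in the abstract (this is example code written for this page, not code from the paper or from GLACIATE/AUTH-EYE), the Python below shows the exchange from both sides: the client binds the current timestamp into an HMAC under a password-derived key, a correct server enforces a freshness window plus a replay cache, and a flawed server that MACs the timestamp but never compares it with its clock keeps accepting a login message captured by a MITM. The message layout, the 60-second window, the salt and the credentials are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed example of a timestamp-based password authentication protocol
# (PAP), with a correct server beside a flawed one. The message layout, the
# 60 s freshness window and the sample credentials are assumptions for
# illustration; they are not taken from the paper or from GLACIATE/AUTH-EYE.

WINDOW_SECONDS = 60  # how far a client clock may drift before a proof is stale


def derive_key(password: str, salt: bytes) -> bytes:
    """Both ends hold the password, so both can derive the same MAC key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def proof(key: bytes, username: str, ts: int) -> str:
    # The timestamp is bound into the MAC, so a proof only verifies for its ts.
    return hmac.new(key, f"{username}|{ts}".encode(), "sha256").hexdigest()


def client_login(username: str, password: str, salt: bytes, now: int) -> dict:
    """Client side: send username, timestamp and the keyed proof."""
    return {"user": username, "ts": now, "tag": proof(derive_key(password, salt), username, now)}


class Server:
    def __init__(self, users: dict, salt: bytes, check_freshness: bool):
        self.keys = {u: derive_key(p, salt) for u, p in users.items()}
        self.seen = set()  # (user, ts) pairs already accepted, for replay detection
        self.check_freshness = check_freshness

    def login(self, msg: dict, now: int) -> bool:
        key = self.keys.get(msg["user"])
        if key is None:
            return False
        expected = proof(key, msg["user"], msg["ts"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False  # wrong password (or tampered message)
        if self.check_freshness:
            # Correct implementation: the MAC alone proves nothing about when
            # the message was made; reject stale timestamps and exact replays.
            if abs(now - msg["ts"]) > WINDOW_SECONDS:
                return False
            if (msg["user"], msg["ts"]) in self.seen:
                return False
            self.seen.add((msg["user"], msg["ts"]))
        # Flawed implementation (check_freshness=False): the timestamp is
        # MAC'd but never compared with the clock, so a captured login
        # message remains valid indefinitely.
        return True


def run_demo() -> dict:
    salt = b"constructed-salt"
    users = {"alice": "correct horse battery"}
    good = Server(users, salt, check_freshness=True)
    flawed = Server(users, salt, check_freshness=False)
    t0 = 1_700_000_000
    captured = client_login("alice", users["alice"], salt, t0)  # what a MITM could record
    return {
        "fresh_accepted": good.login(captured, t0 + 5),
        "replay_rejected": not good.login(captured, t0 + 10),
        "stale_rejected": not good.login(client_login("alice", users["alice"], salt, t0 - 600), t0),
        "bad_password_rejected": not good.login(client_login("alice", "wrong", salt, t0 + 20), t0 + 20),
        "flawed_accepts_replay": flawed.login(captured, t0 + 5) and flawed.login(captured, t0 + 86_400),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check:24s} {ok}")
```

The replay cache matters even inside the window: without it, a message captured a few seconds ago still logs in. The flawed server shows why a static checker looks for the comparison against the clock, not merely for the presence of a timestamp in the hashed input.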
EXISTING SYSTEM :
• We also report the percentage of code that apps load dynamically, by examining the API calls that appear in the dynamic traces but not in the APK.
• The larger the number of estimators, the longer it takes to train and classify samples, but the better the classifier.
• Beyond a certain number of estimators, however, there is no significant improvement in the classifier's predictions.
• The presence of both the SEND_SMS permission and the android.hardware.telephony feature in an app might indicate an attempt to send premium SMS messages, and this combination can eventually constitute a detection pattern.
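The permission/feature combination above, as an added example written for this page (not code from any of the tools discussed): the check reads the two declarations out of an AndroidManifest.xml, taking care to look the attribute up under the android namespace rather than as a bare `name`. The two manifests are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed example of the permission/feature combination check described
# above; the manifests below are made up for illustration and are not from
# the page's tools.

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # android:name as ElementTree sees it


def declared_names(root: ET.Element, tag: str) -> set:
    """android:name values of every <tag> element in the manifest."""
    return {el.get(NAME_ATTR, "") for el in root.iter(tag)}


def premium_sms_indicators(manifest_xml: str) -> dict:
    """Flag the SEND_SMS + telephony-hardware combination that can indicate
    premium-SMS abuse. It is an indicator, not proof: a genuine SMS client
    legitimately declares both."""
    root = ET.fromstring(manifest_xml)
    perms = declared_names(root, "uses-permission")
    feats = declared_names(root, "uses-feature")
    send_sms = "android.permission.SEND_SMS" in perms
    telephony = "android.hardware.telephony" in feats
    return {"send_sms": send_sms, "telephony": telephony, "match": send_sms and telephony}


SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.suspect">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-feature android:name="android.hardware.telephony" android:required="false"/>
    <application android:label="Flashlight"/>
</manifest>
"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benign">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-feature android:name="android.hardware.camera"/>
    <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, premium_sms_indicators(xml))
```

Note that `android:required="false"` on the feature still counts as a declaration here; a flashlight app declaring telephony plus SEND_SMS is exactly the mismatch such a pattern is meant to surface.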
DISADVANTAGE :
• To address the limitations of GLACIATE, we construct an orchestrated approach, AUTH-EYE, that uses templates predefined by a human expert (i.e., a human expert is involved).
• However, an interesting question is whether machine learning techniques are "smarter" than humans at generating such patterns.
• The detection approaches above, which use machine learning/data mining, have the desirable property of working automatically, and we investigated their application to our problem.
• Our observations show that the main difficulties in applying these approaches to our problem are how to filter the useful features and how to build an accurate model from limited data.
PROPOSED SYSTEM :
• For a survey of other proposed solutions for detecting and fixing SSL vulnerabilities, and of general SSL usage in Android apps, readers can see the respective cited surveys.
• The research community has proposed a number of techniques to detect and block malware based on either static or dynamic analysis.
• In particular, a few approaches have recently been proposed that aim to improve the accuracy of malware detection.
• We propose abstracting the API calls and evaluate how our system performs using datasets spanning several years.
• Recall that in the browser context, the lock icon informs users that their connection is secure, and that extensive research has analyzed (and proposed improvements to) SSL warnings.
ADVANTAGE :
• To evaluate the performance of AUTH-EYE, we measured Precision, Recall, and F1.
• As GLACIATE relies on agglomerative hierarchical clustering to learn flaw patterns automatically, we used 10-fold cross validation to evaluate its performance.
• However, the detection performance depends on how well the user inputs are created, and some vulnerabilities cannot be identified because they are not triggered by the MITM attacks.
• Given the results produced by GLACIATE, we were interested in whether the performance can be improved by involving manual effort (i.e., an orchestration approach).
• Orchestration approaches might be inefficient because of the manual effort involved.
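To tie together the SSL/TLS-based PAP from the abstract and the Precision/Recall/F1 evaluation described above, here is an added example written for this page (not the templates or code of AUTH-EYE, GLACIATE, MalloDroid or SMV-Hunter): a small expert-template checker for two classic Android TLS misuses, run over four constructed Java snippets with hand-assigned labels and scored with the three metrics. The two regular expressions and all four samples are assumptions made for the example; the fourth sample is deliberately a flaw the templates miss, to show where the recall of a template approach comes from.

```python
import re

# Constructed example: a small pattern-based (orchestrated) check for SSL/TLS
# misuse in Android Java sources, scored with Precision/Recall/F1 against
# hand-labelled samples. The two patterns and the four code samples are
# assumptions for illustration; they are not the templates used by
# AUTH-EYE, GLACIATE, MalloDroid or SMV-Hunter.

FLAW_PATTERNS = {
    # An X509TrustManager whose checkServerTrusted body is empty accepts any
    # certificate, so a MITM can read the password on the "TLS" connection.
    "empty_trust_manager": re.compile(
        r"void\s+checkServerTrusted\s*\([^)]*\)[^{]*\{\s*\}", re.S),
    # A HostnameVerifier that always returns true, or the deprecated
    # allow-all verifier, accepts a valid certificate for the wrong host.
    "hostname_bypass": re.compile(
        r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}"
        r"|ALLOW_ALL_HOSTNAME_VERIFIER", re.S),
}


def detect_flaws(source: str) -> set:
    """Names of the flaw patterns that match this source file."""
    return {name for name, rx in FLAW_PATTERNS.items() if rx.search(source)}


def precision_recall_f1(predicted, labelled):
    tp = sum(1 for p, y in zip(predicted, labelled) if p and y)
    fp = sum(1 for p, y in zip(predicted, labelled) if p and not y)
    fn = sum(1 for p, y in zip(predicted, labelled) if not p and y)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


# (source, expert label: True = flawed). Samples are constructed, not real apps.
SAMPLES = [
    ("""public void checkServerTrusted(X509Certificate[] chain, String authType) {
        }""", True),
    ("""public boolean verify(String hostname, SSLSession session) {
            return true;
        }""", True),
    ("""public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            for (X509Certificate c : chain) { c.checkValidity(); }
        }""", False),
    # Flawed, but not covered by the templates above: the default check runs
    # and its exception is swallowed. This is the recall gap of a template
    # approach that the caveat above refers to.
    ("""public void checkServerTrusted(X509Certificate[] chain, String authType) {
            try { defaultTm.checkServerTrusted(chain, authType); }
            catch (CertificateException e) { }
        }""", True),
]


def evaluate(samples=SAMPLES):
    """Run the checker over the labelled samples and return (P, R, F1)."""
    predicted = [bool(detect_flaws(src)) for src, _ in samples]
    labelled = [label for _, label in samples]
    return precision_recall_f1(predicted, labelled)


if __name__ == "__main__":
    for src, label in SAMPLES:
        print(sorted(detect_flaws(src)), "labelled flawed" if label else "labelled clean")
    print("precision=%.2f recall=%.2f f1=%.2f" % evaluate())
```

On these four samples the templates never fire on clean code (precision 1.0) but miss the exception-swallowing trust manager (recall 2/3, F1 0.8). That is the trade-off the bullets above describe: an expert template is precise for the shapes the expert wrote down, while anything outside those shapes, or not reachable by the MITM trigger, goes undetected until a human extends the templates.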