Hunting Password Leaks in Android Applications

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Research › peer-review

Abstract

A wide range of mobile applications for the Android operating system require users to input sensitive data, such as PINs or passwords. Given the ubiquitous and security-critical role of credentials, it is paramount that programs process secrets responsibly and do not expose them to unrelated parties. Unfortunately, users have no insight into what happens with their data after entrusting it to an application. In this paper, we introduce a new approach to identify and follow the trace of user input right from the point where it enters an application. By using a combination of static slicing in forward and backward direction, we are able to reveal potential data leaks and can pinpoint their origin. To evaluate the applicability of our solution, we conducted a manual and automated inspection of security-related Android applications that process user-entered secrets. We find that 182 out of 509 (36%) applications insecurely store given credentials in files or pass them to a log output.
Original language: English
Title of host publication: ICT Systems Security and Privacy Protection
Editors: Lech Jan Janczewski, Mirosław Kutyłowski
Place of publication: Cham
Publisher: Springer International Publishing AG
Pages: 278-292
Number of pages: 14
Volume: 529
ISBN (Electronic): 978-3-319-99828-2
ISBN (Print): 978-3-319-99827-5
DOIs: 10.1007/978-3-319-99828-2_20
Publication status: Published - 2018

Event

Conference: 33rd IFIP TC-11 SEC 2018 International Conference on Information Security and Privacy Protection
Abbreviated title: IFIP SEC 2018
Country: Poland
City: Poznań
Duration: 18 Sep 2018 to 20 Sep 2018

Keywords

  • Android security
  • Password input
  • Static analysis

Cite this

Feichtner, J. (2018). Hunting Password Leaks in Android Applications. In L. Jan Janczewski & M. Kutyłowski (Eds.), ICT Systems Security and Privacy Protection (Vol. 529, pp. 278-292). Cham: Springer International Publishing AG. https://doi.org/10.1007/978-3-319-99828-2_20
