Hunting Password Leaks in Android Applications

Johannes Feichtner

doi:10.1007/978-3-319-99828-2_20

Hunting Password Leaks in Android Applications

Johannes Feichtner

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

A wide range of mobile applications for the Android operating system require users to input sensitive data, such as PINs or passwords. Given the ubiquitous and security-critical role of credentials, it is paramount that programs process secrets responsibly and do not expose them to unrelated parties. Unfortunately, users have no insight into what happens with their data after entrusting it to an application. In this paper, we introduce a new approach to identify and follow the trace of user input right from the point where it enters an application. By using a combination of static slicing in forward and backward direction, we are able to reveal potential data leaks and can pinpoint their origin. To evaluate the applicability of our solution, we conducted a manual and automated inspection of security-related Android applications that process user-entered secrets. We find that 182 out of 509 (36%) applications insecurely store given credentials in files or pass them to a log output.

Original language	English
Title of host publication	ICT Systems Security and Privacy Protection
Editors	Lech Jan Janczewski, Mirosław Kutyłowski
Place of Publication	Cham
Publisher	Springer International Publishing AG
Pages	278-292
Number of pages	14
Volume	529
ISBN (Electronic)	978-3-319-99828-2
ISBN (Print)	978-3-319-99827-5
DOIs	https://doi.org/10.1007/978-3-319-99828-2_20
Publication status	Published - 2018
Event	33rd IFIP TC-11 SEC 2018 International Conference on Information Security and Privacy Protection - Poznań, Poland Duration: 18 Sept 2018 → 20 Sept 2018

Conference

Conference	33rd IFIP TC-11 SEC 2018 International Conference on Information Security and Privacy Protection
Abbreviated title	IFIP SEC 2018
Country/Territory	Poland
City	Poznań
Period	18/09/18 → 20/09/18

Keywords

Android security
Password input
Static analysis

Access to Document

10.1007/978-3-319-99828-2_20

mainFinal published version, 210 KB

A-SIT - Secure Information Technology Center Austria
Stranacher, K., Dominikus, S., Leitold, H., Marsalek, A., Teufl, P., Bauer, W., Aigner, M. J., Rössler, T., Neuherz, E., Dietrich, K., Zefferer, T., Mangard, S., Payer, U., Orthacker, C., Lipp, P., Reiter, A., Knall, T., Bratko, H., Bonato, M., Suzic, B., Zwattendorfer, B., Kreuzhuber, S., Oswald, M. E., Tauber, A., Posch, R., Bratko, D., Feichtner, J., Ivkovic, M., Reimair, F., Wolkerstorfer, J. & Scheibelhofer, K.
21/05/99 → 6/08/20
Project: Research area

Cite this

Feichtner, J 2018, Hunting Password Leaks in Android Applications. in L Jan Janczewski & M Kutyłowski (eds), ICT Systems Security and Privacy Protection. vol. 529, Springer International Publishing AG , Cham, pp. 278-292,
33rd IFIP TC-11 SEC 2018 International Conference on Information Security and Privacy Protection , Poznań, Poland, 18/09/18. https://doi.org/10.1007/978-3-319-99828-2_20

@inproceedings{c465b5f19a834ef69875b5da06b01006,

title = "Hunting Password Leaks in Android Applications",

abstract = "A wide range of mobile applications for the Android operating system require users to input sensitive data, such as PINs or passwords. Given the ubiquitous and security-critical role of credentials, it is paramount that programs process secrets responsibly and do not expose them to unrelated parties. Unfortunately, users have no insight into what happens with their data after entrusting it to an application. In this paper, we introduce a new approach to identify and follow the trace of user input right from the point where it enters an application. By using a combination of static slicing in forward and backward direction, we are able to reveal potential data leaks and can pinpoint their origin. To evaluate the applicability of our solution, we conducted a manual and automated inspection of security-related Android applications that process user-entered secrets. We find that 182 out of 509 (36%) applications insecurely store given credentials in files or pass them to a log output.",

keywords = "Android security, Password input, Static analysis",

author = "Johannes Feichtner",

year = "2018",

doi = "10.1007/978-3-319-99828-2_20",

language = "English",

isbn = "978-3-319-99827-5",

volume = "529",

pages = "278--292",

editor = "{Jan Janczewski}, Lech and Miros{\l}aw Kuty{\l}owski",

booktitle = "ICT Systems Security and Privacy Protection",

publisher = "Springer International Publishing AG ",

address = "Switzerland",

note = "<br/>33rd IFIP TC-11 SEC 2018 International Conference on Information Security and Privacy Protection , IFIP SEC 2018 ; Conference date: 18-09-2018 Through 20-09-2018",

}

TY - GEN

T1 - Hunting Password Leaks in Android Applications

AU - Feichtner, Johannes

PY - 2018

Y1 - 2018

N2 - A wide range of mobile applications for the Android operating system require users to input sensitive data, such as PINs or passwords. Given the ubiquitous and security-critical role of credentials, it is paramount that programs process secrets responsibly and do not expose them to unrelated parties. Unfortunately, users have no insight into what happens with their data after entrusting it to an application. In this paper, we introduce a new approach to identify and follow the trace of user input right from the point where it enters an application. By using a combination of static slicing in forward and backward direction, we are able to reveal potential data leaks and can pinpoint their origin. To evaluate the applicability of our solution, we conducted a manual and automated inspection of security-related Android applications that process user-entered secrets. We find that 182 out of 509 (36%) applications insecurely store given credentials in files or pass them to a log output.

AB - A wide range of mobile applications for the Android operating system require users to input sensitive data, such as PINs or passwords. Given the ubiquitous and security-critical role of credentials, it is paramount that programs process secrets responsibly and do not expose them to unrelated parties. Unfortunately, users have no insight into what happens with their data after entrusting it to an application. In this paper, we introduce a new approach to identify and follow the trace of user input right from the point where it enters an application. By using a combination of static slicing in forward and backward direction, we are able to reveal potential data leaks and can pinpoint their origin. To evaluate the applicability of our solution, we conducted a manual and automated inspection of security-related Android applications that process user-entered secrets. We find that 182 out of 509 (36%) applications insecurely store given credentials in files or pass them to a log output.

KW - Android security

KW - Password input

KW - Static analysis

U2 - 10.1007/978-3-319-99828-2_20

DO - 10.1007/978-3-319-99828-2_20

M3 - Conference paper

SN - 978-3-319-99827-5

VL - 529

SP - 278

EP - 292

BT - ICT Systems Security and Privacy Protection

A2 - Jan Janczewski, Lech

A2 - Kutyłowski, Mirosław

PB - Springer International Publishing AG

CY - Cham

T2 - <br/>33rd IFIP TC-11 SEC 2018 International Conference on Information Security and Privacy Protection

Y2 - 18 September 2018 through 20 September 2018

ER -

Hunting Password Leaks in Android Applications

Abstract

Conference

Keywords

Access to Document

Fingerprint

Projects

A-SIT - Secure Information Technology Center Austria

Cite this