
Where Is the Weakest Link? A Study on Security Discrepancies Between Android Apps and Their Website Counterparts

  • Conference paper
  • Passive and Active Measurement (PAM 2017)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 10176)

Abstract

As we move into the mobile era, many functionalities in standard web services are being re-implemented in mobile apps and services, including many security-related functionalities. However, it has been observed that security features that are standardized in the PC and web space are often not implemented correctly by app developers resulting in serious security vulnerabilities. For instance, prior work has shown that the standard SSL/TLS certificate validation logic in browsers is not implemented securely in mobile apps. In this paper, we study a related question: given that many web services are offered both via browsers/webpages and mobile apps, are there any discrepancies between the security policies of the two?

To answer the above question, we perform a comprehensive study on 100 popular app-web pairs. Surprisingly, we find many discrepancies – we observe that the app security policies are often much weaker than those of their website counterparts. We find that one can perform an unlimited number of login attempts at a high rate (e.g., 600 requests per second) from a single IP address by following the app protocol, whereas the website counterpart typically blocks such attempts. We also find that the cookies used in mobile apps are generally more valuable, as they do not expire as quickly as the ones used for websites and they are often stored in plaintext on mobile devices. In addition, we find that apps often do not update the libraries they use, and hence vulnerabilities are often left unpatched. Through a study of 6400 popular apps, we identify 31 apps that use one or more vulnerable (unpatched) libraries. We responsibly disclosed all of our findings to the corresponding vendors and have received positive acknowledgements from them. This result is a vivid demonstration of “security is only as good as its weakest link”.
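The login-throttling discrepancy described in the abstract (a web login path that blocks rapid repeated attempts while the app's API path does not) is a policy-placement problem: the limit lives in one front end instead of in a component shared by both. The following is an added example, not code from the paper or from any of the studied services. It implements a per-IP sliding-window limiter that both a web login endpoint and a mobile-API login endpoint route through, then replays a constructed burst of wrong-password attempts at the 600 requests-per-second rate the abstract mentions. The window length, attempt cap, lockout duration, endpoint paths and client address are all assumptions chosen for illustration.

```python
"""Per-IP login-attempt limiter shared by web and mobile-API login paths.

Added example (not the paper's code). Thresholds, endpoint names and the
client address below are assumptions for illustration only.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60           # assumption: length of the sliding window
MAX_ATTEMPTS_PER_WINDOW = 10  # assumption: failed logins allowed per IP per window
LOCKOUT_SECONDS = 300         # assumption: block duration once the cap is reached


class LoginRateLimiter:
    """Sliding-window counter of failed logins keyed by client IP.

    One instance guards every login path (browser form and app API alike),
    so the policy cannot silently be weaker on one of them.
    """

    def __init__(self, now):
        # The clock is injected so the behaviour is deterministic in tests.
        self._now = now
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lock expires

    def _prune(self, ip):
        """Drop failures that have fallen outside the window."""
        cutoff = self._now() - WINDOW_SECONDS
        q = self._failures[ip]
        while q and q[0] <= cutoff:
            q.popleft()

    def allow(self, ip):
        """Return True if this IP may attempt a login right now."""
        t = self._now()
        until = self._locked_until.get(ip)
        if until is not None:
            if t < until:
                return False
            del self._locked_until[ip]  # lockout has expired
        self._prune(ip)
        return len(self._failures[ip]) < MAX_ATTEMPTS_PER_WINDOW

    def record_failure(self, ip):
        """Count a failed credential check; lock the IP once the cap is hit."""
        t = self._now()
        self._prune(ip)
        self._failures[ip].append(t)
        if len(self._failures[ip]) >= MAX_ATTEMPTS_PER_WINDOW:
            self._locked_until[ip] = t + LOCKOUT_SECONDS

    def record_success(self, ip):
        """A successful login clears the failure history for that IP."""
        self._failures.pop(ip, None)


def simulate_burst(attempts, rate_per_second, endpoints):
    """Constructed scenario: `attempts` wrong-password requests from a single
    IP, alternating across `endpoints`, arriving at `rate_per_second`.

    Every endpoint routes through the same limiter.  Returns a tuple
    (reached_credential_check, refused_by_limiter).
    """
    clock = [0.0]
    limiter = LoginRateLimiter(now=lambda: clock[0])
    client_ip = "203.0.113.7"  # constructed address from the TEST-NET-3 range
    checked = refused = 0
    for i in range(attempts):
        _endpoint = endpoints[i % len(endpoints)]  # web and API share the limiter
        if limiter.allow(client_ip):
            checked += 1
            limiter.record_failure(client_ip)  # constructed: every guess is wrong
        else:
            refused += 1
        clock[0] += 1.0 / rate_per_second
    return checked, refused


if __name__ == "__main__":
    # 600 guesses in one second, split across the browser and app login paths.
    # Only the first MAX_ATTEMPTS_PER_WINDOW reach the password check.
    print(simulate_burst(600, 600, ["/login", "/api/v1/login"]))
```

The point of routing both paths through one limiter is that the measurement in the abstract cannot recur: an attacker who switches from the browser form to the app protocol meets the same per-IP budget. In a real deployment the counter would live in a shared store (for example a cache keyed by IP) rather than in process memory, and a per-account budget would normally sit beside the per-IP one so that distributed guessing against a single account is also bounded.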



Acknowledgments

We would like to thank our shepherd Kanchana Thilakarathna for his feedback in revising the paper. This work is supported by NSF grant CNS-1617424 to UC Riverside.


Corresponding author

Correspondence to Arash Alavi.


Copyright information

© 2017 Springer International Publishing AG


Cite this paper

Alavi, A. et al. (2017). Where Is the Weakest Link? A Study on Security Discrepancies Between Android Apps and Their Website Counterparts. In: Kaafar, M., Uhlig, S., Amann, J. (eds) Passive and Active Measurement. PAM 2017. Lecture Notes in Computer Science, vol 10176. Springer, Cham. https://doi.org/10.1007/978-3-319-54328-4_8


  • DOI: https://doi.org/10.1007/978-3-319-54328-4_8


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54327-7

  • Online ISBN: 978-3-319-54328-4
