
Hardware-assisted credential management scheme for preventing private data analysis from cloning attacks

Multimedia Tools and Applications

Abstract

The majority of mobile apps use credentials to provide an automatic login function. A credential is a security token derived from the user's ID and password. It is created during the initial authentication, and from then on authentication of the credential replaces verification of the user. However, because the credential management of most Android apps is currently very insecure, an attacker who duplicates another user's credential and presents it to the server can view the personal information stored there. In this paper, we therefore analyze the vulnerability of several major mobile SNS apps to credential duplication that would enable access to personal information. To address the identified weaknesses, we propose a secure credential management scheme. The proposed scheme first separates the credential from the smart device by means of an external device. Using a security mechanism, the credential is then linked with the smart device, which ensures that the credential can only be verified on that specific smart device. Furthermore, experimental results from a prototype of the security mechanism show that the proposed scheme is a very useful solution because of its minimal additional overhead.
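To make the cloning problem and the device-binding idea concrete, the following is an added illustration (not the paper's protocol or code) of a credential bound to a device-held key. It assumes a non-exportable hardware secret on the device, a binding key derived from it and registered with the server at enrolment, and a nonce challenge on each later login; the names and the sample secrets are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumed model (not the paper's scheme): at first login the server issues a
# credential that the app keeps in its private data; a binding key derived from a
# non-exportable hardware secret is registered alongside it. Later logins answer a
# server nonce with an HMAC over credential and nonce, so a copy of the app's stored
# credential is useless on a device whose hardware secret differs.

def derive_binding_key(hardware_secret: bytes, user_id: str) -> bytes:
    """Hardware element side: per-user key; hardware_secret never leaves the device."""
    return hmac.new(hardware_secret, b"bind:" + user_id.encode(), hashlib.sha256).digest()

def auth_response(credential: bytes, binding_key: bytes, nonce: bytes) -> bytes:
    """Device side: proof that this device holds both the credential and the key."""
    return hmac.new(binding_key, credential + nonce, hashlib.sha256).digest()

class Server:
    def __init__(self) -> None:
        self._users = {}  # user_id -> (credential, binding_key)

    def enroll(self, user_id: str, binding_key: bytes) -> bytes:
        """Run once after ID/password authentication; returns the new credential."""
        credential = secrets.token_bytes(32)
        self._users[user_id] = (credential, binding_key)
        return credential

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, user_id: str, nonce: bytes, response: bytes) -> bool:
        if user_id not in self._users:
            return False
        credential, binding_key = self._users[user_id]
        expected = auth_response(credential, binding_key, nonce)
        return hmac.compare_digest(expected, response)

def demo() -> tuple:
    """Returns (legitimate device accepted, cloned credential on other device accepted)."""
    server = Server()
    user = "alice"
    hw_a = secrets.token_bytes(32)  # constructed: victim device's hardware secret
    hw_b = secrets.token_bytes(32)  # constructed: attacker device's hardware secret
    key_a = derive_binding_key(hw_a, user)
    credential = server.enroll(user, key_a)  # stored in app data on device A
    nonce = server.challenge()
    ok_a = server.verify(user, nonce, auth_response(credential, key_a, nonce))
    # Cloning attack: app data (credential) is copied to device B; the hardware secret is not.
    key_b = derive_binding_key(hw_b, user)
    nonce = server.challenge()
    ok_b = server.verify(user, nonce, auth_response(credential, key_b, nonce))
    return ok_a, ok_b
```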



Acknowledgments

This research was supported by the Global Research Laboratory (GRL) program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT, and Future Planning (NRF-2014K1A1A2043029).

Author information

Correspondence to Jeong Hyun Yi.


Cite this article

Choi, J., Na, G. & Yi, J.H. Hardware-assisted credential management scheme for preventing private data analysis from cloning attacks. Multimed Tools Appl 75, 14833–14848 (2016). https://doi.org/10.1007/s11042-016-3271-z
