Abstract
The majority of mobile apps use credentials to provide an automatic login function. Credentials are security tokens derived from a user’s ID and password. They are created at the initial authentication, after which credential authentication replaces user verification. However, because the credential management of most Android apps is currently very insecure, duplicating and using another user’s credentials would allow an attacker to view that user’s personal information stored on the server. Therefore, in this paper, we analyze the vulnerability of some major mobile SNS apps to credential duplication that would enable access to personal information. To address the identified weaknesses, we propose a secure credential management scheme. The proposed scheme first separates the credential from the smart device using an external device. Using a security mechanism, the credential is then bound to the smart device, which ensures that the credential will be verified only by that specific smart device. Furthermore, based on experimental results using a prototype of the security mechanism, the proposed scheme is shown to be a very practical solution because of its minimal additional overhead.
Acknowledgments
This research was supported by the Global Research Laboratory (GRL) program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT, and Future Planning (NRF-2014K1A1A2043029).
Cite this article
Choi, J., Na, G. & Yi, J.H. Hardware-assisted credential management scheme for preventing private data analysis from cloning attacks. Multimed Tools Appl 75, 14833–14848 (2016). https://doi.org/10.1007/s11042-016-3271-z