App's Auto-Login Function Security Testing via Android OS-Level Virtualization

by   Wenna Song, et al.

Limited by the small keyboard, most mobile apps support the automatic login feature for better user experience. Therefore, users avoid the inconvenience of retyping their ID and password when an app runs in the foreground again. However, this auto-login function can be exploited to launch the so-called "data-clone attack": once the locally-stored, auto-login depended data are cloned by attackers and placed into their own smartphones, attackers can break through the login-device number limit and log in to the victim's account stealthily. A natural countermeasure is to check the consistency of devicespecific attributes. As long as the new device shows different device fingerprints with the previous one, the app will disable the auto-login function and thus prevent data-clone attacks. In this paper, we develop VPDroid, a transparent Android OS-level virtualization platform tailored for security testing. With VPDroid, security analysts can customize different device artifacts, such as CPU model, Android ID, and phone number, in a virtual phone without user-level API hooking. VPDroid's isolation mechanism ensures that user-mode apps in the virtual phone cannot detect device-specific discrepancies. To assess Android apps' susceptibility to the data-clone attack, we use VPDroid to simulate data-clone attacks with 234 most-downloaded apps. Our experiments on five different virtual phone environments show that VPDroid's device attribute customization can deceive all tested apps that perform device-consistency checks, such as Twitter, WeChat, and PayPal. 19 vendors have confirmed our report as a zero-day vulnerability. Our findings paint a cautionary tale: only enforcing a device-consistency check at client side is still vulnerable to an advanced data-clone attack.


page 1

page 7

page 9


A First Look at On-device Models in iOS Apps

Powered by the rising popularity of deep learning techniques on smartpho...

SonarSnoop: Active Acoustic Side-Channel Attacks

We report the first active acoustic side-channel attack. Speakers are us...

Mascara: A Novel Attack Leveraging Android Virtualization

Android virtualization enables an app to create a virtual environment, i...

Simple Spyware: Androids Invisible Foreground Services and How to (Ab)use Them

With the releases of Android Oreo and Pie, Android introduced some backg...

A Large-scale Temporal Measurement of Android Malicious Apps: Persistence, Migration, and Lessons Learned

We study the temporal dynamics of potentially harmful apps (PHAs) on And...

Smart App Attack: Hacking Deep Learning Models in Android Apps

On-device deep learning is rapidly gaining popularity in mobile applicat...

Don't Leak Your Keys: Understanding, Measuring, and Exploiting the AppSecret Leaks in Mini-Programs

Mobile mini-programs in WeChat have gained significant popularity since ...

Please sign up or login with your details

Forgot password? Click here to reset