mobile apps often need to talk to a remote server
play

Mobile Apps Often Need to Talk to a Remote server Internet Internet - PowerPoint PPT Presentation

Dec 31, 2022 •7 likes •347 views

Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Automatic Forgery of Cryptographically Consistent Messages to Identify Security Vulnerabilities in Mobile Services Chaoshun Zuo , Wubing Wang

  1. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Automatic Forgery of Cryptographically Consistent Messages to Identify Security Vulnerabilities in Mobile Services Chaoshun Zuo † , Wubing Wang † , Rui Wang ∗ , Zhiqiang Lin † † University of Texas at Dallas ∗ AppBugs Inc. Feb 24 th , 2016

  2. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Mobile Apps Often Need to Talk to a Remote server Internet Internet Saving resources (e.g., energy, and storage) on mobile Providing customized data (e.g., only retrieving the weather where you live)

  3. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Users Have to be Authenticated to Use the Service Internet Internet Server needs to know who you are, then push the data of your interest Crucial to ensure the authentication process is secure

  4. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Various Ways Used for the Authentication Security HTTPS HTTPS Encryption, hashing, signing App developers have been using Encryption of crucial data (e.g., user name, password) 1 Hashing (e.g., through MD5, SHA1) the user password 2 Signing (e.g., through HMAC) each message 3

  5. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Are They Enough? HTTPS HTTPS Encryption, hashing, signing Can a malicious client forge a valid message? Completely control a client app execution Reverse engineer how a valid message is generated Forge new valid authentication messages

  6. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Security Implications HTTPS HTTPS Encryption, hashing, signing Testing Various Vulnerabilities at Server Side Password brute forcing attack Leaked password probing (password reuse practice) Access token hijacking, SQL injection

  7. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Solutions in Web Applications Limiting the number of login attempts . One simple 1 solution app developers can adopt is to keep a login attempt state at server side and limit the number of login attempts within a certain time window. Using CAPTCHA . Password brute forcing is not a new 2 attack, and there are already solutions to mitigate this. One way that has been widely used on the desktop is the CAPTCHA [VABHL03]. Two-factor authentication . The most effective way to 3 defeat all these malicious login attacks, we believe, is to adopt two-factor authentication [Wei88].

  8. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Introducing A UTO F ORGE HTTPS HTTPS Encryption, hashing, signing A UTO F ORGE Given a mobile app, and few inputs A system that can automatically generate legal request messages via protocol field inference and crypto API replay Test various security vulnerabilities at mobile app’s server side

  9. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References A Running Example: Mini Online Shopping App “Mini offers a convenient way for customers around the world to shop for a wide variety of cool gadgets, electronic accessories, watches and lifestyle products at affordable prices, all with FREE SHIPPING!” Installs : 1,000,000 - 5,000,000 (according to Google Play)

  10. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Observation of a Traced Network Packet GET /api/rest/app_server.php?sign_method=md5&client=android&app_key=A4H0P4JN&format=json&cv=3.9. 0&country_code=US&country=USA&currency=USD&timestamp=2015-08- 01%2013%3A00%3A59&v=1.2&pwd=695409430D3127CB969820016CB308F5&email=testappserver%40gmail.com &method=vela.user.login&app_secret=4ce19ca8fcd150a4w4pj9llah24991ut&language=en&sign=424978B 759DA07CF8C8C41CCB5B8E718&keys=app_key%2Capp_secret%2Cclient%2Ccountry%2Ccountry_code%2Ccurr ency%2Ccv%2Cemail%2Cformat%2Clanguage%2Cmethod%2Cpwd%2Csign_method%2Ctimestamp%2Cv&sid=1d3a4 0c25a86417c979fd847d7173e33 HTTP/1.1 x-newrelic-id: XAYCV1ZADgsAUFRTBQ== User agent: LightInTheBox 3 9 0(Android; 16; 4 1 1; 480 752; WIFI; generic; M353; en) User-agent: LightInTheBox 3.9.0(Android; 16; 4.1.1; 480_752; WIFI; generic; M353; en) Host: api.miniinthebox.com Connection: Keep-Alive Accept-Encoding: gzip Cookie: cookie_test=please_accept_for_session; AKAMAI_FEO_TEST=B; ASRV=A_201505081100 {"result":"fail","code":"1001001","info":[],"error_msg":["Invalid email or password (User)"]} Many fields in a request message (18). We are interested in just a few of them, timestamp , pwd , email , sign

  11. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Challenges GET /api/rest/app_server.php?sign_method=md5&client=android&app_key=A4H0P4JN&format=json&cv=3.9. 0&country_code=US&country=USA&currency=USD&timestamp=2015-08- 01%2013%3A00%3A59&v=1.2&pwd=695409430D3127CB969820016CB308F5&email=testappserver%40gmail.com &method=vela.user.login&app_secret=4ce19ca8fcd150a4w4pj9llah24991ut&language=en&sign=424978B 759DA07CF8C8C41CCB5B8E718&keys=app_key%2Capp_secret%2Cclient%2Ccountry%2Ccountry_code%2Ccurr ency%2Ccv%2Cemail%2Cformat%2Clanguage%2Cmethod%2Cpwd%2Csign_method%2Ctimestamp%2Cv&sid=1d3a4 0c25a86417c979fd847d7173e33 HTTP/1.1 x-newrelic-id: XAYCV1ZADgsAUFRTBQ== User agent: LightInTheBox 3 9 0(Android; 16; 4 1 1; 480 752; WIFI; generic; M353; en) User-agent: LightInTheBox 3.9.0(Android; 16; 4.1.1; 480_752; WIFI; generic; M353; en) Host: api.miniinthebox.com Connection: Keep-Alive Accept-Encoding: gzip Cookie: cookie_test=please_accept_for_session; AKAMAI_FEO_TEST=B; ASRV=A_201505081100 {"result":"fail","code":"1001001","info":[],"error_msg":["Invalid email or password (User)"]} Recognizing the protocol fields Identifying the cryptographic functions Deciding when to terminate Generating the valid messages

  12. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Key Insights Inferring the message fields with diffed input Dynamically hooking well-known cryptographic APIs Labeling response message with controlled input Replaying the cryptographic function execution

  13. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Overview of A UTO F ORGE 5 6 6 Request Request Message Generation API Traces Message i 2 Request Request Input 0 Message 0 Messageg 0 1 1 2 2 2 2 3 3 3 3 API Hooking Message Field Inference Request Request Input 1 Message 1 Message 1 4 4 Response Android App Response Message Labeling Message Man ‐ in ‐ the ‐ Middle Proxy App Server Android Emulator Android Emulator

  14. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Overview of A UTO F ORGE 5 6 6 Request Request Message Generation API Traces Message i 2 Request Request Input 0 Message 0 Messageg 0 1 1 2 2 2 2 3 3 3 3 API Hooking Message Field Inference Request Request Input 1 Message 1 Message 1 4 4 Response Android App Response Message Labeling Message Man ‐ in ‐ the ‐ Middle Proxy App Server Android Emulator Android Emulator HTTPS Since we control the client, we installed a root certificate on the emulator to make sure the proxy can get HTTPS messages.

  15. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References API Hooking 5 6 6 Request Request Message Generation API Traces Message i 2 Request Request Input 0 Message 0 Messageg 0 1 1 2 2 2 2 3 3 3 3 API Hooking Message Field Inference Request Request Input 1 Message 1 Message 1 4 Response 4 Android App Response Message Labeling Message Man ‐ in ‐ the ‐ Middle Proxy App Server Android Emulator Android Emulator Run the app and type in the inputs Hooks the well-known cryptographic functions [Sch99]

  16. Introduction Overview Detailed Design Evaluation Discussion Related Work Summary References Message Field Inference 5 6 6 Request Request Message Generation API Traces Message i 2 Request Request Input 0 Message 0 Messageg 0 1 1 2 2 2 2 3 3 3 3 API Hooking Message Field Inference Request Request Input 1 Message 1 Message 1 4 Response 4 Android App Response Message Labeling Message Man ‐ in ‐ the ‐ Middle Proxy App Server Android Emulator Android Emulator Message field identification that splits the messages into a set of fields Field semantic inference that infers the meaning of the identified fields

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

RICH HTML/JS APPS with KNOCKOUT.JS, MOBILE SERVICES and no web server STEVEN SANDERSON,

RICH HTML/JS APPS with KNOCKOUT.JS, MOBILE SERVICES and no web server STEVEN SANDERSON,

RICH HTML/JS APPS with KNOCKOUT.JS, MOBILE SERVICES and no web server STEVEN SANDERSON, MICROSOFT @STEVENSANDERSON WHATS IN THIS TALK? SPA VIEWS 1. KNOCKOUT.JS MODELS VIEWMODELS NO WEB BUZZWORDS MAGIC SERVER 2. CLOUD BACKENDS FUN

509 views • 12 slides
Secure Communication in Client-Server Android Apps With a bias towards mobile banking

Secure Communication in Client-Server Android Apps With a bias towards mobile banking

Secure Communication in Client-Server Android Apps With a bias towards mobile banking applications. AFRICA HACKON CONFERENCE, 2016. Convergent Security. whoami Masters Candidate Ethical Hacker Web Developer Jazz fan

599 views • 20 slides
Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1

Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1

Using Node.js to improve the performance of Mobile apps and Mobile web Tom Hughes-Croucher @sh 1 mmer Scalable Server-Side Code with JavaScript Who is Tom? Wrote W3C Standards 10+ years in the web industry Node Worked on projects

705 views • 58 slides
S MART G EN : Exposing Server URLs of Mobile Apps with Selective Symbolic Execution Chaoshun Zuo

S MART G EN : Exposing Server URLs of Mobile Apps with Selective Symbolic Execution Chaoshun Zuo

Motivation S MART G EN Design Applications Evaluation Related Work Conclusion References S MART G EN : Exposing Server URLs of Mobile Apps with Selective Symbolic Execution Chaoshun Zuo Zhiqiang Lin Department of Computer Science

620 views • 44 slides
Educational Mobile Apps Dr. Agnieszka (Aga) Palalas October 2013 1 Educational Mobile Apps

Educational Mobile Apps Dr. Agnieszka (Aga) Palalas October 2013 1 Educational Mobile Apps

Educational Mobile Apps Dr. Agnieszka (Aga) Palalas October 2013 1 Educational Mobile Apps Outcome : To determine the key benefits and uses of mobile apps inside and outside the classroom. To identify the main issues to be considered when

620 views • 14 slides
Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project discussions Native Apps Live on device Access to all device features GPS, accelerometer, compass, list of contacts Written for specific

654 views • 38 slides
A Lap Around NativeScript TJ VanToll | @tjvantoll Server-Side Code Desktop applications Mobile

A Lap Around NativeScript TJ VanToll | @tjvantoll Server-Side Code Desktop applications Mobile

A Lap Around NativeScript TJ VanToll | @tjvantoll Server-Side Code Desktop applications Mobile apps What is NativeScript? A runtime for building and running native iOS and Android apps with a single, JavaScript code base != != No DOM

522 views • 18 slides
Mobile Apps in the Marketplace Mobile Technology Association of Michigan 1 Mobile Apps in the

Mobile Apps in the Marketplace Mobile Technology Association of Michigan 1 Mobile Apps in the

Mobile Apps in the Phone: (248) 470-3257 Email: Linda@GoMobileMichigan.org Marketplace Twitter: twitter.com/GoMobileMI Mobile Apps in the Marketplace Mobile Technology Association of Michigan 1 Mobile Apps in the Phone: (248)

611 views • 32 slides
Delivering Delight to Mobile App Customers Our Apps. PRESENTATION NAME GOES HERE 2013 2015

Delivering Delight to Mobile App Customers Our Apps. PRESENTATION NAME GOES HERE 2013 2015

Delivering Delight to Mobile App Customers Our Apps. PRESENTATION NAME GOES HERE 2013 2015 2016/2017 New features in Adobe Mobile The Lott Mobile Apps are Tatts.com Mobile Apps Services are released to launched (Tatts.com

396 views • 24 slides
Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of

WELCOME Small Business Apps WHAT ARE MOBI LE APPS ? W h a t are mob i le apps ? A little bit of information An App is a piece of so ware (a program) that needs to be installed on Mobile Apps are device specific, meaning that an App that runs

268 views • 12 slides
Binding: Connecting From Procedure to Client and Server Remote Procedure Server exports its

Binding: Connecting From Procedure to Client and Server Remote Procedure Server exports its

Binding: Connecting From Procedure to Client and Server Remote Procedure Server exports its interface Three main concerns Identifies itself to network name server Parameter passing Tells local runtime its dispatcher address Failure cases Import

115 views • 7 slides
10 th Stakeholders Forum Harnessing mobile apps and social media for product safety Phil

10 th Stakeholders Forum Harnessing mobile apps and social media for product safety Phil

10 th Stakeholders Forum Harnessing mobile apps and social media for product safety Phil Tregunno, MHRA WEB-RADR Consortium Mobile Apps Mobile technology Apps Launched Package under development for other MS by the end of the project

368 views • 17 slides
Responsive Webapps & Mobile Apps Mobile-friendly CSS frameworks and introduction to mobile

Responsive Webapps & Mobile Apps Mobile-friendly CSS frameworks and introduction to mobile

Responsive Webapps & Mobile Apps Mobile-friendly CSS frameworks and introduction to mobile apps CS 370 SE Practicum, Cengiz Gnay (Some slides courtesy of Eugene Agichtein and the Internets) CS 370, Gnay (Emory) Responsive Webapps &

1.21k views • 67 slides
Building Pinterests Mobile Apps Mike Beltzner Product Manager Garrett Moon Mobile Team

Building Pinterests Mobile Apps Mike Beltzner Product Manager Garrett Moon Mobile Team

Building Pinterests Mobile Apps Mike Beltzner Product Manager Garrett Moon Mobile Team (iOS) Discover Pinterest Engineers Building Pinterests Mobile Apps Pinterest and mobile Launched iPhone app in 2011 Summer of Apps in

625 views • 36 slides
Mobile Goes Remote 25. september 2012 1 onsdag den 26. september 12 Before going remote...

Mobile Goes Remote 25. september 2012 1 onsdag den 26. september 12 Before going remote...

Mobile Goes Remote 25. september 2012 1 onsdag den 26. september 12 Before going remote... Enablers Purpose Execution 2 onsdag den 26. september 12 Market perspective Check: Critical mass on mobile In your pocket Used everywhere

263 views • 23 slides
Rich Media Ads in Mobile Apps Sumanth S Mobile Developer Conference June 2012 What to expect

Rich Media Ads in Mobile Apps Sumanth S Mobile Developer Conference June 2012 What to expect

Rich Media Ads in Mobile Apps Sumanth S Mobile Developer Conference June 2012 What to expect in this talk In-App Ads vs Ads in browser In-App Ad SDK What is MRAID? Whats in it for creative (Ad) authors? authors? MRAID spec

262 views • 11 slides
Building High Performance Microservices with Apache Thrift Rethinking service APIs in a Cloud

Building High Performance Microservices with Apache Thrift Rethinking service APIs in a Cloud

Building High Performance Microservices with Apache Thrift Rethinking service APIs in a Cloud Native environment Presenters Randy Abernethy ra@apache.org, randy.abernethy@rx-m.com Apache Thrift PMC CNCF member RX-M Cloud

206 views • 16 slides
Alice and Bob in Love: Cryptographic Communication Using Natural Entropy Joseph Bonneau

Alice and Bob in Love: Cryptographic Communication Using Natural Entropy Joseph Bonneau

Natural Entropy Protocol Experimental Results Discussion Questions Alice and Bob in Love: Cryptographic Communication Using Natural Entropy Joseph Bonneau University of Cambridge Computer Laboratory 17 th International Workshop on Security

1.2k views • 40 slides
Computer Communication Networks Transport ICEN/ICSI 416 Fall 2016 Prof. Dola Saha 1 Where

Computer Communication Networks Transport ICEN/ICSI 416 Fall 2016 Prof. Dola Saha 1 Where

Computer Communication Networks Transport ICEN/ICSI 416 Fall 2016 Prof. Dola Saha 1 Where to find in book? Materials covered in this section are in Chapter 5 and 6 of "Computer Networks: A Systems Approach", Larry Peterson

1.5k views • 123 slides
CSC290A Network Security Hofstra University Network Security Course, CSC290A 1 01/30/06

CSC290A Network Security Hofstra University Network Security Course, CSC290A 1 01/30/06

CSC290A Network Security Hofstra University Network Security Course, CSC290A 1 01/30/06 FAQs How Do Corporations Prevent Intrusions Into There Networks? What Does SHA1 And MD5 Mean When You Download? What Is A Certificate And How

1.07k views • 44 slides
StatVerif: Modelling protocols that involve persistent state Mark D. Ryan University of

StatVerif: Modelling protocols that involve persistent state Mark D. Ryan University of

StatVerif: Modelling protocols that involve persistent state Mark D. Ryan University of Birmingham Joint work with Myrto Arapinis, St ephanie Delaune, Steve Kremer, Joshua Phillips and Graham Steel 78 December 2011 Outline The ProVerif

345 views • 32 slides
NASA Sounder Science Team Meeting November 3-5, 2010 Greenbelt, MD Bruce Vollmer

NASA Sounder Science Team Meeting November 3-5, 2010 Greenbelt, MD Bruce Vollmer

NASA Sounder Science Team Meeting November 3-5, 2010 Greenbelt, MD Bruce Vollmer Bruce.E.Vollmer@nasa.gov 1 Operation Summary AIRS Data Holdings AIRS Data Distribution Metrics AIRS Data Services Ongoing Support Recent

400 views • 16 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA Karthikeyan.Bhargavan@inria.fr IIT Delhi, Fall 2010 Lecture 2: A

530 views • 41 slides
Cryptographic Security for Mobile Code Sean Kugele CS 6204, Spring 2005 1 Mobile Code A

Cryptographic Security for Mobile Code Sean Kugele CS 6204, Spring 2005 1 Mobile Code A

Cryptographic Security for Mobile Code Sean Kugele CS 6204, Spring 2005 1 Mobile Code A program produced by one entity, called the originator, and transferred to a different entity, called the host, where it is immediately executed

601 views • 23 slides

More recommend