Skip to main content
Book cover

Asia-Pacific Web Conference

APWeb 2016: Web Technologies and Applications pp 483–487Cite as

Open Sesame! Web Authentication Cracking via Mobile App Analysis

  • 1527 Accesses

Part of the Lecture Notes in Computer Science book series (LNISA,volume 9932)

Abstract

Web authentication security can be undermined by flawed mobile web implementations. Mobile web implementations may use less secure transport channel and enforce less strict brute-force-proof measures, making web authentication services vulnerable to typical attacks such as password cracking. This paper presents an in-depth penetration testing based on a comprehensive dynamic app analysis focusing on vulnerable authentication implementations of Android apps. An analysis of Top 200 apps from China Android Market and Top 100 apps from Google Play Market is conducted. The result shows that 71.3 % apps we analyze fails to protect users’ password appropriately. And an experiment carried out among 20 volunteers indicates that 84.4 % passwords can be cracked with the knowledge of password transformation process.

Keywords

  • Android apps
  • Web authentication
  • Password cracking

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-45817-5_51
  • Chapter length: 5 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   39.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-45817-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   54.99
Price excludes VAT (USA)
Learn about institutional subscriptions
Fig. 1.

Notes

  1. 1.

    During user authentication, an app typically receives a password, encodes or encrypts it, and sends the result together with other data to a remote web server. We let authenticator denote the result for the rest of this paper.

  2. 2.

    Other apps are either packed or involved with native APIs, in which case manual intervention is needed.

References

  1. Appium automation for apps. http://appium.io/. Accessed 20 Apr 2016

  2. Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A., Shastry, B.: Towards taming privilege-escalation attacks on android. In: NDSS (2012)

    Google Scholar 

  3. Cai, F., Hao, C., Yuanyi, W., Yuan, Z.: Appcracker: widespread vulnerabilities in user and session authentication in mobile apps. In: IEEE Mobile Security Technologies. IEEE (2015)

    Google Scholar 

  4. Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., Smith, M.: Why eve, mallory love android: an analysis of android ssl (in) security. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 50–61. ACM (2012)

    Google Scholar 

Download references

Acknowledgments

This work is supported by the Major program of Shanghai Science and Technology Commission (15511103002).

Author information

Authors and Affiliations

  1. Computer Science and Engineering Department, Shanghai Jiao Tong University, Shanghai, China

    Hui Liu, Yuanyuan Zhang, Juanru Li, Hui Wang & Dawu Gu

Authors
  1. Hui Liu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yuanyuan Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Juanru Li
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Hui Wang
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Dawu Gu
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Hui Liu .

Editor information

Editors and Affiliations

  1. School of Computing, University of Utah, Salt Lake City, Utah, USA

    Feifei Li

  2. School of Electrical Engineering, Seoul National University, Seoul, Korea (Republic of)

    Kyuseok Shim

  3. Soochow University , Suzhou, China

    Kai Zheng

  4. Soochow University , Suzhou, China

    Guanfeng Liu

Rights and permissions

Reprints and Permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Liu, H., Zhang, Y., Li, J., Wang, H., Gu, D. (2016). Open Sesame! Web Authentication Cracking via Mobile App Analysis. In: Li, F., Shim, K., Zheng, K., Liu, G. (eds) Web Technologies and Applications. APWeb 2016. Lecture Notes in Computer Science(), vol 9932. Springer, Cham. https://doi.org/10.1007/978-3-319-45817-5_51

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-45817-5_51

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45816-8

  • Online ISBN: 978-3-319-45817-5

  • eBook Packages: Computer ScienceComputer Science (R0)