Web authentication security can be undermined by flawed mobile web implementations. Mobile web implementations may use less secure transport channel and enforce less strict brute-force-proof measures, making web authentication services vulnerable to typical attacks such as password cracking. This paper presents an in-depth penetration testing based on a comprehensive dynamic app analysis focusing on vulnerable authentication implementations of Android apps. An analysis of Top 200 apps from China Android Market and Top 100 apps from Google Play Market is conducted. The result shows that 71.3 % apps we analyze fails to protect users’ password appropriately. And an experiment carried out among 20 volunteers indicates that 84.4 % passwords can be cracked with the knowledge of password transformation process.
- Android apps
- Web authentication
- Password cracking
This is a preview of subscription content, access via your institution.
During user authentication, an app typically receives a password, encodes or encrypts it, and sends the result together with other data to a remote web server. We let authenticator denote the result for the rest of this paper.
Other apps are either packed or involved with native APIs, in which case manual intervention is needed.
Appium automation for apps. http://appium.io/. Accessed 20 Apr 2016
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A., Shastry, B.: Towards taming privilege-escalation attacks on android. In: NDSS (2012)
Cai, F., Hao, C., Yuanyi, W., Yuan, Z.: Appcracker: widespread vulnerabilities in user and session authentication in mobile apps. In: IEEE Mobile Security Technologies. IEEE (2015)
Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., Smith, M.: Why eve, mallory love android: an analysis of android ssl (in) security. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 50–61. ACM (2012)
This work is supported by the Major program of Shanghai Science and Technology Commission (15511103002).
Editors and Affiliations
Rights and permissions
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Liu, H., Zhang, Y., Li, J., Wang, H., Gu, D. (2016). Open Sesame! Web Authentication Cracking via Mobile App Analysis. In: Li, F., Shim, K., Zheng, K., Liu, G. (eds) Web Technologies and Applications. APWeb 2016. Lecture Notes in Computer Science(), vol 9932. Springer, Cham. https://doi.org/10.1007/978-3-319-45817-5_51
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-45816-8
Online ISBN: 978-3-319-45817-5
eBook Packages: Computer ScienceComputer Science (R0)