Skip to main content

Open Sesame! Web Authentication Cracking via Mobile App Analysis

  • 1527 Accesses

Part of the Lecture Notes in Computer Science book series (LNISA,volume 9932)


Web authentication security can be undermined by flawed mobile web implementations. Mobile web implementations may use less secure transport channel and enforce less strict brute-force-proof measures, making web authentication services vulnerable to typical attacks such as password cracking. This paper presents an in-depth penetration testing based on a comprehensive dynamic app analysis focusing on vulnerable authentication implementations of Android apps. An analysis of Top 200 apps from China Android Market and Top 100 apps from Google Play Market is conducted. The result shows that 71.3 % apps we analyze fails to protect users’ password appropriately. And an experiment carried out among 20 volunteers indicates that 84.4 % passwords can be cracked with the knowledge of password transformation process.


  • Android apps
  • Web authentication
  • Password cracking

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-45817-5_51
  • Chapter length: 5 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   39.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-45817-5
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   54.99
Price excludes VAT (USA)
Fig. 1.


  1. 1.

    During user authentication, an app typically receives a password, encodes or encrypts it, and sends the result together with other data to a remote web server. We let authenticator denote the result for the rest of this paper.

  2. 2.

    Other apps are either packed or involved with native APIs, in which case manual intervention is needed.


  1. Appium automation for apps. Accessed 20 Apr 2016

  2. Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A., Shastry, B.: Towards taming privilege-escalation attacks on android. In: NDSS (2012)

    Google Scholar 

  3. Cai, F., Hao, C., Yuanyi, W., Yuan, Z.: Appcracker: widespread vulnerabilities in user and session authentication in mobile apps. In: IEEE Mobile Security Technologies. IEEE (2015)

    Google Scholar 

  4. Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., Smith, M.: Why eve, mallory love android: an analysis of android ssl (in) security. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 50–61. ACM (2012)

    Google Scholar 

Download references


This work is supported by the Major program of Shanghai Science and Technology Commission (15511103002).

Author information

Authors and Affiliations


Corresponding author

Correspondence to Hui Liu .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Liu, H., Zhang, Y., Li, J., Wang, H., Gu, D. (2016). Open Sesame! Web Authentication Cracking via Mobile App Analysis. In: Li, F., Shim, K., Zheng, K., Liu, G. (eds) Web Technologies and Applications. APWeb 2016. Lecture Notes in Computer Science(), vol 9932. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45816-8

  • Online ISBN: 978-3-319-45817-5

  • eBook Packages: Computer ScienceComputer Science (R0)