Skip to main content

Where Is the Weakest Link? A Study on Security Discrepancies Between Android Apps and Their Website Counterparts

Part of the Lecture Notes in Computer Science book series (LNCCN,volume 10176)


As we move into the mobile era, many functionalities in standard web services are being re-implemented in mobile apps and services, including many security-related functionalities. However, it has been observed that security features that are standardized in the PC and web space are often not implemented correctly by app developers resulting in serious security vulnerabilities. For instance, prior work has shown that the standard SSL/TLS certificate validation logic in browsers is not implemented securely in mobile apps. In this paper, we study a related question: given that many web services are offered both via browsers/webpages and mobile apps, are there any discrepancies between the security policies of the two?

To answer the above question, we perform a comprehensive study on 100 popular app-web pairs. Surprisingly, we find many discrepancies – we observe that often the app security policies are much weaker than their website counterparts. We find that one can perform unlimited number of login attempts at a high rate (e.g., 600 requests per second) from a single IP address by following the app protocol whereas the website counterpart typically blocks such attempts. We also find that the cookies used in mobile apps are generally more valuable as they do not expire as quickly as the ones used for websites and they are often stored in plaintext on mobile devices. In addition, we find that apps often do not update the libraries they use and hence vulnerabilities are often left unpatched. Through a study of 6400 popular apps, we identify 31 apps that use one or more vulnerable (unpatched) libraries. We responsibly disclosed all of our findings to the corresponding vendors and have received positive acknowledgements from them. This result is a vivid demonstration of “security is only as good as its weakest link”.


  • Security Policy
  • Login Request
  • Security Protection
  • Dictionary Attack
  • Correct Password

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-54328-4_8
  • Chapter length: 13 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   54.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-54328-4
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   69.99
Price excludes VAT (USA)
Fig. 1.


  1. The Hacker News. Warning: 18,000 android apps contains code that spy on your text messages. Accessed 10 Nov 2016

  2. Authentication Policy Table. Accessed 10 Nov 2016

  3. FFmpeg. Accessed 10 Nov 2016

  4. Hacker Selling 200 Million Yahoo Accounts On Dark Web. Accessed 10 Nov 2016

  5. Red Hat Bugzilla Bug 1204676. Accessed 10 Nov 2016

  6. Amber. Some Best Practices for Web App Authentication. Accessed 10 Nov 2016

  7. Book, T., Pridgen, A., Wallach, D.S.: Longitudinal analysis of android ad library permissions. CoRR, abs/1303.0857 (2013)

    Google Scholar 

  8. De Ryck, P., Desmet, L., Piessens, F., Joosen, W.: Secsess: keeping your session tucked away in your browser. In: Proceedings of the 30th Annual ACM Symposium on Applied Computing (SAC 2015) (2015)

    Google Scholar 

  9. Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., Smith, M.: Why eve and mallory love android: an analysis of android SSL (in)security. In: ACM CCS (2012)

    Google Scholar 

  10. Georgiev, M., Jana, S., Shmatikov, V.: Breaking and fixing origin-based access control in hybrid web/mobile application frameworks. In: 2014 Network and Distributed System Security (NDSS 2014), San Diego, February 2014

    Google Scholar 

  11. Grace, M.C., Zhou, W., Jiang, X., Sadeghi, A.-R.: Unsafe exposure analysis of mobile in-app. advertisements. In: WiSeC (2012)

    Google Scholar 

  12. Hwang, S., Lee, S., Kim, Y., Ryu, S.: Bittersweet ADB: attacks and defenses. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA (CCS 2015) (2015)

    Google Scholar 

  13. Leung, C., Ren, J., Choffnes, D., Wilson, C.: Should you use the app for that?: Comparing the privacy implications of app- and web-based online services. In: Proceedings of the 2016 ACM on Internet Measurement Conference (IMC 2016), New York, NY, USA, pp. 365–372. ACM (2016)

    Google Scholar 

  14. Mori, G., Malik, J.: Recognizing objects in adversarial clutter: breaking a visual captcha. In: Proceedings of the 2003 IEEE Computer Society Conference on Computer Vision and Pattern Recognition (2003)

    Google Scholar 

  15. OWASP. Blocking Brute Force Attacks. Accessed 10 Nov 2016

  16. OWASP. Testing for Captcha (OWASP-AT-012). Accessed 10 Nov 2016

  17. Sivakorn, S., Polakis, I., Keromyti, A.D.: The cracked cookie jar: http cookie hijacking and the exposure of private information. In: Proceedings of the 2016 IEEE Symposium on Security and Privacy. IEEE (2016)

    Google Scholar 

  18. Tam, J., Simsa, J., Hyde, S., Ahn, L.V.: Breaking audio captchas. In: Koller, D., Schuurmans, D., Bengio, Y., Bottou, L., (eds.) Advances in Neural Information Processing Systems, vol. 21, pp. 1625–1632 (2008)

    Google Scholar 

  19. Wolverton, T.: Hackers find new way to milk eBay users. In: Proceedings of the 1998 Network and Distributed System Security Symposium (2002)

    Google Scholar 

  20. Wright, J.: How Browsers Store Your Passwords (and Why You Shouldn’t Let Them). Accessed 10 Nov 2016

  21. Zuo, C., Wang, W., Wang, R., Lin, Z.: Automatic forgery of cryptographically consistent messages to identify security vulnerabilities in mobile services. In: NDSS (2016)

    Google Scholar 

Download references


We would like to thank our shepherd Kanchana Thilakarathna for his feedback in revising the paper. This work is supported by NSF grant CNS-1617424 to UC Riverside.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Arash Alavi .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Alavi, A. et al. (2017). Where Is the Weakest Link? A Study on Security Discrepancies Between Android Apps and Their Website Counterparts. In: Kaafar, M., Uhlig, S., Amann, J. (eds) Passive and Active Measurement. PAM 2017. Lecture Notes in Computer Science(), vol 10176. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54327-7

  • Online ISBN: 978-3-319-54328-4

  • eBook Packages: Computer ScienceComputer Science (R0)