As we move into the mobile era, many functionalities in standard web services are being re-implemented in mobile apps and services, including many security-related functionalities. However, it has been observed that security features that are standardized in the PC and web space are often not implemented correctly by app developers, resulting in serious security vulnerabilities. For instance, prior work has shown that the standard SSL/TLS certificate validation logic in browsers is not implemented securely in mobile apps. In this paper, we study a related question: given that many web services are offered both via browsers/webpages and mobile apps, are there any discrepancies between the security policies of the two?
To answer the above question, we perform a comprehensive study on 100 popular app-web pairs. Surprisingly, we find many discrepancies – we observe that the app security policies are often much weaker than their website counterparts. We find that one can perform an unlimited number of login attempts at a high rate (e.g., 600 requests per second) from a single IP address by following the app protocol, whereas the website counterpart typically blocks such attempts. We also find that the cookies used in mobile apps are generally more valuable, as they do not expire as quickly as the ones used for websites and they are often stored in plaintext on mobile devices. In addition, we find that apps often do not update the libraries they use, and hence vulnerabilities are often left unpatched. Through a study of 6400 popular apps, we identify 31 apps that use one or more vulnerable (unpatched) libraries. We responsibly disclosed all of our findings to the corresponding vendors and have received positive acknowledgements from them. This result is a vivid demonstration of “security is only as good as its weakest link”.
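The login-throttling discrepancy described above (a website that blocks rapid repeated login attempts while the app's endpoint accepts hundreds per second from one IP) comes down to whether the same policy is enforced on every login path. The following is an added example, not code from the paper or from any of the studied services: a single per-IP sliding-window throttle on failed logins that both the web form and the app endpoint consult, replayed against a constructed burst of 600 attempts in one second. The endpoint paths, the limit of 10 failures per 60 seconds and the IP addresses are assumptions for illustration; the paper reports no specific thresholds.

```python
"""Added example: one login-failure throttle shared by web and app login paths.
Endpoint names, limits and IPs below are constructed, not taken from the paper."""
from collections import defaultdict, deque

MAX_FAILURES = 10        # assumed: failed attempts tolerated per source IP ...
WINDOW_SECONDS = 60.0    # ... within this sliding window
LOGIN_PATHS = {"/login", "/api/v1/login"}  # assumed web form and app endpoint


class LoginThrottle:
    """Per-IP sliding window over failed login attempts, independent of path."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self._failures = defaultdict(deque)  # ip -> timestamps of failures

    def _prune(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, ip, now):
        return len(self._prune(ip, now)) < self.max_failures

    def record_failure(self, ip, now):
        self._failures[ip].append(now)


def handle_login(throttle, ip, path, password_ok, now):
    """Return 'blocked', 'ok' or 'bad_password'.

    The throttle is consulted before the password is checked, for every login
    path, so the app endpoint gets exactly the protection the web form has.
    With throttle=None the endpoint behaves like the unprotected app APIs
    the paper observed: every attempt reaches password verification.
    """
    if path not in LOGIN_PATHS:
        raise ValueError("not a login endpoint: " + path)
    if throttle is not None and not throttle.allow(ip, now):
        return "blocked"
    if password_ok:
        return "ok"
    if throttle is not None:
        throttle.record_failure(ip, now)
    return "bad_password"


def burst(path, n=600, source_ip="203.0.113.7", correct_at=300):
    """Constructed traffic: n attempts spread over one second from one IP.
    Only attempt number `correct_at` carries the right password."""
    return [(i / n, source_ip, path, i == correct_at) for i in range(n)]


def replay(requests, throttle):
    """Replay (time, ip, path, password_ok) tuples; count each outcome."""
    counts = {"ok": 0, "bad_password": 0, "blocked": 0}
    for now, ip, path, password_ok in requests:
        counts[handle_login(throttle, ip, path, password_ok, now)] += 1
    return counts


if __name__ == "__main__":
    print("app endpoint, no throttle:", replay(burst("/api/v1/login"), None))
    print("app endpoint, throttled:  ", replay(burst("/api/v1/login"), LoginThrottle()))
    print("web form, throttled:      ", replay(burst("/login"), LoginThrottle()))
```

Without the throttle the burst reaches password verification 600 times and the one correct guess succeeds; with it, only the first 10 failures are evaluated and the remaining 590 attempts, including the correct one, are refused. Because the window is keyed on the source IP, a legitimate user logging in from another address during the burst is unaffected, and the blocked address recovers once its failures age out of the window.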
We would like to thank our shepherd Kanchana Thilakarathna for his feedback in revising the paper. This work is supported by NSF grant CNS-1617424 to UC Riverside.
Alavi, A. et al. (2017). Where Is the Weakest Link? A Study on Security Discrepancies Between Android Apps and Their Website Counterparts. In: Kaafar, M., Uhlig, S., Amann, J. (eds) Passive and Active Measurement. PAM 2017. Lecture Notes in Computer Science, vol 10176. Springer, Cham. https://doi.org/10.1007/978-3-319-54328-4_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54327-7
Online ISBN: 978-3-319-54328-4