Abstract

Nowadays, people's lifestyle is more and more dependent on mobile applications (Apps), such as shopping, financial management and surfing the internet. However, developers mainly focus on the implementation of Apps and the improvement of user experience while ignoring security issues. In this paper, we perform the comprehensive study on vulnerabilities caused by misuse of APIs and form a methodology for this type of vulnerability analysis. We investigate the security of three types of Android Apps including finance, shopping and browser which are closely related to human life. And we analyze four vulnerabilities including Improper certificate validation(CWE-295:ICV), WebView bypass certificate validation vulnerability(CVE-2014-5531:WBCVV), WebView remote code execution vulnerability(CVE-2014-1939:WRCEV) and Alibaba Cloud OSS credential disclosure vulnerability(CNVD-2017-09774:ACOCDV). In order to verify the effectiveness of our analysis method in large-scale Apps on the Internet, we propose a novel scalable tool - VulArcher, which is based on heuristic method and used to discover if the above vulnerabilities exist in Apps. We download a total of 6114 of the above three types of samples in App stores, and we use VulArcher to perform the above vulnerability detection for each App. We perform manual verification by randomly selecting 100 samples of each vulnerability. We find that the accuracy rate for ACOCDV can reach 100%, the accuracy rate for WBCVV can reach 95%, and the accuracy rate for the other two vulnerabilities can reach 87%. And one of vulnerabilities detected by VulArcher has been included in China National Vulnerability Database (CNVD) ID(CNVD-2017-23282). Experiments show that our tool is feasible and effective. For the convenience of researchers in related communities, We make our data and tool available at https://buptnsrclab.github.io/blog/2020/01/03/vularcher-site-launched.

Highlights

  • With the rapid growth of functional requirement of mobile Apps, the development iteration of Apps is more and more rapid

  • By manual analysis of 400 Apps, we find the vulnerabilities caused by the misuse of APIs accounted for the majority, and the most of vulnerabilities caused by API misuse are WRCEV, WBCVV, ICV and ACOCDV

  • Based on the above analysis, we explore the severity of these vulnerabilities and perform the comprehensive study on the four vulnerabilities caused by the misuse of APIs and form an analysis methodology for each category of vulnerabilities

Read more

Summary

INTRODUCTION

With the rapid growth of functional requirement of mobile Apps, the development iteration of Apps is more and more rapid. Malicious JavaScript normally runs on the vulnerable App, which reads the file information from the sdcard directory of the Android device It indicates that this vulnerability exists and can be exploited in the App. 3) INSIGHT When developers use the addJavascriptInterface (Object object, String name) API to call a web page. 4) ALIBABA CLOUD OSS CREDENTIAL DISCLOSURE VULNERABILITY (ACOCDV) For an App that uses the API OSSPlainTextAKSKCredentialProvider provided by the Alibaba OSS SDK to create credential information with server, its secretKey needed in the method is hard coded in the program. This causes the existence of information disclosure vulnerability. The entire vulnerability search process is fast and accurate

EXTRACT SUSPICIOUS CODE SEGMENT
EXPERIMENT
DISCUSSIONS AND LIMITATIONS
Findings
VIII. CONCLUSIONS

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.