Authenticator Leakage through Backup Channels on Android

Presented at Black Hat Europe 2015

The security of authentication protocols relies heavily on the confidentiality of credentials (authenticators) such as passwords and session IDs. Unlike browser-based web applications, for which highly evolved browsers manage the authenticators, Android apps have to implement their own authenticator management. We find that most apps simply store the authenticators in persistent storage and rely on the underlying Android OS to mediate access to them. Consequently, the authenticators can be leaked through compromised backup channels. In this work, we conduct the first systematic investigation of this previously overlooked attack vector. We find that nearly all backup apps on Google Play inadvertently expose backup data to any app holding the Internet and SD card permissions. With this exposure, a malicious app can steal other apps' authenticators and obtain complete control over the authenticated sessions. We show that this can be done stealthily and efficiently by building a proof-of-concept app named AuthSniffer. We find that 80 (68.4%) of the 117 tested top-ranked apps that implement authentication schemes are subject to this threat. Our study should raise the awareness of app developers and protocol analysts about this attack vector.
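The abstract's mechanism is that apps write authenticators to persistent storage and a backup app copies that storage to a location readable by other apps. As an added example (not the AuthSniffer proof-of-concept and not code from the authors), the following Python script shows the kind of triage a pentester or app developer can run over backup output: it parses Android shared_prefs XML files, the key/value format most apps use for persistent storage, and flags entries that look like authenticators either by key name or by value shape (long, opaque, high-entropy strings). The key-name list, the entropy threshold, the directory layout assumed by scan_backup_dir and the sample XML are assumptions constructed for illustration.

```python
"""Triage an extracted Android backup for leaked authenticators.

Added example, not the authors' AuthSniffer code: parse shared_prefs XML
files and flag entries that look like session IDs, tokens or passwords.
"""
import math
import os
import re
import xml.etree.ElementTree as ET

# Assumption: key names that commonly hold authenticators.
SUSPICIOUS_KEY = re.compile(
    r"token|session|sess(id)?|auth|cookie|password|passwd|secret", re.I
)
# Opaque credential shape: 16+ chars drawn only from hex/base64/url-safe alphabets.
OPAQUE_VALUE = re.compile(r"^[A-Za-z0-9+/=_.\-]{16,}$")
# Assumption: bits/char below which a value is treated as non-random (a word, a URL).
MIN_ENTROPY = 3.0


def shannon_entropy(s):
    """Bits per character of s; random tokens score well above plain words."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_shared_prefs(xml_data):
    """Return {name: value} from a shared_prefs XML document.

    <string> carries its value as element text; <int>, <long>, <boolean> and
    <float> carry it in a value attribute. Every value is returned as str.
    """
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    root = ET.fromstring(xml_data)
    prefs = {}
    for el in root:
        name = el.get("name")
        if name is None:
            continue
        prefs[name] = (el.text or "") if el.tag == "string" else el.get("value", "")
    return prefs


def find_authenticators(prefs):
    """Map each suspicious entry to the list of reasons it was flagged."""
    hits = {}
    for key, value in prefs.items():
        reasons = []
        if value and SUSPICIOUS_KEY.search(key):
            reasons.append("key name")
        if OPAQUE_VALUE.match(value) and shannon_entropy(value) >= MIN_ENTROPY:
            reasons.append("opaque high-entropy value")
        if reasons:
            hits[key] = reasons
    return hits


def scan_backup_dir(root_dir):
    """Walk an extracted backup tree and return {xml path: hits} for every shared_prefs file."""
    findings = {}
    for dirpath, _, filenames in os.walk(root_dir):
        if os.path.basename(dirpath) != "shared_prefs":
            continue
        for fn in filenames:
            if not fn.endswith(".xml"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                try:
                    hits = find_authenticators(parse_shared_prefs(f.read()))
                except ET.ParseError:
                    continue  # not a shared_prefs document; skip it
            if hits:
                findings[path] = hits
    return findings


# Constructed sample: what a backed-up shared_prefs file of a logged-in app might contain.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="username">alice</string>
    <string name="session_id">a3f9c2e17b4d4e6f9a0b1c2d3e4f5a6b</string>
    <string name="api_key">QW5kcm9pZEJhY2t1cFRlc3RLZXkxMjM0NTY3OA==</string>
    <string name="theme">dark</string>
    <string name="server">https://example.com/api</string>
    <boolean name="logged_in" value="true" />
    <long name="last_sync" value="1446000000000" />
</map>
"""

if __name__ == "__main__":
    for key, reasons in find_authenticators(parse_shared_prefs(SAMPLE_PREFS)).items():
        print(f"{key}: {', '.join(reasons)}")
```

The two heuristics are deliberately independent: session_id is caught by its name, while api_key (whose name is not in the list) is caught only because its value is a long base64 string with high entropy. Run scan_backup_dir on the directory a backup app wrote to the SD card to see which apps' authenticators would be readable by anything else holding that permission.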


  • Guangdong Bai - National University of Singapore
    Dr. Bai Guangdong is a Research Fellow at the National University of Singapore (NUS), where he received his PhD degree. His research interests span the broad areas of mobile security, web security, and protocol verification. In his previous research, he has worked on analyzing authentication protocol implementations, online payment, and Android security. His research has helped identify and fix serious security vulnerabilities in major websites such as Sina Weibo. His work appears in top academic conferences such as NDSS and FM.

