Authenticator Leakage Through Backup Channels on Android

by Guangdong Bai

Security of authentication protocols heavily replies on the confidentiality of credentials (or authenticators) like passwords and session IDs. However, unlike browser-based web applications for which highly evolved browsers manage the authenticators, Android apps have to construct their own management. We find that most apps simply locate the authenticators into the persistent storage and entrust the underlying Android OS for mediation. Consequently, the authenticators can be leaked through compromised backup channels. In this work, we conduct the first systematic investigation on this previously overlooked attack vector. We find that nearly all backup apps on Google Play inadvertently expose backup data to any app with Internet and SD card permissions. With this exposure, the malicious apps can steal other apps' authenticators and obtain complete control over the authenticated sessions. We show that this can be stealthily and efficiently done by building a proof-of-concept app named AuthSniffer. We find that 80 (68.4%) out of 117 tested top-ranked apps which have implemented authentication schemes are subject to this threat. Our study should raise the awareness of app developers and protocol analysts about this attack vector.

Authenticator Leakage Through Backup Channels on Android blackhat 2015
5 Likes	5 Dislikes
4,626 views views	117K followers
People & Blogs	Upload TimePublished on 5 Mar 2016

Related keywords

1. infosec news
2. information security manager
3. blackhat asia 2019
4. blackhat 2019
5. infosec twitter
6. blackhat 2018
7. black hat seo technique
8. blackhat europe
9. blackhat badger sekiro
10. black hat x reader
11. black hat cartoon
12. black hat x dr flug
13. cyber securityとは
14. blackhat conference 2019
15. cyber security cloud
16. black hat full movie
17. blackhat badger
18. blackhat forum
19. information security foundation 勉強
20. infosec rotkreuz
21. cyber security framework
22. information security policy template
23. infosecurity utrecht
24. infosec ups system
25. cyber security news
26. cyber security act
27. infosecurity
28. blackhat full movie
29. infosec blog
30. black hat badger
31. information security foundation 参考書
32. information security management system
33. cyber security conference
34. black hat seo
35. cyber security pro
36. black hat movie
37. blackhat imdb
38. infosec podcast
39. black hat cast
40. cyber security pro 新しいネットワークが検出されました
41. cyber security cloud managed rules
42. cyber security measures
43. information security governance
44. infosec global
45. infosecurity europe 2020
46. infosec health
47. infosec magazine
48. information security 日本語
49. infosec 19
50. black hat anime
51. information security foundation
52. infosecurity magazine
53. cyber security tokyo
54. black hat meaning
55. black hatch
56. information security definition
57. information security pdf
58. infosec europe 2019
59. cyber security market
60. infosec institute
61. infosec 2019 london
62. information security foundation 難易度
63. black hatch gamefowl
64. cyber security management system
65. information security certifications
66. blackhat film
67. cyber security pro アンインストール
68. information security specialist
69. cyber security 意味
70. cyber security analyst
71. information security policy
72. black hat usa 2019
73. information security forum
74. information security news
75. infosec conferences
76. information security officer
77. infosekta
78. cyber security japan
79. blackhat trailer
80. information security analyst
81. cyber security university
82. black hat hacker
83. black hat forum
84. cyber security company
85. black hat hacking
86. black hat villainous
87. blackhat conference
88. information security foundation based on iso/iec 27001
89. blackhat usa
90. cyber security report
91. blackhatworld
92. black hat x demencia
93. information security management
94. blackhat cast
95. black hat 2019
96. infosec reactions