
Hunting Password Leaks in Android Applications

Abstract : A wide range of mobile applications for the Android operating system require users to input sensitive data, such as PINs or passwords. Given the ubiquitous and security-critical role of credentials, it is paramount that programs process secrets responsibly and do not expose them to unrelated parties. Unfortunately, users have no insight into what happens with their data after entrusting it to an application. In this paper, we introduce a new approach to identify and follow the trace of user input right from the point where it enters an application. By using a combination of static slicing in forward and backward direction, we are able to reveal potential data leaks and can pinpoint their origin. To evaluate the applicability of our solution, we conducted a manual and automated inspection of security-related Android applications that process user-entered secrets. We find that 182 out of 509 (36%) applications insecurely store given credentials in files or pass them to a log output.
Document type :
Conference papers

Cited literature [14 references]

https://hal.inria.fr/hal-02023717
Contributor : Hal Ifip
Submitted on : Thursday, February 21, 2019 - 2:34:31 PM
Last modification on : Thursday, February 21, 2019 - 2:55:14 PM
Long-term archiving on : Thursday, May 23, 2019 - 12:02:56 AM

File

 Restricted access
To satisfy the distribution rights of the publisher, the document is embargoed until : 2021-01-01


Licence


Distributed under a Creative Commons Attribution 4.0 International License

Citation

Johannes Feichtner. Hunting Password Leaks in Android Applications. 33th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), Sep 2018, Poznan, Poland. pp.278-292, ⟨10.1007/978-3-319-99828-2_20⟩. ⟨hal-02023717⟩
