Automatic Forgery of Cryptographically Consistent Messages to Identify Security Vulnerabilities in Mobile Services presented at NDSS 2016

by Rui Wang, Zhiqiang Lin, Chaoshun Zuo, Wubing Wang

Summary: Most smartphone apps today require access to remote services, and many of them also require users to be authenticated in order to use those services. To secure the communication between the app and the service, app developers often use cryptographic mechanisms such as encryption (e.g., HTTPS) and hashing (e.g., MD5, SHA1) to ensure the confidentiality and integrity of the network messages. However, such cryptographic mechanisms can only protect the communication itself; server-side checks are still needed, because a malicious client completely owned by an attacker can generate any message it wishes. As a result, incorrect or missing server-side checks can lead to severe security vulnerabilities, including password brute-forcing, leaked password probing, and security access token hijacking. To demonstrate this threat, we present AutoSign, a tool that can automatically generate valid client-side messages to test whether the server side of an app protects user accounts with sufficient checks. To enable these security tests, a fundamental challenge lies in how to generate valid, cryptographically computed authenticated messages that the server will accept. We have addressed this challenge with a set of systematic techniques developed in AutoSign, and tested it against 76 popular app services. Our experimental results show that the servers of 65 of them (86%) are vulnerable to password brute-forcing attacks, all (100%) are vulnerable to leaked password probing attacks, and 9 (12%) are vulnerable to Facebook access token hijacking attacks.
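The following is an added illustration, not code from the paper or from the AutoSign tool: a toy login service in which the request signature is assumed to be an HMAC-SHA1 over the request body keyed with a secret embedded in the app. Because any attacker-controlled client holds that secret, every forged message passes the signature check, and only the separate server-side lockout check (the kind the summary reports as missing or incorrect on most tested services) stops repeated password guesses.

```python
import hashlib
import hmac

# Constructed sample values (assumptions, not from the paper): a secret the
# app embeds to sign requests, one registered user, and a lockout threshold.
APP_SECRET = b"demo-app-secret"
USERS = {"alice": "correct horse battery staple"}
MAX_FAILED_ATTEMPTS = 5


def sign_request(body: bytes, secret: bytes = APP_SECRET) -> str:
    """Client-side signature; a client owned by the attacker can compute
    this for any body, so it proves nothing about the sender's intent."""
    return hmac.new(secret, body, hashlib.sha1).hexdigest()


class LoginService:
    def __init__(self):
        self.failed = {}  # username -> count of consecutive failed logins

    def login(self, body: bytes, signature: str) -> str:
        # Check 1: cryptographic consistency. Rejects only messages that
        # were not produced with the app secret.
        if not hmac.compare_digest(sign_request(body), signature):
            return "bad_signature"
        user, _, password = body.decode().partition(":")
        # Check 2: server-side lockout. Without this, a valid-looking
        # message can be resubmitted with a new guess indefinitely.
        if self.failed.get(user, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if USERS.get(user) == password:
            self.failed.pop(user, None)
            return "ok"
        self.failed[user] = self.failed.get(user, 0) + 1
        return "wrong_password"


def run_login_attempts(service: LoginService, user: str, guesses) -> list:
    """Submit correctly signed login attempts for each guess and return the
    server's verdicts; every message passes check 1, so the outcome shows
    whether check 2 is doing its job."""
    bodies = (f"{user}:{g}".encode() for g in guesses)
    return [service.login(b, sign_request(b)) for b in bodies]
```

Running the attempts against a service without the lockout branch returns "wrong_password" for every guess and "ok" as soon as the right one is submitted, which is the failure mode the summary's 86% figure describes.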