ICSE 2021
Mon 17 May - Sat 5 June 2021

Because typing on a small keyboard is inconvenient, most mobile apps support an automatic login feature for a better user experience: users avoid retyping their ID and password when an app returns to the foreground. However, this auto-login function can be exploited to launch the so-called "data-clone attack": once the locally stored data on which auto-login depends are cloned by attackers and placed into their own smartphones, attackers can break through the login-device number limit and log in to the victim's account stealthily. A natural countermeasure is to check the consistency of device-specific attributes: as long as the new device shows a different device fingerprint from the previous one, the app disables the auto-login function and thus prevents data-clone attacks.

In this paper, we develop VPDroid, a transparent Android OS-level virtualization platform tailored for security testing. With VPDroid, security analysts can customize different device artifacts, such as CPU model, Android ID, and phone number, in a virtual phone without user-level API hooking. VPDroid's isolation mechanism ensures that user-mode apps in the virtual phone cannot detect device-specific discrepancies. To assess Android apps' susceptibility to the data-clone attack, we use VPDroid to simulate data-clone attacks on 234 of the most-downloaded apps. Our experiments on five different virtual phone environments show that VPDroid's device attribute customization can deceive all tested apps that perform device-consistency checks, such as Twitter, WeChat, and PayPal. 19 vendors have confirmed our report as a zero-day vulnerability. Our findings paint a cautionary tale: enforcing a device-consistency check only at the client side still leaves an app vulnerable to an advanced data-clone attack.
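The following is an added illustration of the client-side device-consistency check the abstract describes and of why a virtual phone whose attributes match the victim's defeats it. It is example code written for this page, not code from the paper or from VPDroid: the device attribute sets are constructed, the token/fingerprint record format is an assumption about how an app might persist auto-login state, and `virtual_phone` stands in for a VPDroid-style environment that returns the victim's values for every attribute the app queries.

```python
import hashlib
import hmac
import json
import secrets

# Constructed device attribute sets (not real device data). Only the
# attributes the abstract names as customizable in VPDroid are used:
# CPU model, Android ID and phone number.
VICTIM_PHONE = {
    "cpu_model": "Kirin 980",
    "android_id": "9774d56d682e549c",
    "phone_number": "+15550100",
}
ATTACKER_PHONE = {
    "cpu_model": "Snapdragon 855",
    "android_id": "0a1b2c3d4e5f6789",
    "phone_number": "+15550199",
}
FINGERPRINT_FIELDS = ("cpu_model", "android_id", "phone_number")


def device_fingerprint(attrs):
    """Hash of the attributes the app treats as identifying the device."""
    canonical = "|".join(attrs[f] for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()


def create_auto_login_record(session_token, attrs):
    """What the app persists locally after a successful password login
    (assumed format). The token is bound to the fingerprint with an HMAC
    under an app-local random key; note that this key lives in the same
    local storage, so a data-clone copies it together with the token."""
    key = secrets.token_bytes(32)
    fp = device_fingerprint(attrs)
    tag = hmac.new(key, (session_token + fp).encode(), hashlib.sha256).hexdigest()
    return {"token": session_token, "fingerprint": fp, "key": key.hex(), "tag": tag}


def try_auto_login(record, current_attrs):
    """Client-side consistency check run when the app returns to the
    foreground. Returns True if auto-login proceeds, False if the app
    falls back to password login. Every input comes from the device the
    app is running on, so an environment that reports the victim's
    attributes passes without touching the cloned data."""
    fp_now = device_fingerprint(current_attrs)
    if not hmac.compare_digest(fp_now, record["fingerprint"]):
        return False
    expected = hmac.new(
        bytes.fromhex(record["key"]), (record["token"] + fp_now).encode(), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def clone_app_data(record):
    """Data-clone attack: a byte-for-byte copy of the app's local storage."""
    return json.loads(json.dumps(record))


def virtual_phone(spoofed_from):
    """Model of a VPDroid-style virtual phone: each attribute the app can
    query is customized to the value the victim's device reports."""
    return {f: spoofed_from[f] for f in FINGERPRINT_FIELDS}


def run_scenarios():
    """Three cases: the victim's own phone, the cloned data on an ordinary
    attacker phone, and the cloned data inside a virtual phone."""
    record = create_auto_login_record("sess-" + secrets.token_hex(8), VICTIM_PHONE)
    cloned = clone_app_data(record)
    return {
        "victim_same_device": try_auto_login(record, VICTIM_PHONE),
        "clone_on_attacker_phone": try_auto_login(cloned, ATTACKER_PHONE),
        "clone_on_virtual_phone": try_auto_login(cloned, virtual_phone(VICTIM_PHONE)),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'auto-login' if ok else 'password required'}")
```

The second scenario is the naive data-clone the check is designed to stop; the third is the attack in the abstract, where the cloned record and the spoofed attributes agree, so the app has nothing local to compare against. Nothing in the check consults a party the attacker does not control, which is the point of the paper's closing sentence.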

Conference Day
Wed 26 May

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

11:20 - 12:20
2.1.1. Vulnerabilities in Android #1 (Technical Track) at Blended Sessions Room 1 (+12h mirror session at 23:20)
Chair(s): Alessandra Gorla, IMDEA Software Institute

11:20, 20m, Paper (Technical Track)
Fine with "1234"? An Analysis of SMS One-Time Password Randomness in Android Apps
Siqi Ma, The University of Queensland; Juanru Li, Shanghai Jiao Tong University; Hyoungshick Kim, Sungkyunkwan University; Elisa Bertino, Purdue University; Surya Nepal, Data61, CSIRO; Diet Ostry, Data61, CSIRO; Cong Sun, Xidian University
Pre-print; media attached

11:40, 20m, Paper (Technical Track)
App's Auto-Login Function Security Testing via Android OS-Level Virtualization
Wenna Song, Wuhan University; Jiang Ming, University of Texas at Arlington; Lin Jiang, XDJA; Han Yan, Wuhan University; Yi Xiang, Wuhan University; Yuan Chen, Wuhan University; Jianming Fu, Wuhan University; Guojun Peng, Wuhan University
Pre-print; media attached

12:00, 20m, Paper (Technical Track, ACM SIGSOFT Distinguished Paper)
ATVHunter: Reliable Version Detection of Third-Party Libraries for Vulnerability Identification in Android Apps
Xian Zhan, The Hong Kong Polytechnic University; Lingling Fan, Nankai University; Sen Chen, Tianjin University; Feng Wu, Nanyang Technological University; Tianming Liu, Monash University; Xiapu Luo, The Hong Kong Polytechnic University; Yang Liu, Nanyang Technological University
Pre-print
23:20 - 00:20
2.1.1. Vulnerabilities in Android #1 (Technical Track) at Blended Sessions Room 1: +12h mirror of the session above, with the same three papers in the same order (Fine with "1234"? at 23:20, App's Auto-Login Function Security Testing via Android OS-Level Virtualization at 23:40, ATVHunter at 00:00; 20m each).