Files
Dissertation__Chaoshun_Zuo.pdf (4.54 MB)
Multi-Dimensional Identification of Vulnerable Access Control in Mobile Applications
Author
Chaoshun, Zuo
Permalink:
http://rave.ohiolink.edu/etdc/view?acc_num=osu1607053836106829
Year and Degree
2020, Doctor of Philosophy, Ohio State University, Computer Science and Engineering.
Abstract
Today, mobile applications (apps for short) are everywhere, and they often need to talk to remote backends to provide a variety of services. These backends, whether traditional servers or emerging cloud-based backends, are typically multi-user computing systems that need to regulate who can view or use a resource. A particular security mechanism to achieve this objective is access control, which typically consists of both authentication and authorization. In this dissertation, we present a systematic methodology to automatically identify vulnerable access control implementations in mobile applications (i.e., remote backends, including traditional servers and cloud-based backends, and mobile apps) through automated reverse engineering of the binary code of mobile apps available in the app stores (e.g., Google Play). In particular, this methodology involves four key components: AutoForge, AuthScope, LeakScope, and MultiScope, where the first three focus on vulnerable access controls that involve two parties (e.g., app and server, or app and cloud-based backend) and the last focuses on vulnerable multi-party access controls (e.g., multi-party payment transactions for in-app purchases).

More specifically, in order to identify vulnerable access controls in traditional servers, we designed two components that depend on traffic analysis to identify vulnerable authentication and vulnerable authorization, respectively. First, with respect to the identification of vulnerable authentication, we designed AutoForge, which forges login traffic to identify whether servers are subject to password brute-forcing attacks. Second, to identify vulnerable authorization, we implemented AuthScope, which manipulates traffic by mutating the fields used for authorization between two different users to inspect whether servers enforce the authorization token properly.
Additionally, to identify vulnerable access controls in cloud-based backends and multi-party communication models, we present two components that analyze remote and local APIs to identify vulnerabilities. In particular, to identify vulnerable access control implementations that lead to data leakage in cloud-based backends, we present LeakScope, which uncovers secret keys from local APIs and invokes remote APIs with these keys to identify misused keys and misconfigured permissions. On the other hand, to identify vulnerable authorization in multi-party communications (e.g., in-game purchases) that expose games to payment bypass attacks, we propose MultiScope, which analyzes the local APIs used to verify payment transactions to identify whether a game app is subject to such bypass attacks.
Committee
Lin Zhiqiang (Advisor)
Zhang Yinqian (Committee Member)
Qin Feng (Committee Member)
Rountev Atanas (Committee Member)
Pages
215 p.
Subject Headings
Computer Science
Keywords
Android security, mobile security, access control, reverse engineering
Citations
APA Style (7th edition): Chaoshun, Z. (2020). Multi-Dimensional Identification of Vulnerable Access Control in Mobile Applications [Doctoral dissertation, Ohio State University]. OhioLINK Electronic Theses and Dissertations Center. http://rave.ohiolink.edu/etdc/view?acc_num=osu1607053836106829
MLA Style (8th edition): Chaoshun, Zuo. Multi-Dimensional Identification of Vulnerable Access Control in Mobile Applications. 2020. Ohio State University, Doctoral dissertation. OhioLINK Electronic Theses and Dissertations Center, http://rave.ohiolink.edu/etdc/view?acc_num=osu1607053836106829.
Chicago Manual of Style (17th edition): Chaoshun, Zuo. "Multi-Dimensional Identification of Vulnerable Access Control in Mobile Applications." Doctoral dissertation, Ohio State University, 2020. http://rave.ohiolink.edu/etdc/view?acc_num=osu1607053836106829
Document number: osu1607053836106829
Download count: 616
Copyright Info
© 2020, some rights reserved.
Multi-Dimensional Identification of Vulnerable Access Control in Mobile Applications by Zuo Chaoshun is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License. Based on a work at etd.ohiolink.edu.
This open access ETD is published by The Ohio State University and OhioLINK.