Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies &amp; Vulnerabilities

Mendoza, Abner; Gu, Guofei

doi:10.1109/sp.2018.00039

Cited by 33 publications

(24 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Mendoza et al studied the inconsistencies in input validation logic between apps and their respective web API services [5]. They developed a tool to extract requests to web API services from an app, and to infer sample input values that violate the implemented constraints found in the app, such as email address or JSON content validation executed on the client side.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Web APIs in Android through the Lens of Security

Gadient

Ghafari

Tarnutzer

et al. 2020

2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

Web communication has become an indispensable characteristic of mobile apps. However, it is not clear what data the apps transmit, to whom, and what consequences such transmissions have.We analyzed the web communications found in mobile apps from the perspective of security. We first manually studied 160 Android apps to identify the commonly-used communication libraries, and to understand how they are used in these apps. We then developed a tool to statically identify web API URLs used in the apps, and restore the JSON data schemas including the type and value of each parameter.We extracted 9 714 distinct web API URLs that were used in 3 376 apps. We found that developers often use the java.net package for network communication, however, third-party libraries like OkHttp are also used in many apps. We discovered that insecure HTTP connections are seven times more prevalent in closed-source than in open-source apps, and that embedded SQL and JavaScript code is used in web communication in more than 500 different apps. This finding is devastating; it leaves billions of users and API service providers vulnerable to attack.

show abstract

Section: Related Workmentioning

confidence: 99%

“…https://github.com/skylot/jadx 3 https://javaparser.org 4 https://github.com/javaparser/javasymbolsolver5 The HTTP request header is a plain text record providing input details for the web API request.…”

mentioning

confidence: 99%

Web APIs in Android through the Lens of Security

Gadient

Ghafari

Tarnutzer

et al. 2020

2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

show abstract

“…Inferring the protocol format is not the primary goal of our analysis. Recently, WARDroid [27] introduces a static-analysis based method to extract web APIs, but it focuses on the implementation logic, which is not the objective of our analysis. However, our technique can certainly integrate these techniques to recognize the message format in addition to the discovery of the web APIs.…”

Section: Leakage Of Privacy Sensitive Data In Mobile Applicationsmentioning

confidence: 99%

Geo-locating Drivers: A Study of Sensitive Data Leakage in Ride-Hailing Services

Zhao¹,

Zuo²,

Pellegrino³

et al. 2019

Proceedings 2019 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Increasingly, mobile application-based ride-hailing services have become a very popular means of transportation. Due to the handling of business logic, these services also contain a wealth of privacy-sensitive information such as GPS locations, car plates, driver licenses, and payment data. Unlike many of the mobile applications in which there is only one type of users, ride-hailing services face two types of users: riders and drivers. While most of the efforts had focused on the rider's privacy, unfortunately, we notice little has been done to protect drivers. To raise the awareness of the privacy issues with drivers, in this paper we perform the first systematic study of the drivers' sensitive data leakage in ride-hailing services. More specifically, we select 20 popular ride-hailing apps including Uber and Lyft and focus on one particular feature, namely the nearby cars feature. Surprisingly, our experimental results show that largescale data harvesting of drivers is possible for all of the ridehailing services we studied. In particular, attackers can determine with high-precision the driver's privacy-sensitive information including mostly visited address (e.g., home) and daily driving behaviors. Meanwhile, attackers can also infer sensitive information about the business operations and performances of ride-hailing services such as the number of rides, utilization of cars, and presence on the territory. In addition to presenting the attacks, we also shed light on the countermeasures the service providers could take to protect the driver's sensitive information.

show abstract

“…Most of the time, in order to exchange data and information, a system must interact with other systems using different mechanism. For web service security testing [54,55], this is a critical element, as the mechanism or tool should have the ability to make sure the security interrelate and then manage with remaining components. b) Performance specifies the ability of the mechanism to ensure performance quality and also is a measure of how fast a request of service can be completed.…”

Section: ) Rq1"what Are the Issues Web Service Testing?"mentioning

confidence: 99%

“…Mentioned parameters have become leading issues in web service testing due to its distinctive scalability [11] and confidentiality concerns. Furthermore, real challenging task [12][13][14] in web service testing domain is that it has no Graphic User Interface (GUI) [15]. Thus, web service has no GUI to be verified and tested.…”

Section: Introductionmentioning

confidence: 99%

Web Service Testing Techniques: A Systematic Literature Review

Ghani¹,

Kadir²,

Mustafa³

2019

IJACSA

View full text Add to dashboard Cite

These days continual demands on loosely coupled systems have web service gives basic necessities to deliver resolution that are adaptable and sufficient to be work at runtime for maintaining the high quality of the system. One of the basic techniques to evaluate the quality of such systems is through testing. Due to the rapid popularization of web service, which is progressing and continuously increasing, testing of web service has become a basic necessity to maintain high quality of web service. The testing of the performance of Web service based applications is attracting extensive attention. In order to evaluate the performance of web services, it is essential to evaluate the QoS (Quality of Service) attributes such as interoperability, reusability, auditability, maintainability, accuracy and performance to improve the quality of service. The purpose of this study is to introduce the systematic literature review of web services testing techniques to evaluate the QoS attributes to make the testing technique better. With the intention of better testing quality in web services, this systematic literature review intends to evaluate what QoS parameters are necessary to provide better quality assurance. The focus of systematic literature is also to make sure that quality of testing can be encouraged for the present and future. Consequently, the main attention and motivation of the study is to provide an overview of recent research efforts of web service testing techniques from the research community. Each testing technique in web services has identified apparent standards, benefits, and restrictions. This systemic literature review provides a different testing resolution to industry to decide which testing technique is the most efficient and effective with the testing assignment agenda with available resources. As for the significance, it can be said that web service testing technique are still broadly open for improvements.

show abstract

Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities

Cited by 33 publications

References 31 publications

Web APIs in Android through the Lens of Security

Web APIs in Android through the Lens of Security

Geo-locating Drivers: A Study of Sensitive Data Leakage in Ride-Hailing Services

Web Service Testing Techniques: A Systematic Literature Review

Contact Info

Product

Resources

About