Personal Information Leaks with Automatic Login in Mobile Social Network Services

Choi, Jae Hak; Cho, Haehyun; Yi, Jeong Hyun

doi:10.3390/e17063947

Cited by 9 publications

(2 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Unfortunately, the variable nature of mobile devices (e.g., the switch of Wi-Fi hotspot and cellular data) makes it difficult to determine an adequate number of concurrent sessions. The previous work [7] has pointed out that, although many apps do not permit duplicate logins from different devices, they do allow multiple session requests from the same device ID. Our evaluation also confirms that most apps allow maintaining two or more connections per user.…”

Section: Mitigation Discussionmentioning

confidence: 99%

Android Data-Clone Attack via Operating System Customization

et al. 2020

View full text Add to dashboard Cite

To avoid the inconvenience of retyping a user's ID and password, most mobile apps now provide the automatic login feature for a better user experience. To this end, auto-login credential is stored locally on the smartphone. However, such sensitive credential can be stolen by attackers and placed into their smartphones via the well-known credential-clone attack. Then, attackers can imperceptibly log into the victim's account, which causes more devastating and covert losses than merely intercepting the user's password. In this article, we propose a generalized Android credential-clone attack, called data-clone attack. By exploiting the new-found vulnerabilities of original equipment manufacturer (OEM)-made phone clone apps, we design an identity theft method that overcomes the problem of incomplete credential extraction and eliminates the requirement of root authority. To evade the consistency check of device-specific attributes in apps, we design two environment customization methods for app-level and operating system (OS)-level, respectively. Especially, we develop a transparent Android OS customization solution, named CloneDroid, which simulates 101 special attributes of Android OS. We implement a prototype of CloneDroid and the experimental results show that 172 out of 175 most-downloaded apps' accounts can be jeopardized, such as Facebook and WeChat. Moreover, our study has identified 18 confirmed zero-day vulnerabilities. Our findings paint a cautionary tale for the security community that billions of accounts are potentially exposed to Android OS customization-assisted data-clone attacks.

show abstract

Section: Mitigation Discussionmentioning

confidence: 99%

Android Data-Clone Attack via Operating System Customization

et al. 2020

View full text Add to dashboard Cite

show abstract

“…The next paper, [3] entitled "Personal Information Leaks with Automatic Login in Mobile Social Network Services" by Jongwon Choi, et al presents the possibility of a credential cloning attack. Because the credentials are convenient for users, they are utilized by most mobile social network service (SNS) apps.…”

mentioning

confidence: 99%

Special Issue on Entropy-Based Applied Cryptography and Enhanced Security for Ubiquitous Computing

Park

Zhou

2016

Entropy

View full text Add to dashboard Cite

Entropy is a basic and important concept in information theory. It is also often used as a measure of the unpredictability of a cryptographic key in cryptography research areas. Ubiquitous computing (Ubi-comp) has emerged rapidly as an exciting new paradigm. In this special issue, we mainly selected and discussed papers related with ore theories based on the graph theory to solve computational problems on cryptography and security, practical technologies; applications and services for Ubi-comp including secure encryption techniques, identity and authentication; credential cloning attacks and countermeasures; switching generator with resistance against the algebraic and side channel attacks; entropy-based network anomaly detection; applied cryptography using chaos function, information hiding and watermark, secret sharing, message authentication, detection and modeling of cyber attacks with Petri Nets, and quantum flows for secret key distribution, etc.Keywords: applied cryptography; enhanced security; ubiquitous computing Entropy is a basic and important concept in information theory introduced by Claude E. Shannon. It is also often used as a measure of the unpredictability of a cryptographic key in cryptography research areas. Ubi-comp has emerged rapidly as an exciting new paradigm. Together with these trends, applied cryptography and security have become rising big issues for providing secure and trusted computing in the next generation of information and communications. A detailed discussion of these issues includes applied cryptography and security concerns that cover amongst others, confidentiality, integrity, and availability including various application areas. In particular, these topics will comprehensively focus on the important aspects of entropy-based applied cryptography and enhanced security for Ubi-comp. Topics in Ubi-comp include entropy-based applied cryptographic aspects, entropy-based hash functions, mathematical and algorithmic foundations of applied cryptography, advanced design and analysis of cryptographic algorithms, authentication and access control, privacy protection and trust computing, entropy-based network security issues, information hiding and digital forensics, security issues in cloud computing and mobile social networks. This special issue aims to provide advanced theories and applications. Furthermore, researchers contribute with original research and review articles that present state-of-the-art research outcomes, practical results in entropy-based applied cryptographic models, and enhanced security system for Ubi-comp.During our working period, we received a total of 33 submissions from at least 10 countries where the corresponding authors were majorly counted by the deadline for paper submission. All these submissions were found with significant contributions in main interested topics of our special issue. However, only 14 high quality papers were accepted after two or three-round strict and rigorous review processes. These accepted papers mainly look at our issu...

show abstract