TruApp: A TrustZone-based authenticity detection service for mobile apps

Yalew, Sileshi Demesie; Mendonça, Pedro; Maguire, Gerald Q.; Haridi, Seif; Correia, Miguel

doi:10.1109/wimob.2017.8115820

Cited by 7 publications

(1 citation statement)

References 19 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As the decryption key is stored in the TrustZone environment, data-clone attacks cannot copy the decryption key to another device together with encrypted user credential data, and therefore the server will fail to verify the login credentials. The recent papers, TruApp [38] and IM-Visor [39] explore the feasibility of protecting app integrity and sensitive data with TrustZone, and Rubinov et al's work partitions a critical app automatically for TrustZone [40].…”

Section: III Discussionmentioning

confidence: 99%

App’s Auto-Login Function Security Testing via Android OS-Level Virtualization

Song

Jiang

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Limited by the small keyboard, most mobile apps support the automatic login feature for better user experience. Therefore, users avoid the inconvenience of retyping their ID and password when an app runs in the foreground again. However, this auto-login function can be exploited to launch the so-called "data-clone attack": once the locally-stored, auto-login depended data are cloned by attackers and placed into their own smartphones, attackers can break through the login-device number limit and log in to the victim's account stealthily. A natural countermeasure is to check the consistency of devicespecific attributes. As long as the new device shows different device fingerprints with the previous one, the app will disable the auto-login function and thus prevent data-clone attacks.In this paper, we develop VPDroid, a transparent Android OSlevel virtualization platform tailored for security testing. With VPDroid, security analysts can customize different device artifacts, such as CPU model, Android ID, and phone number, in a virtual phone without user-level API hooking. VPDroid's isolation mechanism ensures that user-mode apps in the virtual phone cannot detect device-specific discrepancies. To assess Android apps' susceptibility to the data-clone attack, we use VPDroid to simulate data-clone attacks with 234 most-downloaded apps. Our experiments on five different virtual phone environmentsshow that VPDroid's device attribute customization can deceive all tested apps that perform device-consistency checks, such as Twitter, WeChat, and PayPal. 19 vendors have confirmed our report as a zero-day vulnerability. Our findings paint a cautionary tale: only enforcing a device-consistency check at client side is still vulnerable to an advanced data-clone attack. I. In t r o d u c t io nWith the prosperous development of the Android system and mobile networks [1], [2], the apps running on Android keep updating constantly to meet the fast-growing demand of smartphone users. In addition to the standard functionalities such as communication and entertainment, apps are now performing various critical tasks such as social networking [3], GPS navigation [4], IoT device remote control [5], and mobile payment [6]. Inevitably large amounts of private data (e.g., user credentials) are stored in the smartphone. Therefore, the

show abstract

Section: III Discussionmentioning

confidence: 99%

App’s Auto-Login Function Security Testing via Android OS-Level Virtualization

Song

Jiang

et al. 2021

2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

Android Data-Clone Attack via Operating System Customization

et al. 2020

View full text Add to dashboard Cite

To avoid the inconvenience of retyping a user's ID and password, most mobile apps now provide the automatic login feature for a better user experience. To this end, auto-login credential is stored locally on the smartphone. However, such sensitive credential can be stolen by attackers and placed into their smartphones via the well-known credential-clone attack. Then, attackers can imperceptibly log into the victim's account, which causes more devastating and covert losses than merely intercepting the user's password. In this article, we propose a generalized Android credential-clone attack, called data-clone attack. By exploiting the new-found vulnerabilities of original equipment manufacturer (OEM)-made phone clone apps, we design an identity theft method that overcomes the problem of incomplete credential extraction and eliminates the requirement of root authority. To evade the consistency check of device-specific attributes in apps, we design two environment customization methods for app-level and operating system (OS)-level, respectively. Especially, we develop a transparent Android OS customization solution, named CloneDroid, which simulates 101 special attributes of Android OS. We implement a prototype of CloneDroid and the experimental results show that 172 out of 175 most-downloaded apps' accounts can be jeopardized, such as Facebook and WeChat. Moreover, our study has identified 18 confirmed zero-day vulnerabilities. Our findings paint a cautionary tale for the security community that billions of accounts are potentially exposed to Android OS customization-assisted data-clone attacks.

show abstract

Systematic Literature Review on the Use of Trusted Execution Environments to Protect Cloud/Fog-Based Internet of Things Applications

et al. 2021

View full text Add to dashboard Cite

Trusted Execution Environments have been applied to improve data security in many distinct application scenarios since they enable data processing in a separate and protected region of memory. To investigate how this technology has been applied to the different IoT scenarios, which commonly deal with specific characteristics such as device resource constraints, we carried out a systematic literature review. For this, we selected and analyzed 58 papers from different conferences and journals, identifying the main IoT solutions and scenarios in which TEE has been employed. We also gathered the mentioned TEE advantages and disadvantages as well as the suggestions for future works. This study gives a general overview of the use of TEEs for cloud/fog-based IoT applications, bringing some challenges and directions.

show abstract

TruApp: A TrustZone-based authenticity detection service for mobile apps

Cited by 7 publications

References 19 publications

App’s Auto-Login Function Security Testing via Android OS-Level Virtualization

App’s Auto-Login Function Security Testing via Android OS-Level Virtualization

Android Data-Clone Attack via Operating System Customization

Systematic Literature Review on the Use of Trusted Execution Environments to Protect Cloud/Fog-Based Internet of Things Applications

Contact Info

Product

Resources

About