35th Annual Computer Security Applications Conference (ACSAC 2019)


Detecting (Absent) App-to-app Authentication on Cross-device Short-distance Channels

Short-distance or near-field communication is increasingly used by mobile apps to interact or exchange data across devices. In this paper, we identify a security issue, cross-device app-to-app communication hijacking (CATCH), that affects Android apps using short-distance channels (e.g., Bluetooth and Wi-Fi Direct). The issue allows unauthenticated or malicious app-to-app interactions even when the underlying communication channel is authenticated and secured: the channel authenticates the peer device, not the particular app on that device that is using it. In addition to discovering the issue, we design an algorithm based on data-flow analysis for detecting the presence of CATCH in Android apps. The algorithm checks whether a given app contains an app-to-app authentication scheme, which is necessary for preventing CATCH. We perform experiments on a set of Android apps and show that the CATCH problem is present across the whole analyzed set of applications, and potentially. We also discuss the impact of the problem in real scenarios by presenting two real use cases. At the end of the paper we report the limitations of our model along with future improvements.
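The following is an added illustrative model of the CATCH issue described in the abstract; it is not code from the paper and does not reproduce the authors' data-flow detection algorithm. It assumes a toy "paired channel" that authenticates devices but not apps, and, as one plausible app-to-app authentication scheme (the abstract names none), an HMAC challenge-response keyed with a secret that only the two legitimate apps hold. Device names, app labels, the secret and the command are all constructed for the example.

```python
import hashlib
import hmac
import os


class PairedChannel:
    """Constructed model of an authenticated short-distance link, e.g. a
    paired Bluetooth socket. It authenticates DEVICES: frames only move
    between the two paired devices. It does not authenticate APPS: any app
    on a paired device can write a frame, and the sender-app label carried
    in the frame is an unverified claim."""

    def __init__(self, dev_a, dev_b):
        self.devices = {dev_a, dev_b}
        self.inbox = {dev_a: [], dev_b: []}

    def send(self, src_dev, dst_dev, claimed_app, payload):
        if src_dev not in self.devices or dst_dev not in self.devices:
            raise PermissionError("device not paired")  # link-level check holds
        self.inbox[dst_dev].append((claimed_app, payload))

    def recv(self, dev):
        return self.inbox[dev].pop(0)


# Hypothetical app-level secret shared only by the two legitimate app
# instances (e.g. derived from the user's account). A malicious app on the
# peer device sits on a paired device but does not hold this secret.
APP_SECRET = b"constructed-shared-app-secret"
COMMAND = b"UNLOCK"


def respond(nonce, key, command):
    """Sender side of the app-level challenge-response: HMAC over the
    receiver's nonce and the command, keyed with the app secret."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


def receiver_accepts(nonce, tag, command):
    """Receiver side: recompute the tag with the real secret and compare in
    constant time. Only an app holding APP_SECRET can produce a valid tag."""
    return hmac.compare_digest(tag, respond(nonce, APP_SECRET, command))


def run_scenario(sender_key, use_app_auth):
    """One interaction from an app on PhoneB to the receiving app on PhoneA.
    sender_key is APP_SECRET for the legitimate app, or an attacker's guess
    for a malicious app on the same (paired) device. Returns what the
    receiver did with the command."""
    ch = PairedChannel("PhoneA", "PhoneB")
    if not use_app_auth:
        # CATCH-prone receiver: trusts the link and executes whatever arrives.
        ch.send("PhoneB", "PhoneA", "BenignApp", COMMAND)
        _claimed, _cmd = ch.recv("PhoneA")
        return "executed"
    # App-authenticated receiver: fresh nonce per interaction.
    nonce = os.urandom(16)
    ch.send("PhoneA", "PhoneB", "ReceiverApp", nonce)
    _claimed, nonce_seen = ch.recv("PhoneB")
    ch.send("PhoneB", "PhoneA", "BenignApp",
            (respond(nonce_seen, sender_key, COMMAND), COMMAND))
    _claimed, (tag, cmd) = ch.recv("PhoneA")
    return "executed" if receiver_accepts(nonce, tag, cmd) else "rejected"


def run_replay():
    """A malicious app records a valid (tag, command) pair from an earlier
    legitimate session and replays it. The fresh nonce defeats the replay."""
    old_nonce = os.urandom(16)
    captured = (respond(old_nonce, APP_SECRET, COMMAND), COMMAND)
    new_nonce = os.urandom(16)
    return "executed" if receiver_accepts(new_nonce, *captured) else "rejected"


def unpaired_device_blocked():
    """Sanity check that the link itself does reject unpaired devices."""
    ch = PairedChannel("PhoneA", "PhoneB")
    try:
        ch.send("Laptop", "PhoneA", "AnyApp", COMMAND)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("no app auth, legit app:    ", run_scenario(APP_SECRET, False))
    print("no app auth, malicious app:", run_scenario(b"guess", False))  # CATCH
    print("app auth, legit app:       ", run_scenario(APP_SECRET, True))
    print("app auth, malicious app:   ", run_scenario(b"guess", True))
    print("app auth, replay:          ", run_replay())
```

The second line of output is the point of the abstract: the link rejects an unpaired laptop, yet a malicious app on the paired phone gets its command executed because nothing above the link checks which app is speaking. Whether a real app contains such an app-level check is exactly what the paper's data-flow analysis is designed to detect.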

Stefano Cristalli
University of Milan

Long Lu
Northeastern University

Danilo Bruschi
University of Milan

Andrea Lanzi
University of Milan
