Short-distance or near-field communication is increasingly used by mobile apps for interacting or exchanging data in a cross-device fashion. In this paper, we identify a security issue, namely cross-device app-to-app communication hijacking (or CATCH), that affect Android apps using short-distance channels (e.g., Bluetooth and Wi-Fi-Direct). This issue causes unauthenticated or malicious app-to-app interactions even when the underlying communication channels are authenticated and secured. In addition to discovering the security issue, we design an algorithm based on data-flow analysis for detecting the presence of CATCH in Android apps. Our algorithm checks if a given app contains an app-to-app authentication scheme, necessary for preventing CATCH. We perform experiments on a set of Android apps and show the CATCH problem is always present on the whole analyzed applications set. We also discuss the impact of the problem in real scenarios by presenting two real case studies. At the end of the paper we reported limitations of our model along with future improvements.

Detecting (Absent) App-to-app authentication on cross-device short-distance channels / S. Cristalli, L. Lu, D. Bruschi, A. Lanzi - In: ACSAC '19: Proceedings[s.l] : ACM, 2019 Dec. - ISBN 9781450376280. - pp. 328-338 (( Intervento presentato al 35. convegno ACSAC tenutosi a San Juan Puerto Rico nel 2019.

Detecting (Absent) App-to-app authentication on cross-device short-distance channels

S. Cristalli
Primo
Membro del Collaboration Group
;
D. Bruschi
Penultimo
Membro del Collaboration Group
;
A. Lanzi
Ultimo
Supervision
2019

Abstract

Short-distance or near-field communication is increasingly used by mobile apps for interacting or exchanging data in a cross-device fashion. In this paper, we identify a security issue, namely cross-device app-to-app communication hijacking (or CATCH), that affect Android apps using short-distance channels (e.g., Bluetooth and Wi-Fi-Direct). This issue causes unauthenticated or malicious app-to-app interactions even when the underlying communication channels are authenticated and secured. In addition to discovering the security issue, we design an algorithm based on data-flow analysis for detecting the presence of CATCH in Android apps. Our algorithm checks if a given app contains an app-to-app authentication scheme, necessary for preventing CATCH. We perform experiments on a set of Android apps and show the CATCH problem is always present on the whole analyzed applications set. We also discuss the impact of the problem in real scenarios by presenting two real case studies. At the end of the paper we reported limitations of our model along with future improvements.
Android; Authentication protocols; Data-flow analysis; Mobile security
Settore INF/01 - Informatica
Applied Computer Security Associates (ACSA)
Book Part (author)
File in questo prodotto:
File Dimensione Formato  
3359789.3359814.pdf

accesso aperto

Tipologia: Publisher's version/PDF
Dimensione 4.2 MB
Formato Adobe PDF
4.2 MB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

Caricamento pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/2434/706090
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 1
  • ???jsp.display-item.citation.isi??? 1
social impact