Blogs (1) >>
ASE 2019
Sun 10 - Fri 15 November 2019 San Diego, California, United States
Tue 12 Nov 2019 16:40 - 17:00 at Hillcrest - Security Chair(s): Julia Rubin

Mobile developers use OAuth APIs to implement Single-Sign-On services. However, the OAuth protocol was originally designed for the authorization for third-party websites not to authenticate users in third-party mobile apps. As a result, it is challenging for developers to correctly implement mobile OAuth securely. These vulnerabilities due to the misunderstanding of OAuth and inexperience of developers could lead to data leakage and account breach. In this paper, we perform an empirical study on the usage of OAuth APIs in Android applications and their security implications. In particular, we develop OAUTHLINT, that incorporates a query-driven static analysis to automatically check programs on the Google Play marketplace. OAUTHLINT takes as input an anti-protocol that encodes a vulnerable pattern extracted from the OAuth specifications and a program P. Our tool then generates a counter-example if the anti-protocol can match a trace of P’s possible executions. To evaluate the effectiveness of our approach, we perform a systematic study on 600+ popular apps which have more than 10 millions of downloads. The evaluation shows that 101 (32%) out of 316 applications that use OAuth APIs make at least one security mistake.

Tue 12 Nov

16:00 - 17:40: Papers - Security at Hillcrest
Chair(s): Julia RubinUniversity of British Columbia
ase-2019-papers16:00 - 16:20
Performance-Boosting Sparsification of the IFDS Algorithm with Applications to Taint AnalysisACM SIGSOFT Distinguished Paper Award
Dongjie HeUniversity of New South Wales; Institute of Computing Technology, CAS; University of Chinese Academy of Sciences, Haofeng LiInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Lei WangInstitute of Computing Technology, Chinese Academy of Science, Haining MengInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Hengjie ZhengInstitute of Computing Technology, CAS; University of Chinese Academy of Sciences, Jie LiuUniversity of New South Wales, Shuangwei Huvivo AI Lab, Lian LiInstitute of Computing Technology at Chinese Academy of Sciences, China, Jingling XueUNSW Sydney
ase-2019-papers16:20 - 16:40
Characterizing Android App Signing Issues
Haoyu WangBeijing University of Posts and Telecommunications, China, Hongxuan LiuPeking University, Xusheng XiaoCase Western Reserve University, Guozhu MengInstitute of Information Engineering, Chinese Academy of Sciences, Yao GuoPeking University
ase-2019-papers16:40 - 17:00
OAuthLint: An Empirical Study on OAuth Bugs in Android Applications
Tamjid Al RahatUniversity of Virginia, Yu FengUniversity of California, Santa Barbara, Yuan TianUniversity of Virginia
ase-2019-Journal-First-Presentations17:00 - 17:20
Are Free Android App Security Analysis Tools Effective in Detecting Known Vulnerabilities?
Venkatesh-Prasad RanganathKansas State University, Joydeep MitraKansas State University
Link to publication DOI Pre-print Media Attached
ase-2019-Demonstrations17:20 - 17:30
SWAN_ASSIST: Semi-Automated Detection of Code-Specific, Security-Relevant Methods
Goran PiskachevFraunhofer IEM, Lisa Nguyen Quang DoGoogle, Oshando JohnsonFraunhofer IEM, Eric BoddenHeinz Nixdorf Institut, Paderborn University and Fraunhofer IEM
Pre-print Media Attached File Attached
ase-2019-Demonstrations17:30 - 17:40
Sip4J: Statically Inferring Access Permission Contracts for Parallelising Sequential Java Programs
Ayesha SadiqMonash University, Li LiMonash University, Australia, Yuan-Fang LiMonash University, Ijaz AhmedUniversity of Lahore, Sea LingMonash University