AppCracker -- Widespread Vulnerabilities in User and Session Authentication in Mobile Apps (paper note)
An interviewer asked me to read this.
INTRODUCTION
The paper builds a tool called AppCracker to detect security vulnerabilities in popular apps.
Why these vulnerabilities occur:
use home-grown protocols and fall victim to various cryptographic pitfalls, such as insecure selection of symmetric and public keys, insecure distribution of keys, insecure modes of operation, insecure message authentication code, or security by obscurity. Besides user authentication, session authentication is also vulnerable in some apps, as they fail to protect their session IDs in the HTTP request body or cookie.
METHODOLOGY
AppCracker has two modes:
- Passive mode (as an eavesdropper): AppCracker takes as input packets from the app (e.g., the output of tshark, a command line tool for dumping network traffic) and extracts useful data from the packets.
- Active mode (as a MITM attacker): Figure 1 shows AppCracker in the active attack mode.
Fig. 1: AppCracker running in the active attack mode. AppCracker interacts with an unmodified Apache web server running on the same WiFi AP.
- The app sends an HTTP(S) request to the WiFi AP. The iptables rules on the AP redirect the request to the web server running on the same AP.
- The web server forwards the request to AppCracker.
- AppCracker modifies the request and sends it back to the web server.
- The web server forwards the request to the app server.
- The web server receives the response from the app server.
- The web server forwards the response to AppCracker.
- AppCracker modifies the response and sends it back to the web server.
- The web server forwards the response back to the app.
Python is then used to simulate the requests.
Up to this point the author is still just going through the motions; not a single useful sentence.
PASSIVE ATTACK
Some examples of potential security risks are listed:
Plaintext or Encoded Data – some apps do not encrypt their traffic at all
Encryption – some apps do encrypt, but not properly
Message Integrity – some apps do not use SSL and rely on their own home-grown authentication
Sessions
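The passive mode described above boils down to reading captured requests and sorting them into the four categories. The following Python script is an added example, not code from the paper or from AppCracker, that does exactly that over a small constructed capture (the hosts, paths, credentials and session IDs are made up). The key names it looks for (`password`, `sessionid`, `X-Sign`, etc.) and the "home-grown-integrity" heuristic are my assumptions about what a reviewer would want flagged; a real audit would extend the lists from the app under test.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample capture: the kind of request records a passive tap such as
# tshark would yield once reassembled. Every host, path and value is made up.
SAMPLE_CAPTURE = [
    {"method": "POST", "url": "http://api.example-app.test/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=alice&password=hunter2"},                       # plaintext credential
    {"method": "POST", "url": "http://api.example-app.test/v2/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=bob&password=aHVudGVyMg=="},                   # base64 is encoding, not encryption
    {"method": "GET", "url": "http://api.example-app.test/feed?sid=9f3a1c77",
     "headers": {"Cookie": "sessionid=9f3a1c77"},
     "body": ""},                                                  # session ID in query and cookie
    {"method": "POST", "url": "http://api.example-app.test/post",
     "headers": {"X-Sign": "d41d8cd98f00b204e9800998ecf8427e"},
     "body": "text=hello"},                                        # custom integrity header, no TLS
]

# Assumed key names; extend these from the app you are auditing.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "pin", "secret"}
SESSION_KEYS = {"sessionid", "session_id", "sid", "token", "auth_token", "jsessionid"}
INTEGRITY_HEADERS = {"x-sign", "x-signature", "x-mac", "x-checksum"}


@dataclass
class Finding:
    url: str
    category: str
    detail: str


def decodes_as_base64(value: str) -> Optional[str]:
    """Return the decoded text if value is base64 of printable ASCII, else None."""
    if len(value) < 4 or len(value) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def _kv_pairs(req: dict, headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Collect name/value pairs from the query string, form body and Cookie header."""
    pairs = parse_qs(urlsplit(req["url"]).query, keep_blank_values=True)
    if "x-www-form-urlencoded" in headers.get("content-type", "") or "=" in req["body"]:
        for k, v in parse_qs(req["body"], keep_blank_values=True).items():
            pairs.setdefault(k, []).extend(v)
    for chunk in filter(None, headers.get("cookie", "").split(";")):
        k, _, v = chunk.strip().partition("=")
        pairs.setdefault(k, []).append(v)
    return pairs


def audit_request(req: dict) -> List[Finding]:
    """Classify one captured request into the paper's passive-attack categories."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if urlsplit(req["url"]).scheme.lower() != "http":
        return []  # a passive tap sees only TLS records for https; nothing to inspect
    findings: List[Finding] = []
    for key, values in _kv_pairs(req, headers).items():
        lk = key.lower()
        for value in values:
            if lk in CREDENTIAL_KEYS:
                decoded = decodes_as_base64(value)
                if decoded is not None:
                    findings.append(Finding(req["url"], "encoded-credential",
                                            f"{key} is base64 of {decoded!r}, not encrypted"))
                else:
                    findings.append(Finding(req["url"], "plaintext-credential",
                                            f"{key} sent in the clear"))
            elif lk in SESSION_KEYS:
                findings.append(Finding(req["url"], "exposed-session-id",
                                        f"{key} carried in query/body/cookie over http"))
    for h in INTEGRITY_HEADERS & headers.keys():
        findings.append(Finding(req["url"], "home-grown-integrity",
                                f"{h} header on plain http; review how it is computed"))
    return findings


def audit_capture(capture: List[dict]) -> Dict[str, int]:
    """Count findings per category across a whole capture."""
    counts: Dict[str, int] = {}
    for req in capture:
        for f in audit_request(req):
            counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for req in SAMPLE_CAPTURE:
        for f in audit_request(req):
            print(f"{f.category:22} {f.url}  {f.detail}")
    print(audit_capture(SAMPLE_CAPTURE))
```

The https early return is the important design point: the passive mode can only judge what is readable on the wire, so "no finding" for a TLS request means "not inspectable", not "safe". The base64 check is deliberately strict (length multiple of four, canonical alphabet, printable result) so that random tokens are not misreported as encoded credentials.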
ACTIVE ATTACKS
Man-in-the-middle attacks + vulnerabilities in authentication
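The "Message Integrity" item above and the active mode's request rewriting are two sides of the same point: an integrity tag that anyone on the path can recompute gives no protection against a MITM. The block below is an added example, not from the paper, contrasting an unkeyed-hash tag with an HMAC tag over a canonical (method, path, timestamp, body) string, plus a freshness window against replays. The key, timestamps and request contents are constructed, and `rewrite_body` is a hypothetical helper that models what a party on the path can do without the key.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, replace
from typing import Callable, Optional

# Constructed key for the demo; real deployments use per-user keys provisioned over TLS.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_SKEW_SECONDS = 300  # reject tags older than this to limit replay


@dataclass(frozen=True)
class SignedRequest:
    method: str
    path: str
    timestamp: int
    body: bytes
    tag: str


def canonical(method: str, path: str, timestamp: int, body: bytes) -> bytes:
    """Bind every field the server acts on into one unambiguous byte string."""
    return b"\n".join([method.encode(), path.encode(), str(timestamp).encode(), body])


def unkeyed_tag(method: str, path: str, timestamp: int, body: bytes) -> str:
    """Home-grown 'integrity check': an unkeyed hash anyone can recompute."""
    return hashlib.md5(canonical(method, path, timestamp, body)).hexdigest()


def hmac_tag(method: str, path: str, timestamp: int, body: bytes, key: bytes = SHARED_KEY) -> str:
    """Proper MAC: only a holder of the key can produce a valid tag."""
    return hmac.new(key, canonical(method, path, timestamp, body), hashlib.sha256).hexdigest()


def sign_unkeyed(method: str, path: str, body: bytes, timestamp: Optional[int] = None) -> SignedRequest:
    ts = int(time.time()) if timestamp is None else timestamp
    return SignedRequest(method, path, ts, body, unkeyed_tag(method, path, ts, body))


def sign_hmac(method: str, path: str, body: bytes, timestamp: Optional[int] = None,
              key: bytes = SHARED_KEY) -> SignedRequest:
    ts = int(time.time()) if timestamp is None else timestamp
    return SignedRequest(method, path, ts, body, hmac_tag(method, path, ts, body, key))


def verify_unkeyed(req: SignedRequest) -> bool:
    expected = unkeyed_tag(req.method, req.path, req.timestamp, req.body)
    return hmac.compare_digest(expected, req.tag)


def verify_hmac(req: SignedRequest, key: bytes = SHARED_KEY, now: Optional[int] = None) -> bool:
    """Server-side check: constant-time tag comparison plus a freshness window."""
    now = int(time.time()) if now is None else now
    if abs(now - req.timestamp) > MAX_SKEW_SECONDS:
        return False
    expected = hmac_tag(req.method, req.path, req.timestamp, req.body, key)
    return hmac.compare_digest(expected, req.tag)


def rewrite_body(req: SignedRequest, new_body: bytes,
                 recompute: Optional[Callable[[str, str, int, bytes], str]] = None) -> SignedRequest:
    """Hypothetical model of a party on the path changing the body. It can refresh an
    unkeyed tag (pass recompute=unkeyed_tag); without the key it must leave an HMAC tag as-is."""
    tag = recompute(req.method, req.path, req.timestamp, new_body) if recompute else req.tag
    return replace(req, body=new_body, tag=tag)


if __name__ == "__main__":
    ts = 1700000000  # constructed fixed timestamp so the run is reproducible
    weak = sign_unkeyed("POST", "/transfer", b"amount=10", timestamp=ts)
    print("unkeyed, tampered, accepted:", verify_unkeyed(rewrite_body(weak, b"amount=9999", unkeyed_tag)))
    strong = sign_hmac("POST", "/transfer", b"amount=10", timestamp=ts)
    print("hmac, tampered, accepted:   ", verify_hmac(rewrite_body(strong, b"amount=9999"), now=ts + 5))
    print("hmac, replayed 1h later:    ", verify_hmac(strong, now=ts + 3600))
```

Two details matter for the hardened form: the tag covers method and path as well as the body, so a rewritten request cannot be redirected to a different endpoint with the same tag, and `hmac.compare_digest` avoids leaking the tag through comparison timing. Sessions get the same treatment by including the session identifier in the canonical string rather than sending it bare in a cookie.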
SUMMARY
Security in research differs quite a lot from the security I deal with day to day. Doing research feels more like working out a methodology for secure development. For example, some of the unencrypted data transmission in this paper has fairly limited exploitability in a penetration test; nowadays a scanner that finds it just issues a reminder. In research, though, the attitude toward such issues seems to be extremely serious, presumably because broader attack methods and a wider attack surface are taken into account.
Whether it is penetration testing or white-box auditing, the focus is mostly on vulnerabilities that really exist, e.g. I want to find an actually exploitable bug. Research, on the other hand, seems to stand at a higher level and take a general view of problems that might possibly arise.