Toward discovering and exploiting private server-side Web API
Jia CHEN 1, Shan-qing GUO 1,2
1 School of Computer Science and Technology, Shandong University, Jinan 250101, China; 2 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan 250101, China
Most interaction between mobile applications and their servers takes place through Web APIs, but the Web APIs these mobile applications introduce may bring new security issues. To facilitate the study of Web API security, a system that automatically discovers server-side Web API interfaces in APK files, built on a conventional Android program testing framework, was designed and implemented. This system supports research on the security of private server-side Web API interfaces.