移动平台典型应用的身份认证问题研究

doi:10.11959/j.issn.2096-109x.2020081

摘要/Abstract

摘要：

近年来的研究表明，针对USIM卡的攻击手段日益增多，在5G环境下攻击者也能使用复制的USIM卡绕过某些正常应用的身份认证，进而获取用户信息。在USIM可被复制的条件下，研究了移动平台上典型应用的身份认证流程，通过分析用户登录、重置密码、执行敏感操作的应用行为给出身份认证树。在此基础上，测试了社交通信、个人健康等7类58款典型应用，发现有29款认证时仅需USIM卡接收的SMS验证码便可通过认证。针对该问题，建议应用开启两步验证，并结合USIM防伪等手段完成认证。

关键词: 移动应用, USIM复制, SMS, 身份认证, 移动应用测试

Abstract:

Recent studies have shown that attacks against USIM card are increasing,and an attacker can use the cloned USIM card to bypass the identity verification process in some applications and thereby get the unauthorized access.Considering the USIM card being cloned easily even under 5G network,the identity verification process of the popular mobile applications over mobile platform was analyzed.The application behaviors were profiled while users were logging in,resetting password,and performing sensitive operations,thereby the tree model of application authentication was summarized.On this basis,58 popular applications in 7 categories were tested including social communication,healthcare,etc.It found that 29 of them only need SMS verification codes to get authenticated and obtain permissions.To address this issue,two-step authentication was suggested and USIM anti-counterfeiting was applied to assist the authentication process.

Key words: mobile application, USIM cloning, SMS, authentication, mobile app testing

中图分类号:

TP311.1

张效林,谷大武,张驰. 移动平台典型应用的身份认证问题研究[J]. 网络与信息安全学报, 2020, 6(6): 137-151.

Xiaolin ZHANG,Dawu GU,Chi ZHANG. Issues of identity verification of typical applications over mobile terminal platform[J]. Chinese Journal of Network and Information Security, 2020, 6(6): 137-151.

图/表 24

图1

图2

图3

图4

图5

图6

表1

表2

图7

表3

图8

图9

图10

表4

图11

图12

图13

图14

图15

图16

表5

图17

图18

图19

参考文献 32

[1]	3GPP specification:31.102.Characteristics of the Universal Subscriber Identity Module (USIM) application[S].
[2]	国家统计局. 电信业务统计数据[EB].
[3]	DOGTIEV A . App download and usage statistics (2018),business of App(2018)[EB].
[4]	BLAIR I . Mobile App download and usage statistics,BuildFire[EB].
[5]	LIU J R , YU Y , STANDAERT F ,et al. Small tweaks do not help:differential power analysis of milenage implementations in 3G/4G USIM cards[C]// The 20th European Symposium on Computer Security. 2015: 468-480.
[6]	BRIER E , CLAVIER C , OLIVIER F . Correlation power analysis with a leakage model[C]// Cryptographic Hardware and Embedded Systems. 2014: 16-29.
[7]	3GPP specication:35.206.Specification of the MILENAGE algorithm set[S].
[8]	ANWAR N , RIADI I , LUTHFI A . Analisis SIM card cloning terhadap algoritma random number Generator[J]. Buana Inform, 2016,7(2): 143-150.
[9]	SINGH J , RUHL R , LINDSKOG D ,et al. GSM OTA SIM cloning attack and cloning resistance in EAP-SIM and USIM[C]// Proc Soc, 2013: 1005-1010.
[10]	RAO J R , ROHATGI P , SCHERZER H ,et al. Partitioning attacks:or how to rapidly clone some GSM cards[C]// Proc IEEE Symp Secur Priv, 2002: 31-41.
[11]	ZHANG C , LIU J R , GU D W ,et al. Side-channel analysis for the authentication protocols of CDMA cellular networks[J]. J Comput Sci Technol, 2019: 1079-1095.
[12]	3GPP specication:33.501.Security architecture and procedures for 5G System[S].
[13]	BASIN D , RADOMIROVIC S , DREIER J ,et al. A formal analysis of 5G authentication[C]// Proceedings of the ACM Conference on Computer and Communications Security. 2018: 1383-1396.
[14]	LoCCS GoCE. 抱紧你的SIM卡—5G物理安全初探[EB].
	LoCCS GoCE. hold your SIM card tight—a glance at 5G physical security[EB].
[15]	KOOT L . Security of mobile TAN on smartphones a risk analysis for the iOS and Android smartphone platforms[D]. The Netherlands:Radboud University Nijmegen, 2012.
[16]	DMITRIENKO A , LIEBCHEN C , ROSSOW C ,et al. Security analysis of mobile two-factor authentication schemes[J]. Intel Technol J, 2014: 138-161.
[17]	ALECU B . SMS Fuzzing-SIM Toolkit attack[R]. 2013.
[18]	KIM H K , YEO H , HWANG H J ,et al. Effective mobile applications testing strategies[R]. 2016.
[19]	Google. Esspresso testing android-framework,Github[EB].
[20]	Apple. Apple ui-automation documentation,Apple[EB].
[21]	GOMEZ L , NEAMTIU I , AZIM T ,et al. Reran:timing-and touch-sensitive record and replay for android[C]// 35th International Conference on Software Engineering (ICSE). 2013: 72-81.
[22]	HU Y , AZIM T , NEAMTIU I . Versatile yet lightweight record-and-replay for android[C]// Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming,Systems,Languages,and Applications. 2015: 349-366.
[23]	MACHIRY A , TAHILIANI R , NAIK M . Dynodroid:an input generation system for android Apps[C]// Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. 2013: 224-234.
[24]	Appsee. App mobile analytics platform[EB].
[25]	OpenSTF. Smartphone test farm,Github[EB].
[26]	WANG R , CHEN S , WANG X F . Signing me onto your accounts through facebook and google:a traffic-guided security study of commercially deployed single-sign-on web services[C]// 2012 IEEE Symposium on Security and Privacy. 2012: 365-379.
[27]	GAN C , WANG W . Uses and gratifications of social media:a comparison of microblog and WeChat[J]. Journal of Systems and Information Technology, 2015(4): 351-363.
[28]	DMITRIENKO A , LIEBCHEN C , ROSSOW C ,et al. On the (in) security of mobile two-factor authentication[C]// International Conference on Financial Cryptography and Data Security. 2014: 365-383.
[29]	AppAnnie. The App analytics and App industry standard[EB].
[30]	Statista. Global business data platform[EB].
[31]	iresearch. App指数分析[EB].
	Iresearch. App index Analysis[EB].
[32]	QuestMobile. 2019移动App半年增长报告[EB].
	QuestMobile. Mobile App semi-annual growth report of 2019[EB].

类别	应用组成
社交通信类	WhatsApp,Messenger,Facebook,Instagram,Twitter,Skype,微信,QQ,SnapChat,Pinterest
金融支付类	Amazon,Wish,Poshmark,eBay,Apple Store,Walmart,Flipkart,AliExpress,SHEIN,淘宝，京东,Cash,Paypal,支付宝,交通银行网银
出行外卖类	Uber,滴滴,Lyft,Curb,12306,Google Maps,高德地图,百度地图,Parkmobile,Waze,UberEats,DoorDash,iFood,美团，饿了么
健康医疗类	Keep,Nike Training Club,Calm,GoodRx,Pregnancy
文件云盘类	Dropbox,Google Drive,iCloud,Onedrive，百度网盘
娱乐视频类	Youtube,TikTok,爱奇艺,Netflix,Amazon Prime Video
信息检索类	Google Chrome,百度搜索,Bing Search

指标	信息
机型	iPhone XR
系统	iOS 12.4.1
运行商	中国联通
IMEI	357394092794037
ICCID	89860116208410304191
MEID	35739409279403

请求域名	传递方法	上/下行流量（字节数）	请求字段
support.weixin.qq.com	GET	815 / 22.3×10³	t，lang，rid
support.weixin.qq.com	GET	1.61×10³/ 335	ap_msg
support.weixin.qq.com	GET	648 / 221	id，c，p 10，p0，p 1，p 2

请求域名	传递方法	上/下行流量（千字节数）	请求字段
clientsc.alipay.com	GET	1.21 / 19.0	Serveid、authorizeToken、donotCloseH5、walletVersion、autologin、callback
clientsc.alipay.com	POST	1.28 / 0.543	ackCode、bizTokenForSecurity
clientsc.alipay.com	POST	2.55 / 0.810	newPassword、bizTokenForSecurity、envData

指标	数量	应用名称
密码重置时可被直接绕过	19	WhatsApp、Messenger、Facebook、Instgram、Twitter、SnapChat、Flipkart、Cash、Paypal、滴滴、Lyft、高德地图、iFood、饿了么、Keep、Nike Training Club、 Tiktok、爱奇艺、Netflix
正常登录时可被直接绕过	19	Wechat、QQ、Alipay、淘宝、京东、Cash、滴滴、Lyft、高德地图、百度地图、iFood、美团、饿了么、Keep、GoodRx、百度网盘、Tiktok，爱奇艺、百度
密码重置与正常登录均可被绕过	9	Cash、滴滴、Lyft、高德地图、iFood、饿了么，Keep、Tiktok、爱奇艺