Issues of identity verification of typical applications over mobile terminal platform

doi:10.11959/j.issn.2096-109x.2020081

Abstract

Abstract:

Recent studies have shown that attacks against USIM card are increasing,and an attacker can use the cloned USIM card to bypass the identity verification process in some applications and thereby get the unauthorized access.Considering the USIM card being cloned easily even under 5G network,the identity verification process of the popular mobile applications over mobile platform was analyzed.The application behaviors were profiled while users were logging in,resetting password,and performing sensitive operations,thereby the tree model of application authentication was summarized.On this basis,58 popular applications in 7 categories were tested including social communication,healthcare,etc.It found that 29 of them only need SMS verification codes to get authenticated and obtain permissions.To address this issue,two-step authentication was suggested and USIM anti-counterfeiting was applied to assist the authentication process.

Key words: mobile application, USIM cloning, SMS, authentication, mobile app testing

CLC Number:

TP311.1

Xiaolin ZHANG,Dawu GU,Chi ZHANG. Issues of identity verification of typical applications over mobile terminal platform[J]. Chinese Journal of Network and Information Security, 2020, 6(6): 137-151.

Figures/Tables 24

References 32

[1]	3GPP specification:31.102.Characteristics of the Universal Subscriber Identity Module (USIM) application[S].
[2]	国家统计局. 电信业务统计数据[EB].
[3]	DOGTIEV A . App download and usage statistics (2018),business of App(2018)[EB].
[4]	BLAIR I . Mobile App download and usage statistics,BuildFire[EB].
[5]	LIU J R , YU Y , STANDAERT F ,et al. Small tweaks do not help:differential power analysis of milenage implementations in 3G/4G USIM cards[C]// The 20th European Symposium on Computer Security. 2015: 468-480.
[6]	BRIER E , CLAVIER C , OLIVIER F . Correlation power analysis with a leakage model[C]// Cryptographic Hardware and Embedded Systems. 2014: 16-29.
[7]	3GPP specication:35.206.Specification of the MILENAGE algorithm set[S].
[8]	ANWAR N , RIADI I , LUTHFI A . Analisis SIM card cloning terhadap algoritma random number Generator[J]. Buana Inform, 2016,7(2): 143-150.
[9]	SINGH J , RUHL R , LINDSKOG D ,et al. GSM OTA SIM cloning attack and cloning resistance in EAP-SIM and USIM[C]// Proc Soc, 2013: 1005-1010.
[10]	RAO J R , ROHATGI P , SCHERZER H ,et al. Partitioning attacks:or how to rapidly clone some GSM cards[C]// Proc IEEE Symp Secur Priv, 2002: 31-41.
[11]	ZHANG C , LIU J R , GU D W ,et al. Side-channel analysis for the authentication protocols of CDMA cellular networks[J]. J Comput Sci Technol, 2019: 1079-1095.
[12]	3GPP specication:33.501.Security architecture and procedures for 5G System[S].
[13]	BASIN D , RADOMIROVIC S , DREIER J ,et al. A formal analysis of 5G authentication[C]// Proceedings of the ACM Conference on Computer and Communications Security. 2018: 1383-1396.
[14]	LoCCS GoCE. 抱紧你的SIM卡—5G物理安全初探[EB].
	LoCCS GoCE. hold your SIM card tight—a glance at 5G physical security[EB].
[15]	KOOT L . Security of mobile TAN on smartphones a risk analysis for the iOS and Android smartphone platforms[D]. The Netherlands:Radboud University Nijmegen, 2012.
[16]	DMITRIENKO A , LIEBCHEN C , ROSSOW C ,et al. Security analysis of mobile two-factor authentication schemes[J]. Intel Technol J, 2014: 138-161.
[17]	ALECU B . SMS Fuzzing-SIM Toolkit attack[R]. 2013.
[18]	KIM H K , YEO H , HWANG H J ,et al. Effective mobile applications testing strategies[R]. 2016.
[19]	Google. Esspresso testing android-framework,Github[EB].
[20]	Apple. Apple ui-automation documentation,Apple[EB].
[21]	GOMEZ L , NEAMTIU I , AZIM T ,et al. Reran:timing-and touch-sensitive record and replay for android[C]// 35th International Conference on Software Engineering (ICSE). 2013: 72-81.
[22]	HU Y , AZIM T , NEAMTIU I . Versatile yet lightweight record-and-replay for android[C]// Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming,Systems,Languages,and Applications. 2015: 349-366.
[23]	MACHIRY A , TAHILIANI R , NAIK M . Dynodroid:an input generation system for android Apps[C]// Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. 2013: 224-234.
[24]	Appsee. App mobile analytics platform[EB].
[25]	OpenSTF. Smartphone test farm,Github[EB].
[26]	WANG R , CHEN S , WANG X F . Signing me onto your accounts through facebook and google:a traffic-guided security study of commercially deployed single-sign-on web services[C]// 2012 IEEE Symposium on Security and Privacy. 2012: 365-379.
[27]	GAN C , WANG W . Uses and gratifications of social media:a comparison of microblog and WeChat[J]. Journal of Systems and Information Technology, 2015(4): 351-363.
[28]	DMITRIENKO A , LIEBCHEN C , ROSSOW C ,et al. On the (in) security of mobile two-factor authentication[C]// International Conference on Financial Cryptography and Data Security. 2014: 365-383.
[29]	AppAnnie. The App analytics and App industry standard[EB].
[30]	Statista. Global business data platform[EB].
[31]	iresearch. App指数分析[EB].
	Iresearch. App index Analysis[EB].
[32]	QuestMobile. 2019移动App半年增长报告[EB].
	QuestMobile. Mobile App semi-annual growth report of 2019[EB].

类别	应用组成
社交通信类	WhatsApp,Messenger,Facebook,Instagram,Twitter,Skype,微信,QQ,SnapChat,Pinterest
金融支付类	Amazon,Wish,Poshmark,eBay,Apple Store,Walmart,Flipkart,AliExpress,SHEIN,淘宝，京东,Cash,Paypal,支付宝,交通银行网银
出行外卖类	Uber,滴滴,Lyft,Curb,12306,Google Maps,高德地图,百度地图,Parkmobile,Waze,UberEats,DoorDash,iFood,美团，饿了么
健康医疗类	Keep,Nike Training Club,Calm,GoodRx,Pregnancy
文件云盘类	Dropbox,Google Drive,iCloud,Onedrive，百度网盘
娱乐视频类	Youtube,TikTok,爱奇艺,Netflix,Amazon Prime Video
信息检索类	Google Chrome,百度搜索,Bing Search

类别	应用组成
社交通信类	WhatsApp,Messenger,Facebook,Instagram,Twitter,Skype,微信,QQ,SnapChat,Pinterest
金融支付类	Amazon,Wish,Poshmark,eBay,Apple Store,Walmart,Flipkart,AliExpress,SHEIN,淘宝，京东,Cash,Paypal,支付宝,交通银行网银
出行外卖类	Uber,滴滴,Lyft,Curb,12306,Google Maps,高德地图,百度地图,Parkmobile,Waze,UberEats,DoorDash,iFood,美团，饿了么
健康医疗类	Keep,Nike Training Club,Calm,GoodRx,Pregnancy
文件云盘类	Dropbox,Google Drive,iCloud,Onedrive，百度网盘
娱乐视频类	Youtube,TikTok,爱奇艺,Netflix,Amazon Prime Video
信息检索类	Google Chrome,百度搜索,Bing Search

指标	信息
机型	iPhone XR
系统	iOS 12.4.1
运行商	中国联通
IMEI	357394092794037
ICCID	89860116208410304191
MEID	35739409279403

指标	信息
机型	iPhone XR
系统	iOS 12.4.1
运行商	中国联通
IMEI	357394092794037
ICCID	89860116208410304191
MEID	35739409279403

请求域名	传递方法	上/下行流量（字节数）	请求字段
support.weixin.qq.com	GET	815 / 22.3×10³	t，lang，rid
support.weixin.qq.com	GET	1.61×10³/ 335	ap_msg
support.weixin.qq.com	GET	648 / 221	id，c，p 10，p0，p 1，p 2