移动平台典型应用的身份认证问题研究

doi:10.11959/j.issn.2096-109x.2020081

Abstract

Abstract:

Recent studies have shown that attacks against USIM card are increasing,and an attacker can use the cloned USIM card to bypass the identity verification process in some applications and thereby get the unauthorized access.Considering the USIM card being cloned easily even under 5G network,the identity verification process of the popular mobile applications over mobile platform was analyzed.The application behaviors were profiled while users were logging in,resetting password,and performing sensitive operations,thereby the tree model of application authentication was summarized.On this basis,58 popular applications in 7 categories were tested including social communication,healthcare,etc.It found that 29 of them only need SMS verification codes to get authenticated and obtain permissions.To address this issue,two-step authentication was suggested and USIM anti-counterfeiting was applied to assist the authentication process.

Key words: mobile application, USIM cloning, SMS, authentication, mobile app testing

CLC Number:

TP311.1

Xiaolin ZHANG,Dawu GU,Chi ZHANG. Issues of identity verification of typical applications over mobile terminal platform[J]. Chinese Journal of Network and Information Security, 2020, 6(6): 137-151.

Figures/Tables 24

References 32

[1]	3GPP specification:31.102.Characteristics of the Universal Subscriber Identity Module (USIM) application[S].
[2]	国家统计局. 电信业务统计数据[EB].
[3]	DOGTIEV A . App download and usage statistics (2018),business of App(2018)[EB].
[4]	BLAIR I . Mobile App download and usage statistics,BuildFire[EB].
[5]	LIU J R , YU Y , STANDAERT F ,et al. Small tweaks do not help:differential power analysis of milenage implementations in 3G/4G USIM cards[C]// The 20th European Symposium on Computer Security. 2015: 468-480.
[6]	BRIER E , CLAVIER C , OLIVIER F . Correlation power analysis with a leakage model[C]// Cryptographic Hardware and Embedded Systems. 2014: 16-29.
[7]	3GPP specication:35.206.Specification of the MILENAGE algorithm set[S].
[8]	ANWAR N , RIADI I , LUTHFI A . Analisis SIM card cloning terhadap algoritma random number Generator[J]. Buana Inform, 2016,7(2): 143-150.
[9]	SINGH J , RUHL R , LINDSKOG D ,et al. GSM OTA SIM cloning attack and cloning resistance in EAP-SIM and USIM[C]// Proc Soc, 2013: 1005-1010.
[10]	RAO J R , ROHATGI P , SCHERZER H ,et al. Partitioning attacks:or how to rapidly clone some GSM cards[C]// Proc IEEE Symp Secur Priv, 2002: 31-41.
[11]	ZHANG C , LIU J R , GU D W ,et al. Side-channel analysis for the authentication protocols of CDMA cellular networks[J]. J Comput Sci Technol, 2019: 1079-1095.
[12]	3GPP specication:33.501.Security architecture and procedures for 5G System[S].
[13]	BASIN D , RADOMIROVIC S , DREIER J ,et al. A formal analysis of 5G authentication[C]// Proceedings of the ACM Conference on Computer and Communications Security. 2018: 1383-1396.
[14]	LoCCS GoCE. 抱紧你的SIM卡—5G物理安全初探[EB].
	LoCCS GoCE. hold your SIM card tight—a glance at 5G physical security[EB].
[15]	KOOT L . Security of mobile TAN on smartphones a risk analysis for the iOS and Android smartphone platforms[D]. The Netherlands:Radboud University Nijmegen, 2012.
[16]	DMITRIENKO A , LIEBCHEN C , ROSSOW C ,et al. Security analysis of mobile two-factor authentication schemes[J]. Intel Technol J, 2014: 138-161.
[17]	ALECU B . SMS Fuzzing-SIM Toolkit attack[R]. 2013.
[18]	KIM H K , YEO H , HWANG H J ,et al. Effective mobile applications testing strategies[R]. 2016.
[19]	Google. Esspresso testing android-framework,Github[EB].
[20]	Apple. Apple ui-automation documentation,Apple[EB].
[21]	GOMEZ L , NEAMTIU I , AZIM T ,et al. Reran:timing-and touch-sensitive record and replay for android[C]// 35th International Conference on Software Engineering (ICSE). 2013: 72-81.
[22]	HU Y , AZIM T , NEAMTIU I . Versatile yet lightweight record-and-replay for android[C]// Proceedings of the 2015 ACM SIGPLAN International Conference on Object-Oriented Programming,Systems,Languages,and Applications. 2015: 349-366.
[23]	MACHIRY A , TAHILIANI R , NAIK M . Dynodroid:an input generation system for android Apps[C]// Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering. 2013: 224-234.
[24]	Appsee. App mobile analytics platform[EB].
[25]	OpenSTF. Smartphone test farm,Github[EB].
[26]	WANG R , CHEN S , WANG X F . Signing me onto your accounts through facebook and google:a traffic-guided security study of commercially deployed single-sign-on web services[C]// 2012 IEEE Symposium on Security and Privacy. 2012: 365-379.
[27]	GAN C , WANG W . Uses and gratifications of social media:a comparison of microblog and WeChat[J]. Journal of Systems and Information Technology, 2015(4): 351-363.
[28]	DMITRIENKO A , LIEBCHEN C , ROSSOW C ,et al. On the (in) security of mobile two-factor authentication[C]// International Conference on Financial Cryptography and Data Security. 2014: 365-383.
[29]	AppAnnie. The App analytics and App industry standard[EB].
[30]	Statista. Global business data platform[EB].
[31]	iresearch. App指数分析[EB].
	Iresearch. App index Analysis[EB].
[32]	QuestMobile. 2019移动App半年增长报告[EB].
	QuestMobile. Mobile App semi-annual growth report of 2019[EB].

Metrics

Recommended 0

No Suggested Reading articles found!

类别	应用组成
社交通信类	WhatsApp,Messenger,Facebook,Instagram,Twitter,Skype,微信,QQ,SnapChat,Pinterest
金融支付类	Amazon,Wish,Poshmark,eBay,Apple Store,Walmart,Flipkart,AliExpress,SHEIN,淘宝，京东,Cash,Paypal,支付宝,交通银行网银
出行外卖类	Uber,滴滴,Lyft,Curb,12306,Google Maps,高德地图,百度地图,Parkmobile,Waze,UberEats,DoorDash,iFood,美团，饿了么
健康医疗类	Keep,Nike Training Club,Calm,GoodRx,Pregnancy
文件云盘类	Dropbox,Google Drive,iCloud,Onedrive，百度网盘
娱乐视频类	Youtube,TikTok,爱奇艺,Netflix,Amazon Prime Video
信息检索类	Google Chrome,百度搜索,Bing Search

指标	信息
机型	iPhone XR
系统	iOS 12.4.1
运行商	中国联通
IMEI	357394092794037
ICCID	89860116208410304191
MEID	35739409279403

请求域名	传递方法	上/下行流量（字节数）	请求字段
support.weixin.qq.com	GET	815 / 22.3×10³	t，lang，rid
support.weixin.qq.com	GET	1.61×10³/ 335	ap_msg
support.weixin.qq.com	GET	648 / 221	id，c，p 10，p0，p 1，p 2

请求域名	传递方法	上/下行流量（千字节数）	请求字段
clientsc.alipay.com	GET	1.21 / 19.0	Serveid、authorizeToken、donotCloseH5、walletVersion、autologin、callback
clientsc.alipay.com	POST	1.28 / 0.543	ackCode、bizTokenForSecurity
clientsc.alipay.com	POST	2.55 / 0.810	newPassword、bizTokenForSecurity、envData

指标	数量	应用名称
密码重置时可被直接绕过	19	WhatsApp、Messenger、Facebook、Instgram、Twitter、SnapChat、Flipkart、Cash、Paypal、滴滴、Lyft、高德地图、iFood、饿了么、Keep、Nike Training Club、 Tiktok、爱奇艺、Netflix
正常登录时可被直接绕过	19	Wechat、QQ、Alipay、淘宝、京东、Cash、滴滴、Lyft、高德地图、百度地图、iFood、美团、饿了么、Keep、GoodRx、百度网盘、Tiktok，爱奇艺、百度
密码重置与正常登录均可被绕过	9	Cash、滴滴、Lyft、高德地图、iFood、饿了么，Keep、Tiktok、爱奇艺

Issues of identity verification of typical applications over mobile terminal platform

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 24

References 32

Related Articles 15

Metrics

Recommended 0

[1]	Chuntao ZHU, Chengxi YIN, Bolin ZHANG, Qilin YIN, Wei LU. Forgery face detection method based on multi-domain temporal features mining [J]. Chinese Journal of Network and Information Security, 2023, 9(3): 123-134.
[2]	Jin CAO, Xiaoping SHI, Ruhui MA, Hui LI. Fusion of satellite-ground and inter-satellite AKA protocols for double-layer satellite networks [J]. Chinese Journal of Network and Information Security, 2023, 9(1): 18-31.
[3]	Hui GUO, Yong LUO, Xiaolu GUO. Automotive ethernet controller authentication method based on national cryptographic algorithms [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 20-28.
[4]	Jun LIU, Lin YUAN, Zhishang FENG. Survey of key management schemes for cluster networks [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 52-69.
[5]	Min XIAO, Tao YAO, Yuanni LIU, Yonghong HUANG. Dynamic and efficient vehicular cloud management scheme with privacy protection [J]. Chinese Journal of Network and Information Security, 2022, 8(6): 70-83.
[6]	Qi JIANG, Ru FENG, Ruijie ZHANG, Jinhua WANG, Ting CHEN, Fushan WEI. GRU-based multi-scenario gait authentication for smartphones [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 26-39.
[7]	Cong YI, Jun HU. Novel continuous identity authentication method based on mouse behavior [J]. Chinese Journal of Network and Information Security, 2022, 8(5): 179-188.
[8]	Liquan CHEN, Xiao LI, Zheyi YANG, Sijie QIAN. Blockchain-based high transparent PKI authentication protocol [J]. Chinese Journal of Network and Information Security, 2022, 8(4): 1-11.
[9]	Jianlin NIU, Zhiyu REN, Xuehui DU. Cross-domain authentication scheme based on consortium blockchain [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 123-133.
[10]	Weicheng ZHANG, Hongquan WEI, Shuxin LIU, Liming PU. Fast handover authentication scheme in 5G mobile edge computing scenarios [J]. Chinese Journal of Network and Information Security, 2022, 8(3): 154-168.
[11]	Zijun XU, Jianwei LIU, Geng LI. Research on network slicing security for 5G mMTC [J]. Chinese Journal of Network and Information Security, 2022, 8(1): 95-105.
[12]	Guanqun YANG, Yin LIU, Hao XU, Hongwei XING, Jianhui ZHANG, Entang LI. Credible distributed identity authentication system of microgrid based on blockchain [J]. Chinese Journal of Network and Information Security, 2021, 7(6): 88-98.
[13]	Yueyang YE, Xinglan ZHANG. Research on anonymous identity authentication technology in Fabric [J]. Chinese Journal of Network and Information Security, 2021, 7(3): 134-140.
[14]	Hao WANG,Tianhao WU,Konglin ZHU,Lin ZHANG. Anonymous vehicle authentication scheme based on blockchain technology in the intersection scenario [J]. Chinese Journal of Network and Information Security, 2020, 6(5): 27-35.
[15]	Xu ZHANG,Xin MA. Lightweight mobile Ad Hoc network authentication scheme based on blockchain [J]. Chinese Journal of Network and Information Security, 2020, 6(4): 14-22.