Abstract: This work is originally present in “App’s Auto-Login Function Security Testing via Android OS-Level Virtualization”.Most mobile apps provide the automated login option to improve user experience despite the small keyboard's limitations. Users can avoid the hassle of having to type their ID and password again whenever an app is running in the foreground. The so-called "data-clone attack" can be launched by copying the locally stored, auto-login dependent data and installing it on the attackers' smartphones, which allows the attackers to exceed the allowed number of login devices and secretly connect into the victim's account. Verifying the consistency of device-specific properties is a natural countermeasure. The programme will block the auto-login feature and hence guard against data-clone attempts as long as the new device displays distinct device fingerprints from the old one. In this article,with VP Droid, security analysts can alter several device artefacts in a virtual phone without using user-level API hooks, including CPU model, Android ID, and phone number. The isolation method of VPDroid makes sure that user-mode apps in the virtual phone cannot identify differences between devices. We simulate data-clone attacks with 234 of the most popular Android apps using VPDroid in order to evaluate how vulnerable Android apps are to these assaults. Our tests on five distinct virtual phone settings demonstrate that all evaluated apps that do device-consistency checks, such Twitter, WeChat, and PayPal, may be tricked by VPDroid's device attribute customisation. As a zero-day vulnerability, our report has been verified by 19 vendors.
|
DOI:
10.17148/IJARCCE.2022.116129
