Annual Computer Security Applications Conference (ACSAC) 2017


Exploitation and Mitigation of Authentication Schemes Based on Device-Public Information

Today's mobile applications increasingly rely on communication with a remote backend service to perform many critical functions, including handling user-specific information. This implies that some form of authentication must be used to associate a user with their actions and data. Schemes involving tedious account creation procedures represent "friction" for users. Consequently, many applications are moving toward alternative solutions, some of which, while increasing usability, sacrifice security.

This paper focuses on a new trend of authentication schemes based on what we call "device-public" information, which consists of properties and data that any application on the device can obtain. While convenient for users (since they require little or no interaction), these schemes are vulnerable by design: all the information needed to authenticate a user is available to any app installed on the device. An attacker with a malicious app on a user's device could easily hijack the user's account, steal private information, send (and receive) messages on behalf of the user, or steal valuable virtual goods.

To demonstrate how easily these vulnerabilities can be weaponized, we developed a generic exploitation technique that first mines all relevant data from a victim's phone, and then transfers and injects it into an attacker's phone to fool apps into granting access to the victim's account. Moreover, we developed a dynamic analysis detection system to automatically flag problematic apps. Our analysis tool identified 41 vulnerable apps among 1000 popular applications, including the popular messaging apps WhatsApp and Viber. Finally, our work proposes solutions to this issue.
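The following simulation is an added illustration of the vulnerability class the abstract describes and is not code from the paper or its analysis tool. It models a backend that treats a fingerprint of device-public identifiers as the credential, shows the harvest-and-replay attack from a second phone, and contrasts it with a generic mitigation in which the backend issues a random per-installation secret at registration and login proves possession of it via an HMAC over a fresh server nonce. The identifier values, the field names, and the mitigation design are assumptions for the example; the paper's own proposed solutions are not reproduced here.

```python
"""Device-public authentication vs. a registration-secret scheme (added example).

Models the flaw described in the abstract: if the backend authenticates a
user by data every app on the phone can read, a malicious app can copy that
data and a second phone can present it. Values below are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed samples of device-public fields (made-up values).
VICTIM_DEVICE = {"android_id": "9774d56d682e549c",
                 "phone_number": "+15555550100", "imei": "356938035643809"}
ATTACKER_DEVICE = {"android_id": "a1b2c3d4e5f60718",
                   "phone_number": "+15555550199", "imei": "490154203237518"}


def fingerprint(profile: dict) -> str:
    """Identity the vulnerable backend trusts: a hash over device-public data."""
    return hashlib.sha256(json.dumps(profile, sort_keys=True).encode()).hexdigest()


class DevicePublicAuthServer:
    """Vulnerable backend: the device-public fingerprint *is* the credential."""

    def __init__(self):
        self.accounts = {}  # fingerprint -> username

    def register(self, profile: dict, username: str) -> None:
        self.accounts[fingerprint(profile)] = username

    def login(self, profile: dict):
        return self.accounts.get(fingerprint(profile))  # None if unknown


def harvest(device: dict) -> dict:
    """A malicious app on the victim phone can read every field the backend uses."""
    return dict(device)


def replay_on_attacker_phone(server: DevicePublicAuthServer, harvested: dict):
    """Inject the harvested values on the attacker's phone and log in as the victim."""
    return server.login(harvested)


class RegisteredSecretAuthServer:
    """Assumed mitigation (not necessarily the paper's): a random secret issued at
    registration, kept in app-private storage, proven via HMAC over a server nonce."""

    def __init__(self):
        self.secrets = {}     # username -> installation secret
        self.nonces = set()   # outstanding single-use challenges

    def register(self, username: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.secrets[username] = secret
        return secret  # handed once to the installing app (over TLS in practice)

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.nonces.add(nonce)
        return nonce

    def login(self, username: str, nonce: bytes, tag: bytes) -> bool:
        if nonce not in self.nonces:
            return False              # unknown, expired, or replayed challenge
        self.nonces.discard(nonce)    # each nonce is accepted at most once
        secret = self.secrets.get(username)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """What a genuine client computes from its installation secret."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def run_scenario() -> dict:
    """Run both schemes against the same attacker and report outcomes."""
    weak = DevicePublicAuthServer()
    weak.register(VICTIM_DEVICE, "alice")
    stolen = harvest(VICTIM_DEVICE)
    results = {
        "weak_hijacked": replay_on_attacker_phone(weak, stolen) == "alice",
        "weak_attacker_own_phone": weak.login(ATTACKER_DEVICE),  # no account
    }
    strong = RegisteredSecretAuthServer()
    alice_secret = strong.register("alice")
    n1 = strong.challenge()
    results["strong_legit"] = strong.login("alice", n1, client_response(alice_secret, n1))
    # Attacker holds every device-public field but not the app-private secret;
    # the best it can do is derive a guess from the harvested data.
    n2 = strong.challenge()
    guess = hashlib.sha256(fingerprint(stolen).encode()).digest()
    results["strong_attacker"] = strong.login("alice", n2, client_response(guess, n2))
    # Replaying the legitimate response fails because n1 was already consumed.
    results["strong_replay"] = strong.login("alice", n1, client_response(alice_secret, n1))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

The check a practitioner wants is in the last three results: the genuine client succeeds, the attacker with a full copy of the device-public data fails, and a captured valid response cannot be replayed. The caveat is that app-private storage only resists other unprivileged apps; on a rooted device or via a backup the secret can still be copied, so a hardware-backed keystore that never exports the key is the stronger home for it.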

Antonio Bianchi
University of California, Santa Barbara
United States

Eric Gustafson
University of California, Santa Barbara
United States

Yanick Fratantonio
University of California, Santa Barbara
United States

Christopher Kruegel
University of California, Santa Barbara
United States

Giovanni Vigna
University of California, Santa Barbara
United States
