Limited by the small keyboard, most mobile apps support an automatic login feature for a better user experience, so users avoid the inconvenience of retyping their ID and password when an app returns to the foreground. However, this auto-login function can be exploited to launch the so-called "data-clone attack": once the locally stored data that auto-login depends on is cloned by attackers and placed on their own smartphones, the attackers can bypass the limit on the number of logged-in devices and log in to the victim's account stealthily. A natural countermeasure is to check the consistency of device-specific attributes: as long as the new device shows a device fingerprint different from the previous one, the app disables the auto-login function and thus prevents the data-clone attack. In this paper, we develop VPDroid, a transparent Android OS-level virtualization platform tailored for security testing. With VPDroid, security analysts can customize different device artifacts, such as CPU model, Android ID, and phone number, in a virtual phone without user-level API hooking. VPDroid's isolation mechanism ensures that user-mode apps in the virtual phone cannot detect device-specific discrepancies. To assess Android apps' susceptibility to the data-clone attack, we use VPDroid to simulate data-clone attacks against the 234 most-downloaded apps. Our experiments on five different virtual phone environments show that VPDroid's device attribute customization can deceive all tested apps that perform device-consistency checks, such as Twitter, WeChat, and PayPal. 19 vendors have confirmed our report as a zero-day vulnerability. Our findings paint a cautionary tale: a device-consistency check enforced only on the client side is still vulnerable to an advanced data-clone attack.
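To make the abstract's argument concrete, here is an added Python simulation of a client-side device-consistency check for auto-login; it is not code from the paper or from VPDroid, and the device attribute names, values and session token are constructed for illustration. It shows that the check can only compare against the attributes the OS reports to the app, so a clone placed on a phone that presents the victim's attributes passes the check.

```python
import hashlib
import json
from dataclasses import dataclass

# Constructed device profiles (illustrative values, not real devices).
VICTIM_DEVICE = {"cpu_model": "ExampleSoC-1", "android_id": "victim-android-id",
                 "phone_number": "+10000000001"}
OTHER_DEVICE = {"cpu_model": "ExampleSoC-2", "android_id": "other-android-id",
                "phone_number": "+10000000002"}


def device_fingerprint(attrs: dict) -> str:
    """Hash of the device-specific attributes the app reads at login time."""
    canonical = json.dumps(attrs, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class AutoLoginData:
    """Locally stored data that the auto-login feature depends on."""
    session_token: str
    bound_fingerprint: str


def enroll(session_token: str, attrs: dict) -> AutoLoginData:
    """First login: bind the stored session to the current device fingerprint."""
    return AutoLoginData(session_token, device_fingerprint(attrs))


def client_side_auto_login(data: AutoLoginData, attrs_seen_by_app: dict) -> bool:
    """Client-side consistency check: auto-login only if the fingerprint still
    matches. It can compare only against what the OS reports to the app."""
    return data.bound_fingerprint == device_fingerprint(attrs_seen_by_app)


def simulate_data_clone(attrs_presented_to_app: dict) -> bool:
    """Copy the victim's auto-login data to a second phone and report whether
    the app would auto-login there, given the attributes that phone presents."""
    victim_data = enroll("constructed-session-token", VICTIM_DEVICE)
    cloned = AutoLoginData(victim_data.session_token, victim_data.bound_fingerprint)
    return client_side_auto_login(cloned, attrs_presented_to_app)


if __name__ == "__main__":
    # Unmodified second phone: fingerprints differ, auto-login is disabled.
    print(simulate_data_clone(OTHER_DEVICE))   # False
    # Phone whose reported attributes equal the victim's: the check passes.
    print(simulate_data_clone(VICTIM_DEVICE))  # True
```

The second call is the situation the abstract describes: because every input to the check comes from the device the app runs on, a client-only check cannot distinguish the original phone from one that reports identical attributes.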