This page has only limited features, please log in for full access.
The majority of mobile apps use credentials to provide an automatic login function. Credentials are security tokens based on a user’s ID and password information. They are created for initial authentication, and this credential authentication then replaces user verification. However, because the credential management of most Android apps is currently very insecure, the duplication and use of another user’s credentials would allow an attacker to view personal information stored on the server. Therefore, in this paper, we analyze the vulnerability of some major mobile SNS apps to credential duplication that would enable access to personal information. To address the identified weaknesses, we propose a secure credential management scheme. The proposed scheme first differentiates the credential from the smart device using an external device. Using a security mechanism, the credential is then linked with the smart device. This ensures that the credential will be verified by the special smart device. Furthermore, based on experimental results using a prototype security mechanism, the proposed scheme is shown to be a very useful solution because of its minimal additional overhead.
Jongwon Choi; Geonbae Na; Jeong Hyun Yi. Hardware-assisted credential management scheme for preventing private data analysis from cloning attacks. Multimedia Tools and Applications 2016, 75, 14833 -14848.
AMA StyleJongwon Choi, Geonbae Na, Jeong Hyun Yi. Hardware-assisted credential management scheme for preventing private data analysis from cloning attacks. Multimedia Tools and Applications. 2016; 75 (22):14833-14848.
Chicago/Turabian StyleJongwon Choi; Geonbae Na; Jeong Hyun Yi. 2016. "Hardware-assisted credential management scheme for preventing private data analysis from cloning attacks." Multimedia Tools and Applications 75, no. 22: 14833-14848.
To log in to a mobile social network service (SNS) server, users must enter their ID and password to get through the authentication process. At that time, if the user sets up the automatic login option on the app, a sort of security token is created on the server based on the user’s ID and password. This security token is called a credential. Because such credentials are convenient for users, they are utilized by most mobile SNS apps. However, the current state of credential management for the majority of Android SNS apps is very weak. This paper demonstrates the possibility of a credential cloning attack. Such attacks occur when an attacker extracts the credential from the victim’s smart device and inserts it into their own smart device. Then, without knowing the victim’s ID and password, the attacker can access the victim’s account. This type of attack gives access to various pieces of personal information without authorization. Thus, in this paper, we analyze the vulnerabilities of the main Android-based SNS apps to credential cloning attacks, and examine the potential leakage of personal information that may result. We then introduce effective countermeasures to resolve these problems.
Jongwon Choi; Haehyun Cho; Jeong Hyun Yi. Personal Information Leaks with Automatic Login in Mobile Social Network Services. Entropy 2015, 17, 3947 -3962.
AMA StyleJongwon Choi, Haehyun Cho, Jeong Hyun Yi. Personal Information Leaks with Automatic Login in Mobile Social Network Services. Entropy. 2015; 17 (6):3947-3962.
Chicago/Turabian StyleJongwon Choi; Haehyun Cho; Jeong Hyun Yi. 2015. "Personal Information Leaks with Automatic Login in Mobile Social Network Services." Entropy 17, no. 6: 3947-3962.