Demo and Motivating Example

1. Demo video of AUSERA

2. Motivating example

Fig. 1 A motivating example of how the vulnerable banking app leaks its sensitive data

Fig. 2 Sensitive data tagging

Fig. 3 Function Identification

Fig. 1 shows the vulnerable logic in "VulApp" and the attack conducted by "MalApp" that causes financial loss to the victim.

"VulApp" is a banking app that offers a number of monetary services, such as payment and transfer. Before using these services, users are asked to register by entering their first name, last name, password, and address. The entered data is passed to the service and used to update the system state (e.g., the database). However, the app has an additional, misused behavior that creates the security risk: the entered credentials are packaged into an SMS message and sent to the bank server by ServiceManager. What is more astonishing is that the SMS message carrying the credential data is also stored in the SMS outbox, where any app with SMS read permission can read it.

The motivating example is a real case: it discloses users' credentials and causes severe financial loss.

Approach illustration based on the motivating example:

(1) Sensitive Data Tagging: As shown in Fig. 2, in this motivating example the sensitive data is tagged as <edit_PIN, pin>, <edit_firstName, firstname>, <edit_lastName, lastname> and <edit_addr, addr>. According to the sensitive data tagging phase, we confirm that the motivating example does send sensitive user data via SMS.

(2) Function Identification: As shown in Fig. 3, the source of the motivating example is <android.widget.EditText: android.text.Editable getText()> (called on edit_PIN, edit_firstName, edit_lastName and edit_addr), the sink is <android.telephony.SmsManager: void sendTextMessage()>, and the right part of the figure shows the flow of the data between them.

(3) Security Weakness Detection: Based on the above two phases, we confirm that the app leaks the sensitive data (i.e., pin, firstname, lastname, addr) via sendTextMessage().

The result of AUSERA is as follows:

Found a flow to sink

virtualinvoke $r10.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String, java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>($r1, null, $r2, $r6, $r7), 

from the following sources:

 - $r5 = virtualinvoke $r4.<android.widget.EditText: android.text.Editable getText()>() (in <com.globe.gcash.android.activity.transaction.RegistrationTransactionActivity: void doNext()>)
=> com.globe.gcash.android.activity.transaction.RegistrationTransactionActivity;void doNext();$r4 
==> pin;firstName;lastName;addr
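The following Python script is an added example, not code from the AUSERA project, that re-implements the three phases above in miniature on the flow report just shown. It uses the widget-to-tag table from Fig. 2 (phase 1), a sink table of which only the SmsManager.sendTextMessage entry comes from the page (the other entries are assumed for illustration), a parser for the Soot-style method references in the report (phase 2), and a check that reports a weakness only when a tainted value carrying a sensitive tag reaches a leak sink (phase 3). The SAMPLE_REPORT string is a constructed copy of the output above.

```python
"""Miniature re-implementation of the AUSERA phases over a FlowDroid/Soot-style
flow report (added example; not the project's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the flow report printed on the page, reproduced verbatim.
SAMPLE_REPORT = """\
Found a flow to sink
virtualinvoke $r10.<android.telephony.SmsManager: void sendTextMessage(java.lang.String,java.lang.String, java.lang.String,android.app.PendingIntent,android.app.PendingIntent)>($r1, null, $r2, $r6, $r7),
from the following sources:
 - $r5 = virtualinvoke $r4.<android.widget.EditText: android.text.Editable getText()>() (in <com.globe.gcash.android.activity.transaction.RegistrationTransactionActivity: void doNext()>)
=> com.globe.gcash.android.activity.transaction.RegistrationTransactionActivity;void doNext();$r4
==> pin;firstName;lastName;addr
"""

# Phase 1 (Fig. 2): widget id -> sensitive data tag, the four pairs named on the page.
SENSITIVE_TAGS = {
    "edit_PIN": "pin",
    "edit_firstName": "firstname",
    "edit_lastName": "lastname",
    "edit_addr": "addr",
}

# Phase 2: sink methods that move data off the component. Only the first entry
# is taken from the page; the others are assumed for this example.
LEAK_SINKS = {
    "android.telephony.SmsManager.sendTextMessage": "SMS",
    "android.telephony.SmsManager.sendMultipartTextMessage": "SMS",
    "android.util.Log.d": "logcat",
}

# Soot method reference: <declaring.Class: returnType name(param, types)>
SIG_RE = re.compile(
    r"<(?P<cls>[\w.$]+):\s*(?P<ret>[\w.$\[\]]+)\s+(?P<name>[\w$<>]+)\((?P<params>[^)]*)\)>"
)


@dataclass
class Flow:
    sink: str = ""                       # "declaring.Class.method" of the sink API
    sources: list[str] = field(default_factory=list)  # source APIs feeding the sink
    container: str = ""                  # method in which the source call sits
    data: list[str] = field(default_factory=list)     # tagged values on the "==>" line


def parse_report(text: str) -> list[Flow]:
    """Turn one or more 'Found a flow to sink' blocks into Flow records."""
    flows: list[Flow] = []
    current: Flow | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Found a flow to sink"):
            current = Flow()
            flows.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("==>"):
            # tagged data names that reach the sink, ';'-separated
            current.data = [d.strip() for d in line[3:].split(";") if d.strip()]
        elif line.startswith("=>") or line.startswith("from "):
            continue  # container summary / header line, nothing more to extract
        elif line.startswith("- "):
            refs = list(SIG_RE.finditer(line))
            if refs:   # first reference is the source API, second its enclosing method
                current.sources.append(f"{refs[0]['cls']}.{refs[0]['name']}")
            if len(refs) > 1:
                current.container = f"{refs[1]['cls']}.{refs[1]['name']}"
        elif not current.sink:
            m = SIG_RE.search(line)   # the line after the header names the sink
            if m:
                current.sink = f"{m['cls']}.{m['name']}"
    return flows


def detect_weaknesses(flows: list[Flow], tags=SENSITIVE_TAGS, sinks=LEAK_SINKS) -> list[dict]:
    """Phase 3: report a flow only if its sink is a known leak channel and at least
    one tainted value carries a sensitive tag (compared case-insensitively, since
    the report writes 'firstName' while the tag table writes 'firstname')."""
    tagged = {t.lower() for t in tags.values()}
    findings = []
    for f in flows:
        channel = sinks.get(f.sink)
        if channel is None:
            continue
        leaked = sorted({d for d in f.data if d.lower() in tagged}, key=str.lower)
        if leaked:
            findings.append({"channel": channel, "sink": f.sink,
                             "where": f.container, "leaked": leaked})
    return findings


if __name__ == "__main__":
    for w in detect_weaknesses(parse_report(SAMPLE_REPORT)):
        print(f"{w['where']} leaks {', '.join(w['leaked'])} via {w['channel']} ({w['sink']})")
```

Running the script prints one finding for doNext(), naming the four tagged values that reach sendTextMessage; a flow whose sink is not in the leak table, or whose tainted values carry no sensitive tag, produces no finding.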