The session identifier (session token), a unique string identifying the user, is often used to authenticate the communication between the client and the server. Once a session identifier is leaked, it may lead to security issues such as account hijacking or illegal access to protected resources, so session identifiers should be carefully managed. However, according to recent investigation reports, many mobile applications manage session identifiers in an improper manner. Besides, there is little related research, and most of it does not comprehensively cover the usage scenarios of session identifiers. To address these problems, this thesis proposes an automatic analyzer based on static data flow analysis to detect defects of improper session identifier management in Android applications. The specific work is as follows:

(1) We define the anti-patterns of session identifier management. Based on the requirements proposed by OWASP and the disclosed vulnerabilities of real-world applications, we develop five common anti-patterns of session identifier management: creating session identifiers on the client side, storing raw session identifiers without encryption, leaking session identifiers to log files, leaking session identifiers to external domains, and expiring session identifiers improperly.

(2) We present SessDroid, an automatic prototype tool that detects defects of improper session identifier management according to the above five anti-patterns; it is implemented on top of static data flow analysis. SessDroid takes Android applications (.apk files) as input and outputs the defect information found in them. Specifically, it first analyzes whether the input application adopts an authentication mechanism based on session identifiers; if so, it then detects defects of improper session identifier management in the target application. Finally, it outputs the category of each defect and its details (i.e., location and suggested remedy).

(3) We use SessDroid to conduct an empirical analysis of 1,000 commercial applications downloaded from Google Play. The results show that among the 978 successfully decompiled applications, 563 implement an authentication mechanism based on session identifiers, and 92 of them have at least one anti-pattern. Furthermore, we manually inspect 30 of them to demonstrate the effectiveness and efficiency of SessDroid. Finally, we provide developers with feedback on the corresponding defects and suggestions to enhance the security of Android applications.
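As an added illustration (not SessDroid's code and not part of the thesis), the toy forward taint pass below shows how three of the anti-patterns above (leaking to log files, storing without encryption, leaking to an external domain) can be phrased as source-to-sink data flows over straight-line code, with encryption acting as a sanitiser. The intermediate representation, the API names and the sample program are all hypothetical and constructed here; client-side creation and improper expiry are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Calls whose result is a session identifier (hypothetical, simplified API names).
SESSION_SOURCES = {"Response.getHeader:Set-Cookie", "Json.getString:token"}
# Sinks mapped to the anti-pattern that a tainted argument realises.
SINKS = {
    "Log.d": "leak to log file",
    "SharedPreferences.putString": "plaintext storage",
    "Http.send": "leak to external domain",  # args: (host literal, payload var)
}

@dataclass
class Stmt:
    dst: Optional[str]     # variable written; None for a pure sink call
    op: str                # API name, or "assign"/"concat" for data movement
    args: Tuple[str, ...]  # variable names or string literals

def find_anti_patterns(program: List[Stmt], login_host: str):
    """Forward taint pass over straight-line code; returns (line, anti-pattern)."""
    tainted, findings = set(), []
    for lineno, s in enumerate(program, 1):
        if s.op in SESSION_SOURCES:
            tainted.add(s.dst)
        elif s.op in ("assign", "concat"):
            # Taint follows copies and string building; a clean overwrite clears it.
            if any(a in tainted for a in s.args):
                tainted.add(s.dst)
            else:
                tainted.discard(s.dst)
        elif s.op == "Crypto.encrypt":
            tainted.discard(s.dst)  # ciphertext is safe to persist (sanitiser)
        elif s.op in SINKS and any(a in tainted for a in s.args):
            if s.op == "Http.send" and s.args[0] == login_host:
                continue  # returning the token to its own origin is expected use
            findings.append((lineno, SINKS[s.op]))
    return findings

# Constructed sample program standing in for a decompiled login flow.
SAMPLE = [
    Stmt("tok", "Response.getHeader:Set-Cookie", ()),
    Stmt(None, "Log.d", ("LoginActivity", "tok")),               # anti-pattern
    Stmt("enc", "Crypto.encrypt", ("tok",)),
    Stmt(None, "SharedPreferences.putString", ("sess", "enc")),  # fine: encrypted
    Stmt(None, "SharedPreferences.putString", ("raw", "tok")),   # anti-pattern
    Stmt("hdr", "concat", ("Cookie: ", "tok")),
    Stmt(None, "Http.send", ("api.example.com", "hdr")),         # fine: login host
    Stmt(None, "Http.send", ("analytics.example.net", "hdr")),   # anti-pattern
]
print(find_anti_patterns(SAMPLE, "api.example.com"))
```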