Finding Flaws from Password Authentication Code in Android Apps

Password authentication is widely used to validate users’ identities because it is convenient to use, easy for users to remember, and simple to implement. The password authentication protocol transmits passwords in plaintext, which makes the authentication vulnerable to eavesdropping and replay attacks, and several protocols have been proposed to protect against this. However, we find that secure password authentication protocols are often implemented incorrectly in Android applications (apps). To detect the implementation flaws in password authentication code, we propose GLACIATE, a fully automated tool combining machine learning and program analysis. Instead of creating detection templates/rules manually, GLACIATE automatically and accurately learns the common authentication flaws from a relatively small training dataset, and then identifies whether the authentication flaws exist in other apps. We collected 16,387 apps from Google Play for evaluation. GLACIATE successfully identified 4,105 of these with incorrect password authentication implementations. Examining these results, we observed that a significant proportion of them had multiple flaws in their authentication code. We further compared GLACIATE with the state-of-the-art techniques to assess its detection accuracy.