Title: Toward Discovering and Exploiting Private Server-side Web APIs
Authors: Chen, Jia; Cui, Xingmin; Zhao, Ziming; Liang, Jie; Guo, Shanqing
Corresponding author: Chen, J
Author affiliations: [Chen, Jia; Guo, Shanqing] Shandong Univ, Sch Comp Sci & Technol, Jinan, Peoples R China.; [Cui, Xingmin] Univ Hong Kong, Hong Kong, Hong Kong, Peop
Conference: IEEE 23rd International Conference on Web Services (ICWS)
Conference dates: JUN 27-JUL 02, 2016
Source: 2016 IEEE International Conference on Web Services (ICWS)
Year: 2016
Pages: 420-427
DOI: 10.1109/ICWS.2016.61
Keywords: Web APIs; Android Apps; Static Analysis; Dynamic Analysis
Abstract: Many service providers, including large enterprises, have released their own applications (apps) that embed HTTP clients to communicate with their servers. The workflows of, and the APIs used by, a web app and its corresponding mobile app are not always the same. We call the APIs found in apps private web APIs, in that they are only supposed to be invoked by apps developed by the service providers themselves. However, checking the origin of an HTTP request is very difficult, so private web APIs can easily be invoked by other entities. It is therefore imperative to study whether private web APIs provide the same level of security checks and validation as their public counterparts. To automatically discover the undocumented private APIs in Android apps, we design a system that uses static analysis to find the activities that invoke web APIs. Our system then runs the discovered activities on a customized Android system to monitor their HTTP requests and responses. We evaluated our system on 76 popular apps from the Google Play market. Our system successfully ran 48 apps and discovered many private server-side APIs in more than 30 of them. Further manual investigation found that 9 of the apps have vulnerabilities that would enable API misuse and session hijacking.
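The dynamic half of the approach described in the abstract, monitoring HTTP requests while driving an app, produces raw traffic that still has to be turned into an API inventory before anyone can ask whether each endpoint is validated server-side. The following is an added example, not the authors' system: it builds such an inventory from a constructed set of captured requests, collapses volatile path segments so that calls to the same endpoint group together, and flags endpoints that were observed without any session credential, which are the natural starting point for the manual investigation the abstract describes. The hostnames, paths, header values and the `AUTH_HEADERS` list are assumptions made for the example.

```python
"""Build an inventory of server-side web API endpoints from HTTP traffic
captured while driving an Android app, and flag endpoints hit without a
session credential.  Added example; the traffic below is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: one captured request per entry, as (method, url, headers).
CAPTURED = [
    ("POST", "https://api.example.com/v2/login?lang=en",
     {"Host": "api.example.com", "User-Agent": "ExampleApp/3.1 (Android 6.0)"}),
    ("GET", "https://api.example.com/v2/users/1042/orders?page=1",
     {"Host": "api.example.com", "User-Agent": "ExampleApp/3.1 (Android 6.0)",
      "Cookie": "SESSION=abc123"}),
    ("GET", "https://api.example.com/v2/users/1042/profile",
     {"Host": "api.example.com", "User-Agent": "ExampleApp/3.1 (Android 6.0)",
      "Authorization": "Bearer tok"}),
    # Same endpoint reached from another activity, this time with no credential.
    ("GET", "https://api.example.com/v2/users/2077/profile",
     {"Host": "api.example.com", "User-Agent": "ExampleApp/3.1 (Android 6.0)"}),
    ("GET", "https://cdn.example.com/img/logo.png",
     {"Host": "cdn.example.com", "User-Agent": "ExampleApp/3.1 (Android 6.0)"}),
]

# Assumed set of headers that carry a session credential in this app.
AUTH_HEADERS = ("authorization", "cookie", "x-auth-token")
STATIC_EXT = (".png", ".jpg", ".gif", ".css", ".js")


def normalize_path(path):
    """Collapse volatile segments (numeric ids, long hex tokens) into
    placeholders so /users/1042/profile and /users/2077/profile map to
    one endpoint."""
    out = []
    for seg in path.split("/"):
        if re.fullmatch(r"\d+", seg):
            out.append("{id}")
        elif re.fullmatch(r"[0-9a-fA-F]{16,}", seg):
            out.append("{hex}")
        else:
            out.append(seg)
    return "/".join(out)


def has_credential(headers):
    """True if any header in the request is one we treat as a credential."""
    return any(k.lower() in AUTH_HEADERS for k in headers)


def build_inventory(captured):
    """Return {(method, host, normalized_path): {"params": set, "auth": set}}.
    'params' collects query parameter names seen; 'auth' records, per call,
    whether a credential was present (so {True, False} means inconsistent)."""
    inv = defaultdict(lambda: {"params": set(), "auth": set()})
    for method, url, headers in captured:
        u = urlsplit(url)
        if u.path.lower().endswith(STATIC_EXT):
            continue  # static assets are not API calls
        key = (method, u.netloc, normalize_path(u.path))
        inv[key]["params"].update(k for k, _ in parse_qsl(u.query))
        inv[key]["auth"].add(has_credential(headers))
    return dict(inv)


def never_authenticated(inv):
    """Endpoints that were only ever called without a credential."""
    return sorted(k for k, v in inv.items() if v["auth"] == {False})


def inconsistent_endpoints(inv):
    """Endpoints called both with and without a credential.  If the server
    answers both the same way, the check is effectively client-side only,
    which is exactly the kind of endpoint to examine by hand."""
    return sorted(k for k, v in inv.items() if {True, False} <= v["auth"])


if __name__ == "__main__":
    inventory = build_inventory(CAPTURED)
    for key, info in sorted(inventory.items()):
        print(key, sorted(info["params"]), sorted(info["auth"]))
    print("never authenticated:", never_authenticated(inventory))
    print("inconsistent:", inconsistent_endpoints(inventory))
```

The inventory is only as complete as the activities that were actually driven, which is why the abstract pairs it with static analysis to locate the activities worth running; an endpoint that never appears in the capture is simply absent from the list.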
Indexed in: CPCI-S
Document type: Conference paper