Android apps can embed secret strings of their own, such as cloud service credentials or encryption keys. Leakage of such secret strings can have serious consequences, such as monetary losses or exposure of users' private information. In practice, many security issues have been reported because apps failed to protect their secrets. However, little is known about the types, usages, exploitability, and consequences of app secret leakage. While a large body of literature studies the leakage of users' private information, no systematic study has characterized app secret leakage. How far are Android app secrets from being stolen? To bridge this gap, we conducted the first systematic study characterizing app secret leakage in Android apps, based on 575 potential app secrets sampled from 14,665 popular Android apps on Google Play. We summarize the common categories of leaked app secrets, assess their security impact, and disclose the bad practices apps follow when storing secrets. We devised a text mining strategy based on regular expressions and demonstrated that numerous app secrets can be easily stolen, even from highly popular apps on Google Play. In a follow-up study, we harvested 3,711 distinct exploitable app secrets through automated analysis. Our findings highlight the prevalence of this problem and call for greater attention to app secret protection.
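As an added illustration of the regex-based text mining the abstract describes (this is not the paper's own tooling), the Python below scans a constructed fragment of a decompiled `res/values/strings.xml` for two assumed, publicly documented key formats and falls back to a Shannon-entropy test for random-looking values stored under secret-like resource names; the resource names and values are constructed for the example.

```python
import math
import re
from xml.etree import ElementTree

# Constructed sample fragment of a decompiled res/values/strings.xml (not from the paper).
SAMPLE_STRINGS_XML = """<resources>
  <string name="app_name">DemoApp</string>
  <string name="aws_key">AKIAIOSFODNN7EXAMPLE</string>
  <string name="api_base">https://api.example.com/v1</string>
  <string name="backend_secret">s3cr3tK9xQ2mZ7pL4vB8nR1tY6wE0uI3</string>
  <string name="welcome">Welcome back!</string>
</resources>"""

# Provider-specific key formats (assumed, publicly documented shapes; not taken from the paper).
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}
# Resource names that hint at a secret; their values get an entropy test instead of a fixed regex.
SECRET_NAME_HINT = re.compile(r"(secret|token|passw|api_?key|private)", re.I)

def shannon_entropy(s):
    """Bits per character: random-looking keys score high, human-readable text scores low."""
    if not s:
        return 0.0
    probs = (s.count(ch) / len(s) for ch in set(s))
    return -sum(p * math.log2(p) for p in probs)

def scan_strings_xml(xml_text, entropy_threshold=4.0):
    """Return (resource_name, category, value) for every candidate secret in the XML."""
    findings = []
    for node in ElementTree.fromstring(xml_text).iter("string"):
        name, value = node.get("name", ""), (node.text or "").strip()
        matched = [cat for cat, pat in KEY_PATTERNS.items() if pat.search(value)]
        for category in matched:
            findings.append((name, category, value))
        # Fallback: no known format matched, but the name looks secret-like and the value random.
        if not matched and SECRET_NAME_HINT.search(name) and len(value) >= 16 \
                and shannon_entropy(value) >= entropy_threshold:
            findings.append((name, "high_entropy_value", value))
    return findings

if __name__ == "__main__":
    for name, category, value in scan_strings_xml(SAMPLE_STRINGS_XML):
        print(f"{name}: {category} -> {value}")
```

The entropy fallback is what catches secrets with no recognizable provider prefix; the threshold is a tunable trade-off between missed secrets and false positives on ordinary UI strings.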