Context
Authentication vulnerabilities in mobile applications are present even in highly rated and widely downloaded applications. MT (metamorphic testing), combined with GUI (graphical user interface) testing through a capture-and-replay methodology (black-box testing), can be used to detect such vulnerabilities in Android mobile applications, particularly in apps that disregard the OAuth 2.0 guidelines.
Peculiarity of the study:
- unlike existing approaches, which primarily detect authentication vulnerabilities through static code analysis and automated orchestration, this method operates at the GUI level at run time (no access to source code or binaries is needed)
- metamorphic testing is applied in the GUI context: the recorded GUI event sequence is the source test, and each MR transforms it into a follow-up test
Approach
The vulnerability classes targeted by the research team are insecure communication and insecure authentication/authorization (see authentication vulnerabilities)
Metamorphic relations were identified manually (techniques for automatically generating MRs are not available for GUI-based testing):
- MR1: an auth server should not trust invalid SSL/TLS certificates
- MR2: an access token should be refreshed after prolonged inactivity (more than 60 minutes); the stale token must not keep granting access
- MR3: an access token should be invalidated on logout, and a new one must be issued at the next login (the old token must not be replayable)
- MR4: an auth server should reject a connection when HTTPS is not used
- MR5: the system must prevent any unauthorized user from accessing protected resources through the GUI (e.g. skipping the login step)
Testing technique used:
- GUI-based test cases consisting of sequences of user events on the GUI, with the test oracle also implemented at the GUI level (the final screen of the follow-up test is compared with that of the source test)
Experimental procedure:
- a tester manually interacts with a mobile application (e.g. the Booking app) and performs the authentication flow
- all the actions and events are captured and recorded (the source test)
- follow-up tests are generated automatically by varying the conditions expressed by each MR (invalid certificate, long inactivity, logout before access, plain HTTP, skipped login)
- the follow-up tests are replayed and their screenshots are compared with the source test's; a screen that should have changed but did not indicates a violated MR, i.e. a vulnerability
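The following is an added illustration of the MR list and the capture-and-replay procedure above, not code from the study or its tool. Everything is reduced to a pure-Python model so it runs offline: the recorded event sequence, the toy client/server pair standing in for the app under test, the weakness switches (`trust_invalid_cert`, `no_expiry`, `token_survives_logout`, `allow_http`, `no_auth_check`) and the 60-minute threshold are all constructed here. The point it shows is the metamorphic step itself: each MR is a transformation of the source event sequence plus an expectation about how the final screen must change, and for MR1..MR5 the transformation removes a precondition for access, so a follow-up that ends on the same screen as the source (the same screenshot, in the GUI setting) is a violation.

```python
"""Metamorphic testing of an app's login flow, as a pure-Python model.
Added illustration (not the study's tool); all names and data are constructed."""
import secrets

INACTIVITY_LIMIT_MIN = 60                  # threshold named in MR2
CREDENTIALS = ("alice", "correct-horse")   # constructed test account

# Constructed source test: events a tester recorded while logging in and
# opening a protected screen.
SOURCE_TEST = [
    ("login", {"user": "alice", "password": "correct-horse"}),
    ("open_protected", {}),
]


class FakeApp:
    """Toy client + server standing in for the app under test.
    `weaknesses` switches on deliberate defects so each MR can be seen catching
    the flaw it targets (constructed names, not real findings)."""

    def __init__(self, weaknesses=()):
        self.weak = set(weaknesses)
        self.clock = 0            # minutes since the test started
        self.https = True
        self.cert_valid = True
        self.token = None         # access token held by the client
        self.sessions = {}        # server side: token -> last activity (minute)
        self.screen = "login"

    # ---- server side; each handler returns (screen, client_token) --------
    def _server_login(self, user, password):
        if (user, password) != CREDENTIALS:
            return "login", None
        tok = secrets.token_hex(8)
        self.sessions[tok] = self.clock
        return "home", tok

    def _server_protected(self):
        if "no_auth_check" in self.weak:           # serves everyone (MR5)
            return "protected", self.token
        if self.token not in self.sessions:        # unknown or revoked token
            return "login", self.token
        idle = self.clock - self.sessions[self.token]
        if idle > INACTIVITY_LIMIT_MIN and "no_expiry" not in self.weak:
            del self.sessions[self.token]          # expired: force re-login (MR2)
            return "login", self.token
        self.sessions[self.token] = self.clock
        return "protected", self.token

    def _server_logout(self):
        if "token_survives_logout" not in self.weak:   # revoke on logout (MR3)
            self.sessions.pop(self.token, None)
        return "login", self.token   # sloppy client keeps the stale token in memory

    # ---- transport checks wrapped around every request --------------------
    def _request(self, handler, *args):
        if not self.cert_valid and "trust_invalid_cert" not in self.weak:
            return "error_tls", self.token        # correct client refuses (MR1)
        if not self.https and "allow_http" not in self.weak:
            return "error_insecure", self.token   # correct server refuses (MR4)
        return handler(*args)

    # ---- GUI events, as replayed by the capture-and-replay harness --------
    def fire(self, event, args):
        if event == "login":
            self.screen, self.token = self._request(
                self._server_login, args["user"], args["password"])
        elif event == "logout":
            self.screen, self.token = self._request(self._server_logout)
        elif event == "open_protected":
            self.screen, self.token = self._request(self._server_protected)
        elif event == "wait":
            self.clock += args["minutes"]          # inactivity: no request sent
        elif event == "set_transport":
            self.https = args.get("https", True)
            self.cert_valid = args.get("cert_valid", True)
        else:
            raise ValueError(f"unknown event {event!r}")
        return self.screen


def run(events, weaknesses=()):
    """Replay an event sequence; the final screen is what the oracle compares."""
    app = FakeApp(weaknesses)
    for event, args in events:
        app.fire(event, args)
    return app.screen


def _before_last_protected(src, extra):
    i = max(k for k, (e, _) in enumerate(src) if e == "open_protected")
    return src[:i] + [extra] + src[i:]

# Follow-up generators, one per metamorphic relation.
MRS = {
    "MR1": lambda s: [("set_transport", {"https": True, "cert_valid": False})] + s,
    "MR2": lambda s: _before_last_protected(s, ("wait", {"minutes": INACTIVITY_LIMIT_MIN + 1})),
    "MR3": lambda s: _before_last_protected(s, ("logout", {})),
    "MR4": lambda s: [("set_transport", {"https": False, "cert_valid": True})] + s,
    "MR5": lambda s: [ev for ev in s if ev[0] != "login"],
}


def violated_relations(weaknesses=()):
    """MRs whose follow-up ends on the same screen as the source test."""
    source_screen = run(SOURCE_TEST, weaknesses)
    return {name for name, make in MRS.items()
            if run(make(SOURCE_TEST), weaknesses) == source_screen}


if __name__ == "__main__":
    print("secure app:", sorted(violated_relations()))
    for w in ("trust_invalid_cert", "no_expiry", "token_survives_logout",
              "allow_http", "no_auth_check"):
        print(f"{w:>22}:", sorted(violated_relations({w})))
```

Note that a server that never checks the token (`no_auth_check`) violates MR2, MR3 and MR5 at once, since expiry and revocation are meaningless when the token is never consulted; a real GUI harness would report the same cluster of failing screenshots, which is a useful hint about the root cause.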
Results
163 popular Android applications were tested:
- 159 vulnerabilities previously unknown to the developers were found
- three independent security experts validated the vulnerabilities found
- 26 companies committed to fixing the vulnerabilities
- high perceived application quality (ratings) and a high number of downloads do not correlate with having fewer vulnerabilities