[DLS] Driving apps to test the security of third-party components / Towards reliable storage of 56-bit secrets in human memory

Jaeyeon Jung / Stuart Schechter
Microsoft Research
Friday, July 4th 2014, 10:30am


Driving apps to test the security of third-party components: I present an app automation tool called Brahmastra for helping app stores and security researchers to test third-party components in mobile apps at runtime. The main challenge is that call sites that invoke third-party code may be deeply embedded in the app, beyond the reach of traditional GUI testing tools. Our approach uses static analysis to construct a page transition graph and discover execution paths to invoke third-party code. We then perform binary rewriting to “jump start” the third-party code by following the execution path, efficiently pruning out undesired executions. Compared with the state-of-the-art GUI testing tools, Brahmastra is able to successfully analyze third-party code in 2.7 x more apps and decrease test duration by a factor of 7. We use Brahmastra to uncover interesting results for two use cases: 175 out of 220 children’s apps we tested display ads that point to web pages that attempt to collect personal information, which is a potential violation of the Children’s Online Privacy Protection Act (COPPA); and 13 of the 200 apps with the Facebook SDK that we tested are vulnerable to a known access token attack.

Towards reliable storage of 56-bit secrets in human memory: Challenging the conventional wisdom that users cannot remember cryptographically-strong secrets, we test the hypothesis that users can learn randomly-assigned 56-bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times over up to two weeks with a password of their choosing. After they entered their password correctly we displayed a short code (4 letters or 2 words, 18.8 bits) that we required them to type. For subsequent logins we added an increasing delay prior to displaying the code, which they could avoid by typing the code from memory. As participants learned, we added two more codes to comprise a 56.4-bit secret. Overall, 94% of participants eventually typed their entire secret from memory, learning it after a median of 36 logins. The learning component of our system added a median delay of just 6.9 seconds per login and a total of less than 12 minutes over an average of ten days. 88% were able to recall their codes exactly when asked at least three days later, with only 21% reporting having written their secret down. As one participant wrote with surprise, ``the words are branded into my brain.

Speaker Bio

Dr.Jaeyeon Jung: Jaeyeon Jung is a researcher at Microsoft Research. Prior to joining Microsoft, she was a research scientist at Intel Labs Seattle (2007-2011) after a brief stint as a software architect at Mazu networks (2006-2007). She obtained her PhD from MIT in 2006. Her current research focuses on developing new technologies for protecting consumer privacy, particularly in the areas of mobile systems and emerging consumer devices for the home. She is best known for her work on TaintDroid, which produced a runtime information flow tracking system for monitoring Android applications for privacy violations. The findings from the TaintDroid work resulted in the wide spread media coverage including CNET, BBC, and Wired.

Dr.Stuart Schechter: Stuart Schechter is a man of few accomplishments and so, the reluctant reader should be pleased to learn, his biography is correspondingly short. Stuart researches computer security, human behavior, and occasionally missteps in such distant topics as computer architecture and research ethics. Those who have worked with Stuart rave about his “tireless efforts and disturbingly obsessive dedication… to brainstorming paper titles” and his knack for “carefully vetting ideas to expose every shortcoming, especially when examining ideas he cannot take credit for.” Institutions that may or may not be re-evaluating their admissions or hiring policies as a result of past associations with Stuart include The Ohio State University College of Engineering (B.S.), Harvard’s School of Engineering and Applied Sciences (Ph.D.), MIT Lincoln Laboratory (his happily-former employer), Microsoft Research (his less-fortunate current employer).