IEEE Consumer Electronics Magazine - May 2018 - 49

User Credential
Cloning Attacks
in Android Applications
Exploiting automatic login on Android apps and mitigating strategies.
By Junsung Cho, Dayeon Kim, and Hyoungshick Kim

A

utomatic login is a commonly used feature
of smartphones, because their small keyboards
make it difficult to key in user credential information. However, this feature may pose a serious risk
to smartphone users' privacy. The stored data for
automatic login could be stolen by an attacker, resulting in
identity theft. In this article, we demonstrate an execution of
this attack in a systematic manner through two real-world
Android application case studies by implementing a prototype. We also discuss five possible defense strategies to mitigate the risk of user credential data being stolen from the
application files.

AUTOMATIC LOGIN VULNERABILITY
Automatic login is a feature for user authentication whereby
user credentials are stored locally and used when verification
is required. It is frequently provided as a common means to
enhance convenience by avoiding the necessity of keying a
user name and password into an application (e.g., a web
page) each time it is accessed.
Automatic login is useful, but it can be harmful as well; the
stored user credentials can be stolen or misused by unauthorized parties. For example, many websites offer the opportunity
to remain logged in to a website via a browser-saved cookie
that caches the user credential information. However, cookies
can simply be stolen [1] and used by an attacker to impersonate someone. In the worst-case scenario, if the stored credential is used for a single sign-on authentication system (e.g., a
Google account), then the attacker would have access to all
the services it protects. Also, anyone having physical access to
a system using an automatic login could unlock it without a
victim's password even when it cannot be stolen.

In this article, we revisit this problem, focusing on a different domain of the Android platform and present a generic
attack strategy called a user credential cloning attack, which
might be a serious threat to Android applications that support
the automatic login feature. This attack is an attempt by a
malefactor to steal a victim's credential data from his or her
Android app and log in to the victim's account using these
stolen access rights via the attacker's Android application. In
practice, people tend to prefer the automatic login feature in
small-touchscreen smartphones in particular, as opposed to
personal computer (PC) environments, because of its quickness and convenience [2], [3]. The majority of existing
Android apps (e.g., Facebook, Twitter, and Skype) support
the automatic login feature by default. We show how the user
credential cloning attack can be effectively devised against
such Android applications.
To show the feasibility of the proposed attack strategy, we
implemented the user credential cloning attack against two
Android applications, Starbucks and MOCI. The Starbucks
application provides various services, such as paying for orders,
earning loyalty rewards, and finding stores. MOCI is a wellknown anonymous social networking application (https://www
.moci.kr/) in South Korea. For Starbucks, we can see that a
user's authentication credentials are stored in an Extensible
Markup Language file called Shared Preferences
(com.starbucks.co_preferences.xml) to manage
an application's private primitive data in key-value pairs. For
MOCI, a user's authentication credentials are stored in SQLite
Databases (moci.sqlite). If an attacker obtains this kind
of file from a victim's app and replaces his or her own file with
the victim's, the attacker can log in to the victim's account via
the automatic login feature.
MAy 2018

^

IEEE Consumer Electronics Magazine

49



http://www.moci.kr/ http://www.moci.kr/

Table of Contents for the Digital Edition of IEEE Consumer Electronics Magazine - May 2018

IEEE Consumer Electronics Magazine - May 2018 - Cover1
IEEE Consumer Electronics Magazine - May 2018 - Cover2
IEEE Consumer Electronics Magazine - May 2018 - 1
IEEE Consumer Electronics Magazine - May 2018 - 2
IEEE Consumer Electronics Magazine - May 2018 - 3
IEEE Consumer Electronics Magazine - May 2018 - 4
IEEE Consumer Electronics Magazine - May 2018 - 5
IEEE Consumer Electronics Magazine - May 2018 - 6
IEEE Consumer Electronics Magazine - May 2018 - 7
IEEE Consumer Electronics Magazine - May 2018 - 8
IEEE Consumer Electronics Magazine - May 2018 - 9
IEEE Consumer Electronics Magazine - May 2018 - 10
IEEE Consumer Electronics Magazine - May 2018 - 11
IEEE Consumer Electronics Magazine - May 2018 - 12
IEEE Consumer Electronics Magazine - May 2018 - 13
IEEE Consumer Electronics Magazine - May 2018 - 14
IEEE Consumer Electronics Magazine - May 2018 - 15
IEEE Consumer Electronics Magazine - May 2018 - 16
IEEE Consumer Electronics Magazine - May 2018 - 17
IEEE Consumer Electronics Magazine - May 2018 - 18
IEEE Consumer Electronics Magazine - May 2018 - 19
IEEE Consumer Electronics Magazine - May 2018 - 20
IEEE Consumer Electronics Magazine - May 2018 - 21
IEEE Consumer Electronics Magazine - May 2018 - 22
IEEE Consumer Electronics Magazine - May 2018 - 23
IEEE Consumer Electronics Magazine - May 2018 - 24
IEEE Consumer Electronics Magazine - May 2018 - 25
IEEE Consumer Electronics Magazine - May 2018 - 26
IEEE Consumer Electronics Magazine - May 2018 - 27
IEEE Consumer Electronics Magazine - May 2018 - 28
IEEE Consumer Electronics Magazine - May 2018 - 29
IEEE Consumer Electronics Magazine - May 2018 - 30
IEEE Consumer Electronics Magazine - May 2018 - 31
IEEE Consumer Electronics Magazine - May 2018 - 32
IEEE Consumer Electronics Magazine - May 2018 - 33
IEEE Consumer Electronics Magazine - May 2018 - 34
IEEE Consumer Electronics Magazine - May 2018 - 35
IEEE Consumer Electronics Magazine - May 2018 - 36
IEEE Consumer Electronics Magazine - May 2018 - 37
IEEE Consumer Electronics Magazine - May 2018 - 38
IEEE Consumer Electronics Magazine - May 2018 - 39
IEEE Consumer Electronics Magazine - May 2018 - 40
IEEE Consumer Electronics Magazine - May 2018 - 41
IEEE Consumer Electronics Magazine - May 2018 - 42
IEEE Consumer Electronics Magazine - May 2018 - 43
IEEE Consumer Electronics Magazine - May 2018 - 44
IEEE Consumer Electronics Magazine - May 2018 - 45
IEEE Consumer Electronics Magazine - May 2018 - 46
IEEE Consumer Electronics Magazine - May 2018 - 47
IEEE Consumer Electronics Magazine - May 2018 - 48
IEEE Consumer Electronics Magazine - May 2018 - 49
IEEE Consumer Electronics Magazine - May 2018 - 50
IEEE Consumer Electronics Magazine - May 2018 - 51
IEEE Consumer Electronics Magazine - May 2018 - 52
IEEE Consumer Electronics Magazine - May 2018 - 53
IEEE Consumer Electronics Magazine - May 2018 - 54
IEEE Consumer Electronics Magazine - May 2018 - 55
IEEE Consumer Electronics Magazine - May 2018 - 56
IEEE Consumer Electronics Magazine - May 2018 - 57
IEEE Consumer Electronics Magazine - May 2018 - 58
IEEE Consumer Electronics Magazine - May 2018 - 59
IEEE Consumer Electronics Magazine - May 2018 - 60
IEEE Consumer Electronics Magazine - May 2018 - 61
IEEE Consumer Electronics Magazine - May 2018 - 62
IEEE Consumer Electronics Magazine - May 2018 - 63
IEEE Consumer Electronics Magazine - May 2018 - 64
IEEE Consumer Electronics Magazine - May 2018 - 65
IEEE Consumer Electronics Magazine - May 2018 - 66
IEEE Consumer Electronics Magazine - May 2018 - 67
IEEE Consumer Electronics Magazine - May 2018 - 68
IEEE Consumer Electronics Magazine - May 2018 - 69
IEEE Consumer Electronics Magazine - May 2018 - 70
IEEE Consumer Electronics Magazine - May 2018 - 71
IEEE Consumer Electronics Magazine - May 2018 - 72
IEEE Consumer Electronics Magazine - May 2018 - 73
IEEE Consumer Electronics Magazine - May 2018 - 74
IEEE Consumer Electronics Magazine - May 2018 - 75
IEEE Consumer Electronics Magazine - May 2018 - 76
IEEE Consumer Electronics Magazine - May 2018 - 77
IEEE Consumer Electronics Magazine - May 2018 - 78
IEEE Consumer Electronics Magazine - May 2018 - 79
IEEE Consumer Electronics Magazine - May 2018 - 80
IEEE Consumer Electronics Magazine - May 2018 - 81
IEEE Consumer Electronics Magazine - May 2018 - 82
IEEE Consumer Electronics Magazine - May 2018 - 83
IEEE Consumer Electronics Magazine - May 2018 - 84
IEEE Consumer Electronics Magazine - May 2018 - 85
IEEE Consumer Electronics Magazine - May 2018 - 86
IEEE Consumer Electronics Magazine - May 2018 - 87
IEEE Consumer Electronics Magazine - May 2018 - 88
IEEE Consumer Electronics Magazine - May 2018 - 89
IEEE Consumer Electronics Magazine - May 2018 - 90
IEEE Consumer Electronics Magazine - May 2018 - 91
IEEE Consumer Electronics Magazine - May 2018 - 92
IEEE Consumer Electronics Magazine - May 2018 - 93
IEEE Consumer Electronics Magazine - May 2018 - 94
IEEE Consumer Electronics Magazine - May 2018 - 95
IEEE Consumer Electronics Magazine - May 2018 - 96
IEEE Consumer Electronics Magazine - May 2018 - 97
IEEE Consumer Electronics Magazine - May 2018 - 98
IEEE Consumer Electronics Magazine - May 2018 - 99
IEEE Consumer Electronics Magazine - May 2018 - 100
IEEE Consumer Electronics Magazine - May 2018 - 101
IEEE Consumer Electronics Magazine - May 2018 - 102
IEEE Consumer Electronics Magazine - May 2018 - 103
IEEE Consumer Electronics Magazine - May 2018 - 104
IEEE Consumer Electronics Magazine - May 2018 - 105
IEEE Consumer Electronics Magazine - May 2018 - 106
IEEE Consumer Electronics Magazine - May 2018 - 107
IEEE Consumer Electronics Magazine - May 2018 - 108
IEEE Consumer Electronics Magazine - May 2018 - 109
IEEE Consumer Electronics Magazine - May 2018 - 110
IEEE Consumer Electronics Magazine - May 2018 - 111
IEEE Consumer Electronics Magazine - May 2018 - 112
IEEE Consumer Electronics Magazine - May 2018 - 113
IEEE Consumer Electronics Magazine - May 2018 - 114
IEEE Consumer Electronics Magazine - May 2018 - 115
IEEE Consumer Electronics Magazine - May 2018 - 116
IEEE Consumer Electronics Magazine - May 2018 - 117
IEEE Consumer Electronics Magazine - May 2018 - 118
IEEE Consumer Electronics Magazine - May 2018 - 119
IEEE Consumer Electronics Magazine - May 2018 - 120
IEEE Consumer Electronics Magazine - May 2018 - Cover3
IEEE Consumer Electronics Magazine - May 2018 - Cover4
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20240102
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20231112
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20230910
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20230708
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20230506
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20230304
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20230102
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20221112
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20220910
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20220708
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20220506
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20220304
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20220102
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20211112
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20210910
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20210708
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20210506
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_20210304
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_202010
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_202009
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_202007
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_202004
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_202003
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_202001
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201910
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201909
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201907
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201905
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201903
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201901
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201811
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201809
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201807
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201805
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_201803
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_july2017
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_april2017
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_january2017
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_october2016
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_july2016
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_april2016
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_january2016
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_october2015
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_july2015
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_april2015
https://www.nxtbook.com/nxtbooks/ieee/consumerelectronics_january2015
https://www.nxtbookmedia.com