IEEE Consumer Electronics Magazine - May 2018 - 51

contents of the changed files. The culprit can implement this
step by systematically testing every possible combination of
fields or manually inspecting the fields until a set of the fields
related to the user account is discovered. This task may be
relatively slow compared to the others, but it must be performed only once.
Figure 2 shows an overview of the user credential cloning
attack. We assume that both the target and the malware are
installed on the victim's smartphone. The malicious application extracts the victim's user credential data files from the
target app's storage and uploads them to the malefactor's
remote server. Finally, the credential files located at the
attacker's smartphone are replaced or updated with the victim's credential files.

CASE STUDIES
In this article, we show the feasibility of the user credential
cloning attack through case studies involving two Android
applications. We chose the Starbucks and MOCI apps in particular and tested their security against our attack because
these two are among the most widely used in each category
(mobile commerce and social media) and also provide an
automatic login feature that is configured by default.
In our experiment with those applications, we used two
Android devices: 1) a rooted Google Nexus 5, running
Android 6.0, in the role of the victim's device ^ D victimh and 2)
a rooted Google Nexus 5X, running Android 7.1, as the culprit's device ^ D attacker h . We also used a PC, which fulfilled the
role of the attacker's server ^S attacker h .

STARBUCKS
We first performed a user credential cloning attack on the
Starbucks application. Our implementation followed the procedure described in the "User Credential Cloning Attack"
section. After triggering the automatic login with different
user accounts on the app, we attempted to observe which
storage files in the application were changed and then found
that there were several changes in the Shared Preferences file (com.starbucks.co_preferences.
xml). An example of this file is presented in Figure 3. We

The Starbucks and MOCI apps are
among the most widely used in
each category (mobile commerce
and social media).
can see that basic user account information-the user identification, MD5 hash of the user password, user's name, mileage points, the application's unique device ID (UDID),
number of coupons, Starbucks card number, and so forth-is
included in the file. (In Figure 3, we present some fields, e.g.,
the hash of the password, with fake data instead of a user's
original data.) Among these fields, we identified in particular
those necessary for automatic login by repeatedly replacing
parts randomly selected from all of the changed fields with
another user account's contents until automatic login was
successfully processed. The identified fields are as follows:
LOGIN_USER_NICKNAME_INFO_ID, LOGIN_PASSWORD_INFO_ID, LOGIN_REAL_NICKNAME_INFO_
ID, LOGIN_REAL_NICKNAME_USE_ID, and LOG
IN_ID_INFO_ID.
We implemented an Android application and installed it
on ^ D victimh to copy the Shared Preferences file into external
storage and upload it in ^ D victimh for ^S attacker h . When the file
was uploaded, we extracted from it the values of the five
necessary fields. With these values extracted from ^ D victimh,
we updated the same five fields in the Shared Preferences
file on D attacker via Android Debug Bridge (ADB), which is a
debug support tool for communication between a host and
an Android device. Note that all of the steps can be processed automatically within a few seconds. After successfully completing all the tasks, we could log in to the
Starbucks app on D attacker with the user account used in
D victim . Figure 4 shows the attack results before and after
performing a user credential cloning attack on the Starbucks
application. In this figure, we can see that different account
information is displayed according to which user credential
data are used.

com.starbucks.co
_preferences.xml
Overwrite
Information

Transmit
Preferences File
Attacker's Server

Victim's
Preferences
File

Attacker's
Preferences
File

Victim's
Smartphone

Attacker's
Smartphone

FIGURE 2. An overview of a user credential cloning attack.

MAy 2018

IEEE Consumer Electronics Magazine

Table of Contents for the Digital Edition of IEEE Consumer Electronics Magazine - May 2018