IEEE Consumer Electronics Magazine - May 2018 - 54

We can measurably boost
the difficulty of the attack by
increasing the number of candidate
paths for the credential data.
credential data from many possible different combinations
of candidate fields within three attempts. If the number of
consecutive failed attempts from a device is greater than
three, automatic login attempts from the same device could
be ignored or prohibited.

BLOCKING ROOTED DEVICES
To perform a user credential cloning attack, a culprit's malware needs to access the target app's files that store the user
credential data in the application. The Android platform,
however, implements a sandboxing mechanism to negate
such risks by protecting files owned by one app from other
applications. Therefore, the constraint in the sandbox must
first be removed or bypassed to execute a user credential
cloning attack.
Rooting is the simplest way to bypass the Android platform's sandbox mechanism for performing user credential
cloning attacks. On a rooted device, the attacker's application
can simply attain the root access with a single line of code,
e.g., Runtime.exec("su"). Thus, our first line of defense
should be to use rooting prevention mechanisms, although it
is questionable whether existing antirooting solutions are
effective in practice [16].

USING NOTIFICATION MESSAGES
FOR AUTOMATIC LOGIN
We can simply deploy a warning notification system for automatic login at the server side. That is, whenever an automatic
login attempt is processed, the application server can send a
simple push notification to the user's application to verify
that the automatic login function was invoked by the rightful
person or used illegally by someone else, even when the
rightful person is not using that application. If the rightful
person is not aware of the automatic login attempt, he or she
can take an action immediately to report this suspicious login
activity to the application server.
We do not claim that this is a perfect solution that can
completely thwart user cloning attacks. But this strategy
may likely be effective for users with a high awareness of
security issues, without incurring a significant implementation cost.

ETHICAL CONSIDERATIONS
The main goal of our experiment was not to damage Starbucks and MOCI's business or reputation. As can be seen
from the previous sections, we simply aimed to identify security risks associated with the automatic login feature on
54 IEEE Consumer Electronics Magazine

MAy 2018

Android devices and recommend practical mitigation solutions to make it difficult for attackers to perform effective
user credential cloning attacks.

RELATED WORK
The automatic login feature widely employed on Android [17]
can allow an attacker to steal user credential information and
impersonate a victim [18]. By default, Android protects an
application's private data, such as user credentials, using a
sandbox policy. However, malware having the root privilege
can access those data. According to an official report from
Google [8], 5.6% of all Android devices were rooted. Furthermore, Android devices can be forcibly rooted through a security vulnerability [9], [16] by such means as a rootkit [19]. In
theory, a secure storage facility can be used to prevent theft of
user credential information, even from an attacker who has the
root privilege. In practice, however, it is not easy to equip
mobile devices with a secure storage facility. Hardware-based
data protection would be ideal, but we cannot mandate that
everyone use mobile devices that are furnished with a hardware cryptochip, e.g., ARM TrustZone [20] or Trusted Platform Module [21].
The Open Web Application Security Project (OWASP)
introduced this insecure storage issue as one of the top ten
mobile security risks [22]. King [23] showed that user credentials stored in the Android app FourGoat, which was
developed by OWASP for educating developers and testers
about Android security, can be easily obtained by anyone
with physical access to the Android device.
Recently, Choi et al. [24] detailed the feasibility of user
credential cloning attacks against social networking applications, such as Google Account and Facebook, in the Android
platform. Park et al. [25] also showed that credential information can be extracted from instant messenger applications,
even though the apps deployed several defense mechanisms,
such as code signing and device authentication. All of those
attacks required the installation of a malicious application
with the root permission. We extend their work into a more
generalized attack model for developing the automatic user
credential cloning attack framework; while previous studies
[24], [25] focused on specific applications through reverseengineering them, we present a generic procedure for user
credential cloning attacks that comprises four main steps
(see the "User Credential Cloning Attack" section).

CONCLUSION
It is a cumbersome task for smartphone users to type their
passwords on smartphones with the small keyboards provided. Therefore, people frequently accomplish the login procedure for Android applications by exploiting the option of
using automatic login via user credentials stored in these
applications rather than by physically keying in user passwords. However, this feature could be dangerous. According
to our observations and analysis, real-world applications
from the Google Play Store are potentially exposed to user
credential cloning attacks.

Table of Contents for the Digital Edition of IEEE Consumer Electronics Magazine - May 2018