Are Android Apps Being Protected Well Against Attacks?

Authentication is the most pervasive means for developers to protect users' private data against attacks while using mobile applications. Incorrect implementations of authentication make users' accounts vulnerable to several attacks such as eavesdropping attacks, reply attacks, and man-inthe- middle attacks, and thus break the first line of defense in securing mobile services. To solve this problem, we design a system that learns patterns from authentication bugs, and identifies incorrect authentication implementations from mobile applications. By conducting a static analysis, our system extracts control and data dependencies for further pattern learning and utilizes a machine learning algorithm to build a classification model. To distinguish whether an application contains any authentication bugs, we take the unknown application as an input and recognize the vulnerable patterns. To evaluate the accuracy of our system, we collected 1200 Android applications from the official Google Play store, representing a variety of categories. We compare our system with MalloDroid, a state-of-the-art tool for SSL/ TLS authentication bug detection. Our system successfully identifies 691 SSL/TLS authentication bugs with precision, recall, and F1 value as 52.75, 93.89, and 67.55 percent, respectively.