Finding Vulnerabilities in Mobile Application APIs: A Modular Programmatic Approach

• URL: http://arxiv.org/abs/2310.14137v1
• Date: Sun, 22 Oct 2023 00:08:51 GMT
• Title: Finding Vulnerabilities in Mobile Application APIs: A Modular Programmatic Approach
• Authors: Nate Haris, Kendree Chen, Ann Song, Benjamin Pou,
• Abstract summary: Application Programming Interfaces (APIs) are becoming increasingly popular to transfer data in a variety of mobile applications. These APIs often process sensitive user information through their endpoints, which are potentially exploitable due to developer mis implementation. This paper created a custom, modular endpoint vulnerability detection tool to analyze information leakage in various mobile Android applications.
• Score: 0.0
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: Currently, Application Programming Interfaces (APIs) are becoming increasingly popular to facilitate data transfer in a variety of mobile applications. These APIs often process sensitive user information through their endpoints, which are potentially exploitable due to developer misimplementation. In this paper, a custom, modular endpoint vulnerability detection tool was created and implemented to present current statistics on the degree of information leakage in various mobile Android applications. Our endpoint vulnerability detection tool provided an automated approach to API testing, programmatically modifying requests multiple times using specific information attack methods (IAMs) and heuristically analyzing responses for potentially vulnerable endpoints (PVEs). After analysis of API requests in an encompassing range of applications, findings showed that easily exploitable Broken Access Control (BAC) vulnerabilities of varying severity were common in over 50% of applications. These vulnerabilities ranged from small data leakages due to unintended API use, to full disclosure of sensitive user data, including passwords, names, addresses, and SSNs. This investigation aims to demonstrate the necessity of complete API endpoint security within Android applications, as well as provide an open source example of a modular program which developers could use to test for endpoint vulnerabilities.

Related papers

• AutoPT: How Far Are We from the End2End Automated Web Penetration Testing? [54.65079443902714]
  We introduce AutoPT, an automated penetration testing agent based on the principle of PSM driven by LLMs. Our results show that AutoPT outperforms the baseline framework ReAct on the GPT-4o mini model.
  arXiv  Detail & Related papers  (2024-11-02T13:24:30Z)
• Enabling Communication via APIs for Mainframe Applications [4.872049174955585]
  We propose a novel framework for creating APIs for legacy mainframe applications. Our approach involves identifying APIs by compiling artifacts such as transactions, screens, control flow blocks, inter-microservice calls, business rules, and data accesses. We use static analyses like liveness and reaching definitions to traverse the code and automatically compute API signatures.
  arXiv  Detail & Related papers  (2024-08-08T05:35:36Z)
• PriRoAgg: Achieving Robust Model Aggregation with Minimum Privacy Leakage for Federated Learning [49.916365792036636]
  Federated learning (FL) has recently gained significant momentum due to its potential to leverage large-scale distributed user data. The transmitted model updates can potentially leak sensitive user information, and the lack of central control of the local training process leaves the global model susceptible to malicious manipulations on model updates. We develop a general framework PriRoAgg, utilizing Lagrange coded computing and distributed zero-knowledge proof, to execute a wide range of robust aggregation algorithms while satisfying aggregated privacy.
  arXiv  Detail & Related papers  (2024-07-12T03:18:08Z)
• A Classification-by-Retrieval Framework for Few-Shot Anomaly Detection to Detect API Injection Attacks [9.693391036125908]
  We propose a novel unsupervised few-shot anomaly detection framework composed of two main parts. First, we train a dedicated generic language model for API based on FastText embedding. Next, we use Approximate Nearest Neighbor search in a classification-by-retrieval approach.
  arXiv  Detail & Related papers  (2024-05-18T10:15:31Z)
• An Investigation into Misuse of Java Security APIs by Large Language Models [9.453671056356837]
  This paper systematically assesses ChatGPT's trustworthiness in code generation for security API use cases in Java. Around 70% of the code instances across 30 attempts per task contain security API misuse, with 20 distinct misuse types identified. For roughly half of the tasks, this rate reaches 100%, indicating that there is a long way to go before developers can rely on ChatGPT to securely implement security API code.
  arXiv  Detail & Related papers  (2024-04-04T22:52:41Z)
• Object Detectors in the Open Environment: Challenges, Solutions, and Outlook [95.3317059617271]
  The dynamic and intricate nature of the open environment poses novel and formidable challenges to object detectors. This paper aims to conduct a comprehensive review and analysis of object detectors in open environments. We propose a framework that includes four quadrants (i.e., out-of-domain, out-of-category, robust learning, and incremental learning) based on the dimensions of the data / target changes.
  arXiv  Detail & Related papers  (2024-03-24T19:32:39Z)
• Prompt Engineering-assisted Malware Dynamic Analysis Using GPT-4 [45.935748395725206]
  We introduce a prompt engineering-assisted malware dynamic analysis using GPT-4. In this method, GPT-4 is employed to create explanatory text for each API call within the API sequence. BERT is used to obtain the representation of the text, from which we derive the representation of the API sequence.
  arXiv  Detail & Related papers  (2023-12-13T17:39:44Z)
• DeepfakeBench: A Comprehensive Benchmark of Deepfake Detection [55.70982767084996]
  A critical yet frequently overlooked challenge in the field of deepfake detection is the lack of a standardized, unified, comprehensive benchmark. We present the first comprehensive benchmark for deepfake detection, called DeepfakeBench, which offers three key contributions. DeepfakeBench contains 15 state-of-the-art detection methods, 9CL datasets, a series of deepfake detection evaluation protocols and analysis tools, as well as comprehensive evaluations.
  arXiv  Detail & Related papers  (2023-07-04T01:34:41Z)
• Not what you've signed up for: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection [64.67495502772866]
  Large Language Models (LLMs) are increasingly being integrated into various applications. We show how attackers can override original instructions and employed controls using Prompt Injection attacks. We derive a comprehensive taxonomy from a computer security perspective to systematically investigate impacts and vulnerabilities.
  arXiv  Detail & Related papers  (2023-02-23T17:14:38Z)
• OpenAPI Specification Extended Security Scheme: A method to reduce the prevalence of Broken Object Level Authorization [0.0]
  API Security is a topic for concern given the absence of standardized authorization in the OpenAPI standard. This paper examines the number one vulnerability in API Security: Broken Object Level Authorization(BOLA)
  arXiv  Detail & Related papers  (2022-12-13T14:28:06Z)
• mPSAuth: Privacy-Preserving and Scalable Authentication for Mobile Web Applications [0.0]
  mPSAuth is an approach for continuously tracking various data sources reflecting user behavior and estimating the likelihood of the current user being legitimate. We show that mPSAuth can provide high accuracy with low encryption and communication overhead, while the effort for the inference is increased to a tolerable extent.
  arXiv  Detail & Related papers  (2022-10-07T12:49:34Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.