Automatically Detecting Checked-In Secrets in Android Apps: How Far Are We?
- URL: http://arxiv.org/abs/2412.10922v1
- Date: Sat, 14 Dec 2024 18:14:25 GMT
- Title: Automatically Detecting Checked-In Secrets in Android Apps: How Far Are We?
- Authors: Kevin Li, Lin Ling, Jinqiu Yang, Lili Wei,
- Abstract summary: Developers often overlook the proper storage of such secrets, opting to put them directly into their projects.
Checked-in secrets are checked into the projects and can be easily extracted and exploited by malicious adversaries.
Unlike open-source projects, the lack of direct access to the source code and the presence of obfuscation complicates the checked-in secret detection for Android apps.
- Score: 4.619114660081147
- License:
- Abstract: Mobile apps are predominantly integrated with cloud services to benefit from enhanced functionalities. Adopting authentication using secrets such as API keys is crucial to ensure secure mobile-cloud interactions. However, developers often overlook the proper storage of such secrets, opting to put them directly into their projects. These secrets are checked into the projects and can be easily extracted and exploited by malicious adversaries. While many researchers investigated the issue of checked-in secret in open-source projects, there is a notable research gap concerning checked-in secrets in Android apps deployed on platforms such as Google Play Store. Unlike open-source projects, the lack of direct access to the source code and the presence of obfuscation complicates the checked-in secret detection for Android apps. This motivates us to conduct an empirical analysis to measure and compare the performance of different checked-in secret detection tools on Android apps. We first conducted a literature review to find all the checked-in secret detection tools that can be applied to Android apps. Then, we evaluate three representative tools on 5,135 Android apps, comparing their performance and analyzing their limitations. Our experiment reveals 2,142 checked-in secrets affecting 2,115 Android apps. We also disclose that the current checked-in secret detection techniques suffer from key limitations. All of the evaluated tools can miss a significant number of checked-in secrets in Android apps. Nevertheless, we observed that the tools are complimentary, suggesting the possibility of developing a more effective checked-in secret detection tool by combining their insights. Additionally, we propose that analyzing string groups within methods containing checked-in secrets may provide a more effective strategy to overcome obfuscation challenges.
Related papers
- How Far are App Secrets from Being Stolen? A Case Study on Android [9.880229355258875]
Android apps can hold secret strings of themselves such as cloud service credentials or encryption keys.
Leakage of such secret strings can induce unprecedented consequences like monetary losses or leakage of user private information.
This study characterizes app secret leakage issues based on 575 potential app secrets sampled from 14,665 popular Android apps on Google Play.
arXiv Detail & Related papers (2025-01-14T03:15:31Z) - Secret Breach Prevention in Software Issue Reports [2.8747015994080285]
This paper presents a novel technique for secret breach detection in software issue reports.
We highlight the challenges posed by noise, such as log files, URLs, commit IDs, stack traces, and dummy passwords.
We propose an approach combining the strengths of state-of-the-artes with the contextual understanding of language models.
arXiv Detail & Related papers (2024-10-31T06:14:17Z) - A Large-Scale Privacy Assessment of Android Third-Party SDKs [17.245330733308375]
Third-party Software Development Kits (SDKs) are widely adopted in Android app development.
This convenience raises substantial concerns about unauthorized access to users' privacy-sensitive information.
Our study offers a targeted analysis of user privacy protection among Android third-party SDKs.
arXiv Detail & Related papers (2024-09-16T15:44:43Z) - AssetHarvester: A Static Analysis Tool for Detecting Secret-Asset Pairs in Software Artifacts [4.778835435164734]
We present AssetHarvester, a static analysis tool to detect secret-asset pairs in a repository.
We curated a benchmark of 1,791 secret-asset pairs of four database types extracted from 188 public repositories to evaluate the performance of AssetHarvester.
Our findings indicate that data flow analysis employed in AssetHarvester detects secret-asset pairs with 0% false positives and aids in improving recall of secret detection tools.
arXiv Detail & Related papers (2024-03-28T00:24:49Z) - A Comparative Study of Software Secrets Reporting by Secret Detection
Tools [5.9347272469695245]
According to GitGuardian's monitoring of public GitHub repositories, secrets continued accelerating in 2022 by 67% compared to 2021.
We present an evaluation of five open-source and four proprietary tools against a benchmark dataset.
The top three tools based on precision are: GitHub Secret Scanner (75%), Gitleaks (46%), and Commercial X (25%), and based on recall are: Gitleaks (88%), SpectralOps (67%) and TruffleHog (52%)
arXiv Detail & Related papers (2023-07-03T02:32:09Z) - SalienDet: A Saliency-based Feature Enhancement Algorithm for Object
Detection for Autonomous Driving [160.57870373052577]
We propose a saliency-based OD algorithm (SalienDet) to detect unknown objects.
Our SalienDet utilizes a saliency-based algorithm to enhance image features for object proposal generation.
We design a dataset relabeling approach to differentiate the unknown objects from all objects in training sample set to achieve Open-World Detection.
arXiv Detail & Related papers (2023-05-11T16:19:44Z) - Black-box Dataset Ownership Verification via Backdoor Watermarking [67.69308278379957]
We formulate the protection of released datasets as verifying whether they are adopted for training a (suspicious) third-party model.
We propose to embed external patterns via backdoor watermarking for the ownership verification to protect them.
Specifically, we exploit poison-only backdoor attacks ($e.g.$, BadNets) for dataset watermarking and design a hypothesis-test-guided method for dataset verification.
arXiv Detail & Related papers (2022-08-04T05:32:20Z) - SPAct: Self-supervised Privacy Preservation for Action Recognition [73.79886509500409]
Existing approaches for mitigating privacy leakage in action recognition require privacy labels along with the action labels from the video dataset.
Recent developments of self-supervised learning (SSL) have unleashed the untapped potential of the unlabeled data.
We present a novel training framework which removes privacy information from input video in a self-supervised manner without requiring privacy labels.
arXiv Detail & Related papers (2022-03-29T02:56:40Z) - Analysis of Longitudinal Changes in Privacy Behavior of Android
Applications [79.71330613821037]
In this paper, we examine the trends in how Android apps have changed over time with respect to privacy.
We examine the adoption of HTTPS, whether apps scan the device for other installed apps, the use of permissions for privacy-sensitive data, and the use of unique identifiers.
We find that privacy-related behavior has improved with time as apps continue to receive updates, and that the third-party libraries used by apps are responsible for more issues with privacy.
arXiv Detail & Related papers (2021-12-28T16:21:31Z) - Mind the GAP: Security & Privacy Risks of Contact Tracing Apps [75.7995398006171]
Google and Apple have jointly provided an API for exposure notification in order to implement decentralized contract tracing apps using Bluetooth Low Energy.
We demonstrate that in real-world scenarios the GAP design is vulnerable to (i) profiling and possibly de-anonymizing persons, and (ii) relay-based wormhole attacks that basically can generate fake contacts.
arXiv Detail & Related papers (2020-06-10T16:05:05Z) - Efficient Intent Detection with Dual Sentence Encoders [53.16532285820849]
We introduce intent detection methods backed by pretrained dual sentence encoders such as USE and ConveRT.
We demonstrate the usefulness and wide applicability of the proposed intent detectors, showing that they outperform intent detectors based on fine-tuning the full BERT-Large model.
We release our code, as well as a new challenging single-domain intent detection dataset.
arXiv Detail & Related papers (2020-03-10T15:33:54Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.