The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based Mobile Backends

Cited by: 0
Authors
Alrawi, Omar [1 ]
Zuo, Chaoshun [2 ]
Duan, Ruian [1 ]
Kasturi, Ranjita Pai [1 ]
Lin, Zhiqiang [2 ]
Saltaformaggio, Brendan [1 ]
Affiliations
[1] Georgia Inst Technol, Atlanta, GA 30332 USA
[2] Ohio State Univ, Columbus, OH 43210 USA
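Keywords
DOI
Not available
Chinese Library Classification number
TP [Automation technology, computer technology];
Subject classification number
0812 ;
Abstract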
Cloud backends provide essential features to the mobile app ecosystem, such as content delivery, ad networks, analytics, and more. Unfortunately, app developers often disregard or have no control over prudent security practices when choosing or managing these services. Our preliminary study of the top 5,000 Google Play Store free apps identified 983 instances of N-day and 655 instances of 0-day vulnerabilities spanning across the software layers (OS, software services, communication, and web apps) of cloud backends. The mobile apps using these cloud backends represent between 1M and 500M installs each and can potentially affect hundreds of thousands of users. Further, due to the widespread use of third-party SDKs, app developers are often unaware of the backends affecting their apps and where to report vulnerabilities. This paper presents SkyWalker, a pipeline to automatically vet the backends that mobile apps contact and provide actionable remediation. For an input APK, SkyWalker extracts an enumeration of backend URLs, uses remote vetting techniques to identify software vulnerabilities and responsible parties, and reports mitigation strategies to the app developer. Our findings suggest that developers and cloud providers do not have a clear understanding of responsibilities and liabilities in regards to mobile app backends that leave many vulnerabilities exposed.
Pages: 551-566
Number of pages: 16