Graz University of Technology
Abstract. A wide range of mobile applications for the Android operating system require users to input sensitive data, such as PINs or
passwords. Given the ubiquitous and security-critical role of credentials,
it is paramount that programs process secrets responsibly and do not
expose them to unrelated parties. Unfortunately, users have no insight
into what happens with their data after entrusting it to an application.
In this paper, we introduce a new approach to identify and follow the
trace of user input right from the point where it enters an application. By
using a combination of static slicing in forward and backward direction,
we are able to reveal potential data leaks and can pinpoint their origin.
To evaluate the applicability of our solution, we conducted a manual and
automated inspection of security-related Android applications that process
user-entered secrets. We find that 182 out of 509 (36%) applications
insecurely store given credentials in files or pass them to a log output.
Keywords: Android Security, Password Input, Static Analysis
The paper published in the IFIP SEC 2018 confeence proceedings by Springer Verlag