Are Android Apps Being Protected Well Against Attacks?
IEEE Wireless Communications (IF 10.9), Pub Date: 2020-06-12, DOI: 10.1109/mwc.001.1900432
Siqi Ma, Yang Liu, Surya Nepal

Authentication is the most pervasive means for developers to protect users' private data against attacks while using mobile applications. Incorrect implementations of authentication make users' accounts vulnerable to several attacks such as eavesdropping attacks, replay attacks, and man-in-the-middle attacks, and thus break the first line of defense in securing mobile services. To solve this problem, we design a system that learns patterns from authentication bugs, and identifies incorrect authentication implementations from mobile applications. By conducting a static analysis, our system extracts control and data dependencies for further pattern learning and utilizes a machine learning algorithm to build a classification model. To distinguish whether an application contains any authentication bugs, we take the unknown application as an input and recognize the vulnerable patterns. To evaluate the accuracy of our system, we collected 1200 Android applications from the official Google Play store, representing a variety of categories. We compare our system with MalloDroid, a state-of-the-art tool for SSL/TLS authentication bug detection. Our system successfully identifies 691 SSL/TLS authentication bugs with precision, recall, and F1 value as 52.75, 93.89, and 67.55 percent, respectively.

Updated: 2020-06-12