摘要:
today mobile apps are everywhere. typically, they have to connect to remote services to be really useful. unfortunately, both the mobile apps and the remote services can be poorly engineered and they may contain various vulnerabilities that undermine users’ security and privacy. a significant amount of research efforts in the community has focused on vetting the vulnerabilities in the mobile apps. however, little attention has targeted on the remote services. in this talk, i will present a line of research that automatically identifies the vulnerabilities of remote services through mobile app analysis. in particular, i will first present autoforge that is able to automatically generate server request messages even with cryptographic constraints such that authentication vulnerabilities can be identified. then, i will describe authscope that identifies the authorization vulnerabilities via differential analysis. finally, i will talk about leakscope that identifies the data leakage vulnerabilities in the cloud from mobile apps. with these tools and techniques, tens of thousands of vulnerabilities in the remote services