CCS2017

AUTHSCOPE: Towards Automatic Discovery of Vulnerable Authorizations in Online Services

Chaoshun Zuo, Qingchuan Zhao, Zhiqiang Lin

59 citations

Abstract

When accessing online private resources (e.g., user profiles, photos, shopping carts) from a client (e.g., a desktop web browser or a mobile app), the service providers must implement proper access control, which typically involves both authentication and authorization. However, not all service providers follow best practice, resulting in various access control vulnerabilities. To understand such a threat at a large scale, and to identify the vulnerable access control implementations in online services, this paper introduces AuthScope, a tool that is able to automatically execute a mobile app and pinpoint the vulnerable access control implementations, particularly the vulnerable authorizations, in the corresponding online service. The key idea is to use differential traffic analysis to recognize the protocol fields and then automatically substitute the fields and observe the server response. One of the key challenges for a large-scale study lies in how to obtain the post-authentication request-and-response messages for a given app. We have thus developed a targeted dynamic activity explorer to perform an in-context analysis and drive the app execution to automatically log in to the service. We have tested AuthScope with 4,838 popular mobile apps from Google Play, and identified 597 0-day vulnerable authorizations that map to 306 apps.
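The following is an added illustration of the differential-traffic-analysis idea described above; it is not AuthScope's own code and does not reproduce the paper's tool. It assumes a hypothetical profile endpoint with field names (`uid`, `token`, `lang`, `v`) chosen for the example, uses constructed traffic for two accounts, and stands in for the online service with two mock back ends: one that authenticates the session but never checks that the requested `uid` belongs to the caller, and one that does. Fields whose values differ between the two accounts are candidates for user-bound identifiers; each candidate is substituted into the attacker's request while the attacker's own credential is kept, and the endpoint is flagged when the server hands back the victim's recorded private response.

```python
"""Miniature differential traffic analysis for vulnerable authorizations.

Added example; hypothetical endpoint and field names; constructed traffic.
"""
from copy import deepcopy

# Constructed post-login traffic for two accounts of a hypothetical app.
# Each account: the login response (which carries its credential) and one
# post-login request/response pair for the same profile endpoint.
TRAFFIC = {
    "alice": {
        "login_response": {"token": "tok-alice-7f3a"},
        "request": {"endpoint": "/api/profile",
                    "body": {"uid": "1001", "token": "tok-alice-7f3a",
                             "lang": "en", "v": "3.2"}},
        "response": {"uid": "1001", "email": "alice@example.com"},
    },
    "bob": {
        "login_response": {"token": "tok-bob-c91e"},
        "request": {"endpoint": "/api/profile",
                    "body": {"uid": "1002", "token": "tok-bob-c91e",
                             "lang": "en", "v": "3.2"}},
        "response": {"uid": "1002", "email": "bob@example.com"},
    },
}

# --- two mock back ends standing in for the online service ----------------
PROFILES = {"1001": {"uid": "1001", "email": "alice@example.com"},
            "1002": {"uid": "1002", "email": "bob@example.com"}}
TOKEN_OWNER = {"tok-alice-7f3a": "1001", "tok-bob-c91e": "1002"}


def vulnerable_server(body):
    """Authenticates the token but authorizes nothing: any valid session may read any uid."""
    if body.get("token") not in TOKEN_OWNER:
        return {"error": "unauthenticated"}
    return PROFILES.get(body.get("uid"), {"error": "not found"})


def hardened_server(body):
    """Authenticates, then checks that the requested uid belongs to the session owner."""
    owner = TOKEN_OWNER.get(body.get("token"))
    if owner is None:
        return {"error": "unauthenticated"}
    if body.get("uid") != owner:
        return {"error": "forbidden"}
    return PROFILES[owner]


# --- differential traffic analysis ------------------------------------------
def credential_fields(account):
    """Request fields whose value was handed out at login are treated as the
    credential and are never substituted (assumption of this example: the
    session token is the only value the login response issues)."""
    issued = {str(v) for v in account["login_response"].values()}
    return {k for k, v in account["request"]["body"].items() if str(v) in issued}


def differing_fields(req_a, req_b):
    """Keys present in both requests whose values differ between accounts:
    the candidates for user-bound identifiers (shared constants such as
    lang/v drop out automatically)."""
    a, b = req_a["body"], req_b["body"]
    return {k for k in a.keys() & b.keys() if a[k] != b[k]}


def find_vulnerable_authorizations(server, traffic, attacker="bob", victim="alice"):
    """Substitute each candidate field of the victim into the attacker's
    request (keeping the attacker's own credential), replay it, and report
    (endpoint, field) pairs for which the server returns the victim's
    recorded private response."""
    atk, vic = traffic[attacker], traffic[victim]
    candidates = differing_fields(atk["request"], vic["request"]) - credential_fields(atk)
    findings = []
    for field in sorted(candidates):
        probe = deepcopy(atk["request"]["body"])
        probe[field] = vic["request"]["body"][field]
        if server(probe) == vic["response"]:
            findings.append((atk["request"]["endpoint"], field))
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_vulnerable_authorizations(vulnerable_server, TRAFFIC))
    print("hardened:  ", find_vulnerable_authorizations(hardened_server, TRAFFIC))
```

The comparison against the victim's recorded response is the oracle: a mere 200 status would also fire on an error page or on the attacker's own data, so the probe only counts when the server returns exactly what the victim received. Excluding the credential field matters for the same reason, since replaying the victim's token would legitimately return the victim's data and prove nothing about authorization.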