Where Is the Weakest Link? A Study on Security Discrepancies Between Android Apps and Their Website Counterparts

As we move into the mobile era, many functionalities in standard web services are being re-implemented in mobile apps and services, including many security-related functionalities. However, it has been observed that security features that are standardized in the PC and web space are often not implemented correctly by app developers resulting in serious security vulnerabilities. For instance, prior work has shown that the standard SSL/TLS certificate validation logic in browsers is not implemented securely in mobile apps. In this paper, we study a related question: given that many web services are offered both via browsers/webpages and mobile apps, are there any discrepancies between the security policies of the two? To answer the above question, we perform a comprehensive study on 100 popular app-web pairs. Surprisingly, we find many discrepancies – we observe that often the app security policies are much weaker than their website counterparts. We find that one can perform unlimited number of login attempts at a high rate (e.g., 600 requests per second) from a single IP address by following the app protocol whereas the website counterpart typically blocks such attempts. We also find that the cookies used in mobile apps are generally more valuable as they do not expire as quickly as the ones used for websites and they are often stored in plaintext on mobile devices. In addition, we find that apps often do not update the libraries they use and hence vulnerabilities are often left unpatched. Through a study of 6400 popular apps, we identify 31 apps that use one or more vulnerable (unpatched) libraries. We responsibly disclosed all of our findings to the corresponding vendors and have received positive acknowledgements from them. This result is a vivid demonstration of “security is only as good as its weakest link”.