Study on the Improvement about User Authentication of Android Third Party Application Through the Vulnerability in Google Voice

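  • 이세영 (College of Information and Communication Engineering, Sungkyunkwan University) ;
  • 박재균 (College of Information and Communication Engineering, Sungkyunkwan University) ;
  • 홍성대 (College of Information and Communication Engineering, Sungkyunkwan University) ;
  • 최형기 (College of Information and Communication Engineering, Sungkyunkwan University)
  • Received : 2014.08.22
  • Reviewed : 2014.10.14
  • Published : 2015.01.15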

Abstract

Third party applications account for a large share of the Android market, yet little research has addressed their security. Mobile Voice over IP (VoIP) applications are among the most widely used of these third party applications. In this paper, we examine the user authentication structure of three representative third party applications that integrate with the Google Voice service. Within the Android file system structure, we trace how account information is passed through the files that store user account information, and we show the vulnerability in the method currently in use and the risks that can arise from it. Finally, we propose an improved user authentication mechanism that uses an elliptic curve Diffie-Hellman key exchange and hash chaining.

Cited by

  1. A study on novel filtering and relationship between input-features and target-vectors in a deep learning model for stock price prediction vol.49, pp.3, 2019, https://doi.org/10.1007/s10489-018-1308-x