AppCracker: Widespread Vulnerabilities in User and Session Authentication in Mobile Apps

Fangda Cai, Hao Chen, Yuanyi Wu and Yuan Zhang

Abstract. A fundamental security principle in developing networked applications is end-to-end security: the confidentiality and integrity of data transmitted over the network must not depend on the security of the network itself. In response to the ever-increasing traffic from mobile apps, WiFi networks are spreading fast and widely. Since WiFi networks are unregulated, a passive attacker may eavesdrop on the traffic of an open WiFi network, while an active attacker may set up a WiFi network of their own and modify its traffic at will. In theory, end-to-end security should protect mobile apps from both attacks; in practice, the situation is far less rosy. We examine how popular, important mobile apps on Chinese Android markets defend themselves against untrusted networks. We select top apps from major categories, such as online shopping, banking, social networks and travel services, as well as apps from companies with very large market capitalization. We analyze both their code and their network traffic to identify vulnerabilities. We design a mini-language for describing the vulnerabilities and develop a tool, AppCracker, that launches both passive and active attacks on these apps to verify them. AppCracker has confirmed that 100 apps from 69 companies are vulnerable during user or session authentication. These vulnerabilities allow an adversary to capture the victim's login credentials or to hijack the victim's session. We describe these diverse types of vulnerabilities, many of which are caused by the misuse of cryptography in home-grown cryptographic protocols. Finally, we discuss the lessons learned during our investigation to help app developers avoid similar pitfalls. We hope that our findings will raise awareness of this problem among both the research community and app developers, and will encourage research on automated tools for detecting these vulnerabilities.
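The abstract's central principle, that confidentiality and integrity must not rely on the network, can be made concrete with a small simulation. The following is an added illustration written for this page; it is not AppCracker, not code from the paper, and not the protocol of any app the authors studied. It assumes a pre-shared secret between app and server (the role a TLS session key plays in a real deployment), a constructed sample login message, and an HMAC-SHA256 counter-mode stream cipher used only because the Python standard library ships no block cipher. The network is modelled by two attackers from the abstract: a passive eavesdropper that records frames, and an active access point that flips bytes in transit. Sending credentials in the clear leaks them to the eavesdropper and lets the active attacker alter the login undetected; wrapping the same message in encrypt-then-MAC protection makes both attacks fail regardless of what the network does.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample login message; not captured from any real app.
LOGIN = b"user=alice&password=hunter2"

# Hypothetical secret the app and server share out of band. In a real app this is
# the TLS session key; here it is an assumption of the example.
SHARED_SECRET = b"app-and-server-agree-on-this-out-of-band"


class Eavesdropper:
    """Passive attacker on an open WiFi network: records every frame it relays."""

    def __init__(self) -> None:
        self.seen: list[bytes] = []

    def relay(self, frame: bytes) -> bytes:
        self.seen.append(frame)
        return frame


class Tamperer:
    """Active attacker running the access point: flips one byte of each frame."""

    def __init__(self, offset: int, mask: int = 0x01) -> None:
        self.offset, self.mask = offset, mask

    def relay(self, frame: bytes) -> bytes:
        buf = bytearray(frame)
        buf[self.offset] ^= self.mask
        return bytes(buf)


def derive_keys(secret: bytes) -> tuple[bytes, bytes]:
    """Split one shared secret into independent encryption and MAC keys."""
    return (hmac.new(secret, b"enc", hashlib.sha256).digest(),
            hmac.new(secret, b"mac", hashlib.sha256).digest())


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: a demo stream cipher, chosen only
    because the standard library has no block cipher. Not for production use."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Frame layout: nonce(16) || ciphertext || tag(32)."""
    k_enc, k_mac = derive_keys(secret)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(secret: bytes, frame: bytes) -> bytes | None:
    """Verify the tag (constant-time compare) before decrypting; None means reject."""
    k_enc, k_mac = derive_keys(secret)
    if len(frame) < 16 + 32:
        return None
    nonce, ct, tag = frame[:16], frame[16:-32], frame[-32:]
    expected = hmac.new(k_mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


def login_over_plaintext(attacker) -> bytes:
    """The app sends credentials in the clear; the server trusts whatever arrives."""
    return attacker.relay(LOGIN)


def login_end_to_end(attacker) -> bytes | None:
    """The app protects the message itself, so the network's behaviour is irrelevant."""
    return unprotect(SHARED_SECRET, attacker.relay(protect(SHARED_SECRET, LOGIN)))


def demo() -> dict:
    """Run both attackers against both designs and report what each achieved."""
    passive_plain, passive_e2e = Eavesdropper(), Eavesdropper()
    # Byte 5 is the 'a' of 'alice' in the clear; in the protected frame it falls
    # inside the nonce, which the tag also covers.
    active = Tamperer(offset=LOGIN.index(b"alice"))
    # Byte 21 of the protected frame lies in the (malleable) ciphertext region.
    active_ct = Tamperer(offset=16 + LOGIN.index(b"alice"))
    login_over_plaintext(passive_plain)
    server_e2e = login_end_to_end(passive_e2e)
    return {
        "passive_plain_leaks_password": b"hunter2" in passive_plain.seen[0],
        "passive_e2e_leaks_password": any(b"hunter2" in f for f in passive_e2e.seen),
        "server_e2e_recovers_login": server_e2e == LOGIN,
        "active_plain_accepted_modified": login_over_plaintext(active) != LOGIN,
        "active_e2e_rejected": login_end_to_end(active) is None,
        "active_e2e_ciphertext_flip_rejected": login_end_to_end(active_ct) is None,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the two `Tamperer` instances is that the stream cipher on its own is malleable: flipping a ciphertext bit flips the corresponding plaintext bit, exactly the kind of property a home-grown protocol that encrypts without authenticating would expose. The tag, computed over nonce and ciphertext and checked before any decryption, is what turns the design into end-to-end security in the abstract's sense.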