How many different apps do you have on your smartphone, and how many of them require a user account to get access to their services? Did you ever think about the complexity of their password policies? Do they even guarantee strong passwords?
We are on a mission to improve the understanding of Android app development in order to enable developer tools that better suit developers’ needs. We want to gather insights into how password policies are used and implemented in Android apps. Unfortunately, extracting password policies is a non-trivial task: developers frequently use custom code, configurations, and arbitrary frameworks to deliver seamless user experiences. Hence, manual investigation is required.
A few problems you’ll be confronted with:
Much research has been carried out to investigate the security of passwords used in practice [1] [2]. Interestingly, the complexity of the passwords in use did not change over time when users were free to choose their own, mostly insecure, passwords. On the other hand, researchers found that when inappropriate password policies are put in place, the amount of wasted working time can severely impact employees’ productivity [3]. Hence, it is important to define “appropriate” password policies that are not overly complex yet still provide basic security. However, we do not have any information regarding the use of password policies in Android mobile apps.
In this seminar project, we want to explore the implementation and use of password policies in Android apps.
Your task will consist of:
[1] Morris and Thompson, Password security: A case history, 1979 (PDF)
[2] Zviran and Haga, Password security: an empirical study, 1999 (PDF)
[3] Inglesant and Sasse, The true cost of unusable password policies: password use in the wild, 2010 (PDF)