{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,21]],"date-time":"2026-01-21T12:08:17Z","timestamp":1768997297189,"version":"3.49.0"},"reference-count":46,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2023,6,30]],"date-time":"2023-06-30T00:00:00Z","timestamp":1688083200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,6,30]],"date-time":"2023-06-30T00:00:00Z","timestamp":1688083200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"Universit\u00e0 del Salento"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["J Comput Virol Hack Tech"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The recent publication of the \u201cBrowser in the Middle\u201d attack has demonstrated an effective way to compromise a good number of variants of Multifactor Authentication and to control the information flow between the victim and the accessed service. That attack was mainly aimed at the victim\u2019s use of a desktop browser to access a service. The present paper shows how that attack may be extended to involve the mobile environment and how, thanks to that enhancement, the attack may also gain the persistence attribute. The new attack is named MobileApp-in-the-Middle (MAitM). 
Again, as in BitM, no installation of malware on the victim\u2019s platform is needed with MAitM.<\/jats:p>","DOI":"10.1007\/s11416-023-00484-z","type":"journal-article","created":{"date-parts":[[2023,6,30]],"date-time":"2023-06-30T13:01:31Z","timestamp":1688130091000},"page":"27-39","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["Persistent MobileApp-in-the-Middle (MAitM) attack"],"prefix":"10.1007","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4038-2317","authenticated-orcid":false,"given":"Christian","family":"Catalano","sequence":"first","affiliation":[]},{"given":"Franco","family":"Tommasi","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,6,30]]},"reference":[{"issue":"2","key":"484_CR1","doi-asserted-by":"publisher","first-page":"179","DOI":"10.1007\/s10207-021-00548-5","volume":"21","author":"F Tommasi","year":"2022","unstructured":"Tommasi, F., Catalano, C., Taurino, I.: Browser-in-the-middle (BiTM) attack. Int. J. Inf. Secur. 21(2), 179\u2013189 (2022)","journal-title":"Int. J. Inf. Secur."},{"key":"484_CR2","unstructured":"Sjouwerman, S.: Anti-MFA Phishing Attacks Are Here to Stay \u2013 Businesses Need to Prepare. SC Magazine (2022)"},{"key":"484_CR3","unstructured":"Abrams, L.: Devious Phishing Method Bypasses MFA Using Remote Access Software. Bleeping Computer (2022)"},{"key":"484_CR4","unstructured":"di Corinto, A.: Tre ricercatori italiani hanno scoperto come neutralizzare l\u2019autenticazione a due fattori. la Repubblica (2022)"},{"key":"484_CR5","unstructured":"Pirrone, G.: L\u2019autenticazione a due fattori pu\u00f2 essere violata? Wired (2022)"},{"key":"484_CR6","unstructured":"Doria, M.: L\u2019autenticazione a due fattori non \u00e8 pi\u00f9 sicura, ecco perch\u00e9. 
Tom\u2019s Hardware (2022)"},{"key":"484_CR7","doi-asserted-by":"publisher","first-page":"402","DOI":"10.1016\/j.cose.2019.07.001","volume":"86","author":"A Ahmad","year":"2019","unstructured":"Ahmad, A., Webb, J., Desouza, K.C., Boorman, J.: Strategically-motivated advanced persistent threat: definition, process, tactics and a disinformation model of counterattack. Comput. Secur. 86, 402\u2013418 (2019)","journal-title":"Comput. Secur."},{"issue":"2","key":"484_CR8","doi-asserted-by":"publisher","first-page":"1851","DOI":"10.1109\/COMST.2019.2891891","volume":"21","author":"A Alshamrani","year":"2019","unstructured":"Alshamrani, A., Myneni, S., Chowdhary, A., Huang, D.: A survey on advanced persistent threats: techniques, solutions, challenges, and research opportunities. IEEE Commun. Surv. Tutor. 21(2), 1851\u20131877 (2019)","journal-title":"IEEE Commun. Surv. Tutor."},{"issue":"11","key":"484_CR9","doi-asserted-by":"publisher","first-page":"3874","DOI":"10.3390\/app10113874","volume":"10","author":"S Quintero-Bonilla","year":"2020","unstructured":"Quintero-Bonilla, S., del Mart\u00edn Rey, A.: A new proposal on the advanced persistent threat: a survey. Appl. Sci. 10(11), 3874 (2020)","journal-title":"Appl. Sci."},{"key":"484_CR10","unstructured":"Google: Progressive web apps PWA (2022)"},{"key":"484_CR11","unstructured":"ngrok: Ngrok (2022)"},{"key":"484_CR12","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.eswa.2018.03.050","volume":"106","author":"KL Chiew","year":"2018","unstructured":"Chiew, K.L., Yong, K.S.C., Tan, C.L.: A survey of phishing attacks: their types, vectors and technical approaches. Expert Syst. Appl. 106, 1\u201320 (2018)","journal-title":"Expert Syst. Appl."},{"issue":"1","key":"484_CR13","doi-asserted-by":"publisher","first-page":"15","DOI":"10.1016\/S1361-3723(18)30007-1","volume":"2018","author":"I Vayansky","year":"2018","unstructured":"Vayansky, I., Kumar, S.: Phishing-challenges and solutions. Comput. Fraud Secur. 
2018(1), 15\u201320 (2018)","journal-title":"Comput. Fraud Secur."},{"key":"484_CR14","unstructured":"Mole, P.V.: Progressive Web Apps: A Novel Way for Cross-Platform Development. Obtenido de: https:\/\/www.researchgate.net\/publication\/344170769 (2020)"},{"key":"484_CR15","doi-asserted-by":"crossref","unstructured":"Majchrzak, T.A., Bi\u00f8rn-Hansen, A., Gr\u00f8nli, T.-M.: Progressive web apps: the definite approach to cross-platform development? (2018)","DOI":"10.24251\/HICSS.2018.718"},{"key":"484_CR16","doi-asserted-by":"crossref","unstructured":"Liu, T., Wang, H., Li, L., Bai, G., Guo, Y., Xu, G.: Dapanda: Detecting aggressive push notifications in android apps. In: 2019 34th IEEE\/ACM International Conference on Automated Software Engineering (ASE), pp. 66\u201378. IEEE (2019)","DOI":"10.1109\/ASE.2019.00017"},{"key":"484_CR17","doi-asserted-by":"crossref","unstructured":"Pande, N., Somani, A., Samal, S.P., Kakkirala, V.: Enhanced web application and browsing performance through service-worker infusion framework. In: 2018 IEEE International Conference on Web Services (ICWS), pp. 195\u2013202. IEEE (2018)","DOI":"10.1109\/ICWS.2018.00032"},{"key":"484_CR18","doi-asserted-by":"crossref","unstructured":"Gambhir, A., Raj, G.: Analysis of cache in service worker and performance scoring of progressive web application. In: 2018 International Conference on Advances in Computing and Communication Engineering (ICACCE), pp. 294\u2013299. IEEE (2018)","DOI":"10.1109\/ICACCE.2018.8441715"},{"key":"484_CR19","doi-asserted-by":"crossref","unstructured":"Malavolta, I., Procaccianti, G., Noorland, P., Vukmirovic, P.: Assessing the impact of service workers on the energy efficiency of progressive web apps. In: 2017 IEEE\/ACM 4th International Conference on Mobile Software Engineering and Systems (MOBILESoft), pp. 35\u201345. 
IEEE (2017)","DOI":"10.1109\/MOBILESoft.2017.7"},{"key":"484_CR20","unstructured":"Developer, M.: PWA installability requirements (2022)"},{"key":"484_CR21","doi-asserted-by":"crossref","unstructured":"Lee, J., Kim, H., Park, J., Shin, I., Son, S.: Pride and prejudice in progressive web apps: Abusing native app-like features in web applications. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 1731\u20131746 (2018)","DOI":"10.1145\/3243734.3243867"},{"key":"484_CR22","unstructured":"B\u0159ou\u0161ek, P.: Evaluation and Usage of Google Progressive Web Apps Technology. PhD thesis, Masarykova univerzita, Fakulta informatiky (2017)"},{"key":"484_CR23","doi-asserted-by":"publisher","first-page":"41576","DOI":"10.1109\/ACCESS.2019.2905219","volume":"7","author":"F Tommasi","year":"2019","unstructured":"Tommasi, F., Catalano, C., Fornaro, M., Taurino, I.: Mobile session fixation attack in micropayment systems. IEEE Access 7, 41576\u201341583 (2019)","journal-title":"IEEE Access"},{"key":"484_CR24","unstructured":"web.dev: Manifest (2022)"},{"key":"484_CR25","unstructured":"web.dev: Serviceworkers (2022)"},{"key":"484_CR26","unstructured":"Team, G.D.: Screen copy (2022)"},{"key":"484_CR27","unstructured":"Project, T.L.: Lineageos android distribution (2016-2022)"},{"key":"484_CR28","unstructured":"IceWreck: Lokiboard-android-keylogger (2022)"},{"key":"484_CR29","unstructured":"Microsoft: Microsoft office (2022)"},{"key":"484_CR30","unstructured":"Google: Remote debug android devices (2022)"},{"issue":"1","key":"484_CR31","doi-asserted-by":"publisher","first-page":"1","DOI":"10.3390\/cryptography2010001","volume":"2","author":"A Ometov","year":"2018","unstructured":"Ometov, A., Bezzateev, S., M\u00e4kitalo, N., Andreev, S., Mikkonen, T., Koucheryavy, Y.: Multi-factor authentication: a survey. 
Cryptography 2(1), 1 (2018)","journal-title":"Cryptography"},{"key":"484_CR32","doi-asserted-by":"crossref","unstructured":"Grimes, R.A.: Hacking multifactor authentication (2020)","DOI":"10.1002\/9781119672357"},{"key":"484_CR33","doi-asserted-by":"crossref","unstructured":"Parmar, V., Sanghvi, H.A., Patel, R.H., Pandya, A.S.: A comprehensive study on passwordless authentication. In: 2022 International Conference on Sustainable Computing and Data Communication Systems (ICSCDS), pp. 1266\u20131275. IEEE (2022)","DOI":"10.1109\/ICSCDS53736.2022.9760934"},{"key":"484_CR34","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1016\/j.infsof.2017.09.012","volume":"94","author":"I Vel\u00e1squez","year":"2018","unstructured":"Vel\u00e1squez, I., Caro, A., Rodr\u00edguez, A.: Authentication schemes and methods: a systematic literature review. Inf. Softw. Technol. 94, 30\u201337 (2018)","journal-title":"Inf. Softw. Technol."},{"issue":"8","key":"484_CR35","doi-asserted-by":"publisher","first-page":"1390","DOI":"10.1109\/TPDS.2010.206","volume":"22","author":"X Huang","year":"2010","unstructured":"Huang, X., Xiang, Y., Chonka, A., Zhou, J., Deng, R.H.: A generic framework for three-factor authentication: preserving security and privacy in distributed systems. IEEE Trans. Parallel Distrib. Syst. 22(8), 1390\u20131397 (2010)","journal-title":"IEEE Trans. Parallel Distrib. Syst."},{"key":"484_CR36","unstructured":"Iwuoha, O., Emmanuel, N., Ekwonwune, E.: Enhancing multi-factor authentication in modern computing (2017)"},{"issue":"12","key":"484_CR37","doi-asserted-by":"publisher","first-page":"46","DOI":"10.1145\/3424260","volume":"63","author":"RP Jover","year":"2020","unstructured":"Jover, R.P.: Security analysis of sms as a second factor of authentication. Commun. ACM 63(12), 46\u201352 (2020)","journal-title":"Commun. 
ACM"},{"issue":"9","key":"484_CR38","first-page":"20","volume":"127","author":"N Kaur","year":"2015","unstructured":"Kaur, N., Devgan, M.: A comparative analysis of various multistep login authentication mechanisms. Int. J. Comput. Appl. 127(9), 20\u201326 (2015)","journal-title":"Int. J. Comput. Appl."},{"key":"484_CR39","doi-asserted-by":"crossref","unstructured":"Dmitrienko, A., Liebchen, C., Rossow, C., Sadeghi, A.-R.: On the (in) security of mobile two-factor authentication. In: International Conference on Financial Cryptography and Data Security, pp. 365\u2013383. Springer (2014)","DOI":"10.1007\/978-3-662-45472-5_24"},{"key":"484_CR40","unstructured":"Schneier, B.: NIST is No Longer Recommending Two-Factor Authentication Using SMS. (2016)"},{"issue":"6","key":"484_CR41","doi-asserted-by":"publisher","first-page":"47","DOI":"10.1109\/MSEC.2021.3077954","volume":"19","author":"S Wiefling","year":"2021","unstructured":"Wiefling, S., D\u00fcrmuth, M., Iacono, L.L.: Verify it\u2019s you: how users perceive risk-based authentication. IEEE Secur. Priv. 19(6), 47\u201357 (2021)","journal-title":"IEEE Secur. Priv."},{"key":"484_CR42","doi-asserted-by":"crossref","unstructured":"Jubur, M., Shrestha, P., Saxena, N., Prakash, J.: Bypassing push-based second factor and passwordless authentication with human-indistinguishable notifications. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pp. 447\u2013461 (2021)","DOI":"10.1145\/3433210.3453084"},{"issue":"2","key":"484_CR43","doi-asserted-by":"publisher","first-page":"13","DOI":"10.3390\/fi10020013","volume":"10","author":"P Loreti","year":"2018","unstructured":"Loreti, P., Bracciale, L., Caponi, A.: Push attack: binding virtual and real identities using mobile push notifications. 
Future Internet 10(2), 13 (2018)","journal-title":"Future Internet"},{"key":"484_CR44","doi-asserted-by":"crossref","unstructured":"Eminagaoglu, M., Cini, E., Sert, G., Zor, D.: A two-factor authentication system with qr codes for web and mobile applications. In: 2014 Fifth International Conference on Emerging Security Technologies, pp. 105\u2013112 (2014). IEEE","DOI":"10.1109\/EST.2014.19"},{"key":"484_CR45","doi-asserted-by":"crossref","unstructured":"Reynolds, J., Smith, T., Reese, K., Dickinson, L., Ruoti, S., Seamons, K.: A tale of two studies: The best and worst of yubikey usability. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 872\u2013888. IEEE (2018)","DOI":"10.1109\/SP.2018.00067"},{"key":"484_CR46","doi-asserted-by":"crossref","unstructured":"Meiser, G., Laperdrix, P., Stock, B.: Careful who you trust: studying the pitfalls of cross-origin communication. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pp. 110\u2013122 (2021)","DOI":"10.1145\/3433210.3437510"}],"container-title":["Journal of Computer Virology and Hacking 
Techniques"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-023-00484-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s11416-023-00484-z\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s11416-023-00484-z.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,2,23]],"date-time":"2024-02-23T11:22:08Z","timestamp":1708687328000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s11416-023-00484-z"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,6,30]]},"references-count":46,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2024,3]]}},"alternative-id":["484"],"URL":"https:\/\/doi.org\/10.1007\/s11416-023-00484-z","relation":{},"ISSN":["2263-8733"],"issn-type":[{"value":"2263-8733","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,6,30]]},"assertion":[{"value":"12 October 2022","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"9 May 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"30 June 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflicts of interest"}},{"value":"Not applicable.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Institutional review board statement"}},{"value":"Not 
applicable.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Informed consent statement"}}]}}