SlideShare uma empresa Scribd logo

Reading Group Presentation: Why Eve and Mallory Love Android

Michael Rushanan
Michael Rushanan

This presentation contains multiple pointers to academic research pertaining to Android and its security model. I presented these works to a weekly Security and Privacy reading group. The academic proceeding can be found here: www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf

Educação
1 de 43
Why  Eve  and  Mallory  Love   Android   An  Analysis  of  Android  SSL  (In)Security  
WARNING   •  The  views  presented  in  this  presentaAon  are  my  own  and   do  not  express  the  views  of  the  Johns  Hopkins  University.   •  The  content  presented  in  this  presentaAon  was  extracted   from  mulAple  academic  conference  proceedings.   •  Most  pictorial  references  were  shamelessly  collected  from   the  internet  and  presented  without  reference.  If  you  find   your  image  and  wish  to  request  that  I  provide  a  reference,   please  email  me  at  the  address  provided  on  my  website:   michaelrushanan.org.  
Building  Our  Story   •  There  once  was  a  mobile  device  called  Android…   •  2012  market  share  forecasts  of  48%  and   400,000+  apps  (or  so  says  our  authors)…   •  Everyone  believed  Android  to  be  safe  because  it   uAlized  Java  for  its  applicaAon  development   language,  runs  inside  an  isolated  (sandboxed)   virtual  machine,  follows  a  unix-­‐based  permissions   model,  exposes  a  wonderful  API  for  secure   methods  and  cryptography.    
Developers  Are  Idiots   •  Or  completely  malicious  geniuses!   •  Case  in  point:   –  ApplicaAon  Developers  seemingly  don’t  understand  the  less-­‐is-­‐ more  paradox  for  se`ng  permissions.   –  Manufacturers  allow  devices  to  stagnate  by  not  supporAng   latest  OS  releases.   –  The  android  runAme  supports  a  range  of  APIs  by  exposing   runAme  arguments  for  validaAng  the  current  API.   –  *SIGH*  People  sAll  implement  their  own,  already  provided,   methods.  For  example,  extending  the  SSLSocketFactory  class.  
My  Advice  to  the  UI  Class   String   BRICK   Required  to  be  able  to  disable  the  device  (very   dangerous!).       String   CAMERA   Required  to  be  able  to  access  the  camera   device.       String   READ_SMS   Allows  an  applicaAon  to  read  SMS  messages.        
Why  Should  Fruit  Ninja…   •  Have  access  to  your  phone  state?   •  Be  able  to  read  SMS?     •  Access  your  camera?  
Android  Security   •  Trend  Micro  reported  17  malicious  apps   discovered  in  the  Google  Play  Store.   •  Six  of  these  apps  contained  a  reused  snippet   of  code  –  Plankton.  Ten  the  year  prior.   •  Plankton…   –  Enables  the  app  to  connect  to  a  set  of  command   and  control  servers.   –  Collects  user’s  browsing  history,  bookmarks,  and   device  informaAon  (that  really  doesn’t  sound  that  bad).  
Malicious  App  Stats  
WARNING:  It’s  About  to  Get  Real   •  Prior  to  jumping  straight  into  current  Android   research,  I’d  like  to  point  out  something.  
ExtrapolaAng  the  Experimental   Method  for  evaluaAng  Android  Apps   •  You  take  a  handful  of  apps,  usually  the  free   ones.   •  Introduce  some  new  component.   •  Perform  some  analysis.   •  Uncover  some  horrible  truth.   •  Consider  implicaAons  and  make  suggesAons.  
A  Study  of  Android  ApplicaAon   Security   •  William  Enck  et  al.  
Android  App  Security   •  “1,100  Popular  Free  Apps  examined.”   •  “ded  decompiler  used  to  recover  Android  applicaAon  source  code   directly  from  installaAon  image.”   •  “Horizontal  study  of  smartphone  applicaAons  based  on  staAc   analysis  of  21  million  lines  of  recovered  code.”   •  “Uncovered  pervasive  use/misuses  of  personal/phone  idenAfiers,   and  deep  penetraAon  of  adverAsing  and  analyAcs.”   •  “Conclude  by  considering  the  implicaAons  of  these  preliminary   findings  and  offer  direcAons  for  future  analysis.”  
Android  App  Security   •  ded  is  a  Dalvik  decompiler  that  is  used  to  recover  an  applicaAons   Java  source  from  the  installed  image.   –  Madness:  DVM-­‐to-­‐JVM  bytecode  retargeAng.   –  TranslaAng  class  and  method  structures.  Inferring  types.   •  DVM:   –  .class  files  converted  to  .dex.   –  MulAple  classes  are  included  into  a  single  .dex  file.   –  Dupilcate  objects  and  constants  used  in  mulAple  class  fields  are   included  ONCE  in  the  .dex.   –  Java  bytecode  is  converted  into  an  alternaAve  instrucAon  set  used  by   DVM.   –  DVM  executables  installed  onto  a  mobile  device  are  subject  to  further   opAmizaAons  (reording  byte  order,  inline  linking  of  simple  data   structures  and  funcAon  libraries).  
Trivia   •  What  is  IMEI?   •  IMSI?   •  ICC-­‐ID  
This  is  a  really  big  paper…   •  So  we’ll  menAon  the  stuff  that  is  interesAng:   –  Authors  purport  a  wide  misuse  of  privacy  sensiAve   informaAon:     •  IMEI   •  IMSI   •  ICC-­‐ID   –  Usage  of  ad  and  analyAc  network  libraries  were   integrated  with  51%  of  applicaAons  studied  (eh,  they   were  free  apps).   –  Many  developers  fail  to  securely  use  Android  APIs.   They’re  idiots,  remember?  
Points  that  Repeat   •  Leaking  informaAon  to  logs:  Log  API  (logcat).   •  Unprotected  Broadcast  Receivers  –  we’ll  talk  more   about  this  later.  IPC  mishaps  101.   •  Intent  InjecAon  Apacks.   •  Denial  of  Service  with  Null  Checks  on  IPC  input   (applicaAon  crashes).   •  DelegaAng  control  (we’ll  talk  about  this  in  a  second).   •  Tapjoy…     •  SDCard  usage  (external  vs  internal  storage).   •  NaAve  code  usage  (JNI…  NDK).  
SCanDroid:   Automated  Security  CerAficaAon  of  Android   ApplicaAons   •  Adam  Fuchs  et  al.             *This  applica8on  to  prove  a  research  goal  name  usage  deal  is  also  repeated.    
Android  App  Security   •  Unless  I  missed  it,  no  collecAon  of  apps  were  pulled  from  the  Market.   •  “Enforcing  permissions  is  not  sufficient  to  prevent  security  violaAons,   since  permissions  may  be  misused,  intenAonally  or  unintenAonally,  to   introduce  insecure  data  flows.  SCanDroid,  a  tool  for  reasoning   automaAcally  about  the  security  of  Android  ApplicaAons.”   •  ScanDroid  staAcally  analyzes  data  flows  through  Android  applicaAons…  it   can  decide  whether  it  is  safe  for  an  applicaAon  to  run  with  certain   permissions,  based  on  the  permissions  enforced  by  other  applicaAons.   •  A  soluAon  to  the  failing  permissions  model.   •  With  data  flow  analysis,  the  precision  of  reasoning  by  the  user  is  no  longer   limited.  
SCanDroid   •  ScanDroid  (Program  Analysis):   –  Parses  manifest  file,  and     –  Analyzes  data  flow.   –  Uri  and  Intent-­‐based  addr.  
Android  Basics   λ  Intents  are  the  preferred  mechanisms  for  asynchronous  IPC  in  Android.   -  sendBroadcast()   -  sendOrderedBroadcast()   λ  You  can  apply  access  permissions  to  broadcasted  intents  so  only  certain   applicaAons  can  register  to  see  the  intents.  If  you're  doing  this,  you  might  just   consider  invoking  the  receiver  directly.   -  android:exported     λ  Allow  use  of  IPC  by  other  apps.   -  android:protecAonLevel   λ  Characterizes  the  potenAal  risk  implied  in  the  permission  and  indicates  the  procedure  the  system   should  follow  when  determining  whether  or  not  to  grant  permission  to  requester.   -  “normal”  =  default  low  risk,  requests  isolated  applicaAon  features.   -  “dangerous”  =  high-­‐risk,  requests  private  user  data  or  control.   -  “signature”  =  granted  only  if  the  requesAng  applicaAon  is  signed  with  the  same  cerAficate  as  the  applicaAon  that   declared  the  permission.     -  “signatureOrSystem”  =  system  grants  only  to  applicaAons  that  are  in  the  Android  system  image  or  as  above.   -  android:permission   λ  ApplicaAons  will  need  to  declare  a  corresponding  <uses-­‐permission>  element  in  their  manifest  to  start,   stop,  or  bind  service.  
TaintDroid:   An  InformaAon-­‐Flow  Tracking  System  for  RealAme   Privacy  Monitoring  on  Smartphones   •  William  Enck  et  al.    
Trivia   •  Where  else  have  we  seen  tainAng  used?  
TaintDroid   •  “30  popular  third-­‐party  Android  ApplicaAons.   •  “TaintDroid,  an  efficient,  system-­‐wide  dynamic  taint  tracking  and   analysis  system  capable  of  simultaneously  tracking  mulAple  sources   of  sensiAve  data.”   •  Monitor  behavior  with  TaintDroid.   •  “68  instances  of  potenAal  misuse  of  users’  private  informaAon   across  20  applicaAons.”   •  “Monitoring  sensiAve  data  with  TaintDroid  provides  informed  use   of  third-­‐party  applicaAons  for  phone  users  and  valuable  input  for   smartphone  security  service  firms  seek  to  idenAfy  misbehavior.”  
TaintDroid   •  An  extension  to  the  mobile  playorm,  not  an   applicaAon  itself.   •  Taints  data  sources  with  a  label,  and  as  the   data  propagates  through  program  variables,   files,  and  interprocess  messages  this  allows   TaintDroid  to  monitor  (variable,  message,   method,  and  file  level).  
TaintDroid  
Permission  Re-­‐DelegaAon   Apacks  &  Defenses   •  Adrienne  Porter  Felt  et  al.    
ExtrapolaAng  the  Experimental   Method  for  evaluaAng  Android  Apps   •  872  survey  applicaAons.   •  Demonstrate  Permission  re-­‐delegaAon.   •  Perform  some  analysis.   •  “More  than  a  third  request  permissions  for  sensiAve  resources  and   also  exposes  public  interfaces  –  at  risk  for  exposing  permission  re-­‐ delegaAon.”   •  “IPC  InspecAon,  a  new  OS  mechanism  for  defending  against   permission  re-­‐delegaAon.  Reduces  an  applicaAon’s  permissions   a{er  receiving  communicaAon  from  a  less  privileged  applicaAon.”  
Permission  Re-­‐DelegaAon   •  Permission  re-­‐delegaAon  is  an  apack  when   lower  priv.  app  can  gain  advanced  priv.  by   communicaAng  with  more  trusted  app    
Permission  Bloat  
Eve  and  Mallory  <3  Android   •  Finally,  we’ll  move  on  to  discussing  the  paper   at  hand.   •  Sascha  et  al.   •  Many  Android  apps  have  a  legiAmate  need  to   communicate  over  the  Internet.  
Eve  and  Mallory  <3  Android   •  Paper  wants  to:   –  Discover  potenAal  security  threats  posed  by   benign  Android  apps  that  use  SSL/TLS  protocols  to   protect  data.   –  Query  users  if  they  really  understand  those  pop   up  messages  concerning  SSL/TLS  warnings   (caveat:  when  they  actually  happen).  
Trivia   •  Whats  the  *Droid  name  used  in  this  paper?  
MalloDroid   •  Analyzed  13,500  popular  free  apps.   •  Revealed  1,074  (8%)  of  apps  potenAally  vulnerable  to   MITM.   •  Selected  100  apps  of  interest  (no  rhyme  nor  reason).   •  41  of  these  apps  gather  sensiAve  data  (e.g.,  banking   credenAals).   •  Many  of  these  apps  communicate  over  the  internet  for   legiAmate  reasons  –  thus  requiring  the  INTERNET   permission.  
MalloDroid   •  These  INTERNET  capable  apps  uAlize  the  SSL/TLS  for  secure   communicaAon.   •  MalloDroid  is  an  extension  to  AndroGuard   –  Reverse  Engineering,  Malware  and  goodware  analysis  of  Android  apps.   –  Wripen  in  python  to  play  with  DEX  (disassemble,  decompilaAon),  APK,   Binary  xml,  Resources.   •  Performs  staAc  code  analysis:   –  Analyze  the  networking  API  calls  and  extract  valid  HTTP(S)  URLS  from   the  decompiled  apps;   –  Check  the  validity  of  the  SSL  cerAficates  of  all  extracted  HTTPS  hosts;   –  IdenAfy  apps  that  contain  API  calls  that  differ  from  Android’s  default   SSL  usage:   •  Non-­‐default  trust  managers;   •  SSL  socket  factories  or  hostname  verifiers  with  permissive  verificaAon   strategies.  
MalloDroid   •  Out  of  the  100  selected  apps,  the  following   idenAfiers  were  scanned  for:   –  AccepAng  all  SSL  cerAficates.   –  Allowing  all  hostnames  regardless  of  the  cerAficates   Common  Name.   –  NeglecAng  precauAons  against  SSL  stripping.   –  TrusAng  all  available  CerAficate  AuthoriAes.   –  Not  using  SSL  pinning  (eh,  don’t  really  have  to  do   this).   –  Misinforming  users  about  SSL  usage.  
Android  &  SSL   •  Several  packages  for  accessing  the  network:   java.net,  javax,net,  android.net  and   org.apache.hpp.   •  Developers  must  ensure  that  they  use  SSL   correctly:   –  TrusAng  All  CerAficates.  TrustManager  interface  can   allow  trust  of  all  cerAficates  regardless  of  who  signed   them.   –  Allowing  all  Hostnames.  Forgo  checks  of  whether  the   cert  was  issued  for  this  address  or  not.   –  TrusAng  Many  CAs.  134  Root  CAs  by  default.   –  Mixed-­‐Mode/NO  SSL.  SSLStripping…  mostly  a   webview  problem.  
Android  &  SSL  Byproduct  
MITM   •  Argument  here  is  that  mobile  has  an  increased  chance  of   vulnerability  when  considering  a  malicious  MITM  (proxy   SSL).   •  Authors  make  the  argument  that  just  because  an  app   doesn’t  use  SSL  appropriately,  doesn’t  mean  that  there  is   sensiAve  informaAon  there.   •  ExperimentaAon:   –  Targeted  Finance,  Business,  CommunicaAon,  Social  Tools.   –  266  apps  in  quesAon,  cherry  picked  100  again.   –  Used  Samsung  Galaxy  Nexus,  Android  4.0   –  Network  Access  via  MITM  SSL  Proxy  w/  self-­‐signed  cerAficate  or   one  that  was  signed  by  a  trusted  CA.  
What  Happened   •  Banking/Paypal  credenAals  were  leaked.   •  Bitcoin-­‐miner  API  keys  were  leaked.   •  Email/Contact  data…   •  Why?   –  Allowing  all  Hostnames.   –  Allowing  any  CA-­‐signed  cerAficate  
Case  of  SSLPinning  
Case  for  Appropriate  Feedback  
Survey     •  The  end  result  was  approximately  half  of  the   surveyed  populaAon  didn’t  really  understand   what  a  secure  connecAon  (via  SSL/TLS)  was,   and  what  a  feedback  message  about  SSL/TLS   meant.  
Nailed  It   •  13,500  popular  free  apps  examined.     •  Introduce  some  new  component.   •  1,074  of  the  apps  contained  SSL/TLS  code.  100   cherry  picked  apps  resulted  in  41  vulnerable   apps  gathering  a  large  variety  of  sensiAve   data.   •  Banking  and  personal  data  is  sensiAve,  and   suscepAble  to  the  apacks.   •  Using  MalloDroid  with  Androguard.  

Recomendados

Android Camp 2011 @ Silicon India
Android Camp 2011 @ Silicon IndiaAndroid Camp 2011 @ Silicon India
Android Camp 2011 @ Silicon IndiaAvinash Birnale
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...IOSR Journals
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidFraunhofer AISEC
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 

Recomendados

Android Camp 2011 @ Silicon India
Android Camp 2011 @ Silicon IndiaAndroid Camp 2011 @ Silicon India
Android Camp 2011 @ Silicon IndiaAvinash Birnale
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...
Android Malware: Study and analysis of malware for privacy leak in ad-hoc net...IOSR Journals
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidFraunhofer AISEC
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android SecurityNational Cheng Kung University
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!espheresecurity
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applicationsJose Manuel Ortega Candel
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperHarsimran Walia
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
COVERT app
COVERT appCOVERT app
COVERT appitba9
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in AndroidRich Helton
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Carlos Laorden
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Krisshhna Daasaarii
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalc0c0n - International Cyber Security and Policing Conference
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012 hakersinfo
 

Mais conteúdo relacionado

Mais procurados

Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
михаил дударев
михаил дударевмихаил дударев
михаил дударевapps4allru
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!espheresecurity
 
Mobile application security
Mobile application securityMobile application security
Mobile application securityShubhneet Goel
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperHarsimran Walia
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applicationsGTestClub
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
COVERT app
COVERT appCOVERT app
COVERT appitba9
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in AndroidRich Helton
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Carlos Laorden
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application SecurityPrateek Jain
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 

Mais procurados (20)

Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
михаил дударев
михаил дударевмихаил дударев
михаил дударев
 
Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!Mobile Application Security – Effective methodology, efficient testing!
Mobile Application Security – Effective methodology, efficient testing!
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaper
 
Security testing of mobile applications
Security testing of mobile applicationsSecurity testing of mobile applications
Security testing of mobile applications
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC Mobile
 
COVERT app
COVERT appCOVERT app
COVERT app
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in Android
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
 
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
Anomaly Detection using String Analysis for Android Malware Detection - CISIS...
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
Android Security
Android SecurityAndroid Security
Android Security
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android Security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Android security
Android securityAndroid security
Android security
 

Semelhante a Reading Group Presentation: Why Eve and Mallory Love Android

Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012 hakersinfo
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
600.250 UI Cross Platform Development and the Android Security Model
600.250 UI Cross Platform Development and the Android Security Model600.250 UI Cross Platform Development and the Android Security Model
600.250 UI Cross Platform Development and the Android Security ModelMichael Rushanan
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security
 
Cryptographic misuse
Cryptographic misuseCryptographic misuse
Cryptographic misuseAashish R
 
Towards the methods of analysis malicious applications for Android
Towards the methods of analysis malicious applications for AndroidTowards the methods of analysis malicious applications for Android
Towards the methods of analysis malicious applications for AndroidSergey Staroletov
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile securityJudy Ngure
 
Cryptographic misuse in android applications
Cryptographic misuse in android applicationsCryptographic misuse in android applications
Cryptographic misuse in android applicationsAashish R
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Dasnullowaspmumbai
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
Mwri security testing-android-with-mercury-2013-04-02
Mwri security testing-android-with-mercury-2013-04-02Mwri security testing-android-with-mercury-2013-04-02
Mwri security testing-android-with-mercury-2013-04-02Droidcon Berlin
 
Android App Developement
Android App DevelopementAndroid App Developement
Android App DevelopementAayush Gupta
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code ReviewsDenim Group
 

Semelhante a Reading Group Presentation: Why Eve and Mallory Love Android (20)

I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
Android village @nullcon 2012
Android village @nullcon 2012 Android village @nullcon 2012
Android village @nullcon 2012
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
600.250 UI Cross Platform Development and the Android Security Model
600.250 UI Cross Platform Development and the Android Security Model600.250 UI Cross Platform Development and the Android Security Model
600.250 UI Cross Platform Development and the Android Security Model
 
Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013Virtue Security - The Art of Mobile Security 2013
Virtue Security - The Art of Mobile Security 2013
 
Cryptographic misuse
Cryptographic misuseCryptographic misuse
Cryptographic misuse
 
Towards the methods of analysis malicious applications for Android
Towards the methods of analysis malicious applications for AndroidTowards the methods of analysis malicious applications for Android
Towards the methods of analysis malicious applications for Android
 
Droidcon mobile security
Droidcon mobile securityDroidcon mobile security
Droidcon mobile security
 
Cryptographic misuse in android applications
Cryptographic misuse in android applicationsCryptographic misuse in android applications
Cryptographic misuse in android applications
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
Mwri security testing-android-with-mercury-2013-04-02
Mwri security testing-android-with-mercury-2013-04-02Mwri security testing-android-with-mercury-2013-04-02
Mwri security testing-android-with-mercury-2013-04-02
 
Android App Developement
Android App DevelopementAndroid App Developement
Android App Developement
 
Mobile Application Security Code Reviews
Mobile Application Security Code ReviewsMobile Application Security Code Reviews
Mobile Application Security Code Reviews
 

Último

Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptxmary850239
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Developmentchesterberbo7
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseCeline George
 
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxMan or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxDhatriParmar
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSMae Pangan
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxSayali Powar
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQuiz Club NITW
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvRicaMaeCastro1
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxUnraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxDhatriParmar
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxkarenfajardo43
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWQuiz Club NITW
 

Último (20)

Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx4.11.24 Poverty and Inequality in America.pptx
4.11.24 Poverty and Inequality in America.pptx
 
Using Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea DevelopmentUsing Grammatical Signals Suitable to Patterns of Idea Development
Using Grammatical Signals Suitable to Patterns of Idea Development
 
prashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Professionprashanth updated resume 2024 for Teaching Profession
prashanth updated resume 2024 for Teaching Profession
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
How to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 DatabaseHow to Make a Duplicate of Your Odoo 17 Database
How to Make a Duplicate of Your Odoo 17 Database
 
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptxMan or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
Man or Manufactured_ Redefining Humanity Through Biopunk Narratives.pptx
 
Textual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHSTextual Evidence in Reading and Writing of SHS
Textual Evidence in Reading and Writing of SHS
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptxBIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
BIOCHEMISTRY-CARBOHYDRATE METABOLISM CHAPTER 2.pptx
 
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITWQ-Factor General Quiz-7th April 2024, Quiz Club NITW
Q-Factor General Quiz-7th April 2024, Quiz Club NITW
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
 
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptxUnraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
Unraveling Hypertext_ Analyzing Postmodern Elements in Literature.pptx
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptxGrade Three -ELLNA-REVIEWER-ENGLISH.pptx
Grade Three -ELLNA-REVIEWER-ENGLISH.pptx
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
Mythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITWMythology Quiz-4th April 2024, Quiz Club NITW
Mythology Quiz-4th April 2024, Quiz Club NITW
 

Reading Group Presentation: Why Eve and Mallory Love Android

  • 1. Why  Eve  and  Mallory  Love   Android   An  Analysis  of  Android  SSL  (In)Security  
  • 2. WARNING   •  The  views  presented  in  this  presentaAon  are  my  own  and   do  not  express  the  views  of  the  Johns  Hopkins  University.   •  The  content  presented  in  this  presentaAon  was  extracted   from  mulAple  academic  conference  proceedings.   •  Most  pictorial  references  were  shamelessly  collected  from   the  internet  and  presented  without  reference.  If  you  find   your  image  and  wish  to  request  that  I  provide  a  reference,   please  email  me  at  the  address  provided  on  my  website:   michaelrushanan.org.  
  • 3. Building  Our  Story   •  There  once  was  a  mobile  device  called  Android…   •  2012  market  share  forecasts  of  48%  and   400,000+  apps  (or  so  says  our  authors)…   •  Everyone  believed  Android  to  be  safe  because  it   uAlized  Java  for  its  applicaAon  development   language,  runs  inside  an  isolated  (sandboxed)   virtual  machine,  follows  a  unix-­‐based  permissions   model,  exposes  a  wonderful  API  for  secure   methods  and  cryptography.    
  • 4. Developers  Are  Idiots   •  Or  completely  malicious  geniuses!   •  Case  in  point:   –  ApplicaAon  Developers  seemingly  don’t  understand  the  less-­‐is-­‐ more  paradox  for  se`ng  permissions.   –  Manufacturers  allow  devices  to  stagnate  by  not  supporAng   latest  OS  releases.   –  The  android  runAme  supports  a  range  of  APIs  by  exposing   runAme  arguments  for  validaAng  the  current  API.   –  *SIGH*  People  sAll  implement  their  own,  already  provided,   methods.  For  example,  extending  the  SSLSocketFactory  class.  
  • 5. My  Advice  to  the  UI  Class   String   BRICK   Required  to  be  able  to  disable  the  device  (very   dangerous!).       String   CAMERA   Required  to  be  able  to  access  the  camera   device.       String   READ_SMS   Allows  an  applicaAon  to  read  SMS  messages.        
  • 6. Why  Should  Fruit  Ninja…   •  Have  access  to  your  phone  state?   •  Be  able  to  read  SMS?     •  Access  your  camera?  
  • 7. Android  Security   •  Trend  Micro  reported  17  malicious  apps   discovered  in  the  Google  Play  Store.   •  Six  of  these  apps  contained  a  reused  snippet   of  code  –  Plankton.  Ten  the  year  prior.   •  Plankton…   –  Enables  the  app  to  connect  to  a  set  of  command   and  control  servers.   –  Collects  user’s  browsing  history,  bookmarks,  and   device  informaAon  (that  really  doesn’t  sound  that  bad).  
  • 9. WARNING:  It’s  About  to  Get  Real   •  Prior  to  jumping  straight  into  current  Android   research,  I’d  like  to  point  out  something.  
  • 10. ExtrapolaAng  the  Experimental   Method  for  evaluaAng  Android  Apps   •  You  take  a  handful  of  apps,  usually  the  free   ones.   •  Introduce  some  new  component.   •  Perform  some  analysis.   •  Uncover  some  horrible  truth.   •  Consider  implicaAons  and  make  suggesAons.  
  • 11. A  Study  of  Android  ApplicaAon   Security   •  William  Enck  et  al.  
  • 12. Android  App  Security   •  “1,100  Popular  Free  Apps  examined.”   •  “ded  decompiler  used  to  recover  Android  applicaAon  source  code   directly  from  installaAon  image.”   •  “Horizontal  study  of  smartphone  applicaAons  based  on  staAc   analysis  of  21  million  lines  of  recovered  code.”   •  “Uncovered  pervasive  use/misuses  of  personal/phone  idenAfiers,   and  deep  penetraAon  of  adverAsing  and  analyAcs.”   •  “Conclude  by  considering  the  implicaAons  of  these  preliminary   findings  and  offer  direcAons  for  future  analysis.”  
  • 13. Android  App  Security   •  ded  is  a  Dalvik  decompiler  that  is  used  to  recover  an  applicaAons   Java  source  from  the  installed  image.   –  Madness:  DVM-­‐to-­‐JVM  bytecode  retargeAng.   –  TranslaAng  class  and  method  structures.  Inferring  types.   •  DVM:   –  .class  files  converted  to  .dex.   –  MulAple  classes  are  included  into  a  single  .dex  file.   –  Dupilcate  objects  and  constants  used  in  mulAple  class  fields  are   included  ONCE  in  the  .dex.   –  Java  bytecode  is  converted  into  an  alternaAve  instrucAon  set  used  by   DVM.   –  DVM  executables  installed  onto  a  mobile  device  are  subject  to  further   opAmizaAons  (reording  byte  order,  inline  linking  of  simple  data   structures  and  funcAon  libraries).  
  • 14. Trivia   •  What  is  IMEI?   •  IMSI?   •  ICC-­‐ID  
  • 15. This  is  a  really  big  paper…   •  So  we’ll  menAon  the  stuff  that  is  interesAng:   –  Authors  purport  a  wide  misuse  of  privacy  sensiAve   informaAon:     •  IMEI   •  IMSI   •  ICC-­‐ID   –  Usage  of  ad  and  analyAc  network  libraries  were   integrated  with  51%  of  applicaAons  studied  (eh,  they   were  free  apps).   –  Many  developers  fail  to  securely  use  Android  APIs.   They’re  idiots,  remember?  
  • 16. Points  that  Repeat   •  Leaking  informaAon  to  logs:  Log  API  (logcat).   •  Unprotected  Broadcast  Receivers  –  we’ll  talk  more   about  this  later.  IPC  mishaps  101.   •  Intent  InjecAon  Apacks.   •  Denial  of  Service  with  Null  Checks  on  IPC  input   (applicaAon  crashes).   •  DelegaAng  control  (we’ll  talk  about  this  in  a  second).   •  Tapjoy…     •  SDCard  usage  (external  vs  internal  storage).   •  NaAve  code  usage  (JNI…  NDK).  
  • 17. SCanDroid:   Automated  Security  CerAficaAon  of  Android   ApplicaAons   •  Adam  Fuchs  et  al.             *This  applica8on  to  prove  a  research  goal  name  usage  deal  is  also  repeated.    
  • 18. Android  App  Security   •  Unless  I  missed  it,  no  collecAon  of  apps  were  pulled  from  the  Market.   •  “Enforcing  permissions  is  not  sufficient  to  prevent  security  violaAons,   since  permissions  may  be  misused,  intenAonally  or  unintenAonally,  to   introduce  insecure  data  flows.  SCanDroid,  a  tool  for  reasoning   automaAcally  about  the  security  of  Android  ApplicaAons.”   •  ScanDroid  staAcally  analyzes  data  flows  through  Android  applicaAons…  it   can  decide  whether  it  is  safe  for  an  applicaAon  to  run  with  certain   permissions,  based  on  the  permissions  enforced  by  other  applicaAons.   •  A  soluAon  to  the  failing  permissions  model.   •  With  data  flow  analysis,  the  precision  of  reasoning  by  the  user  is  no  longer   limited.  
  • 19. SCanDroid   •  ScanDroid  (Program  Analysis):   –  Parses  manifest  file,  and     –  Analyzes  data  flow.   –  Uri  and  Intent-­‐based  addr.  
  • 20. Android  Basics   λ  Intents  are  the  preferred  mechanisms  for  asynchronous  IPC  in  Android.   -  sendBroadcast()   -  sendOrderedBroadcast()   λ  You  can  apply  access  permissions  to  broadcasted  intents  so  only  certain   applicaAons  can  register  to  see  the  intents.  If  you're  doing  this,  you  might  just   consider  invoking  the  receiver  directly.   -  android:exported     λ  Allow  use  of  IPC  by  other  apps.   -  android:protecAonLevel   λ  Characterizes  the  potenAal  risk  implied  in  the  permission  and  indicates  the  procedure  the  system   should  follow  when  determining  whether  or  not  to  grant  permission  to  requester.   -  “normal”  =  default  low  risk,  requests  isolated  applicaAon  features.   -  “dangerous”  =  high-­‐risk,  requests  private  user  data  or  control.   -  “signature”  =  granted  only  if  the  requesAng  applicaAon  is  signed  with  the  same  cerAficate  as  the  applicaAon  that   declared  the  permission.     -  “signatureOrSystem”  =  system  grants  only  to  applicaAons  that  are  in  the  Android  system  image  or  as  above.   -  android:permission   λ  ApplicaAons  will  need  to  declare  a  corresponding  <uses-­‐permission>  element  in  their  manifest  to  start,   stop,  or  bind  service.  
  • 21. TaintDroid:   An  InformaAon-­‐Flow  Tracking  System  for  RealAme   Privacy  Monitoring  on  Smartphones   •  William  Enck  et  al.    
  • 22. Trivia   •  Where  else  have  we  seen  tainAng  used?  
  • 23. TaintDroid   •  “30  popular  third-­‐party  Android  ApplicaAons.   •  “TaintDroid,  an  efficient,  system-­‐wide  dynamic  taint  tracking  and   analysis  system  capable  of  simultaneously  tracking  mulAple  sources   of  sensiAve  data.”   •  Monitor  behavior  with  TaintDroid.   •  “68  instances  of  potenAal  misuse  of  users’  private  informaAon   across  20  applicaAons.”   •  “Monitoring  sensiAve  data  with  TaintDroid  provides  informed  use   of  third-­‐party  applicaAons  for  phone  users  and  valuable  input  for   smartphone  security  service  firms  seek  to  idenAfy  misbehavior.”  
  • 24. TaintDroid   •  An  extension  to  the  mobile  playorm,  not  an   applicaAon  itself.   •  Taints  data  sources  with  a  label,  and  as  the   data  propagates  through  program  variables,   files,  and  interprocess  messages  this  allows   TaintDroid  to  monitor  (variable,  message,   method,  and  file  level).  
  • 26. Permission  Re-­‐DelegaAon   Apacks  &  Defenses   •  Adrienne  Porter  Felt  et  al.    
  • 27. ExtrapolaAng  the  Experimental   Method  for  evaluaAng  Android  Apps   •  872  survey  applicaAons.   •  Demonstrate  Permission  re-­‐delegaAon.   •  Perform  some  analysis.   •  “More  than  a  third  request  permissions  for  sensiAve  resources  and   also  exposes  public  interfaces  –  at  risk  for  exposing  permission  re-­‐ delegaAon.”   •  “IPC  InspecAon,  a  new  OS  mechanism  for  defending  against   permission  re-­‐delegaAon.  Reduces  an  applicaAon’s  permissions   a{er  receiving  communicaAon  from  a  less  privileged  applicaAon.”  
  • 28. Permission  Re-­‐DelegaAon   •  Permission  re-­‐delegaAon  is  an  apack  when   lower  priv.  app  can  gain  advanced  priv.  by   communicaAng  with  more  trusted  app    
  • 30. Eve  and  Mallory  <3  Android   •  Finally,  we’ll  move  on  to  discussing  the  paper   at  hand.   •  Sascha  et  al.   •  Many  Android  apps  have  a  legiAmate  need  to   communicate  over  the  Internet.  
  • 31. Eve  and  Mallory  <3  Android   •  Paper  wants  to:   –  Discover  potenAal  security  threats  posed  by   benign  Android  apps  that  use  SSL/TLS  protocols  to   protect  data.   –  Query  users  if  they  really  understand  those  pop   up  messages  concerning  SSL/TLS  warnings   (caveat:  when  they  actually  happen).  
  • 32. Trivia   •  Whats  the  *Droid  name  used  in  this  paper?  
  • 33. MalloDroid   •  Analyzed  13,500  popular  free  apps.   •  Revealed  1,074  (8%)  of  apps  potenAally  vulnerable  to   MITM.   •  Selected  100  apps  of  interest  (no  rhyme  nor  reason).   •  41  of  these  apps  gather  sensiAve  data  (e.g.,  banking   credenAals).   •  Many  of  these  apps  communicate  over  the  internet  for   legiAmate  reasons  –  thus  requiring  the  INTERNET   permission.  
  • 34. MalloDroid   •  These  INTERNET  capable  apps  uAlize  the  SSL/TLS  for  secure   communicaAon.   •  MalloDroid  is  an  extension  to  AndroGuard   –  Reverse  Engineering,  Malware  and  goodware  analysis  of  Android  apps.   –  Wripen  in  python  to  play  with  DEX  (disassemble,  decompilaAon),  APK,   Binary  xml,  Resources.   •  Performs  staAc  code  analysis:   –  Analyze  the  networking  API  calls  and  extract  valid  HTTP(S)  URLS  from   the  decompiled  apps;   –  Check  the  validity  of  the  SSL  cerAficates  of  all  extracted  HTTPS  hosts;   –  IdenAfy  apps  that  contain  API  calls  that  differ  from  Android’s  default   SSL  usage:   •  Non-­‐default  trust  managers;   •  SSL  socket  factories  or  hostname  verifiers  with  permissive  verificaAon   strategies.  
  • 35. MalloDroid   •  Out  of  the  100  selected  apps,  the  following   idenAfiers  were  scanned  for:   –  AccepAng  all  SSL  cerAficates.   –  Allowing  all  hostnames  regardless  of  the  cerAficates   Common  Name.   –  NeglecAng  precauAons  against  SSL  stripping.   –  TrusAng  all  available  CerAficate  AuthoriAes.   –  Not  using  SSL  pinning  (eh,  don’t  really  have  to  do   this).   –  Misinforming  users  about  SSL  usage.  
  • 36. Android  &  SSL   •  Several  packages  for  accessing  the  network:   java.net,  javax,net,  android.net  and   org.apache.hpp.   •  Developers  must  ensure  that  they  use  SSL   correctly:   –  TrusAng  All  CerAficates.  TrustManager  interface  can   allow  trust  of  all  cerAficates  regardless  of  who  signed   them.   –  Allowing  all  Hostnames.  Forgo  checks  of  whether  the   cert  was  issued  for  this  address  or  not.   –  TrusAng  Many  CAs.  134  Root  CAs  by  default.   –  Mixed-­‐Mode/NO  SSL.  SSLStripping…  mostly  a   webview  problem.  
  • 37. Android  &  SSL  Byproduct  
  • 38. MITM   •  Argument  here  is  that  mobile  has  an  increased  chance  of   vulnerability  when  considering  a  malicious  MITM  (proxy   SSL).   •  Authors  make  the  argument  that  just  because  an  app   doesn’t  use  SSL  appropriately,  doesn’t  mean  that  there  is   sensiAve  informaAon  there.   •  ExperimentaAon:   –  Targeted  Finance,  Business,  CommunicaAon,  Social  Tools.   –  266  apps  in  quesAon,  cherry  picked  100  again.   –  Used  Samsung  Galaxy  Nexus,  Android  4.0   –  Network  Access  via  MITM  SSL  Proxy  w/  self-­‐signed  cerAficate  or   one  that  was  signed  by  a  trusted  CA.  
  • 39. What  Happened   •  Banking/Paypal  credenAals  were  leaked.   •  Bitcoin-­‐miner  API  keys  were  leaked.   •  Email/Contact  data…   •  Why?   –  Allowing  all  Hostnames.   –  Allowing  any  CA-­‐signed  cerAficate  
  • 41. Case  for  Appropriate  Feedback  
  • 42. Survey     •  The  end  result  was  approximately  half  of  the   surveyed  populaAon  didn’t  really  understand   what  a  secure  connecAon  (via  SSL/TLS)  was,   and  what  a  feedback  message  about  SSL/TLS   meant.  
  • 43. Nailed  It   •  13,500  popular  free  apps  examined.     •  Introduce  some  new  component.   •  1,074  of  the  apps  contained  SSL/TLS  code.  100   cherry  picked  apps  resulted  in  41  vulnerable   apps  gathering  a  large  variety  of  sensiAve   data.   •  Banking  and  personal  data  is  sensiAve,  and   suscepAble  to  the  apacks.   •  Using  MalloDroid  with  Androguard.