Smartphone Security for Android Applications

Transcription

1 Smartphone Security for Android Applications Steven Arzt Siegfried Rasthofer (Eric Bodden) Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 1

2 About Us PhD-Students at the Secure Software Engineering Group (Eric Bodden) Steven Arzt Master in IT-Security Research Interests: Applied Software Security on Mobile Devices (Android Security) Static/Dynamic Code Analysis Siegfried Rasthofer Blog: Eric Bodden Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 2

3 About the Course Lab Course 6 Credit Points Teams of 1-3 Students Team and Topic Registration due on Friday, October 25 th Contact us via [email protected], [email protected] Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 3

4 Proposed Topics 1. Android App Obfuscator 2. Android App Deobfuscator 3. Jimple Integration into Eclipse 4. Flow-Insensitive Data Flow Analysis 5. Runtime Code Patches on Android 6. Monitoring Android Apps for Runtime Code Changes 7. DroidBase: Detailed Android App Search Engine Own topic proposals are welcome! Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 4

5 T1: Android App Obfuscator (1) Make reverse engineering / code understanding harder Raise the bar for static and dynamic analysis tools Hide behavior in applications, but retain functionality Automatic code generation and transformation User selects transformations to apply, rest is fully automatic Plugin infrastructure for new transformations Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 5

6 T1: Android App Obfuscator (2) SmsManager manager = new SmsManager(); manager.sendtextmessage(" ", "", "Hello World", null, null); Change Class Name Change Method Name String rawname = "tntnbobhfs"; Maybe encrypt String classname = ""; for (char c : rawname.tochararray()) { if (classname.length() == 0 classname.length() == 3) c = Character.toUpperCase(c); classname += Character.toString((char) (c - 1)); } Add Unused Computation Class c = Class.forName("android.telephony." + classname); Method m = c.getmethod("sendtextmessage", String.class, String.class, String.class, PendingIntent.class, PendingIntent.class); Object mgr = c.newinstance(); m.invoke(mgr, " ", "", "Hello World", null, null); Obfuscate constants Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 6

7 T1: Android App Obfuscator (3) TelephonyManager telephonymanager = (TelephonyManager) getsystemservice(context.telephony_service); String imei = obfuscate(telephonymanager.getdeviceid()); Log.i("INFO", imei); private String obfuscate(string imei){ String result = ""; } for (char c : imei.tochararray()){ switch (c) { case '0' : result += 'a'; break; case '1' : result += 'b'; break; case '2' : result += 'c'; break; case '3' : result += 'd'; break; case '4' : result += 'e'; break; case '5' : result += 'f'; break; case '6' : result += 'g'; break; case '7' : result += 'h'; break; case '8' : result += 'i'; break; case '9' : result += 'j'; break; default : System.err.println("Problem in obfuscate for character: " + c); } } return result; Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 7

8 T1: Android App Obfuscator (4) Many more ideas Control flow obfuscation using GOTOs Exploit virtual dispatch / override semantics, reflection/invokedynamic? Distribute data across instance / static fields, parameters, Generate / decrypt and execute code at runtime Generate constants using runtime information Dynamic analysis tool and debugger detection Be creative with own ideas! Related work will be provided! Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 8

9 T2: Android App Deobfuscator Detect and remove obfuscations where possible Remap simple reflective calls to targets Simulate app execution and generate new code Detect fishy code in applications Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 9

10 T3: Jimple Integration into Eclipse (1) Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 10

11 T3: Jimple Integration into Eclipse (2) What is Jimple? Java but Simple Used as intermediate representation for Java/Android Source and Bytecode public void <init>() { de.ecspride.rv2013 $r0; Three-operand language No invocation stacks Only few opcodes android.telephony.smsmanager $r1; $r0 de.ecspride.rv2013; specialinvoke $r0.<android.app.activity: void <init>()>(); $r1 = staticinvoke <android.telephony.smsmanager: android.telephony.smsmanager getdefault()>(); $r0.<de.ecspride.rv2013: android.telephony.smsmanager smsmanager> = $r1; return; } Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 11

12 T3: Jimple Integration into Eclipse (3) Build on existing Soot plugin Code highlighting and syntax checking Open declaration Type hierarchy Search for references Refactorings, especially variable and method renaming Integration into Eclipse s project model Decompile APK to Jimple Compile Jimple to APK Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 12

13 T4: Flow-Insensitive Data Flow Analysis (1) Follow the flow of data through the program: TelephonyManager mgr = (TelephonyManager) this.getsystemservice(telephony_service); SmsManager sms = SmsManager.getDefault(); String imei = mgr.getdeviceid(); imei = ""; sms.sendtextmessage(" ", null, imei, null, null); Flow sensitivity is precise, but may be costly Use flow-insensitive pre-analysis Flow-insensitive analyses are an over-approximation Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 14

14 T4: Flow-Insensitive Data Flow Analysis (2) FlowDroid: Highly precise taint analysis Mostly fast Still quite (time & memory) expensive in some cases Efficient detection of goodware No precise analysis necessary Highly Precise Taint Analysis for Android Application Christian Fritz, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves le Traon, Damien Octeau and Patrick McDaniel Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 15

15 T5: Runtime Code Patches on Android (1) Custom App Loader Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 16

16 T5: Runtime Code Patches on Android (2) 1. Custom loader spawns new Dalvik VM for app 2. Loader modifies Dalvik data structures to change app Rewrite app in memory Completely replace app in memory 3. Loader monitors Dalvik structures for policy enforcement Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 17

17 T6: Monitoring for Apps Runtime Code Changes Protect Dalvik data structures against manipulation Ideas: Use a monitoring loader that gets loaded first Periodically poll and compare against checksum Place native code inside the app into a sandbox Intercept memory accesses to protected locations Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 18

18 T7: DroidBase: Detailed Android App Search Engine (1) only name search Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 19

19 T7: DroidBase: Detailed Android App Search Engine (2) Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 20

20 T7: DroidBase: Detailed Android App Search Engine (3) Why? - Easily search for specific type of Android app - Base for nice statistics - How many apps do have aggressive Ads? - What kind of apps do specific developers develop? - How many apps do include native code/reflections/javascript? Interesting for researchers download mechanism - Easily detection of apps with known vulnerabilities Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 21

21 Lab Grading Well-documented code 60% Final presentation 20% Test cases 20% Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 22

22 Proposed Topics 1. Android App Obfuscator 2. Android App Deobfuscator 3. Jimple Integration into Eclipse 4. Flow-Insensitive Data Flow Analysis 5. Runtime Code Patches on Android 6. Monitoring Android Apps for Runtime Code Changes 7. DroidBase: Detailed Android App Search Engine Own topic proposals are welcome! Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 23

23 Team and Topic Registration due on Friday, October 25 th Steven Arzt and Siegfried Rasthofer Secure Software Engineering Group (EC-SPRIDE) Blog: Website: Secure Software Engineering Group Steven Arzt and Siegfried Rasthofer 24