Harvesting Developer Credentials in Android Apps

Similar documents
(In-)Security of Backend-as-a-Service

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Defending Behind The Device Mobile Application Risks

How we keep harmful apps out of Google Play and keep your Android device safe

(In)Security of Backend-as-a-Service


BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001

Research on Situation and Key Issues of Smart Mobile Terminal Security

1. Why is the customer having the penetration test performed against their environment?

Use the below instructions to configure your wireless settings to connect to the secure wireless network using Microsoft Windows Vista/7.

Final Year Project Interim Report

VMware Horizon Workspace Security Features WHITE PAPER

Securing your Mobile Applications. Karson Chan Security Consultant

Workday Mobile Security FAQ

VPN Lesson 2: VPN Implementation. Summary

Enterprise Application Security Workshop Series

Defender Token Deployment System Quick Start Guide

The increasing popularity of mobile devices is rapidly changing how and where we

CMDBuild Authentication (file auth.conf)

HP ProtectTools Embedded Security Guide

Installation Guides - Information required for connection to the Goldfields Institute s (GIT) Wireless Network

SUREedge Software Appliance (vmware) Installation Guide

How do I Install and Configure MS Remote Desktop for the Haas Terminal Server on my Mac?

GadgetTrak Mobile Security Android & BlackBerry Installation & Operation Manual

Securing Office 365 with MobileIron

Cloud Storage Security

Using Foundstone CookieDigger to Analyze Web Session Management

Adding Stronger Authentication to your Portal and Cloud Apps

BlackBerry 10.3 Work and Personal Corporate

How to Use vsphere to Connect to and Manage an ESXi Hypervisor Installation

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Mobile Banking. Secure Banking on the Go. Matt Hillary, Director of Information Security, MX

How do I Install and Configure MS Remote Desktop for the Haas Terminal Server on my Mac?

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

SECURING MOBILE APPLICATIONS

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Android Application Repackaging

Manual for Android 1.5

Mobile Devices: Know the RISKS. Take the STEPS. PROTECT AND SECURE Health Information.

Nessus Agents. October 2015

Configuring an Android device to access Staff Wi-Fi and .

Cloudifile Getting Started

SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS

NOS for IT User and Application Specialist. IT Security (ESKITU04) November 2014 V1.0

Develop HIPAA-Compliant Mobile Apps with Verivo Akula

What is Web Security? Motivation

Cloud Backup Express

WebView addjavascriptinterface Remote Code Execution 23/09/2013

AWS Account Management Guidance

Xerox Mobile Print Cloud

PCI Assessments 3.0 What Will the Future Bring? Matt Halbleib, SecurityMetrics

The Android Developers Guide to 3 rd -Party SDK Assessment and Security

Insecure Internal Storage in Android

White Paper What is Noah Mobile?

Discovering passwords in the memory

Arcot Systems, Inc. Securing Digital Identities. FPKI-TWG Mobility Solutions Today s Speaker Tom Wu Principal Software Engineer

Web Application Report

z/os Security - FTP Logon Failures

IIS, FTP Server and Windows

Tutorial on Smartphone Security

Guidance End User Devices Security Guidance: Apple OS X 10.9

CONTENTS. PCI DSS Compliance Guide

Penetration Testing: Lessons from the Field

BM482E Introduction to Computer Security

ADFS Integration Guidelines

Windows Phone 8 Security Overview

05.0 Application Development

Security Overview Enterprise-Class Secure Mobile File Sharing

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

Hands on, field experiences with BYOD. BYOD Seminar

Windows Operating Systems. Basic Security

Discovering authentication credentials in volatile memory of Android mobile devices

Penetration Test Report

Guide to Vulnerability Management for Small Companies

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

SSO Methods Supported by Winshuttle Applications

Comodo Mobile Device Manager Software Version 1.0

Mac OS X. Staff members using NEIU issued laptops and computers on Active Directory can access NEIU resources that are available on the wired network.

Five Steps to Improve Internal Network Security. Chattanooga ISSA

Implementing two-factor authentication: Google s experiences. Cem Paya (cemp@google.com) Information Security Team Google Inc.

Privilege Escalation via Antivirus Software

4. Getting started: Performing an audit

Two-Factor Authentication and Swivel

Bomgar Corporation. Bomgar Application Security Assessment Summary January 26, This document is the property of Bomgar Corporation.

End User Devices Security Guidance: Apple OS X 10.10

Wharf T&T. iwatch 2012 Mobile Apps User Guide (ios / Android)

Transcription:

8 th ACM Conference on Security and Privacy in Wireless and Mobile Networks, New York City, Jun 24-26 Harvesting Developer Credentials in Android Apps Yajin Zhou, Lei Wu, Zhi Wang, Xuxian Jiang Florida State University, North Carolina State University, Qihoo 360

Apps are Becoming Popular 2

Third-party Services Require Authentication APP Authentication Request APP Authentication Request 3

Protecting Developer Credentials is Hard 1.method public static SendMailInBackground 2 new-instance v3, Lcom/pompeiicity/funpic/Email; 3 const-string v7, "whav*****@gmail.com" 4 const-string v8, "jea****" 5 invoke-direct {v3, v7, v8}, Lcom/pompeiicity/funpic/Email;-> 6 <init>(ljava/lang/string;ljava/lang/ String;)V 7... 8.end method 4

Credential Leak is Dangerous "whav*****@gmail.com" "jea****"... 5

CredMiner: Mine Credentials from Apps App Repo Select Candidate Apps Identify Data Sources Reconstruct Credentials Validate Credentials 6

Select Candidate Apps Apps that use interesting libraries (i.e., libraries that accept plaintext credentials) JavaMail Library Amazon AWS Library 7

Identify Data Sources String _user, _passwd; _user = edcba"; _passwd = 54321"; 3. Find Source String user = new StringBuilder(_user).reverse().toString(); String passwd = new StringBuilder(_passwd).reverse().toString(); System.out.println( Authenticating "); return new PasswordAuthentication(user, passwd); 2. Backtrack Credentials (Backward Slicing) 1. Locate Sink Methods 8

Program Slicing Example String _user, _passwd; _user = edcba"; _passwd = 54321"; String user = new StringBuilder(_user).reverse().toString(); String passwd = new StringBuilder(_passwd).reverse().toString(); System.out.println( Authenticating "); return new PasswordAuthentication(user, passwd); 9

Program Slicing Example String _user, _passwd; _user = edcba"; _passwd = 54321"; String user = new StringBuilder(_user).reverse().toString(); String passwd = new StringBuilder(_passwd).reverse().toString(); System.out.println( Authenticating "); return new PasswordAuthentication(user, passwd); 10

Program Slicing Example String _user, _passwd; _user = edcba"; _passwd = 54321"; String user = new StringBuilder(_user).reverse().toString(); String passwd = new StringBuilder(_passwd).reverse().toString(); System.out.println( Authenticating "); return new PasswordAuthentication(user, passwd); 11

Program Slicing Example String _user, _passwd; _user = edcba"; _passwd = 54321"; String user = new StringBuilder(_user).reverse().toString(); String passwd = new StringBuilder(_passwd).reverse().toString(); System.out.println( Authenticating "); return new PasswordAuthentication(user, passwd); 12

Program Slicing Example String _user, _passwd; _user = edcba"; _passwd = 54321"; String user = new StringBuilder(_user).reverse().toString(); String passwd = new StringBuilder(_passwd).reverse().toString(); System.out.println( Authenticating "); return new PasswordAuthentication(user, passwd); 13

Program Slicing Example String _user, _passwd; _user = edcba"; _passwd = 54321"; String user = new StringBuilder(_user).reverse().toString(); String passwd = new StringBuilder(_passwd).reverse().toString(); return new PasswordAuthentication(user, passwd); 14

Backward Slicing Dalvik byte-code is register-based. Simple Example (backward): Instruction v -> Interesting Library move v2, v move v3,v4 const-string v2, "abcde" Tracked Registers v v2 (Ignored) (Done) Generated Program Slice: const-string v2, "abcde" move v2,v v -> Interesting Library Next page: A real-world example 15

16

Reconstruct Credentials Use an execution engine (in Python) to execute (forward) the program slice. Create mock objects on demand, to run the program slice. Program Slice Execution Engine Plaintext Credentials 17

Reconstruct Credentials Emulated java.lang.stringbuilder.append(char): 18

Validate Credentials Run the app in an Android emulator and monitor its execution. Compare the run-time parameters to those recovered by CredMiner. Monitor the interaction with remote servers. Username, Password Login Succeed! 19

Evaluation Distribution of Collected Apps: 20

Evaluation Overall Result: 237 candidate apps use the JavaMail library. 196 candidate apps use the Amazon AWS SDK. 51.1% (121/237) and 67.3% (132/196) of these candidate apps are vulnerable. Distribution of Vulnerable Apps: 21

Evaluation Email Credentials 121/237 (51.1%) are vulnerable 11 apps having more than 50,000 downloads. 8/1404 malware are vulnerable! Only 2 of these malware protect their accounts with custom string encoding schemes 22

Evaluation Email Credentials Case Study: A popular app with more than 1,000,000 downloads. JavaMail is used to send pin recovery email. Email credential is obfuscated with AES. The encrypted credential is encoded again in Base64. The key to decrypt is only encoded in Base64. the initial vector for AES is simply a constant string. The decrypted password is abc123**. 23

Evaluation Email Credentials Leaked credentials: Total vs. Valid 24

Evaluation Amazon AWS Credentials Background: Permanent credential? (Anonymous) token vending machine (TVM): 25

Evaluation Amazon AWS Credentials Problem: Mis-configure the TVM servers. Fail to constrain the privilege of the temporary credential. Result: 132/196 (67.3%) are vulnerable 24% have more than 50,000 downloads Case study: One app from Google Play, has more than 5,000,000 downloads. The temporary credential is not properly confined, the attacker is able to enumerate the UIDs and access other app users files. (We created two accounts and conducted this experiment.) 26

Takeaway Never embed developers credentials in the app. Use secure solutions from service providers correctly. > Insecure sample code provided by service providers can mislead developers. Use secure samples! > There are no clear instructions about how to use the SDKs securely. Simple, clean, and secure documents! A secure default configuration of the services! 27

Thank you! Q&A 28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information