INTRODUCING... A S E F Android Security Evaluation Framework - Parth Patel
$ whoami_
Agenda
- Manual Research
- Automation - A S E F
- Let's solve problems
- Conclusion
Android OS Open Source
Security Evaluation of Android Apps
(Diagram: developers and attackers both publish to the Android APP Store, and apps flow from the store to the user. Is Bouncer enough to tell an attacker's app from a developer's before it reaches the user?)
Permissions
Manual Research
Behavioral Analysis of Apps
Utilities for Behavioral Analysis
- Android SDK: Emulator (Android Virtual Device - AVD), Android Debug Bridge (adb), Android Asset Packaging Tool (aapt)
- Wireshark
- dex2jar
- IDE: Eclipse
Limitations of Manual Research
Introducing... A S E F
A S E F as a Black Box
(Diagram: apps go in; A S E F reports Malware, Aggressive Adware, Bandwidth usage and Vulnerabilities.)
A S E F phases and modes
- Passive: Initialization, Normalization, Organization
- Active: Launch, Test Cycle
- Interpret: Parsing, Analyzing, Results
A S E F Phase 1: Passive - Initialization Mode
Input: Configurator
- adb refresh
- Device detection (virtual/physical); creates the virtual device when none is running; enables USB debugging
- Configuration values: Default Virtual Device =, Google Safe Browsing API =, Host IP =, interface =
- Session cleanup
A S E F Phase 1: Passive - Normalization Mode
Input: location of an app, or of a directory of apps -> Extractor -> array of .apk paths -> extracted apps
A S E F Phase 1: Passive - Organization Mode
Converter -> Test Result Archive. Each .apk gets one record in the %HAPK hash (key: the .apk path):

    $HAPK{$apk} = {
        pkgnm     => $PKGNM,
        launchact => $LAUNCHACT,
        vercode   => $VERCODE,
        vername   => $VERNAME,
        applable  => $APPLABLE,
        adbstart  => "",
        adbstop   => "",
    };

Archive layout: one directory per run (TEST_05_11_12-19:53:56, TEST_05_11_12-20:20:19, TEST_05_13_12-11:38:28, TEST_NIGHTLY_SCAN2), each holding a sub-directory per app (1.apk, 2.apk, 3.apk) with that app's adb_log.txt and network_traffic.txt.
A S E F Phase II: Active - Launch Mode
Device Launcher: if the virtual device is not running -> boot -> boot check -> display unlock -> running.
A S E F Phase II: Active - Test Cycle
- start: adb logcat, tcpdump, start-timestamp
- Installation mode -> Launch mode -> Activity mode -> Uninstallation mode, with a timestamp (Tm) taken after each mode
- Extensive mode additionally snapshots the kernel log, a memory dump and the running services after each mode
- stop: adb logcat, tcpdump, stop-timestamp
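The Normalization, Organization and Test Cycle slides above describe the per-app record and the capture/install/launch/activity/uninstall sequence. The following is an added example written for this page, not ASEF's own Perl code: it parses `aapt dump badging` output into the %HAPK fields and drives one test cycle through adb, writing adb_log.txt and network_traffic.txt as the archive slide does. Assumptions not stated in the deck: Activity mode is exercised with the SDK's monkey tool, tcpdump runs host-side on the emulator's interface (a physical device would need a rooted on-device tcpdump), and the sample badging text and package names are constructed.

```python
"""Added example, not ASEF's own (Perl) code: record an .apk the way the
Organization-mode %HAPK entry does, then drive one Active-phase test cycle
through adb. Tool choices marked 'assumed' are not stated in the deck."""
import re
import subprocess
import time
from dataclasses import dataclass, field
from pathlib import Path

# Constructed `aapt dump badging` output used as sample input.
SAMPLE_BADGING = """\
package: name='com.example.game' versionCode='7' versionName='1.0.3'
application-label:'Example Game'
launchable-activity: name='com.example.game.MainActivity'  label='Example Game' icon=''
uses-permission: name='android.permission.INTERNET'
uses-permission:'android.permission.READ_CONTACTS'
"""


@dataclass
class ApkInfo:
    """Same fields as the %HAPK record (pkgnm, launchact, vercode, vername, applabel)."""
    pkgnm: str
    launchact: str
    vercode: str
    vername: str
    applabel: str
    permissions: list = field(default_factory=list)


_PKG = re.compile(r"^package: name='([^']+)' versionCode='([^']*)' versionName='([^']*)'")
_LABEL = re.compile(r"^application-label:'([^']*)'")
_LAUNCH = re.compile(r"^launchable-activity: name='([^']+)'")
_PERM = re.compile(r"^uses-permission:(?: name=)?'([^']+)'")  # old and new aapt syntax


def parse_badging(text: str) -> ApkInfo:
    """Normalization mode: turn `aapt dump badging <apk>` text into an ApkInfo."""
    pkg = launch = label = None
    vercode = vername = ""
    perms = []
    for line in text.splitlines():
        if m := _PKG.match(line):
            pkg, vercode, vername = m.groups()
        elif m := _LABEL.match(line):
            label = m.group(1)
        elif m := _LAUNCH.match(line):
            launch = m.group(1)
        elif m := _PERM.match(line):
            perms.append(m.group(1))
    if pkg is None:
        raise ValueError("not aapt badging output: no 'package:' line")
    return ApkInfo(pkg, launch or "", vercode, vername, label or "", perms)


class SubprocessRunner:
    """Runs the commands for real; capture processes stay in the background."""
    def run(self, cmd):
        return subprocess.run(cmd, check=False).returncode
    def start(self, cmd, outfile):
        fh = open(outfile, "w")
        proc = subprocess.Popen(cmd, stdout=fh, stderr=subprocess.STDOUT)
        proc.log_fh = fh
        return proc
    def stop(self, proc):
        proc.terminate()
        proc.wait(timeout=10)
        proc.log_fh.close()
    def sleep(self, seconds):
        time.sleep(seconds)


class DryRunRunner:
    """Records the command plan instead of executing it (no adb needed)."""
    def __init__(self):
        self.commands, self.stopped = [], []
    def run(self, cmd):
        self.commands.append(list(cmd))
        return 0
    def start(self, cmd, outfile):
        self.commands.append(list(cmd))
        return (list(cmd), str(outfile))
    def stop(self, handle):
        self.stopped.append(handle)
    def sleep(self, seconds):
        pass


def run_test_cycle(apk, info, outdir, runner=None, iface="eth0", settle=10, events=200):
    """One test cycle: capture on, install -> launch -> activity -> uninstall, capture off.
    Returns the timestamps (Tm) taken at the start, after each mode, and at the stop."""
    runner = runner or SubprocessRunner()
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    marks = {"start": time.time()}                                   # start-timestamp
    runner.run(["adb", "logcat", "-c"])                              # drop pre-cycle log lines
    logcat = runner.start(["adb", "logcat", "-v", "time"], outdir / "adb_log.txt")
    # Host-side capture on the emulator interface (assumed); text output, one line per packet.
    pcap = runner.start(["tcpdump", "-i", iface, "-n", "-l", "-tttt"], outdir / "network_traffic.txt")
    runner.run(["adb", "install", "-r", str(apk)])                    # Installation mode
    marks["installed"] = time.time()
    runner.run(["adb", "shell", "am", "start", "-n", f"{info.pkgnm}/{info.launchact}"])  # Launch mode
    runner.sleep(settle)
    marks["launched"] = time.time()
    # Activity mode: pseudo-random UI events via monkey (assumed; the deck names no tool).
    runner.run(["adb", "shell", "monkey", "-p", info.pkgnm, "--throttle", "500", str(events)])
    marks["activity"] = time.time()
    runner.run(["adb", "uninstall", info.pkgnm])                      # Uninstallation mode
    runner.stop(pcap)
    runner.stop(logcat)
    marks["stop"] = time.time()                                      # stop-timestamp
    return marks


if __name__ == "__main__":
    meta = parse_badging(SAMPLE_BADGING)
    print(meta)
    print(run_test_cycle("game.apk", meta, "TEST_dryrun", DryRunRunner(), settle=0))
```

With `DryRunRunner` the plan is printed without touching a device; swap in `SubprocessRunner` (the default) once adb sees the AVD. Extensive mode would add `adb shell dmesg` and `adb shell service list` calls after each mode in the same place the timestamps are taken.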
A S E F Phase III: Interpret - Parsing Mode, Analyzing Mode, Results
Network activity (Traffic Analyzer):
- URLs/IPs contacted -> Google's Safe Browsing API -> malware
- Access rate of each URL/IP -> aggressive adware
- Data transmitted -> data usage / bandwidth
Vulnerability Detector (signatures in %HVULN matched against %HAPK):
- Associated permissions -> unique permissions of apps -> permission mapping
- Decompilation / APIs used -> unique APIs -> API mapping -> vulnerabilities
- Reconstructing source code: apk unzip -> dex2jar -> jar2class -> class2jad -> source code
Blacklisting: if an app is found malicious, add it to the blacklist; blacklisted apps are reported as such.
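The Traffic Analyzer described above turns the capture of one test cycle into servers accessed, access rate, data usage and a verdict. The following is an added example written for this page, not ASEF's own analyzer: it parses `tcpdump -n -l -tttt` text lines and computes those numbers per app. The capture lines are constructed (a 5-second window instead of the 3-minute cycle on the results slides, so a handful of lines is enough to cross the threshold), the 1.0 req/s threshold is an assumed value, and the `KNOWN_BAD_HOSTS` set stands in for the Google Safe Browsing lookup, which needs network access and an API key.

```python
"""Added example, not ASEF's own (Perl) analyzer: Phase III traffic analysis over
the text tcpdump capture of one test cycle, producing the per-app numbers the
results slides chart. Threshold, blacklist and capture lines are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed `tcpdump -n -l -tttt` lines for one app; the emulator is 10.0.2.15.
SAMPLE_CAPTURE = """\
2012-05-11 19:53:56.100000 IP 10.0.2.15.40001 > 203.0.113.10.80: Flags [P.], seq 1:201, ack 1, win 65535, length 200
2012-05-11 19:53:56.250000 IP 203.0.113.10.80 > 10.0.2.15.40001: Flags [P.], seq 1:1401, ack 201, win 65535, length 1400
2012-05-11 19:53:56.800000 IP 10.0.2.15.40002 > 203.0.113.10.80: Flags [P.], seq 1:181, ack 1, win 65535, length 180
2012-05-11 19:53:57.300000 IP 10.0.2.15.40003 > 203.0.113.10.80: Flags [P.], seq 1:181, ack 1, win 65535, length 180
2012-05-11 19:53:57.900000 IP 10.0.2.15.40004 > 203.0.113.10.80: Flags [P.], seq 1:181, ack 1, win 65535, length 180
2012-05-11 19:53:58.400000 IP 10.0.2.15.40005 > 203.0.113.10.80: Flags [P.], seq 1:181, ack 1, win 65535, length 180
2012-05-11 19:53:58.900000 IP 10.0.2.15.40006 > 198.51.100.7.443: Flags [P.], seq 1:301, ack 1, win 65535, length 300
2012-05-11 19:53:59.000000 IP 198.51.100.7.443 > 10.0.2.15.40006: Flags [P.], seq 1:3001, ack 301, win 65535, length 3000
2012-05-11 19:53:59.500000 IP 10.0.2.15.40007 > 203.0.113.10.80: Flags [P.], seq 1:181, ack 1, win 65535, length 180
2012-05-11 19:54:00.200000 IP 10.0.2.15.40008 > 203.0.113.10.80: Flags [P.], seq 1:181, ack 1, win 65535, length 180
2012-05-11 19:54:00.600000 IP 10.0.2.15.40001 > 203.0.113.10.80: Flags [.], ack 1401, win 65535, length 0
2012-05-11 19:54:00.700000 IP 10.0.2.15.5353 > 8.8.8.8.53: 1234+ A? ads.example.net. (33)
"""

# Constructed stand-in for the Google Safe Browsing lookup of every contacted host.
KNOWN_BAD_HOSTS = {"198.51.100.7"}

_PKT = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)$")


def parse_capture(text):
    """Yield (timestamp, src, sport, dst, dport, payload_len) for each IP line.
    TCP lines carry 'length N'; UDP/DNS lines end in '(N)'. Other lines are skipped."""
    for line in text.splitlines():
        m = _PKT.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, rest = m.groups()
        n = re.search(r"length (\d+)", rest) or re.search(r"\((\d+)\)\s*$", rest)
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
               src, int(sport), dst, int(dport), int(n.group(1)) if n else 0)


def analyze_traffic(text, device_ip, cycle_seconds=None, threshold=1.0,
                    bad_hosts=KNOWN_BAD_HOSTS, ignore_ports=(53,)):
    """Servers accessed, request count, access rate (req/s), bytes and verdicts.
    A 'request' is an outbound packet with payload to a port not in ignore_ports
    (DNS to the resolver is infrastructure, not an app server). threshold=1.0 req/s
    is an assumed value; the deck shows the flagged app at 1.333 req/s."""
    pkts = list(parse_capture(text))
    per_server = Counter()
    total_bytes = 0
    for ts, src, sport, dst, dport, length in pkts:
        total_bytes += length                      # both directions count as data usage
        if src == device_ip and length > 0 and dport not in ignore_ports:
            per_server[dst] += 1
    if cycle_seconds is None:                      # fall back to the span of the capture
        cycle_seconds = (pkts[-1][0] - pkts[0][0]).total_seconds() if pkts else 0
    requests = sum(per_server.values())
    rate = requests / cycle_seconds if cycle_seconds > 0 else 0.0
    verdicts = []
    if any(host in bad_hosts for host in per_server):
        verdicts.append("malware")
    if rate > threshold:
        verdicts.append("aggressive adware")
    return {"servers": len(per_server), "requests": requests,
            "access_rate": round(rate, 3), "bytes": total_bytes,
            "per_server": dict(per_server), "verdicts": verdicts}


if __name__ == "__main__":
    print(analyze_traffic(SAMPLE_CAPTURE, "10.0.2.15", cycle_seconds=5.0))
```

Pass the cycle length from the start/stop timestamps of the test cycle rather than letting it default to the capture span: an app that is silent for most of the cycle and then bursts would otherwise look more aggressive than it is. Per-server counts are kept so a single ad host can be reported separately from the app's own backend.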
A S E F Demo
Statistics & Results
Apps leaking private information
(Chart: of 80 apps tested, 6 leaked private data and 74 were safe. Data leaked: phone number, IMEI number.)
Bandwidth Usage
(Chart: data usage in bytes per app over a 3 min test cycle.)
Aggressive Adware
(Charts: number of servers accessed per app, and access rate per app with the threshold marked, over a 3 min test cycle. The app flagged as aggressive adware made ad requests at 1.333 req/sec.)
Permission mapping
(Chart: permission distribution across 1000 game apps, for mount/unmount filesystem, Send SMS, Write Contacts, Internet, Read Contacts and Vibrate.)
Vulnerability Scanning
(Charts: No of total Apps vs No of Vulnerable Apps, y-axis No of Apps from 0 to 80, for non-updated Android apps. A S E F scan before updates: the vulnerable apps included Adobe Flash Player and Mozilla Firefox 12. A S E F scan repeated after updates.)
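The before/after-update scans above rest on the Vulnerability Detector's signature match between %HVULN and %HAPK. The following is an added example written for this page, not ASEF's own signature store: each signature names the package and the first versionCode that contains the fix, and an app record is flagged when its versionCode is older. The package names, version codes and reference ids are constructed placeholders, not real advisories.

```python
"""Added example, not ASEF's own code: a %HVULN-style signature store matched
against %HAPK-style app records. Signatures and package names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnSignature:
    pkgnm: str
    fixed_vercode: int   # first versionCode that carries the fix
    ref: str             # advisory / tracker id (constructed placeholder)


# Constructed signature store keyed by package name (the %HVULN role).
HVULN = {
    "com.example.flashplugin": [VulnSignature("com.example.flashplugin", 1150, "EX-2012-001")],
    "com.example.browser": [VulnSignature("com.example.browser", 1300, "EX-2012-002"),
                            VulnSignature("com.example.browser", 1210, "EX-2012-003")],
}

# Constructed app records in the shape of the %HAPK entries (one per .apk).
SAMPLE_HAPK = {
    "1.apk": {"pkgnm": "com.example.flashplugin", "vercode": "1101", "vername": "11.0.1"},
    "2.apk": {"pkgnm": "com.example.browser", "vercode": "1250", "vername": "12.5"},
    "3.apk": {"pkgnm": "com.example.browser", "vercode": "1300", "vername": "13.0"},
    "4.apk": {"pkgnm": "com.example.game", "vercode": "7", "vername": "1.0.3"},
    "5.apk": {"pkgnm": "com.example.game", "vercode": "", "vername": "1.1"},
}


def scan(hapk, hvuln=HVULN):
    """Return {apk: [ref, ...]} for every record whose versionCode predates a fix.
    versionCode is the integer Android orders updates by; versionName is free text
    ('1.10' sorts before '1.9' as a string), so it is never compared here."""
    findings = {}
    for apk, rec in hapk.items():
        try:
            vercode = int(rec["vercode"])
        except (KeyError, ValueError):
            findings[apk] = ["unparseable versionCode"]   # surface it rather than skip it
            continue
        hits = [s.ref for s in hvuln.get(rec["pkgnm"], []) if vercode < s.fixed_vercode]
        if hits:
            findings[apk] = hits
    return findings


def compare_scans(before, after):
    """Which apps stopped being flagged between two scans (the before/after charts)."""
    return sorted(set(before) - set(after))


if __name__ == "__main__":
    print(scan(SAMPLE_HAPK))
```

A record with an empty or non-numeric versionCode is reported instead of silently passing; an app that cannot be version-checked should not count as safe in the totals.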
Extending the Framework
The test cycle can wrap any command line tool: start the tool, start-timestamp, start adb logcat and tcpdump; run Installation mode -> Launch mode -> Activity mode -> Uninstallation mode; stop adb logcat, tcpdump and the tool, stop-timestamp.
Let's solve problems...
A S E F to scan an APP STORE Protect & Promote
A S E F in Large Organizations
Android APP THE NIGHT PHOENIX
NIGHT PHOENIX & A S E F
(Diagram: on the Android device, NIGHT PHOENIX asks the Package Manager for the paths of the installed .apk files, zips them (apkzip) and sends the archive to the A S E F server, which unzips it and hands the .apk paths to the Extractor of A S E F.)
NIGHT PHOENIX?? Scheduled by the Android Alarm Manager.
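The server side of the diagram above receives an archive from a device, unzips it and produces the array of .apk paths the Extractor expects. The following is an added example written for this page, not Night Phoenix or ASEF code: it does that step and, because the device is an untrusted client, refuses archive entries whose names would land outside the upload directory (zip path traversal) and anything that is not an .apk. The archive layout is assumed, and the sample archive is constructed in memory.

```python
"""Added example, not Night Phoenix/ASEF code: unpack an uploaded apkzip into
the Extractor's input directory and return the .apk paths, refusing entries
that would escape that directory. Archive layout and sample contents are assumed."""
import io
import shutil
import tempfile
import zipfile
from pathlib import Path


def unpack_upload(zip_bytes, dest, max_bytes=200 * 1024 * 1024):
    """Return (apk_paths, rejected) after writing each accepted .apk under dest."""
    dest = Path(dest).resolve()
    dest.mkdir(parents=True, exist_ok=True)
    apk_paths, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            target = (dest / name).resolve()
            # '../' components or absolute names resolve outside dest: classic zip traversal.
            try:
                target.relative_to(dest)
            except ValueError:
                rejected.append((name, "path escapes destination"))
                continue
            if info.is_dir() or not name.lower().endswith(".apk"):
                rejected.append((name, "not an .apk"))
                continue
            if info.file_size > max_bytes:          # cap what one device can make us store
                rejected.append((name, "too large"))
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst, length=1 << 16)
            apk_paths.append(str(target))
    return apk_paths, rejected


def build_sample_upload():
    """Constructed archive: two apks, one traversal attempt, one stray file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com.example.game-7.apk", b"PK\x03\x04 fake apk bytes")
        zf.writestr("system/com.example.keyboard-3.apk", b"PK\x03\x04 fake apk bytes")
        zf.writestr("../../var/www/evil.apk", b"escape attempt")
        zf.writestr("notes.txt", b"not an apk")
    return buf.getvalue()


def run_demo():
    """Unpack the sample archive into a fresh temporary directory."""
    return unpack_upload(build_sample_upload(), tempfile.mkdtemp(prefix="asef_upload_"))


if __name__ == "__main__":
    apks, rejected = run_demo()
    print("apk paths:", apks)
    print("rejected:", rejected)
```

`ZipFile.extractall` also strips such names, but writing the entries yourself makes the rejection explicit and loggable, which matters when the uploads come from devices you do not control ("who watches the watchmen" cuts both ways: the server must treat the watcher's uploads as hostile input too).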
Who watches THE WATCHMEN
THE NIGHT PHOENIX: its own permissions are Internet and Write external storage.
THE DARK PHOENIX
It is just the beginning...
Next Generation of A S E F
- Scalability: load balancer module
- Automated/custom signature generation
- Distinguishing updates: security fixes
- UI reporting with correlated results and statistics
- A S E F in the cloud
- Offline scanning: crawler module
Conclusion?
Thank You
Twitter: @parth_84
email: pdpatel@qualys.com
http://code.google.com/p/asef/
https://community.qualys.com/blogs/securitylabs/2012/07/25/android-security-evaluation-framework--a-s-e-f