Risk-Rating Framework for Mobile Applications (Sponsored by DISA CTO)
Praveen Sharma, praveen.sharma@ll.mit.edu (781-981-6709)
Federal Mobile Computing Summit, March 6, 2014
What is the Risk-Rating Framework?
The Mobile Application(s) Risk-Rating Framework (RRF) takes an app and produces the probability of the app being BENIGN, INCONCLUSIVE or MALIGN, together with its compliance to the Mobile App SRGs.
- Enables vetting of Android and iOS mobile apps
- Supports DISA's Mobile App SRG compliance
- https://rr-mitll.ll.mit.edu/ (CAC-card accessible)
SRGs: Security Requirements Guidelines (issued by DISA)
Fed Mobile Summit- 2
Information Flow / Presentation Outline
Apps (mobile malware and potentially good apps) -> Tools (manifest, static, dynamic) -> Common Threat Representation -> RRF Algorithms -> UI
RRF algorithms: Bayesian classifiers; Partial Least Squares classifiers; compliance-checking, rule-based algorithms driven by the Mobile App SRGs.
Architecture
Processing chain: Apps -> REST ingest -> ActiveMQ -> Pipeline -> ActiveMQ -> Data merging -> Tool chain -> Rating, threat model and roll-up algorithms -> REST -> UI/Reporting
MongoDB stores: documents, pipeline state, scores, analysis models.
Follows the Continuous Asset Evaluation, Situational Awareness and Risk-Rating (CAESARS) reference architecture; supports modularity and extension to new tools and algorithms.
Apps / Input Data Set
Android apps input data set:
- Potentially good apps, F-Droid: 1000 apps; 600 unique apps; source code and binary downloads possible; metadata* not available/useful
- Potentially good apps, Google Play: 4882 unique apps; only binary downloads; metadata available
- Known bad apps, Contagio dump and Trade: 6000 malware samples; 1500 unique samples
Apple iOS apps input data set:
- Potentially good apps, Apple Store: only binary downloads; metadata available (e.g., EverNote, Flashlight, AutoCAD)
*Metadata: reputation of the developer, stability of apps, ...
Code-Checking Tools and Analysis: Overall Summary
Tools for Android apps (static; dynamic; services & reverse engineering) and tools for Apple apps (static, reputation):
AndroGuard (O), Android Audit Tools (O), Andrubis (A), Macholib (C), Androwarn (O), Apk-view-tracer (O), AntiLVL, BiPlist (C), APKInspector (O), ASEF (O), APKTool (O), MIT LL reputation libs, Coverity (C), Droidbox (O), ARE (O), Dalvik ByteCode Analysis (O, A), DroidScope (O, A), AXMLPrinter2 (O), Dexpler (A), Mercury (O, C), ContrOWL, Dexter (A, S), TaintDroid (O, A), Dare: Dalvik Retargeting (O, A), HP Fortify/AppScan (C, S), JED (C), Klocwork (C), Stowaway (A, S), Symdroid (A), PushDownoo (A), Google Bouncer (C), IDA Pro (C), Mobile-Sandbox (A, S)
Legend: O = open source; C = commercial; A = academic; S = service-based. Blue (colour coding on the original slide) marks tools for which a deeper analysis has been done.
These are just the illustrative tools integrated into RRF to demonstrate RRF capabilities; any other tool can be integrated into RRF.
Partial Least Squares (PLS) Classifier
Pipeline: App -> extract declared permissions and static features -> create an expanded feature vector with combinations of features (permissions and n-tuples of permissions) -> Partial Least Squares analysis -> classifier output.
Measured variables: an M x N matrix X = [X_ij] with one row per app (M apps) and one column per feature (N features).
PLS iteratively estimates k latent variables from the measured variables, giving an M x k matrix [X_i1 ... X_ik] (k < N) that feeds the classifier.
Bayesian Classifier
[Figure: probability distribution for permissions and the active trail through the network]
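The two preceding slides describe the expanded permission feature vector (singletons plus n-tuples of co-declared permissions) and a Bayesian classifier over those features. The block below is an added example, not MIT LL's RRF code: it builds the expanded vector, trains a naive Bayes model on a constructed, labelled set of permission lists, and maps the resulting probability onto the three-way BENIGN / INCONCLUSIVE / MALIGN verdict. The training apps, the naive Bayes (rather than full Bayesian network) form, and the 0.2 / 0.8 verdict thresholds are assumptions.

```python
"""Added example (not MIT LL code): expanded permission feature vectors and a
naive Bayes risk rating over them. The training set below is constructed."""
from itertools import combinations
from math import exp, log

# Constructed labelled training set: (declared permissions, label)
TRAIN = [
    (["INTERNET"], "benign"),
    (["INTERNET", "ACCESS_NETWORK_STATE"], "benign"),
    (["INTERNET", "VIBRATE"], "benign"),
    (["ACCESS_FINE_LOCATION", "INTERNET"], "benign"),
    (["INTERNET", "SEND_SMS", "READ_PHONE_STATE"], "malign"),
    (["SEND_SMS", "RECEIVE_SMS", "READ_PHONE_STATE"], "malign"),
    (["INTERNET", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"], "malign"),
    (["SEND_SMS", "INTERNET", "RECEIVE_BOOT_COMPLETED"], "malign"),
]


def expand(perms, order=2):
    """Expanded feature vector: each permission plus every n-tuple (up to
    `order`) of co-declared permissions, as in the PLS feature construction."""
    perms = sorted(set(perms))
    feats = set(perms)
    for n in range(2, order + 1):
        feats.update(combinations(perms, n))
    return feats


class PermissionNaiveBayes:
    """Bernoulli naive Bayes over the expanded features (assumed model form)."""

    def __init__(self, order=2, alpha=1.0):
        self.order, self.alpha = order, alpha

    def fit(self, data):
        self.vocab = set()
        self.counts = {"benign": {}, "malign": {}}
        self.n = {"benign": 0, "malign": 0}
        for perms, label in data:
            self.n[label] += 1
            for f in expand(perms, self.order):
                self.vocab.add(f)
                self.counts[label][f] = self.counts[label].get(f, 0) + 1
        return self

    def p_malign(self, perms):
        """Posterior probability that an app with these permissions is malign."""
        feats = expand(perms, self.order)
        total = sum(self.n.values())
        logp = {}
        for label in self.n:
            lp = log(self.n[label] / total)  # class prior
            for f in self.vocab:
                # Laplace-smoothed P(feature present | class)
                p = (self.counts[label].get(f, 0) + self.alpha) / (self.n[label] + 2 * self.alpha)
                lp += log(p) if f in feats else log(1 - p)
            logp[label] = lp
        m = max(logp.values())  # log-sum-exp for numerical safety
        z = sum(exp(v - m) for v in logp.values())
        return exp(logp["malign"] - m) / z


def rate(p, low=0.2, high=0.8):
    """Map the probability to the RRF's three-way verdict (thresholds assumed)."""
    if p < low:
        return "BENIGN"
    if p > high:
        return "MALIGN"
    return "INCONCLUSIVE"


if __name__ == "__main__":
    model = PermissionNaiveBayes().fit(TRAIN)
    for app in (["INTERNET"], ["SEND_SMS", "READ_PHONE_STATE"], ["RECEIVE_BOOT_COMPLETED"]):
        p = model.p_malign(app)
        print(f"{app}: p(malign)={p:.3f} -> {rate(p)}")
```

The pair features matter: a permission that is harmless on its own (INTERNET) contributes evidence differently when it co-occurs with SEND_SMS, which is what the n-tuple expansion is meant to capture.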
Algorithm Evaluation: Receiver Operating Curves
[Figure: ROC curves for the Bayesian classifier and the Partial Least Squares classifier]
Both risk-rating algorithms provide a low number of false positives.
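The ROC evaluation on this slide is reproduced below as an added example (not the RRF's own evaluation code): given per-app malign scores and ground-truth labels, it sweeps the decision threshold, emits the (false-positive rate, true-positive rate) points of the curve, computes the area under it, and reports the false-positive rate needed to reach a target detection rate. The scores and labels are constructed.

```python
"""Added example (not MIT LL code): ROC points, AUC and FPR-at-TPR from
classifier scores. labels: 1 = malign, 0 = benign."""


def roc_points(scores, labels):
    """Return (fpr, tpr, threshold) triples from the strictest threshold to the
    most permissive. Ties in score are consumed together so the curve does not
    depend on input order."""
    pos = sum(labels)
    neg = len(labels) - pos
    if pos == 0 or neg == 0:
        raise ValueError("need both positive and negative examples")
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    points = [(0.0, 0.0, float("inf"))]
    tp = fp = 0
    i = 0
    while i < len(order):
        thr = scores[order[i]]
        while i < len(order) and scores[order[i]] == thr:
            if labels[order[i]]:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / neg, tp / pos, thr))
    return points


def auc(points):
    """Trapezoidal area under the ROC curve."""
    area = 0.0
    for (x0, y0, _), (x1, y1, _) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2
    return area


def fpr_at_tpr(points, min_tpr):
    """Smallest false-positive rate at which the detection rate reaches min_tpr;
    this is the number behind a 'low false positives' claim."""
    for fpr, tpr, _ in points:
        if tpr >= min_tpr:
            return fpr
    return 1.0


# Constructed scores (probability of malign) and ground-truth labels
SCORES = [0.95, 0.90, 0.85, 0.80, 0.60, 0.40, 0.30, 0.20, 0.10, 0.05]
LABELS = [1, 1, 1, 0, 1, 0, 0, 0, 0, 0]

if __name__ == "__main__":
    pts = roc_points(SCORES, LABELS)
    for fpr, tpr, thr in pts:
        print(f"thr>={thr:.2f}: FPR={fpr:.3f} TPR={tpr:.3f}")
    print("AUC =", round(auc(pts), 4))
    print("FPR at 100% detection =", round(fpr_at_tpr(pts, 1.0), 4))
```

For the constructed data the curve reaches 75% detection with no false positives and 100% detection at a false-positive rate of one in six, which is the kind of operating point the slide's claim refers to.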
User Interface
- Overview tab
- Details tab
- Email report
- Compliance summary
- Android apps and iOS apps
Mobile App (MAPP) SRGs
SRGs: Security Requirements Guidelines (issued by DISA)
Where we are: 4 SRGs incorporated.
Where we are going: mapping SRGs to static features; identifying whether incorporating an SRG requires source code, static analysis, dynamic analysis, a run-time test, information the MDM will provide, guidance from DISA, or all of the above.
MAPP SRGs currently incorporated (4):
- SRG-APP-999999-MAPP-00077: The mobile application source code must not contain known malware.
- SRG-APP-000033-MAPP-00011: The mobile application must not execute as a privileged operating system process unless necessary to perform any application functions.
- SRG-APP-000243-MAPP-00049: The mobile application must not write data to persistent memory accessible to other applications.
- SRG-APP-000128-MAPP-00028: The mobile application must not change the file permissions of any files other than those dedicated to its own operation.
MAPP SRGs being investigated (6): static or dynamic analysis may be sufficient; guidance from DISA.
MAPP SRGs considered for investigation (13): require source code, dynamic analysis, run-time tests, ...
MAPP SRGs postponed for now (28): relate to classified data, multiple personas, ...
MAPP SRGs Being Investigated (Examples)
- SRG-APP-000022-MAPP-00009: The mobile application must not permit execution of code without user direction unless the code is sourced from an organization-defined list of approved network resources.
- SRG-APP-000112-MAPP-00026: The mobile application code must not include embedded interpreters for prohibited mobile code.
- SRG-APP-000225-MAPP-00047: The mobile application must fail to an initial state when the application unexpectedly terminates, unless it maintains a secure state at all times.
MAPP SRGs currently investigated (4):
- SRG-APP-000251-MAPP-00051: The mobile application must prevent XML injection.
- SRG-APP-000251-MAPP-00052: The mobile application must validate the correctness of data inputs.
- SRG-APP-000251-MAPP-00053: The mobile application must define a character set for data inputs.
- SRG-APP-000251-MAPP-00054: The mobile application must not contain format string vulnerabilities.
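The compliance-checking part of the RRF is described as rule-based, with each SRG mapped to static features and some SRGs undecidable without dynamic or run-time data. The block below is an added example, not MIT LL or DISA code, of what such a rule set looks like for five of the SRG identifiers listed on the two preceding slides. The shape of the feature record, the feature names, and the particular indicators each rule keys on (world-readable file modes, the WRITE_EXTERNAL_STORAGE permission, java.io.File permission setters, su/chmod invocations) are assumptions; a rule whose needed feature was never extracted returns UNKNOWN rather than guessing, which is how the passed/failed/unknown split in the compliance summary arises.

```python
"""Added example (not MIT LL / DISA code): rule-based SRG compliance checks over
an extracted-feature record. Feature names and indicators are assumptions."""

PASS, FAIL, UNKNOWN = "PASSED", "FAILED", "UNKNOWN"


def _needs(*keys):
    """Decorator: the rule yields UNKNOWN when a required feature is absent
    (e.g. a dynamic-analysis feature for an app that only got static analysis)."""
    def wrap(rule):
        def run(rec):
            if any(k not in rec for k in keys):
                return UNKNOWN
            return rule(rec)
        run.__name__ = rule.__name__
        return run
    return wrap


def _first_words(cmds):
    """Program names from a list of shell command lines."""
    return {c.split()[0] for c in cmds if c.strip()}


@_needs("malware_hits")
def srg_00077(rec):  # source code must not contain known malware
    return FAIL if rec["malware_hits"] else PASS


@_needs("shell_commands")
def srg_00011(rec):  # must not execute as a privileged OS process
    return FAIL if _first_words(rec["shell_commands"]) & {"su", "sudo"} else PASS


@_needs("declared_permissions", "file_modes")
def srg_00049(rec):  # must not write to persistent memory other apps can read
    if {"MODE_WORLD_READABLE", "MODE_WORLD_WRITEABLE"} & set(rec["file_modes"]):
        return FAIL
    # Assumed indicator: declaring shared external storage counts as a failure
    if "WRITE_EXTERNAL_STORAGE" in rec["declared_permissions"]:
        return FAIL
    return PASS


@_needs("api_calls", "shell_commands")
def srg_00028(rec):  # must not change permissions of files other than its own
    setters = {"java.io.File.setReadable", "java.io.File.setWritable",
               "java.io.File.setExecutable"}
    if setters & set(rec["api_calls"]):
        return FAIL
    if "chmod" in _first_words(rec["shell_commands"]):
        return FAIL
    return PASS


@_needs("embedded_interpreters")
def srg_00026(rec):  # must not embed interpreters for prohibited mobile code
    return FAIL if rec["embedded_interpreters"] else PASS


RULES = {
    "SRG-APP-999999-MAPP-00077": srg_00077,
    "SRG-APP-000033-MAPP-00011": srg_00011,
    "SRG-APP-000243-MAPP-00049": srg_00049,
    "SRG-APP-000128-MAPP-00028": srg_00028,
    "SRG-APP-000112-MAPP-00026": srg_00026,
}


def check_compliance(rec):
    return {srg: rule(rec) for srg, rule in RULES.items()}


def rollup(results):
    """Passed/failed/unknown counts, the compliance summary the UI reports."""
    return {v: sum(1 for r in results.values() if r == v) for v in (PASS, FAIL, UNKNOWN)}


# Constructed feature record for a hypothetical app. "shell_commands" is left out
# on purpose: the two SRGs that need it come back UNKNOWN.
SAMPLE = {
    "app": "com.example.notes",
    "declared_permissions": ["INTERNET", "WRITE_EXTERNAL_STORAGE"],
    "api_calls": ["java.net.URL.openConnection", "android.content.Context.openFileOutput"],
    "file_modes": ["MODE_PRIVATE"],
    "malware_hits": [],
    "embedded_interpreters": [],
}

if __name__ == "__main__":
    res = check_compliance(SAMPLE)
    for srg, verdict in res.items():
        print(srg, verdict)
    print(rollup(res))
```

Keeping UNKNOWN as a first-class verdict is the important design choice: a rule that silently passes when its evidence is missing would inflate the compliance score exactly for the apps that received the least analysis.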
Path Forward
- Incorporate dynamic and run-time features for Android apps
- Integrate more MAPP SRGs
- Integrate static, dynamic and run-time features for iOS apps
- Incorporate AV
- Interface with MDM solutions
- Create controlled data sets
- Investigate Dynamic Bayesian Networks
Backup
Both Risk-Rating Results Provide Almost Identical Scores
[Figure: Bayesian Network versus Partial Least Squares scores for benign apps and malign apps]
Num Passed: 89%; Num Unknown: 10%; Num Failed: 1%
Code-Checking Tools and Analysis: Android Apps (Output from Androlyze)
MathRace app from Google Play
Manifest: declared permissions
- ACCESS_NETWORK_STATE
- ACCESS_COARSE_LOCATION
- ACCESS_FINE_LOCATION
- ACCESS_LOCATION_EXTRA_COMMANDS
- INTERNET
- READ_PHONE_STATE
- RECEIVE_BOOT_COMPLETED
- WAKE_LOCK
- com.android.launcher.permission.INSTALL_SHORTCUT
Androlyze: used permissions
- ACCESS_NETWORK_STATE
- ACCESS_FINE_LOCATION
- INTERNET
- READ_PHONE_STATE
- WAKE_LOCK
- VIBRATE
- WRITE_HISTORY_BOOKMARKS
Colour coding on the slide: permissions declared but not used (ACCESS_COARSE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, RECEIVE_BOOT_COMPLETED, INSTALL_SHORTCUT) and permissions used but not declared (VIBRATE, WRITE_HISTORY_BOOKMARKS).
Code-Checking Tools and Analysis: iOS
FedExMobile from the Apple Store
Macholib: framework calls used
- /System/Library/Frameworks/MessageUI.framework/MessageUI
- /System/Library/Frameworks/Security.framework/Security
- /System/Library/Frameworks/CoreGraphics.framework/CoreGraphics
Plist: metadata for iOS
- LSRequiresIPhoneOS: TRUE
- CFBundleName: FedExMobile
- CFBundlePackageType: APPL
- CFBuildDate: 4/6/2012
- Rating Rank: 100
- Rating Label: 4+
- Files: {List of Files}
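The Android and iOS slides above show two different raw tool outputs (a decoded manifest with its used-permission comparison, and an Info.plist) that the framework later folds into one common representation. The block below is an added example, not MIT LL's parser or Androlyze output: it parses a constructed AndroidManifest.xml and a constructed Info.plist with the Python standard library (xml.etree and plistlib, standing in for AXMLPrinter2/apktool and Macholib), emits a common record for each platform, and computes the declared-but-unused and used-but-undeclared permission sets. The used-permission list is constructed to stand in for a static analyser's result; the app identifiers are hypothetical.

```python
"""Added example (not MIT LL code): normalise an Android manifest and an iOS
Info.plist into a common feature record and diff declared vs used permissions.
All inputs are constructed."""
import plistlib
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed, decoded AndroidManifest.xml for a hypothetical app
MANIFEST_XML = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.mathrace">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
</manifest>"""

# Constructed: permissions a static analyser found exercised through API calls
USED_PERMS = ["INTERNET", "ACCESS_FINE_LOCATION", "READ_PHONE_STATE", "VIBRATE"]

# Constructed Info.plist (XML form) carrying the keys shown on the iOS slide
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleName</key><string>ExampleApp</string>
  <key>CFBundlePackageType</key><string>APPL</string>
  <key>LSRequiresIPhoneOS</key><true/>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
</dict></plist>"""


def short_perm(name):
    """android.permission.INTERNET -> INTERNET; vendor permissions keep their prefix."""
    prefix = "android.permission."
    return name[len(prefix):] if name.startswith(prefix) else name


def parse_android_manifest(xml_text):
    """Common record from a decoded manifest: package id and declared permissions."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    declared = [short_perm(e.get(f"{{{ANDROID_NS}}}name"))
                for e in root.iter("uses-permission")]
    return {"platform": "android", "id": root.get("package"),
            "declared_permissions": declared}


def parse_ios_plist(data):
    """Common record from Info.plist: bundle id, name, package type, iOS flag."""
    info = plistlib.loads(data)
    return {"platform": "ios", "id": info.get("CFBundleIdentifier"),
            "name": info.get("CFBundleName"),
            "package_type": info.get("CFBundlePackageType"),
            "requires_iphoneos": bool(info.get("LSRequiresIPhoneOS", False))}


def permission_gap(declared, used):
    """The two sets the Androlyze slide colour-codes."""
    d, u = set(declared), set(used)
    return {"declared_not_used": sorted(d - u), "used_not_declared": sorted(u - d)}


if __name__ == "__main__":
    android = parse_android_manifest(MANIFEST_XML)
    print(android)
    print(permission_gap(android["declared_permissions"], USED_PERMS))
    print(parse_ios_plist(INFO_PLIST))
```

Over-declared permissions widen the app's attack surface for no functional reason, while permissions used but not declared point at code paths that will fail on the device, or at library code the developer did not account for; both are cheap signals once manifest and static outputs share one record shape.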
Risk-Rating Framework Prototype: Process and Components (Status Overview)
Android (apks):
- Manifest analysis (AAPT, APKInspector): declared permissions, intents
- Static analysis (Androguard, Androwarn, Androlyze in the pipeline; features being integrated): features such as used permissions and functional calls are extracted but not yet incorporated in the algorithms
- User modeling & dynamic analysis (TaintDroid, Droidbox, ASEF investigated; not incorporated in the RRF)
- Features -> common representation -> threat model -> RRF algorithms (Bayesian & Partial Least Squares classifiers; compliance check, rule-based algorithm) with Mobile App SRGs and developer reputation -> UI
iOS (ipas):
- Manifest analysis (MIT LL parser for Macholib & Plist): framework calls
- Static analysis (work in progress)
- User modeling & dynamic analysis (work in progress)
- Features -> common representation -> threat model -> RRF algorithms (Bayesian & Partial Least Squares classifiers; compliance check, rule-based algorithm) with Mobile App SRGs and developer reputation -> UI
Common Threat Representation
Goal: a common representation of the different outputs from different tools (manifest tools, static tools, dynamic tools).
- Option 1: standard languages and enumerations: OVAL (Open Vulnerability and Assessment Language), MAEC (Malware Attribute Enumeration and Characterization), SCAP (Security Content Automation Protocol)
- Option 2: Splunk
- Option 3: NoSQL document and non-document databases
Non-interference policies: prevent information flow from high to low.
Declassification policies: enable some portion of data to be revealed (such as the last four digits of credit card numbers).
Random executable crash inputs.
Static Features Distribution
[Figure: distribution of static features]