Messing with the Android Runtime

Similar documents
This is DEEPerent: Tracking App behaviors with (Nothing changed) phone for Evasive android malware

Mobile Application Hacking for Android and iphone. 4-Day Hands-On Course. Syllabus

Hacking your Droid ADITYA GUPTA

Bypassing SSL Pinning on Android via Reverse Engineering

AGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions

Blackbox Android. Breaking Enterprise Class Applications and Secure Containers. Marc Blanchou Mathew Solnik 10/13/

Pentesting Android Apps. Sneha Rajguru

Introduction to Android

Smartphone Security for Android Applications

All Your Code Belongs To Us Dismantling Android Secrets With CodeInspect. Steven Arzt Secure Software Engineering Group Steven Arzt 1

The Behavioral Analysis of Android Malware

AppUse - Android Pentest Platform Unified

Android Programming and Security

Advanced ANDROID & ios Hands-on Exploitation

Overview. The Android operating system is like a cake consisting of various layers.

Android Packer. facing the challenges, building solutions. Rowland YU. Senior Threat Researcher Virus Bulletin 2014

Defending Behind The Device Mobile Application Risks

ANDROID SECURITY ATTACKS AND DEFENSES ABHISHEK DUBEY I ANMOL MISRA. ( r öc) CRC Press VV J Taylor & Francis Group ^ "^ Boca Raton London New York

Popular Android Exploits

Mobile Application Development Android

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Android Security - Common attack vectors

Malware detection methods for fixed and mobile networks

Beginners Guide to Android Reverse Engineering

Lecture 17: Mobile Computing Platforms: Android. Mythili Vutukuru CS 653 Spring 2014 March 24, Monday

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Analysis of advanced issues in mobile security in android operating system

Android Application Repackaging

Enterprise Application Security Workshop Series

Leave The App Alone! - Attack and Defense of Android App Hijack

Android Security Joshua Hodosh and Tim Leek

HybriDroid: Analysis Framework for Android Hybrid Applications

ANDROID BASED MOBILE APPLICATION DEVELOPMENT and its SECURITY

Table of Contents 7 8

OWASP Mobile Top Ten 2014 Meet the New Addition

HP AppPulse Mobile. Adding HP AppPulse Mobile to Your Android App

(In-)Security of Backend-as-a-Service

Design and Implementation of an Android Host-based Intrusion Prevention System

Research and Design of Universal and Open Software Development Platform for Digital Home

The OWASP Foundation

Forensics II. Android reverse engineering Logs [repetition]

How Security Testing can ensure Your Mobile Application Security. Yohannes, CEHv8, ECSAv8, ISE, OSCP(PWK) Information Security Consultant

Harvesting Developer Credentials in Android Apps

Mobile App Reputation

Software Reversing Engineering (a.k.a. Reversing) Spiros Mancoridis. What is Reverse Engineering? Software Reverse Engineering: Reversing

QUIRE: : Lightweight Provenance for Smart Phone Operating Systems

Reversing Android Malware

Mobile Application Security Testing ASSESSMENT & CODE REVIEW

Programming the Android Platform. Logistics

Project Ideas. Semester long projects of medium scope. TAs presenting project ideas today. Students can submit their own ideas

Two-factor Protection Scheme in Securing the Source Code of Android Applications

Mobile Application Security: Who, How and Why

Islamic University of Gaza. Faculty of Engineering. Computer Engineering Department. Mobile Computing ECOM Eng. Wafaa Audah.

WebView addjavascriptinterface Remote Code Execution 23/09/2013

Android Commercial Spyware Disease and Medication

A Study of Android Application Security

Programming with Android: System Architecture. Dipartimento di Scienze dell Informazione Università di Bologna

Lecture 1 Introduction to Android

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

Mobile Application Hacking for ios. 3-Day Hands-On Course. Syllabus

AppConnect FAQ for MobileIron Technology Partners! AppConnect Overview

Running Android Applications on BlackBerry 10 developer.blackberry.com/android

Put a Firewall in Your JVM Securing Java Applications!

Introduction. Application Security. Reasons For Reverse Engineering. This lecture. Java Byte Code

Enterprise Mobility Management

Research on Situation and Key Issues of Smart Mobile Terminal Security

Habanero Extreme Scale Software Research Project

Introduction to Android Android Architecture Software Development Purpose of the project Location Based Service (LBS) Android. Location class Google

Securing your Mobile Applications. Karson Chan Security Consultant

IJREAT International Journal of Research in Engineering & Advanced Technology, Volume 1, Issue 1, March, 2013 ISSN:

Mobile applications security Android OS (case study) Maciej Olewiński. Cryptographic Seminar r.

The Java Series. Java Essentials I What is Java? Basic Language Constructs. Java Essentials I. What is Java?. Basic Language Constructs Slide 1

Dynamic Analysis of Android Malware

Android Basics. Xin Yang

Student Tech Security Training. ITS Security Office

MOBILE SMARTPHONES AS SECURE SIGNATURE-CREATION DEVICES

Mobile Payment Security

Mobile Devices - An Introduction to the Android Operating Environment. Design, Architecture, and Performance Implications

RoverPal - A Mobile Payment Application

Studying Security Weaknesses of Android System

OpenCV on Android Platforms

SECURITY ASPECTS OF OPEN SOURCE

International Engineering Journal For Research & Development

Certified Cyber Security Analyst VS-1160

Implementing Database Security and Auditing

NFCulT. An easy a nice tool that will make you have fun, or... make profit!

Mobile Application Security and Penetration Testing Syllabus

Mobile Security Framework; Advances in Mobile Governance in Korea. TaeKyung Kim

Paul Sabanal IBM X-Force Advanced Research. State Of The ART. Exploring The New Android KitKat Runtime IBM Corporation

CompTIA Mobile App Security+ Certification Exam (Android Edition) Live exam ADR-001 Beta Exam AD1-001

Transcription:

Northeastern University Systems Security Lab Messing with the Android Runtime Collin Mulliner, April 26th 2013, Singapore crm[at]ccs.neu.edu SyScan Singapore 2013

$ finger collin@mulliner.org 'postdoc' Security Researcher $HOME = Northeastern University, Boston, MA, USA cat.project specialized in mobile handset security Current work Android security Android security Past work Some Bluetooth security work A lot on SMS and MMS security Mobile web usage and privacy Some early work on NFC phone security 2

Introduction Android Application Security Find vulnerabilities (audit) Analyze malware RE what is this application doing What does this thing do? How does this thing work? Disassemble look at smali code Run in emulator/sandbox look at traces / network (Static) instrumentation look at app while it runs 3

Introduction Android Application Security Find vulnerabilities (audit) Analyze malware RE what is this application doing What does this thing do? How does this thing work? Disassemble look at smali code Run in emulator/sandbox look at traces / network (Static) instrumentation look at app while it runs This talk is about Dynamic Instrumentation Instrumentation at the Dalvik level (not bytecode!) 4

Static Instrumentation on Android Unpack APK Convert manifest back to plain text,... Disassemble DEX classes Get smali code Instrument smali code Modify smali code, add own code Repackage application Compile code, Sign, etc... Install and run Hope it works... (bug in patch, self integrity check,...) 5

Dynamic Instrumentation Change/modify application code at runtime Allows to add and remove code/hooks on-the-fly Technique has been around for many years Instrument library calls: quick overview what happens No disassembly needed Still need to disassemble for target specific stuff Find the interesting stuff to instrument 6

Dynamic Instrumentation on Android No: unpacking, compile, repacking Saves us time APK not modified Defeat 'simple' integrity checks But Android Apps are written in Java and run in a VM... 7

Android Picture: Google 8

Android Runtime Dalvik Virtual Machine (DVM) Core Libraries (java.x.y) Executes: Framework and Applications Android Process Application Process for MainActivity Additional process(s) for Service Framework system_server... 9

Dalvik Instrumentation The Basic Idea Convert Dalvik method to native (JNI) method We get control of the execution Call original Dalvik method from native method This creates an in-line hook of the Dalvik method Implement instrumentation code using JNI Access to everything (private, protected doesn't exist) 10

Dalvik Instrumentation Tech Overview Inject 'shared object' (.so) into running process Provides the native code My talk: Dynamic Binary Instrumentation on Android Android Process Native code 'talks to the DVM' Resolve symbols from DVM Call DVM functions to: Lookup classes and methods Hook method Call original method 11

Messing with the Android Runtime The Runtime runs Applications and their Services The Android System/Framework What can we do with this Aid reverse engineering Attacks Test stuff fast Examples... 12

Monitor / Reverse Applications How does the application work? Maybe App is obfuscated, strings are encrypted Instrument interesting methods to see what App does String operations Reflection... String java.lang.stringbuffer.tostring() int java.lang.string.compareto(..) int java.lang.string.comparetoignorecase(..) String java.lang.stringbuilder.tostring() Method java.lang.class.getmethod(..) 13

Attack stuff Two Apps talk to each other via some IPC Instrument one side to attack the other side Disable Signature Verification boolean java.security.signature.verify(byte[]) { } Used for all kinds of things... Patch to always return true; (used it to attack various things) 14

Rapid Prototyping of Framework Modifications Defense against SMS OTP stealing Trojans [1] Change local SMS routing based on SMS content For the prototype we needed to change code in the framework com/android/internal/telephony/smsdispatcher.java protected void dispatchpdus(byte[] pdus) { } Instead of recompiling Android just replace the method save a lot of time test on many different devices without custom compile [1] SMS based One Time Passwords: Attacks and Defense (short paper) Collin Mulliner, Ravishankar Borgaonkar, Patrick Stewin, Jean Pierre Seifert To appear In the Proceedings of the 10th Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2013) Berlin, Germany, July 2013 15

Conclusions Dynamic Instrumentation via the Android Runtime allows Modification of Apps and the Framework in memory Doesn't break APK signatures Portable across devices Super stable (not a hack) But can only replace whole functions no bytecode modification Possible to stir up Android AppSec quite a bit Obfuscation and use of reflection is kinda useless We have various ongoing projects based on this Students doing interesting stuff 16

Northeastern University Systems Security Labs EOF Thank you! twitter: @collinrm crm[at]ccs.neu.edu http://mulliner.org/android

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information