Smartphone Security for Android Applications




Smartphone Security for Android Applications
Steven Arzt, Siegfried Rasthofer (Eric Bodden)
17.09.2013, Secure Software Engineering Group

About Us
- PhD students at the Secure Software Engineering Group (Eric Bodden)
- Steven Arzt
- Master in IT-Security
- Research Interests:
  - Applied Software Security on Mobile Devices (Android Security)
  - Static/Dynamic Code Analysis
- Siegfried Rasthofer
- Blog: http://sse-blog.ec-spride.de
- Eric Bodden

About the Course
- Lab Course
- 6 Credit Points
- Teams of 1-3 Students
- Team and Topic Registration due on Friday, October 25th
- Contact us via e-mail: Steven.Arzt@ec-spride.de, Siegfried.Rasthofer@ec-spride.de

Proposed Topics
1. Android App Obfuscator
2. Android App Deobfuscator
3. Jimple Integration into Eclipse
4. Flow-Insensitive Data Flow Analysis
5. Runtime Code Patches on Android
6. Monitoring Android Apps for Runtime Code Changes
7. DroidBase: Detailed Android App Search Engine

Own topic proposals are welcome!

T1: Android App Obfuscator (1)
- Make reverse engineering / code understanding harder
- Raise the bar for static and dynamic analysis tools
- Hide behavior in applications, but retain functionality
- Automatic code generation and transformation
- User selects transformations to apply, rest is fully automatic
- Plugin infrastructure for new transformations

T1: Android App Obfuscator (2)

    SmsManager manager = new SmsManager();
    manager.sendTextMessage("0900013131313", "", "Hello World", null, null);

- Change Class Name
- Change Method Name

    String rawname = "tntnbobhfs";

- Maybe encrypt

    String classname = "";
    // Shift every character back by one and capitalize positions 0 and 3,
    // which turns "tntnbobhfs" into "SmsManager".
    for (char c : rawname.toCharArray()) {
        if (classname.length() == 0 || classname.length() == 3)
            c = Character.toUpperCase(c);
        classname += Character.toString((char) (c - 1));
    }

- Add Unused Computation

    Class c = Class.forName("android.telephony." + classname);
    Method m = c.getMethod("sendTextMessage", String.class, String.class,
            String.class, PendingIntent.class, PendingIntent.class);
    Object mgr = c.newInstance();
    m.invoke(mgr, "0900013131313", "", "Hello World", null, null);

- Obfuscate constants

T1: Android App Obfuscator (3)

    TelephonyManager telephonyManager =
            (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
    String imei = obfuscate(telephonyManager.getDeviceId());
    Log.i("INFO", imei);

    // Maps each digit of the IMEI to a letter ('0' -> 'a' ... '9' -> 'j').
    private String obfuscate(String imei) {
        String result = "";
        for (char c : imei.toCharArray()) {
            switch (c) {
                case '0' : result += 'a'; break;
                case '1' : result += 'b'; break;
                case '2' : result += 'c'; break;
                case '3' : result += 'd'; break;
                case '4' : result += 'e'; break;
                case '5' : result += 'f'; break;
                case '6' : result += 'g'; break;
                case '7' : result += 'h'; break;
                case '8' : result += 'i'; break;
                case '9' : result += 'j'; break;
                default : System.err.println("Problem in obfuscate for character: " + c);
            }
        }
        return result;
    }

T1: Android App Obfuscator (4)
- Many more ideas
  - Control flow obfuscation using GOTOs
  - Exploit virtual dispatch / override semantics, reflection/invokedynamic?
  - Distribute data across instance / static fields, parameters,
  - Generate / decrypt and execute code at runtime
  - Generate constants using runtime information
  - Dynamic analysis tool and debugger detection
- Be creative with own ideas!
- Related work will be provided!

T2: Android App Deobfuscator
- Detect and remove obfuscations where possible
- Remap simple reflective calls to targets
- Simulate app execution and generate new code
- Detect fishy code in applications

T3: Jimple Integration into Eclipse (1)

T3: Jimple Integration into Eclipse (2)
- What is Jimple?
  - Java but Simple
  - Used as intermediate representation for Java/Android Source and Bytecode
  - Three-operand language
  - No invocation stacks
  - Only few opcodes

    public void <init>()
    {
        de.ecspride.rv2013 $r0;
        android.telephony.SmsManager $r1;

        $r0 := @this: de.ecspride.rv2013;
        specialinvoke $r0.<android.app.Activity: void <init>()>();
        $r1 = staticinvoke <android.telephony.SmsManager: android.telephony.SmsManager getDefault()>();
        $r0.<de.ecspride.rv2013: android.telephony.SmsManager smsmanager> = $r1;
        return;
    }

T3: Jimple Integration into Eclipse (3)
- Build on existing Soot plugin
- Code highlighting and syntax checking
- Open declaration
- Type hierarchy
- Search for references
- Refactorings, especially variable and method renaming
- Integration into Eclipse's project model
- Decompile APK to Jimple
- Compile Jimple to APK

T4: Flow-Insensitive Data Flow Analysis (1)

Follow the flow of data through the program:

    TelephonyManager mgr = (TelephonyManager) this.getSystemService(TELEPHONY_SERVICE);
    SmsManager sms = SmsManager.getDefault();
    String imei = mgr.getDeviceId();
    imei = "";
    sms.sendTextMessage("+49 1234", null, imei, null, null);

- Flow sensitivity is precise, but may be costly
- Use flow-insensitive pre-analysis
- Flow-insensitive analyses are an over-approximation
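
The slide's point, as an added example (not part of the original slides, and not FlowDroid or Soot code): a taint tracker over a constructed straight-line statement list, run once flow-sensitively and once flow-insensitively. The statement format and the three sample programs are assumptions made for this illustration; SLIDE_PROGRAM mirrors the snippet above, where the insensitive pass reports a leak that the sensitive pass rules out.

```python
# Added illustration: a toy straight-line IR, not Jimple and not FlowDroid.
# Constructed statement forms: ("source", dst), ("const", dst),
# ("copy", dst, src), ("sink", arg). No branches or method calls.
SLIDE_PROGRAM = [
    ("source", "imei"),       # imei = mgr.getDeviceId()
    ("const", "imei"),        # imei = ""
    ("sink", "imei"),         # sms.sendTextMessage(..., imei, ...)
]
LEAKY_PROGRAM = [
    ("source", "imei"),
    ("copy", "msg", "imei"),  # msg = imei
    ("const", "imei"),        # overwriting imei does not clean msg
    ("sink", "msg"),
]
CLEAN_PROGRAM = [("source", "imei"), ("const", "msg"), ("sink", "msg")]

def flow_sensitive(program):
    """Walk statements in order; an overwrite kills the taint."""
    tainted, leaks = set(), []
    for index, stmt in enumerate(program):
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "const":
            tainted.discard(stmt[1])
        elif op == "copy":    # dst takes over the taint state of src
            (tainted.add if stmt[2] in tainted else tainted.discard)(stmt[1])
        elif op == "sink" and stmt[1] in tainted:
            leaks.append(index)
    return leaks

def flow_insensitive(program):
    """Ignore statement order: taint only grows, until a fixpoint."""
    tainted = {s[1] for s in program if s[0] == "source"}
    changed = True
    while changed:
        changed = False
        for stmt in program:
            if stmt[0] == "copy" and stmt[2] in tainted and stmt[1] not in tainted:
                tainted.add(stmt[1])
                changed = True
    return [i for i, s in enumerate(program) if s[0] == "sink" and s[1] in tainted]

def analyze(program):
    """Cheap pre-analysis first; run the precise pass only if it reports."""
    if not flow_insensitive(program):
        return []             # over-approximation found nothing to refine
    return flow_sensitive(program)
```

Because the flow-insensitive result is an over-approximation, an empty result from it is enough to skip the precise pass, which is what analyze() does for CLEAN_PROGRAM.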

T4: Flow-Insensitive Data Flow Analysis (2)
- FlowDroid: Highly precise taint analysis
  - Mostly fast
  - Still quite (time & memory) expensive in some cases
- Efficient detection of goodware
  - No precise analysis necessary

Highly Precise Taint Analysis for Android Application. Christian Fritz, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves le Traon, Damien Octeau and Patrick McDaniel

T5: Runtime Code Patches on Android (1)
Custom App Loader

T5: Runtime Code Patches on Android (2)
1. Custom loader spawns new Dalvik VM for app
2. Loader modifies Dalvik data structures to change app
   - Rewrite app in memory
   - Completely replace app in memory
3. Loader monitors Dalvik structures for policy enforcement

T6: Monitoring for Apps Runtime Code Changes
- Protect Dalvik data structures against manipulation
- Ideas:
  - Use a monitoring loader that gets loaded first
  - Periodically poll and compare against checksum
  - Place native code inside the app into a sandbox
  - Intercept memory accesses to protected locations

T7: DroidBase: Detailed Android App Search Engine (1)
only name search

T7: DroidBase: Detailed Android App Search Engine (2)

T7: DroidBase: Detailed Android App Search Engine (3)

Why?
- Easily search for specific type of Android app
- Base for nice statistics
  - How many apps have aggressive ads?
  - What kind of apps do specific developers develop?
  - How many apps include native code/reflections/JavaScript?
  - ...
- Interesting for researchers download mechanism
- Easy detection of apps with known vulnerabilities

Lab Grading
- Well-documented code: 60%
- Final presentation: 20%
- Test cases: 20%

Team and Topic Registration due on Friday, October 25th

Steven Arzt and Siegfried Rasthofer
Secure Software Engineering Group (EC-SPRIDE)
Email: steven.arzt@cased.de, siegfried.rasthofer@cased.de
Blog: http://sse-blog.ec-spride.de
Website: http://sse.ec-spride.de