Architectural Risk Analysis for Android Applications
ComNets - AG RN-Kolloquium, 13.07.2015
Karsten Sohr, TZI, Universität Bremen
Outline
Software security as a discipline in its own right
Security problems in Android apps
Research project ZertApps
Outlook
Software Security as a Discipline in Its Own Right
Current security mechanisms such as firewalls, anti-virus software or intrusion detection systems are reactive
Cause of many security problems: security issues in the software itself
McGraw: Trinity of trouble
  1. Increasing complexity (Windows 8 up to 80 million lines of code?)
  2. Increasing connectivity (SOA, Internet of Things, industrial controllers)
  3. Extensibility of systems (installation of apps, plugins for browsers)
Tools and processes to improve software security
  Security development lifecycle (SDL)
Code Review through Static Code Analysis
Security analysis of the source code of applications
Detection of common programming bugs, such as buffer overflows, SQL-injection and cross-site-scripting vulnerabilities
Automated analysis
  Use of compiler-construction techniques
  Intermediate representation of the program, e.g., abstract syntax trees or static single assignment (SSA) form
  Data- and control-flow analyses
  False positives, false negatives
  Undecidability
Commercial tools: HP Fortify SCA, IBM AppScan, Coverity Prevent (for C/C++ code)
Architectural Risk Analysis as Part of the SDL
Security analysis of the software architecture
  At design time
  Detection of basic security problems (flaws vs. bugs)
Examples of flaws: missing encryption; only integrity protection although confidentiality is required; inconsistent role-based access control; overprivilege; wrong usage of software frameworks
Two approaches
  Threat Modeling/STRIDE (Microsoft)
  Architectural risk analysis from McGraw
Core idea in both approaches: discussion of basic security aspects with the help of diagrams (forest-level overview)
Threat Modeling with Dataflow Diagrams
Security Holes in Mobile Apps
Cryptographic weaknesses, e.g., easily guessable keys in the WhatsApp messenger
Overprivileged apps
Confused-deputy problems
Massive vulnerabilities in the SSL implementations of Android apps
Injection of JavaScript code into apps with web functionality
Faulty usage of software frameworks
Basic weaknesses in systems consisting of a remote-control app and a backend
An E-Mail of a Colleague
If you are interested in the SSL stuff again: The app is implemented as a WebView, i.e., all is HTML. What speaks to a big error is this:

    public void onReceivedSslError(android.webkit.WebView, android.webkit.SslErrorHandler, android.net.http.SslError)
    {
        com.webdevs.spcanywhere.MyWebViewClient $r0;
        android.webkit.WebView $r1;
        android.webkit.SslErrorHandler $r2;
        android.net.http.SslError $r3;

        $r0 := @this: com.webdevs.spcanywhere.MyWebViewClient;
        $r1 := @parameter0: android.webkit.WebView;
        $r2 := @parameter1: android.webkit.SslErrorHandler;
        $r3 := @parameter2: android.net.http.SslError;

        virtualinvoke $r2.<android.webkit.SslErrorHandler: void proceed()>();
        return;
    }
Decompiled to Java

    public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError) {
        // Every certificate error (expired, wrong host, untrusted CA) is accepted.
        paramSslErrorHandler.proceed();
    }
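The flaw from the e-mail beside a hardened WebViewClient, as an added example that is not code from the analysed app or from the ZertApps project. The Android API names are real; the two class names are constructed for this example.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Constructed example (not the analysed app's code). The pattern found by the
// analysis: proceed() is called for every SslError, so the WebView accepts any
// certificate and TLS no longer authenticates the server.
class VulnerableWebViewClient extends WebViewClient {
    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // flaw: silently continues on a certificate error
    }
}

// Hardened form. Not overriding onReceivedSslError at all gives the same
// behaviour (the framework default cancels the load); overriding is only
// useful to make the failure visible in logs and during testing.
class HardenedWebViewClient extends WebViewClient {
    private static final String TAG = "HardenedWebViewClient";

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        Log.w(TAG, "TLS error for " + error.getUrl() + ": " + describe(error));
        handler.cancel(); // abort the request; never proceed on a certificate error
    }

    // Map the primary SslError code to a readable label for the log line.
    static String describe(SslError error) {
        switch (error.getPrimaryError()) {
            case SslError.SSL_NOTYETVALID:  return "certificate not yet valid";
            case SslError.SSL_EXPIRED:      return "certificate expired";
            case SslError.SSL_IDMISMATCH:   return "hostname mismatch";
            case SslError.SSL_UNTRUSTED:    return "untrusted CA";
            case SslError.SSL_DATE_INVALID: return "certificate date invalid";
            case SslError.SSL_INVALID:      return "generic SSL error";
            default: return "unknown error code " + error.getPrimaryError();
        }
    }
}
```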
Insecure Usage of the Android Framework: Telekom Online Manager

    Intent localIntent1 = new Intent("de.telekom.hotspot.intent.action.SMS_STATUS");
    localIntent1.putExtra("status", CredSmsStatusType.SMS_STATUS_CREDENTIALS_RECEIVED);
    localIntent1.putExtra("username", str2);
    localIntent1.putExtra("password", str3);
    sendBroadcast(localIntent1);
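The broadcast above beside a hardened variant, as an added example that is not the Telekom app's code. Only the action string comes from the slide; the class, method names and the permission name are assumptions of this example.

```java
import android.content.Context;
import android.content.Intent;

// Constructed example (not the Telekom app's code). The action string is taken
// from the decompiled snippet; everything else is invented for illustration.
final class SmsStatusBroadcaster {
    static final String ACTION_SMS_STATUS = "de.telekom.hotspot.intent.action.SMS_STATUS";
    // Hypothetical permission; it would be declared in the manifest with
    // android:protectionLevel="signature" so only apps signed with the same key
    // can register a receiver for it.
    static final String PERM_SMS_STATUS = "de.telekom.hotspot.permission.SMS_STATUS";

    // Flaw as found on the slide: an implicit broadcast carrying the password.
    // Any installed app with a matching <intent-filter> receives the credentials.
    static void sendStatusInsecure(Context ctx, String username, String password) {
        Intent i = new Intent(ACTION_SMS_STATUS);
        i.putExtra("status", "SMS_STATUS_CREDENTIALS_RECEIVED");
        i.putExtra("username", username);
        i.putExtra("password", password);
        ctx.sendBroadcast(i);
    }

    // Hardened form: the broadcast only signals that credentials arrived; the
    // secret stays inside the app. The intent is made explicit for this package
    // and the receiver must additionally hold the signature permission.
    static void sendStatusHardened(Context ctx) {
        Intent i = new Intent(ACTION_SMS_STATUS);
        i.setPackage(ctx.getPackageName());    // explicit: delivered only to our own components
        i.putExtra("status", "SMS_STATUS_CREDENTIALS_RECEIVED");
        ctx.sendBroadcast(i, PERM_SMS_STATUS); // receivers without the permission are skipped
    }
}
```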
Problem Statement
We need cost-efficient analysis methods and evaluation processes that ensure that Android apps provide an appropriate security level.
Current Research Project ZertApps
BMBF-funded project ZertApps: Certified Security for Mobile Applications
Project partners: Universität Bremen, Fraunhofer SIT, TU Darmstadt, OTARIS Interactive Service GmbH, datenschutz cert GmbH, SAP AG
Project Goals /1
Development of precise static security analyses based on the Android framework with open-source tools, e.g., Soot
  If necessary, dynamic analysis to improve the static analysis
Interaction of several apps (confused-deputy problem)
Consideration of hybrid apps (apps with Java and web parts)
  E.g., analysis of PhoneGap-based apps
Project Goals /2
Comprehensible presentation of analysis results for different groups of users
  Security administrators, evaluators, developers, users?
Conception of a lightweight certification process/scheme
  Low cost
  Graded certification concept
  Tool support for certification
Our Contribution: Architectural Risk Analysis
Extraction and security analysis of the software architecture of apps
  Reverse engineering of dataflow diagrams (DFDs) with the help of static analysis (Soot)
  Automated analysis of these extracted DFDs against known architectural weaknesses (e.g., CWE entries)
Conception and implementation in the context of a dissertation at AG Softwaretechnik, Prof. Koschke
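A first building block of such an extraction, as an added example that is not the ZertApps tooling: a Soot body transformer that walks the Jimple of every app method and reports the call sites of the two framework methods seen on the previous slides (sendBroadcast as a data sink, SslErrorHandler.proceed as a trust decision). The Soot API calls are real; the APK path and the android-platforms directory are assumptions.

```java
import java.util.Collections;
import java.util.Map;

import soot.Body;
import soot.BodyTransformer;
import soot.PackManager;
import soot.Scene;
import soot.SootMethod;
import soot.Transform;
import soot.Unit;
import soot.jimple.Stmt;
import soot.options.Options;

// Constructed example; not the ZertApps project's code. Finds DFD sink and
// trust-decision call sites in an APK using Soot's Jimple representation.
public class SinkFinder {
    // sendBroadcast is matched by sub-signature only: dex call sites name the
    // app's own Activity/Service subclass as the declaring class, not Context.
    static final String SEND_BROADCAST_SUBSIG = "void sendBroadcast(android.content.Intent)";
    // proceed() is called on a handler variable, so the full framework signature matches.
    static final String SSL_PROCEED_SIG = "<android.webkit.SslErrorHandler: void proceed()>";

    public static void main(String[] args) {
        String apk = args.length > 0 ? args[0] : "app.apk";                    // assumption
        String androidJars = args.length > 1 ? args[1] : "android-platforms";  // assumption

        Options.v().set_src_prec(Options.src_prec_apk);              // read dex, not .class
        Options.v().set_process_dir(Collections.singletonList(apk));
        Options.v().set_android_jars(androidJars);                   // platform jars per API level
        Options.v().set_allow_phantom_refs(true);                    // tolerate unresolved classes
        Options.v().set_output_format(Options.output_format_none);   // analysis only, no output files

        // Register the transformer in the Jimple transformation pack (jtp).
        PackManager.v().getPack("jtp").add(new Transform("jtp.sinkfinder", new BodyTransformer() {
            @Override
            protected void internalTransform(Body b, String phase, Map<String, String> opts) {
                SootMethod caller = b.getMethod();
                for (Unit u : b.getUnits()) {
                    Stmt s = (Stmt) u;
                    if (!s.containsInvokeExpr()) continue;
                    SootMethod callee = s.getInvokeExpr().getMethod();
                    if (SEND_BROADCAST_SUBSIG.equals(callee.getSubSignature())
                            || SSL_PROCEED_SIG.equals(callee.getSignature())) {
                        System.out.println(caller.getSignature() + " -> " + callee.getSignature());
                    }
                }
            }
        }));

        Scene.v().loadNecessaryClasses();
        PackManager.v().runPacks();
    }
}
```

Each reported pair (caller, callee) becomes an edge from a process to an external entity or data store in the extracted DFD; the intent-action string and the extras seen on the Telekom slide would be recovered in a later step by following the arguments backwards through the Jimple locals.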
Example Dataflow Diagram
Example Dataflow Diagram: Hybrid App
Summary & Outlook
Software security is becoming more relevant
  Mobile apps, Internet of Things, Industrie 4.0, ...
Systematic and cost-efficient processes for software security are needed
  Especially relevant: security of apps
  Tool support
New supporting kinds of analysis: static (and dynamic) code analyses for the extraction and validation of the implemented security architecture
Thank you very much for your attention!
Questions?