a study of android application security
play

A Study of Android Application Security William Enck , Damien Octeau, - PowerPoint PPT Presentation

Nov 25, 2023 •151 likes •533 views

  1. ������� ��� �������� �������������� �������� � � ������� ��� �������� �������� ������ ���������� �� �������� ������� ��� ����������� ������������ ����� ��������������������� ���� �� A Study of Android Application Security William Enck , Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri USENIX Security Symposium August 2011 Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  2. New Dominant Player Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2

  3. New Dominant Player • Nobody is looking at all the apps (250K and growing) • What would you look for if you did? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2

  4. Studying Applications • Goal: Study a breadth of security properties in a large set of popular Android smartphone applications. • How do you get the applications and source code? ‣ How to retrieve application packages (.apk files)? ‣ How to retrieving application source code? • How do you go about studying the source code? ‣ What do you look for? ‣ How do you look for it? ‣ How do you know what’s actually there? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  5. Dalvik EXecutables • Android applications written Java, compiled to Java bytecode, and translated into DEX bytecode (Dalvik VM) Java dx Compiler Class1.class .dex file Constant Pool Header Class Info Constant Pool Data Java Class1 definition Source Code (.java files) ClassN.class ClassN definition Constant Pool Data Class Info Data • We want to work with Java, not DEX bytecode ‣ There are a lot of existing program analysis tools for Java ‣ We want to see what the developer was doing (i.e., confirmation) • Non-trivial to retarget back to Java: ‣ register vs. stack architecture , constant pools , ambiguous scalar types , null references , etc. Systems and Internet Infrastructure Security Laboratory (SIIS) Page 4

  6. Getting back to the Source Retargeting Process • The ded decompiler CFG Construction (1) DEX Parsing ‣ Refers to both the entire process Type Inference Processing Missing Type Inference and the .dex ⇒ .class retargeting tool Constant Identification (2) Java .class Constant Pool Conversion Conversion Constant Pool ‣ Multi-stage process with many Translation Method Code Retargeting sub-stages Bytecode Reorganization (3) Java .class ‣ http://siis.cse.psu.edu/ded Optimization Instruction Set Translation • ded recovers source code from application package ‣ Retargeting : type inference, instruction translation, etc ‣ Optimization : use Soot to re-optimize for Java bytecode ‣ Decompilation : standard Java decompilation (Soot) Systems and Internet Infrastructure Security Laboratory (SIIS) Page 5

  7. Type Inference START double return_a_double(int a) { if(a != 1) return 2.5; 0 const/4 else return 1.2; } 1 if-eq Source code false true 3 const- 6 const-wide wide/high16 double return_a_double(int) 5 return- 0: const/4 v0,1 11 goto 1: if-eq v3,v0,6 wide 3: const-wide/high16 v0,16388 5: return-wide v0 6: const-wide v0,4608083138725491507 11: goto 5 EXIT DEX bytecode CFG Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  8. Type Inference START Ambiguous double return_a_double(int a) { if(a != 1) assignment to return 2.5; 0 const/4 else v0 return 1.2; } 1 if-eq Source code false true 3 const- 6 const-wide wide/high16 double return_a_double(int) 5 return- 0: const/4 v0,1 11 goto 1: if-eq v3,v0,6 wide 3: const-wide/high16 v0,16388 5: return-wide v0 6: const-wide v0,4608083138725491507 11: goto 5 EXIT DEX bytecode CFG Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  9. Type Inference START Ambiguous double return_a_double(int a) { if(a != 1) assignment to return 2.5; 0 const/4 else v0 return 1.2; } Uses v0 1 if-eq Source code false true 3 const- 6 const-wide wide/high16 double return_a_double(int) 5 return- 0: const/4 v0,1 11 goto 1: if-eq v3,v0,6 wide 3: const-wide/high16 v0,16388 5: return-wide v0 6: const-wide v0,4608083138725491507 11: goto 5 EXIT DEX bytecode CFG Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  10. Recovering Types ded dex2jar double return_a_double(int var1) { double return_a_double(int var1) { double var2; long var2; if(var1 != 1) { if(var1 != 1) { var2 = 2.5D; var2 = 4612811918334230528L; } else { } else { var2 = 1.2D; var2 = 4608083138725491507L; } } return var2; return (double)var2; } } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 7

  11. Optimization by Soot Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  12. Optimization by Soot public void clearTiles() { for (int x = 0; x < mXTileCount; x++) { for (int y = 0; y < mYTileCount; y++) { setTile(0, x, y); } } } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  13. Optimization by Soot public void clearTiles() { for (int x = 0; x < mXTileCount; x++) { for (int y = 0; y < mYTileCount; y++) { .class files .dex file setTile(0, x, y); } } } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  14. Optimization by Soot public void clearTiles() { for (int x = 0; x < mXTileCount; x++) { for (int y = 0; y < mYTileCount; y++) { .class files .dex file setTile(0, x, y); } } } ded New .class files Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  15. Optimization by Soot public void clearTiles() { for (int x = 0; x < mXTileCount; x++) { for (int y = 0; y < mYTileCount; y++) { .class files .dex file setTile(0, x, y); } } } ded public void clearTiles() { int var1 = 0; while(true) { int var2 = mXTileCount; if(var1 >= var2) { New .class return; } files int var3 = 0; while(true) { var2 = mYTileCount; if(var3 >= var2) { ++var1; break; } byte var4 = 0; this.setTile(var4, var1, var3); ++var3; } } } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 8

  16. Optimization by Soot public void clearTiles() { for (int x = 0; x < mXTileCount; x++) { for (int y = 0; y < mYTileCount; y++) { .class files .dex file setTile(0, x, y); } } } ded New .class files Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9

  17. Optimization by Soot public void clearTiles() { for (int x = 0; x < mXTileCount; x++) { for (int y = 0; y < mYTileCount; y++) { .class files .dex file setTile(0, x, y); } } } ded Optimized New .class .class files files Soot Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9

  18. Optimization by Soot public void clearTiles() { for (int x = 0; x < mXTileCount; x++) { for (int y = 0; y < mYTileCount; y++) { .class files .dex file setTile(0, x, y); } } } ded public void clearTiles() { for(int var1 = 0; var1 < mXTileCount; ++var1) { for(int var2 = 0; var2 < mYTileCount; ++var2) { Optimized New .class this.setTile(0, var1, var2); .class files files } Soot } } Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9

  19. Studying Apps • Decompiled top 1,100 free apps from Android market: over 21 million lines of source code • We use static analysis to identify both dangerous behavior and vulnerabilities followed by inspection ‣ Must identify specific properties for analysis ‣ Note: Static analysis says what can happen not what does Systems and Internet Infrastructure Security Laboratory (SIIS) Page 10

  20. Analysis Framework • Using Fortify SCA custom rules let you focus on the what, not the how ‣ Control flow analysis: e.g., look at API options ‣ Data flow analysis: e.g., information leaks, injection attacks ‣ Structural analysis: “grep on steroids” ‣ Semantic analysis: look at possible variable values Systems and Internet Infrastructure Security Laboratory (SIIS) Page 11

  21. Analysis Overview Analysis for Dangerous Behavior Analysis for Vulnerabilities Misuse of Phone Identifiers Data flow analysis Leaking Information to Logs Data flow analysis Exposure of Physical Location Data flow analysis Leaking Information to IPC Control flow analysis Abuse of Telephony Services Semantic analysis Unprotected Broadcast Receivers Control flow analysis Eavesdropping on Video Control flow analysis Intent Injection Vulnerabilities Control flow analysis Eavesdropping on Audio Structural analysis (+CG) Delegation Vulnerabilities Control flow analysis Botnet Characteristics (Sockets) Structural analysis Null Checks on IPC Input Control flow analysis Havesting Installed Applications Structural analysis Password Management* Data flow analysis Cryptography Misuse* Structural analysis Also studied inclusion of advertisement and Injection Vulnerabilities* Data flow analysis analytics libraries and associated properties * included with analysis framework • Existing Java analysis rules aren’t sufficient • FSMs and other details in Tech Report: http://www.enck.org/pubs/NAS-TR-0144-2011.pdf Systems and Internet Infrastructure Security Laboratory (SIIS) Page 12

Recommend

Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware

Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware

Security &amp; Pie Android 9.0 &amp; APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity It used to be that phones had so little connectivity to devices other than the phone network that security wasn't a huge deal Phone number

660 views • 15 slides
Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview

Android Android Application Development - Ashwin Agenda Android Platform Overview Installation Building Blocks Application Development Development Tools Source walk through Introduction to Android Open software

978 views • 49 slides
Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig Trusted Systems Research National Security Agency Motivation Android security relies on Linux DAC. To protect the system from apps. To

480 views • 21 slides
Stack Overflow Considered Harmful? The Impact of Copy&amp;Paste on Android Application Security

Stack Overflow Considered Harmful? The Impact of Copy&amp;Paste on Android Application Security

Stack Overflow Considered Harmful? The Impact of Copy&amp;Paste on Android Application Security F. Fischer * , K. Bttinger * , H.Xiao * , C. Stransky , Y. Acar , M. Backes , S. Fahl * Fraunhofer AISEC CISPA, Saarland

739 views • 44 slides
Root/Jailbreak Detection Evasion Study on iOS and Android Research Project 1 Motivation

Root/Jailbreak Detection Evasion Study on iOS and Android Research Project 1 Motivation

Dana Geist &amp; Marat Nigmatullin Root/Jailbreak Detection Evasion Study on iOS and Android Research Project 1 Motivation Compromised (rooted/jailbroken) devices are a major issue in the mobile security field. Security and business

718 views • 28 slides
CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes Patrick Carter, Collin Mulliner, Martina Lindorfer, William Robertson, Engin Kirda 02/23/2016 Android 2015 Q3 Market Share Android iOS

774 views • 26 slides
Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android

Android AsyncTask AsyncTask Android AsyncTask is an abstract class provided by Android which gives us the liberty to perform heavy tasks in the background and keep the UI thread light thus making the application more responsive. Basic

240 views • 5 slides
Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda Intel OTC Security SQE Agenda File format fuzzing in Android Fuzzing the Stagefright media framework Fuzzing the Android application

614 views • 40 slides
Android UI Tools CS 4720 Mobile Application Development Resource: developer.android.com CS

Android UI Tools CS 4720 Mobile Application Development Resource: developer.android.com CS

Android UI Tools CS 4720 Mobile Application Development Resource: developer.android.com CS 4720 UI vs. UX An important distinction to make up front is the difference between UI and UX UI User Interface The components of a

659 views • 20 slides
Services Android Services A Service is an application component that runs in the background, not

Services Android Services A Service is an application component that runs in the background, not

Lesson 22 Lesson 22 Android Android Services Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work

692 views • 26 slides
Android Activity CS 4720 Mobile Application Development Source: developer.android.com CS

Android Activity CS 4720 Mobile Application Development Source: developer.android.com CS

Android Activity CS 4720 Mobile Application Development Source: developer.android.com CS 4720 Activity Conceptually, an Activity is a single screen of your application In other words, an App really is a collection of related

892 views • 16 slides
Antri Kolani CS682 ADVANCED SECURITY TOPICS Two usability studies held in 2011: an Internet

Antri Kolani CS682 ADVANCED SECURITY TOPICS Two usability studies held in 2011: an Internet

Antri Kolani CS682 ADVANCED SECURITY TOPICS Two usability studies held in 2011: an Internet survey of 308 Android users, and a laboratory study of 25 Android users Study participants displayed low attention and comprehension rates 2

1.11k views • 52 slides
Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco

Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco

Enhancing Mobile Malware: an Android RAT Case Study BSIDES VIENNA 2014 November 22 About Marco Lancini Security Consultant, CEFRIEL @lancinimarco Roberto Puricelli Security Consultant, CEFRIEL @robywankenoby 2 Introduction Intro

870 views • 35 slides
Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and Jan-Christoph K uster Background, what Android is Developed by Android Inc. (acquired by Google in 2005) Open Handset Alliance (founded in 2007)

161 views • 15 slides
Android update June 2010 David Melgar david@broadreachsoftware.com Android application

Android update June 2010 David Melgar david@broadreachsoftware.com Android application

Android update June 2010 David Melgar david@broadreachsoftware.com Android application development Agenda Google I/O Froyo Future Other Device updates Google I/O Googles developer conference May 2010, San Francisco

594 views • 24 slides
Outline Introduction of Android System Four primary application components

Outline Introduction of Android System Four primary application components

Xin Pan CSCI5448 2011 Fall Outline Introduction of Android System Four primary application components AndroidManifest.xml Introduction of Android Sensor Framework Package Interface Classes Examples of Using

434 views • 42 slides
HELLO WORLD ON ANDROID Create a new Android Project Open File-&gt;New-&gt;Android

HELLO WORLD ON ANDROID Create a new Android Project Open File-&gt;New-&gt;Android

HELLO WORLD ON ANDROID Create a new Android Project Open File-&gt;New-&gt;Android project Application name Company domain Project location Hello World Project Target Android Devices Hello World Project Add an

213 views • 18 slides
Android Services CS 4720 Mobile Application Development Resource: developer.android.com CS

Android Services CS 4720 Mobile Application Development Resource: developer.android.com CS

Android Services CS 4720 Mobile Application Development Resource: developer.android.com CS 4720 The Android Architecture CS 4720 2 The Service A Service is a process running the background It does not have a UI A Service

264 views • 9 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Android Architecture CS 4720 Mobile Application Development CS 4720 The Basics In

Android Architecture CS 4720 Mobile Application Development CS 4720 The Basics In

Android Architecture CS 4720 Mobile Application Development CS 4720 The Basics In general, all apps are written in Java (this is not always the case as there are third-party conversion tools) A compiled Android app is an .apk

208 views • 17 slides
Scippa: System-Centric IPC Provenance on Android Michael Backes, Sven Bugiel, Sebastian Gerling

Scippa: System-Centric IPC Provenance on Android Michael Backes, Sven Bugiel, Sebastian Gerling

Scippa: System-Centric IPC Provenance on Android Michael Backes, Sven Bugiel, Sebastian Gerling Saarland Univeristy, Germany 2014 Annual Computer Security Applications Conference Presenter: Qi Wang 1 Android application separation One

661 views • 22 slides
Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal Security Agency CLASSIFICATION HEADER Agenda Motjvatjon/Background Current State Using SELinux in Android What's Next for SELinux in

762 views • 72 slides

More recommend