hooker
play

HOOKER A solution to analyze Android markets Dimitri Kirchner - PowerPoint PPT Presentation

Nov 04, 2022 •268 likes •1.26k views

HOOKER A solution to analyze Android markets Dimitri Kirchner @Tibapbedoum Georges Bossert @Lapeluche AMOSSYS PhD candidate AMOSSYS / Supelec IT security engineer AMOSSYS Protocole Reverse Engineering Android Hooker: a solution to

  1. HOOKER A solution to analyze Android markets Dimitri Kirchner – @Tibapbedoum Georges Bossert – @Lapeluche AMOSSYS

  2. PhD candidate AMOSSYS / Supelec IT security engineer AMOSSYS Protocole Reverse Engineering Android Hooker: a solution to analyze Android markets 2

  3. IT security engineer at AMOSSYS since 2010 Android Informatique de confiance Hooker: a solution to analyze Android markets 3

  4. Hooker: a solution to analyze Android markets 4

  5. Hooker: a solution to analyze Android markets 5

  6. Hooker: a solution to analyze Android markets 6

  7. Hooker: a solution to analyze Android markets 7

  8. 8

  9. Android security model Ask the user for permissions in order to access phones ressources (texts, GPS, etc.) Hooker : a solution to analyze your Android market 9

  10. Hooker: a solution to analyze Android markets 10

  11. Hooker: a solution to analyze Android markets 11

  12. Hooker: a solution to analyze Android markets 12

  13. Hooker: a solution to analyze Android markets 13

  14. Let’s say, I really need this app … What the application does with its ressources ? Are resources really used by the application ? Are resources used in a legitimate way ? Hooker: a solution to analyze Android markets 14

  15. You already have solutions for that Static versus dynamic analysis tools Hooker: a solution to analyze Android markets 15

  16. Androguard JD-Core/GUI Etc. Hooker: a solution to analyze Android markets 16

  17. Dynamic analysis Solution 1: Build a custom Android ROM (Droidbox) to instrument the kernel Hooker: a solution to analyze Android markets 17

  18. Dynamic analysis Solution 1: Build a custom Android ROM (Droidbox) to instrument the kernel Solution 2: Modify APK before install (APIMonitor / Fino) to instrument the APK Hooker: a solution to analyze Android markets 18

  19. Dynamic analysis Solution 1: Build a custom Android ROM (Droidbox) to instrument the kernel Solution 2: Modify APK before install (APIMonitor / Fino) to instrument the APK Solution 3: API hooking framework (Substrate / Xposed) Hooker: a solution to analyze Android markets 19

  20. Online scanners Mix of static and dynamic Fancy user interface and reports Hooker: a solution to analyze Android markets 20

  21. Hooker: a solution to analyze Android markets 21

  22. Analysis are centered on one application Is it possible to analyze more than one application ? Can you analyze an entire market ? Hooker: a solution to analyze Android markets 22

  23. Introducing hooker Hooker: a solution to analyze Android markets 23

  24. What is Hooker A solution to analyze Android applications Centralize and aggregate analysis of thousands of differents applications Hooker: a solution to analyze Android markets 24

  26. How Hooker works Microanalysis versus Macroanalysis Hooker: a solution to analyze Android markets 26

  27. How Hooker works Microanalysis versus Macroanalysis Hooker: a solution to analyze Android markets 27

  28. How Hooker works Microanalysis versus Macroanalysis Analysis of several applications Hooker: a solution to analyze Android markets 28

  29. Microanalysis overview Hooker: a solution to analyze Android markets 29

  30. Rule n1: Gather all possible information about the application behavior Hooker : a solution to analyze your Android market 30

  31. Step 1: Androguard It just works great Framework in python Let us extract basic information about the application Package name Permissions Services Etc. Hooker: a solution to analyze Android markets 31

  32. Step 2: Substrate An API hooking framework Changes behavior of one application, without patches, or specific ROM, or whatever What you need is: Root access Compatible Android version Hooker: a solution to analyze Android markets 32

  33. Substrate Injects code into Zygote process (father of all processes) Therefore, injected in all spawned processes (Similar to Xposed) Hooker: a solution to analyze Android markets 33

  34. Use Substrate to: Hook access to personal information (read contacts, etc.) Hook access to specific API (open socket) Modify return of specific methods (anti-anti-emulation) Hooker: a solution to analyze Android markets 34

  35. Hook PowerManager methods Hooker: a solution to analyze Android markets 35

  36. Hook PowerManager methods Methods name Hooker: a solution to analyze Android markets 36

  37. Build events in real time Hooker: a solution to analyze Android markets 37

  38. Build events in real time Hooker: a solution to analyze Android markets 38

  39. Build events in real time Hooker: a solution to analyze Android markets 39

  40. Intrusive level indicator Differentiates critical event from normal event Writing is considered more intrusive than reading Application doing lots of intrusive events is highlighted Hooker: a solution to analyze Android markets 40

  41. Hooker: a solution to analyze Android markets 41

  42. Hooker: a solution to analyze Android markets 42

  43. Hooker: a solution to analyze Android markets 43

  44. Hooker: a solution to analyze Android markets 44

  45. Main limitation White list enumeration We don’t intercept what we don’t declare Hooker: a solution to analyze Android markets 45

  46. Main limitation White list enumeration We don’t intercept what we don’t declare Hooker: a solution to analyze Android markets 46

  47. Hooker: a solution to analyze Android markets 47

  48. Hooker: a solution to analyze Android markets 48

  49. Store events in a distributed database Elastic search Interact with database Kibana (front-end) Hooker: a solution to analyze Android markets 49

  50. Hooker : a solution to analyze your Android market 50

  51. You have to build your own Kibana interface Basic malware generates 2000 events in 60 seconds Hooker: a solution to analyze Android markets 51

  52. Macroanalysis Hooker: a solution to analyze Android markets 52

  53. Macroanalysis Automation and parallelization of microanalysis Hooker: a solution to analyze Android markets 53

  54. Macroanalysis Automation and parallelization of microanalysis Look for specific patterns in thousands of applications Hooker: a solution to analyze Android markets 54

  55. Macroanalysis Automation and parallelization of microanalysis Look for specific patterns in thousands of applications Post analysis Hooker: a solution to analyze Android markets 55

  56. Macroanalysis Automation and parallelization of microanalysis Look for specific patterns in thousands of applications Post analysis Data mining Hooker: a solution to analyze Android markets 56

  57. Automation Step 1: Prepare an Android emulator Step 2: Configure a scenario Install Execute Stimulate External stimulation Reboot Hooker: a solution to analyze Android markets 57

  58. Automation Step 1: Prepare an Android emulator Step 2: Configure a scenario Install Execute Stimulate External stimulation Reboot Hooker: a solution to analyze Android markets 58

  59. Automation Step 1: Prepare an Android emulator Step 2: Configure a scenario Install Execute Stimulate External stimulation Reboot Hooker: a solution to analyze Android markets 59

  60. Automation Step 1: Prepare an Android emulator Step 2: Configure a scenario Install Execute Stimulate External stimulation Phone call SMS reception Reboot GPS stimulation, etc. Hooker: a solution to analyze Android markets 60

  61. Step 3: Run the experiment $ python hooker_xp.py – c automaticAnalysis.conf Wait and see Hooker: a solution to analyze Android markets 61

  62. Post-analysis Python script to query Elasticseach database Query what you want to make: Statistics • Hightlights • Hooker: a solution to analyze Android markets 62

  63. Get thousands of APKs Google store Unofficial markets APK in archives Hooker: a solution to analyze Android markets 63

  64. Get thousands of APKs Google store Unofficial markets APK in archives What we have tried until now: 1000 apps from SlideMe market in the paper 1000 apps from Google store Hooker: a solution to analyze Android markets 64

  65. Network statistics Hooker : a solution to analyze your Android market 65

  66. Most used Network methods getFile sendto recvfrom execute getAuthority getInputStream IOException getSettings getOutputStream URL Socket openConnection getHost closeSocket getPort close connect getProtocol setCertificate 0 50 100 150 200 250 300 Number of applications Hooker : a solution to analyze your Android market 66

  67. Internet permissions 477 apps asking for internet permissions 404 have been found using it Hooker: a solution to analyze Android markets 67

  68. Domains most accessed www.google-analytics.com mm.admob.com googleads.g.doubleclick.net www.google.com ade.wooboo.com.cn secure.gameloft.com 0 10 20 30 40 Number of applications Hooker : a solution to analyze your Android market 68

  69. Domains most accessed www.google-analytics.com mm.admob.com googleads.g.doubleclick.net www.google.com Advertisements ade.wooboo.com.cn secure.gameloft.com 0 10 20 30 40 Number of applications Hooker : a solution to analyze your Android market 69

Recommend

Commerce In-App Purchases Sell Products with a Native Mobile App By: Scott Hooker &

Commerce In-App Purchases Sell Products with a Native Mobile App By: Scott Hooker &

Commerce In-App Purchases Sell Products with a Native Mobile App By: Scott Hooker & Tyler Frankenstein Hello! Tyler Frankenstein Easy Street 3 Co-Founder (DrupalGap Project Lead) Scott Hooker Commerce

322 views • 17 slides
Sean Hooker Head of Redress 2013 Enterprise and Regulatory Reform act it is now compulsory

Sean Hooker Head of Redress 2013 Enterprise and Regulatory Reform act it is now compulsory

Sean Hooker Head of Redress 2013 Enterprise and Regulatory Reform act it is now compulsory for all Letting Agents and Property Managers Lettings now on par with Sales Three authorised schemes lettings agency work means

417 views • 21 slides
Some Observations on Boolean Logic and Optimization John Hooker Carnegie Mellon University

Some Observations on Boolean Logic and Optimization John Hooker Carnegie Mellon University

Some Observations on Boolean Logic and Optimization John Hooker Carnegie Mellon University January 2009 Slide 1 Outline Logic and cutting planes Logic of 0-1 inequalities Logic and linear programming Inference duality

1.63k views • 111 slides
Model of Care for 65 and over Dr. Richard Hooker Clinical Lead West London CCG Integrated Care

Model of Care for 65 and over Dr. Richard Hooker Clinical Lead West London CCG Integrated Care

Model of Care for 65 and over Dr. Richard Hooker Clinical Lead West London CCG Integrated Care Team Paula Morrell Health & Social Care Assistant (HSCA) My Care My Way My Care My Way Service More Coordination Case Finding, Care

405 views • 13 slides
Tutorial: Operations Research in Constraint Programming John Hooker Carnegie Mellon University

Tutorial: Operations Research in Constraint Programming John Hooker Carnegie Mellon University

Tutorial: Operations Research in Constraint Programming John Hooker Carnegie Mellon University May 2009 Revised June 2009 CPAIOR tutorial May 2009 Slide 1 Motivation Benders decomposition allows us to apply CP and OR to different

499 views • 18 slides
Model based dose finding Discussion of presentations given by Bjrn Bornkamp and Andrew Hooker

Model based dose finding Discussion of presentations given by Bjrn Bornkamp and Andrew Hooker

Model based dose finding Discussion of presentations given by Bjrn Bornkamp and Andrew Hooker Norbert Benda Federal Institute for Drugs and Medical Devices | The BfArM is a Federal Institute within the portfolio of the Federal Ministry of

498 views • 8 slides
I zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA I i D i s t i n g W a rfa re :

I zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA I i D i s t i n g W a rfa re :

I zyxwvutsrqponmlkjihgfedcbaZYXWVUTSRQPONMLKJIHGFEDCBA I i D i s t i n g W a rfa re : Chancellorsville, A Case Study MlDN 1/C Elizabeth Vary 18th ISMOR Oxford, UK 27 - 31 August 2001 Fightin Joe hooker

233 views • 10 slides
T doubts about traditional approaches to Protection Agency (EPA) took judicial or addressing

T doubts about traditional approaches to Protection Agency (EPA) took judicial or addressing

G Environmental Alert January 2005 Contribution Confusion Redux By Michael David Lichtenstein, Esq. and Todd M. Hooker, Esq. wo recent federal court decisions raise TNRCC nor the United Sates Environmental T doubts about traditional

151 views • 3 slides
W hile the Winter of 2003-2004 will be enforcement action, the claimant has no statutory

W hile the Winter of 2003-2004 will be enforcement action, the claimant has no statutory

G Environmental Law Alert March 2004 Winter of 2003-2004, Hot One For Superfund Developments By Richard F. Ricci, Esq., Michael J. Caffrey, Esq., Todd M. Hooker, Esq., and Priya R. Masilamani, Esq. W hile the Winter of 2003-2004 will be

332 views • 4 slides
Symmetry energy constraints from the neutron star crust Nuclear

Symmetry energy constraints from the neutron star crust Nuclear

Symmetry energy constraints from the neutron star crust Nuclear experiment confronRng astrophysical models William G. Newton, Kyleah Murphy, Josh Hooker, Mike

820 views • 37 slides
High-Temperature Circuit Boards for Use in Composite Technology Development, Inc. Geothermal

High-Temperature Circuit Boards for Use in Composite Technology Development, Inc. Geothermal

Geothermal Technologies Program 2010 Peer Review Public Service of Colorado Ponnequin Wind Farm Matthew Hooker High-Temperature Circuit Boards for Use in Composite Technology Development, Inc. Geothermal Well Monitoring Applications

130 views • 9 slides
Constraint Programming with Decision Diagrams Willem-Jan van Hoeve Tepper School of Business

Constraint Programming with Decision Diagrams Willem-Jan van Hoeve Tepper School of Business

Constraint Programming with Decision Diagrams Willem-Jan van Hoeve Tepper School of Business Carnegie Mellon University Acknowledgments: David Bergman, Andre A. Cire, Sam Hoda, and John N. Hooker NSF, Google Summary What can MDDs do for

1.39k views • 109 slides
RESEARCH IN CALIFORNIA DUAL ENROLLMENT: BARRIERS, INNOVATIONS, POLICY LANDSCAPE California

RESEARCH IN CALIFORNIA DUAL ENROLLMENT: BARRIERS, INNOVATIONS, POLICY LANDSCAPE California

RESEARCH IN CALIFORNIA DUAL ENROLLMENT: BARRIERS, INNOVATIONS, POLICY LANDSCAPE California Association of Black School Educators October 19, 2018 PRESENTED BY Naomi Castro, Career Ladders Project Sarah Hooker, JFF Joel Vargas, JFF The

1.13k views • 20 slides
Proctor Preparedness Training Tier II July, 2015 1 Instructors (updated 7/15/2015) Lanai

Proctor Preparedness Training Tier II July, 2015 1 Instructors (updated 7/15/2015) Lanai

Proctor Preparedness Training Tier II July, 2015 1 Instructors (updated 7/15/2015) Lanai Greenhalgh Scott Baily 491-1527 491-7655 Kyle Haefner Stacey Baumgarn 491-1012 491-2319 Mike Hooker Dwight Burke 491-1545 491-5633 Lorie

912 views • 74 slides
I m proved m ethodology for use of non-linear m ixed effect m odels ( NLMEM) in decision m aking

I m proved m ethodology for use of non-linear m ixed effect m odels ( NLMEM) in decision m aking

I m proved m ethodology for use of non-linear m ixed effect m odels ( NLMEM) in decision m aking Mats O. Karlsson & Andrew Hooker Uppsala University EMA, London March 30, 2017 FP7 HEALTH 2013 - 602552 1 Team @ UU Mats

278 views • 16 slides
Proctor Preparedness Training Tier I July 24, 2014 1 Instructors Stacey Baumgarn Lanai

Proctor Preparedness Training Tier I July 24, 2014 1 Instructors Stacey Baumgarn Lanai

Proctor Preparedness Training Tier I July 24, 2014 1 Instructors Stacey Baumgarn Lanai Greenhalgh 491-2319 491-1527 Scott Baily Kyle Haefner 491-7655 491-1012 Dwight Burke Mike Hooker 491-5633 491-1545 Bob Chaffee Lorie J. Johnson

930 views • 64 slides
Ethical Reading Webinar #1 Ethics what is it and why does it matter? Speaker: Professor Brad

Ethical Reading Webinar #1 Ethics what is it and why does it matter? Speaker: Professor Brad

Ethical Reading Webinar #1 Ethics what is it and why does it matter? Speaker: Professor Brad Hooker The University of Reading Enabled by: Host: Gurprit Singh Ethical Reading Help us to make Reading a better place to live and work

250 views • 12 slides
Atlanta Memorial Park Conservancy (formally The Bobby Jones Golf Course and Park Conservancy) 1

Atlanta Memorial Park Conservancy (formally The Bobby Jones Golf Course and Park Conservancy) 1

Atlanta Memorial Park Conservancy (formally The Bobby Jones Golf Course and Park Conservancy) 1 ULI CFL mTAP Team Justin Bates Kim Bucklew Colin Edelstein Brian Hooker Brian Lu Jon Tuley 2 Table of Contents

714 views • 15 slides
Easing the Transition to College Through Paired First Year Seminars National Conference Students

Easing the Transition to College Through Paired First Year Seminars National Conference Students

Hand-out Easing the Transition to College Through Paired First Year Seminars National Conference Students in Transition Oct 21, 11am- 12pm 2013 Virginia Wesleyan College Norfolk, Virginia Denise Wilkinson Rebecca Hooker Professor of

746 views • 52 slides
Citzen Science By: Jon Howard Citizen Sciene Team Team (alphabetical): Paul M. Aoki

Citzen Science By: Jon Howard Citizen Sciene Team Team (alphabetical): Paul M. Aoki

Citzen Science By: Jon Howard Citizen Sciene Team Team (alphabetical): Paul M. Aoki (Intel Research Berkeley) R.J. Honicky (U.C. Berkeley) Ben Hooker (Art Center College of Design) Alan Mainwaring (Intel Research Berkeley)

641 views • 25 slides
AAFPO Annual Meeting June 9, 2018 Welcome Mike Woolley Angel Fire Resort Kalyn Whitacre

AAFPO Annual Meeting June 9, 2018 Welcome Mike Woolley Angel Fire Resort Kalyn Whitacre

AAFPO Annual Meeting June 9, 2018 Welcome Mike Woolley Angel Fire Resort Kalyn Whitacre AAFPO Committee Reports Rick Hooker AF/EACC Mike Stille Election Results Mike Woolley Schedule of Board Meeting Mike Woolley 2019

655 views • 50 slides

More recommend