privacy issues with the google android market
play

Privacy Issues with the Google Android Market Thorben Kr uger - PowerPoint PPT Presentation

Oct 23, 2022 •157 likes •774 views

Privacy Issues with the Google Android Market Thorben Kr uger Bastiaan Wissingh benthor@os3.nl bastiaan@os3.nl February 2, 2011 1/ 18 Outline Introduction Terms Research I Background MITM Sniffing Findings Research II App Analysis

  1. Privacy Issues with the Google Android Market Thorben Kr¨ uger Bastiaan Wissingh benthor@os3.nl bastiaan@os3.nl February 2, 2011 1/ 18

  2. Outline Introduction Terms Research I Background MITM Sniffing Findings Research II App Analysis Findings Implications Bonus Conclusion 2/ 18

  3. Definition of Terms 3/ 18

  4. Definition of Terms ◮ Android 3/ 18

  5. Definition of Terms ◮ Android ◮ Google Android Market 3/ 18

  6. Definition of Terms ◮ Android ◮ Google Android Market ◮ XMPP 3/ 18

  7. Definition of Terms ◮ Android ◮ Google Android Market ◮ XMPP ◮ App 3/ 18

  8. Original Question Google Android Market - Remotely Controllable? 4/ 18

  9. Original Question Google Android Market - Remotely Controllable? ◮ To what exact extent? 4/ 18

  10. Original Question Google Android Market - Remotely Controllable? ◮ To what exact extent? ◮ Suspicion: Highly Privileged Remove Administration Functionality 4/ 18

  11. Original Question Google Android Market - Remotely Controllable? ◮ To what exact extent? ◮ Suspicion: Highly Privileged Remove Administration Functionality ◮ What Privacy Issues? 4/ 18

  12. Original Question Google Android Market - Remotely Controllable? ◮ To what exact extent? ◮ Suspicion: Highly Privileged Remove Administration Functionality ◮ What Privacy Issues? ◮ Proposed Mitigations? 4/ 18

  13. Current Research: Status 5/ 18

  14. Current Research: Status ◮ Market uses XMPP over SSL 5/ 18

  15. Current Research: Status ◮ Market uses XMPP over SSL ◮ Google Android: A State-of-the-Art Review of Security Mechanisms 5/ 18

  16. Current Research: Status ◮ Market uses XMPP over SSL ◮ Google Android: A State-of-the-Art Review of Security Mechanisms ◮ AppBrain 5/ 18

  17. Approach: SSL Man-In-The-Middle 6/ 18

  18. Approach: SSL Man-In-The-Middle ◮ Idea: Traffic Introspection 6/ 18

  19. Approach: SSL Man-In-The-Middle ◮ Idea: Traffic Introspection ◮ Methods: Lots Of Dirty Hacks 6/ 18

  20. Traffic Analysis: Results 7/ 18

  21. Traffic Analysis: Results ◮ Confirmed: XMPP-Triggered Installation 7/ 18

  22. Traffic Analysis: Results ◮ Confirmed: XMPP-Triggered Installation ◮ Unconfirmed: Additional Functionality 7/ 18

  23. Approach: Reverse Engineering 8/ 18

  24. Approach: Reverse Engineering ◮ Analyze Market Package 8/ 18

  25. Approach: Reverse Engineering ◮ Analyze Market Package ◮ Core System Application 8/ 18

  26. Binary Analysis: Findings 9/ 18

  27. Binary Analysis: Findings ◮ Binary Decodable To “Assembly” 9/ 18

  28. Binary Analysis: Findings ◮ Binary Decodable To “Assembly” ◮ Results Hardly Readable 9/ 18

  29. Binary Analysis: Findings ◮ Binary Decodable To “Assembly” ◮ Results Hardly Readable ◮ Evidence: Remotely Triggerable Functionality 9/ 18

  30. Binary Analysis: Findings ◮ Binary Decodable To “Assembly” ◮ Results Hardly Readable ◮ Evidence: Remotely Triggerable Functionality ◮ INSTALL ASSET ◮ REMOVE ASSET 9/ 18

  31. Binary Analysis: Findings ◮ Binary Decodable To “Assembly” ◮ Results Hardly Readable ◮ Evidence: Remotely Triggerable Functionality ◮ INSTALL ASSET ◮ REMOVE ASSET ◮ Evidence: Persistent Connection 9/ 18

  32. Privacy Implications 10/ 18

  33. Privacy Implications ◮ No Evidence For: Advanced Remote Control Functionality 10/ 18

  34. Privacy Implications ◮ No Evidence For: Advanced Remote Control Functionality ◮ Possible Issue For Some: Remotely Triggered Application Removal 10/ 18

  35. Mitigation Idea: Patch Script 11/ 18

  36. Mitigation Idea: Patch Script ◮ “Assembly” Rebuildable To Binary 11/ 18

  37. Mitigation Idea: Patch Script ◮ “Assembly” Rebuildable To Binary ◮ Result Still Executable 11/ 18

  38. Mitigation Idea: Patch Script ◮ “Assembly” Rebuildable To Binary ◮ Result Still Executable ◮ Assembly-Level Patch: Remove Unwanted Functionality 11/ 18

  39. Accidental Finding: Market App Honors Permission System 12/ 18

  40. Accidental Finding: Market App Honors Permission System ◮ Error For Patched Market: No Permission To Install Apps 12/ 18

  41. Accidental Finding: Market App Honors Permission System ◮ Error For Patched Market: No Permission To Install Apps ◮ Very Unexpected 12/ 18

  42. Digression: Android Permission System 13/ 18

  43. Digression: Android Permission System ◮ Central Part Of Android Architecture 13/ 18

  44. Digression: Android Permission System ◮ Central Part Of Android Architecture ◮ Open Source! 13/ 18

  45. Digression: Android Permission System ◮ Central Part Of Android Architecture ◮ Open Source! ◮ Uses: Plain XML Files 13/ 18

  46. Digression: Android Permission System ◮ Central Part Of Android Architecture ◮ Open Source! ◮ Uses: Plain XML Files ◮ Problem: Very Coarse Grained UI 13/ 18

  47. Android Permission System: Current Research 14/ 18

  48. Android Permission System: Current Research ◮ permissionBlocker.apk 14/ 18

  49. Android Permission System: Current Research ◮ permissionBlocker.apk ◮ Apex 14/ 18

  50. Proposal: Extension of Apex 15/ 18

  51. Proposal: Extension of Apex ◮ Requires: Changes To Software Stack 15/ 18

  52. Proposal: Extension of Apex ◮ Requires: Changes To Software Stack ◮ Hurdle: System App Permissions Handled Differently 15/ 18

  53. Proposal: Extension of Apex ◮ Requires: Changes To Software Stack ◮ Hurdle: System App Permissions Handled Differently ◮ Red Tape: Nothing Has Been Released 15/ 18

  54. Conclusion 16/ 18

  55. Conclusion ◮ Current Market App Less Evil Than Expected 16/ 18

  56. Conclusion ◮ Current Market App Less Evil Than Expected ◮ Binary/Assembly Patches Possible 16/ 18

  57. Conclusion ◮ Current Market App Less Evil Than Expected ◮ Binary/Assembly Patches Possible ◮ Alternative Approach: Permission Management 16/ 18

  58. Outlook 17/ 18

  59. Outlook ◮ Reimplement Apex: NLnet funding? 17/ 18

  60. Questions? 18/ 18

Recommend

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
Android Google Maps Android API V2 Victor Matos Cleveland State University Notes are based on:

Android Google Maps Android API V2 Victor Matos Cleveland State University Notes are based on:

Lesson 25 Android Google Maps Android API V2 Victor Matos Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work created and shared by Google

518 views • 41 slides
(Android) https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

(Android) https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

(Android) https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 (iPhone) https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8 (Android)

365 views • 13 slides
Part 1: Setup Google Map API for Android Prerequisites Please make sure that you can deploy a

Part 1: Setup Google Map API for Android Prerequisites Please make sure that you can deploy a

11/12/13 Setup Google Map API for Android Setup Google Map API for Android Part 1: Setup Google Map API for Android Prerequisites Please make sure that you can deploy a regular Android App on your device. See instructions if you did not finish

384 views • 6 slides
A Measurement Study of Google Play Nicolas Viennot Edward Garcia Jason Nieh Columbia

A Measurement Study of Google Play Nicolas Viennot Edward Garcia Jason Nieh Columbia

A Measurement Study of Google Play Nicolas Viennot Edward Garcia Jason Nieh Columbia University Android is increasingly popular Android Dominates the Market Google Play Uploading Content to Google Play is Easy Very low barrier to

730 views • 72 slides
Android Google Maps Android API V2 Victor Matos Cleveland State University Cleveland State

Android Google Maps Android API V2 Victor Matos Cleveland State University Cleveland State

Lesson 25 Lesson 25 Android Google Maps Android API V2 Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced

1k views • 21 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. https://www.isecpartners.com Agenda Android Security Model

725 views • 47 slides
Google Privacy & Security interfaces Dominic Battr Robert Brauer Google Confidential and

Google Privacy & Security interfaces Dominic Battr Robert Brauer Google Confidential and

Google Privacy & Security interfaces Dominic Battr Robert Brauer Google Confidential and Proprietary Google Privacy Principles 1. Use information to provide our users with valuable products and services. 2. Develop products that

541 views • 13 slides
Android update June 2010 David Melgar david@broadreachsoftware.com Android application

Android update June 2010 David Melgar david@broadreachsoftware.com Android application

Android update June 2010 David Melgar david@broadreachsoftware.com Android application development Agenda Google I/O Froyo Future Other Device updates Google I/O Googles developer conference May 2010, San Francisco

594 views • 24 slides
CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is

CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is

CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is Android? Android is worlds leading mobile operating system Open source (https://source.android.com/setup/) Google: Owns Android,

652 views • 43 slides
CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is

CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is

CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is Android? Android is worlds leading mobile operating system Google: Owns Android, maintains it, extends it Distributes Android OS,

589 views • 35 slides
CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu What is Android? Android is worlds leading mobile operating system Google: Owns Android, maintains it, extends it Distributes Android

388 views • 38 slides
Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android Security since 2013 Software Engineer Acknowledgements

927 views • 38 slides
Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android Security since 2013 Software Engineer Acknowledgements

627 views • 40 slides
Mobile Internet in Russia Prepared by J'son & Partners Consulting for Google Android and

Mobile Internet in Russia Prepared by J'son & Partners Consulting for Google Android and

Mobile Internet in Russia Prepared by J'son & Partners Consulting for Google Android and Mobile Marketing, Google Russia Android and Mobile Marketing, Google Russia Google Confidential and Proprietary Table of Contents 1. Mobile Internet

551 views • 40 slides
Privacy October 2006 Overview I. Definition II. Basic Privacy Principles III. Privacy Issues

Privacy October 2006 Overview I. Definition II. Basic Privacy Principles III. Privacy Issues

Simone Fischer-Hbner Privacy October 2006 Overview I. Definition II. Basic Privacy Principles III. Privacy Issues (LBS, RFID,...) IV. European Privacy Legislation/ Directives I. Definition Warren & Brandeis 1890 The right to

694 views • 30 slides
Legislation: Standing and Certification Issues in Facebook and Google THURSDAY, AUGUST 16, 2018

Legislation: Standing and Certification Issues in Facebook and Google THURSDAY, AUGUST 16, 2018

Presenting a live 90-minute webinar with interactive Q&A Data Privacy Class Actions and Biometric Legislation: Standing and Certification Issues in Facebook and Google THURSDAY, AUGUST 16, 2018 1pm Eastern | 12pm Central | 11am

732 views • 39 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Android SDK Tools in Debian Kai-Chung Yan <seamlikok@gmail.com> Why Android SDK in Debian?

Android SDK Tools in Debian Kai-Chung Yan <seamlikok@gmail.com> Why Android SDK in Debian?

Android SDK Tools in Debian Kai-Chung Yan <seamlikok@gmail.com> Why Android SDK in Debian? The SDK from Google is non-free [1] Why Android SDK in Debian? The SDK from Google is non-free [1] Reproducible SDK & APKs

519 views • 29 slides
CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and

CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and

CS 403X Mobile and Ubiquitous Computing Lecture 14: Google Places, Other Useful Android APIs and Cool Location Aware Apps Emmanuel Agu Google Places Place: physical space that has a name (e.g. local businesses, points of interest,

690 views • 24 slides
Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de

Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de

Outline Google Hacking Privacy Searches Countermeasures Future Work Conclusion Google Hacking against Privacy Emin Islam Tatl tatli@th.informatik.uni-mannheim.de Department of Computer Science, University of Mannheim (on leave to the

389 views • 21 slides
Blueprint of a Mobile App Indy Khare - Tech Lead & Manager Google Photos Android 2008 - 2009

Blueprint of a Mobile App Indy Khare - Tech Lead & Manager Google Photos Android 2008 - 2009

Blueprint of a Mobile App Indy Khare - Tech Lead & Manager Google Photos Android 2008 - 2009 iOS 2010 - 2013 iOS & Android 2013 - Today Android Designing Building Iterating Designing Do a few things and do them well Focus on UX

569 views • 36 slides
CS5530 Mobile/Wireless Systems Using Google Map in Android Yanyan Zhuang Department of Computer

CS5530 Mobile/Wireless Systems Using Google Map in Android Yanyan Zhuang Department of Computer

CS5530 Mobile/Wireless Systems Using Google Map in Android Yanyan Zhuang Department of Computer Science http://www.cs.uccs.edu/~yzhuang UC. Colorado Springs CS5530 Ref. CN5E, NT@UW, WUSTL Setup Install the Google Play services SDK o

483 views • 32 slides

More recommend