Understanding Open Ports in Android Applications: Discovery, Diagnosis, and Security Assessment

Daoyuan Wu 1,*, Debin Gao 1, Rocky K. C. Chang 2, En He 3, Eric K. T. Cheng 2, and Robert H. Deng 1

3 China Electronic Technology Cyber Security Co., Ltd.
[Figure: an app exposing an open port (http://127.0.0.1:1234) that receives a request path such as //filename, used to inject dangerous commands]
The First Step: Discovering Open Ports in Apps

Static Analysis (OPAnalyzer [EuroS&P'17])
• Issues: dynamic code loading, complex implicit flows, and code obfuscation.
• Difficult to recognize random port numbers.

In-lab Dynamic Analysis
• Cannot mimic real user inputs to drive apps.

Crowdsourcing Discovery
• Leverage users' interaction with their smartphones to monitor open ports.
NetMon: On-device Open Port Monitoring
Available on Google Play since October 2016
https://play.google.com/store/apps/details?id=com.netmon
Port Monitoring Mechanism

$ cat /proc/net/tcp6   (accessible also on the latest Android 8 and 9; the same format is used by /proc/net/tcp, udp and udp6)
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid
   0: 0000000000000000FFFF00000100007F:9AE0 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10156
   1: 0000000000000000FFFF00000100007F:EC22 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10272
   2: 0000000000000000FFFF00002600040A:E8EA 0000000000000000FFFF00006B72662F:01BB 06 00000000:00000000 03:00001279 00000000     0
   3: 0000000000000000FFFF00002600040A:84B0 0000000000000000FFFF00005FC2D9AC:01BB 08 00000000:00000001 00:00000000 00000000 10015

Periodically analyze proc with minimal overhead.
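As an added example (not NetMon's own code), the following Python parses rows in the /proc/net/tcp6 format shown above, decodes the hex addresses and ports, keeps the LISTEN sockets with their uid, and labels each one's exposure; a wildcard bind is the pattern Diagnosis II later describes as not setting the IP address parameter. The input is constructed: the slide's four rows plus one made-up wildcard listener.

```python
import socket
LISTEN = "0A"  # value of the st column for a TCP socket in LISTEN state

# Constructed input: the header and the four rows shown above, plus a fifth,
# made-up row (uid 10300) that listens on the wildcard address "::".
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid
   0: 0000000000000000FFFF00000100007F:9AE0 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10156
   1: 0000000000000000FFFF00000100007F:EC22 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10272
   2: 0000000000000000FFFF00002600040A:E8EA 0000000000000000FFFF00006B72662F:01BB 06 00000000:00000000 03:00001279 00000000     0
   3: 0000000000000000FFFF00002600040A:84B0 0000000000000000FFFF00005FC2D9AC:01BB 08 00000000:00000001 00:00000000 00000000 10015
   4: 00000000000000000000000000000000:2378 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000 10300
"""

def decode_addr(hex_addr: str) -> str:
    """Decode a /proc/net hex address. Each 32-bit word is printed in host byte
    order (little-endian on Android), so swap every word; IPv4-mapped IPv6
    addresses (::ffff:a.b.c.d) are reported as plain IPv4."""
    raw = bytes.fromhex(hex_addr)
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    if len(packed) == 16 and packed[:12] == b"\x00" * 10 + b"\xff\xff":
        packed = packed[12:]
    family = socket.AF_INET if len(packed) == 4 else socket.AF_INET6
    return socket.inet_ntop(family, packed)

def exposure(ip: str) -> str:
    """A wildcard bind (IP parameter unset or null) is reachable from every interface."""
    if ip in ("0.0.0.0", "::"):
        return "all-interfaces"
    return "loopback" if ip in ("127.0.0.1", "::1") else "specific"

def parse_proc_net(text: str) -> list:
    """One record per socket row of /proc/net/tcp or tcp6; the header is skipped."""
    records = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue
        lip, lport = f[1].split(":")
        rip, rport = f[2].split(":")
        records.append({"uid": int(f[7]), "state": f[3],
                        "local_ip": decode_addr(lip), "local_port": int(lport, 16),
                        "remote_ip": decode_addr(rip), "remote_port": int(rport, 16)})
    return records

def open_ports(text: str) -> list:
    """(uid, ip, port, exposure) for every LISTEN socket: the raw per-app record
    that on-device monitoring uploads for the server-side engine to correlate."""
    return [(r["uid"], r["local_ip"], r["local_port"], exposure(r["local_ip"]))
            for r in parse_proc_net(text) if r["state"] == LISTEN]
```

For /proc/net/udp and udp6 a bound socket shows state 07 rather than 0A, so a UDP pass tests for that value instead; mapping a uid to its package is done on the device through the package manager.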
Server-side Open Port Analytic Engine

Per-app raw port monitoring records:
UID App     Type IP      Port  Time
U1  Netflix UDP4 0.0.0.0 1900  T1
U1  Netflix UDP4 0.0.0.0 39798 T1
U2  Netflix UDP4 0.0.0.0 1900  T2
U2  Netflix UDP4 0.0.0.0 32799 T2
……
Ux  Netflix TCP4 0.0.0.0 9080  Tx
Uy  Netflix TCP4 0.0.0.0 9080  Ty

The "Intelligent" engine reduces these records to the app's open ports:
App     Type IP      Port
Netflix TCP4 0.0.0.0 9080
Netflix UDP4 0.0.0.0 1900
Netflix UDP4 0.0.0.0 Random
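As an added example (not the paper's engine code), this Python function turns the raw records above into the engine's output table. The collapsing rule is my assumption: a port reported by at least two distinct users is a fixed port, while ports that each appear on only one user are treated as chosen at runtime and merged into a single "Random" row.

```python
from collections import defaultdict

# Constructed records in the slide's table layout: (uid, app, type, ip, port).
RAW_RECORDS = [
    ("U1", "Netflix", "UDP4", "0.0.0.0", 1900),
    ("U1", "Netflix", "UDP4", "0.0.0.0", 39798),
    ("U2", "Netflix", "UDP4", "0.0.0.0", 1900),
    ("U2", "Netflix", "UDP4", "0.0.0.0", 32799),
    ("Ux", "Netflix", "TCP4", "0.0.0.0", 9080),
    ("Uy", "Netflix", "TCP4", "0.0.0.0", 9080),
]

def aggregate_open_ports(records, min_users: int = 2) -> list:
    """Collapse raw per-user records into one row per (app, type, ip, port).

    Assumed heuristic (not the paper's actual rules): a port is fixed when at
    least `min_users` distinct users reported it; ports seen on a single user
    each are taken to be random and merged into one "Random" row, provided at
    least `min_users` users showed such ports for the same app/type/ip.
    """
    users_by_port = defaultdict(set)
    for uid, app, proto, ip, port in records:
        users_by_port[(app, proto, ip, port)].add(uid)
    result, random_users = [], defaultdict(set)
    for (app, proto, ip, port), users in users_by_port.items():
        if len(users) >= min_users:
            result.append((app, proto, ip, port))
        else:
            random_users[(app, proto, ip)] |= users   # candidate random port
    for (app, proto, ip), users in random_users.items():
        if len(users) >= min_users:
            result.append((app, proto, ip, "Random"))
    return sorted(result, key=lambda r: (r[0], r[1], str(r[3])))
```

A port seen on one user only, with no corroborating user, is dropped rather than reported, which is the trade-off such a threshold makes against noise from one-off sockets.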
Crowdsourced Open Port Results

• The ten-month data:
  • 3,293 user phones from 136 different countries
  • 26% are from US, while diverse for others
  • 40M port monitoring records:
    • 2,778 open-port apps
    • And their 4,954 open ports
• The effectiveness:
  • Discovered 2,284 apps with TCP open ports, vs. 1,632 apps detected in state-of-the-art research [EuroS&P'17].
  • In a controlled set of apps with TCP open ports, 25.1% of them use dynamic or obfuscated codes for open ports.
• The pervasiveness:
  • Correlated with top 3,216 apps from Google Play, 492 of them are with open ports.
  • Pervasiveness: 15.3%.
Open Ports in 925 Popular Apps
Open Ports in 755 Built-in Apps
• More than half of these built-in apps contain UDP open port 68.
• One quarter (175 apps, 23.2%) have TCP/UDP port 5060 open.
  • 41 Samsung and 16 LG models modify some Android AOSP apps to introduce port 5060.
• TCP port 6000 in Xiaomi Browser
• UDP port 19529 in LG's 18 apps
While crowdsourcing is effective in discovering open ports, it does not reveal the code-level information needed for more in-depth understanding or diagnosis.
Open Port Diagnosis via Static Analysis
[Figure: two diagnosis questions for each open port, 1: SDK? 2: Insecure parameters?]
Diagnosis I: Open-Port SDKs
• Out of the 1,520 open-port apps:
  • 61.8% are solely due to SDKs; Facebook SDK is the major contributor.
  • 13 open-port SDKs detected.
Diagnosis II: Insecure API Usages

581 apps whose open ports are not introduced by SDKs:
• 611 open ports from 390 apps (67.1%) adopted "convenient" API usages: did not set the IP addr param or set it "null".
• 164 ports from 120 apps (20.7%) set their port number param random.

20.7% (120/581) open-port apps adopt convenient but insecure API usages.
In the last phase of our pipeline, we perform three novel security assessments of open ports.
Vulnerability Patterns Identified in Open Ports
• Terminate on-going sessions by sending two UDP packets.
• Crash Instagram by sending just a HTTP request.
• Some open ports are used as an analytics interface for their companion websites.
• Send a HTTP URL request pointing to a large file, to maliciously inflate victim apps' cellular data usage in the background.
Denial-of-Service Attack Evaluation
Inter-device Connectivity Measurement
Remote open-port attacks require the victim device to be connected (intra- or inter-network).

6,391 network scan traces: 224 cellular networks, 2,181 WiFi networks
• Allow intra-network connectivity (in the same network): 111 cellular (49.6%), 1,823 WiFi (83.6%)
• Allow inter-network connectivity due to using public IP: 23 cellular, 10 WiFi
Conclusion & Takeaway
• We proposed the first open-port analysis pipeline.
• We found open ports in many popular and built-in apps, and also in SDKs.
• We performed comprehensive security assessments:
  • Vulnerabilities in popular apps, DoS experiments, real connectivity measurement.

Contact: Daoyuan Wu, dywu.2015@smu.edu.sg