Analysis Techniques for Mobile Operating System Security
Prof. William Enck
Raleigh ISSA
April 5, 2012

NC State - Prof. William Enck                        Page 1
A cautionary tale ...




Traditional computing vs. smartphones
         • Smartphones: logical conclusion of access consolidation,
               service decentralization, and commoditization of computing
         • Usage model is very different
               ‣ Multi-user single machine to single-user multiple
                 machines
               ‣ Always on, always computing social instrument
               ‣ Enterprise: separate action from geography

         • Changing Risk
               ‣ Necessarily contains secrets (often high value)
               ‣ Collects sensitive data as a matter of operation
               ‣ Drifts seamlessly between “unknown” networks
               ‣ Highly malleable development practices, largely
                     unknown developers
Rethinking (host) Security
                                security == permissions
                                security != users
         • Permissions define capabilities.
         • Application markets deliver functionality
               (free or paid) via packaged applications.
         • Users make permission decisions.
         • Applications are run within sandboxes
               provided by the OS.
         • Note: App markets don’t (and can’t)
               provide security for everything.
Research Questions
         • Questions:
               ‣ What permissions do applications ask for?
               ‣ What do applications do with the permissions?
               ‣ What can applications do with the permissions?




Example: Android Security
         • Permissions are granted to applications (at install time) and never changed
               ‣ Permissions are enforced when an application
                     accesses a component, API, etc.
               ‣ Runtime decisions look for assigned permissions
                     (access is granted iff app A was assigned permission X at install)

               [Figure: Application 1 with permission labels l1, ...; Application 2 with
                permission labels ...; components A: ..., B: l1, C: l2; components
                "inherit permissions" from their application, and an access that lacks
                the required label is marked X.]

         • Example permissions: location, phone IDs, microphone,
               camera, address book, SMS, application “interfaces”
Q1: what do applications ask for?

         • Kirin certifies applications by vetting policies at
               install-time (relies on runtime enforcement)
         • Insight: app config and security policy is an upper
               bound on runtime behavior.
         • Kirin is a modified application installer
               ‣ Apps with unsafe policies are rejected

               [Figure: Kirin install flow. (1) A new application attempts installation
                through the Android Application Installer; (2) the installer hands the
                application to the Kirin Security Service, which evaluates it against the
                Kirin Security Rules and (3) returns pass/fail; (4) optional extension:
                display risk ratings to the user and prompt for override.]

Kirin Security Policy
         • Kirin enforces security invariants at install-time
         • Local evaluation of two manifest artifacts
               ‣ The collection of requested permissions (uses-permission)
               ‣ The types of registered Intent message listeners
         • Example:
               ‣ Do not allow an application that has the Location and Internet
                     permissions and also receives the “booted” event

                 restrict permission [ACCESS_FINE_LOCATION, INTERNET]
                          and receive [BOOT_COMPLETE]

Policy Evaluation
         • Policy evaluation is set satisfiability, expressible in KSL
               ‣ Invariant violations are found in O(n) w.r.t. policy size

                 restrict permission [ACCESS_FINE_LOCATION, INTERNET]
                          and receive [BOOT_COMPLETE]

         • Model: let C be the set of all possible application configurations and
               R the set of KSL rules. Define $\mathit{fail} : C \times R \to \{\mathrm{true}, \mathrm{false}\}$
               to test whether an application configuration fails a KSL rule.
               ‣ KSL rules are tuples $r_i = (P_i, A_i)$: $P_i$ is the set of permission
                     labels in the rule's “permission” restriction and $A_i$ the set of
                     action strings in its “receive” restriction
               ‣ The configuration of target application t is $c_t = (P_t, A_t)$: $P_t$
                     is the set of permission labels t requests and $A_t$ the set of action
                     strings its Activities, Services, and Broadcast Receivers register
                     to receive Intents
               ‣ $\mathit{fail}(c_t, r_i) = \mathrm{true}$ iff $P_i \subseteq P_t$ and $A_i \subseteq A_t$
         • Let $F_R : C \to 2^R$ return the set of rules a configuration fails:
               $F_R(c_t) = \{\, r_i \mid r_i \in R,\ \mathit{fail}(c_t, r_i) \,\}$
               ‣ Certified: configuration $c_t$ passes the KSL rule-set R iff $F_R(c_t) = \emptyset$
         • Clearly, $\mathit{fail}(\cdot)$ operates in time linear to the size of the input,
               as a hash table can provide constant time set membership checks.

Studying the (early) Market
         • Evaluate 300+ popular Market apps (Jan 2009)
               ‣ 5 had both dangerous configuration and functionality (1.6%)
               ‣ 5 had dangerous configuration but not functionality (1.6%)




      (1) An application must not have the SET_DEBUG_APP permission
      (2) An application must not have the READ_PHONE_STATE, RECORD_AUDIO, and INTERNET permissions
      (3) An application must not have the PROCESS_OUTGOING_CALL, RECORD_AUDIO, and INTERNET permissions
      (4) An application must not have the ACCESS_FINE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions
      (5) An application must not have the ACCESS_COARSE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions
      (6) An application must not have the RECEIVE_SMS and WRITE_SMS permissions
      (7) An application must not have the SEND_SMS and WRITE_SMS permissions
      (8) An application must not have the INSTALL_SHORTCUT and UNINSTALL_SHORTCUT permissions
      (9) An application must not have the SET_PREFERRED_APPLICATION permission and receive Intents for the CALL action string
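The KSL semantics from the two preceding slides and the nine market rules above, carried out in code. This is an added example in Python, not Kirin's own code (Kirin is a modified Android installer): it parses rules of the form shown on the "Kirin Security Policy" slide, extracts $c_t = (P_t, A_t)$ from a manifest, and computes $F_R(c_t)$. Assumptions: the rule grammar is taken only from the slide's one example; the prose rules (1)-(9) are transcribed into that syntax with the identifiers exactly as the slides spell them; the manifest is a constructed sample; and package prefixes such as android.permission. are stripped so names match the slides' short forms.

```python
"""Kirin-style install-time certification: KSL rules over a manifest configuration.
Added example (not Kirin's own code); rule grammar assumed from the slide's example."""
import re
import xml.etree.ElementTree as ET
from typing import FrozenSet, List, NamedTuple, Set, Tuple


class Rule(NamedTuple):
    """A KSL rule r_i = (P_i, A_i): restricted permission labels and received action strings."""
    perms: FrozenSet[str]
    actions: FrozenSet[str]
    text: str


class Config(NamedTuple):
    """An application configuration c_t = (P_t, A_t) taken from its manifest."""
    perms: FrozenSet[str]
    actions: FrozenSet[str]


# Assumed grammar: 'restrict' followed by 'permission [...]' and/or 'receive [...]' clauses
_CLAUSE = re.compile(r"\b(permission|receive)\s*\[([^\]]*)\]")


def parse_ksl(rule_text: str) -> Rule:
    """Parse 'restrict permission [A, B] and receive [C]' into (P_i, A_i)."""
    body = rule_text.strip()
    if not body.startswith("restrict"):
        raise ValueError(f"KSL rule must start with 'restrict': {rule_text!r}")
    perms: Set[str] = set()
    actions: Set[str] = set()
    for kind, items in _CLAUSE.findall(body):
        names = {n.strip() for n in items.split(",") if n.strip()}
        (perms if kind == "permission" else actions).update(names)
    if not perms and not actions:
        raise ValueError(f"rule has no permission/receive clause: {rule_text!r}")
    return Rule(frozenset(perms), frozenset(actions), body)


ANDROID_NS = "http://schemas.android.com/apk/res/android"


def config_from_manifest(manifest_xml: str) -> Config:
    """Build c_t from the two manifest artifacts Kirin evaluates: every uses-permission
    name and every action string registered by an intent-filter. Package prefixes are
    dropped (assumption, so names match the short forms used on the slides)."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"

    def short(name: str) -> str:
        return name.rsplit(".", 1)[-1]

    perms = {short(e.get(name_attr, "")) for e in root.iter("uses-permission")}
    actions = {short(e.get(name_attr, "")) for e in root.iter("action")}
    return Config(frozenset(perms - {""}), frozenset(actions - {""}))


def fails(cfg: Config, rule: Rule) -> bool:
    """fail(c_t, r_i) = true iff P_i is a subset of P_t and A_i a subset of A_t."""
    return rule.perms <= cfg.perms and rule.actions <= cfg.actions


def failed_rules(cfg: Config, rules: List[Rule]) -> List[Rule]:
    """F_R(c_t) = { r_i | r_i in R, fail(c_t, r_i) }: linear in the size of the rule set."""
    return [r for r in rules if fails(cfg, r)]


def certify(cfg: Config, rules: List[Rule]) -> Tuple[bool, List[str]]:
    """Installer decision: the configuration passes iff F_R(c_t) is empty."""
    violated = failed_rules(cfg, rules)
    return (not violated, [r.text for r in violated])


# The slide's rules (1)-(9) transcribed into KSL syntax, plus the policy slide's example.
# Identifiers are kept exactly as the slides spell them.
MARKET_RULES = [
    "restrict permission [SET_DEBUG_APP]",
    "restrict permission [READ_PHONE_STATE, RECORD_AUDIO, INTERNET]",
    "restrict permission [PROCESS_OUTGOING_CALL, RECORD_AUDIO, INTERNET]",
    "restrict permission [ACCESS_FINE_LOCATION, INTERNET, RECEIVE_BOOT_COMPLETE]",
    "restrict permission [ACCESS_COARSE_LOCATION, INTERNET, RECEIVE_BOOT_COMPLETE]",
    "restrict permission [RECEIVE_SMS, WRITE_SMS]",
    "restrict permission [SEND_SMS, WRITE_SMS]",
    "restrict permission [INSTALL_SHORTCUT, UNINSTALL_SHORTCUT]",
    "restrict permission [SET_PREFERRED_APPLICATION] and receive [CALL]",
    "restrict permission [ACCESS_FINE_LOCATION, INTERNET] and receive [BOOT_COMPLETE]",
]

# Constructed manifest for an app that would trip the location/internet/boot rules.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETE"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETE"/></intent-filter>
    </receiver>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    rules = [parse_ksl(t) for t in MARKET_RULES]
    passed, violated = certify(config_from_manifest(SAMPLE_MANIFEST), rules)
    print("PASS" if passed else "FAIL")
    for text in violated:
        print("  violates:", text)
```

The sample manifest fails rule (4) and the policy slide's example rule; an app requesting only INTERNET with a MAIN activity passes. Because both sides are hashed sets, each rule check costs time proportional to the rule, not the manifest, which is the O(n) claim on the slide.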




Q2: What do the applications do?
    • TaintDroid is a system-wide integration of taint
         tracking into the Android platform
          ‣ VM Layer: variable tracking throughout Dalvik VM
          ‣ Native Layer: patches state after native method invocation
          ‣ Binder IPC Layer: extends tracking between applications
          ‣ Storage Layer: persistent tracking on files

               [Figure: TaintDroid tracking layers. Variable-level tracking inside each
                application's virtual machine; message-level tracking on messages (Msg)
                passed between applications; method-level tracking through the native
                system libraries; file-level tracking on secondary storage; the network
                interface sits alongside secondary storage at the bottom.]

    • TaintDroid is a firmware modification, not an app
Dynamic Taint Analysis
         • Dynamic taint analysis is a technique that tracks
               information dependencies from an origin
         • Conceptual idea:
               ‣ Taint source:          c = taint_source()
                                        ...
               ‣ Taint propagation:     a = b + c
                                        ...
               ‣ Taint sink:            network_send(a)

         • Limitation: performance and granularity are a trade-off
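The source/propagation/sink sketch above as a small explicit-flow taint tracker, added here as an example (not TaintDroid code, which does this inside the Dalvik interpreter). The tag bits, the stand-in source functions and their values are assumptions; `implicit_flow_copy` shows the granularity limit the last bullet refers to: a value rebuilt by branching on tainted data has no data dependency on it, so explicit-flow tracking loses the tag.

```python
"""Toy explicit-flow taint tracking, after the source/propagation/sink sketch above.
Added example, not TaintDroid code; tag bit layout and sample values are assumed."""
from dataclasses import dataclass
from typing import Any, List, Optional

TAINT_NONE = 0
TAINT_LOCATION = 1 << 0   # one bit per source type, so a value can carry several
TAINT_IMEI = 1 << 1
TAINT_MIC = 1 << 2
TAG_NAMES = {TAINT_LOCATION: "Location", TAINT_IMEI: "IMEI", TAINT_MIC: "Microphone"}


@dataclass(frozen=True)
class Tainted:
    """A value together with its taint tag: the union of the tags of everything it was
    computed from. Only data dependencies propagate: a = b + c gets tag(b) | tag(c)."""
    value: Any
    tag: int = TAINT_NONE

    @staticmethod
    def lift(x: Any) -> "Tainted":
        return x if isinstance(x, Tainted) else Tainted(x, TAINT_NONE)

    def __add__(self, other: Any) -> "Tainted":      # propagation rule for '+'
        o = Tainted.lift(other)
        return Tainted(self.value + o.value, self.tag | o.tag)

    def __radd__(self, other: Any) -> "Tainted":     # untainted literal + tainted value
        return Tainted.lift(other) + self


def tag_names(tag: int) -> List[str]:
    return [name for bit, name in TAG_NAMES.items() if tag & bit]


# --- taint sources: stand-ins for TelephonyManager / LocationManager (constructed values)
def get_device_id() -> Tainted:
    return Tainted("123456789012345", TAINT_IMEI)


def get_location() -> Tainted:
    return Tainted("47.6612,-122.3159", TAINT_LOCATION)


# --- taint sink: the last point where the tag can be inspected before data leaves
def network_send(host: str, payload: Any) -> Optional[str]:
    """Return an alert line if tainted data reaches the network, else None.
    (TaintDroid raises a notification here; the toy only reports.)"""
    p = Tainted.lift(payload)
    if p.tag == TAINT_NONE:
        return None
    return f"{host} <- {', '.join(tag_names(p.tag))}: {p.value!r}"


def build_ad_request(app_id: str) -> Tainted:
    """a = b + c: concatenating tainted pieces taints the whole query string."""
    return "s=" + app_id + "&coord=" + get_location() + "&id=" + get_device_id()


def implicit_flow_copy(t: Tainted) -> Tainted:
    """Granularity limit: the value is rebuilt by branching on tainted data and
    assigning untainted literals, so there is no data dependency and the tag is lost."""
    out = ""
    for ch in str(t.value):
        for candidate in "0123456789.,-":
            if ch == candidate:
                out += candidate
    return Tainted(out, TAINT_NONE)


if __name__ == "__main__":
    req = build_ad_request("a14a4a93")
    print(network_send("ads.example.invalid", req))                                 # flagged
    print(network_send("ads.example.invalid", implicit_flow_copy(get_location())))  # None
```

Tracking at the granularity of whole values (one tag per variable, as here) is cheap; tracking finer than that, or following control dependencies, is where the performance cost of the next slide comes from.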
Performance
         • CaffeineMark 3.0 benchmark (higher is better): Android vs. TaintDroid
               scores for sieve, loop, logic, string, float, method, and total
               [Figure: bar chart, y-axis 0 to 2000, one Android and one TaintDroid bar per test]
               ‣ CaffeineMark score roughly corresponds to
                     the number of Java instructions per second.
         • Memory overhead: 4.4%
         • IPC overhead: 27%
         • Macro-benchmark: 14% overhead
               ‣ App load: 3% (2ms)
               ‣ Address book (< 20 ms): 5.5% create, 18% read
               ‣ Phone call: 10% (10ms)
               ‣ Take picture: 29% (0.5s)

Application Study
         • Selected 30 applications with bias on popularity and
               access to Internet, location, microphone, and camera
               applications                                               #   permissions
               The Weather Channel, Cetos, Solitaire, Movies, Babble,
                 Manga Browser                                            6
               Bump, Wertago, Antivirus, ABC --- Animals, Traffic Jam,
                 Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite,
                 Yellow Pages, Datelefonbuch, Astrid, BBC News Live
                 Stream, Ringtones                                       14
               Layer, Knocking, Coupons, Trapster, Spongebot Slide,
                 ProBasketBall                                            6
               MySpace, Barcode Scanner, ixMAT                            3
               Evernote                                                   1
         • Of 105 flagged connections, only 37 were clearly legitimate
Findings
         • 15 of the 30 applications shared physical location
               with an ad server (admob.com, ad.qwapi.com,
               ads.mobclix.com, data.flurry.com)
               ‣ Most traffic was plaintext (e.g., AdMob HTTP GET):

                      ...&s=a14a4a93f1e4c68&..&t=062A1CB1D476DE85
                      B717D9195A6722A9&d%5Bcoord%5D=47.6612278900
                      00006%2C-122.31589477&...

         • 7 applications sent the device ID (IMEI) and 2 apps sent
               phone info (phone number, IMSI*, ICC-ID) to a remote server
               without informing the user.
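A defender-side check for the kind of plaintext traffic shown above: scan captured HTTP request lines for query parameters that carry a coordinate pair or an IMEI, and, when the analyst knows the test device's own identifiers, their common hash digests (a hex parameter like `t=` above cannot be classified without a known preimage). This is an added example, not from the talk: the request lines are constructed (the first is modelled on the AdMob GET above), the sample IMEI is the Luhn-valid placeholder 490154203237518, and the matching heuristics are assumptions.

```python
"""Scan captured plaintext HTTP request lines for location and phone identifiers.
Added example (not from the talk); sample lines are constructed, heuristics assumed."""
import hashlib
import re
from typing import Dict, Iterable, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# "lat,lon" with decimal precision, as in the AdMob d[coord] parameter on the slide
COORD_RE = re.compile(r"^\s*(-?\d{1,3}\.\d{3,})\s*,\s*(-?\d{1,3}\.\d{3,})\s*$")
IMEI_RE = re.compile(r"^\d{15}$")


def luhn_valid(digits: str) -> bool:
    """IMEI check digit (Luhn); filters out most 15-digit counters and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_coordinates(v: str) -> bool:
    m = COORD_RE.match(v)
    if not m:
        return False
    lat, lon = float(m.group(1)), float(m.group(2))
    return -90.0 <= lat <= 90.0 and -180.0 <= lon <= 180.0


def looks_like_imei(v: str) -> bool:
    return bool(IMEI_RE.match(v)) and luhn_valid(v)


def hashed_forms(identifier: str) -> Dict[str, str]:
    """Digests an app might send instead of the raw identifier."""
    data = identifier.encode()
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def scan_request_line(line: str, device_ids: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Map finding kind -> query parameter names for one 'GET /path?q HTTP/1.1' line."""
    parts = line.split()
    target = parts[1] if len(parts) >= 2 and parts[0] in ("GET", "POST") else line
    known = {h.lower(): kind for i in device_ids for kind, h in hashed_forms(i).items()}
    findings: Dict[str, List[str]] = {}
    # parse_qsl percent-decodes keys and values (d%5Bcoord%5D -> d[coord], %2C -> ,)
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if looks_like_coordinates(value):
            findings.setdefault("location", []).append(key)
        elif looks_like_imei(value):
            findings.setdefault("imei", []).append(key)
        elif value.lower() in known:
            findings.setdefault("hashed_id", []).append(key)
    return findings


def scan_log(lines: Iterable[str], device_ids: Iterable[str] = ()) -> List[Tuple[int, Dict[str, List[str]]]]:
    """1-based line numbers of requests that carry sensitive values, with what was seen."""
    ids = list(device_ids)
    out = []
    for no, line in enumerate(lines, start=1):
        found = scan_request_line(line, ids)
        if found:
            out.append((no, found))
    return out


# Constructed request lines; the first is modelled on the AdMob GET on the slide.
SAMPLE_REQUESTS = [
    "GET /ad_source.php?s=a14a4a93f1e4c68&t=062A1CB1D476DE85B717D9195A6722A9"
    "&d%5Bcoord%5D=47.661227890000006%2C-122.31589477 HTTP/1.1",
    "GET /QSearch?vid=60001001&pid=10010&uid=490154203237518&gid=7 HTTP/1.1",
    "GET /weather?zip=27695&units=metric HTTP/1.1",
]

if __name__ == "__main__":
    for no, found in scan_log(SAMPLE_REQUESTS):
        print(no, found)
```

Run against a capture from a test device, pass that device's IMEI (and any other identifiers) in `device_ids` so hashed copies are caught too; the Luhn check keeps ordinary 15-digit numbers from being reported as IMEIs.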
Q3: What can the applications do?

         • Static analysis: look at the possible paths and
               interaction of data
               ‣ Very, very hard (often undecidable), but the community has
                     learned that we can do a lot with small analyses.


         • Step 1: ded decompiler for Android applications
         • Step 2: static source code analysis for both
               dangerous functionality and vulnerabilities
               ‣ What data could be exfiltrated from the application?
               ‣ Are developers safely using interfaces?
ded Decompiler
    • Android applications are written in Java, but compiled for the
          optimized Dalvik VM language
          ‣ Non-trivial to retarget back to Java: register vs. stack architecture,
                constant pools, ambiguous scalar types, null references, etc.

               [Figure: Retargeting Process. (1) DEX Parsing: Missing Type Inference
                (CFG Construction, Type Inference Processing, Constant Identification).
                (2) Java .class Conversion: Constant Pool Conversion (Constant Pool
                Translation) and Method Code Retargeting (Bytecode Reorganization,
                Instruction Set Translation). (3) Java .class Optimization.]

    • ded recovers source code from application package
          ‣ Retargeting: type inference, instruction translation, etc.
          ‣ Optimization: use Soot to re-optimize for Java bytecode
          ‣ Decompilation: standard Java decompilation (Soot)

    • Decompiled top 1,100 free apps from Android market:
         over 21 million lines of source code

Studying Application Security
     • Queried for security properties using program analysis,
           followed by manual inspection to understand purpose
     • Used several types of analysis to design
           security properties specific to Android
           using the Fortify SCA framework

          Analysis for Dangerous Behavior
            Misuse of Phone Identifiers           Data flow analysis
            Exposure of Physical Location         Data flow analysis
            Abuse of Telephony Services           Semantic analysis
            Eavesdropping on Video                Control flow analysis
            Eavesdropping on Audio                Structural analysis (+CG)
            Botnet Characteristics (Sockets)      Structural analysis
            Harvesting Installed Applications     Structural analysis

          Analysis for Vulnerabilities
            Leaking Information to Logs           Data flow analysis
            Leaking Information to IPC            Control flow analysis
            Unprotected Broadcast Receivers       Control flow analysis
            Intent Injection Vulnerabilities      Control flow analysis
            Delegation Vulnerabilities            Control flow analysis
            Null Checks on IPC Input              Control flow analysis
            Password Management*                  Data flow analysis
            Cryptography Misuse*                  Structural analysis
            Injection Vulnerabilities*            Data flow analysis
            * included with analysis framework

      • Also studied inclusion of advertisement and
            analytics libraries and associated properties
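The "Misuse of Phone Identifiers: data flow analysis" row, reduced to a toy intraprocedural source-to-sink check over decompiled Java statements of the kind ded produces. This is an added example, not the Fortify SCA rules used in the study: the sources are TelephonyManager getters, the sink patterns are assumed, the pass is a single forward sweep that ignores loops and branches, and the input snippet is constructed (modelled on the decompiled Qunar NetworkTask code later in the deck).

```python
"""Toy source-to-sink data flow check over decompiled Java statements.
Added example; not the Fortify SCA analysis used in the study. Sinks are assumed."""
import re
from typing import Dict, List, Set, Tuple

# TelephonyManager getters that return phone identifiers (sources) and the label each carries
PHONE_ID_SOURCES = {
    "getDeviceId": "IMEI",
    "getSubscriberId": "IMSI",
    "getLine1Number": "Phone Number",
    "getSimSerialNumber": "ICC-ID",
}
# Assumed network sinks: a tainted value reaching one of these is reported
NETWORK_SINKS = ("new URL(", "openConnection(", "HttpGet(", "HttpPost(", ".execute(")

_STRING_LIT = re.compile(r'"(?:\\.|[^"\\])*"')
_ASSIGN = re.compile(r"^\s*(?:[\w$.<>\[\]]+\s+)?([\w$]+)\s*=(?!=)\s*(.*)$", re.S)
_IDENT = re.compile(r"[A-Za-z_$][\w$]*")


def split_statements(java_src: str) -> List[str]:
    """Good enough for straight-line decompiler output (no ';' inside literals)."""
    return [s.strip() for s in java_src.split(";") if s.strip()]


def source_labels(expr: str) -> Set[str]:
    return {label for meth, label in PHONE_ID_SOURCES.items()
            if re.search(r"\." + re.escape(meth) + r"\s*\(", expr)}


def find_phone_id_flows(java_src: str) -> List[Tuple[int, str, List[str]]]:
    """Forward pass: taint variables assigned from a source or from tainted variables,
    and report (statement number, sink pattern, labels) where tainted data meets a sink."""
    taint: Dict[str, Set[str]] = {}
    findings: List[Tuple[int, str, List[str]]] = []
    for no, stmt in enumerate(split_statements(java_src), start=1):
        code = _STRING_LIT.sub('""', stmt)      # ignore identifiers inside string literals
        m = _ASSIGN.match(code)
        lhs, expr = (m.group(1), m.group(2)) if m else (None, code)
        labels = source_labels(expr)
        for ident in set(_IDENT.findall(expr)):
            labels |= taint.get(ident, set())
        if lhs is not None:                     # strong update of the assigned variable
            if labels:
                taint[lhs] = set(labels)
            else:
                taint.pop(lhs, None)
        for sink in NETWORK_SINKS:
            if labels and sink in expr:
                findings.append((no, sink, sorted(labels)))
    return findings


# Constructed snippet in the style of ded output (modelled on the Qunar NetworkTask code).
SAMPLE_JAVA = """
    r24 = (TelephonyManager) r21.getSystemService("phone");
    url = (new StringBuilder(String.valueOf(url))).append("&vid=60001001&pid=10010&uid=")
          .append(r24.getDeviceId()).append("&gid=").append(QConfiguration.mGid).toString();
    r30 = new URL(url);
    r31 = r30.openConnection();
    name = mContext.getPackageName();
    r40 = new URL("http://example.invalid/version?app=" + name);
"""

if __name__ == "__main__":
    for no, sink, labels in find_phone_id_flows(SAMPLE_JAVA):
        print(f"statement {no}: {', '.join(labels)} reaches {sink}")
```

The program-analysis step only pin-points candidate flows (here the IMEI reaching `new URL(` and `openConnection(`); as the slide says, manual inspection then decides whether the use is legitimate, which is why the package-name request in the last statement is correctly left alone.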
Phone Identifiers
         • We’ve seen phone identifiers (Ph.#, IMEI, IMSI, etc)
               sent to network servers, but how are they used?
               ‣ Program analysis pin-pointed 33 apps leaking Phone IDs


         • Finding 2 - device fingerprints
         • Finding 3 - tracking actions
         • Finding 4 - along with registration and login




Device Fingerprints (1)
             com.eoeandroid.eWallpapers.cartoon - SyncDeviceInfosService.getDevice_info()
         r1.append((new StringBuilder("device_id=")).append(tm.getDeviceId()).toString())
           .append((new StringBuilder("&device_software_version=")).append(tm.getDeviceSoftwareVersion()).toString());
         r1.append((new StringBuilder("&build_board=")).append(Build.BOARD).toString())
           .append((new StringBuilder("&build_brand=")).append(Build.BRAND).toString())
           .append((new StringBuilder("&build_device=")).append(Build.DEVICE).toString())
           .append((new StringBuilder("&build_display=")).append(Build.DISPLAY).toString())
           .append((new StringBuilder("&build_fingerprint=")).append(Build.FINGERPRINT).toString())
           .append((new StringBuilder("&build_model=")).append(Build.MODEL).toString())
           .append((new StringBuilder("&build_product=")).append(Build.PRODUCT).toString())
           .append((new StringBuilder("&build_tags=")).append(Build.TAGS).toString())
           .append((new StringBuilder("&build_time=")).append(Build.TIME).toString())
           .append((new StringBuilder("&build_user=")).append(Build.USER).toString())
           .append((new StringBuilder("&build_type=")).append(Build.TYPE).toString())
           .append((new StringBuilder("&build_id=")).append(Build.ID).toString())
           .append((new StringBuilder("&build_host=")).append(Build.HOST).toString())
           .append((new StringBuilder("&build_version_release=")).append(Build$VERSION.RELEASE).toString())
           .append((new StringBuilder("&build_version_sdk_int=")).append(Build$VERSION.SDK).toString())
           .append((new StringBuilder("&build_version_incremental=")).append(Build$VERSION.INCREMENTAL).toString());
         r5 = mContext.getApplicationContext().getResources().getDisplayMetrics();
         r1.append((new StringBuilder("&density=")).append(r5.density).toString())
           .append((new StringBuilder("&height_pixels=")).append(r5.heightPixels).toString())
           .append((new StringBuilder("&scaled_density=")).append(r5.scaledDensity).toString())
           .append((new StringBuilder("&width_pixels=")).append(r5.widthPixels).toString())
           .append((new StringBuilder("&xdpi=")).append(r5.xdpi).toString())
           .append((new StringBuilder("&ydpi=")).append(r5.ydpi).toString());
         r1.append((new StringBuilder("&line1_number=")).append(tm.getLine1Number()).toString())
           .append((new StringBuilder("&network_country_iso=")).append(tm.getNetworkCountryIso()).toString())
           .append((new StringBuilder("&network_operator=")).append(tm.getNetworkOperator()).toString())
           .append((new StringBuilder("&network_operator_name=")).append(tm.getNetworkOperatorName()).toString())
           .append((new StringBuilder("&network_type=")).append(tm.getNetworkType()).toString())
           .append((new StringBuilder("&phone_type=")).append(tm.getPhoneType()).toString())
           .append((new StringBuilder("&sim_country_iso=")).append(tm.getSimCountryIso()).toString())
           .append((new StringBuilder("&sim_operator=")).append(tm.getSimOperator()).toString())
           .append((new StringBuilder("&sim_operator_name=")).append(tm.getSimOperatorName()).toString())
           .append((new StringBuilder("&sim_serial_number=")).append(tm.getSimSerialNumber()).toString())
           .append((new StringBuilder("&sim_state=")).append(tm.getSimState()).toString())
           .append((new StringBuilder("&subscriber_id=")).append(tm.getSubscriberId()).toString())
           .append((new StringBuilder("&voice_mail_number=")).append(tm.getVoiceMailNumber()).toString());
         i0 = mContext.getResources().getConfiguration().mcc;
         i1 = mContext.getResources().getConfiguration().mnc;
         r1.append((new StringBuilder("&imsi_mcc=")).append(i0).toString())
           .append((new StringBuilder("&imsi_mnc=")).append(i1).toString());
         r254 = (ActivityManager) mContext.getSystemService("activity");
         $r255 = new ActivityManager$MemoryInfo();
         r254.getMemoryInfo($r255);
         r1.append((new StringBuilder("&total_mem=")).append($r255.availMem).toString());

Device Fingerprints (2)

                         com.avantar.wny - com/avantar/wny/PhoneStats.java
     public String toUrlFormatedString()
     {
           StringBuilder $r4;
           if (mURLFormatedParameters == null)
           {
               $r4 = new StringBuilder();
               $r4.append((new StringBuilder("&uuid=")).append(URLEncoder.encode(mUuid)).toString());   // slide callout: IMEI
               $r4.append((new StringBuilder("&device=")).append(URLEncoder.encode(mModel)).toString());
               $r4.append((new StringBuilder("&platform=")).append(URLEncoder.encode(mOSVersion)).toString());
               $r4.append((new StringBuilder("&ver=")).append(mAppVersion).toString());
               $r4.append((new StringBuilder("&app=")).append(this.getAppName()).toString());
               $r4.append("&returnfmt=json");
               mURLFormatedParameters = $r4.toString();
           }
           return mURLFormatedParameters;
     }

Tracking
  com.froogloid.kring.google.zxing.client.android - Activity_Router.java (Main Activity)
   public void onCreate(Bundle r1)
   {   // slide callout: http://kror.keyringapp.com/service.php
       ...
       IMEI = ((TelephonyManager) this.getSystemService("phone")).getDeviceId();
       retailerLookupCmd = (new StringBuilder(String.valueOf(constants.server)))
           .append("identifier=").append(EncodeURL.KREncodeURL(IMEI))
           .append("&command=retailerlookup&retailername=").toString();
       ...
   }

                                com.Qunar - net/NetworkTask.java
   public void run()
   {   // slide callout: http://client.qunar.com:80/QSearch
       ...
       r24 = (TelephonyManager) r21.getSystemService("phone");
       url = (new StringBuilder(String.valueOf(url)))
           .append("&vid=60001001&pid=10010&cid=C1000&uid=").append(r24.getDeviceId())
           .append("&gid=").append(QConfiguration.mGid)
           .append("&msg=").append(QConfiguration.getInstance().mPCStat.toMsgString()).toString();
       ...
   }

Registration and Login
      com.statefarm.pocketagent - activity/LogInActivity$1.java (Button callback)
             public void onClick(View r1)
             {
                 ...
                 r7 = Host.getDeviceId(this$0.getApplicationContext());      // slide callout: IMEI
                 LogInActivity.access$1(this$0).setUniqueDeviceID(r7);
                 this$0.loginTask = new LogInActivity$LoginTask(this$0, null);
                 this$0.showProgressDialog(r2, 2131361798, this$0.loginTask);
                 r57 = this$0.loginTask;
                 r58 = new LoginTO[1];
                 r58[0] = LogInActivity.access$1(this$0);
                 r57.execute(r58);
                 ...
             }

                                Is this necessarily bad?

Location
    • Found 13 apps with geographic location data flows to the network
          ‣ Many were legitimate: weather, classifieds, points of interest, and social networking services
    • Several instances sent to advertisers (same as TaintDroid). More on this shortly.
    • Code recovery error in AdMob library.


NC State - Prof. William Enck                                      Page 24
Phone Misuse
         • No evidence of abuse in our sample set
               ‣ Hard-coded numbers for SMS/voice (premium-rate)
               ‣ Background audio/video recording
               ‣ Socket API use (not HTTP wrappers)
               ‣ Harvesting list of installed applications




NC State - Prof. William Enck                                      Page 25
Ad/Analytics Libraries
    • 51% of the apps included an ad or analytics library (many also included custom functionality)
    • A few libraries were used most frequently
    • Use of phone identifiers and location sometimes configurable by developer

    Library Path                         # Apps   Obtains
    com/admob/android/ads                   320   L
    com/google/ads                          206   -
    com/flurry/android                       98   -
    com/qwapi/adclient/android               74   L, P, E
    com/google/android/apps/analytics        67   -
    com/adwhirl                              60   L
    com/mobclix/android/sdk                  58   L, E
    com/mellennialmedia/android              52   -
    com/zestadz/android                      10   -
    com/admarvel/android/ads                  8   -
    com/estsoft/adlocal                       8   L
    com/adfonic/android                       5   -
    com/vdroid/ads                            5   L, E
    com/greystripe/android/sdk                4   E
    com/medialets                             4   L
    com/wooboo/adlib_android                  4   L, P, I
    com/adserver/adview                       3   L
    com/tapjoy                                3   -
    com/inmobi/androidsdk                     2   E
    com/apegroup/ad                           1   -
    com/casee/adsdk                           1   S
    com/webtrents/mobile                      1   L, E, S, I
    Total Unique Apps                       561
    L = Location; P = Ph#; E = IMEI; S = IMSI; I = ICC-ID

    [Bar chart, log-scale y axis (1 to 1000); axis labels as extracted: "Number of libraries" and "Number of apps".
     Bar heights for 1 through 8 libraries per app: 367, 91, 32, 37, 15, 8, 10, 1. Callout: "1 app has 8 libraries!"]

NC State - Prof. William Enck                                                                                                                   Page 26
Probing for Permissions (1)
com/webtrends/mobile/analytics/android/WebtrendsAndroidValueFetcher.java
public static String getDeviceId(Object r0)
{
    Context r4;
    String r7;
    r4 = (Context) r0;

    try
    {
        r7 = ((TelephonyManager) r4.getSystemService("phone")).getDeviceId();

        if (r7 == null)
        {
            r7 = "";
        }
    }
    catch (Exception $r8)   // slide callout: catches SecurityException
    {
        WebtrendsDataCollector.getInstance().getLog().d("Exception fetching TelephonyManager.getDeviceId value. ", $r8);
        r7 = null;
    }

    return r7;
}




NC State - Prof. William Enck                                                                             Page 27
Probing for Permissions (2)
com/casee/adsdk/AdFetcher.java
public static String getDeviceId(Context r0)
{
    String r1;
    r1 = "";

    label_19:
    {
        if (deviceId != null)
        {
            if (r1.equals(deviceId) == false)
            {
                break label_19;
            }
        }

        // slide callout: checks before accessing
        if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0)
        {
            deviceId = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId();
        }
    } // end label_19:

    ...
}




NC State - Prof. William Enck                                                                          Page 28
Developer Toolkits
         • We found identically implemented dangerous functionality in the form of developer toolkits.
               ‣ Probing for permissions (e.g., Android API, catch SecurityException)
               ‣ Well-known brands sometimes commission developers that include dangerous functionality.
                     • “USA Today” and “FOX News” both developed by Mercury Intermedia
                       (com/mercuryintermedia), which grabs IMEI on startup

NC State - Prof. William Enck                                     Page 29
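The two probes on the "Probing for Permissions" slides differ only in mechanism (swallowing the SecurityException versus asking checkCallingOrSelfPermission first), and the toolkit finding above is that the same code recurs across unrelated apps. As an added example (my own code, not the study's Fortify SCA rules), here is a line-oriented Python scanner that flags both forms in decompiled Java. The sample source is constructed after the three snippets on the preceding slides, with an IOException-only catch as a control that should not fire because a SecurityException would still propagate.

```python
import re

# Telephony getters protected by READ_PHONE_STATE in the Android releases the study covered.
PROTECTED_APIS = ("getDeviceId", "getSubscriberId", "getLine1Number", "getSimSerialNumber")
# A catch clause for any of these types absorbs the SecurityException thrown when the
# caller lacks the permission, which is what turns the call into a probe.
SWALLOWS = {"SecurityException", "RuntimeException", "Exception", "Throwable"}

TRY_RE = re.compile(r"\btry\b")
CATCH_RE = re.compile(r"\bcatch\s*\(\s*([\w.]+)")
CHECK_RE = re.compile(
    r"\bcheck(?:CallingOrSelf|Calling|Self)?Permission\s*\(\s*\"android\.permission\.(\w+)\"")
CALL_RE = re.compile(r"\.(" + "|".join(PROTECTED_APIS) + r")\s*\(")


def find_probes(source):
    """Scan decompiled Java for permission probing.

    Returns sorted (line, api, reason) tuples for each protected call that is either
    inside a try whose catch swallows SecurityException, or inside a block guarded by
    an explicit Context.check*Permission() test. Braces in string literals are ignored.
    """
    stack, try_blocks, findings = [], [], []
    pending = None      # descriptor for a block whose '{' is still to come
    last_try = None     # most recently closed try; its catch clauses come next
    for lineno, line in enumerate(source.splitlines(), 1):
        if TRY_RE.search(line):
            pending = {"kind": "try", "apis": [], "caught": []}
        m = CHECK_RE.search(line)
        if m:
            pending = {"kind": "check", "perm": m.group(1), "apis": []}
        m = CATCH_RE.search(line)
        if m and last_try is not None:
            last_try["caught"].append(m.group(1).rsplit(".", 1)[-1])
        for m in CALL_RE.finditer(line):
            for block in stack:              # the call belongs to every enclosing block
                block["apis"].append((m.group(1), lineno))
        for ch in line:
            if ch == "{":
                stack.append(pending or {"kind": "block", "apis": []})
                pending = None
            elif ch == "}" and stack:
                block = stack.pop()
                if block["kind"] == "try":
                    last_try = block
                    try_blocks.append(block)
                elif block["kind"] == "check":
                    for api, ln in block["apis"]:
                        findings.append((ln, api, "guarded by check for " + block["perm"]))
    for block in try_blocks:
        swallowed = [c for c in block["caught"] if c in SWALLOWS]
        if swallowed:
            for api, ln in block["apis"]:
                findings.append((ln, api, "SecurityException swallowed by catch " + swallowed[0]))
    return sorted(findings)


# Constructed sample, modeled on the Webtrends, Casee and wordplayer snippets.
SAMPLE = """\
public static String getDeviceId(Object r0)
{
    r4 = (Context) r0;
    try
    {
        r7 = ((TelephonyManager) r4.getSystemService("phone")).getDeviceId();
    }
    catch (Exception $r8)
    {
        r7 = null;
    }
    return r7;
}
public static String getSubscriberId(Context r0)
{
    if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0)
    {
        deviceId = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId();
    }
    return deviceId;
}
void init()
{
    try
    {
        number = ((TelephonyManager) _context.getSystemService("phone")).getLine1Number();
        r3 = (new URL(server)).openConnection();
    }
    catch (IOException $r81)
    {
        number = null;
    }
}
"""

if __name__ == "__main__":
    for line, api, reason in find_probes(SAMPLE):
        print(f"line {line}: {api}() {reason}")
```

A hit from either rule is not proof of bad intent: a library that probes is written to degrade gracefully in apps that did not request READ_PHONE_STATE, which is exactly why the identifier ends up harvested wherever the permission happens to be present.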
Custom Exceptions

v00032.com.wordplayer - CustomExceptionHandler.java
void init()
{
    URLConnection r3;
    ...
    r3 = (new URL("http://www.word-player.com/HttpHandler/init.sample")).openConnection();
    ...
    try
    {
        $r27 = this.mkStr(((TelephonyManager) _context.getSystemService("phone")).getLine1Number());   // slide callout: Phone Number!?
    }
    catch (Exception $r81)
    {
        break label_5;
    }
    ...
}




NC State - Prof. William Enck                                                                               Page 30
Intent Vulnerabilities
         • Similar analysis rules as independently identified
               by Chin et al. [Mobisys 2011]
         • Leaking information to IPC - unprotected intent broadcasts
               are common, occasionally contain info
         • Unprotected broadcast receivers - a few apps receive custom
               action strings w/out protection (lots of “protected bcasts”)
         • Intent injection attacks - 16 apps had potential vulnerabilities
         • Delegating control - pending intents are tricky to analyze
               (notification, alarm, and widget APIs) --- no vulns found
         • Null checks on IPC input - 3925 potential null dereferences in
               591 apps (53%) --- most were in activity components
NC State - Prof. William Enck                                             Page 31
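For the "unprotected broadcast receivers" bullet, here is an added example (my own code, not the study's tooling, which worked on decompiled code) of the manifest-level check an app's own reviewers can run: list every receiver that any other app on the device can trigger, that is, one that is exported (explicitly, or implicitly by declaring an intent-filter), requires no android:permission, and listens for a custom action string. Actions in the android.* namespace are skipped as a stand-in for the platform's protected broadcasts, a simplification. The manifest is constructed and com.example.app is a placeholder package name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(element, name):
    """Read an android:* attribute by its namespaced key."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def unprotected_receivers(manifest_xml):
    """Return (receiver name, [custom actions]) for each receiver reachable by any app.

    A receiver is exported when android:exported="true", or when it declares an
    intent-filter and android:exported is absent. It is reported when it is exported,
    declares no android:permission, and accepts an action outside the android.* namespace.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for receiver in root.iter("receiver"):
        filters = receiver.findall("intent-filter")
        exported = android_attr(receiver, "exported")
        if exported is None:
            exported = "true" if filters else "false"   # implicit export rule
        if exported != "true" or android_attr(receiver, "permission"):
            continue
        actions = [android_attr(a, "name") for f in filters for a in f.findall("action")]
        custom = [a for a in actions if a and not a.startswith("android.")]
        if custom:
            findings.append((android_attr(receiver, "name"), custom))
    return findings


# Constructed sample manifest: one receiver of each kind the check distinguishes.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <application>
    <receiver android:name=".SyncReceiver">
      <intent-filter><action android:name="com.example.app.SYNC_NOW"/></intent-filter>
    </receiver>
    <receiver android:name=".AdminReceiver" android:permission="com.example.app.ADMIN">
      <intent-filter><action android:name="com.example.app.RESET"/></intent-filter>
    </receiver>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.app.INTERNAL"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for name, actions in unprotected_receivers(SAMPLE_MANIFEST):
        print(f"{name} accepts {', '.join(actions)} from any app")
```

The fix for a flagged receiver is one of the other three shapes in the sample: set android:exported="false" if only the app itself sends the action, or declare an android:permission (and have the legitimate sender hold it) if another component must reach it.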
Study Limitations
         • The sample set
         • Code recovery failures
         • Android IPC data flows
         • Fortify SCA language
         • Obfuscation




NC State - Prof. William Enck       Page 32
Summary
         • What permissions do applications ask for?
               ‣ Kirin demonstrated how permission combinations can be
                     effectively used to certify applications at install-time.
         • What do applications do with the permissions?
               ‣ TaintDroid “looks inside” of applications to understand how
                     privacy sensitive information is being used.
         • What can applications do with the permissions?
               ‣ We used program analysis and manual inspection to
                     characterize implemented application behavior


NC State - Prof. William Enck                                                    Page 33
Thank you!


                                      William Enck
                                      Assistant Professor
                                Department of Computer Science
                                      NC State University
                                       enck@cs.ncsu.edu
                                      http://www.enck.org




NC State - Prof. William Enck                                    Page 34

More Related Content

Viewers also liked (10)

PDF
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Andrew Petukhov
 
PPTX
Analysis of Field Data on Web Security Vulnerabilities
KaashivInfoTech Company
 
PPTX
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
Nurul Haszeli Ahmad
 
PDF
A Study on Dynamic Detection of Web Application Vulnerabilities
Yuji Kosuga
 
PPT
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Andrew Petukhov
 
KEY
No locked doors, no windows barred: hacking OpenAM infrastructure
Andrew Petukhov
 
PDF
CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps
Isao Takaesu
 
PPTX
Attributes based encryption with verifiable outsourced decryption
KaashivInfoTech Company
 
PPT
data mining for security application
bharatsvnit
 
PPT
Technology buffet for new teachers march 2012
Karen Brooks
 
Армия освобождения домохозяек: структура, состав вооружений, методы коммуникации
Andrew Petukhov
 
Analysis of Field Data on Web Security Vulnerabilities
KaashivInfoTech Company
 
C Overflows Vulnerabilities Exploit Taxonomy And Evaluation on Static Analysi...
Nurul Haszeli Ahmad
 
A Study on Dynamic Detection of Web Application Vulnerabilities
Yuji Kosuga
 
Detecting Security Vulnerabilities in Web Applications Using Dynamic Analysis...
Andrew Petukhov
 
No locked doors, no windows barred: hacking OpenAM infrastructure
Andrew Petukhov
 
CODE BLUE 2016 - Method of Detecting Vulnerability in Web Apps
Isao Takaesu
 
Attributes based encryption with verifiable outsourced decryption
KaashivInfoTech Company
 
data mining for security application
bharatsvnit
 
Technology buffet for new teachers march 2012
Karen Brooks
 

Similar to 2012 04 Analysis Techniques for Mobile OS Security (20)

PDF
Delta ZTNA solution, homegrown ZTNA Solution Overview
James Yeh
 
PDF
Transforming security part 1 - Cloud and virtualization
Priyanka Aash
 
PDF
Shift Left Security
BATbern
 
PDF
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Novell
 
PPTX
Security best practices
AVEVA
 
PDF
Cloud-Native Security
VMware Tanzu
 
PDF
Cloud Native Security: New Approach for a New Reality
Carlos Andrés García
 
PDF
IEEE PES GM 2017 Cybersecurity Panel Talk
Nathan Wallace, PhD, PE
 
PDF
Unit 08: Security for Web Applications
DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
PPTX
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
PLUMgrid
 
PDF
Dayal rtp q2_07
Obsidian Software
 
PDF
Managing Deployment of SVA in Your Project
DVClub
 
PDF
Best Practices To Secure Kubernetes Cluster
Urolime Technologies
 
PPTX
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Ryan Hodgin
 
PPTX
[DSBW Spring 2009] Unit 08: WebApp Security
Carles Farré
 
PDF
2018 Genivi Xen Overview Nov Update
The Linux Foundation
 
PDF
Streamlining AppSec Policy Definition.pptx
tmbainjr131
 
PDF
Proving the Security of Low-Level Software Components & TEEs
Ashley Zupkus
 
PPTX
Scs.pptx repaired
Saransh Garg
 
PDF
Cisco open network environment
deepers
 
Delta ZTNA solution, homegrown ZTNA Solution Overview
James Yeh
 
Transforming security part 1 - Cloud and virtualization
Priyanka Aash
 
Shift Left Security
BATbern
 
Mitigating Risk for the Mobile Worker: Novell ZENworks Endpoint Security Mana...
Novell
 
Security best practices
AVEVA
 
Cloud-Native Security
VMware Tanzu
 
Cloud Native Security: New Approach for a New Reality
Carlos Andrés García
 
IEEE PES GM 2017 Cybersecurity Panel Talk
Nathan Wallace, PhD, PE
 
Unit 08: Security for Web Applications
DSBW 2011/2002 - Carles Farré - Barcelona Tech
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
PLUMgrid
 
Dayal rtp q2_07
Obsidian Software
 
Managing Deployment of SVA in Your Project
DVClub
 
Best Practices To Secure Kubernetes Cluster
Urolime Technologies
 
Regulated Reactive - Security Considerations for Building Reactive Systems in...
Ryan Hodgin
 
[DSBW Spring 2009] Unit 08: WebApp Security
Carles Farré
 
2018 Genivi Xen Overview Nov Update
The Linux Foundation
 
Streamlining AppSec Policy Definition.pptx
tmbainjr131
 
Proving the Security of Low-Level Software Components & TEEs
Ashley Zupkus
 
Scs.pptx repaired
Saransh Garg
 
Cisco open network environment
deepers
 
Ad

More from Raleigh ISSA (20)

PDF
Raleigh issa chapter updates-slides-2014-9
Raleigh ISSA
 
PDF
Raleigh issa chapter updates-slides-2014-8
Raleigh ISSA
 
PDF
Raleigh issa chapter updates-slides-2014-7
Raleigh ISSA
 
PDF
Raleigh issa chapter updates-slides-2014-6
Raleigh ISSA
 
PDF
Managing privileged account security
Raleigh ISSA
 
PDF
A10 issa d do s 5-2014
Raleigh ISSA
 
PDF
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh ISSA
 
PDF
April 2014 Raleigh ISSA chapter update slides
Raleigh ISSA
 
PDF
March 2014 B2B - Breaking into info sec
Raleigh ISSA
 
PDF
March 2014 Raleigh ISSA chapter update slides
Raleigh ISSA
 
PDF
February 2014 Raleigh Chapter ISSA Board update slides
Raleigh ISSA
 
PDF
2014-01 Raleigh ISSA Chapter Updates January 2014
Raleigh ISSA
 
PPTX
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Raleigh ISSA
 
PPTX
2013-11 Raleigh ISSA Chapter Updates November 2013
Raleigh ISSA
 
PPTX
2013-10 Raleigh ISSA Chapter Updates October 2013
Raleigh ISSA
 
PDF
2013-09 Raleigh ISSA Chapter Updates September 2013
Raleigh ISSA
 
PPTX
2013-08 Raleigh ISSA Chapter Updates August 2013
Raleigh ISSA
 
PDF
2013-07 How to Win with Customers - Keith Pigues
Raleigh ISSA
 
PDF
2013-07 Raleigh ISSA Chapter Updates July 2013
Raleigh ISSA
 
PDF
2013-06 Raleigh ISSA Chapter Updates June 2013
Raleigh ISSA
 
Raleigh issa chapter updates-slides-2014-9
Raleigh ISSA
 
Raleigh issa chapter updates-slides-2014-8
Raleigh ISSA
 
Raleigh issa chapter updates-slides-2014-7
Raleigh ISSA
 
Raleigh issa chapter updates-slides-2014-6
Raleigh ISSA
 
Managing privileged account security
Raleigh ISSA
 
A10 issa d do s 5-2014
Raleigh ISSA
 
Raleigh issa chapter april meeting - managing a security & privacy governan...
Raleigh ISSA
 
April 2014 Raleigh ISSA chapter update slides
Raleigh ISSA
 
March 2014 B2B - Breaking into info sec
Raleigh ISSA
 
March 2014 Raleigh ISSA chapter update slides
Raleigh ISSA
 
February 2014 Raleigh Chapter ISSA Board update slides
Raleigh ISSA
 
2014-01 Raleigh ISSA Chapter Updates January 2014
Raleigh ISSA
 
Growing trend of finding2013-11 Growing Trend of Finding Regulatory and Tort ...
Raleigh ISSA
 
2013-11 Raleigh ISSA Chapter Updates November 2013
Raleigh ISSA
 
2013-10 Raleigh ISSA Chapter Updates October 2013
Raleigh ISSA
 
2013-09 Raleigh ISSA Chapter Updates September 2013
Raleigh ISSA
 
2013-08 Raleigh ISSA Chapter Updates August 2013
Raleigh ISSA
 
2013-07 How to Win with Customers - Keith Pigues
Raleigh ISSA
 
2013-07 Raleigh ISSA Chapter Updates July 2013
Raleigh ISSA
 
2013-06 Raleigh ISSA Chapter Updates June 2013
Raleigh ISSA
 
Ad

Recently uploaded (20)

PPTX
Mastering Authorization: Integrating Authentication and Authorization Data in...
Hitachi, Ltd. OSS Solution Center.
 
PDF
TrustArc Webinar - Navigating APAC Data Privacy Laws: Compliance & Challenges
TrustArc
 
PDF
Redefining Work in the Age of AI - What to expect? How to prepare? Why it mat...
Malinda Kapuruge
 
PDF
Enhancing Environmental Monitoring with Real-Time Data Integration: Leveragin...
Safe Software
 
PDF
How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdf
Bluechip Advanced Technologies
 
PDF
Plugging AI into everything: Model Context Protocol Simplified.pdf
Abati Adewale
 
PPTX
Smart Factory Monitoring IIoT in Machine and Production Operations.pptx
Rejig Digital
 
PDF
Simplify Your FME Flow Setup: Fault-Tolerant Deployment Made Easy with Packer...
Safe Software
 
PDF
''Taming Explosive Growth: Building Resilience in a Hyper-Scaled Financial Pl...
Fwdays
 
PPTX
Reimaginando la Ciberdefensa: De Copilots a Redes de Agentes
Cristian Garcia G.
 
PDF
99 Bottles of Trust on the Wall — Operational Principles for Trust in Cyber C...
treyka
 
PDF
LLM Search Readiness Audit - Dentsu x SEO Square - June 2025.pdf
Nick Samuel
 
PDF
Kubernetes - Architecture & Components.pdf
geethak285
 
PDF
GDG Cloud Southlake #44: Eyal Bukchin: Tightening the Kubernetes Feedback Loo...
James Anderson
 
PDF
FME as an Orchestration Tool with Principles From Data Gravity
Safe Software
 
PDF
Automating the Geo-Referencing of Historic Aerial Photography in Flanders
Safe Software
 
PDF
Hello I'm "AI" Your New _________________
Dr. Tathagat Varma
 
PDF
5 Things to Consider When Deploying AI in Your Enterprise
Safe Software
 
PDF
Why aren't you using FME Flow's CPU Time?
Safe Software
 
PPTX
The birth and death of Stars - earth and life science
rizellemarieastrolo
 
Mastering Authorization: Integrating Authentication and Authorization Data in...
Hitachi, Ltd. OSS Solution Center.
 
TrustArc Webinar - Navigating APAC Data Privacy Laws: Compliance & Challenges
TrustArc
 
Redefining Work in the Age of AI - What to expect? How to prepare? Why it mat...
Malinda Kapuruge
 
Enhancing Environmental Monitoring with Real-Time Data Integration: Leveragin...
Safe Software
 
How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdf
Bluechip Advanced Technologies
 
Plugging AI into everything: Model Context Protocol Simplified.pdf
Abati Adewale
 
Smart Factory Monitoring IIoT in Machine and Production Operations.pptx
Rejig Digital
 
Simplify Your FME Flow Setup: Fault-Tolerant Deployment Made Easy with Packer...
Safe Software
 
''Taming Explosive Growth: Building Resilience in a Hyper-Scaled Financial Pl...
Fwdays
 
Reimaginando la Ciberdefensa: De Copilots a Redes de Agentes
Cristian Garcia G.
 
99 Bottles of Trust on the Wall — Operational Principles for Trust in Cyber C...
treyka
 
LLM Search Readiness Audit - Dentsu x SEO Square - June 2025.pdf
Nick Samuel
 
Kubernetes - Architecture & Components.pdf
geethak285
 
GDG Cloud Southlake #44: Eyal Bukchin: Tightening the Kubernetes Feedback Loo...
James Anderson
 
FME as an Orchestration Tool with Principles From Data Gravity
Safe Software
 
Automating the Geo-Referencing of Historic Aerial Photography in Flanders
Safe Software
 
Hello I'm "AI" Your New _________________
Dr. Tathagat Varma
 
5 Things to Consider When Deploying AI in Your Enterprise
Safe Software
 
Why aren't you using FME Flow's CPU Time?
Safe Software
 
The birth and death of Stars - earth and life science
rizellemarieastrolo
 

2012 04 Analysis Techniques for Mobile OS Security

  • 1. Analysis Techniques for Mobile Operating System Security Prof. William Enck Raleigh ISSA April 5, 2012 NC State - Prof. William Enck Page 1
  • 2. A cautionary tale ... NC State - Prof. William Enck Page 2
  • 3. Traditional computing vs. smartphones • Smartphones: logical conclusion of access consolidation, service decentralization, and commoditization of computing • Usage model is very different ‣ Multi-user single machine to single-user multiple machines ‣ Always on, always computing social instrument ‣ Enterprise: separate action from geography • Changing Risk ‣ Necessarily contains secrets (often high value) ‣ Collects sensitive data as a matter of operation ‣ Drifts seamlessly between “unknown” networks ‣ Highly malleable development practices, largely unknown developers NC State - Prof. William Enck Page 3
  • 4. Rethinking (host) Security security == permissions security 6= users • Permissions define capabilities. • Application markets deliver functionality (free or paid) via packaged applications. • Users make permission decisions. • Applications are run within sandboxes provided by the OS. • Note: App markets don’t (and can’t) provide security for everything. NC State - Prof. William Enck Page 4
  • 5. Research Questions • Questions: ‣ What permissions do applications ask for? ‣ What do applications do with the permissions? ‣ What can applications do with the permissions? NC State - Prof. William Enck Page 5
  • 6. Example: Android Security • Permissions granted to applications and never changed ‣ Permissions are enforced when an application accesses a component, API, etc ‣ Runtime decisions look for assigned permissions (access is granted IFF app A assigned perm X at install) Application 1 Application 2 Permission A: ... B: l1 Permission Labels X Labels Inherit l1,... C: l2 ... Permissions • Example permissions: location, phone IDs, microphone, camera, address book, SMS, application “interfaces” NC State - Prof. William Enck Page 6
  • 7. Q1: what do applications ask for? • Kirin certifies applications by vetting policies at install-time (relies on runtime enforcement) • Insight: app config and security policy is an upper bound on runtime behavior. • Kirin is a modified application installer ‣ Apps with unsafe policies are rejected New Kirin Optional Extension Kirin Application Security Security Service Rules (1) Attempt Display risk ratings Installation Pass/ to the user and (2) (3) Fail prompt for override. (4) Android Application Installer NC State - Prof. William Enck Page 7
  • 8. Kirin Security Policy • Kirin enforces security invariants at install-time • Local evaluation of two manifest artifacts ‣ The collection of requested permissions (uses-permission) ‣ The types of registered Intent message listeners • Example: ‣ Do not allow an application with Location and Internet permissions and receives the “booted” event restrict  permission  [ACCESS_FINE_LOCATION,  INTERNET]            and  receive        [BOOT_COMPLETE] NC State - Prof. William Enck Page 8
  • 9. hird-party “restrict”. sets of “receive” restrictions. Then, create of all The remainder of the rule is the conjunction Policy Evaluation also han- of permissions andit in R. strings received. Each set is den and place action The set R directly corresponds to her action either “permission”be formed in time respectively. size rules and can or “receive”, linear to the sem We now define the set (proof by inspection). C ⇥ R ⌅ {true, false 5.2nowKSL thewe define of configurationrules. Let fpackag Semanticsa set of configuration failsailKSL restrict  permission  [ACCESS_FINE_LOCATION,  INTERNET]   Next a          and  receive        [BOOT_COMPLETE] based on a We define Let C be the set of all application t and r be: a r tents. semantics KSL possible configurations C⇥R We⌅ {true, false} be a logic to to test if anaapplication now define a simple function represent set of rules i a package manifest. We need only capture the se to • Policy evaluationusedset satisfiability expressible At )KSL. (P encodeKSL. Let R KSL by ofLet ctrules of and the taction strings configuration fails a bethe in labels is rule. all be the configurationin target L the application (P , for invariants = ct , n applica- set oftivities, Services, O(n) Broadcastail(ctail(·)as:set of tp application t and ri be apermissionwe define f A be ithe the possible rule. Then, labelsClearly, f , r ) operates ‣ Invariant violations found in and w.r.t. policy size and Receivers. Note Section 4 (PtWet ) = cdefine,Activities, Services,Ai ⇤ Broadcast R action strings useddoesthe)semanticsactionprovide At rules. time , manifest, (Pi Ai = ri , Pi ⇤ canset and constant dyn A now t by not specify ofPt strings used by Let a of KSL ted Model: C ⇥ R ⌅ {true, false} be a function R :test tuple appl • by to receive Intents. 
Then, each rule ri Let F is C ⌅ R be a an to a advantag ⇥ R to ourif an (2 P Receivers; however, we to the input, as a hash table t of KSL rules.ail(·)notation in time (P , A ) to ⇧ 2R for a specific s Let operates Clearly, f the f ail : r = linear use this fact his section use in Section 7).iaWe defineLet RtTable 1: Applications ‣ We rules are tuples: KSL configuration fails KSL rule. iconfiguration whichCan appi c refer to c ⇥ as fo be the configuration a on to can provide constant time set membership checks. test if an application s. ‣ permission labelsbe isnotationstrings (Pthe set rto allail(ctPai=a application tthe ri tuple:rule. = forwe define where , r sp Configuration policy a Let FR A for We targetandfunction returning t ,rule) of, refer tot ) ) action ct Then, use and a beApplication ADescription in ⇥ a i f rules i the configurationC ⌅ R : t FR (c Ai 2R 2 .which an A )labels (P , A ) = rstrings used A ⇤ targ Rf⇧ ⇥ t , ri ) as: t , applicationand action i , PiWalkie-Talkie styl define ail(c for permission = ct ,Walki i Talkie fails: Pt by a At ‣ if (P t configuration i ⇤ i Let R where correspond toAt set2A .KSL rules. We cons R Pt ⇥ 2P and a ⇥ of Then, we say the configur Certified KSLf(ct ) = operates in to ail(ctR (c)} = input,Pthathas if {ri |riPush For linear t ) ⇧ R, f Talk , r rule let ‣t from theAt FRrules as follows. time each ito the⌃., Noteas beFR A Clearly, ail(·) i notation. i ⇤ i a th ⇤P F i ates com-all sets3of “permission” restrictions,R. Finally, theif po of as a hash tablethe standard notation 2 represent Shazam ct andUtility to identify can provide constant time set membershipand let ARbe th Then, we say the configuration ct passes a given KSL rule-set ithe We use X checks. set o the input, Let FRthat F (c ) set a function returning indicateofof r : C is the be of allin time linear to theset which installer to the ⇤. 
all ⌅ R operates subsets includingsize jour uld notR (call = ⌃.X, which R t Inauguration Then, create r = ( be F of t ) sets Note NC State - Prof. William Enck of “receive” restrictions. Collaborative Page 9
  • 10. Studying the (early) Market • Evaluate 300+ popular Market apps (Jan 2009) ‣ 5 had both dangerous configuration and functionality (1.6%) ‣ 5 had dangerous configuration but not functionality (1.6%) (1) An application must not have the SET_DEBUG_APP permission (2) An application must not have the READ_PHONE_STATE, RECORD_AUDIO, and INTERNET permissions (3) An application must not have the PROCESS_OUTGOING_CALL, RECORD_AUDIO, and INTERNET permissions (4) An application must not have the ACCESS_FINE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions (5) An application must not have the ACCESS_COARSE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions (6) An application must not have the RECEIVE_SMS and WRITE_SMS permissions (7) An application must not have the SEND_SMS and WRITE_SMS permissions (8) An application must not have the INSTALL_SHORTCUT and UNINSTALL_SHORTCUT permissions (9) An application must not have the SET_PREFERRED_APPLICATION permission and receive Intents for the CALL action string NC State - Prof. William Enck Page 10
  • 11. Q2: What do the applications do? • TaintDroid is a system-wide integration of taint tracking into the Android platform ‣ VM Layer: variable tracking throughout Dalvik VM ‣ Native Layer: patches state after native method invocation ‣ Binder IPC Layer: extends tracking between applications ‣ Storage Layer: persistent tracking on files Message-level tracking Application Code Msg Application Code Virtual Virtual Variable-level Machine Machine tracking Native System Libraries Method-level tracking File-level Network Interface Secondary Storage tracking • TaintDroid is a firmware modification, not an app NC State - Prof. William Enck Page 11
  • 12. Dynamic Taint Analysis • Dynamic taint analysis is a technique that tracks information dependencies from an origin • Conceptual idea: c = taint_source() ‣ Taint source ... ‣ Taint propagation a = b + c ‣ Taint sink ... network_send(a) • Limitations: performance and granularity is a trade-off NC State - Prof. William Enck Page 12
  • 13. Performance CaffeineMark 3.0 benchmark • Memory overhead: 4.4% (higher is better) 2000 Android • IPC overhead: 27% 1800 TaintDroid 1600 1400 • Macro-benchmark: 14% overhead 1200 1000 ‣ App load: 3% (2ms) 800 ‣ Address book: (< 20 ms) 600 400 5.5% create, 18% read 200 0 ‣ Phone call: 10% (10ms) sieve loop logic string float method total ‣ Take picture: 29% (0.5s) CaffeineMark score roughly corresponds to the number of Java instructions per second. NC State - Prof. William Enck Page 13
  • 14. Application Study • Selected 30 applications with bias on popularity and access to Internet, location, microphone, and camera applications # permissions The Weather Channel, Cetos, Solitarie, Movies, Babble, Manga Browser 6 Bump, Wertago, Antivirus, ABC --- Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Datelefonbuch, Astrid, BBC News Live 14 Stream, Ringtones Layer, Knocking, Coupons, Trapster, Spongebot Slide, ProBasketBall 6 MySpace, Barcode Scanner, ixMAT 3 Evernote 1 • Of 105 flagged connections, only 37 clearly legitimate NC State - Prof. William Enck Page 14
  • 15. Findings • 15 of the 30 applications shared physical location with an ad server (admob.com, ad.qwapi.com, ads.mobclix.com, data.flurry.com) ‣ Most traffic was plaintext (e.g., AdMob HTTP GET): ...&s=a14a4a93f1e4c68&..&t=062A1CB1D476DE85 B717D9195A6722A9&d%5Bcoord%5D=47.6612278900 00006%2C-122.31589477&... • 7 applications sent device (IMEI) and 2 apps sent phone info (Ph. #, IMSI *, ICC-ID) to a remote server without informing the user. NC State - Prof. William Enck Page 15
  • 16. Q3: What can the applications do? • Static analysis: look at the possible paths and interaction of data ‣ Very, very hard (often undecidable), but community has learned that we can do a lot with small analyses. • Step 1: ded decompiler for Android applications • Step 2: static source code analysis for both dangerous functionality and vulnerabilities ‣ What data could be exfiltrated from the application? ‣ Are developers safely using interfaces? NC State - Prof. William Enck Page 16
  • 17. ded Decompiler Retargeting Process • Android applications are written CFG in Java, but compiled for the (1) DEX Parsing Construction optimized Dalvik VM language Type Inference Processing Missing Type Inference Constant Identification ‣ Non-trivial to retarget back to Java: (2) Java .class Conversion Constant Pool Conversion register vs. stack architecture, Constant Pool Translation Method Code Retargeting constant pools, ambiguous scalar types, Bytecode Reorganization null references, etc. (3) Java .class Optimization Instruction Set Translation • ded recovers source code from application package ‣ Retargeting: type inference, instruction translation, etc ‣ Optimization: use Soot to re-optimize for Java bytecode ‣ Decompilation: standard Java decompilation (Soot) • Decompiled top 1,100 free apps from Android market: over 21 million lines of source code NC State - Prof. William Enck Page 17
18. Studying Application Security
• Queried for security properties using program analysis, followed by manual inspection to understand purpose
• Used several types of analysis to design security properties specific to Android using the Fortify SCA framework

  Analysis for Dangerous Behavior
  ‣ Misuse of Phone Identifiers: Data flow analysis
  ‣ Exposure of Physical Location: Data flow analysis
  ‣ Abuse of Telephony Services: Semantic analysis
  ‣ Eavesdropping on Video: Control flow analysis
  ‣ Eavesdropping on Audio: Structural analysis (+CG)
  ‣ Botnet Characteristics (Sockets): Structural analysis
  ‣ Harvesting Installed Applications: Structural analysis

  Analysis for Vulnerabilities
  ‣ Leaking Information to Logs: Data flow analysis
  ‣ Leaking Information to IPC: Control flow analysis
  ‣ Unprotected Broadcast Receivers: Control flow analysis
  ‣ Intent Injection Vulnerabilities: Control flow analysis
  ‣ Delegation Vulnerabilities: Control flow analysis
  ‣ Null Checks on IPC Input: Control flow analysis
  ‣ Password Management*: Data flow analysis
  ‣ Cryptography Misuse*: Structural analysis
  ‣ Injection Vulnerabilities*: Data flow analysis
  * included with analysis framework

• Also studied inclusion of advertisement and analytics libraries and associated properties
19. Phone Identifiers
• We’ve seen phone identifiers (Ph.#, IMEI, IMSI, etc.) sent to network servers, but how are they used?
  ‣ Program analysis pin-pointed 33 apps leaking Phone IDs
• Finding 2 - device fingerprints
• Finding 3 - tracking actions
• Finding 4 - along with registration and login
20. Device Fingerprints (1)
com.eoeandroid.eWallpapers.cartoon - SyncDeviceInfosService.getDevice_info()

    r1.append((new StringBuilder("device_id=")).append(tm.getDeviceId()).toString())
      .append((new StringBuilder("&device_software_version=")).append(tm.getDeviceSoftwareVersion()).toString());
    r1.append((new StringBuilder("&build_board=")).append(Build.BOARD).toString())
      .append((new StringBuilder("&build_brand=")).append(Build.BRAND).toString())
      .append((new StringBuilder("&build_device=")).append(Build.DEVICE).toString())
      .append((new StringBuilder("&build_display=")).append(Build.DISPLAY).toString())
      .append((new StringBuilder("&build_fingerprint=")).append(Build.FINGERPRINT).toString())
      .append((new StringBuilder("&build_model=")).append(Build.MODEL).toString())
      .append((new StringBuilder("&build_product=")).append(Build.PRODUCT).toString())
      .append((new StringBuilder("&build_tags=")).append(Build.TAGS).toString())
      .append((new StringBuilder("&build_time=")).append(Build.TIME).toString())
      .append((new StringBuilder("&build_user=")).append(Build.USER).toString())
      .append((new StringBuilder("&build_type=")).append(Build.TYPE).toString())
      .append((new StringBuilder("&build_id=")).append(Build.ID).toString())
      .append((new StringBuilder("&build_host=")).append(Build.HOST).toString())
      .append((new StringBuilder("&build_version_release=")).append(Build$VERSION.RELEASE).toString())
      .append((new StringBuilder("&build_version_sdk_int=")).append(Build$VERSION.SDK).toString())
      .append((new StringBuilder("&build_version_incremental=")).append(Build$VERSION.INCREMENTAL).toString());
    r5 = mContext.getApplicationContext().getResources().getDisplayMetrics();
    r1.append((new StringBuilder("&density=")).append(r5.density).toString())
      .append((new StringBuilder("&height_pixels=")).append(r5.heightPixels).toString())
      .append((new StringBuilder("&scaled_density=")).append(r5.scaledDensity).toString())
      .append((new StringBuilder("&width_pixels=")).append(r5.widthPixels).toString())
      .append((new StringBuilder("&xdpi=")).append(r5.xdpi).toString())
      .append((new StringBuilder("&ydpi=")).append(r5.ydpi).toString());
    r1.append((new StringBuilder("&line1_number=")).append(tm.getLine1Number()).toString())
      .append((new StringBuilder("&network_country_iso=")).append(tm.getNetworkCountryIso()).toString())
      .append((new StringBuilder("&network_operator=")).append(tm.getNetworkOperator()).toString())
      .append((new StringBuilder("&network_operator_name=")).append(tm.getNetworkOperatorName()).toString())
      .append((new StringBuilder("&network_type=")).append(tm.getNetworkType()).toString())
      .append((new StringBuilder("&phone_type=")).append(tm.getPhoneType()).toString())
      .append((new StringBuilder("&sim_country_iso=")).append(tm.getSimCountryIso()).toString())
      .append((new StringBuilder("&sim_operator=")).append(tm.getSimOperator()).toString())
      .append((new StringBuilder("&sim_operator_name=")).append(tm.getSimOperatorName()).toString())
      .append((new StringBuilder("&sim_serial_number=")).append(tm.getSimSerialNumber()).toString())
      .append((new StringBuilder("&sim_state=")).append(tm.getSimState()).toString())
      .append((new StringBuilder("&subscriber_id=")).append(tm.getSubscriberId()).toString())
      .append((new StringBuilder("&voice_mail_number=")).append(tm.getVoiceMailNumber()).toString());
    i0 = mContext.getResources().getConfiguration().mcc;
    i1 = mContext.getResources().getConfiguration().mnc;
    r1.append((new StringBuilder("&imsi_mcc=")).append(i0).toString())
      .append((new StringBuilder("&imsi_mnc=")).append(i1).toString());
    r254 = (ActivityManager) mContext.getSystemService("activity");
    $r255 = new ActivityManager$MemoryInfo();
    r254.getMemoryInfo($r255);
    r1.append((new StringBuilder("&total_mem=")).append($r255.availMem).toString());
21. Device Fingerprints (2)
com.avantar.wny - com/avantar/wny/PhoneStats.java

    public String toUrlFormatedString() {
        StringBuilder $r4;
        if (mURLFormatedParameters == null) {
            $r4 = new StringBuilder();
            $r4.append((new StringBuilder("&uuid=")).append(URLEncoder.encode(mUuid)).toString());   // slide callout: IMEI
            $r4.append((new StringBuilder("&device=")).append(URLEncoder.encode(mModel)).toString());
            $r4.append((new StringBuilder("&platform=")).append(URLEncoder.encode(mOSVersion)).toString());
            $r4.append((new StringBuilder("&ver=")).append(mAppVersion).toString());
            $r4.append((new StringBuilder("&app=")).append(this.getAppName()).toString());
            $r4.append("&returnfmt=json");
            mURLFormatedParameters = $r4.toString();
        }
        return mURLFormatedParameters;
    }
22. Tracking
com.froogloid.kring.google.zxing.client.android - Activity_Router.java (Main Activity)

    public void onCreate(Bundle r1) {
        ...
        IMEI = ((TelephonyManager) this.getSystemService("phone")).getDeviceId();
        // slide callout: http://kror.keyringapp.com/service.php
        retailerLookupCmd = (new StringBuilder(String.valueOf(constants.server))).append("identifier=").append(EncodeURL.KREncodeURL(IMEI)).append("&command=retailerlookup&retailername=").toString();
        ...
    }

com.Qunar - net/NetworkTask.java

    public void run() {
        ...
        r24 = (TelephonyManager) r21.getSystemService("phone");
        // slide callout: http://client.qunar.com:80/QSearch
        url = (new StringBuilder(String.valueOf(url))).append("&vid=60001001&pid=10010&cid=C1000&uid=").append(r24.getDeviceId()).append("&gid=").append(QConfiguration.mGid).append("&msg=").append(QConfiguration.getInstance().mPCStat.toMsgString()).toString();
        ...
    }
23. Registration and Login
com.statefarm.pocketagent - activity/LogInActivity$1.java (Button callback)

    public void onClick(View r1) {
        ...
        r7 = Host.getDeviceId(this$0.getApplicationContext());   // slide callout: IMEI
        LogInActivity.access$1(this$0).setUniqueDeviceID(r7);
        this$0.loginTask = new LogInActivity$LoginTask(this$0, null);
        this$0.showProgressDialog(r2, 2131361798, this$0.loginTask);
        r57 = this$0.loginTask;
        r58 = new LoginTO[1];
        r58[0] = LogInActivity.access$1(this$0);
        r57.execute(r58);
        ...
    }

Is this necessarily bad?
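The "Misuse of Phone Identifiers" and "Leaking Information to Logs" properties on slide 18 are data flow analyses: taint starts at an identifier getter and is followed through string building to a network or log sink. The toy forward taint analysis below is an added example (not ded or Fortify SCA code); it assumes a hypothetical source and sink list, handles only straight-line code with one statement per line, and runs over a constructed body modelled on the decompiled fingerprint code of slides 20-23.

```python
import re
# Sources: the identifier/location getters named on slides 19-23 (hypothetical subset).
SOURCES = {"getDeviceId", "getSubscriberId", "getLine1Number",
           "getSimSerialNumber", "getLastKnownLocation"}
# Sinks and the slide-18 property each feeds: network flows and log leaks.
SINKS = {"openConnection": "network", "HttpGet": "network", "Log.d": "log"}
MUTATORS = {"append", "put", "write"}      # calls that taint their receiver
ASSIGN_RE = re.compile(r"^\s*(\$?\w+)\s*=\s*(.*);\s*$")
RECV_CALL_RE = re.compile(r"^\s*(\$?\w+)\.(\w+)\(")
IDENT_RE = re.compile(r"\$?[A-Za-z_]\w*")
CALL_RE = re.compile(r"(\w+)\(")

def analyze(code):
    """Forward taint propagation over a straight-line body, one statement per
    line; returns (line, sink kind, sorted source names) for each flow found."""
    tainted, findings = {}, []
    for lineno, stmt in enumerate(code.strip().splitlines(), start=1):
        m = ASSIGN_RE.match(stmt)
        rhs = m.group(2) if m else stmt
        # gen: a source call, plus taint carried by any operand in the statement
        taint = frozenset(c for c in CALL_RE.findall(rhs) if c in SOURCES)
        for ident in IDENT_RE.findall(rhs):
            taint |= tainted.get(ident, frozenset())
        for sink, kind in SINKS.items():
            if taint and sink + "(" in stmt:
                findings.append((lineno, kind, sorted(taint)))
        if m:                                  # assignment: gen or kill the LHS
            if taint:
                tainted[m.group(1)] = taint
            else:
                tainted.pop(m.group(1), None)
        elif (rc := RECV_CALL_RE.match(stmt)) and rc.group(2) in MUTATORS and taint:
            tainted[rc.group(1)] = tainted.get(rc.group(1), frozenset()) | taint
    return findings

# Constructed body modelled on the fingerprint code of slides 20-23 (not the
# decompiled original); r9 is overwritten before use, so it must not be reported.
CODE = """
tm = (TelephonyManager) r4.getSystemService("phone");
r7 = tm.getDeviceId();
r1 = new StringBuilder("device_id=");
r1.append(r7);
r9 = tm.getLine1Number();
r9 = "";
r1.append("&line1_number=").append(r9);
url = r1.toString();
r3 = (new URL(url)).openConnection();
sub = tm.getSubscriberId();
Log.d("ids", sub);
"""
```

Run on CODE it reports the IMEI reaching openConnection through the StringBuilder and the IMSI reaching Log.d, and nothing for the killed getLine1Number value.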
24. Location
• Found 13 apps with geographic location data flows to the network
  ‣ Many were legitimate: weather, classifieds, points of interest, and social networking services
• Several instances sent to advertisers (same as TaintDroid). More on this shortly.
• Code recovery error in AdMob library.
25. Phone Misuse
• No evidence of abuse in our sample set
  ‣ Hard-coded numbers for SMS/voice (premium-rate)
  ‣ Background audio/video recording
  ‣ Socket API use (not HTTP wrappers)
  ‣ Harvesting list of installed applications
26. Ad/Analytics Libraries
• 51% of the apps included an ad or analytics library (many also included custom functionality)
• A few libraries were used most frequently
• Use of phone identifiers and location sometimes configurable by developer

  Library Path                        # Apps   Obtains
  com/admob/android/ads                  320   L
  com/google/ads                         206   -
  com/flurry/android                      98   -
  com/qwapi/adclient/android              74   L, P, E
  com/google/android/apps/analytics       67   -
  com/adwhirl                             60   L
  com/mobclix/android/sdk                 58   L, E
  com/mellennialmedia/android             52   -
  com/zestadz/android                     10   -
  com/admarvel/android/ads                 8   -
  com/estsoft/adlocal                      8   L
  com/adfonic/android                      5   -
  com/vdroid/ads                           5   L, E
  com/greystripe/android/sdk               4   E
  com/medialets                            4   L
  com/wooboo/adlib_android                 4   L, P, I
  com/adserver/adview                      3   L
  com/tapjoy                               3   -
  com/inmobi/androidsdk                    2   E
  com/apegroup/ad                          1   -
  com/casee/adsdk                          1   S
  com/webtrents/mobile                     1   L, E, S, I
  Total Unique Apps                      561
  L = Location; P = Ph#; E = IMEI; S = IMSI; I = ICC-ID

  Figure: number of apps (log scale, 1 to 1000) vs. number of ad/analytics libraries included (1 to 8); bar labels as extracted: 367, 91, 32, 37, 15, 8, 10, 1. One app has 8 libraries!
27. Probing for Permissions (1)
com/webtrends/mobile/analytics/android/WebtrendsAndroidValueFetcher.java

    public static String getDeviceId(Object r0) {
        Context r4;
        String r7;
        r4 = (Context) r0;
        try {
            r7 = ((TelephonyManager) r4.getSystemService("phone")).getDeviceId();
            if (r7 == null) {
                r7 = "";
            }
        } catch (Exception $r8) {   // slide callout: Catches SecurityException
            WebtrendsDataCollector.getInstance().getLog().d("Exception fetching TelephonyManager.getDeviceId value. ", $r8);
            r7 = null;
        }
        return r7;
    }
28. Probing for Permissions (2)
com/casee/adsdk/AdFetcher.java

    public static String getDeviceId(Context r0) {
        String r1;
        r1 = "";
        label_19: {
            if (deviceId != null) {
                if (r1.equals(deviceId) == false) {
                    break label_19;
                }
            }
            // slide callout: Checks before accessing
            if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0) {
                deviceId = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId();
            }
        } //end label_19:
        ...
    }
29. Developer Toolkits
• We found identically implemented dangerous functionality in the form of developer toolkits.
  ‣ Probing for permissions (e.g., Android API, catch SecurityException)
  ‣ Well-known brands sometimes commission developers that include dangerous functionality.
• “USA Today” and “FOX News” both developed by Mercury Intermedia (com/mercuryintermedia), which grabs IMEI on startup
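A detector for the two probing patterns on slides 27 and 28 (a handler that would swallow SecurityException around a permission-guarded call, and a runtime checkCallingOrSelfPermission test before the call), written as an added example rather than a rule from the study's Fortify SCA ruleset. The API-to-permission map is a hypothetical subset, the brace-counting method boundary is a heuristic for decompiled one-method snippets, and the two input snippets are constructed in the shape of the slides' code.

```python
import re

# Permission-guarded APIs from the slides and the permission each requires.
GUARDED = {api: "android.permission.READ_PHONE_STATE"
           for api in ("getDeviceId", "getSubscriberId", "getLine1Number")}
SWALLOWS = {"SecurityException", "RuntimeException", "Exception", "Throwable"}
CATCH_RE = re.compile(r"\bcatch\s*\(\s*(\w+)")
CALL_RE = re.compile(r"\.(\w+)\(")
CHECK_RE = re.compile(r'check(?:CallingOrSelf)?Permission\s*\(\s*"([\w.]+)"')

def find_probes(src):
    """Return (kind, api, line): 'catch' = SecurityException swallowed around the
    call, 'check' = permission tested at runtime before the call."""
    findings, try_stack, checked, depth = [], [], set(), 0
    for lineno, line in enumerate(src.splitlines(), start=1):
        if re.search(r"\btry\b", line):
            try_stack.append([])              # guarded calls seen in this try body
        if (m := CATCH_RE.search(line)) and try_stack:
            calls = try_stack.pop()           # catch belongs to the innermost try
            if m.group(1) in SWALLOWS:
                findings += [("catch", api, at) for api, at in calls]
        checked.update(CHECK_RE.findall(line))
        for api in CALL_RE.findall(line):
            if api not in GUARDED:
                continue
            if try_stack:
                try_stack[-1].append((api, lineno))
            if GUARDED[api] in checked:
                findings.append(("check", api, lineno))
        depth += line.count("{") - line.count("}")
        if depth == 0:
            checked.clear()                   # next top-level method starts clean
    return findings

# Constructed snippets modelled on slides 27 and 28 (not the decompiled originals).
WEBTRENDS = """\
public static String getDeviceId(Object r0) {
    try {
        r7 = ((TelephonyManager) r0.getSystemService("phone")).getDeviceId();
    } catch (Exception $r8) { r7 = null; }
    return r7;
}"""
CASEE = """\
public static String getDeviceId(Context r0) {
    if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0) {
        deviceId = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId();
    }
    return deviceId;
}"""
```

A catch of a non-swallowing type such as IOException around the same call produces no finding, which keeps ordinary I/O error handling out of the results.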
30. Custom Exceptions
v00032.com.wordplayer - CustomExceptionHandler.java

    void init() {
        URLConnection r3;
        ...
        r3 = (new URL("http://www.word-player.com/HttpHandler/init.sample")).openConnection();
        ...
        try {
            $r27 = this.mkStr(((TelephonyManager) _context.getSystemService("phone")).getLine1Number());   // slide callout: Phone Number!?
        } catch (Exception $r81) {
            break label_5;
        }
        ...
    }
31. Intent Vulnerabilities
• Similar analysis rules as independently identified by Chin et al. [Mobisys 2011]
• Leaking information to IPC - unprotected intent broadcasts are common, occasionally contain info
• Unprotected broadcast receivers - a few apps receive custom action strings w/out protection (lots of “protected bcasts”)
• Intent injection attacks - 16 apps had potential vulnerabilities
• Delegating control - pending intents are tricky to analyze (notification, alarm, and widget APIs) --- no vulns found
• Null checks on IPC input - 3925 potential null dereferences in 591 apps (53%) --- most were in activity components
32. Study Limitations
• The sample set
• Code recovery failures
• Android IPC data flows
• Fortify SCA language
• Obfuscation
33. Summary
• What permissions do applications ask for?
  ‣ Kirin demonstrated how permission combinations can be effectively used to certify applications at install-time.
• What do applications do with the permissions?
  ‣ TaintDroid “looks inside” of applications to understand how privacy sensitive information is being used.
• What can applications do with the permissions?
  ‣ We used program analysis and manual inspection to characterize implemented application behavior
34. Thank you!
William Enck
Assistant Professor
Department of Computer Science
NC State University
[email protected]
http://www.enck.org