architectural risk analysis for android applicationssohr/papers/fomsess_eng.pdf · comprehensible...
Post on 25-May-2020
1 Views
Preview:
TRANSCRIPT
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
1
University of Applied Sciences Bremen, 22.06.2015
Dr. Karsten Sohr
TZI – Universität Bremen
Center for Computing Technologies
Architectural Risk Analysis forAndroid Applications
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
2
Outline
Software security as an own discipline
Security problems in Android apps
Research project ZertApps
Outlook
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
3
Software Security as an Own Discipline
Current security mechanisms such as firewalls anti-virus software orintrustion dectection systems are reactive
Cause of many security problems: security issues in software
McGraw: Trinity of trouble
1. Increasing complexity (Windows 8 up to 80 Mio. lines of code?)
2. Increasing connectivity (SOA, Internet of Things, Iindustrial controllers…)
3. Extensibility of systems (Nachladen von Apps, Plugins für Browser)
Tools and processes to improve software security• Security development lifecycle (SDL)
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
5
Architektural Risk Analysis as Part of the SDL
Security analysis of the software architecture• At design time
• Detection of basic security problems („flaws“ vs. „bugs“)
• Example of flaws: Missing encryption; only integrity protection, althoughconfidentiality is requierd; inconsistent role-based accesscontrol;overprivilegation; wrong usage of frameworks
Two approaches• Threat Modeling/STRIDE (Microsoft)
• Architektural risik analysis from McGraw
Core idea in both approaches:
Discussion of basic security aspects with the help of diagrams(forest-level overview)
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
6
Threat Modeling with Dataflow diagrams
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
7
Security Holes in Apps
Cryptographic Weaknesses, e.g., easily guessable keys in WhatsApp messenger
Overprivileged apps
Confused-deputy problems
Massive vulnerabilities in SSL-implementation of apps
Injection of JavaScript code into apps with web functionality
Faulty usage of software frameworks
Basic waeknesses in systems consisting of a remote-control appand a backend
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
8
An E-Mail of a Colleague …
If you are interested in the SSL-stuff again: The app is implemented as a
WebView, i.e., all is HTML. What speaks to a big error is this:
public void onReceivedSslError(android.webkit.WebView, android.webkit.SslErrorHandler, android.net.http.SslError){
com.WebDevs.SPCanywhere.MyWebViewClient $r0;
android.webkit.WebView $r1;
android.webkit.SslErrorHandler $r2;
android.net.http.SslError $r3;
$r0 := @this: com.WebDevs.SPCanywhere.MyWebViewClient;
$r1 := @parameter0: android.webkit.WebView;
$r2 := @parameter1: android.webkit.SslErrorHandler;
$r3 := @parameter2: android.net.http.SslError;
virtualinvoke $r2.<android.webkit.SslErrorHandler: void proceed()>();
return;
}
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
9
Decompiled to Java
public void onReceivedSslError(WebView
paramWebView, SslErrorHandler
paramSslErrorHandler, SslError
paramSslError)
{
paramSslErrorHandler.proceed();
}
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
10
Insecure Usage of the Android Framework:Telekom Online Manager
Intent localIntent1 =
new
Intent("de.telekom.hotspot.intent.action.SMS_STATUS");
localIntent1.putExtra("status",
CredSmsStatusType.SMS_STATUS_CREDENTIALS_RECEIVED);
localIntent1.putExtra("username", str2);
localIntent1.putExtra("password", str3);
sendBroadcast(localIntent1);
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
11
Exported Content Provider: SAP Mobile Documents
<provider
android:name="com.sap.mcm.android.content.FileContentProvider"
android:exported="true"
android:authorities="com.sap.mcm.android.provider" />
public File getFile(Uri paramUri){
McmDocument localMcmDocument = getDocument(paramUri);
File localFile =
new File(localMcmDocument.getUnencryptedPath());
return localFile;
}
private void decryptNextDocument() {
McmDocument localMcmDocument =
(McmDocument)this.documents.get(this.nextDocumentIndex);
localMcmDocument.copyUnencrypted(this);
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
12
Problem Statement
We need cost-efficient analysis methods andevaluation processes that assure thatAndroid apps are show an appropriatesecurity level.
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
13
Current Research Project ZertApps
BMBF-funded project ZertApps: Certified security for mobile applications
Project partners:
• Universität Bremen,
• Fraunhofer SIT,
• TU Darmstadt,
• OTARIS Interactive Service GmbH,
• datenschutz cert GmbH,
• SAP AG
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
14
Project Goals /1
Development of precise static security analyses based on the Android Framework with open source tools, e.g., Soot
If necessary, dynamic analysis to improve static analysis
Interaction of several apps (→ confused deputy problem)
Consideration of hybride apps (apps with Java and web parts)
• E.g., analysis of PhoneGap-based apps
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
15
Project Goals /2
Comprehensible presentation of analysis results for different groups ofusers
• Security administrators, evaluators, developers, users?
Conception of a lightweight certification process / scheme
• Low cost
• Graded certification concept
Tool-support for certification
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
16
Own Contribution: Architektural Risk Analysis
Extraction and security analysis of the software architecture of apps
Reverse engineering of dataflow diagrams (DFDs) with the help of staticanalysis (Soot)
Automated analysis of these extracted DFDs against known architecturalweaknesses (e.g., CWE entries)
Conception and implementation within in the context of a dissertation at AG Softwaretechnik, Prof. Koschke
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
1
7
Procedure
Android App
EDFDAndroid Model
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
18
Static Analysis
Android app
Android model
Component detection
Entry point dectection
Detection of exit points
Identification of intra-component flows
Identification of inter-component flows
Determination of external communications
Usage of shared preferences
Usage of encryption
A Service
Activity
Identification of security properties
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
19
Procedure
Android app
Android model EDFD
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
20
Example Dataflow Diagram
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
21
Example Dataflow Diagram: Hybride App
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
22
Procedure
Android app
Android model
Pattern catalogue
EDFD Risk model
Security rules
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
23
Checking Security Rules
MATCH (source : Element)
-[flow : Channel *]->
(target : Element)
WHERE flow.data.IsConfidential
and not flow.IsEncrypted
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
24
Summary & Outlook
Software security becomes more relevant
• Mobile apps, Internet of Things, industrial controllers, …
Systematic and cost-efficient prcesses for software securityare needed
Escecially relevant: security of apps
Tool support
New supporting kinds of analysis:
Static (and dynamic) code analyses for the extraction andvalidation of the implemented security architecture
Systemqualität und InformationssicherheitDr. Karsten Sohr, sohr@tzi.de
25
Thank you very much foryour attention!
Questions?
top related