
Post on 23-Aug-2020


INTRODUCING..... A S E F

Android Security Evaluation Framework

- Parth Patel

$ whoami_

Agenda

Manual Research

Automation - A S E F

Let’s solve problems

Conclusion

Android OS

Open Source

Security Evaluation of

Android Apps

[Diagram sequence: the Android app ecosystem. Labels on the slides: Developer, Attacker, User, Android APP Store, Bouncer, app icons marked "A", and an app of unknown intent marked "?".]

Permissions

Manual Research

“Behavioral Analysis” of Apps

Android SDK
  Emulator (Android Virtual Device - AVD)
  Android Debug Bridge - adb
  Android Asset Packaging Tool - aapt

Wireshark

dex2jar

IDE - eclipse

Utilities for Behavioral Analysis

Limitations of

‘Manual Research’

Introducing .....

A S E F

A S E F

A S E F as a Black Box

Malware / Aggressive Adware

Bandwidth

Vulnerabilities

Passive Active Interpret

Initialization

Normalization

Organization

Launch

Test Cycle

Parsing

Analyzing

Results

A S E F

Configurator: adb refresh, Device Detect (virtual/physical)

A S E F Phase 1: Passive

Initialization Mode

Default Virtual Device =
Google Safe Browsing API =
Host IP =
interface =

Creates Virtual Device

Session cleanup

Enable USB debugging

Array of .apk path

Location of an APP

A S E F Phase 1: Passive

Normalization Mode

Extractor

Location of APPs

Extracted APPs

A S E F Phase 1: Passive

Organization Mode

Converter / Test Result

Archive

$HAPK{$apk} = {      # one record per APK, keyed by its .apk path
    pkgnm     => $PKGNM,
    launchact => $LAUNCHACT,
    vercode   => $VERCODE,
    vername   => $VERNAME,
    applable  => $APPLABLE,
    adbstart  => "",
    adbstop   => "",
};

TEST_05_11_12-19:53:56

TEST_05_11_12-20:20:19

TEST_05_13_12-11:38:28

TEST_NIGHTLY_SCAN2

1.apk, 2.apk, 3.apk

adb_log.txt, network_traffic.txt (one pair per APK)

Virtual Device

Launcher

Boot / Boot check

Running

Not Running

Display unlock

A S E F Phase II : Active

Launch Mode

Installation mode

Launch mode

Activity mode

Uninstallation mode

stop - adb logcat

stop - tcpdump

start-timestamp

stop-timestamp

For each mode: kernel log, memory dump, services running

Extensive mode

Tm

A S E F Phase II : Active

Test Cycle

start - adb log

start - tcpdump

NetworkActivity

URLs/IPs

Google’s Safe Browsing API malware

aggressive adware / Access rate of URL/IP

Traffic Analyzer

Data tx / Bandwidth / Data usage

Bandwidth

Associated Permissions

Unique permissions of Apps / Permission mapping

Unique APIs API mapping

Decompilation/ APIs used

Reconstructing source code

apk -> unzip -> dex2jar -> jar2class -> class2jad -> Source Code

Black listing: Found / Add App to the blacklist -> Black listed

A S E F Phase III : Interpret

Parsing Mode -> Analyzing Mode -> Results

Vulnerability Detector

Signatures / Vulnerabilities (%HVULN)

%HAPK

A S E F

Demo

Statistics & Results

Apps leaking private information

Safe Apps - 74

Total Apps = 80

6 Apps - Leaking private data

IMEI number

phone number

Bandwidth Usage

Data usage (bytes) - 3 min Test Cycle

Aggressive Adware

(No of Servers accessed) / App 3 min Test Cycle

(Access-rate) / App 3 min Test Cycle

Threshold

Ad Requests @ 1.333 req/sec

Aggressive Adware
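The Traffic Analyzer and aggressive-adware slides above describe the per-app network metrics (servers accessed, access rate, data usage, the 1.333 req/sec threshold over a 3 min test cycle). The following is an added example of that analysis, not ASEF's own code; it assumes a hypothetical "epoch_seconds dst_host bytes" log line format and uses constructed sample cycles.

```python
# Added example, not ASEF's own code. It reproduces the per-app metrics the
# Traffic Analyzer slides list (servers accessed, access rate, data usage) over
# constructed log lines in a hypothetical "epoch_seconds dst_host bytes" format.
from collections import Counter

TEST_CYCLE_SECONDS = 180     # the 3 min Test Cycle from the slides
AD_RATE_THRESHOLD = 1.333    # "Ad Requests @ 1.333 req/sec" threshold from the slides


def parse_network_log(text):
    """Parse 'ts host bytes' lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            records.append((float(parts[0]), parts[1], int(parts[2])))
        except ValueError:
            continue
    return records


def analyze_traffic(records, cycle_seconds=TEST_CYCLE_SECONDS,
                    threshold=AD_RATE_THRESHOLD):
    """Per-app summary: unique servers, request count, bytes, access rate,
    and the aggressive-adware verdict (access rate at or above threshold)."""
    per_host = Counter(host for _, host, _ in records)
    total_bytes = sum(nbytes for _, _, nbytes in records)
    access_rate = len(records) / cycle_seconds
    return {
        "servers": len(per_host),
        "requests": len(records),
        "bytes": total_bytes,
        "access_rate": round(access_rate, 3),
        "top_hosts": per_host.most_common(3),
        "aggressive_adware": access_rate >= threshold,
    }


# Constructed sample cycles: an ad-heavy app fires 300 requests to two ad
# hosts in 180 s; a quiet app makes 20 requests. Both include one bad line.
AD_HEAVY_LOG = "garbage line\n" + "\n".join(
    f"{i * 0.6:.1f} ads{i % 2}.example.test 512" for i in range(300))
QUIET_LOG = "garbage line\n" + "\n".join(
    f"{i * 9.0:.1f} api.example.test 2048" for i in range(20))


if __name__ == "__main__":
    for name, log in (("ad-heavy", AD_HEAVY_LOG), ("quiet", QUIET_LOG)):
        print(name, analyze_traffic(parse_network_log(log)))
```

The ad-heavy cycle works out to 1.667 req/sec and is flagged; the quiet cycle at 0.111 req/sec is not.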

Permission mapping

Permission distribution - 1000 game apps

Internet

Vibrate

Send SMS

Write Contacts

Read Contacts

mount/unmount filesystem

Vulnerability Scanning

[Charts: Non-updated Android Apps, A S E F Scan - Before updates. Y-axis: No of Apps (0 to 80). Legend: No of total Apps / No of Vulnerable Apps. Bars: 75 total Apps, 12 Vulnerable Apps. Apps named on the slide: Adobe Flash Player, Mozilla Firefox.]

[Chart: A S E F Scan - After updates. Same axis and legend. Bars: 75 total Apps, 6 Vulnerable Apps.]

Extending the Framework

Installation mode

Launch mode

Activity mode

Uninstallation mode

stop - adb logcat

stop - tcpdump

start-timestamp

stop-timestamp

start - adb log

start - tcpdump

start - cmd line tool

stop - cmd line tool

Command line tools

Extending the Framework

Let’s solve problems....

A S E F to scan an APP STORE

Protect & Promote

A S E F in

Large Organizations

THE NIGHT PHOENIX

Android APP

ANDROID

NIGHT PHOENIX

apkzip

Extractor of A S E F

NIGHT PHOENIX & A S E F

A S E F Server

@ of .apk path

unzip

Package Manager

NIGHT PHOENIX ??

Alarm Manager

Who watches THE WATCHMEN

Internet

Write external storage

THE NIGHT PHOENIX

THE DARK PHOENIX

It is just the beginning ........

Next Generation of A S E F

Scalability - Load balancer module

Offline scanning - Crawler module

A S E F in cloud

Automated/Custom signature generation

Distinguishing updates - Security Fixes

UI reporting with correlated results and statistics

Conclusion ?

A S E F

Thank You

Twitter : @parth_84

email : pdpatel@qualys.com

http://code.google.com/p/asef/

https://community.qualys.com/blogs/securitylabs/2012/07/25/android-security-evaluation-framework--a-s-e-f
