architectural risk analysis for android applicationssohr/papers/fomsess_eng.pdf · comprehensible...

Systemqualität und InformationssicherheitDr. Karsten Sohr, [email protected]

1

University of Applied Sciences Bremen, 22.06.2015

Dr. Karsten Sohr

TZI – Universität Bremen

Center for Computing Technologies

Architectural Risk Analysis forAndroid Applications


2

Outline

Software security as an own discipline

Security problems in Android apps

Research project ZertApps

Outlook


3

Software Security as an Own Discipline

Current security mechanisms such as firewalls anti-virus software orintrustion dectection systems are reactive

Cause of many security problems: security issues in software

McGraw: Trinity of trouble

1. Increasing complexity (Windows 8 up to 80 Mio. lines of code?)

2. Increasing connectivity (SOA, Internet of Things, Iindustrial controllers…)

3. Extensibility of systems (Nachladen von Apps, Plugins für Browser)

Tools and processes to improve software security• Security development lifecycle (SDL)


5

Architektural Risk Analysis as Part of the SDL

Security analysis of the software architecture• At design time

• Detection of basic security problems („flaws“ vs. „bugs“)

• Example of flaws: Missing encryption; only integrity protection, althoughconfidentiality is requierd; inconsistent role-based accesscontrol;overprivilegation; wrong usage of frameworks

Two approaches• Threat Modeling/STRIDE (Microsoft)

• Architektural risik analysis from McGraw

Core idea in both approaches:

Discussion of basic security aspects with the help of diagrams(forest-level overview)


6

Threat Modeling with Dataflow diagrams


7

Security Holes in Apps

Cryptographic Weaknesses, e.g., easily guessable keys in WhatsApp messenger

Overprivileged apps

Confused-deputy problems

Massive vulnerabilities in SSL-implementation of apps

Injection of JavaScript code into apps with web functionality

Faulty usage of software frameworks

Basic waeknesses in systems consisting of a remote-control appand a backend


8

An E-Mail of a Colleague …

If you are interested in the SSL-stuff again: The app is implemented as a

WebView, i.e., all is HTML. What speaks to a big error is this:

public void onReceivedSslError(android.webkit.WebView, android.webkit.SslErrorHandler, android.net.http.SslError){

com.WebDevs.SPCanywhere.MyWebViewClient $r0;

android.webkit.WebView $r1;

android.webkit.SslErrorHandler $r2;

android.net.http.SslError $r3;

$r0 := @this: com.WebDevs.SPCanywhere.MyWebViewClient;

$r1 := @parameter0: android.webkit.WebView;

$r2 := @parameter1: android.webkit.SslErrorHandler;

$r3 := @parameter2: android.net.http.SslError;

virtualinvoke $r2.<android.webkit.SslErrorHandler: void proceed()>();

return;

}


9

Decompiled to Java

public void onReceivedSslError(WebView

paramWebView, SslErrorHandler

paramSslErrorHandler, SslError

paramSslError)

{

paramSslErrorHandler.proceed();

}


10

Insecure Usage of the Android Framework:Telekom Online Manager

Intent localIntent1 =

new

Intent("de.telekom.hotspot.intent.action.SMS_STATUS");

localIntent1.putExtra("status",

CredSmsStatusType.SMS_STATUS_CREDENTIALS_RECEIVED);

localIntent1.putExtra("username", str2);

localIntent1.putExtra("password", str3);

sendBroadcast(localIntent1);


11

Exported Content Provider: SAP Mobile Documents

<provider

android:name="com.sap.mcm.android.content.FileContentProvider"

android:exported="true"

android:authorities="com.sap.mcm.android.provider" />

public File getFile(Uri paramUri){

McmDocument localMcmDocument = getDocument(paramUri);

File localFile =

new File(localMcmDocument.getUnencryptedPath());

return localFile;

}

private void decryptNextDocument() {

McmDocument localMcmDocument =

(McmDocument)this.documents.get(this.nextDocumentIndex);

localMcmDocument.copyUnencrypted(this);


12

Problem Statement

We need cost-efficient analysis methods andevaluation processes that assure thatAndroid apps are show an appropriatesecurity level.


13

Current Research Project ZertApps

BMBF-funded project ZertApps: Certified security for mobile applications

Project partners:

• Universität Bremen,

• Fraunhofer SIT,

• TU Darmstadt,

• OTARIS Interactive Service GmbH,

• datenschutz cert GmbH,

• SAP AG


14

Project Goals /1

Development of precise static security analyses based on the Android Framework with open source tools, e.g., Soot

If necessary, dynamic analysis to improve static analysis

Interaction of several apps (→ confused deputy problem)

Consideration of hybride apps (apps with Java and web parts)

• E.g., analysis of PhoneGap-based apps


15

Project Goals /2

Comprehensible presentation of analysis results for different groups ofusers

• Security administrators, evaluators, developers, users?

Conception of a lightweight certification process / scheme

• Low cost

• Graded certification concept

Tool-support for certification


16

Own Contribution: Architektural Risk Analysis

Extraction and security analysis of the software architecture of apps

Reverse engineering of dataflow diagrams (DFDs) with the help of staticanalysis (Soot)

Automated analysis of these extracted DFDs against known architecturalweaknesses (e.g., CWE entries)

Conception and implementation within in the context of a dissertation at AG Softwaretechnik, Prof. Koschke


1

7

Procedure

Android App

EDFDAndroid Model


18

Static Analysis

Android app

Android model

Component detection

Entry point dectection

Detection of exit points

Identification of intra-component flows

Identification of inter-component flows

Determination of external communications

Usage of shared preferences

Usage of encryption

A Service

Activity

Identification of security properties


19

Procedure

Android app

Android model EDFD


20

Example Dataflow Diagram


21

Example Dataflow Diagram: Hybride App


22

Procedure

Android app

Android model

Pattern catalogue

EDFD Risk model

Security rules


23

Checking Security Rules

MATCH (source : Element)

-[flow : Channel *]->

(target : Element)

WHERE flow.data.IsConfidential

and not flow.IsEncrypted


24

Summary & Outlook

Software security becomes more relevant

• Mobile apps, Internet of Things, industrial controllers, …

Systematic and cost-efficient prcesses for software securityare needed

Escecially relevant: security of apps

Tool support

New supporting kinds of analysis:

Static (and dynamic) code analyses for the extraction andvalidation of the implemented security architecture


25

Thank you very much foryour attention!

Questions?