Florida Institute for Cybersecurity (FICS) Research
CS 5410 - Computer and Network Security: Mobile Phone Security
Professor Patrick Traynor, Fall 2017
Announcements
• All that remains now is the Final Exam and the Final Poster presentation.
• Start thinking about how you should prepare!
And what about apps?
What is Android?
• The most popular smartphone operating system, led by Google
• Complete software stack
• Open source (Apache v2 license) ... mostly
• Open Handset Alliance ... 30+ industrial partners
  • Google, T-Mobile, Sprint, HTC, LG, Motorola, Samsung, Broadcom, Intel, NVIDIA, Qualcomm, and many more.
Android Phones
• An Android phone contains a number of “applications”
  • Android comes installed with a number of basic system tools, e.g., dialer, address book, etc.
• Developers use the Android API to construct applications.
  • Apps are written primarily in Java and executed within a custom virtual machine (Dalvik, later replaced by ART); native code can be added through the NDK.
  • Each application package is a jar-like zip archive (.apk)
• Applications are installed by the user
  • No “app store” required, just build and go.
• Open access to data and voice services
Architecture
• The Android smartphone operating system is built upon Linux and includes many libraries and a core set of applications.
• The middleware makes it interesting
  • Not focused on UNIX processes
  • Uses the Binder component framework
    • Originally developed for BeOS, then enhanced by Palm (OpenBinder), now used in Android
  • Applications consist of many components of different types
  • Applications interact via components
• We focus on security with respect to the component API
[Figure: Android architecture stack. The Phone, Contacts and Maps applications sit on the Android Middleware (Binder component framework, with a reference monitor consulting a policy), which sits on Linux.]
Component Model
• While each application runs as its own UNIX uid, sharing can occur through application-level interactions
• Interactions based on components
• Different component types
  • Activity
  • Service
  • Content Provider
  • Broadcast Receiver
• Target component in the same or different application
[Figure: the four component interactions. Starting an Activity for a Result (Activity to Activity: start, return). Communicating with a Service (Activity to Service: start/stop/bind, call, callback). Querying a Content Provider (Activity to Content Provider: read/write query, return). Receiving an Intent Broadcast (System, Activity or Service to Broadcast Receiver: send Intent).]
The Android Manifest
• Manifest files are the technique for describing the contents of an application package (i.e., resource file)
• Each Android application has a special AndroidManifest.xml file (included in the .apk package)
  • describes the contained components
    • components cannot execute unless they are listed
  • specifies rules for “auto-resolution”
  • specifies access rules
  • describes runtime dependencies
    • optional runtime libraries
    • required system permissions
Manifest Specification
Authorization
• Is this a good or bad way to do authorization?
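The Manifest Specification slide is an image that did not survive extraction, so the following added example (Python, written for this transcript, not part of the lecture) shows the check a reviewer actually runs against a manifest to answer the authorization question above: which components are reachable from other apps, and whether the permission guarding them means anything. It applies the manifest's own export rules (an explicit android:exported, otherwise the pre-API-31 default of "exported if it has an intent-filter"), treats a component with no android:permission as open, and treats a custom permission whose protectionLevel is not signature-based as weak, because any app can request a normal permission. The manifest, package name and component names are constructed for illustration.

```python
"""Audit an AndroidManifest.xml for components that any other app can reach.
Added example for this lecture transcript; the manifest below is constructed and
the package/component names are hypothetical."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def android(attr: str) -> str:
    """Qualify an attribute with the android: namespace the way ElementTree spells it."""
    return f"{{{ANDROID_NS}}}{attr}"


def is_exported(component: ET.Element) -> bool:
    """Apply the manifest's export rules to one component."""
    explicit = component.get(android("exported"))
    if explicit is not None:
        return explicit.lower() == "true"
    # Implicit default before API 31 (where the attribute became mandatory): a
    # component with an <intent-filter> is exported. Assumes targetSdkVersion >= 17,
    # so a <provider> without android:exported is private.
    return component.find("intent-filter") is not None


def is_launcher(component: ET.Element) -> bool:
    """The launcher activity is exported by design; do not report it."""
    return any(cat.get(android("name")) == "android.intent.category.LAUNCHER"
               for cat in component.iter("category"))


def audit_manifest(xml_text: str) -> list:
    """Return (tag, name, reason) for every reachable component that is not
    protected by a permission an arbitrary third-party app cannot obtain."""
    root = ET.fromstring(xml_text)
    # protectionLevel of the permissions this app defines; "normal" is the default
    declared = {p.get(android("name")): p.get(android("protectionLevel"), "normal")
                for p in root.iter("permission")}
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS or not is_exported(comp) or is_launcher(comp):
            continue
        name = comp.get(android("name"))
        guards = [comp.get(android(k)) for k in ("permission", "readPermission", "writePermission")]
        guards = [g for g in guards if g]
        if not guards:
            findings.append((comp.tag, name, "exported without any android:permission"))
            continue
        for perm in guards:
            level = declared.get(perm)  # None: defined by the system or another app, not judged here
            if level is not None and "signature" not in level:
                findings.append((comp.tag, name,
                                 f"guarded only by {perm} (protectionLevel={level}), "
                                 "which does not require a matching signing key"))
    return findings


# Constructed manifest: one launcher, one implicitly exported receiver, one open service,
# one component behind a normal-level permission, one behind a signature permission, one private.
MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <permission android:name="com.example.notes.permission.SYNC"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.notes.permission.DEBUG"
              android:protectionLevel="normal"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"/>
    <activity android:name=".DebugActivity" android:exported="true"
              android:permission="com.example.notes.permission.DEBUG"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"
              android:exported="true" android:permission="com.example.notes.permission.SYNC"/>
    <service android:name=".UploadWorker" android:exported="false"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for tag, name, reason in audit_manifest(MANIFEST):
        print(f"<{tag} {name}>: {reason}")
```

Run against the constructed manifest, the audit reports SmsReceiver (exported by its intent-filter, no permission), SyncService (explicitly exported, no permission) and DebugActivity (its permission is normal-level, so any app can request it and the guard is decorative); NotesProvider passes because its permission is signature-level, and UploadWorker is private. Permission names are checked only against what this manifest declares; system permissions would need their own protection-level table.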
Android Security
• Applications are sandboxed at the Linux level: each app runs under its own UNIX uid in its own process and its own Dalvik Virtual Machine instance (the kernel, not the VM, is the security boundary).
• Communication can occur through the previously discussed mechanisms.
• Assuming that the underlying isolation mechanisms are sufficient, where are attacks most likely to be found in these devices?
• Dalvik has been replaced by the Android Runtime (ART) since Android 5.0.
  • Largely the same, except that ART uses Ahead-of-Time (AOT) compilation and has improved garbage collection.
Studying Apps
• Decompiled the top 1,100 free apps from the Android Market: over 21 million lines of source code
• We use static analysis to identify both dangerous behavior and vulnerabilities, followed by manual inspection
• Must identify specific properties for analysis
• Note: static analysis says what can happen, not what does
Phone Identifiers
• We’ve seen phone identifiers (phone number, IMEI, IMSI, etc.) sent to network servers, but how are they used?
• Program analysis pinpointed 33 apps leaking phone IDs
  • Finding 2 - device fingerprints
  • Finding 3 - tracking actions
  • Finding 4 - along with registration and login
Device Fingerprints

com.avantar.wny - com/avantar/wny/PhoneStats.java (decompiled; the callout on the slide marks mUuid as the IMEI)

    public String toUrlFormatedString() {
        StringBuilder $r4;
        if (mURLFormatedParameters == null) {
            $r4 = new StringBuilder();
            // device identifier (IMEI) plus model, OS version and app version:
            // a device fingerprint assembled into the request query string
            $r4.append((new StringBuilder("&uuid=")).append(URLEncoder.encode(mUuid)).toString());
            $r4.append((new StringBuilder("&device=")).append(URLEncoder.encode(mModel)).toString());
            $r4.append((new StringBuilder("&platform=")).append(URLEncoder.encode(mOSVersion)).toString());
            $r4.append((new StringBuilder("&ver=")).append(mAppVersion).toString());
            $r4.append((new StringBuilder("&app=")).append(this.getAppName()).toString());
            $r4.append("&returnfmt=json");
            mURLFormatedParameters = $r4.toString();
        }
        return mURLFormatedParameters;
    }
Registration and Login

com.statefarm.pocketagent - activity/LogInActivity$1.java (Button callback; decompiled; the callout on the slide marks getDeviceId() as returning the IMEI)

    public void onClick(View r1) {
        ...
        // device identifier (IMEI) attached to the login request
        r7 = Host.getDeviceId(this$0.getApplicationContext());
        LogInActivity.access$1(this$0).setUniqueDeviceID(r7);
        this$0.loginTask = new LogInActivity$LoginTask(this$0, null);
        this$0.showProgressDialog(r2, 2131361798, this$0.loginTask);
        r57 = this$0.loginTask;
        r58 = new LoginTO[1];
        r58[0] = LogInActivity.access$1(this$0);
        r57.execute(r58);
        ...
    }

Is this necessarily bad?
Location
• Found 13 apps with geographic location data flows to the network
• Many were legitimate: weather, classifieds, points of interest, and social networking services
• Several instances sent to advertisers (same as TaintDroid). More on this shortly.
• Code recovery error in the AdMob library.
Ad/Analytics Libraries
• 51% of the apps included an ad or analytics library (many also included custom functionality)
• A few libraries were used most frequently
• Use of phone identifiers and location is sometimes configurable by the developer

[Histogram: number of ad/analytics libraries per app, x axis 1 to 8, y axis number of apps on a log scale (1 to 1000); one app includes 8 libraries.]

Library Path                        # Apps   Obtains
com/admob/android/ads                  320   L
com/google/ads                         206   -
com/flurry/android                      98   -
com/qwapi/adclient/android              74   L, P, E
com/google/android/apps/analytics       67   -
com/adwhirl                             60   L
com/mobclix/android/sdk                 58   L, E
com/mellennialmedia/android             52   -
com/zestadz/android                     10   -
com/admarvel/android/ads                 8   -
com/estsoft/adlocal                      8   L
com/adfonic/android                      5   -
com/vdroid/ads                           5   L, E
com/greystripe/android/sdk               4   E
com/medialets                            4   L
com/wooboo/adlib_android                 4   L, P, I
com/adserver/adview                      3   L
com/tapjoy                               3   -
com/inmobi/androidsdk                    2   E
com/apegroup/ad                          1   -
com/casee/adsdk                          1   S
com/webtrents/mobile                     1   L, E, S, I
Total Unique Apps                      561
L = Location; P = Ph#; E = IMEI; S = IMSI; I = ICC-ID
Developer Toolkits
• We found identically implemented dangerous functionality in the form of developer toolkits.
  • Probing for permissions (e.g., call the Android API, catch SecurityException)
• Well-known brands sometimes commission developers that include dangerous functionality.
  • “USA Today” and “FOX News” were both developed by Mercury Intermedia (com/mercuryintermedia), whose toolkit grabs the IMEI on startup
Study Limitations
• The sample set
• Code recovery failures
• Android IPC data flows
• Fortify SCA language
• Obfuscation
What this all means ...
• Characterization of the top 1,100 free apps (21+ MLOC) is similar to smaller, vertical studies (e.g., TaintDroid).
• Development of rules to identify vulnerabilities
• 27 findings (more in the Tech Report) providing insight into application developer behavior
  • Several APIs need more oversight
  • Phone identifiers are used in many different ways and are frequently sent to network servers.
  • Many developers are not sensitive to Intent API dangers
  • Ad/analytics libraries in 51% of apps, as many as 8 in one app
  • Fourth-party code is becoming a problem
Malware in Markets?
• Android allows users to select alternative markets for downloading apps.
  • Examples include Amazon (US), Ndoo (China), Anzhi (China), Softdroid (Russia)
• Is this good or bad?
• Malware has been detected in all of them…
Malware Detection (MAST)
• Rapid triage using permissions to detect “interesting” applications.
• Chakradeo et al., “MAST: Triage for Market-scale Mobile Malware Analysis,” in Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2013.

[Figure: MAST scatter plot of apps in a two-dimensional score space (x axis -2.5 to 2, y axis -4 to 2); benign and malicious apps occupy different regions.]
Piracy Detection (DroidMoss)
• App similarity analysis to detect repackaging/piracy.
• Zhou et al., “Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces,” in Proceedings of CODASPY, 2012.

[Figure 1: An Overview of DroidMOSS. For Android Market apps and third-party apps alike: feature extraction (the instruction sequence, plus the author ID from the developer certificate), fuzzy hashing into an app fingerprint, app signatures, then similarity scoring between the two sets to output repackaged apps.]
(Excerpt from the DroidMOSS paper, Section 2, as reproduced on the slide; it begins and ends mid-sentence.)

... feature directly. It turns out that it is not robust even for simple obfuscation that could just change some string operands (such as string names or hard-coded URLs). Because of that, we opt to make further abstraction by removing the operands and retaining only the opcode. The intuition is that it might be easy for repackagers to modify or rename the (non-critical) operands, but much harder to change the actual instructions. In the meantime, we also observe that apps intend to include various ad SDK libraries to fetch and display ads. After being disassembled, these shared ad libraries unnecessarily introduce noise to our feature extraction. Fortunately, there are a limited number of them and our current prototype builds a white-list to remove them from the extracted code.

For the author information, the META-INF subdirectory contains the full developer certificate, from which we can obtain the developer name, contact and organization information, as well as the public key fingerprints. For simplicity, we map each developer certificate into one unique 32-bit identifier (or authorID). This unique identifier is then integrated into the signature for comparison.

2.3 Fingerprint Generation

For each app, our second step generates a fingerprint from the extracted code. A common way of achieving that is through hashing. Although hashing the entire code sequence of an app can uniquely determine whether two apps are the same, they are not helpful to determine whether two files are similar. The reason is simply because one minor modification will dramatically change the hashing value. From another perspective, calculating the edit distance between two given sequences is a well-known technique to measure their similarity. Unfortunately, it cannot be directly applied either. Considering each instruction sequence (of an app) could have hundreds of thousands of instructions, it will be very expensive to calculate one single edit distance between two apps, not to mention the large number of apps each needs to be paired and compared with others.

In DroidMOSS, we adopt a specialized hashing technique called fuzzy hashing [21]. Instead of directly processing or comparing the entire (long) instruction sequences, it first condenses each sequence into one much shorter fingerprint. The similarity between two apps is then calculated based on the shorter fingerprints, not the original sequences. Therefore, a natural requirement for fuzzy hashing is that the reduction into shorter fingerprints should minimize the change, if any, to the similarity of two sequences.

To achieve that, we first divide the instruction sequence into smaller pieces. Each piece is considered as an independent unit to contribute to the final fingerprint. Therefore, if the repackaging process changes one piece, its impact on the final fingerprint is effectively localized and contained within this piece. For the rest pieces that are not changed, their contributions to the final fingerprint are still valid and persistent through the repackaging process, thus reflecting the similarity between the original app and the repackaged one. However, the challenge lies on the determination of the boundary of each piece. In DroidMOSS, we use a sliding window that starts from the very beginning of the instruction sequence and moves forward until its rolling hashing value equals a pre-selected reset point, which determines the boundary of the current piece. Specifically, if a reset point is reached, a new piece should be started. The concrete process is presented in Algorithm 1 and visually summarized in Figure 2.

Algorithm 1 Generate the app fingerprint
Input: Instruction sequence iseq of the app
Output: Fingerprint fp
Description: wsize - sliding window size, rp - reset point value, sw - content in sliding window, ph - the piece hash
 1: set_wsize(wsize)
 2: set_resetpoint(rp)
 3: init_sliding_window(sw)
 4: init_piece_hash(ph)
 5: for all byte d from iseq do
 6:     update_sliding_window(sw, d)
 7:     rh ← rolling_hash(sw)
 8:     update_piece_hash(ph, d)
 9:     if rh = rp then
10:         fp ← concatenate(fp, ph)
11:         init_piece_hash(ph)
12:     end if
13: end for
14: return fp

For further elaboration, suppose a repackaged app has added a new instruction to invoke an external function. For simplicity, we assume the new instruction is inserted in the first piece of the instruction sequence (i.e., piece 1 in Figure 2). Since our fuzzy hashing scheme uses a sliding window to calculate the rolling hash to determine the piece boundary, there are two possibilities about the placement of the new instruction in the first piece, either falling outside or inside the last sliding window. The former affects only
Malware Installations
• DNS-based analysis shows that an extremely small number of devices are actually infected.
• C. Lever et al., “The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers,” in Proceedings of the ISOC Network & Distributed System Security Symposium (NDSS), 2013.

[Figure: daily counts of devices contacting malicious domains, mobile (mobi) vs. non-mobile (nonmobi) lookups, for dates between 04-15 and 06-23; y axis 50 to 550.]
Crypto
• Java and Android were designed with cryptography as a first-class citizen
  • Generic ciphers for data at rest
  • TLS for a secure network channel
Crypto + Android
• 10,327 out of 11,748 applications that use cryptographic APIs (88% overall) make at least one mistake.

M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel, “An Empirical Study of Cryptographic Misuse in Android Applications,” in CCS 2013.
Android + TLS
• 1,074 of 13,500 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks.
• In a deeper dive into 100 selected apps, 41 were actually vulnerable.
• It turns out that many developers were intentionally disabling certificate validation because they didn’t understand the warnings, or they didn’t have certificates in their test environment.

S. Fahl et al., “Why Eve and Mallory Love Android: An Analysis of Android SSL (in)Security,” in CCS 2012.
S. Fahl et al., “Rethinking SSL Development in an Appified World,” in CCS 2013.
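Both studies above found their mistakes by static analysis over decompiled code. As an added example (Python, written for this transcript, not the tooling of either paper), here is a small pattern-based checker that applies the six rules of Egele et al. (no ECB, no constant IV for CBC, no constant keys, no constant PBE salts, at least 1,000 PBE iterations, no static SecureRandom seeds) and the two certificate-validation anti-patterns from Fahl et al. (an X509TrustManager whose checkServerTrusted is empty, and a disabled hostname verifier) to Java source. The Java fragment it scans is constructed. The rules are textual, so like any static check they say what can happen, not what does: a flagged line may be dead code, and a mistake built at runtime from non-literal values is missed.

```python
"""Pattern-based checker for the crypto and TLS misuse discussed above.
Added example for this transcript; the Java fragment is constructed."""
import re

# Egele et al. rules 1-4 and 6, plus the Fahl et al. TLS anti-patterns, as regexes.
RULES = [
    ('R1: ECB mode ("AES" alone defaults to AES/ECB/PKCS5Padding in Java)',
     re.compile(r'Cipher\.getInstance\(\s*"(?:AES|DESede|DES|Blowfish)(?:/ECB[^"]*)?"\s*\)')),
    ("R2: constant IV for CBC",
     re.compile(r'new IvParameterSpec\(\s*(?:"[^"]*"\.getBytes\(|new byte\[\]\s*\{)')),
    ("R3: constant encryption key",
     re.compile(r'new SecretKeySpec\(\s*(?:"[^"]*"\.getBytes\(|new byte\[\]\s*\{)')),
    ("R4: constant salt for PBE",
     re.compile(r'new PBEKeySpec\([^,]+,\s*(?:"[^"]*"\.getBytes\(|new byte\[\]\s*\{)')),
    ("R6: static seed for SecureRandom",
     re.compile(r'\.setSeed\(\s*-?\d|new SecureRandom\(\s*(?:"|new byte\[\]|-?\d)')),
    ("TLS: checkServerTrusted with an empty body accepts any certificate chain",
     re.compile(r'checkServerTrusted\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}')),
    ("TLS: hostname verification disabled",
     re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER|\bverify\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}')),
]
# R5 needs the value of the third PBEKeySpec argument: PBEKeySpec(password, salt, iterations[, keyLength])
PBE_CALL = re.compile(r'new PBEKeySpec\(([^;]*)\)')
MIN_PBE_ITERATIONS = 1000


def line_of(text: str, offset: int) -> int:
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1


def scan(java_source: str) -> list:
    """Return (line, rule) pairs for every match, sorted by line."""
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(java_source):
            findings.append((line_of(java_source, m.start()), rule))
    for m in PBE_CALL.finditer(java_source):
        args = [a.strip() for a in m.group(1).split(",")]
        if len(args) >= 3 and args[2].isdigit() and int(args[2]) < MIN_PBE_ITERATIONS:
            findings.append((line_of(java_source, m.start()),
                             f"R5: PBE iteration count {args[2]} < {MIN_PBE_ITERATIONS}"))
    return sorted(findings)


# Constructed Java fragment (not from any real app): every misuse class once, plus
# two correct lines at the end that must not be flagged.
SAMPLE_JAVA = """\
// constructed sample fragment, not from any real app
Cipher ecb = Cipher.getInstance("AES");
Cipher cbc = Cipher.getInstance("AES/CBC/PKCS5Padding");
cbc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec("0123456789abcdef".getBytes()));
SecretKeySpec key = new SecretKeySpec("s3cr3tk3y1234567".getBytes(), "AES");
PBEKeySpec spec = new PBEKeySpec(password, "salt".getBytes(), 100, 256);
SecureRandom rng = new SecureRandom();
rng.setSeed(12345L);
TrustManager tm = new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { }
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { throw new CertificateException(); }
    public X509Certificate[] getAcceptedIssuers() { return null; }
};
HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
byte[] iv = new byte[16]; new SecureRandom().nextBytes(iv);
cbc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
"""

if __name__ == "__main__":
    for line, rule in scan(SAMPLE_JAVA):
        print(f"line {line}: {rule}")
```

On the constructed fragment the checker reports lines 2 (ECB by default), 4 (literal IV), 5 (literal key), 6 (literal salt and only 100 iterations), 8 (seeded SecureRandom), 10 (empty checkServerTrusted) and 16 (ALLOW_ALL_HOSTNAME_VERIFIER), and stays quiet on the random IV at lines 17 and 18. The empty checkServerTrusted is exactly the "fix" developers reached for when their test servers had no valid certificate: it makes the warning go away and makes every MITM succeed.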
Branchless Banking a.k.a. Mobile Money

Brad Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, and Kevin Butler, “Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing World,” in USENIX Security 2015.
What About Artifacts?
• The research community has created nearly countless artifacts in this space.
• So, are they any good?
  • Can anyone else use them?
  • Can anyone else recreate the results?
  • How do they work against applications other than those the researchers picked?
Conclusions
• Today’s mobile devices are more powerful than your desktop computers from a decade ago.
  • Think of all the things you can do now that you couldn’t conceive of then.
• Operating systems are better, but lots of potential still exists for bad behavior.
• Such bad behavior has so far been seen almost exclusively through “good” applications, which use private data in unexpected ways.