Assignment 1: Java and Android Security Programming
FIT5003 Software Security S1 2020 Faculty of Information Technology, Monash University
Submission Guidelines
• Deadline: Assignment 1 Report submission is due on Monday 18th May 2020, 8:00 AM.
• Demonstration Deadline: The demonstration via Panopto platform or the interview must be shared/conducted before Wednesday 20th May 2020, 23:59 PM.
• Submission Files:
1. A report in PDF file format of maximum 6 pages as a reference. Appendices and References are
excluded from the page count.
2. Appropriate Android Studio Project compressed as a zip or rar file
3. …
Notes:
1. A handwritten document is not acceptable and will not be marked even if converted and submitted electronically.
• Individual Assignment: This is an individual assignment so each student should work on the assignment tasks alone.
• Submission Platform:
– Electronic submission via Moodle for the report.
– Electronic submission via Moodle for the assignment task code and apks
– Sharing of video interview files with your tutor via the Monash Panopto service
• Filename Format: Name your files for different assignment tasks as follows:
1. Submission via Moodle: report_SID.pdf
2. Sharing via Panopto: A1_interview_SID as title, in case of an interview.
3. Submission via Moodle of assignment task files: use A1_task_number_SID and the appropriate file extension for the relevant task
• Late Submission Policy: Submit a special consideration form to formally request a late submission. For this semester, special consideration requests should be sent directly to the faculty and not just the tutor team. However, do inform the teaching team of your request.
• Late Submission Penalty: A late submitted assignment without prior approval will receive a late penalty of 20% deduction per day (including Saturday and Sunday) or part thereof, after the due date and time.
• Plagiarism: It is an academic requirement that your submitted work be original. Zero marks will be awarded for the whole submission if there is any evidence of copying, collaboration, pasting from websites, or copying from textbooks.
Note: Plagiarism policy applies to all assessments.
• Grading Procedure:
– To receive a grade for the assignment you must demonstrate and explain your work by creating a video recording of maximum 20 minutes using Panopto platform and share it with your tutor.
– You must only demonstrate what you have submitted via report. The different deadline for recording is to allow you to find a suitable time to record your demonstration.
– If you have any privacy concern regarding the Panopto platform then you need to raise it with your tutor by Monday 11th May 2020. Requests for interviews after this date will not be accepted.
– You can use the report and any other notes you have prepared beforehand to help you explain and demonstrate your work.
• IT Use Policy: Your submission must comply with Monash University’s IT Use Policy.
Marks
• This assignment is worth 30% of the total unit marks.
• The assignment is marked out of 30 nominal marks.
Task 1: Android Java-Based application (20 Marks)
In the Android Studio project that is provided, there is a sketched Android Application that uses the default or a custom-made Keystore in order to digitally sign a text message that is provided by the user. The user can choose the Java keystore that he wants to use as long as it is already stored in some common Android folder. The Android Application consists of two Activities, a public one (called PrivateUserActivity) and a private one called PrivateActivity. When the application starts, the public activity (PrivateUserActivity) is loaded. The PrivateUserActivity lets the user write the path of the custom keystore that is going to be used. There is also a text field where the user can write the password that is needed in order to correctly open the keystore. There are also three buttons that have the functionality shown in Figure 1.
1. Task 1.1 (15 Marks) Implement the functionality of the Private Activity PrivateActivity so that:
• it collects and processes the information coming from PrivateUserActivity
• it extracts from the keystore the information regarding the keys and certificates and shows in the textview the key aliases, the certificate type and the cipher that is being used.
• when the user has placed one of the key aliases in the textbox shown in Figure 1 and has added a text in the other textbox (also shown in Figure 1), pressing the “Return Result” button digitally signs the provided user text using the keys in the chosen alias.
• the provided digital signature is returned to PrivateActivity and is printed on the application screen using the Toast class (see relevant code inside the provided Android project)
2. Task 1.2 (5 Marks): Based on the existing design approach and functionality that appears in the provided Android Application, as well as the code that you have developed to solve Task 1.1, explain possible design issues that can compromise the security of this Android Application.
Info: Some Notes-Hints:
• There is a class in PrivateUserActivity.java that is used for storing the keystore information. When this information is provided by the user, an object of this class is created, serialized and sent using the Android intent mechanism to PrivateActivity.java
• Messages between the two Activities are passed using the Android external intent mechanism
• Keep in mind that each application needs to have certain permissions to perform actions related to the Android system
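The keystore operations that Task 1.1 describes (enumerating aliases, reading the certificate type and algorithm, signing a text with the key under a chosen alias) are shown below as an added example on a plain JVM; it is not code from the provided Android project. The class name `KeystoreSignDemo`, the command-line arguments and the choice of SHA-256 as the digest are assumptions, as is the key entry sharing the keystore's password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;

public class KeystoreSignDemo {
    // One line per alias: alias, certificate type, certificate signature algorithm.
    static String describe(KeyStore ks) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            sb.append(alias).append(cert == null ? "" : " type=" + cert.getType());
            if (cert instanceof X509Certificate)
                sb.append(" sigAlg=").append(((X509Certificate) cert).getSigAlgName());
            sb.append('\n');
        }
        return sb.toString();
    }

    // Signs text with the private key under alias (assumes key password == store password).
    static byte[] sign(KeyStore ks, String alias, char[] pw, String text) throws Exception {
        Key key = ks.isKeyEntry(alias) ? ks.getKey(alias, pw) : null;
        if (!(key instanceof PrivateKey))
            throw new IllegalArgumentException("no private key under alias: " + alias);
        // Covers RSA, DSA and EC keys: SHA256withRSA, SHA256withDSA, SHA256withECDSA.
        String alg = "SHA256with" + ("EC".equals(key.getAlgorithm()) ? "ECDSA" : key.getAlgorithm());
        Signature s = Signature.getInstance(alg);
        s.initSign((PrivateKey) key);
        s.update(text.getBytes(StandardCharsets.UTF_8));
        return s.sign();
    }

    // Usage (all arguments are the caller's own): <keystore path> <password> <alias> <text>
    public static void main(String[] args) throws Exception {
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);   // throws IOException if the password or file integrity is wrong
        }
        System.out.print(describe(ks));
        System.out.println(Base64.getEncoder().encodeToString(sign(ks, args[2], pw, args[3])));
    }
}
```

On Android, `KeyStore.getDefaultType()` resolves to a different store type than on a desktop JVM, so the keystore file has to be in a format the platform's provider can load.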
Task 2. Android Repacking for Information Disclosure (10 marks)
Figure 1: Android Application Expected Functionality
Steps for this task:
1. Choose an Android app to attack. There exist several apk repositories over the internet where you can download apks (e.g. https://www.androiddrawer.com/). You can also use https://apkpure.com/
2. Select the location where the code will be changed. This can be a single place or multiple places. The complexity of considered places will be taken into account when marking.
Info: After repackaging, if the app can no longer be installed, you need to choose another app for repackaging. Reporting this and explaining why it cannot be installed can be a plus for this assignment.
3. Do the actual change (attack). Various tools can be used for this action. For simplicity, ApkTool can be used to modify the code at the Smali code level. For flexibility, Soot can be leveraged to instrument the code in Android APK files. No matter which tool is selected, the final attack should be done automatically.
Info:
Information about Soot can be found on the official website: https://github.com/Sable/soot
And information about apktool can be found in:
https://ibotpeaches.github.io/Apktool/
You can find a small tutorial on Soot in: https://www.abartel.net/dexpler/
Also, you can find several Android Application reverse engineering tools in the latest Kali Linux versions