17.09.2013 | Secure Software Engineering Group | Steven Arzt and Siegfried Rasthofer | 1
Smartphone Security for Android Applications
Steven Arzt
Siegfried Rasthofer
(Eric Bodden)
About Us
Steven Arzt
Siegfried Rasthofer
Eric Bodden
• PhD students at the Secure Software Engineering Group (Eric Bodden)
• Master in IT-Security
• Research interests:
  • Applied software security on mobile devices (Android security)
  • Static/dynamic code analysis
About the Course
• Lab course
• 6 credit points
• Teams of 1-3 students
• Team and topic registration due on Friday, October 25th
• Contact us via e-mail: [email protected],
Proposed Topics
1. Android App Obfuscator
2. Android App Deobfuscator
3. Jimple Integration into Eclipse
4. Flow-Insensitive Data Flow Analysis
5. Runtime Code Patches on Android
6. Monitoring Android Apps for Runtime Code Changes
7. DroidBase: Detailed Android App Search Engine
Own topic proposals are welcome!
T1: Android App Obfuscator (1)
• Make reverse engineering / code understanding harder
• Raise the bar for static and dynamic analysis tools
• Hide behavior in applications, but retain functionality
• Automatic code generation and transformation
  • User selects transformations to apply, rest is fully automatic
  • Plugin infrastructure for new transformations
T1: Android App Obfuscator (2)
Original code:

    SmsManager manager = new SmsManager();
    manager.sendTextMessage("0900013131313", "", "Hello World", null, null);

After obfuscation (same behaviour, but the class name is decoded at runtime and the call goes through reflection):

    String rawName = "tntnbobhfs";
    String className = "";
    for (char c : rawName.toCharArray()) {
        if (className.length() == 0 || className.length() == 3)
            c = Character.toUpperCase(c);
        className += Character.toString((char) (c - 1));   // shift each letter back by one -> "SmsManager"
    }
    Class c = Class.forName("android.telephony." + className);
    Method m = c.getMethod("sendTextMessage", String.class, String.class, String.class,
                           PendingIntent.class, PendingIntent.class);
    Object mgr = c.newInstance();
    m.invoke(mgr, "0900013131313", "", "Hello World", null, null);

Transformations annotated on the slide:
• Maybe encrypt
• Obfuscate constants
• Add unused computation
• Change class name
• Change method name
T1: Android App Obfuscator (3)
    TelephonyManager telephonyManager = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
    String imei = obfuscate(telephonyManager.getDeviceId());
    Log.i("INFO", imei);

    // Maps each IMEI digit to a letter ('0' -> 'a', ..., '9' -> 'j') so the logged value is not recognisable as an IMEI
    private String obfuscate(String imei) {
        String result = "";
        for (char c : imei.toCharArray()) {
            switch (c) {
                case '0': result += 'a'; break;
                case '1': result += 'b'; break;
                case '2': result += 'c'; break;
                case '3': result += 'd'; break;
                case '4': result += 'e'; break;
                case '5': result += 'f'; break;
                case '6': result += 'g'; break;
                case '7': result += 'h'; break;
                case '8': result += 'i'; break;
                case '9': result += 'j'; break;
                default: System.err.println("Problem in obfuscate for character: " + c);
            }
        }
        return result;
    }
T1: Android App Obfuscator (4)
• Many more ideas
  • Control flow obfuscation using GOTOs
  • Exploit virtual dispatch / override semantics, reflection/invokedynamic?
  • Distribute data across instance / static fields, parameters, …
  • Generate / decrypt and execute code at runtime
  • Generate constants using runtime information
  • Dynamic analysis tool and debugger detection
  • …
• Be creative with own ideas!
• Related work will be provided!
T2: Android App Deobfuscator
• Detect and remove obfuscations where possible
• Remap simple reflective calls to targets
• Simulate app execution and generate new code
T3: Jimple Integration into Eclipse (1)
T3: Jimple Integration into Eclipse (2)
What is Jimple?
• Java but Simple
• Used as intermediate representation for Java/Android source and bytecode
• Three-operand language
• No invocation stacks
• Only few opcodes

    public void <init>() {
        de.ecspride.RV2013 $r0;
        android.telephony.SmsManager $r1;
        $r0 := @this: de.ecspride.RV2013;
        specialinvoke $r0.<android.app.Activity: void <init>()>();
        $r1 = staticinvoke <android.telephony.SmsManager: android.telephony.SmsManager getDefault()>();
        $r0.<de.ecspride.RV2013: android.telephony.SmsManager smsManager> = $r1;
        return;
    }
T3: Jimple Integration into Eclipse (3)
• Build on existing Soot plugin
• Code highlighting and syntax checking
• “Open declaration”
• Type hierarchy
• “Search for references”
• Refactorings, especially variable and method renaming
• Integration into Eclipse’s project model
• Decompile APK to Jimple
• Compile Jimple to APK
T4: Flow-Insensitive Data Flow Analysis (1)
Follow the flow of data through the program:

    TelephonyManager mgr = (TelephonyManager) this.getSystemService(TELEPHONY_SERVICE);
    SmsManager sms = SmsManager.getDefault();
    String imei = mgr.getDeviceId();
    sms.sendTextMessage("+49 1234", null, imei, null, null);
    imei = "";

Flow sensitivity is precise, but may be costly
• Use flow-insensitive pre-analysis
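As an added example that is not part of the slides or of FlowDroid, the following Python prototype shows what such a pre-analysis does on a three-address IR modelled on Jimple: an order-insensitive taint fixpoint that never kills taint, next to a simple order-aware pass, both run on the snippet above. The source and sink names (getDeviceId, sendTextMessage) and the tuple encoding of statements are assumptions of the example.

```python
# Added example (not Soot/FlowDroid code): a flow-insensitive taint pre-filter
# over a tiny three-address IR shaped like the slides' Jimple. Statement forms:
#   ("assign", dst, src)         src is a variable, a "quoted" constant, or null
#   ("call", method, dst, args)  dst is None when the call's result is unused
SOURCES = {"getDeviceId"}      # returns sensitive data (the IMEI)
SINKS = {"sendTextMessage"}    # leaks any tainted argument

def dst(s):
    return s[1] if s[0] == "assign" else s[2]

def gen(s, tainted):
    """Does statement s write source data, directly or via a tainted variable?"""
    if s[0] == "assign":
        src = s[2]
        return not src.startswith('"') and src != "null" and src in tainted
    return s[1] in SOURCES

def hits_sink(s, tainted):
    return s[0] == "call" and s[1] in SINKS and any(a in tainted for a in s[3])

def flow_insensitive_taint(stmts):
    """Variables that may ever hold source data, ignoring order; nothing kills taint, so it over-approximates."""
    tainted, changed = set(), True
    while changed:                       # iterate to a fixpoint
        changed = False
        for s in stmts:
            if dst(s) is not None and dst(s) not in tainted and gen(s, tainted):
                tainted.add(dst(s))
                changed = True
    return tainted

def leak_possible(stmts):
    """Pre-filter: False means goodware for these sources/sinks, skip the precise run."""
    tainted = flow_insensitive_taint(stmts)
    return any(hits_sink(s, tainted) for s in stmts)

def leak_flow_sensitive(stmts):
    """Order-aware pass for straight-line code: assigning untainted data kills taint."""
    tainted, leak = set(), False
    for s in stmts:
        leak |= hits_sink(s, tainted)    # check args before s overwrites its dst
        if dst(s) is not None:
            (tainted.add if gen(s, tainted) else tainted.discard)(dst(s))
    return leak

# The T4 slide's statements in the IR (constructed sample input).
SLIDE = [("call", "getDeviceId", "imei", []),
         ("call", "sendTextMessage", None, ['"+49 1234"', "null", "imei", "null", "null"]),
         ("assign", "imei", '""')]
# Sink before source: only the order-aware pass sees that an empty string is sent.
REORDERED = [SLIDE[2], SLIDE[1], SLIDE[0]]
```

On the slide's snippet both analyses report the leak; on the reordered version the cheap pre-filter still says "possible leak" while the order-aware pass clears it, which is why the pre-filter can only rule apps out (goodware), never confirm a leak.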
T4: Flow-Insensitive Data Flow Analysis (2)
• FlowDroid: Highly precise taint analysis
  • Mostly fast
  • Still quite (time & memory) expensive in some cases
• Efficient detection of “goodware”
  • No precise analysis necessary

Highly Precise Taint Analysis for Android Applications
Christian Fritz, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves le Traon, Damien Octeau and Patrick McDaniel
T5: Runtime Code Patches on Android (1)
T5: Runtime Code Patches on Android (2)
1. Custom loader spawns a new Dalvik VM for the app
2. Loader modifies Dalvik data structures to change the app
   • Rewrite app in memory
   • Completely replace app in memory
T6: Monitoring Apps for Runtime Code Changes
• Protect Dalvik data structures against manipulation
• Ideas:
  • Use a monitoring loader that gets loaded first
  • Periodically poll and compare against a checksum
  • Place native code inside the app into a sandbox
  • Intercept memory accesses to protected locations
T7: DroidBase: Detailed Android App Search Engine (1)
T7: DroidBase: Detailed Android App Search Engine (2)
T7: DroidBase: Detailed Android App Search Engine (3)
Why?
- Easily search for a specific type of Android app
- Base for nice statistics
  - How many apps have aggressive ads?
  - What kind of apps do specific developers develop?
  - How many apps include native code / reflection / JavaScript?
  - ...
- Interesting for researchers – download mechanism
- Easy detection of apps with known vulnerabilities
Lab Grading
• Well-documented code: 60%
• Final presentation: 20%