App Markets - Universität des Saarlandes · - Method restructuring (e.g., move methods to other classes, split methods into smaller ones or combine methods, etc.) - Control flow

1

App Markets

Android Security - SS 2016

SECURITY IMPACT OF MARKETS

§ Marketsstreamlinetheprocessoffindingandinstallingapplications

- Formaeasy-to-usecentralsoftwaredistributionchannelevenformostcasualusers

§ Assuch,marketscanbe

- Averypowerfulfirstlineofdefenseagainstmaliciousorvulnerableapplications

- …averypowerfulattackeragainsttheend-user

2Android Security - SS 2016

MARKETS AS FIRST LINE OF DEFENSE

§ Marketoperatorshaveinterestina”healthyecosystem”

- Noharmfulapplicationsfortheuserarebeingdistributedviathemarket(spyware,fraudapps,ransomware,backdoors,spam,…)

• Infact,mostuserswouldexpectthisfromthemarket

• But:Commonnotionofsecurityandprivacyhard,verysubjective(functionalitydesiredbyoneuser,considerharmfulbyother)


MALWARE DISTRIBUTION [9]

32

6058

21

40

GooglePlay*

eoeMarket

alcatelclub

gfan

mmoovv

*Hasremotekillcapability

[Zhouetal.,NDSS2012]

Android Security - SS 2016 4

MALWARE DISTRIBUTION [6]


MALWARE PREVALENCE [68,6]

§ Scanned1.2millionappsfrom33markets(mostinChina)

§ 127,429malwarediscovered,atleast20likelyzero-dayapps

- 34,026ofthoseweremissedbyexistingscannersonVirusTotal(syndicates≈50differentAVproducts)

- 30,552fromPlay

§ MalwareGenomeProject:


MALWARE PREVALENCE [69]

§ Google’sself-reporting:

- <1%ofdeviceswithharmfulappfor2015

- ≈0.5%ofalldevicesonaveragehadharmfulappinstalled

7

GhostPushcampaign



§ Marketoperatorshaveinterestina”healthyecosystem”

- Noharmfulapplicationsfortheuserarebeingdistributedviathemarket(spyware,fraudapps,ransomware,backdoors,spam,…)

• Infact,mostuserswouldexpectthisfromthemarket

• But:Commonnotionofsecurityandprivacyhard,verysubjective(functionalitydesiredbyoneuser,considerharmfulbyother)

- Appdeveloperswanttheirintellectualpropertyandrevenuebeingprotected(apppiracy,siphoningadrevenues,...)

• Appdeveloperswilldemandthisfromthemarket


REPACKAGING [9,10]

§ APKissimplyanarchivefileformat

- Unzip,modifycontent,re-zip

- Easytomakeanapplicationmalicious(trojan,virus,changeadIDs)

§ But:APKsaresigned.Whyisrepackagingpossible?

- Technicallyeasytoremove(“strip”)theoriginalsignatureandre-signthere-packagedAPKwithanewcertificate

- Certificateareself-signed(easy);andeverybodycanbeadeveloperontheAndroidmarketandbeabletosignappsforpublication(stilleasy)

§ Doesnotallowmaliciousupdates,butbreakstrust-on-first-install

§ Repackagingoneofthemajorattackvectorsonalternativemarkets

- Distributemalware

- Siphonadrevenuefromlegitimate/originaldevelopers


IMPACT OF ANDROID APPLICATION PLAGIARISM [11]

§ InvestigationHTTPadvertisingtrafficgeneratedbymobileapplicationsatatier-1UScellularcarrierfor12daysin2012- Analysisof265,359freeapplicationsfrom17Androidmarketsaroundthe

world• Detect“clones”ofapps:5,431cloneclustersconsistingof44,268unique

applications

• Beabletoidentifyoriginalapps’andtheirclones’trafficinthecapturedtraces(admob ids,strings,etc)

10

Lost revenue calculated to be between 10–50%!



§ Market’spossibilitiesonimprovingandmaintainingthehygieneoftheappecosystem

- Imposeandenforcepolicies,e.g.,dataaccessanddistribution,userconsentandtransparency(appvetting)

- Warnusersabout(potentially)harmfulapplicationsontheirdevicesandletusersdecidetokeepthoseappsornot

• forthreatsthatareundisputedlymalwaretakeautomaticmeasuresandinformusersafterfact

- Warndevelopersaboutvulnerable(external)codeandbadsecuritypracticesintheirsubmittedapps

• blockapppublicationunlessfixed


GOOGLE’S SELF-DEFINED ROLE [69]

§ Forinstance,Google’sperspectiveonitsroleintheecosystem:



§ Attheheartofthosemeasures:

- Monitoringthecurrentstateoftheecosystematlarge,e.g.,marketservicesrunningontheend-userdevicesasdatacollectionpoints


GOOGLE’S DATA COLLECTION [69]

“Throughaggregated,anonymizedsecuritydatasentfromuserdevices,wegatherinformationandmonitorthegeneralstateoftheAndroidecosystem.TheseservicesscanforPotentiallyHarmfulApplicationsatinstalltime,performregularscansofinstalledapplications,andprovideuserprotection.TheservicesalsoautomaticallysendanonymizeddatabacktoGoogle,whichweusetomonitortheoverallcleanlinessoftheAndroidecosystem.”

“Attheendof2015,Googleprovidedover400milliondevicesecurityscanseachday,contributingbillionsofpiecesofnewdatatoouranalysisengineeveryday.”



§ Attheheartofthosemeasures:

- Monitoringthecurrentstateoftheecosystematlarge,e.g.,marketservicesrunningontheend-userdevicesasdatacollectionpoints

- Analyzingsubmittedanddiscoveredapps• Staticanalysis:Extractapplicationfeaturesandcomparedtoexpectedgood/badbehavior,cananalyzeappsatlarge-scale

• Dynamicanalysis:Complementsstaticanalysis,discoverruntimebehavior(e.g.,networkconnections)andcanusestaticanalysisresultsasinput

• Heuristics,signatures,andsimilarityanalysis:Compareappsignature(e.g.,hashofcode)tolistofknownappsforidentification,compareapp’ssimilaritytootherknowngood/badbehavior(e.g.,usingmachinelearning)

• Externalinformation:E.g.,inputbypartnersandindependentresearchers,backgroundinformationontheappdeveloper


STATIC ANALYSIS:DROIDMOSS [12]

§ Pair-wisesimilaritymeasurementbetweenappsusingfuzzyhashingbasedonapps’features

- Studyresult:Clonedappsmainlyusedtosiphonadrevenue;fewcaseswithbackdoors/malware


STATIC ANALYSIS:DNADROID [13]

§ Pair-wiseProgramDependenceGraphcomparisonforclonedetection

§ Shouldberobustagainst- Highlevelmodifications(e.g.,packagenamechanges,methodname

changes,etc.)- Methodrestructuring(e.g.,movemethodstootherclasses,splitmethods

intosmalleronesorcombinemethods,etc.)- Controlflowalternatives(e.g.,swappingif-else branches,changefor into

while loops,etc.)- Add/deletingthatisirrelevantforcomputedresults- Reorderingofcodesegments


STATIC ANALYSIS:PIGGYAPP [10]

§ Efficientlydetectrepackagedand“piggybacked”apps


Detectprimaryandsecondary codemoduleswithintheProgramDependenceGraphObservations:• Piggybackedcodenotpartofprimarycode• Cloneshaveshared/similarprimarycode

Primarycode(accordingtoManifest)

STATIC ANALYSIS:MASSVETT [68]

§ Difference/Commonprogramcode/viewcomponentscomparisonbetweensubjectandallother appstodetectrepackagedapps

- Efficientalgorithm(≈10sperapp),scanned1.2millionapps

• Mapsfeaturesofapp’sControlFlowGraphintoavalue(geometriccenter)whichcanbecomparedbetweenappsforsimilarity


Establishrelationbetweenappsbased onViews:detectappswithsimilarviewstructures(priorresults:mostrepackagedappskeepviewstructure)

DiffCom analysistodetectmaliciouscode

STATIC ANALYSIS:DROIDRANGER [9]


§ Detectingmalicious(unknown)apps

Basedonsetof requestedpermissions(earlierworkrevealedthatpermission-setsofmalware

significantlydifferfrombenignapps)

Basedonsuspiciousbehavior(e.g.,fetchandexecutecode)

STATIC ANALYSIS:DREBIN[70]

§ On-device analysisofapps:gathervariousfeaturesfromapp’scodeandmanifest,embedtheminajointvectorspace,suchthattypicalpatternsindicativeofmalwarecanbeidentifiedusingmachinelearningtechniques


Features:Hardwarecomponents,requestedpermissions,appcomponents,intent-filters,APIcalls,usedpermissions,networkaddresses

SupportVectorMachines,producesefficientandexplainabledecisionmode;efficientherebecauseofthesparsevectorspace(545kdifferentfeatures)

STATIC ANALYSIS:RISKRANKER [71]

§ Detectingmalwarewithoutrelyingonsamples/signaturesofmalware

- Detected322zero-daymalwaresamplesfrom11familiesintestset


§ Riskanalysis:Categorizeappsintorisklevels

§ First-orderanalysis(scalability):Exposehighormediumriskapps- Detectattackcodeusing

exploitsignatures- ProtectedAPIslikepremium

SMScalledwithoutuserinteraction

§ Second-orderanalysis:Analyzeforsuspiciousbehavior(e.g.includedchildAPKs,decryptionroutinesforpayload)

STATIC ANALYSIS:MAST[72]

§ MobileApplicationSecurityTriage:Directcostlyanalysistotheappswiththehighestpotentialtoexhibitmaliciousbehavior

- MultipleCorrespondenceAnalysis(=correlationbetweenmultiplecategoricaldata)onattributesextractedfromappstorankapps→Find95%ofmalwareatcostofanalyzing13%ofnon-maliciousapps

- Attributes:114permissions,92intent-filters,existenceofnativecode,presenceofzipfiles;trainedwith15kapps700malwaresamples


Outlierindicatespotentialharmfulappforfurtheranalysis

STATIC ANALYSIS:CHABADA[73]

§ Clusterappsbytheircategoryanddetectanomaliesw.r.t.toAPIusagetoflagpotentialmalware

- Flagged56%ofnovelmalwarew/oneedfortrainingmalwaresignatures/patterns


TopicmodelingwithLatentDirichlet Allocation(LDA)todeterminetopicfromappdescription

One-classSVMbasedanomalyclassification,createsrankedlistofapplicationsforeachcluster

Outlierscanbepotentialmalware,spyware,etc.orsimplyuncommonlybehavingapps

STATIC ANALYSIS:WHYPER [74]&AUTOCOG [75]

§ ExaminewhetherappdescriptionjustifiestheneedfortherequestedpermissionsusingNLPtechniques(“description-to-permissionfidelity”)

- Focusonprivacyinfringementsinrelativelybenignapplicationsandon“userunderstandablepermissions”


Mobileappsarepredominantlythinclients,andactionsandresourcesprovidedbytheapplicationframeworkAPIdocumentscancovermostofthe

functionalityperformedbythesethinclients

STATIC ANALYSIS:DESCRIBEME [76]

§ Automaticallygeneratesecurity-centricappdescriptionsfromprogramanalysisusingNaturalLanguageGeneration(NLG)


Revealtriggeringconditionsofcriticaloperations,entrypointdiscoverytogivecontext(GUIelements),

dataflowanalysistoexploreAPIdependencies

Description:OnceaGUIcomponentisclicked,theappretrievesyourphonenumber,andencodesthedataintoformat“100/app_id=an1005/ani=%s/dest=%s/phone_number=%s/company=%s/”,andsendsdatatonetwork,dependingoniftheuserselectstheButton“Confirm”.

COLLABORATIVE VERIFICATION OF INFORMATION FLOWS [77]

§ Marketoperatorandappdevelopers(here”vendor”)collaborate

- Vendorannotatessourcecodewithinfoflowtypequalifiers

- Marketanalyzes/verifiesannotatedappsourcecode,compilesit,anddistributesit

• Auditofinformationflowdonemorequicklyandwithhigherconfidence


High-leveldescriptionofintendedinfoflowsfrom

userperspective(“location→network”)

ANDROID-SPECIFIC CHALLENGES OF STATIC ANALYSIS (1)

§ Androidapps’lifecycle:Severalentrypointstoapps(components),callbacksfromtheapplicationframework,async.executingcomponents

- Problem:Traditionalexecutablesonlyonesingleentrypoint

- CHEX[78]:Detecting“componenthijacking”attacks(permissionleakage,unauthorizeddataaccess,intentspoofing)usingreachabilityanalysisonPDG;noveltechniquetodiscovercomponententrypointsand“appsplitting”tomodeltheasynchronousexecutionsofmultipleentrypoints(split=subsetoftheappcodethatisreach- ablefromaparticularentrypointmethod)

- FlowDroid [79]:statictaintanalysisforAndroidapplicationswithprecisemodelofAndroid’slifecycle(andContext,Flow,Field,Object-sensitive)



§ Appcomponentscancommunicatewitheachother(ICC;Inter-ComponentCommunication)suchasIntents,callingServicesorContentProviders

- Problem:Analysissofaronlywithinsinglecomponents,butnotflowtrackingacrosscomponents

- Epicc [80]:ResolvesICCcallparameters,butdoesnotlinkcomponents

- Amandroid [81]:Points-toinformationforallobjectsinanappinaflowandcontext-sensitivewayacrosscomponentsthatcanbeleveragedinsecurityanalysis,linkssourceandtargetcomponent

- IccTA [82]:Inter-componentcommunicationTaintAnalysistoolfordetectionofICClinksandleaks,considersallcomponenttypes,genericenoughforanydata-flowanalysis



§ Dataandcontrolflowscanoccursthroughtheapplicationframeworkservices/appsbetweenappcomponents(implicitflowtransitionfacilitatedbytheframework)

- Problem:Blindspotinthecurrentdataandcontrolflowanalysis

- Edgeminer [83]:automaticallygenerateAPIsummariesthatdescribeimplicitcontrolflowtransitionsthroughtheAndroidframework;canbeusedinsecurityanalysistodetectsuchimplicitflowsthroughtheframework

• ImprovedFlowDroid’s detectionratesignificantly


GENERAL CHALLENGES OF STATIC ANALYSIS

§ Staticanalysiscanbeverylarge-scaling,but…

- Overapproximation

• Analysisoftenassumesthatmorebehaviorsarepossiblethanactuallywouldbe

• Analysisisundecidableinallgeneralityduetohaltingproblem

- Challengedbyencrypted,interpreted,ordynamicallyloadedcode

§ Thus:Complementedoftenwithsmall-scalingdynamictesting


DYNAMIC ANALYSIS:TAINTDROID [84]

§ Taint-trackingsystemfortheAndroidmiddlewareandkernel

- VariabletrackingthroughouttheDalvik VM

- Extendstrackingbetweenapplications(BinderIPC)andstorage(extendedattributes)

32

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Dynamic Taint Analysis

• Dynamic taint analysis is a technique that tracks information dependencies from an origin

• Conceptual idea:

‣ Taint source

‣ Taint propagation

‣ Taint sink

• Limitations: performance and granularity is a trade-off5

c = taint_source()...a = b + c...network_send(a)

Systems and Internet Infrastructure Security Laboratory (SIIS) Page

TaintDroid• TaintDroid is a system-wide integration of taint

tracking into the Android platform

‣ Variable tracking throughout Dalvik VM environment‣ Patches state after native method invocation‣ Extends tracking between applications and to storage

• TaintDroid is a firmware modification, not an app6

Network Interface

Native System Libraries

Virtual Machine

Virtual Machine

Application Code Application CodeMsg

Secondary Storage

Message-level tracking

Variable-leveltracking

Method-leveltracking

File-leveltracking


DYNAMIC ANALYSIS:TAINTDROID [84]

§ Taintsourcesandsinkscarefullyintegratedintotheexistingarchitecturalframework

§ Sources

- Low-bandwidthsensors:location,accelerometer

- High-bandwidthsensors:microphone,camera

- Informationdatabases:addressbook,SMSstorage

- Deviceidentifiers:IMEI,IMSI,phonenumber

§ Sinks

- Networksockets

§ Limitations:onlyexplicitdataflows,nativecode


DYNAMIC ANALYSIS:VETDROID [85]

§ Reconstructsensitivebehaviorofappsfromapermissionuseperspective

§ ExtendsTaintDroid:

- TaintsreturneddatafromAPIcallsthatrequiredapermissionwiththatspecificpermission

• Benefit:Automaticallytrackanyprotecteddatainsteadofonlypre-definedonesasinTaintDroid

- Tracksusageofthisdataacrossapplicationtoprofiletheapp’spermissionusagebehavior

• E.g.,doesappleaktainteddatatonetworkorfile,doesappinterruptorderedbroadcasts(forinstanceSMSreceived),etc.

- Usesprofilestobetterunderstandtheworkingsofmalwareandtovetappsforundesiredbehavior


DYNAMIC ANALYSIS:DROIDSCOPE [86]

§ Virtualization-basedmalwareanalysisplatform

- InstrumentedAndroidemulator

- ReconstructbothOS-levelandJava-levelsemantics

• VMintrospection


PROBLEM OF DYNAMIC ANALYSIS:CODE COVERAGE

§ Codecoverageproblemwithautomatedtestingofapp:

- Asforstaticanalysis:Multipleentrypointsinapplicationlife-cycle:Receivers(aseventtriggersandcallbacksviaIntents),Services,ContentProviders,Listeners…

• Traditionalexecutableshaveasingleentrypoint

- Appsusuallystronglyuser-drivenandinteractionnecessaryforhighcodecoverage:InputtoActivities(buttons,credentials,permissiongranting,useraccounts,contactsentries,…)


§ TaintDroid:NoautomatedtestingofappsVetDroid:Rudimentary“applicationdriver”usingMonkeytool&eventinjection;leavesthischallengeopen

DYNAMIC ANALYSIS:SMARTDROID [87]

§ Hybridapproach(staticanddynamicanalysis)torevealUI-basedtriggerconditionsinAndroidapps- Staticanalysis:

ExtractexpectedActivityswitchpathsbyanalyzingActivityandFunctionCallGraphs

- Dynamicanalysis:TraverseeachUIelementautomaticallyandexploretheUIinteractionpathsthatleadtowardssensitiveAPIcalls

§ Limitations:- NodatadependencyinACG

- Nologic-basedtriggers• “Pressbutton5timestotrigger”

- Obfuscationandreflection


Modifiedemulator

DYNAMIC ANALYSIS:APPSPLAYGROUND [88]

§ AppsPlayground:AutomateanalysisofAndroidapps


Triger codeineventreceivers(locationchange,etc.)

ExploretheGUIviafuzztesting,intelligentexecution torecognizeheuristicallywhichdatahastobeputintoGUIandguideexploration

Averagecodecoverage:33%fortestapps

DYNAMIC ANALYSIS:COPPERDROID [89]

§ AutomaticVMI-basedanalysissystemtoreconstructthebehaviorofAndroidapps(malware)

- Monitorslow-levelinteractionsbetweenappandsystem(dex andnativecode,independentlyofobfuscation/reflection)

• Canreconstructcomplexintra- andinter-processcommunicationwhosesemanticsareusuallycontextualizedthroughcomplexobjects

• Recreateresources(e.g.,files,networkcommunication,etc.)byinferringdatadependenciesbetweensystemcalls(forwardslicinganddef-usechainsbetweencalls)

- Appsimulationtechniquetotriggerhighcoverageofcode

• Leveragestaticanalysisofanappasinputfortargetedsimulationstrategyusingsimpleinputs(sendingtargetedIntents,eventslikephonecallorlocationupdate,keyboardinput,…)


DYNAMIC ANALYSIS:DROIDMATE [90]/BOXMATE [91]

§ AutomaticGUIexecutiongeneratorforapps:automaticallyinteractwithGUIelementsofanapptotriggerasmuchlogicaspossible

- Appisinstrumentedwithmonitoringcode

- Startingfromthemainactivityexploresappinafeedbackloop

- ExplorationstrategybasedondisplayedGUIelementsandmonitoredeventsafterlastaction

- Actioncanbeclick,long-click,presshome,pressback,reset,terminate

- Explorationuntilterminationcriterionismet


DYNAMIC ANALYSIS:BRAHMASTRA [92]

§ Testing3rd partycomponentsofapps

- StaticcallgraphanalysistoconstructchainofActivitiesandinteractionstoreach3rd partycomponents

- Rewritingtheappto“jumpstart”3rd partycomponents

• Appautomaticallymakesseriesofcallstoopenthe3rd partycomponentasfastaspossible(e.g.,pruneprefixActivities)

- Runtimeanalyzertocollectinformationaboutthe3rd partycomponents

§ Analysisof3rd partycodein2.7xmoreappsanddecreasetestdurationbyfactor7


DYNAMIC ANALYSIS:APPAUDIT [93]

§ Goal:Usingsynergyofstaticanalysisanddynamicanalysistospeedupanalysisandreduceeffectsofoverapproximation ofstaticanalysis

§ Approach:Dynamicanalysisthatcansimulatetheexecutionofpart oftheprogramandperformcustomizedchecksateachprogramstate

- Evaluation:Comparativereportsofleaks,nofalsepositive,8.3xfaster,90%lessmemoryconsumption


LargelyinspiredbytechniquesusedinJITcompilersandimprovementstosymbolicexecution

PROBLEM:LOGIC BOMBS

§ Logicandtimebombscanmakeitveryhardtodetectmaliciousbehavioranddistinguishbenignappsfrommalware


if(Build.FINGERPRINT.startsWith("generic"))return; //we are running in an emulator

String messageText = simCountryIso().equals("US") ? US : INTERN;String clazz = decrypt("fri$ds\&S"); 5 String method = decrypt("dvdf4$DCS");Class.forName(clazz).getMethod(method).invoke("+01234",null,messageText,null,null);

Date now = new Date();Date target = new Date(22,12,2016);

if (now.after(target)) {// do evil

} else {// do unsuspicious

}

STATIC ANALYSIS:APPCONTEXT,HARVESTER,TRIGGERSCOPE

§ AppContext [94]:Identifyandextractthecontextsandeventsthattriggersecuritysensitivebehaviors

- Maliciousnessofsecurity-sensitivebehaviormorecloselyrelatedtotheintentionofthebehavior(reflectedviacontext)thantothetypeofresourceaccessed

§ Harvester[95]:Extractruntimevaluesevenfromobfuscatedcodethatusesreflection,hidessensitivevaluesinnativecode,loadscodedynamicallyorusesanti-analysistechniques

- forcedexecution:explicitlytriggersalldifferentbehaviors

§ TriggerScope [96]:Focusondetectingthetriggerchecksinsteadofbehavior


GOOGLE’S SELF-REPORTED MARKET SECURITY [69]

§ VerifyAppscloud-basedservicetocheckeveryapppriortoinstallationifpotentiallyharmful

- Warnuserorremoveautomaticallywithoutuserconfirmation


APP VERIFICATION [69]

DatacollectioninVerifyApps(Rareappcollection):

“VerifyAppsprotectsusersagainstapplicationsthatareinstalledfromanysource—whethertheycomefromGooglePlayoroutsideofPlay—soitisimportantthatoursystemshavevisibilityintoasmanyapplicationsaspossible.AllapplicationsthataresubmittedtoGooglePlayundergoareview.Similarly,allapplicationsthatGoogle’scloud-basedsystemsareabletolocateonpublicwebsitesarereviewed.

Startingin2015,userscansendapplicationsfromtheirdevicetoGoogleforreview.”

Technical:Extractingfeaturesandthencheckforsimilaritieswithexistingharmfulapps



§ SafetyNet attestAPItohelpdeveloperscheckdeviceintegrity- Devicescontributesecurity-relatedinformationcloud-basedservices,

includinginformationaboutsecurityevents,logs,configurationinformation,andothersecurity-relevantinformation

- Whenavulnerabilityisfixed,codeisinsertedintotheplatform(orapp)whichgeneratesalogwhenapotentialexploitattemptisdetected.Thislogcontainsinformationrequiredtotrackexploitationtrendsandbetterunderstandtheeffectivenessofoursecurityimprovements.

- SafetyNet usedactivenetworkprobestoidentifycaseswherethesystemcertificatestorehasbeenmanipulated.

- AnomalyCorrelationEngine monitorsforchangesinkeydevicesecurityindicators andexamineswhichappschangedsincelastsecurestate;monitoringacrossmanydevicesallowspinpointingrelevantapps

- On-deviceclienthashessystempartitionandcomparesagainstacloud-basedservice withacollectionofknownsystempartitions



§ Machinelearningtoseepatternsandconnectionshumanswouldmiss,continuousmonitoringandrefinementtoimproveprecision- Endof2015:ongoingautomatedanalysisofover35millionAPKs

(everyversioneverpublishedonPlayaswellasallcollectedones)- TensofthousandofCPUcoresandterabytesofRAM,petabytesof

storage§ Inputs:Staticanalysis,dynamicanalysis,3rd partyreports,developer

relationships,signatures,SafetyNet,heuristicsandsimilarityanalysis,humananalysts- SA:findinglinkedfunctionalityacrosscomponents,detectingSSL

misconfigurations- DA:simulatelargenumberofdifferentdevicesanddetectanomalies,use

SAresultstoincreaseDAcodecoverage- Honeypotswithfakeaccountdata- Decomposeappsintofeaturesandanalyzefeaturesimilaritytosee

relationsbetweenappsusingadv.machinelearning- Over90%oftimesauserinstallsappnotfromPlay,theappisknownand

canbecheckedagainstsignature- MonitoringC&Ccommunicationtodetectmalwareinstallcommands



§ AppSecurityImprovementProgramidentifiesappsinGooglePlaythathaveknownsecurityvulnerabilities(throughincorrectcodingpracticesorbyusingknownvulnerablelibraries),notifiesthedevelopersoftheirapp’svulnerabilities,andencouragesthemtoxthevulnerabilities

- DevelopersarealertedviaemailandthePlayDeveloperConsole

- 2015:100kappsimproved

• coveringknownvulnerabilitiesinthefollowinglibraries:Vungle,ApacheCordova,WebView SSL,GnuTLS,andVitamio


ENCRYPTED APKS AND FORWARD LOCKING

§ SinceAndroid4.1supportfordeliveringencryptedAPKs

§ Forwardlocking(orcopyprotection)

- Goal:preventpaidcontentfrombeing(easily)stolenfromdevices

- Since4.1:Encryptedappcontainers(AndroidSecureExternalCaches(ASEC))togetherwithfilesystemaccesscontroltostoreappcontentsmoreprotected

§ Result:APKsaretransferredandstoredinencryptedform

- UsedbyPlayandavailabletocustomappinstallers

- However:Ifdevicebeingrooted,protectedcontentorencryptionkeyscouldbeextracted(butstillbetterthanw/oencryption)


PROBLEM:MULTI-MARKET ECOSYSTEM [97]

§ Problem:Multi-marketslimit/eliminatesecuritycharacteristicsofsinglemarketmodels

- Kill-switches(whichmarketauthorizedtokillwhichapps?)

- Developernameconsistency

§ Approach:Appinstaller(Meteor)withextensiblesetofconfigurablesecurityinformationsourcesandkill-switchauthorities


Additionalappinfos:virusreports,privacyviolations,expertratings,otherappsbysamedeveloper(appdatabases)

Crucial:connect packagesignaturestodeveloper/application(developerregistries)

UniversalappID={Hash(packagename,dev.cert),Hash(binary)}

MARKET AS THE ATTACKER [98]

§ Marketsattractivetargetstobecoerced/pressuredintodistributingmalicioussoftware(updates)toorwithholdingapps/updatesfromtargetedusers

§ EasywithAndroid’scurrentappsigningmodelandmarket’sintransparency (blindtrustbyusers)


§ ApplicationTransparency(AT):threedifferentkindsofcryptographicproofsthatallowsuserstoverifytheauthenticityofappsprovidedbyappmarkets(usinglogserversandauditors)- ProofofPresence:Informationaboutpresence

ofanappinmarket- ProofofCurrency:Informationabout

currentness ofanapp’sversion- ProofofAbsence:Verifythatappindeeddoes

notexistonmarket

Documents

App Markets - Universität des Saarlandes · - Method restructuring (e.g., move methods to other classes, split methods into smaller ones or combine methods, etc.) - Control flow