
Florida Institute for Cybersecurity (FICS) Research

CS 5410 - Computer and Network Security: Mobile Phone Security

Professor Patrick Traynor, Fall 2017


Announcements

• All that remains now is the Final Exam and the Final Poster presentation.

• Start thinking about how you should prepare!


And what about apps?


What is Android?

• The most popular smartphone operating system, led by Google

• Complete software stack

• Open source (Apache v2 license) ... mostly

• Open Handset Alliance ... 30+ industrial partners

• Google, T-Mobile, Sprint, HTC, LG, Motorola, Samsung, Broadcom, Intel, NVIDIA, Qualcomm, and many more.


Android Phones

• An Android phone contains a number of “applications”

• Android comes installed with a number of basic system tools, e.g., dialer, address book, etc.

• Developers use the Android API to construct applications.

• Apps are written (mostly) in Java and executed within a custom virtual machine (Dalvik, later the ART runtime); native code can also be shipped via the NDK.

• Each application package is a ZIP-format archive (the same container as a jar) with the .apk extension, holding the compiled Dalvik bytecode (classes.dex), resources and the manifest

• Applications are installed by the user

• No “app store” required, just build and go (sideloading).

• Open access to data and voice services, subject to the permissions the app requests


Architecture

• The Android smartphone operating system is built upon Linux and includes many libraries and a core set of applications.

• The middleware makes it interesting

• Not focused on UNIX processes

• Uses the Binder component framework

• Originally part of BeOS, then enhanced by Palm, now used in Android

• Applications consist of many components of different types

• Applications interact via components

• We focus on security with respect to the component API

[Figure: the Phone, Contacts and Maps applications sit on the Android middleware (the Binder component framework, with a reference monitor enforcing policy), which in turn sits on Linux.]


Component Model

• While each application runs as its own UNIX uid, sharing can occur through application-level interactions

• Interactions based on components

• Different component types

• Activity

• Service

• Content Provider

• Broadcast Receiver

• Target component in the same or different application

[Figure: four interaction patterns. Starting an Activity for a result (an Activity starts another Activity, which returns). Communicating with a Service (an Activity starts/stops/binds and calls a Service; the Service calls back). Querying a Content Provider (an Activity issues a read/write query; the Content Provider returns data). Receiving an Intent Broadcast (the System, an Activity or a Service sends an Intent to a Broadcast Receiver).]


The Android Manifest

• Manifest files are the technique for describing the contents of an application package (i.e., a resource file)

• Each Android application has a special AndroidManifest.xml file (included in the .apk package)

• describes the contained components

• components cannot execute unless they are listed

• specifies rules for “auto-resolution”

• specifies access rules

• describes runtime dependencies

• optional runtime libraries

• required system permissions


Manifest Specification


Authorization

• Is this a good or bad way to do authorization?
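One way to answer that question mechanically, added here as an example (this is not code from the lecture or from any app in the study): parse a manifest and list every component another app can reach, together with the permission, if any, that guards it. The manifest is constructed and the package and component names are made up. The exported-by-default rule implemented is the pre-API-31 behaviour (a component with an intent-filter is exported unless android:exported says otherwise), and a component guarded only by an app-defined permission of protectionLevel normal is rated weak, because any app can request such a permission.

```python
"""Audit an AndroidManifest.xml for components other apps can reach (example code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest; names are hypothetical.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <permission android:name="com.example.demo.DEBUG" android:protectionLevel="normal"/>
  <permission android:name="com.example.demo.CONTACTS" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".LogInActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <service android:name=".InternalService"/>
    <receiver android:name=".DebugReceiver" android:permission="com.example.demo.DEBUG">
      <intent-filter><action android:name="com.example.demo.DUMP_STATE"/></intent-filter>
    </receiver>
    <provider android:name=".ContactsProvider" android:authorities="com.example.demo.contacts"
              android:exported="true" android:readPermission="com.example.demo.CONTACTS"/>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an android:-namespaced attribute (ElementTree expands the prefix to {uri}name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(comp):
    """Explicit android:exported wins; otherwise an intent-filter implies exported (pre API 31)."""
    explicit = android_attr(comp, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return comp.find("intent-filter") is not None


def guarding_permissions(comp, tag):
    """Permissions a caller must hold to reach the component (providers may split read/write)."""
    names = [android_attr(comp, "permission")]
    if tag == "provider":
        names += [android_attr(comp, "readPermission"), android_attr(comp, "writePermission")]
    return [n for n in names if n]


def audit_manifest(xml_text):
    """One finding per exported component. Verdicts: 'unprotected' (no permission at all),
    'weak' (guarded only by app-defined permissions of protectionLevel normal, which any
    app can request) or 'ok'. Permissions not defined in this manifest are assumed to be
    platform permissions and are not rated here."""
    root = ET.fromstring(xml_text)
    defined = {android_attr(p, "name"): (android_attr(p, "protectionLevel") or "normal")
               for p in root.findall("permission")}   # unspecified level defaults to normal
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.find("application").findall(tag):
            if not is_exported(comp):
                continue
            perms = guarding_permissions(comp, tag)
            if not perms:
                verdict = "unprotected"
            elif all(defined.get(p, "platform") == "normal" for p in perms):
                verdict = "weak"
            else:
                verdict = "ok"
            findings.append({"type": tag, "name": android_attr(comp, "name"),
                             "permissions": perms, "verdict": verdict})
    return findings


def requested_permissions(xml_text):
    """Permissions the app asks the system for: the other half of the authorization picture."""
    root = ET.fromstring(xml_text)
    return [android_attr(u, "name") for u in root.findall("uses-permission")]


if __name__ == "__main__":
    print("requests:", requested_permissions(SAMPLE_MANIFEST))
    for f in audit_manifest(SAMPLE_MANIFEST):
        print("%-9s %-18s %-12s %s" % (f["type"], f["name"], f["verdict"], f["permissions"]))
```

On the sample, the launcher activity and SyncService come back unprotected, DebugReceiver is weak (its only guard is a normal-level permission the app defined itself), ContactsProvider is ok (signature-level read permission) and InternalService does not appear because nothing outside the app can reach it.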


Android Security

• Applications are sandboxed: each runs in its own process under its own UNIX uid, and its code executes inside the Dalvik Virtual Machine (the kernel-enforced uid isolation, not the VM, is the security boundary).

• Communication can occur through the previously discussed mechanisms.

• Assuming that the underlying isolation mechanisms are sufficient, where are attacks most likely to be found in these devices?

• Dalvik is being replaced by the Android Runtime (ART).

• Largely the same, except that it uses Ahead-of-Time (AOT) compilation and has improved garbage collection.


Studying Apps

• Decompiled the top 1,100 free apps from the Android Market: over 21 million lines of source code

• We use static analysis to identify both dangerous behavior and vulnerabilities, followed by manual inspection

• Must identify specific properties for analysis

• Note: static analysis says what can happen, not what does

W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri, “A Study of Android Application Security,” in USENIX Security 2011.


Phone Identifiers

• We’ve seen phone identifiers (Ph.#, IMEI, IMSI, etc.) sent to network servers, but how are they used?

• Program analysis pin-pointed 33 apps leaking phone IDs

• Finding 2 - device fingerprints

• Finding 3 - tracking actions

• Finding 4 - along with registration and login


Device Fingerprints

com.avantar.wny - com/avantar/wny/PhoneStats.java (decompiled)

    public String toUrlFormatedString() {
        StringBuilder $r4;
        if (mURLFormatedParameters == null) {
            $r4 = new StringBuilder();
            // mUuid holds the IMEI (annotated on the slide); it goes out as a URL parameter
            $r4.append((new StringBuilder("&uuid=")).append(URLEncoder.encode(mUuid)).toString());
            $r4.append((new StringBuilder("&device=")).append(URLEncoder.encode(mModel)).toString());
            $r4.append((new StringBuilder("&platform=")).append(URLEncoder.encode(mOSVersion)).toString());
            $r4.append((new StringBuilder("&ver=")).append(mAppVersion).toString());
            $r4.append((new StringBuilder("&app=")).append(this.getAppName()).toString());
            $r4.append("&returnfmt=json");
            mURLFormatedParameters = $r4.toString();
        }
        return mURLFormatedParameters;
    }


Registration and Login

com.statefarm.pocketagent - activity/LogInActivity$1.java (Button callback, decompiled)

    public void onClick(View r1) {
        ...
        // Host.getDeviceId() returns the IMEI (annotated on the slide); it becomes part of the login request
        r7 = Host.getDeviceId(this$0.getApplicationContext());
        LogInActivity.access$1(this$0).setUniqueDeviceID(r7);
        this$0.loginTask = new LogInActivity$LoginTask(this$0, null);
        this$0.showProgressDialog(r2, 2131361798, this$0.loginTask);
        r57 = this$0.loginTask;
        r58 = new LoginTO[1];
        r58[0] = LogInActivity.access$1(this$0);
        r57.execute(r58);
        ...
    }

Is this necessarily bad?


Location

• Found 13 apps with geographic location data flows to the network

• Many were legitimate: weather, classifieds, points of interest, and social networking services

• Several instances sent to advertisers (same as TaintDroid). More on this shortly.

• Code recovery error in AdMob library.


Ad/Analytics Libraries

• 51% of the apps included an ad or analytics library (many also included custom functionality)

• A few libraries were used most frequently

• Use of phone identifiers and location is sometimes configurable by the developer

[Figure: histogram of the number of ad/analytics libraries per app (x axis 1 to 8 libraries, y axis number of apps on a log scale from 1 to 1000); one app includes 8 libraries.]

Library Path                        # Apps   Obtains
com/admob/android/ads                  320   L
com/google/ads                         206   -
com/flurry/android                      98   -
com/qwapi/adclient/android              74   L, P, E
com/google/android/apps/analytics       67   -
com/adwhirl                             60   L
com/mobclix/android/sdk                 58   L, E
com/millennialmedia/android             52   -
com/zestadz/android                     10   -
com/admarvel/android/ads                 8   -
com/estsoft/adlocal                      8   L
com/adfonic/android                      5   -
com/vdroid/ads                           5   L, E
com/greystripe/android/sdk               4   E
com/medialets                            4   L
com/wooboo/adlib_android                 4   L, P, I
com/adserver/adview                      3   L
com/tapjoy                               3   -
com/inmobi/androidsdk                    2   E
com/apegroup/ad                          1   -
com/casee/adsdk                          1   S
com/webtrends/mobile                     1   L, E, S, I
Total Unique Apps                      561

L = Location; P = Ph#; E = IMEI; S = IMSI; I = ICC-ID


Developer Toolkits

• We found identically implemented dangerous functionality in the form of developer toolkits.

• Probing for permissions (e.g., call the Android API and catch the SecurityException)

• Well-known brands sometimes commission developers that include dangerous functionality.

• “USA Today” and “FOX News” were both developed by Mercury Intermedia (com/mercuryintermedia), whose toolkit grabs the IMEI on startup


Study Limitations

• The sample set

• Code recovery failures

• Android IPC data flows

• Fortify SCA language

• Obfuscation


What this all means ...

• Characterization of top 1,100 free apps (21+ MLOC) similar to smaller, vertical studies (e.g., TaintDroid).

• Development of rules to identify vulnerabilities

• 27 Findings (more in Tech Report) providing insight into application developer behavior

• Several APIs need more oversight

• Phone identifiers are used in many different ways and are frequently sent to network servers.

• Many developers not sensitive to Intent API dangers

• Ad/Analytic libs in 51% -- as many as 8 in one app

• 4th party code is becoming a problem


Malware in Markets?

• Android allows users to select alternative markets for downloading apps.

• Examples include Amazon (US), Ndoo (China), Anzhi (China), Softdroid (Russia)

• Is this good or bad?

• Malware has been detected in all of them…


Malware Detection (MAST)

• Rapid triage using permissions to detect “interesting” applications.

• Chakradeo et al., MAST: Triage for Market-scale Mobile Malware Analysis, In Proceedings of the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), 2013.

[Figure: MAST scatter plot of applications projected onto two dimensions (x axis -2.5 to 2, y axis -4 to 2; axis labels not recoverable).]


Piracy Detection (DroidMoss)

• App similarity analysis to detect repackaging/piracy.

• Zhou et al., Detecting Repackaged Smartphone Applications in Third-Party Android Marketplaces, Proceedings of CODASPY, 2012.

[Figure 1: An Overview of DroidMOSS. Third-party apps and Android Market apps each pass through feature extraction (instruction sequence), fuzzy hashing (app fingerprint) and author ID (from the developer certificate) to yield app signatures; similarity scoring between the two sets flags repackaged apps.]

feature directly. It turns out that it is not robust even for simple obfuscation that could just change some string operands (such as string names or hard-coded URLs). Because of that, we opt to make a further abstraction by removing the operands and retaining only the opcode. The intuition is that it might be easy for repackagers to modify or rename the (non-critical) operands, but much harder to change the actual instructions. In the meantime, we also observe that apps tend to include various ad SDK libraries to fetch and display ads. After being disassembled, these shared ad libraries unnecessarily introduce noise to our feature extraction. Fortunately, there are a limited number of them and our current prototype builds a white-list to remove them from the extracted code.

For the author information, the META-INF subdirectory contains the full developer certificate, from which we can obtain the developer name, contact and organization information, as well as the public key fingerprints. For simplicity, we map each developer certificate into one unique 32-bit identifier (or authorID). This unique identifier is then integrated into the signature for comparison.

2.3 Fingerprint Generation

For each app, our second step generates a fingerprint from the extracted code. A common way of achieving that is through hashing. Although hashing the entire code sequence of an app can uniquely determine whether two apps are the same, it is not helpful to determine whether two files are similar. The reason is simply that one minor modification will dramatically change the hash value. From another perspective, calculating the edit distance between two given sequences is a well-known technique to measure their similarity. Unfortunately, it cannot be directly applied either. Considering that each instruction sequence (of an app) could have hundreds of thousands of instructions, it would be very expensive to calculate one single edit distance between two apps, not to mention the large number of apps each needs to be paired and compared with.

In DroidMOSS, we adopt a specialized hashing technique called fuzzy hashing [21]. Instead of directly processing or comparing the entire (long) instruction sequences, it first condenses each sequence into one much shorter fingerprint. The similarity between two apps is then calculated based on the shorter fingerprints, not the original sequences. Therefore, a natural requirement for fuzzy hashing is that the reduction into shorter fingerprints should minimize the change, if any, to the similarity of two sequences.

To achieve that, we first divide the instruction sequence into smaller pieces. Each piece is considered as an independent unit to contribute to the final fingerprint. Therefore, if the repackaging process changes one piece, its impact on the final fingerprint is effectively localized and contained within this piece. For the rest of the pieces that are not changed, their contributions to the final fingerprint are still valid and persistent through the repackaging process, thus reflecting the similarity between the original app and the repackaged one. However, the challenge lies in the determination of the boundary of each piece. In DroidMOSS, we use a sliding window that starts from the very beginning of the instruction sequence and moves forward until its rolling hash value equals a pre-selected reset point, which determines the boundary of the current piece. Specifically, if a reset point is reached, a new piece should be started. The concrete process is presented in Algorithm 1 and visually summarized in Figure 2.

Algorithm 1 Generate the app fingerprint

Input: Instruction sequence iseq of the app
Output: Fingerprint fp
Description: wsize - sliding window size, rp - reset point value, sw - content in sliding window, ph - the piece hash

     1: set_wsize(wsize)
     2: set_resetpoint(rp)
     3: init_sliding_window(sw)
     4: init_piece_hash(ph)
     5: for all byte d from iseq do
     6:     update_sliding_window(sw, d)
     7:     rh ← rolling_hash(sw)
     8:     update_piece_hash(ph, d)
     9:     if rh = rp then
    10:         fp ← concatenate(fp, ph)
    11:         init_piece_hash(ph)
    12:     end if
    13: end for
    14: return fp

For further elaboration, suppose a repackaged app has added a new instruction to invoke an external function. For simplicity, we assume the new instruction is inserted in the first piece of the instruction sequence (i.e., piece 1 in Figure 2). Since our fuzzy hashing scheme uses a sliding window to calculate the rolling hash to determine the piece boundary, there are two possibilities about the placement of the new instruction in the first piece, either falling outside or inside the last sliding window. The former affects only
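The fingerprinting procedure above, carried through as an added worked example in Python (written for this page; it is not the DroidMOSS implementation). Everything concrete is a choice made here: a 7-byte window, a 31-multiplier rolling hash reduced mod 16 with reset point 15 (ssdeep's rule for the boundary test), FNV-1a as the piece hash encoded as one base64 character per piece, Levenshtein distance between fingerprints as the similarity score, and synthetic "apps" built from a small fixed table of Dalvik mnemonics with made-up operands. It also exercises the operand-stripping step from the text: the repackaged copy renames every string operand and splices in five ad-SDK calls, yet its fingerprint stays close to the original's, while an unrelated app's does not.

```python
"""DroidMOSS-style fuzzy fingerprint of an opcode sequence (Algorithm 1) plus similarity scoring.
Example code; parameters and hash functions are choices made here, not the paper's."""
import random
from collections import deque

# Fixed mnemonic table so the same opcode maps to the same byte whatever app it came from.
DALVIK_OPCODES = [
    "nop", "move", "move-result", "return-void", "return", "const", "const-string",
    "new-instance", "iget", "iput", "sget", "sput", "invoke-virtual", "invoke-direct",
    "invoke-static", "invoke-interface", "if-eqz", "if-nez", "goto", "add-int", "check-cast",
]
OPCODE_INDEX = {m: i for i, m in enumerate(DALVIK_OPCODES)}
UNKNOWN_OPCODE = len(DALVIK_OPCODES)

WINDOW_SIZE = 7                  # wsize in Algorithm 1
BLOCK_SIZE = 16                  # expected piece length in bytes
RESET_POINT = BLOCK_SIZE - 1     # rp in Algorithm 1 (compared against rolling hash mod BLOCK_SIZE)
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193
FP_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def opcodes_only(smali_lines):
    """Feature extraction: keep only each instruction's mnemonic, one byte per opcode.
    Renamed operands (registers, strings, method refs) therefore leave the feature unchanged."""
    return bytes(OPCODE_INDEX.get(line.split()[0], UNKNOWN_OPCODE)
                 for line in smali_lines if line.strip())


def rolling_hash(window):
    """Hash of the current window contents (recomputed each step for clarity)."""
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


def fingerprint(iseq):
    """Algorithm 1: slide a window over the bytes; when the rolling hash hits the reset
    point, emit one character for the piece seen so far and start a new piece."""
    sw = deque(maxlen=WINDOW_SIZE)   # init_sliding_window
    ph = FNV_OFFSET                  # init_piece_hash
    fp = []
    for d in iseq:
        sw.append(d)                                   # update_sliding_window
        ph = ((ph ^ d) * FNV_PRIME) & 0xFFFFFFFF       # update_piece_hash
        if rolling_hash(sw) % BLOCK_SIZE == RESET_POINT:
            fp.append(FP_ALPHABET[ph & 0x3F])          # concatenate(fp, ph)
            ph = FNV_OFFSET                            # init_piece_hash
    fp.append(FP_ALPHABET[ph & 0x3F])                  # flush the trailing partial piece
    return "".join(fp)


def edit_distance(a, b):
    """Levenshtein distance; affordable because fingerprints are short."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(fp_a, fp_b):
    """0..100 score; 100 means identical fingerprints."""
    longest = max(len(fp_a), len(fp_b))
    return 100.0 if longest == 0 else 100.0 * (1 - edit_distance(fp_a, fp_b) / longest)


def synthetic_app(seed, length=1000):
    """Constructed stand-in for a disassembled app: random mnemonics with made-up operands."""
    rng = random.Random(seed)
    return ['%s v%d, "str%d"' % (rng.choice(DALVIK_OPCODES), rng.randrange(16), rng.randrange(100))
            for _ in range(length)]


def repackage(lines):
    """Model a repackager: rename every string operand and splice in calls to an ad SDK."""
    renamed = [line.replace('"str', '"ad_') for line in lines]
    return renamed[:100] + ["invoke-static {}, Lcom/ads/Sdk;->init()V"] * 5 + renamed[100:]


if __name__ == "__main__":
    original, pirated, unrelated = synthetic_app(1), repackage(synthetic_app(1)), synthetic_app(2)
    fp_o, fp_p, fp_u = (fingerprint(opcodes_only(a)) for a in (original, pirated, unrelated))
    print("original  :", fp_o)
    print("repackaged: %s  similarity %.0f" % (fp_p, similarity(fp_o, fp_p)))
    print("unrelated : %s  similarity %.0f" % (fp_u, similarity(fp_o, fp_u)))
```

Because piece boundaries depend only on the last WINDOW_SIZE bytes, the inserted instructions can disturb at most the piece they land in and its neighbour; once the window has slid past them the boundaries re-synchronize and every later character is identical, which is exactly the locality property the text argues for.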


Malware Installations

• DNS-based analysis shows that an extremely small number of devices is actually infected.

• C. Lever et al., The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers, In Proceedings of the ISOC Network & Distributed System Security Symposium (NDSS), 2013.

[Figure: daily counts (y axis 50 to 550) over dates from 04-15 to 06-23, two series labelled mobi and nonmobi.]


Crypto

• Java and Android were designed with cryptography as a first class citizen

• Generic ciphers for data at rest

• TLS for a secure network channel


Crypto + Android

• 10,327 out of 11,748 applications that use cryptographic APIs (88% overall) make at least one mistake.

M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel, “An Empirical Study of Cryptographic Misuse in Android Applications,” in CCS 2013.


Android + TLS

• 1,074/13,500 (8.0%) of the apps examined contain SSL/TLS code that is potentially vulnerable to MITM attacks.

• In a deeper dive into 100 selected apps, 41 were actually vulnerable

• It turns out that many developers were intentionally disabling certificate validation because they didn’t understand the warnings, or they didn’t have certs in their test environment

S. Fahl et al., “Why Eve and Mallory Love Android: An Analysis of Android SSL (in)Security,” in CCS 2012.
S. Fahl et al., “Rethinking SSL Development in an Appified World,” in CCS 2013.
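A rule-based static checker in the spirit of the app study earlier in the deck and of the crypto and TLS studies cited above, added here as an example (it is not the tooling used in any of those papers). The rules paraphrase the misuse patterns those papers report (ECB mode, constant IV, key or salt, a low PBE iteration count, a constant-seeded SecureRandom, a trust-all TrustManager and disabled hostname verification) plus the TelephonyManager calls that return the phone identifiers the study tracked. The two Java snippets are constructed inputs, not code from any real app, and every hit is a candidate only: as the deck says, static analysis reports what can happen, not what does.

```python
"""Regex rules for crypto, TLS and phone-identifier misuse in (decompiled) Java source.
Example code; rule ids and the two Java samples are constructed for this page."""
import re

# (rule id, regex over the whole source text, note). Multi-line bodies are matched with \s*.
RULES = [
    ("CRYPTO_ECB", re.compile(r'Cipher\.getInstance\(\s*"(?:AES|DES|DESede)(?:/ECB/[^"]*)?"'),
     "ECB mode, explicitly or as the provider default when no mode is given"),
    ("CRYPTO_CONST_IV", re.compile(r'new IvParameterSpec\(\s*(?:new byte\[\]\s*\{|"[^"]*"\.getBytes)'),
     "IV is a constant rather than a fresh random value"),
    ("CRYPTO_CONST_KEY", re.compile(r'new SecretKeySpec\(\s*"[^"]*"\.getBytes'),
     "symmetric key hard-coded as a string literal"),
    ("CRYPTO_PBE_CONST_SALT", re.compile(r'new PBEKeySpec\([^,]+,\s*(?:new byte\[\]\s*\{|"[^"]*"\.getBytes)'),
     "PBE salt is a constant"),
    ("CRYPTO_PBE_FEW_ITER", re.compile(r'new PBEKeySpec\([^,]+,[^,]+,\s*(\d+)\s*,'),
     "PBE iteration count below 1000"),
    ("CRYPTO_SEEDED_RANDOM", re.compile(r'new SecureRandom\(\s*"|\.setSeed\(\s*(?:\d+L?|")'),
     "SecureRandom seeded with a constant"),
    ("TLS_TRUST_ALL", re.compile(r'checkServerTrusted\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\{\s*\}'),
     "X509TrustManager.checkServerTrusted accepts every chain"),
    ("TLS_NO_HOSTNAME_CHECK", re.compile(r'ALLOW_ALL_HOSTNAME_VERIFIER|boolean verify\([^)]*\)\s*\{\s*return true;'),
     "hostname verification disabled"),
    ("PHONE_ID_SOURCE", re.compile(r'\.(?:getDeviceId|getSubscriberId|getLine1Number|getSimSerialNumber)\('),
     "reads a phone identifier (IMEI/MEID, IMSI, phone number, ICC-ID)"),
]

# Constructed decompiled code that trips every rule once; not from any real app.
BAD_SOURCE = """\
// constructed sample
public class WeakClient {
    void encrypt(byte[] data, char[] pw) throws Exception {
        Cipher c = Cipher.getInstance("AES");
        SecretKeySpec key = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
        IvParameterSpec iv = new IvParameterSpec(new byte[]{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0});
        PBEKeySpec spec = new PBEKeySpec(pw, "salt".getBytes(), 20, 128);
        SecureRandom rnd = new SecureRandom();
        rnd.setSeed(12345L);
    }
    void connect(Context ctx) throws Exception {
        String imei = ((TelephonyManager) ctx.getSystemService("phone")).getDeviceId();
        TrustManager[] tms = { new X509TrustManager() {
            public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            }
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return null; }
        } };
        HttpsURLConnection.setDefaultHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    }
}
"""

# Constructed hardened counterpart: fresh IV and salt, strong iteration count, platform trust store.
GOOD_SOURCE = """\
public class HardenedClient {
    void encrypt(byte[] data, char[] pw, SecretKey key) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        PBEKeySpec spec = new PBEKeySpec(pw, salt, 10000, 256);
    }
    void connect(URL url) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.connect();
    }
}
"""


def check(source):
    """Return [(rule_id, line_no, first line of the match)] for every hit, sorted by line."""
    hits = []
    for rule_id, pattern, _note in RULES:
        for m in pattern.finditer(source):
            if rule_id == "CRYPTO_PBE_FEW_ITER" and int(m.group(1)) >= 1000:
                continue                       # iteration count is acceptable
            line_no = source.count("\n", 0, m.start()) + 1
            hits.append((rule_id, line_no, m.group(0).split("\n")[0].strip()))
    return sorted(hits, key=lambda h: h[1])


def rule_ids(source):
    """Distinct rule ids that fire on the source."""
    return sorted({h[0] for h in check(source)})


if __name__ == "__main__":
    for rule_id, line_no, snippet in check(BAD_SOURCE):
        print("line %2d  %-22s %s" % (line_no, rule_id, snippet))
    print("hardened sample hits:", check(GOOD_SOURCE))
```

The hardened sample produces no hits, which is the check to run when tuning patterns like these: a rule that fires on the fixed code is measuring the API, not the misuse.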


Branchless Banking a.k.a. Mobile Money

Brad Reaves, Nolen Scaife, Adam Bates, Patrick Traynor, and Kevin Butler, “Mo(bile) Money, Mo(bile) Problems: Security Analysis of Branchless Banking Apps in the Developing World,” USENIX Security 2015.


What About Artifacts?

• The research community has created nearly countless artifacts in this space.

• So, are they any good?

• Can anyone else use them?

• Can anyone else recreate results?

• How do they work against applications other than those the researchers picked?


Conclusions

• Today’s mobile devices are more powerful than your desktop computers from a decade ago.

• Think of all the things you can do now that you couldn’t conceive of then.

• Operating systems are better, but lots of potential still exists for bad behavior.

• Such bad behavior has been seen almost exclusively through “good” applications, which use private data in unexpected ways.