HybriDroid: Analysis Framework for
Android Hybrid Applications
Sungho Lee, Julian Dolby, Sukyoung Ryu
Programming Language Research Group
KAIST
June 13, 2015
Sungho Lee, Julian Dolby, Sukyoung Ryu — HybriDroid: Analysis Framework for Android Hybrid Applications 1/45
Analyzing JavaScript Web Applications in the Wild (Mostly) Statically
Bittersweet ADB: Attacks and Defenses
Hey, You, Get Off of My UI
Injection of Malicious Activities and Fragments to Control UI Flows
Motivation
Many mobile platforms out there.
To support multiple platforms with native applications,
need to implement one application per platform;
need to repeat application development multiple times.
Web applications cannot use device features.
Hybrid applications could be one solution.
Hybrid applications use both HTML5 code (HTML, CSS, and JavaScript) and native device features, such as a camera or accelerometer.
Cross-platform tools to build hybrid applications: Apache Cordova, Appcelerator Titanium, Xamarin, ...
“Gartner Says by 2016, More Than 50 Percent of Mobile Apps Deployed Will be Hybrid”
http://www.gartner.com/newsroom/id/2324917
“Build Once, Run Everywhere”
Security risks for hybrid applications
One Malware for multiple platforms!
“Building Hybrid Android Apps with Java and JavaScript”
http://shop.oreilly.com/product/0636920028994.do
Challenges in analyzing hybrid applications
They are developed in multiple programming languages with different data types, values, and semantics.
Inter-language communications are not explicit but implicit; they are not well documented.
Hybrid Applications in Android
Implicit Inter-Language Communications
Android Java ⇒ JavaScript
WebView.loadUrl("javascript:request();")
WebView.loadUrl is usually for loading a given URL.
When the prefix of a string argument of WebView.loadUrl is “javascript:”, it acts like the eval function.
JavaScript ⇒ Android Java
WebViewClient.shouldOverrideUrlLoading
WebChromeClient.onJsPrompt
WebView.addJavascriptInterface
(from hybrid applications developed in the Cordova framework)
addJavascriptInterface
http://developer.android.com/reference/android/webkit/WebView.html
JavaScript can call the Java object’s methods.
It cannot access the Java object’s fields.
Only public methods annotated with JavascriptInterface can be accessed from JavaScript.
Type conversions and restrictions are not specified, but ...
Type Compatibility (by Experiments)
JavaScript ⇒ Android Java: function argument types
            int       float     String                boolean    Object    Array
Null        ✗(null)   ✗(null)   ✗(null)               ✗(null)    ✗(null)   ✗(null)
Undefined   ✗         ✗         ✗("undefined")        ✗          ✗         ✗
Number      ✓         ✓         ✓(type conversion)    ✗(false)   ✗(null)   ✗(null)
Boolean     ✗(0)      ✗(0)      ✓(type conversion)    ✓          ✗(null)   ✗(null)
String      ✗(0)      ✗(0)      ✓                     ✗(false)   ✗(null)   ✗(null)
Object      ✗(0)      ✗(0)      ✗("undefined")        ✗(false)   ✗(null)   ✗(null)
Array       ✗(0)      ✗(0)      ✗("undefined")        ✗(false)   ✗(null)   *

* = ✓ if the Array element type is one of primitive types;
    null if the Array element type is Object;
    0 if the Array element type is int or float;
    false if the Array element type is boolean; or
    "undefined" if the Array element type is String.
Android Java ⇒ JavaScript: function return types
             int   float        String   boolean   Object   Array
JavaScript   ✓     ✓(inexact)   ✓        ✓         ✗({})    ✗(undefined)
HybriDroid
Soundy analysis framework for Android hybrid applications
Support for partial but most implicit inter-language flows backed by APIs, blogs, and Dalvik VM source code
Support for partial but most type compatibility backed by experiments with trials & errors
Implementation on top of WALA
https://github.com/SunghoLee/WALA/tree/master/HybriDroid/src/kr/ac/kaist/hybridroid/callgraph
HybriDroid Implementation
AndroidHybridCallGraphBuilder
Model addJavascriptInterface by binding the Java object (first argument) with the given name (second argument) at the global scope of JavaScript
Model Android Java methods as mockup objects that are accessible from JavaScript
AndroidHybridAnalysisScope
Build a single analysis scope covering both Android Java and JavaScript
Replace Java with Android Java in the sample JavaJavaScriptAnalysisScope class
AndroidHybridMethodTargetSelector
Model invocation of Android Java methods from JavaScript by selecting mockup objects constructed by AndroidHybridCallGraphBuilder as invocation targets
Applications
API misuse detection
Use of void results from Android Java methods in JavaScript
Passing values of incompatible types between Android Java methods and JavaScript
Wrong number of arguments to Android Java methods from JavaScript
Private data leakage detection
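An added example (not from the slides or the HybriDroid code base): the two experimental type tables encoded as data and used to flag the three API misuse kinds at a JavaScript call site. The `Android` bridge object and its methods are constructed for illustration.

```javascript
// Added example, not HybriDroid code; bridge object and methods are constructed.
const JAVA = ["int", "float", "String", "boolean", "Object", "Array"];
// Argument table from the slide: "ok" = passes; otherwise what Java receives
// ("?" = no value given on the slide, "*" = depends on the array element type).
const ARG_TABLE = {
  Null:      ["null", "null", "null", "null", "null", "null"],
  Undefined: ["?", "?", '"undefined"', "?", "?", "?"],
  Number:    ["ok", "ok", "ok", "false", "null", "null"],
  Boolean:   ["0", "0", "ok", "ok", "null", "null"],
  String:    ["0", "0", "ok", "false", "null", "null"],
  Object:    ["0", "0", '"undefined"', "false", "null", "null"],
  Array:     ["0", "0", '"undefined"', "false", "null", "*"],
};
// Return table from the slide: Java return type -> what JavaScript observes.
const RET_TABLE = { int: "ok", float: "ok", String: "ok", boolean: "ok",
                    Object: "{}", Array: "undefined" };

// Map a JavaScript value to the row names used in the table.
function jsType(v) {
  if (v === null) return "Null";
  if (v === undefined) return "Undefined";
  if (Array.isArray(v)) return "Array";
  return { number: "Number", boolean: "Boolean", string: "String" }[typeof v] || "Object";
}

// Mock objects as bound by addJavascriptInterface: global name -> methods.
const BRIDGE = new Map([["Android", new Map([
  ["setVolume", { params: ["int"], returns: "void" }],
  ["log", { params: ["String", "boolean"], returns: "void" }],
  ["getContacts", { params: [], returns: "Array" }],
])]]);

// Report the slide's misuse kinds for one JavaScript call site.
function checkCall({ obj, method, args, resultUsed }) {
  const sig = BRIDGE.get(obj)?.get(method);
  if (!sig) return [`${obj}.${method} is not exposed to JavaScript`];
  const out = [];
  if (args.length !== sig.params.length)
    out.push(`wrong number of arguments: ${args.length} for ${sig.params.length}`);
  sig.params.slice(0, args.length).forEach((p, i) => {
    const row = jsType(args[i]);
    const cell = ARG_TABLE[row][JAVA.indexOf(p)];
    if (cell !== "ok" && cell !== "*")
      out.push(`argument ${i}: ${row} to ${p}, Java receives ${cell}`);
  });
  if (resultUsed && sig.returns === "void") out.push("void result used");
  else if (resultUsed && RET_TABLE[sig.returns] !== "ok")
    out.push(`${sig.returns} result arrives as ${RET_TABLE[sig.returns]}`);
  return out;
}
```

Calling `checkCall` with the actual argument values of a call site returns one message per finding, or an empty array when the call matches the table.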
Application: API Misuse Detection (I)
Application: API Misuse Detection (II)
Application: API Misuse Detection (III)
Application: Private Data Leakage Detection
Private data “sources” and “sinks” via network may be anywhere in Android Java and JavaScript.
Track flows of private data via data flow analysis and detect possible private data leakage.
Four kinds of private data flows
Android Java (source) ⇒ JavaScript (sink)
Android Java (source) ⇒ JavaScript ⇒ Android Java (sink)
JavaScript (source) ⇒ Android Java (sink)
JavaScript (source) ⇒ Android Java ⇒ JavaScript (sink)
Taint analysis based on WALA’s IFDS implementation
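An added example (not HybriDroid code) of how the four flow kinds fall out of a single graph that spans both languages. It uses plain path enumeration over a constructed flow graph rather than WALA's IFDS solver; all node names and edges are assumptions.

```javascript
// Added example, not HybriDroid code: node names and edges are constructed.
const J = "Android Java", S = "JavaScript";
const NODES = {
  getDeviceId:  { lang: J, source: true },
  bridgeGetId:  { lang: J },
  jsId:         { lang: S },
  xhrSend:      { lang: S, sink: true },
  bridgeUpload: { lang: J },
  socketWrite:  { lang: J, sink: true },
  geolocation:  { lang: S, source: true },
  jsPos:        { lang: S },
  bridgeStore:  { lang: J },
  jsCallback:   { lang: S },
};
// Data-flow edges; an edge that changes language stands for a bridge call
// (addJavascriptInterface) or a loadUrl("javascript:...") callback.
const EDGES = {
  getDeviceId: ["bridgeGetId"],
  bridgeGetId: ["jsId"],
  jsId:        ["xhrSend", "bridgeUpload"],
  bridgeUpload: ["socketWrite"],
  geolocation: ["jsPos"],
  jsPos:       ["bridgeUpload", "bridgeStore"],
  bridgeStore: ["jsCallback"],
  jsCallback:  ["xhrSend"],
};

// Enumerate source-to-sink paths and label each with its language sequence.
function findLeaks(nodes, edges) {
  const found = [];
  const walk = (n, path) => {
    if (path.includes(n)) return;              // cut cycles
    const p = [...path, n];
    if (nodes[n].sink && p.length > 1) found.push(p);
    (edges[n] || []).forEach((m) => walk(m, p));
  };
  Object.keys(nodes).filter((n) => nodes[n].source).forEach((n) => walk(n, []));
  return found.map((p) => ({
    source: p[0],
    sink: p[p.length - 1],
    // Collapse runs of the same language: J,J,S,S becomes "Android Java ⇒ JavaScript".
    kind: p.map((n) => nodes[n].lang)
           .filter((l, i, a) => i === 0 || l !== a[i - 1]).join(" ⇒ "),
  }));
}
```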
Limitations & Future Work
Cordova libraries
More implicit inter-language communications (?)
Android components
Concurrency
Events
Experiments with real-world hybrid applications