Teaching Android Mobile Securitypeople.rennes.inria.fr/Jean-Francois.Lalande/talks/... · Applications DEV app development MAL malware reverse PROJ AOSP classes BANK banking app reverse

Introduction Labs Evaluation Conclusion

Teaching Android Mobile Security

Jean-François Lalande Valérie Viet Triem Tong Pierre GrauxGuillaume Hiet Wojciech Mazurczyk Habiba Chaoui Pascal Berthomé

SIGCSE’19

MinneapolisFebruary 28th 2019

2 / 30


Android security?

Research

Attacks:design,models

Counter-measures:

protect,detect

Experiment,Visualize

Teaching

Malware?

Permissions?

Developapps?

2 / 30


Android security?

Research

Attacks:design,models

Counter-measures:

protect,detect

Experiment,Visualize

Teaching

Malware?

Permissions?

Developapps?

3 / 30


Android complexity

Thesis: working on security requires a deep understanding of Android

4 / 30


Android complexity

Thesis: working on security requires a deep understanding of Android

5 / 30


Bloom’s taxonomy

We used the levels of the cognitive process:

Remember – (you know about security?)UnderstandApplyAnalyze(Evaluate)(Create) – (student project, possibly linked with research)

6 / 30


Designing security labs with Bloom’s taxonomy

Soft.components

Cognitiveprocess Remember Understand Apply Analyze Eval. Create

ApplicationsDEV

app development

MALmalware reverse

PROJ

AOSP classesBANK

banking app reverse COVcovert channels

CLASSvulnerable class loader

DVM & ARTPACK

reverse packersAOSP internals

INSTcompile, flash MEM

memory forensicKERN

ROP programmingKernel

Cognitive Process

TO DESIGN

7 / 30


Outline

1 Introduction

2 Labs

3 Evaluation

4 Conclusion

8 / 30


DEV Lab: Android Development

Classical Android development labs.

Basic graphical interfacesMessaging componentsConcurrency, Synchronization, SensorsSecurity, Wear OS, Firebase Cloud Messaging

Learning outcomes: architecture of an app, REST communications

9 / 30


INST Lab - Compiling, Modifying, Flashing

Using real device for:Developing, testingFlashing, customizing ROMs

We use these smartphonesNexus 5, 5XSony Xperia X (premium series)

Kernel debugging on a Nexus 5X

Learning outcomes:Customize Android, compile and install.

10 / 30



Soft.components


ApplicationsDEV

app development

MALmalware reverse

PROJ

AOSP classesBANK



DVM & ARTPACK



memory forensicKERN


Cognitive Process

11 / 30


MAL Lab - Malware Reverse Engineering

Reverse engineering activities (2 examples from 6):

Ransomware: programming an antidote (bytecode editing)Spyware: capturing and sniffing HTTP requests for a dead remote server

Tools:Reverse: Bytecode Viewer, JadxSoot: parsing Java bytecodeNetwork tunneling: Ngrok

Learning outcomes:Security analysts adapt their methodology to the nature of the threat.

12 / 30


BANK Lab - Banking Application Reverse

Reverse engineering banking appsSteeling credentials

Tools:Jadx, Burp, Andbug

Learning outcomes:Comprehend the countermeasures ofregular apps.Try to bypass countermeasures.

13 / 30



Soft.components


ApplicationsDEV

app development

MALmalware reverse

PROJ

AOSP classesBANK



DVM & ARTPACK



memory forensicKERN


Cognitive Process

14 / 30


COV Lab - Developing Covert Channels

Exfiltrate data using a covert channelsExploit operating systems flawsDiscuss countermeasures

Tools:Android Studio

Learning outcomes:Comprehend cover channels.Bypass security policies.

15 / 30


MEM Lab - Memory Dump Forensic

Forensic of a memory dumpRecover credentials

Tools:Volatility

Learning outcomes:Comprehend the leaks induced by the memorymanagement.Simple forensic of memory dumps.

16 / 30



Soft.components


ApplicationsDEV

app development

MALmalware reverse

PROJ

AOSP classesBANK



DVM & ARTPACK



memory forensicKERN


Cognitive Process

17 / 30


CLASS Lab - Vulnerable Class Loader

Attack study:A vulnerable class loader

Tools:Android Studio, Jadx

Learning outcomes:Conduct an investigation.Find vulnerabilities.

18 / 30


PACK Lab - Packers

Reversing: why methods body are empty ?Obfuscated codeNative code packer unpacking bytecode atruntime

Tools:IDA pro, radar2

Learning outcomes:Analyze a packer.Combining static and dynamic analysis.

19 / 30


KERN Lab - Kernel ROP Attacks

We provide a vulnerable kernel driver.

Exploiting this vulnerability.Use ROP for putting a payload in memoryOvercome R and X memory exclusion

⇒ One of the most technically difficult labs!

Learning outcomes:Learning the security internals of AndroidDesigning attacks against the sytem.

20 / 30



Soft.components


ApplicationsDEV

app development

MALmalware reverse

PROJ

AOSP classesBANK



DVM & ARTPACK



memory forensicKERN


Cognitive Process

21 / 30



Soft.components


ApplicationsDEV

app development

MALmalware reverse

PROJ

AOSP classesBANK



DVM & ARTPACK



memory forensicKERN


Cognitive Process

22 / 30


Online material

Goal: reuse these labs for your own needs !

gitlab.inria.fr/jlalande/teaching-android-mobile-security/

Full text of 4 labs (2 more to come !)



23 / 30


Outline

1 Introduction

2 Labs

3 Evaluation

4 Conclusion

24 / 30


Evaluation survey

87 answers over 200 students88% followed the labs few months before6 labs evaluated

France: CentraleSupélec, INSA CVLPoland: Warsaw University of Technology,Morocco: Ibn Tofail University

25 / 30


Global quality of the labs

Students are happy with our labs :)

26 / 30


Labs provided me a fine understanding of Android security

Students do not over estimate their security skills. . .

27 / 30


Labs evaluation

Each lab was separately evaluated with this ranking [Campbell et al., SIGCSE’15]:

1. Unknown (No trace in my memory);2. Discovering (I recall some of the content);3. Intermediate (I understood most of the content);4. Good knowledge (I am able to do the lab again, without a supervisor and with

the help of documents);5. Advanced (I can reuse my knowledge in another use case).

GoalEvaluate a knowledge increment δ and a raw skill level m for each lab.

28 / 30


Labs evaluation results

Increment δ: +1.85: shifting from "Discovering" to "Good knowledge"Raw self-evaluation m of skills: 3.31 (="Intermediate")

INSTMAL

MEM

COV CLASS

DEV

1 2 3 4 5

1. Unknown2. Discovering3. Intermediate4. Good knowledge5. Advanced

29 / 30


Conclusion

A full set of labs for mobile securityFrom application level to kernel attacksWith Bloom’ taxonomy in mindMaterial available online

Perspectives

Play all the labs for the same studentsSubmit to Clark.center ?

c⃝Inria / C. Morel

Questions?

Jean-Francois [email protected]

Documents

Teaching Android Mobile Securitypeople.rennes.inria.fr/Jean-Francois.Lalande/talks/... · Applications DEV app development MAL malware reverse PROJ AOSP classes BANK banking app reverse