SlideShare une entreprise Scribd logo

18-mobile-malware.pptx

Télécharger en tant que PPTX, PDF
S
sundar110567

This document summarizes mobile malware and security issues in Android apps. It discusses identifying malware at app stores rather than on devices. It also describes a study that analyzed over 1 million Android apps from the Google Play store, finding that 85% used web interfaces and many were vulnerable. Additionally, it covers how outdated Android apps may disable security patches by targeting older Android versions and behaving in riskier default ways.

Internet
1  sur  92
Mobile Malware John Mitchell CS 155 Spring 2016
Outline • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches
Malware Trends
W
Based on FairPlay vulnerability • Requires malware on user PC, installation of malicious app in App Store • Continues to work after app removed from store • Silently installs app on phone
Android malware 2015
Current Android Malware Description AccuTrack This application turns an Android smartphone into a GPS tracker. Ackposts This Trojan steals contact information from the compromised device and uploads them to a remote server. Acnetdoor This Trojan opens a backdoor on the infected device and sends the IP address to a remote server. Adsms This is a Trojan which is allowed to send SMS messages. The distribution channel ... is through a SMS message containing the download link. Airpush/StopSMS Airpush is a very aggresive Ad-Network. … BankBot This malware tries to steal users’ confidential information and money from bank and mobile accounts associated with infected devices. http://forensics.spreitzenbarth.de/android-malware/
Trends 2014-15
Android free antivirus apps … 1. Comodo Security & Antivirus 2. CM Security Antivirus AppLock 3. 360 Security - Antivirus Boost 4. Sophos Free Antivirus and Security 5. Malwarebytes Anti- Malware 6. Bitdefender Antivirus Free http://www.androidcentral.com/top-free-antivirus-apps-android
• “Even security companies know the risk is low — that's why apps are packaged with other selling points.” - AndroidCentral • Kevin Haley, Symantec's Director of Symantec Security Response: – "Symantec sees an important role to play in helping to protect data and mobile devices from being exposed to risk," … – "While Symantec sees its purpose in the mobile landscape as providing security against malware, fraud and scams; we also protect devices against loss and theft — loss of the device itself, as well as the information on it. In addition, Symantec helps businesses protect and manage their data being stored or transmitted through the mobile devices of their employees." http://www.androidcentral.com/antivirus-android-do-you-need-it
Android malware example
Install malicious “conference app”
Malware behavior triggered by C&C server (Chuli)
Outline • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches
STAMP Admission System Static Dynamic STAMP Static Analysis More behaviors, fewer details Dynamic Analysis Fewer behaviors, more details Alex Aiken, John Mitchell, Saswat Anand, Jason Franklin Osbert Bastani, Lazaro Clapp, Patrick Mutchler, Manolis Papadakis
Abstract program execution • States: mapping of variable names to values • Transitions: relation on pairs of states • Traces: sequence of states or state, transition pairs
Analysis Convert bytecode to intermediate format (called Quads) Step 1 Compute call graph using Class Hierarchy Analysis Step 2 Build an edge-labeled graph G by processing Quads of each class Step 3 Add new edges to G as per a set of rules until no rules apply Step 4
Data Flow Analysis getLoc() sendSMS() sendInet() Source: Location Sink: SMS Sink: Internet Location SMS Location Internet • Source-to-sink flows o Sources: Location, Calendar, Contacts, Device ID etc. o Sinks: Internet, SMS, Disk, etc.
Data Flow Analysis in Action • Vulnerability Discovery Privacy Policy This app collects your: Contacts Phone Number Address FB API Send Internet Source: FB_Data Sink: Internet Web Source: Untrusted_Data SQL Stmt Sink: SQL • Malware/Greyware Analysis o Data flow summaries enable enterprise-specific policies • API Misuse and Data Theft Detection • Automatic Generation of App Privacy Policies o Avoid liability, protect consumer privacy
Challenges • Android is 3.4M+ lines of complex code o Uses reflection, callbacks, native code • Scalability: Whole system analysis impractical • Soundness: Avoid missing flows • Precision: Minimize false positives
STAMP Approach • Model Android/Java o Sources and sinks o Data structures o Callbacks o 500+ models • Whole-program analysis o Context sensitive Android Models App App Too expensive! OS HW
Data We Track (Sources) • Account data • Audio • Calendar • Call log • Camera • Contacts • Device Id • Location • Photos (Geotags) • SD card data • SMS 30+ types of sensitive data
Data Destinations (Sinks) • Internet (socket) • SMS • Email • System Logs • Webview/Browser • File System • Broadcast Message 10+ types of exit points
Currently Detectable Flow Types Unique Flow Types = Sources x Sink 396 Flow Types
Example Analysis Contact Sync for Facebook (unofficial) Description: This application allows you to synchronize your Facebook contacts on Android. IMPORTANT: * "Facebook does not allow [sic] to export phone numbers or emails. Only names, pictures and statuses are synced." * "Facebook users have the option to block one or all apps. If they opt for that, they will be EXCLUDED from your friends list." Privacy Policy: (page not found)
Chuli source-to-sink flows
Possible Flows from Permissions Sources Sinks INTERNET READ_CONTACTS WRITE_SETTINGS READ_SYNC_SETTINGS WRITE_CONTACTS READ_SYNC_STATS GET_ACCOUNTS WRITE_SECURE_SETTINGS WRITE_SETTINGS INTERNET
Expected Flows Sources Sinks INTERNET READ_CONTACTS WRITE_SETTINGS READ_SYNC_SETTINGS WRITE_CONTACTS READ_SYNC_STATS GET_ACCOUNTS WRITE_SECURE_SETTINGS WRITE_SETTINGS INTERNET
Observed Flows FB API Write Contacts Send Internet Source: FB_Data Sink: Contact_Book Sink: Internet Read Contacts Source: Contacts
Outline • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches
A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna
Mobile Apps
Mobile Apps
Mobile Apps
• Mobile web app: embeds a fully functional web browser as a UI element Mobile Web Apps
Obj foo = new Object(); addJavascriptInterface(foo, ‘f’); JavaScript Bridge Java JavaScript
JavaScript Bridge Java JavaScript f.bar();
Security Concerns • Who can access the bridge? – Everyone
Isolated in Browser
No origin distinction in WebView Java JavaScript f.bar();
Static Analysis • How many mobile web apps? • How many use JavaScript Bridge? • How many vulnerable?
Experimental Results • 737,828 free apps from Google Play (Oct ’13) • 563,109 apps embed a browser • 219,404 use the JavaScript Bridge • 107,974 have at least one security violation
Most significant vulnerabilities 1. Loading untrusted web content 2. Leaking URLs to foreign apps 3. Exposing state changing navigation to foreign apps
1. Loading untrusted web content 2. Leaking URLs to foreign apps 3. Exposing state changing navigation to foreign apps
“You should restrict the web-pages that can load inside your WebView with a whitelist.” - Facebook
“…only loading content from trusted sources into WebView will help protect users.” - Adrian Ludwig, Google
1. Navigate to untrusted content
// In app code myWebView.loadUrl(“foo.com”);
<!-- In HTML --> <a href=“foo.com”>click!</a>
<!-- More HTML --> <iframe src=“foo.com”/>
// In JavaScript window.location = “foo.com”;
public boolean shouldOverrideUrlLoading( WebView view, String url){ // False -> Load URL in WebView // True -> Prevent the URL load }
public boolean shouldOverrideUrlLoading( WebView view, String url){ String host = new URL(url).getHost(); if(host.equals(“stanford.edu”)) return false; log(“Overrode URL: ” + url); return true; }
Reach Untrusted Content? • 40,084 apps with full URLs and use JavaScript Bridge • 13,683 apps (34%) can reach untrusted content
Use HTTPS? • 152,706 apps with partially computed URLs • 87,968 apps (57%) with HTTP URLs
Handling SSL Errors onReceivedSslError 1. handler.proceed() 2. handler.cancel() 3. view.loadUrl(...)
Mishandling SSL Errors • 117,974 apps implement onReceivedSslError • 29,652 apps (25%) must ignore errors
Vulnerability % Relevant % Vulnerable Unsafe Nav 15 34 HTTP 40 56 Unsafe HTTPS 27 29 Primary results
Popularity
Outdated Apps
29% unsafe nav Libraries 51% HTTP 53% unsafe HTTPS
Additional security issues Based on 998,286 free web apps from June 2014
Takeaways • Apps must not load untrusted content into WebViews • Able to identify violating apps using static analysis • Vulnerabilities are present in the entire app ecosystem
Outline • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches
Target Fragmentation in Android Apps Patrick Mutchler John Mitchell Yeganeh Safaei Adam Doupe
Android apps can run using outdated OS behavior - The large majority of Android apps do this - Including popular and well maintained apps Takeaways Outdated security code invisibly permeates the app ecosystem - “Patched” security vulnerabilities still exist in the wild - “Risky by default” behavior is widespread
What is target fragmentation? Target fragmentation statistics Security consequences Roadmap
What is target fragmentation? Target fragmentation statistics Security consequences Roadmap
“If the device is running Android 6.0 or higher… [the app] must request each dangerous permission that it needs while the app is running. - Android Developer Reference
“If the device is running Android 6.0 or higher and your app's target SDK is 6.0 or higher [the app] must request each dangerous permission that it needs while the app is running. - Android Developer Reference
“If the [operating system version of the device] is higher than the version declared by your app’s targetSdkVersion, the system may enable compatibility behaviors to ensure that your app continues to work the way you expect.” - Android Developer Reference
What is target fragmentation? Target fragmentation statistics Security consequences Roadmap
1,232,696 Android Apps Popularity, Category, Update, and Developer metadata Collected between May 2012 and Dec 2015 Broken into five datasets by collection date Dataset
Android 5.0 Released Android 5.1 Released Android 6.0 Released App Collecte d Outdatedness
App Collecte d Outdatedness App Updated Negligent Outdatedness Android 5.0 Released Android 5.1 Released Android 6.0 Released
What is target fragmentation? Target fragmentation statistics Security consequences Roadmap
Fragment Injection Vulnerable App PreferenceActivity Attacked Fragment Malicious Intent Extra.SHOW_FRAGMENT “Attacked Fragment” Extra.SHOW_FRAG_ARG Data Other Extras securityintelligence.com/new-vulnerability-android-framework-fragment-injection/
Fragment Injection Fixed in Android 4.4 Developers implement isValidFragment to authorize fragments // Put this in your app protected boolean isValidFragment(String fName){ return MyFrag.class.getName().equals(fName); }
Fragment Injection Vulnerable if: - Targets 4.3 or lower (31%) - Some class inherits from PreferenceActivity (4.8%) - That class is exported (1.1%) - That class does not override isValidFragment (0.55%) 4.2% of apps vulnerable if no fix was ever implemented
Mixed Content in WebView
Mixed Content in WebView Major web browsers block Mixed Content In Android 5.0, WebViews block Mixed Content by default Can override default with setMixedContentMode()
SOP for file:// URLs in WebView Android 4.1 separate file:// URLs are treated as unique origins Can override with setAllowFileAccessFromFileURLs()
Android apps can run using outdated OS behavior - The large majority of Android apps do this - Including popular and well maintained apps Outdated security code invisibly permeates the app ecosystem - “Patched” security vulnerabilities still exist in the wild - “Risky by default” behavior is widespread Recap
Summary • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches

Recommandé

Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application PlatformNugroho Gito
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
Keeping up with the Revolution in IT Security
Keeping up with the Revolution in IT SecurityKeeping up with the Revolution in IT Security
Keeping up with the Revolution in IT SecurityDistil Networks
 
Transforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending AppsTransforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending AppsBlueboxer2014
 
Droidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon Berlin
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium SecurityJack Mannino
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 

Recommandé

Mobile Enterprise Application Platform
Mobile Enterprise Application PlatformMobile Enterprise Application Platform
Mobile Enterprise Application PlatformNugroho Gito
 
Mobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the AttackerMobile Application Security Threats through the Eyes of the Attacker
Mobile Application Security Threats through the Eyes of the Attackerbugcrowd
 
Keeping up with the Revolution in IT Security
Keeping up with the Revolution in IT SecurityKeeping up with the Revolution in IT Security
Keeping up with the Revolution in IT SecurityDistil Networks
 
Transforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending AppsTransforming Risky Mobile Apps into Self Defending Apps
Transforming Risky Mobile Apps into Self Defending AppsBlueboxer2014
 
Droidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon Berlin
 
Malware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthMalware on Smartphones and Tablets - The Inconvenient Truth
Malware on Smartphones and Tablets - The Inconvenient TruthAGILLY
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium SecurityJack Mannino
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsAlan Kan
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
Application security
Application securityApplication security
Application securityHagar Alaa el-din
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Krisshhna Daasaarii
 
Building an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessBuilding an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessPriyanka Aash
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumDeutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumZimperium
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securitySam Bowne
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyserTim Youm
 
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile AppsSophos Benelux
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsCognizant
 
Top Application Security Threats
Top Application Security Threats Top Application Security Threats
Top Application Security Threats ColumnInformationSecurity
 
Cyber Security Predictions 2016
Cyber Security Predictions 2016Cyber Security Predictions 2016
Cyber Security Predictions 2016Quick Heal Technologies Ltd.
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyMichael Davis
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperHarsimran Walia
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSTobias Koprowski
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksIBM Security
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 

Contenu connexe

Similaire à 18-mobile-malware.pptx

Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
Building an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessBuilding an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessPriyanka Aash
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecuritySubho Halder
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Cenzic
 
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumDeutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumZimperium
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securitySam Bowne
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyserTim Youm
 
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsCognizant
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyMichael Davis
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperHarsimran Walia
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSTobias Koprowski
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksIBM Security
 

Similaire à 18-mobile-malware.pptx (20)

Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
Application security
Application securityApplication security
Application security
 
Mobile Apps Security Testing -1
Mobile Apps Security Testing -1Mobile Apps Security Testing -1
Mobile Apps Security Testing -1
 
Building an Android Scale Incident Response Process
Building an Android Scale Incident Response ProcessBuilding an Android Scale Incident Response Process
Building an Android Scale Incident Response Process
 
Unicom Conference - Mobile Application Security
Unicom Conference - Mobile Application SecurityUnicom Conference - Mobile Application Security
Unicom Conference - Mobile Application Security
 
Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...Essentials of Web Application Security: what it is, why it matters and how to...
Essentials of Web Application Security: what it is, why it matters and how to...
 
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - ZimperiumDeutsche Telekom Partnering Operating Alliance Summit - Zimperium
Deutsche Telekom Partnering Operating Alliance Summit - Zimperium
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
CNIT 128 8: Mobile development security
CNIT 128 8: Mobile development securityCNIT 128 8: Mobile development security
CNIT 128 8: Mobile development security
 
Unified application security analyser
Unified application security analyserUnified application security analyser
Unified application security analyser
 
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложенийSECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
SECON'2017, Чемёркин Юрий, Безопасность данных мобильных приложений
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Mobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, SolutionsMobile Banking Security: Challenges, Solutions
Mobile Banking Security: Challenges, Solutions
 
Top Application Security Threats
Top Application Security Threats Top Application Security Threats
Top Application Security Threats
 
Cyber Security Predictions 2016
Cyber Security Predictions 2016Cyber Security Predictions 2016
Cyber Security Predictions 2016
 
ISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and PrivacyISACA CACS 2012 - Mobile Device Security and Privacy
ISACA CACS 2012 - Mobile Device Security and Privacy
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
I haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaperI haz you and pwn your maal whitepaper
I haz you and pwn your maal whitepaper
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
 
Mobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging RisksMobile Payments: Protecting Apps and Data from Emerging Risks
Mobile Payments: Protecting Apps and Data from Emerging Risks
 

Dernier

Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Sheetaleventcompany
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...singhpriety023
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Onlineanilsa9823
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...Neha Pandey
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.soniya singh
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLimonikaupta
 

Dernier (20)

Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
Call Girls Service Chandigarh Lucky ❤️ 7710465962 Independent Call Girls In C...
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
VIP Model Call Girls Hadapsar ( Pune ) Call ON 9905417584 Starting High Prof...
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service OnlineCALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
CALL ON ➥8923113531 🔝Call Girls Lucknow Lucknow best sexual service Online
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Daund ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Sarai Rohilla Escort Service Delhi N.C.R.
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
(INDIRA) Call Girl Pune Call Now 8250077686 Pune Escorts 24x7
 

18-mobile-malware.pptx

  • 2. Outline • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches
  • 4. W
  • 5.
  • 6. Based on FairPlay vulnerability • Requires malware on user PC, installation of malicious app in App Store • Continues to work after app removed from store • Silently installs app on phone
  • 8. Current Android Malware Description AccuTrack This application turns an Android smartphone into a GPS tracker. Ackposts This Trojan steals contact information from the compromised device and uploads them to a remote server. Acnetdoor This Trojan opens a backdoor on the infected device and sends the IP address to a remote server. Adsms This is a Trojan which is allowed to send SMS messages. The distribution channel ... is through a SMS message containing the download link. Airpush/StopSMS Airpush is a very aggresive Ad-Network. … BankBot This malware tries to steal users’ confidential information and money from bank and mobile accounts associated with infected devices. http://forensics.spreitzenbarth.de/android-malware/
  • 10. Android free antivirus apps … 1. Comodo Security & Antivirus 2. CM Security Antivirus AppLock 3. 360 Security - Antivirus Boost 4. Sophos Free Antivirus and Security 5. Malwarebytes Anti- Malware 6. Bitdefender Antivirus Free http://www.androidcentral.com/top-free-antivirus-apps-android
  • 11. • “Even security companies know the risk is low — that's why apps are packaged with other selling points.” - AndroidCentral • Kevin Haley, Symantec's Director of Symantec Security Response: – "Symantec sees an important role to play in helping to protect data and mobile devices from being exposed to risk," … – "While Symantec sees its purpose in the mobile landscape as providing security against malware, fraud and scams; we also protect devices against loss and theft — loss of the device itself, as well as the information on it. In addition, Symantec helps businesses protect and manage their data being stored or transmitted through the mobile devices of their employees." http://www.androidcentral.com/antivirus-android-do-you-need-it
  • 14. Malware behavior triggered by C&C server (Chuli)
  • 15. Outline • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches
  • 16. STAMP Admission System Static Dynamic STAMP Static Analysis More behaviors, fewer details Dynamic Analysis Fewer behaviors, more details Alex Aiken, John Mitchell, Saswat Anand, Jason Franklin Osbert Bastani, Lazaro Clapp, Patrick Mutchler, Manolis Papadakis
  • 17. Abstract program execution • States: mapping of variable names to values • Transitions: relation on pairs of states • Traces: sequence of states or state, transition pairs
  • 18. Analysis Convert bytecode to intermediate format (called Quads) Step 1 Compute call graph using Class Hierarchy Analysis Step 2 Build an edge-labeled graph G by processing Quads of each class Step 3 Add new edges to G as per a set of rules until no rules apply Step 4
  • 19. Data Flow Analysis getLoc() sendSMS() sendInet() Source: Location Sink: SMS Sink: Internet Location SMS Location Internet • Source-to-sink flows o Sources: Location, Calendar, Contacts, Device ID etc. o Sinks: Internet, SMS, Disk, etc.
  • 20. Data Flow Analysis in Action • Vulnerability Discovery Privacy Policy This app collects your: Contacts Phone Number Address FB API Send Internet Source: FB_Data Sink: Internet Web Source: Untrusted_Data SQL Stmt Sink: SQL • Malware/Greyware Analysis o Data flow summaries enable enterprise-specific policies • API Misuse and Data Theft Detection • Automatic Generation of App Privacy Policies o Avoid liability, protect consumer privacy
  • 21. Challenges • Android is 3.4M+ lines of complex code o Uses reflection, callbacks, native code • Scalability: Whole system analysis impractical • Soundness: Avoid missing flows • Precision: Minimize false positives
  • 22. STAMP Approach • Model Android/Java o Sources and sinks o Data structures o Callbacks o 500+ models • Whole-program analysis o Context sensitive Android Models App App Too expensive! OS HW
  • 23. Data We Track (Sources) • Account data • Audio • Calendar • Call log • Camera • Contacts • Device Id • Location • Photos (Geotags) • SD card data • SMS 30+ types of sensitive data
  • 24. Data Destinations (Sinks) • Internet (socket) • SMS • Email • System Logs • Webview/Browser • File System • Broadcast Message 10+ types of exit points
  • 25. Currently Detectable Flow Types Unique Flow Types = Sources x Sink 396 Flow Types
  • 26. Example Analysis Contact Sync for Facebook (unofficial) Description: This application allows you to synchronize your Facebook contacts on Android. IMPORTANT: * "Facebook does not allow [sic] to export phone numbers or emails. Only names, pictures and statuses are synced." * "Facebook users have the option to block one or all apps. If they opt for that, they will be EXCLUDED from your friends list." Privacy Policy: (page not found)
  • 28. Possible Flows from Permissions Sources Sinks INTERNET READ_CONTACTS WRITE_SETTINGS READ_SYNC_SETTINGS WRITE_CONTACTS READ_SYNC_STATS GET_ACCOUNTS WRITE_SECURE_SETTINGS WRITE_SETTINGS INTERNET
  • 30. Observed Flows FB API Write Contacts Send Internet Source: FB_Data Sink: Contact_Book Sink: Internet Read Contacts Source: Contacts
  • 31. Outline • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches
  • 32. A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna
  • 36. • Mobile web app: embeds a fully functional web browser as a UI element Mobile Web Apps
  • 37. Obj foo = new Object(); addJavascriptInterface(foo, ‘f’); JavaScript Bridge Java JavaScript
  • 39. Security Concerns • Who can access the bridge? – Everyone
  • 41. No origin distinction in WebView Java JavaScript f.bar();
  • 42. Static Analysis • How many mobile web apps? • How many use JavaScript Bridge? • How many vulnerable?
  • 43. Experimental Results • 737,828 free apps from Google Play (Oct ’13) • 563,109 apps embed a browser • 219,404 use the JavaScript Bridge • 107,974 have at least one security violation
  • 44. Most significant vulnerabilities 1. Loading untrusted web content 2. Leaking URLs to foreign apps 3. Exposing state changing navigation to foreign apps
  • 45. 1. Loading untrusted web content 2. Leaking URLs to foreign apps 3. Exposing state changing navigation to foreign apps
  • 46. “You should restrict the web-pages that can load inside your WebView with a whitelist.” - Facebook
  • 47. “…only loading content from trusted sources into WebView will help protect users.” - Adrian Ludwig, Google
  • 48. 1. Navigate to untrusted content
  • 49. // In app code myWebView.loadUrl(“foo.com”);
  • 50. <!-- In HTML --> <a href=“foo.com”>click!</a>
  • 51. <!-- More HTML --> <iframe src=“foo.com”/>
  • 53. public boolean shouldOverrideUrlLoading( WebView view, String url){ // False -> Load URL in WebView // True -> Prevent the URL load }
  • 54. public boolean shouldOverrideUrlLoading( WebView view, String url){ String host = new URL(url).getHost(); if(host.equals(“stanford.edu”)) return false; log(“Overrode URL: ” + url); return true; }
  • 55. Reach Untrusted Content? • 40,084 apps with full URLs and use JavaScript Bridge • 13,683 apps (34%) can reach untrusted content
  • 56. Use HTTPS? • 152,706 apps with partially computed URLs • 87,968 apps (57%) with HTTP URLs
  • 57. Handling SSL Errors onReceivedSslError 1. handler.proceed() 2. handler.cancel() 3. view.loadUrl(...)
  • 58. Mishandling SSL Errors • 117,974 apps implement onReceivedSslError • 29,652 apps (25%) must ignore errors
  • 59. Vulnerability % Relevant % Vulnerable Unsafe Nav 15 34 HTTP 40 56 Unsafe HTTPS 27 29 Primary results
  • 63. Additional security issues Based on 998,286 free web apps from June 2014
  • 64. Takeaways • Apps must not load untrusted content into WebViews • Able to identify violating apps using static analysis • Vulnerabilities are present in the entire app ecosystem
  • 65. Outline • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches
  • 66. Target Fragmentation in Android Apps Patrick Mutchler John Mitchell Yeganeh Safaei Adam Doupe
  • 67. Android apps can run using outdated OS behavior - The large majority of Android apps do this - Including popular and well maintained apps Takeaways Outdated security code invisibly permeates the app ecosystem - “Patched” security vulnerabilities still exist in the wild - “Risky by default” behavior is widespread
  • 68. What is target fragmentation? Target fragmentation statistics Security consequences Roadmap
  • 69. What is target fragmentation? Target fragmentation statistics Security consequences Roadmap
  • 70. “If the device is running Android 6.0 or higher… [the app] must request each dangerous permission that it needs while the app is running. - Android Developer Reference
  • 71. “If the device is running Android 6.0 or higher and your app's target SDK is 6.0 or higher [the app] must request each dangerous permission that it needs while the app is running. - Android Developer Reference
  • 72. “If the [operating system version of the device] is higher than the version declared by your app’s targetSdkVersion, the system may enable compatibility behaviors to ensure that your app continues to work the way you expect.” - Android Developer Reference
  • 73. What is target fragmentation? Target fragmentation statistics Security consequences Roadmap
  • 74. 1,232,696 Android Apps Popularity, Category, Update, and Developer metadata Collected between May 2012 and Dec 2015 Broken into five datasets by collection date Dataset
  • 76.
  • 77.
  • 79.
  • 80. What is target fragmentation? Target fragmentation statistics Security consequences Roadmap
  • 81. Fragment Injection Vulnerable App PreferenceActivity Attacked Fragment Malicious Intent Extra.SHOW_FRAGMENT “Attacked Fragment” Extra.SHOW_FRAG_ARG Data Other Extras securityintelligence.com/new-vulnerability-android-framework-fragment-injection/
  • 82. Fragment Injection Fixed in Android 4.4 Developers implement isValidFragment to authorize fragments // Put this in your app protected boolean isValidFragment(String fName){ return MyFrag.class.getName().equals(fName); }
  • 83. Fragment Injection Vulnerable if: - Targets 4.3 or lower (31%) - Some class inherits from PreferenceActivity (4.8%) - That class is exported (1.1%) - That class does not override isValidFragment (0.55%) 4.2% of apps vulnerable if no fix was ever implemented
  • 84. Mixed Content in WebView
  • 85. Mixed Content in WebView Major web browsers block Mixed Content In Android 5.0, WebViews block Mixed Content by default Can override default with setMixedContentMode()
  • 86.
  • 87.
  • 88. SOP for file:// URLs in WebView Android 4.1 separate file:// URLs are treated as unique origins Can override with setAllowFileAccessFromFileURLs()
  • 89.
  • 90.
  • 91. Android apps can run using outdated OS behavior - The large majority of Android apps do this - Including popular and well maintained apps Outdated security code invisibly permeates the app ecosystem - “Patched” security vulnerabilities still exist in the wild - “Risky by default” behavior is widespread Recap
  • 92. Summary • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches

Notes de l'éditeur

  1. 30 seconds
  2. 5 minutes
  3. 29% unsafe nav 51% http 53% https
  4. Outline
  5. Story to explain why targetSdkVersion exists. Requiring code changes to run on new OS versions hurts forwards compatibility.
  6. Story to explain why targetSdkVersion exists. Requiring code changes to run on new OS versions hurts forwards compatibility.
  7. Describe targetSdkVersion design Not all old code is used.
  8. Set up outdatedness here!
  9. We aren’t just concerned with whether an app is out of date. We are concerned with how out of date that app is. Define outdatedness.
  10. Cumulative distribution of outdatedness for apps collected in December 2015 8% of apps target the most current version (6.0, released in October) 50% of apps target versions at least 500 days out of date 20% of apps target versions at least 1000 days out of date
  11. Cumulative distributions for different install counts. Apps installed 10m times are a bit better but target fragmentation is still a severe problem. Fewer than 20% target 6.0. 80th percentile is still about two years out of date.
  12. Lets be even more generous and account for stale apps on the app store. Define negligent outdatedness
  13. Compare negligent outdatedness and outdatedness curves. Shows that stale apps are not the primary cause of outdatedness.
  14. Outline
  15. Introduce and explain fragment injection attack
  16. Describe the solution for fragment injection. Fixed on Sep 3rd 2013. But what happens when you don’t implement isValidFragment?
  17. Vulnerability rates. The “fix” has only reduced the vuln rate to 20% of what it would be if no fix was ever implemented.
  18. Define mixed content and explain what webview is.
  19. Explain mixed content changes
  20. We cannot directly measure the number of “vulnerable” apps that allow mixed content because it is possible to do so safely. Instead we try to understand the number of apps that “accidentally” allow mixed content.
  21. Assume that the % of apps that want to allow mixed content is constant Red bar are apps that allow mixed content unnecessarily Red bar represents 18% of apps from December
  22. Difference is 64%. 15% of apps target <16 9.6% of all apps
  23. Difference is 64%. 15% of apps target <16 9.6% of all apps You can see this going two ways: One is that developers who use Feature X are more likely to retarget when a security change comes to Feature X One is that developers who use Feature X are *less* likely to retarget when a change comes to Feature X because it breaks their code Apps that use PreferenceActivity target 19+ 66% of the time while the general population targets 19+ 69% of the time. Apps that use WebView... Apps that export Content Providers
  24. Big takeaways from this paper Make third point into a sentence Make this last point punchier