App Markets - Universität des Saarlandes
Android Security - SS 2016

SECURITY IMPACT OF MARKETS
§ Markets streamline the process of finding and installing applications
- Form an easy-to-use central software distribution channel, even for most casual users
§ As such, markets can be
- A very powerful first line of defense against malicious or vulnerable applications
- ... a very powerful attacker against the end-user
MARKETS AS FIRST LINE OF DEFENSE
§ Market operators have an interest in a "healthy ecosystem"
- No harmful applications for the user are being distributed via the market (spyware, fraud apps, ransomware, backdoors, spam, ...)
• In fact, most users would expect this from the market
• But: A common notion of security and privacy is hard to define and very subjective (functionality desired by one user may be considered harmful by another)
MALWARE DISTRIBUTION [9]
[Chart: malware samples found per market: Google Play*, eoeMarket, alcatelclub, gfan, mmoovv; *Has remote kill capability]
[Zhou et al., NDSS 2012]

MALWARE DISTRIBUTION [6]
MALWARE PREVALENCE [68,6]
§ Scanned 1.2 million apps from 33 markets (most in China)
§ 127,429 malware discovered, at least 20 likely zero-day apps
- 34,026 of those were missed by existing scanners on VirusTotal (syndicates ≈50 different AV products)
- 30,552 from Play
§ Malware Genome Project:
MALWARE PREVALENCE [69]
§ Google's self-reporting:
- <1% of devices with a harmful app for 2015
- ≈0.5% of all devices on average had a harmful app installed
[Chart: GhostPush campaign]
MARKETS AS FIRST LINE OF DEFENSE
§ Market operators have an interest in a "healthy ecosystem"
- App developers want their intellectual property and revenue to be protected (app piracy, siphoning ad revenues, ...)
• App developers will demand this from the market
REPACKAGING [9,10]
§ APK is simply an archive file format
- Unzip, modify content, re-zip
- Easy to make an application malicious (trojan, virus, change ad IDs)
§ But: APKs are signed. Why is repackaging possible?
- Technically easy to remove ("strip") the original signature and re-sign the re-packaged APK with a new certificate
- Certificates are self-signed (easy); and everybody can be a developer on the Android market and be able to sign apps for publication (still easy)
§ Does not allow malicious updates of an already installed app (an update must be signed with the same certificate), but breaks trust-on-first-install
§ Repackaging is one of the major attack vectors on alternative markets
- Distribute malware
- Siphon ad revenue from legitimate/original developers
IMPACT OF ANDROID APPLICATION PLAGIARISM [11]
§ Investigation of HTTP advertising traffic generated by mobile applications at a tier-1 US cellular carrier for 12 days in 2012
- Analysis of 265,359 free applications from 17 Android markets around the world
• Detect "clones" of apps: 5,431 clone clusters consisting of 44,268 unique applications
• Be able to identify original apps' and their clones' traffic in the captured traces (admob ids, strings, etc.)
Lost revenue calculated to be between 10–50%!
MARKETS AS FIRST LINE OF DEFENSE
§ Market's possibilities for improving and maintaining the hygiene of the app ecosystem
- Impose and enforce policies, e.g., data access and distribution, user consent and transparency (app vetting)
- Warn users about (potentially) harmful applications on their devices and let users decide whether to keep those apps or not
• For threats that are undisputedly malware, take automatic measures and inform users after the fact
- Warn developers about vulnerable (external) code and bad security practices in their submitted apps
• Block app publication unless fixed
GOOGLE'S SELF-DEFINED ROLE [69]
§ For instance, Google's perspective on its role in the ecosystem:
MARKETS AS FIRST LINE OF DEFENSE
§ At the heart of those measures:
- Monitoring the current state of the ecosystem at large, e.g., market services running on the end-user devices as data collection points
GOOGLE'S DATA COLLECTION [69]
"Through aggregated, anonymized security data sent from user devices, we gather information and monitor the general state of the Android ecosystem. These services scan for Potentially Harmful Applications at install time, perform regular scans of installed applications, and provide user protection. The services also automatically send anonymized data back to Google, which we use to monitor the overall cleanliness of the Android ecosystem."
"At the end of 2015, Google provided over 400 million device security scans each day, contributing billions of pieces of new data to our analysis engine every day."
MARKETS AS FIRST LINE OF DEFENSE
§ At the heart of those measures:
- Analyzing submitted and discovered apps
• Static analysis: Extract application features and compare them to expected good/bad behavior; can analyze apps at large scale
• Dynamic analysis: Complements static analysis, discovers runtime behavior (e.g., network connections) and can use static analysis results as input
• Heuristics, signatures, and similarity analysis: Compare an app's signature (e.g., hash of code) to a list of known apps for identification; compare the app's similarity to other known good/bad behavior (e.g., using machine learning)
• External information: E.g., input by partners and independent researchers, background information on the app developer
STATIC ANALYSIS: DROIDMOSS [12]
§ Pair-wise similarity measurement between apps using fuzzy hashing based on apps' features
- Study result: Cloned apps mainly used to siphon ad revenue; few cases with backdoors/malware
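Added example of the fuzzy-hashing idea behind DroidMoss (not DroidMoss's own code): context-triggered piecewise hashing over an app's opcode sequence, so that a repackaged clone with an inserted code block still scores close to the original. The opcode sequences, window size and trigger value are constructed assumptions; in practice the sequences would be extracted from each app's Dalvik bytecode.

```python
"""Fuzzy-hash similarity of opcode sequences, in the spirit of DroidMoss.

Added example (not DroidMoss's own code). The opcode streams below are
constructed toy data standing in for per-app Dalvik opcode sequences."""
import hashlib
from difflib import SequenceMatcher

WINDOW = 4    # rolling-hash window, in opcodes
TRIGGER = 8   # chunk boundary whenever rolling hash % TRIGGER == TRIGGER - 1
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def op_value(op):
    """Stable 32-bit value for an opcode name."""
    return int.from_bytes(hashlib.sha256(op.encode()).digest()[:4], "big")


def rolling_hash(window):
    h = 0
    for op in window:
        h = (h * 31 + op_value(op)) & 0xFFFFFFFF
    return h


def piece_char(piece):
    """Map one chunk of opcodes to a single hash character."""
    digest = hashlib.sha256(" ".join(piece).encode()).digest()
    return ALPHABET[digest[0] % len(ALPHABET)]


def fuzzy_hash(opcodes):
    """Context-triggered piecewise hashing: chunk boundaries depend only on the
    local opcode context, so an insertion perturbs only the chunks around it."""
    out, piece = [], []
    for i, op in enumerate(opcodes):
        piece.append(op)
        if rolling_hash(opcodes[max(0, i - WINDOW + 1):i + 1]) % TRIGGER == TRIGGER - 1:
            out.append(piece_char(piece))
            piece = []
    if piece:
        out.append(piece_char(piece))
    return "".join(out)


def similarity(opcodes_a, opcodes_b):
    """Similarity of two apps in percent: edit similarity of their fuzzy hashes."""
    ratio = SequenceMatcher(None, fuzzy_hash(opcodes_a), fuzzy_hash(opcodes_b)).ratio()
    return round(100 * ratio)


# Constructed opcode streams (toy data, not taken from real apps).
BASE = ["const/4", "invoke-virtual", "move-result", "if-eqz", "iget-object",
        "invoke-static", "new-instance", "invoke-direct", "const-string",
        "return-void", "aput-object", "goto", "sget-object", "check-cast",
        "add-int/lit8", "if-nez", "iput-object", "move-object",
        "invoke-interface", "return"]
ORIGINAL = [BASE[(i * 7 + i // 3) % len(BASE)] for i in range(150)]
AD_LIB_SWAP = ["const-string", "invoke-static", "move-result-object",
               "invoke-virtual", "const-string", "invoke-virtual", "return-void"]
CLONE = ORIGINAL[:70] + AD_LIB_SWAP + ORIGINAL[70:]    # repackaged: ad code inserted
UNRELATED = [BASE[(i * 11 + 3) % len(BASE)] for i in range(150)]

if __name__ == "__main__":
    print("clone     :", similarity(ORIGINAL, CLONE), "%")
    print("unrelated :", similarity(ORIGINAL, UNRELATED), "%")
```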
STATIC ANALYSIS: DNADROID [13]
§ Pair-wise Program Dependence Graph comparison for clone detection
§ Should be robust against
- High-level modifications (e.g., package name changes, method name changes, etc.)
- Method restructuring (e.g., move methods to other classes, split methods into smaller ones or combine methods, etc.)
- Control flow alternatives (e.g., swapping if-else branches, changing for into while loops, etc.)
- Adding/deleting code that is irrelevant for the computed results
- Reordering of code segments
STATIC ANALYSIS: PIGGYAPP [10]
§ Efficiently detect repackaged and "piggybacked" apps
- Detect primary and secondary code modules within the Program Dependence Graph
- Primary code (according to Manifest)
- Observations:
• Piggybacked code not part of primary code
• Clones have shared/similar primary code
STATIC ANALYSIS: MASSVET [68]
§ Difference/Common program code/view components comparison between the subject and all other apps to detect repackaged apps
- Efficient algorithm (≈10s per app), scanned 1.2 million apps
• Maps features of an app's Control Flow Graph into a value (geometric center) which can be compared between apps for similarity
• Establish relation between apps based on Views: detect apps with similar view structures (prior results: most repackaged apps keep the view structure)
• DiffCom analysis to detect malicious code
STATIC ANALYSIS: DROIDRANGER [9]
§ Detecting malicious (unknown) apps
- Based on the set of requested permissions (earlier work revealed that permission sets of malware significantly differ from benign apps)
- Based on suspicious behavior (e.g., fetch and execute code)
STATIC ANALYSIS: DREBIN [70]
§ On-device analysis of apps: gather various features from the app's code and manifest, embed them in a joint vector space, such that typical patterns indicative of malware can be identified using machine learning techniques
- Features: Hardware components, requested permissions, app components, intent-filters, API calls, used permissions, network addresses
- Support Vector Machines produce an efficient and explainable decision model; efficient here because of the sparse vector space (545k different features)
STATIC ANALYSIS: RISKRANKER [71]
§ Detecting malware without relying on samples/signatures of malware
- Detected 322 zero-day malware samples from 11 families in the test set
§ Risk analysis: Categorize apps into risk levels
§ First-order analysis (scalability): Expose high or medium risk apps
- Detect attack code using exploit signatures
- Protected APIs like premium SMS called without user interaction
§ Second-order analysis: Analyze for suspicious behavior (e.g., included child APKs, decryption routines for payload)
STATIC ANALYSIS: MAST [72]
§ Mobile Application Security Triage: Direct costly analysis to the apps with the highest potential to exhibit malicious behavior
- Multiple Correspondence Analysis (= correlation between multiple categorical data) on attributes extracted from apps to rank apps → Find 95% of malware at the cost of analyzing 13% of non-malicious apps
- Attributes: 114 permissions, 92 intent-filters, existence of native code, presence of zip files; trained with 15k apps and 700 malware samples
- An outlier indicates a potentially harmful app for further analysis
STATIC ANALYSIS: CHABADA [73]
§ Cluster apps by their category and detect anomalies w.r.t. API usage to flag potential malware
- Flagged 56% of novel malware w/o need for training malware signatures/patterns
- Topic modeling with Latent Dirichlet Allocation (LDA) to determine the topic from the app description
- One-class SVM based anomaly classification, creates a ranked list of applications for each cluster
- Outliers can be potential malware, spyware, etc. or simply uncommonly behaving apps
STATIC ANALYSIS: WHYPER [74] & AUTOCOG [75]
§ Examine whether the app description justifies the need for the requested permissions using NLP techniques ("description-to-permission fidelity")
- Focus on privacy infringements in relatively benign applications and on "user understandable permissions"
- Mobile apps are predominantly thin clients, and the actions and resources described in the application framework API documents can cover most of the functionality performed by these thin clients
STATIC ANALYSIS: DESCRIBEME [76]
§ Automatically generate security-centric app descriptions from program analysis using Natural Language Generation (NLG)
- Reveal triggering conditions of critical operations, entry point discovery to give context (GUI elements), data flow analysis to explore API dependencies
- Description: Once a GUI component is clicked, the app retrieves your phone number, and encodes the data into format "100/app_id=an1005/ani=%s/dest=%s/phone_number=%s/company=%s/", and sends data to network, depending on if the user selects the Button "Confirm".
COLLABORATIVE VERIFICATION OF INFORMATION FLOWS [77]
§ Market operator and app developers (here "vendor") collaborate
- Vendor annotates source code with info flow type qualifiers
- Market analyzes/verifies annotated app source code, compiles it, and distributes it
• Audit of information flow done more quickly and with higher confidence
- High-level description of intended info flows from user perspective ("location → network")
ANDROID-SPECIFIC CHALLENGES OF STATIC ANALYSIS (1)
§ Android apps' lifecycle: Several entry points to apps (components), callbacks from the application framework, asynchronously executing components
- Problem: Traditional executables have only one single entry point
- CHEX [78]: Detecting "component hijacking" attacks (permission leakage, unauthorized data access, intent spoofing) using reachability analysis on the PDG; novel technique to discover component entry points and "app splitting" to model the asynchronous executions of multiple entry points (split = subset of the app code that is reachable from a particular entry point method)
- FlowDroid [79]: static taint analysis for Android applications with a precise model of Android's lifecycle (and context-, flow-, field-, object-sensitive)
ANDROID-SPECIFIC CHALLENGES OF STATIC ANALYSIS (2)
§ App components can communicate with each other (ICC; Inter-Component Communication), such as via Intents, calling Services or ContentProviders
- Problem: Analysis so far only within single components, but no flow tracking across components
- Epicc [80]: Resolves ICC call parameters, but does not link components
- Amandroid [81]: Points-to information for all objects in an app in a flow- and context-sensitive way across components that can be leveraged in security analysis; links source and target component
- IccTA [82]: Inter-component communication Taint Analysis tool for detection of ICC links and leaks; considers all component types, generic enough for any data-flow analysis
ANDROID-SPECIFIC CHALLENGES OF STATIC ANALYSIS (3)
§ Data and control flows can occur through the application framework services/apps between app components (implicit flow transition facilitated by the framework)
- Problem: Blind spot in the current data and control flow analysis
- EdgeMiner [83]: automatically generate API summaries that describe implicit control flow transitions through the Android framework; can be used in security analysis to detect such implicit flows through the framework
• Improved FlowDroid's detection rate significantly
GENERAL CHALLENGES OF STATIC ANALYSIS
§ Static analysis can be very large-scaling, but...
- Overapproximation
• Analysis often assumes that more behaviors are possible than actually would be
• Analysis is undecidable in all generality due to the halting problem
- Challenged by encrypted, interpreted, or dynamically loaded code
§ Thus: Often complemented with small-scaling dynamic testing
DYNAMIC ANALYSIS: TAINTDROID [84]
§ Taint-tracking system for the Android middleware and kernel
- Variable tracking throughout the Dalvik VM
- Extends tracking between applications (Binder IPC) and storage (extended attributes)

Dynamic Taint Analysis (slides: Systems and Internet Infrastructure Security Laboratory (SIIS))
• Dynamic taint analysis is a technique that tracks information dependencies from an origin
• Conceptual idea:
‣ Taint source
‣ Taint propagation
‣ Taint sink
• Limitations: performance and granularity is a trade-off
  c = taint_source()
  ...
  a = b + c
  ...
  network_send(a)

TaintDroid
• TaintDroid is a system-wide integration of taint tracking into the Android platform
‣ Variable tracking throughout Dalvik VM environment
‣ Patches state after native method invocation
‣ Extends tracking between applications and to storage
• TaintDroid is a firmware modification, not an app
[Figure: TaintDroid architecture: message-level tracking between Application Code (Msg), variable-level tracking in the Virtual Machine, method-level tracking in Native System Libraries, file-level tracking in Secondary Storage, Network Interface]
DYNAMIC ANALYSIS: TAINTDROID [84]
§ Taint sources and sinks carefully integrated into the existing architectural framework
§ Sources
- Low-bandwidth sensors: location, accelerometer
- High-bandwidth sensors: microphone, camera
- Information databases: address book, SMS storage
- Device identifiers: IMEI, IMSI, phone number
§ Sinks
- Network sockets
§ Limitations: only explicit data flows, native code
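Added example (not TaintDroid's own code) of the variable-level tracking described on the two TaintDroid slides: values carry a tag bitmask of the sources they depend on, explicit data flows OR the tags together, and a network sink reports which sources reached it. The bit assignments, the source stand-ins and their sample values are constructed assumptions; the last function shows the stated limitation that implicit flows through control flow are not tracked.

```python
"""Variable-level taint tracking in the style of TaintDroid, as an added example
(not TaintDroid's own code). Each value carries a 32-bit tag bitmask naming the
sources it depends on; explicit data flows OR the tags together and the network
sink reports which sources reached it. Source classes follow the slide; the bit
assignments and sample values are constructed."""
TAINT_CLEAR, TAINT_LOCATION, TAINT_IMEI, TAINT_PHONE, TAINT_CONTACTS, TAINT_MIC = 0, 1, 2, 4, 8, 16
TAG_NAMES = {TAINT_LOCATION: "LOCATION", TAINT_IMEI: "IMEI", TAINT_PHONE: "PHONE_NUMBER",
             TAINT_CONTACTS: "CONTACTS", TAINT_MIC: "MIC"}

class Tainted:
    """A value plus the union of the taint tags of everything it was computed from."""
    def __init__(self, value, taint=TAINT_CLEAR):
        self.value, self.taint = value, taint

    @staticmethod
    def lift(x):
        return x if isinstance(x, Tainted) else Tainted(x)

    def _binop(self, other, fn):   # propagation rule: result tag = left tag | right tag
        other = Tainted.lift(other)
        return Tainted(fn(self.value, other.value), self.taint | other.taint)

    def __add__(self, other):
        return self._binop(other, lambda a, b: a + b)

    def __radd__(self, other):
        return Tainted.lift(other)._binop(self, lambda a, b: a + b)

    def __getitem__(self, key):    # substrings/slices inherit the taint of the whole
        return Tainted(self.value[key], self.taint)

    def tags(self):
        return sorted(name for bit, name in TAG_NAMES.items() if self.taint & bit)

# Taint sources: stand-ins for framework APIs returning sensitive data (constructed values).
def get_last_location():
    return Tainted("49.25,7.04", TAINT_LOCATION)

def get_device_id():
    return Tainted("000000000000000", TAINT_IMEI)

def get_line1_number():
    return Tainted("+49000000000", TAINT_PHONE)

class NetworkSink:
    """Network socket sink: records every send whose data still carries taint."""
    def __init__(self):
        self.leaks = []

    def send(self, data):
        data = Tainted.lift(data)
        if data.taint:
            self.leaks.append((data.value, data.tags()))
        return len(data.value)

def run_sample_app(sink):
    """An app assembling a beacon from device ID and location (explicit flows only)."""
    beacon = "id=" + get_device_id()[-4:] + "&loc=" + get_last_location()
    sink.send(beacon)
    sink.send("version=1.0")       # untainted, so not reported
    return sink.leaks

def implicit_flow_blind_spot():
    """The slide's limitation: information copied through control flow rather than
    data flow arrives untainted. Returns the tag of such a copy (TAINT_CLEAR)."""
    imei = get_device_id()
    copied = "1" if imei.value.endswith("1") else "0"   # branch on tainted data
    return Tainted.lift(copied).taint
```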
DYNAMIC ANALYSIS: VETDROID [85]
§ Reconstruct sensitive behavior of apps from a permission use perspective
§ Extends TaintDroid:
- Taints data returned from API calls that required a permission with that specific permission
• Benefit: Automatically track any protected data instead of only pre-defined ones as in TaintDroid
- Tracks usage of this data across the application to profile the app's permission usage behavior
• E.g., does the app leak tainted data to network or file, does the app interrupt ordered broadcasts (for instance SMS received), etc.
- Uses profiles to better understand the workings of malware and to vet apps for undesired behavior
DYNAMIC ANALYSIS: DROIDSCOPE [86]
§ Virtualization-based malware analysis platform
- Instrumented Android emulator
- Reconstruct both OS-level and Java-level semantics
• VM introspection
PROBLEM OF DYNAMIC ANALYSIS: CODE COVERAGE
§ Code coverage problem with automated testing of apps:
- As for static analysis: Multiple entry points in the application life-cycle: Receivers (as event triggers and callbacks via Intents), Services, ContentProviders, Listeners, ...
• Traditional executables have a single entry point
- Apps are usually strongly user-driven and interaction is necessary for high code coverage: Input to Activities (buttons, credentials, permission granting, user accounts, contacts entries, ...)
§ TaintDroid: No automated testing of apps
§ VetDroid: Rudimentary "application driver" using the Monkey tool & event injection; leaves this challenge open
DYNAMIC ANALYSIS: SMARTDROID [87]
§ Hybrid approach (static and dynamic analysis) to reveal UI-based trigger conditions in Android apps
- Static analysis: Extract expected Activity switch paths by analyzing Activity and Function Call Graphs
- Dynamic analysis (modified emulator): Traverse each UI element automatically and explore the UI interaction paths that lead towards sensitive API calls
§ Limitations:
- No data dependency in the ACG
- No logic-based triggers
• "Press button 5 times to trigger"
- Obfuscation and reflection
DYNAMIC ANALYSIS: APPSPLAYGROUND [88]
§ AppsPlayground: Automate analysis of Android apps
- Trigger code in event receivers (location change, etc.)
- Explore the GUI via fuzz testing; intelligent execution to recognize heuristically which data has to be put into the GUI and guide exploration
- Average code coverage: 33% for test apps
DYNAMIC ANALYSIS: COPPERDROID [89]
§ Automatic VMI-based analysis system to reconstruct the behavior of Android apps (malware)
- Monitors low-level interactions between app and system (dex and native code, independently of obfuscation/reflection)
• Can reconstruct complex intra- and inter-process communication whose semantics are usually contextualized through complex objects
• Recreate resources (e.g., files, network communication, etc.) by inferring data dependencies between system calls (forward slicing and def-use chains between calls)
- App simulation technique to trigger high code coverage
• Leverage static analysis of an app as input for a targeted simulation strategy using simple inputs (sending targeted Intents, events like phone call or location update, keyboard input, ...)
DYNAMIC ANALYSIS: DROIDMATE [90] / BOXMATE [91]
§ Automatic GUI execution generator for apps: automatically interact with GUI elements of an app to trigger as much logic as possible
- App is instrumented with monitoring code
- Starting from the main activity, explores the app in a feedback loop
- Exploration strategy based on displayed GUI elements and monitored events after the last action
- Action can be click, long-click, press home, press back, reset, terminate
- Exploration until a termination criterion is met
DYNAMIC ANALYSIS: BRAHMASTRA [92]
§ Testing 3rd party components of apps
- Static call graph analysis to construct a chain of Activities and interactions to reach 3rd party components
- Rewriting the app to "jumpstart" 3rd party components
• App automatically makes a series of calls to open the 3rd party component as fast as possible (e.g., prune prefix Activities)
- Runtime analyzer to collect information about the 3rd party components
§ Analysis of 3rd party code in 2.7x more apps and decreased test duration by a factor of 7
DYNAMIC ANALYSIS: APPAUDIT [93]
§ Goal: Use the synergy of static analysis and dynamic analysis to speed up analysis and reduce the effects of overapproximation of static analysis
§ Approach: Dynamic analysis that can simulate the execution of part of the program and perform customized checks at each program state
- Largely inspired by techniques used in JIT compilers and improvements to symbolic execution
- Evaluation: Comparative reports of leaks, no false positives, 8.3x faster, 90% less memory consumption
PROBLEM: LOGIC BOMBS
§ Logic and time bombs can make it very hard to detect malicious behavior and distinguish benign apps from malware
§ Example (Java fragments from the slide):
  if (Build.FINGERPRINT.startsWith("generic")) return; // we are running in an emulator
  String messageText = simCountryIso().equals("US") ? US : INTERN;
  String clazz = decrypt("fri$ds&S");
  String method = decrypt("dvdf4$DCS");
  Class.forName(clazz).getMethod(method).invoke("+01234", null, messageText, null, null);

  Date now = new Date();
  Date target = new Date(22, 12, 2016);
  if (now.after(target)) {
      // do evil
  } else {
      // do unsuspicious
  }
STATIC ANALYSIS: APPCONTEXT, HARVESTER, TRIGGERSCOPE
§ AppContext [94]: Identify and extract the contexts and events that trigger security-sensitive behaviors
- Maliciousness of security-sensitive behavior is more closely related to the intention of the behavior (reflected via context) than to the type of resource accessed
§ Harvester [95]: Extract runtime values even from obfuscated code that uses reflection, hides sensitive values in native code, loads code dynamically or uses anti-analysis techniques
- Forced execution: explicitly triggers all different behaviors
§ TriggerScope [96]: Focus on detecting the trigger checks instead of the behavior
GOOGLE'S SELF-REPORTED MARKET SECURITY [69]
§ Verify Apps cloud-based service to check every app prior to installation if potentially harmful
- Warn user or remove automatically without user confirmation
APP VERIFICATION [69]
Data collection in Verify Apps (rare app collection):
"Verify Apps protects users against applications that are installed from any source—whether they come from Google Play or outside of Play—so it is important that our systems have visibility into as many applications as possible. All applications that are submitted to Google Play undergo a review. Similarly, all applications that Google's cloud-based systems are able to locate on public websites are reviewed. Starting in 2015, users can send applications from their device to Google for review."
Technical: Extracting features and then checking for similarities with existing harmful apps
GOOGLE'S SELF-REPORTED MARKET SECURITY [69]
§ SafetyNet attest API to help developers check device integrity
- Devices contribute security-related information to cloud-based services, including information about security events, logs, configuration information, and other security-relevant information
- When a vulnerability is fixed, code is inserted into the platform (or app) which generates a log when a potential exploit attempt is detected. This log contains information required to track exploitation trends and better understand the effectiveness of our security improvements.
- SafetyNet used active network probes to identify cases where the system certificate store has been manipulated.
- Anomaly Correlation Engine monitors for changes in key device security indicators and examines which apps changed since the last secure state; monitoring across many devices allows pinpointing relevant apps
- On-device client hashes the system partition and compares against a cloud-based service with a collection of known system partitions
GOOGLE'S SELF-REPORTED MARKET SECURITY [69]
§ Machine learning to see patterns and connections humans would miss; continuous monitoring and refinement to improve precision
- End of 2015: ongoing automated analysis of over 35 million APKs (every version ever published on Play as well as all collected ones)
- Tens of thousands of CPU cores and terabytes of RAM, petabytes of storage
§ Inputs: Static analysis, dynamic analysis, 3rd party reports, developer relationships, signatures, SafetyNet, heuristics and similarity analysis, human analysts
- SA: finding linked functionality across components, detecting SSL misconfigurations
- DA: simulate a large number of different devices and detect anomalies, use SA results to increase DA code coverage
- Honeypots with fake account data
- Decompose apps into features and analyze feature similarity to see relations between apps using advanced machine learning
- Over 90% of the times a user installs an app not from Play, the app is known and can be checked against a signature
- Monitoring C&C communication to detect malware install commands
GOOGLE'S SELF-REPORTED MARKET SECURITY [69]
§ App Security Improvement Program identifies apps in Google Play that have known security vulnerabilities (through incorrect coding practices or by using known vulnerable libraries), notifies the developers of their app's vulnerabilities, and encourages them to fix the vulnerabilities
- Developers are alerted via email and the Play Developer Console
- 2015: 100k apps improved
• covering known vulnerabilities in the following libraries: Vungle, Apache Cordova, WebView SSL, GnuTLS, and Vitamio
ENCRYPTED APKS AND FORWARD LOCKING
§ Since Android 4.1: support for delivering encrypted APKs
§ Forward locking (or copy protection)
- Goal: prevent paid content from being (easily) stolen from devices
- Since 4.1: Encrypted app containers (Android Secure External Caches (ASEC)) together with file system access control to store app contents in a more protected way
§ Result: APKs are transferred and stored in encrypted form
- Used by Play and available to custom app installers
- However: If the device is rooted, protected content or encryption keys could be extracted (but still better than w/o encryption)
PROBLEM: MULTI-MARKET ECOSYSTEM [97]
§ Problem: Multi-markets limit/eliminate security characteristics of single-market models
- Kill-switches (which market is authorized to kill which apps?)
- Developer name consistency
§ Approach: App installer (Meteor) with an extensible set of configurable security information sources and kill-switch authorities
- Additional app infos: virus reports, privacy violations, expert ratings, other apps by the same developer (app databases)
- Crucial: connect package signatures to developer/application (developer registries)
- Universal app ID = {Hash(package name, dev. cert), Hash(binary)}
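Added example (not Meteor's code) that computes the universal app ID above and uses it to tell a developer's own update from a re-signed or repackaged copy, the case described under REPACKAGING: stripping META-INF/ and re-signing changes the (package, cert) component but leaves the content hash intact. The APKs are constructed in memory with a plain-text manifest and placeholder certificate bytes; a real APK carries binary XML and a PKCS#7 signature block, which this example does not parse.

```python
"""Universal app IDs in the style of Meteor: {Hash(package name, developer cert), Hash(binary)}.

Added example, not Meteor's code. Assumptions: the APKs below are constructed in
memory; the manifest is plain text with a package="..." attribute (real APKs use
binary XML) and META-INF/CERT.RSA holds opaque placeholder bytes standing in for
the signer's certificate."""
import hashlib
import io
import re
import zipfile


def make_apk(package, cert_bytes, classes_dex):
    """Build a minimal APK-shaped zip (constructed test data, not a real signed APK)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", f'<manifest package="{package}"/>')
        z.writestr("classes.dex", classes_dex)
        z.writestr("META-INF/MANIFEST.MF", "Name: classes.dex\n")
        z.writestr("META-INF/CERT.RSA", cert_bytes)
    return buf.getvalue()


def universal_app_id(apk_bytes):
    """Hash(package, cert) ties the package name to its signer; Hash(binary) covers
    everything outside META-INF/, i.e. exactly what survives when a repackager
    strips the original signature and re-signs with another key."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = z.read("AndroidManifest.xml").decode()
        package = re.search(r'package="([^"]+)"', manifest).group(1)
        cert = z.read("META-INF/CERT.RSA")
        dev = hashlib.sha256(package.encode() + b"\0" + cert).hexdigest()
        content = hashlib.sha256()
        for name in sorted(z.namelist()):
            if not name.startswith("META-INF/"):
                content.update(name.encode() + b"\0" + z.read(name))
    return {"package": package, "dev": dev, "content": content.hexdigest()}


def compare(reference, candidate):
    """Classify a candidate against the ID recorded at first install or in a developer registry."""
    if reference["package"] != candidate["package"]:
        return "unrelated"
    same_dev = reference["dev"] == candidate["dev"]
    same_content = reference["content"] == candidate["content"]
    if same_dev:
        return "identical" if same_content else "update-same-developer"
    # Same package name but a different signer: the update path is closed to this
    # APK, yet a fresh install would trust it (trust-on-first-install).
    return "re-signed-copy" if same_content else "repackaging-suspect"


# Constructed inputs (placeholder certificates, not real PKCS#7 blobs).
DEV_CERT = b"placeholder-cert-of-original-developer"
OTHER_CERT = b"placeholder-cert-of-someone-else"
ORIGINAL = make_apk("com.example.notes", DEV_CERT, b"dex:v1")
UPDATE = make_apk("com.example.notes", DEV_CERT, b"dex:v2")
RESIGNED = make_apk("com.example.notes", OTHER_CERT, b"dex:v1")
REPACKAGED = make_apk("com.example.notes", OTHER_CERT, b"dex:v1+ads")
```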
MARKET AS THE ATTACKER [98]
§ Markets are attractive targets to be coerced/pressured into distributing malicious software (updates) to, or withholding apps/updates from, targeted users
§ Easy with Android's current app signing model and the market's intransparency (blind trust by users)
§ Application Transparency (AT): three different kinds of cryptographic proofs that allow users to verify the authenticity of apps provided by app markets (using log servers and auditors)
- Proof of Presence: Information about the presence of an app in the market
- Proof of Currency: Information about the currentness of an app's version
- Proof of Absence: Verify that an app indeed does not exist on the market
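Added example (not the AT authors' code) of how a log server can back the three proofs listed above, assuming a Merkle tree over leaves sorted by (package, version code, APK hash) and a published tree head (size, root): presence is an audit path, absence is an adjacent pair of leaves that bracket the queried package name, and currency is the app's newest leaf together with its right neighbour. The signature on the tree head and the auditors that cross-check heads are left out.

```python
"""Merkle-tree proofs of presence, currency and absence over a market log: an added
example of the evidence Application Transparency describes, not the AT authors' code.
Assumes the log publishes a tree head (size, root) over leaves SORTED by
(package, version code, APK hash); head signatures and auditors are left out."""
import bisect
import hashlib

def leaf_hash(entry):
    package, version, apk_sha256 = entry
    return hashlib.sha256(b"\x00" + f"{package}|{version}|{apk_sha256}".encode()).digest()

def node_hash(left, right):  # 0x00/0x01 prefixes keep leaves and inner nodes apart
    return hashlib.sha256(b"\x01" + left + right).digest()

class MarketLog:
    def __init__(self, entries):
        self.entries = sorted(entries)
        self.levels, level = [], [leaf_hash(e) for e in self.entries]
        while True:
            if len(level) > 1 and len(level) % 2:
                level.append(level[-1])  # duplicate the last hash on odd levels
            self.levels.append(level)
            if len(level) == 1:
                break
            level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    def tree_head(self):
        return (len(self.entries), self.levels[-1][0])
    def audit_path(self, index):  # sibling hashes up to the root, tagged 'sibling is left'
        path = []
        for level in self.levels[:-1]:
            path.append((level[index ^ 1], (index ^ 1) < index))
            index //= 2
        return path
    def adjacent_pair(self, i):  # leaves i-1 and i with audit paths; None beyond an edge
        pick = lambda k: (self.entries[k], self.audit_path(k)) if 0 <= k < len(self.entries) else None
        return pick(i - 1), pick(i)
    def prove_absence(self, package):
        i = bisect.bisect_left(self.entries, (package,))
        return None if i < len(self.entries) and self.entries[i][0] == package else self.adjacent_pair(i)
    def prove_currency(self, package):
        j = bisect.bisect_left(self.entries, (package + "\x00",))  # first leaf of a later package
        return None if j == 0 or self.entries[j - 1][0] != package else self.adjacent_pair(j)

def leaf_index(path):  # the leaf position is encoded by the side bits of its path
    return sum(1 << k for k, (_, sib_left) in enumerate(path) if sib_left)

def verify_presence(head, entry, path):
    size, root = head
    cur = leaf_hash(entry)
    for sibling, sib_left in path:
        cur = node_hash(sibling, cur) if sib_left else node_hash(cur, sibling)
    return cur == root and leaf_index(path) < size

def verify_adjacent(head, pair):  # both neighbours verify and sit at consecutive positions
    if any(item is not None and not verify_presence(head, *item) for item in pair):
        return False
    left, right = pair
    lo = -1 if left is None else leaf_index(left[1])
    hi = head[0] if right is None else leaf_index(right[1])
    return hi == lo + 1

def verify_absence(head, package, pair):
    left, right = pair
    return (verify_adjacent(head, pair) and (left is None or left[0][0] < package)
            and (right is None or right[0][0] > package))

def verify_currency(head, package, pair):  # left is the newest leaf of package, none follows
    left, right = pair
    return (verify_adjacent(head, pair) and left is not None and left[0][0] == package
            and (right is None or right[0][0] > package))

# Constructed log contents (placeholder APK hashes).
ENTRIES = [("com.example.notes", 9, "h9"), ("com.example.notes", 7, "h7"), ("com.example.notes", 8, "h8"),
           ("org.demo.maps", 3, "hm"), ("net.sample.player", 12, "hp")]
LOG = MarketLog(ENTRIES)
```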