INTRODUCING..... A S E F
Android Security Evaluation Framework
- Parth Patel
$ whoami_
Agenda
Manual Research
Automation - A S E F
Let’s solve problems
Conclusion
Android OS
Open Source
Security Evaluation of
Android Apps
[Diagram: the Android APP Store ecosystem. Developers and Attackers both submit apps to the Android APP Store, Bouncer screens submissions, and the User installs from the store; "?" marks the open question at each stage of what gets through.]
Permissions
Manual Research
“Behavioral Analysis”of Apps
Android SDK
- Emulator (Android Virtual Device - AVD)
- Android Debug Bridge - adb
- Android Asset Packaging Tool - aapt
Wireshark
dex2jar
IDE - eclipse
Utilities for Behavioral Analysis
Limitations of
‘Manual Research’
Introducing .....
A S E F
A S E F
A S E F as a Black Box
Findings: Malware, Aggressive Adware, Bandwidth, Vulnerabilities
Phases: Passive, Active, Interpret
Initialization
Normalization
Organization
Launch
Test Cycle
Parsing
Analyzing
Results
A S E F
Configurator: adb refresh, Device Detect (virtual/physical)
i/p -> A S E F
A S E F Phase 1: Passive
Initialization Mode
Defaults: Virtual Device = , Google Safe Browsing API = , Host IP = , interface =
Creates Virtual Device
Session cleanup, Enable USB debugging
Array of .apk path
Location of an APP
A S E F Phase 1: Passive
Normalization Mode
Extractor
Location of APPs
Extracted APPs
A S E F Phase 1: Passive
Organization Mode
Converter / Test Result
Archive
%HAPK->{$apk} = (
    {
        pkgnm     => $PKGNM,
        launchact => $LAUNCHACT,
        vercode   => $VERCODE,
        vername   => $VERNAME,
        applable  => $APPLABLE,
        adbstart  => "",
        adbstop   => "",
    },
);
Archive layout (one directory per test run, one entry per app):
TEST_05_11_12-19:53:56
TEST_05_11_12-20:20:19
TEST_05_13_12-11:38:28
TEST_NIGHTLY_SCAN2
    1.apk  adb_log.txt  network_traffic.txt
    2.apk  adb_log.txt  network_traffic.txt
    3.apk  adb_log.txt  network_traffic.txt
Virtual Device
Launcher
Boot -> Boot check -> Running / Not Running -> Display unlock
A S E F Phase II : Active
Launch Mode
Installation mode -> Launch mode -> Activity mode -> Uninstallation mode
start-timestamp ... stop-timestamp
stop - adb logcat, stop - tcpdump
Extensive mode (at each mode): kernel log, memory dump, services running
Tm (per mode)
A S E F Phase II : Active
Test Cycle
start - adb logcat
start - tcpdump
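The Phase II sequence above, as an added Python example rather than ASEF's own code: install, clear and start adb logcat, start tcpdump, record the start timestamp, launch the activity from the badging record, drive it with monkey for the length of the test cycle, record the stop timestamp, stop both captures, uninstall. Assumptions: `adb` is on PATH, tcpdump on the host interface `iface` sees the emulator's traffic and has root or CAP_NET_RAW, and the device serial, package and activity names in the demo are constructed. Command execution is injectable so the ordering can be checked without a device.

```python
"""Phase II (Active): one ASEF-style test cycle for one app, as an added
Python example (not ASEF's own code).  Installation mode -> start adb logcat
and tcpdump with a start timestamp -> Launch mode (am start) -> Activity mode
(monkey) -> stop timestamp, stop captures -> Uninstallation mode.  Output goes
to <outdir>/adb_log.txt and <outdir>/network_traffic.txt, the files in the
slides' archive.  Assumptions: adb is on PATH; tcpdump on host interface
`iface` sees the emulator's traffic and runs with CAP_NET_RAW/root."""
import os
import subprocess
import tempfile
import time

def real_run(argv):
    return subprocess.run(argv, capture_output=True).returncode

def real_spawn(argv, outfile):
    """Start a long-running capture whose stdout is the archive log file."""
    fh = open(outfile, "w")
    return subprocess.Popen(argv, stdout=fh, stderr=subprocess.STDOUT), fh

def real_stop(handle):
    proc, fh = handle
    proc.terminate()
    proc.wait()
    fh.close()

def stamp():
    return time.strftime("%Y-%m-%d %H:%M:%S")

def run_test_cycle(serial, apk, rec, outdir, cycle_seconds=180, iface="eth0",
                   run=real_run, spawn=real_spawn, stop=real_stop):
    """`rec` is the app's Organization-mode record (pkgnm, launchact)."""
    adb = ["adb", "-s", serial]
    os.makedirs(outdir, exist_ok=True)
    result = {"apk": apk, "ok": False, "start": None, "stop": None}
    # Installation mode: -r reinstalls if an earlier cycle left the package behind.
    if run(adb + ["install", "-r", apk]) != 0:
        return result
    run(adb + ["logcat", "-c"])  # clear the ring buffer so the log is this app's alone
    captures = [spawn(adb + ["logcat", "-v", "time"], os.path.join(outdir, "adb_log.txt")),
                spawn(["tcpdump", "-i", iface, "-n", "-l"], os.path.join(outdir, "network_traffic.txt"))]
    result["start"] = stamp()
    try:
        # Launch mode: the launchable activity from aapt badging.
        run(adb + ["shell", "am", "start", "-n", "%s/%s" % (rec["pkgnm"], rec["launchact"])])
        # Activity mode: monkey drives the UI; the event count is sized to last the cycle.
        throttle_ms = 500
        events = max(1, cycle_seconds * 1000 // throttle_ms)
        run(adb + ["shell", "monkey", "-p", rec["pkgnm"], "--throttle", str(throttle_ms),
                   "-v", str(events)])
        run(adb + ["shell", "am", "force-stop", rec["pkgnm"]])
    finally:
        result["stop"] = stamp()
        for handle in captures:
            stop(handle)
        # Uninstallation mode: leave the device clean for the next app.
        run(adb + ["uninstall", rec["pkgnm"]])
    result["ok"] = True
    return result

def demo_cycle(install_rc=0):
    """Dry run with recording fakes; returns the commands in execution order.
    install_rc=1 simulates a failed install, after which nothing else may run."""
    log = []

    def run(argv):
        log.append(" ".join(argv))
        return install_rc if argv[3] == "install" else 0

    def spawn(argv, outfile):
        log.append(" ".join(argv) + " > " + os.path.basename(outfile))
        return argv[0]

    def stop(handle):
        log.append("stop " + handle)

    rec = {"pkgnm": "com.example.game", "launchact": "com.example.game.MainActivity"}  # constructed
    run_test_cycle("emulator-5554", "1.apk", rec, tempfile.mkdtemp(prefix="asef_"),
                   cycle_seconds=3, run=run, spawn=spawn, stop=stop)
    return log

if __name__ == "__main__":
    for cmd in demo_cycle():
        print(cmd)
```

Stopping the captures and uninstalling happen in the `finally` block so that a hung `am start` or a monkey crash still leaves the device clean for the next app in the array; the recorded start/stop timestamps are what the Interpret phase later uses to align adb_log.txt with network_traffic.txt.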
Network Activity
    URLs/IPs -> Google's Safe Browsing API -> malware
    Access rate of URL/IP -> aggressive adware
Traffic Analyzer
    Data tx / Bandwidth -> Data usage -> Bandwidth
Associated Permissions
    Unique permissions of Apps -> Permission mapping
Decompilation / APIs used
    Unique APIs -> API mapping
    Reconstructing source code: apk -> unzip -> dex2jar -> jar2class -> class2jad -> Source Code
Black listing
    Found -> Add App to the blacklist -> Black listed
A S E F Phase III : Interpret
Parsing Mode Analyzing Mode Results
Vulnerability Detector
Signatures (%HVULN) x App records (%HAPK) -> Vulnerabilities
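The Vulnerability Detector of Phase III, as an added Python example (not ASEF's own code): the per-app records built in Organization mode (%HAPK) are joined against a signature table (%HVULN) keyed by package name, and an app is flagged when its installed version predates the version that shipped the fix. This is also what makes a non-updated app show up as vulnerable in one scan and drop out after an update. Every package name, version number and signature id below is constructed for illustration; none refers to a real advisory.

```python
"""Phase III (Interpret): an ASEF-style Vulnerability Detector as an added
Python example (not ASEF's own code).  Joins %HAPK (per-app records) against
%HVULN (signatures keyed by package name) and flags installs whose version is
older than the fixed version.  All names, versions and signature ids here are
constructed, not real advisories."""
import re

def version_tuple(name):
    """'11.1.115' -> (11, 1, 115); trailing zeros dropped so '14' == '14.0'."""
    parts = []
    for piece in re.split(r"[.\-_]", name):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_vulnerable(rec, sig):
    """Prefer versionCode (monotonic by Android's contract); fall back to versionName."""
    if "fixed_vercode" in sig and rec.get("vercode", "").isdigit():
        return int(rec["vercode"]) < sig["fixed_vercode"]
    if "fixed_vername" in sig and rec.get("vername"):
        return version_tuple(rec["vername"]) < version_tuple(sig["fixed_vername"])
    return False  # no usable version: do not guess

def detect(hapk, hvuln):
    """Parsing/Analyzing mode: one finding per (app, matching signature)."""
    findings = []
    for apk, rec in sorted(hapk.items()):
        for sig in hvuln.get(rec["pkgnm"], []):
            if is_vulnerable(rec, sig):
                findings.append({"apk": apk, "pkgnm": rec["pkgnm"], "sig": sig["sig"],
                                 "installed": rec.get("vercode") or rec.get("vername"),
                                 "fixed": sig.get("fixed_vercode", sig.get("fixed_vername"))})
    return findings

def summary(hapk, findings):
    """Results: the 'No of total Apps' vs 'No of Vulnerable Apps' figures."""
    vulnerable = {f["apk"] for f in findings}
    return {"total": len(hapk), "vulnerable": len(vulnerable), "safe": len(hapk) - len(vulnerable)}

def fixed_by_update(before, after):
    """Apps flagged in the pre-update scan that no longer match after updating."""
    return sorted({f["apk"] for f in before} - {f["apk"] for f in after})

# Constructed signature table and app records (fictitious packages).
SAMPLE_HVULN = {
    "com.example.player": [{"sig": "SIG-0001", "fixed_vercode": 1150}],
    "org.example.browser": [{"sig": "SIG-0002", "fixed_vername": "14.0"}],
}
SAMPLE_HAPK = {
    "1.apk": {"pkgnm": "com.example.player", "vercode": "1100", "vername": "11.0.1"},
    "2.apk": {"pkgnm": "com.example.player", "vercode": "1160", "vername": "11.1.0"},
    "3.apk": {"pkgnm": "org.example.browser", "vercode": "", "vername": "13.0"},
    "4.apk": {"pkgnm": "com.example.game", "vercode": "12", "vername": "1.2"},
}
# The same apps after 1.apk was updated past the fix.
SAMPLE_HAPK_AFTER = dict(SAMPLE_HAPK)
SAMPLE_HAPK_AFTER["1.apk"] = {"pkgnm": "com.example.player", "vercode": "1160", "vername": "11.1.0"}

if __name__ == "__main__":
    before = detect(SAMPLE_HAPK, SAMPLE_HVULN)
    after = detect(SAMPLE_HAPK_AFTER, SAMPLE_HVULN)
    print(summary(SAMPLE_HAPK, before), summary(SAMPLE_HAPK_AFTER, after))
    print(fixed_by_update(before, after))
```

A record with no usable version is reported as not matching rather than as vulnerable; a scanner that guesses here inflates the vulnerable count with apps it could not actually evaluate, which is worse than a visible gap in coverage.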
A S E F
Demo
Statistics & Results
Apps leaking private information
Total Apps = 80
Safe Apps - 74
6 Apps - Leaking private data (IMEI number, phone number)
Bandwidth Usage
[Chart: Data usage (bytes) per App, 3 min Test Cycle]
Aggressive Adware
[Chart: No of Servers accessed per App, 3 min Test Cycle]
[Chart: Access-rate per App, 3 min Test Cycle]
Threshold: Ad Requests @ 1.333 req/sec
Aggressive Adware
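The Test Cycle analysis (Network Activity, Traffic Analyzer, Black listing) and the Aggressive Adware threshold above, in one added Python example that is not ASEF's own Traffic Analyzer. It reads the text of a network_traffic.txt written by `tcpdump -n -l -A`: hostnames from DNS queries, servers and request counts from outbound TCP SYNs, bytes from packet lengths, and the `-A` payload lines are searched for the device's own identifiers to catch the IMEI/phone-number leaks reported in the statistics. Assumptions: the emulator's guest address is 10.0.2.15 and its DNS is 10.0.2.3; a local set stands in for the online Google Safe Browsing lookup; the capture, the IMEI and the phone number are constructed, not real traffic.

```python
"""Test Cycle analysis and the Aggressive Adware threshold, as an added Python
example (not ASEF's own Traffic Analyzer).  Input: lines of network_traffic.txt
as written by `tcpdump -n -l -A`.  Assumptions: emulator guest 10.0.2.15, DNS
10.0.2.3, a local blacklist in place of the Safe Browsing API, constructed data."""
import re
from collections import Counter

DEVICE_IP = "10.0.2.15"
ADWARE_THRESHOLD = 1.333      # req/sec, the threshold from the slides
TEST_CYCLE_SECONDS = 180      # 3 min test cycle
BLACKLIST = {"ads.example.net"}   # stand-in for Safe Browsing / the local blacklist
DEVICE_IDS = {"IMEI": "356938035643809", "phone": "15555215554"}  # constructed

TS = r"(\d\d:\d\d:\d\d\.\d+)"
DNS_Q = re.compile(TS + r" IP (\S+)\.\d+ > \S+\.53: (\d+)\+ A\? (\S+)\. \((\d+)\)")
DNS_R = re.compile(TS + r" IP \S+\.53 > (\S+)\.\d+: (\d+) \d+/\d+/\d+ .*?A (\d+\.\d+\.\d+\.\d+) \((\d+)\)")
TCP = re.compile(TS + r" IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\].* length (\d+)$")

def analyze(lines, cycle_seconds=TEST_CYCLE_SECONDS, device_ip=DEVICE_IP,
            blacklist=BLACKLIST, device_ids=DEVICE_IDS):
    pending, ip_to_host = {}, {}     # DNS txn id -> name queried; resolved ip -> name
    requests, leaks = Counter(), Counter()
    tx = rx = 0
    for line in lines:
        line = line.rstrip()
        m = DNS_Q.match(line)
        if m:
            pending[m.group(3)] = m.group(4)
            tx += int(m.group(5))
            continue
        m = DNS_R.match(line)
        if m:
            host = pending.pop(m.group(3), None)
            if host:
                ip_to_host[m.group(4)] = host
            rx += int(m.group(5))
            continue
        m = TCP.match(line)
        if m:
            src, dst, flags, length = m.group(2), m.group(4), m.group(6), int(m.group(7))
            if src == device_ip:
                tx += length
                if flags == "S":          # new outbound connection = one request
                    requests[dst] += 1
            else:
                rx += length
            continue
        for label, value in device_ids.items():   # -A payload line: identifier leaving the device?
            if value in line:
                leaks[label] += 1
    servers = Counter()
    for ip, n in requests.items():
        servers[ip_to_host.get(ip, ip)] += n   # report by hostname when DNS showed one
    total = sum(servers.values())
    rate = total / cycle_seconds
    return {"servers": dict(servers), "unique_servers": len(servers),
            "total_requests": total, "access_rate": round(rate, 3),
            "aggressive_adware": rate > ADWARE_THRESHOLD,
            "tx_bytes": tx, "rx_bytes": rx,
            "blacklisted": sorted(s for s in servers if s in blacklist),
            "leaks": dict(leaks)}

# Constructed capture (not real traffic): one ad server contacted twice, one API host once,
# and an -A payload line carrying the device's IMEI in a query string.
SAMPLE_CAPTURE = """\
19:53:57.000100 IP 10.0.2.15.40000 > 10.0.2.3.53: 1001+ A? ads.example.net. (33)
19:53:57.010200 IP 10.0.2.3.53 > 10.0.2.15.40000: 1001 1/0/0 A 203.0.113.10 (49)
19:53:57.020000 IP 10.0.2.15.45678 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
19:53:57.050000 IP 10.0.2.15.45678 > 203.0.113.10.80: Flags [P.], seq 1:518, ack 1, win 65535, length 517
GET /track?imei=356938035643809&v=1 HTTP/1.1
19:53:57.300000 IP 203.0.113.10.80 > 10.0.2.15.45678: Flags [P.], seq 1:1201, ack 518, win 65535, length 1200
19:53:58.000000 IP 10.0.2.15.45679 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
19:54:00.000000 IP 10.0.2.15.40001 > 10.0.2.3.53: 1002+ A? api.example.org. (33)
19:54:00.010000 IP 10.0.2.3.53 > 10.0.2.15.40001: 1002 1/0/0 A 198.51.100.7 (49)
19:54:00.020000 IP 10.0.2.15.45680 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
"""

if __name__ == "__main__":
    print(analyze(SAMPLE_CAPTURE.splitlines()))
```

For a real archive entry call `analyze(open(path_to_network_traffic).readlines())`. The access rate is computed over the whole test cycle, as on the slides, so an app that bursts requests in its first seconds and then idles is scored the same as one that requests steadily; the flag is a coarse screen, and the per-server counts are what a reviewer reads next.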
Permission mapping
Permission distribution - 1000 game apps
Internet
Vibrate
Send SMS
Write Contacts
Read Contacts
mount/unmount filesystem
Vulnerability Scanning
Non-updated Android Apps
[Chart: No of total Apps vs No of Vulnerable Apps - 75 total, 12 vulnerable]
A S E F Scan - Before updates
Adobe Flash Player, Mozilla Firefox
[Chart: No of total Apps vs No of Vulnerable Apps - 75 total, 6 vulnerable]
A S E F Scan - After updates
Extending the Framework
Installation mode -> Launch mode -> Activity mode -> Uninstallation mode
start-timestamp ... stop-timestamp
start - adb logcat, start - tcpdump, start - cmd line tool
stop - adb logcat, stop - tcpdump, stop - cmd line tool
Command line tools
Extending the Framework
Let’s solve problems....
A S E F to scan an APP STORE
Protect & Promote
A S E F in
Large Organizations
THE NIGHT PHOENIX
Android APP
ANDROID
NIGHT PHOENIX
apk zip -> Extractor of A S E F
NIGHT PHOENIX & A S E F
A S E F Server
Array of .apk path
unzip
Package Manager
NIGHT PHOENIX ??
Alarm Manager
Who watches THE WATCHMEN
Permissions: Internet, Write external storage
THE NIGHT PHOENIX
THE DARK PHOENIX
It is just the beginning ........
Next Generation of A S E F
Scalability - Load balancer module
Offline scanning - Crawler module
A S E F in cloud
Automated/Custom signature generation
Distinguishing updates - Security Fixes
UI reporting with correlated results and statistics
Conclusion ?
A S E F
Thank You
Twitter : @parth_84
email : [email protected]
http://code.google.com/p/asef/
https://community.qualys.com/blogs/securitylabs/2012/07/25/android-security-evaluation-framework--a-s-e-f