206 research outputs found

    Towards Principled Dynamic Analysis on Android

    The vast amount of information and services accessible through mobile handsets running the Android operating system has led to the tight integration of such devices into our daily routines. However, their capability to capture and operate upon user data provides an unprecedented insight into our private lives that needs to be properly protected, which demands comprehensive analysis and thorough testing. While dynamic analysis has been applied to these problems in the past, the corresponding literature consists of scattered work that often specializes in sub-problems and keeps re-inventing the wheel, thus lacking a structured approach. To overcome this unsatisfactory situation, this dissertation introduces two major systems that advance the state of the art of dynamically analyzing the Android platform. First, we introduce a novel, fine-grained and non-intrusive compiler-based instrumentation framework that allows for precise and high-performance modification of Android apps and system components. Second, we present a unifying dynamic analysis platform with a special focus on Android’s middleware in order to overcome the common challenges we identified from related work. Together, these two systems allow for a more principled approach for dynamic analysis on Android that enables comparability and composability of both existing and future work.

    Universal Mobile Service Execution Framework for Device-To-Device Collaborations

    There is high demand for effective, high-performance collaboration between mobile devices in places where traditional Internet connections are unavailable, unreliable, or significantly overburdened, such as battlefields, disaster zones, isolated rural areas, or crowded public venues. To enable collaboration among the devices in opportunistic networks, code offloading and Remote Method Invocation are the two major mechanisms to ensure that code portions of applications are successfully transmitted to and executed on the remote platforms. Although these domains have been popular in research for a decade, the limitations of multi-device connectivity, system error handling and cross-platform compatibility prevent these technologies from being broadly applied in the mobile industry. To address the above problems, we designed and developed UMSEF, a Universal Mobile Service Execution Framework, which is an innovative and radical approach for mobile computing in opportunistic networks. Our solution is built as a component-based mobile middleware architecture that is flexible and adaptive to multiple network topologies, tolerant of network errors and compatible with multiple platforms. We provide an effective algorithm to estimate the resource availability of a device for higher performance and energy consumption, and a novel platform for mobile remote method invocation based on declarative annotations over multi-group device networks. Real-world experiments show that our approach not only achieves better performance and energy consumption, but can also be extended to large-scale ubiquitous or IoT systems.

    Optimal Framework for Level Based Access Control for VM Auditing on Cloud

    The growth of cloud computing has motivated and enabled many application developers to deploy their applications on the cloud. The major challenge of hosting on the cloud is that the service provider or the application provider must comply with a good number of rules. These compliance reports are validated and checked from time to time by external auditors. The auditing process for cloud services is critical, and access controls must be enabled. Due to the higher complexity and lower flexibility of virtual machines, in most cases this access control mechanism is compromised. This work proposes four algorithms to identify and enhance the LBAC mechanism for cloud services with access updates based on time-variant characteristics analysis and predictive analysis with selective cryptographic methods. The proposed model produces significantly improved results to overcome three major issues in cloud service management: selective LBAC, static privileges and open access control for the auditors.

    Secure Communication in Disaster Scenarios

    During natural disasters or terrorist attacks, the existing communication infrastructure is often overloaded or fails completely. In these situations, mobile devices can be connected to each other using wireless ad hoc and disruption-tolerant networking to set up an emergency communication system for civilians and rescue services. If available, a connection to cloud services on the Internet can be a valuable aid in crisis and disaster management. Such communication systems, however, carry serious security risks, since attackers could try to steal confidential data, inject forged notifications from emergency services, or carry out denial-of-service (DoS) attacks. This dissertation proposes new approaches to communication in emergency networks of mobile devices, ranging from communication between mobile devices to cloud services on servers on the Internet. Using these approaches improves the security of device-to-device communication, the security of emergency apps on mobile devices, and the security of server systems for cloud services.

    A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks

    Android platform security is an active area of research where malware detection techniques continuously evolve to identify novel malware and improve the timely and accurate detection of existing malware. Adversaries are constantly in charge of employing innovative techniques to avoid or prolong malware detection effectively. Past studies have shown that malware detection systems are susceptible to evasion attacks where adversaries can successfully bypass the existing security defenses and deliver the malware to the target system without being detected. The evolution of escape-resistant systems is an open research problem. This paper presents a detailed taxonomy and evaluation of Android-based malware evasion techniques deployed to circumvent malware detection. The study characterizes such evasion techniques into two broad categories, polymorphism and metamorphism, and analyses techniques used for stealth malware detection based on the malware’s unique characteristics. Furthermore, the article also presents a qualitative and systematic comparison of evasion detection frameworks and their detection methodologies for Android-based malware. Finally, the survey discusses open-ended questions and potential future directions for continued research in mobile malware detection

    Investigating mis-implementation of SSL libraries in android applications

    The printed copy of the thesis is held at the İstanbul Şehir Üniversitesi library. This thesis presents our analysis of applications that are popular on the market for SSL mis-implementation. 8.882 applications were analyzed, and as a result 2.354 applications have at least one misuse of SSL libraries, namely Custom TrustManager, Custom HostnameVerifiers and WebViewClient libraries. After the analysis phase we created a proof-of-concept application as an Xposed framework plugin to identify vulnerabilities. Our conclusion is that 27 percent of applications have a vulnerability from an SSL connection standpoint. The main reasons for these vulnerabilities are developer errors and third-party generators or libraries. Using third-party libraries can cause security bugs which lead to information leakage or exploitation.

    ANDRODET: An adaptive Android obfuscation detector

    Obfuscation techniques modify an app's source (or machine) code in order to make it more difficult to analyze. This is typically applied to protect intellectual property in benign apps, or to hinder the process of extracting actionable information in the case of malware. Since malware analysis often requires considerable resource investment, detecting the particular obfuscation technique used may contribute to applying the right analysis tools, thus leading to some savings. In this paper, we propose ANDRODET, a mechanism to detect three popular types of obfuscation in Android applications, namely identifier renaming, string encryption, and control flow obfuscation. ANDRODET leverages online learning techniques, thus being suitable for resource-limited environments that need to operate in a continuous manner. We compare our results with a batch learning algorithm using a dataset of 34,962 apps from both malware and benign apps. Experimental results show that online learning approaches are not only able to compete with batch learning methods in terms of accuracy, but they also save a significant amount of time and computational resources. Particularly, ANDRODET achieves an accuracy of 92.02% for identifier renaming detection, 81.41% for string encryption detection, and 68.32% for control flow obfuscation detection, on average. Also, the overall accuracy of the system when apps might be obfuscated with more than one technique is around 80.66%. (C) 2018 The Authors. Published by Elsevier B.V. This work has been partially supported by MINECO grant TIN2016-79095-C2-2-R (SMOG-DEV) and CAM grant S2013/ICE-3095 (CIBERDINE), co-funded with European FEDER funds. Furthermore, it has been partially supported by the UC3M’s grant Programa de Ayudas para la Movilida

    On the performance of WebAssembly

    Integrated master's dissertation in Informatics Engineering. The worldwide Web has dramatically evolved in recent years. Web pages are dynamic, expressed by programs written in common programming languages, giving rise to sophisticated Web applications. Thus, Web browsers are almost operating systems, having to interpret/compile such programs and execute them. Although JavaScript is widely used to express dynamic Web pages, it has several shortcomings and performance inefficiencies. To overcome such limitations, major IT powerhouses are developing a new portable and size/load efficient language: WebAssembly. In this dissertation, we conduct the first systematic study on the energy and run-time performance of WebAssembly and JavaScript on the Web. We used micro-benchmarks and real applications to have more realistic results. The results show that WebAssembly, while still in its infancy, is already starting to outperform JavaScript, with much more room to grow. A statistical analysis indicates that WebAssembly produces significant performance differences compared to JavaScript. However, these differences differ between micro-benchmarks and real-world benchmarks. Our results also show that WebAssembly improved energy efficiency by 30%, on average, and show how different WebAssembly behaviour is among three popular Web browsers: Google Chrome, Microsoft Edge, and Mozilla Firefox. Our findings indicate that WebAssembly is faster than JavaScript and even more energy-efficient. Our benchmarking framework is also available to allow further research and replication.