Short Message Service (SMS) Command and Control (C2) Awareness in Android-based Smartphones using Kernel-Level Auditing

This thesis addresses the emerging threat of botnets in the smartphone domain and focuses on the Android platform and botnets using short message service (SMS) as the command and control (C2) channel. With any botnet, C2 is the most important component contributing to its overall resilience, stealthiness, and effectiveness. This thesis develops a passive host-based approach for identifying covert SMS traffic and providing awareness to the user. Modifying the kernel and implementing this awareness mechanism is achieved by developing and inserting a loadable kernel module that logs all inbound SMS messages as they are sent from the baseband radio to the application processor. The design is successfully implemented on an HTC Nexus One Android smartphone and validated with tests using an Android SMS bot from the literature. The module successfully logs all messages including bot messages that are hidden from user applications. Suspicious messages are then identified by comparing the SMS application message list with the kernel log\u27s list of events. This approach lays the groundwork for future host-based countermeasures for smartphone botnets and SMS-based botnets

A New Covert Channel Over Cellular Network Voice Channel

Smartphone security has become increasingly more significant as smartphones become a more important part of many individuals\u27 daily lives. Smartphones undergo all computer security issues; however, they also introduce a new set of security issues as various capabilities are added. Smartphone security researchers pay more attention to security issues inherited from the traditional computer security field than smartphone-related security issues. The primary network that smartphones are connected to is the cellular network, but little effort has been directed at investigating the potential security issues that could threaten this network and its end users. A new possible threat that could occur in the cellular network is introduced in this paper. This research proves the ability to use the cellular network voice channel as a covert channel that can convey covert information as speech, thus breaking the network policies. The study involves designing and implementing multiple subsystems in order to prove the theory. First, a software audio modem that is able to convert digital data into audio waves and inject the audio waves to the GSM voice channel was developed. Moreover, a user-mode rootkit was implemented in order to open the voice channels by stealthily answering the incoming voice call, thus breaking the security mechanisms of the smartphone. Multiple scenarios also were tested in order to verify the effectiveness of the proposed covert channel. The first scenario is a covert communication between two parties that intends to hide their communications by using a network that is unknown to the adversary and not protected by network security guards. The two parties communicate through the cellular network voice channel to send and receive text messages. The second scenario is a side channel that is able to leak data such as SMS or the contact of a hacked smartphone through the cellular network voice channel. The third scenario is a botnet system that uses the voice channel as command and control channel (C2). This study identifies a new potential smartphone covert channel, so the outcome should be setting countermeasures against this kind of breach

Security Investigation on Remote Access Methods of Virtual Private Network

Remote access is one of the prevalent business trends in today2019;s computing pervasive business environments. The ease of access to internal private networks over the internet by telecommuter devices has given birth too many security threats to the endpoint devices. The application client software and data at rest on the endpoint of remote access methods such as: Tunneling, Portal, Desktop Applications and Direct Access do not offer protection for the communication between the VPN gateway and internal resources. This paper, therefore investigate the security pitfalls of remote access for establishing virtual private network methods. To address these challenges, a remote access method to secure endpoint communication is proposed. The study adopted investigative research design by use of empirical review on the security aspect of the current state VPN Remote Access methods. This necessitates the review of the research article on the current state and related works which leads to critiques and offer proposed solution to remote access endpoint VPN. The scope of this study is limited to secure virtual private network endpoint data communication. In this paper, an investigation of these access technologies given

“And all the pieces matter...” Hybrid Testing Methods for Android App's Privacy Analysis

Smartphones have become inherent to the every day life of billions of people worldwide, and they are used to perform activities such as gaming, interacting with our peers or working. While extremely useful, smartphone apps also have drawbacks, as they can affect the security and privacy of users. Android devices hold a lot of personal data from users, including their social circles (e.g., contacts), usage patterns (e.g., app usage and visited websites) and their physical location. Like in most software products, Android apps often include third-party code (Software Development Kits or SDKs) to include functionality in the app without the need to develop it in-house. Android apps and third-party components embedded in them are often interested in accessing such data, as the online ecosystem is dominated by data-driven business models and revenue streams like advertising. The research community has developed many methods and techniques for analyzing the privacy and security risks of mobile apps, mostly relying on two techniques: static code analysis and dynamic runtime analysis. Static analysis analyzes the code and other resources of an app to detect potential app behaviors. While this makes static analysis easier to scale, it has other drawbacks such as missing app behaviors when developers obfuscate the app’s code to avoid scrutiny. Furthermore, since static analysis only shows potential app behavior, this needs to be confirmed as it can also report false positives due to dead or legacy code. Dynamic analysis analyzes the apps at runtime to provide actual evidence of their behavior. However, these techniques are harder to scale as they need to be run on an instrumented device to collect runtime data. Similarly, there is a need to stimulate the app, simulating real inputs to examine as many code-paths as possible. While there are some automatic techniques to generate synthetic inputs, they have been shown to be insufficient. In this thesis, we explore the benefits of combining static and dynamic analysis techniques to complement each other and reduce their limitations. While most previous work has often relied on using these techniques in isolation, we combine their strengths in different and novel ways that allow us to further study different privacy issues on the Android ecosystem. Namely, we demonstrate the potential of combining these complementary methods to study three inter-related issues: • A regulatory analysis of parental control apps. We use a novel methodology that relies on easy-to-scale static analysis techniques to pin-point potential privacy issues and violations of current legislation by Android apps and their embedded SDKs. We rely on the results from our static analysis to inform the way in which we manually exercise the apps, maximizing our ability to obtain real evidence of these misbehaviors. We study 46 publicly available apps and find instances of data collection and sharing without consent and insecure network transmissions containing personal data. We also see that these apps fail to properly disclose these practices in their privacy policy. • A security analysis of the unauthorized access to permission-protected data without user consent. We use a novel technique that combines the strengths of static and dynamic analysis, by first comparing the data sent by applications at runtime with the permissions granted to each app in order to find instances of potential unauthorized access to permission protected data. Once we have discovered the apps that are accessing personal data without permission, we statically analyze their code in order to discover covert- and side-channels used by apps and SDKs to circumvent the permission system. This methodology allows us to discover apps using the MAC address as a surrogate for location data, two SDKs using the external storage as a covert-channel to share unique identifiers and an app using picture metadata to gain unauthorized access to location data. • A novel SDK detection methodology that relies on obtaining signals observed both in the app’s code and static resources and during its runtime behavior. Then, we rely on a tree structure together with a confidence based system to accurately detect SDK presence without the need of any a priory knowledge and with the ability to discern whether a given SDK is part of legacy or dead code. We prove that this novel methodology can discover third-party SDKs with more accuracy than state-of-the-art tools both on a set of purpose-built ground-truth apps and on a dataset of 5k publicly available apps. With these three case studies, we are able to highlight the benefits of combining static and dynamic analysis techniques for the study of the privacy and security guarantees and risks of Android apps and third-party SDKs. The use of these techniques in isolation would not have allowed us to deeply investigate these privacy issues, as we would lack the ability to provide real evidence of potential breaches of legislation, to pin-point the specific way in which apps are leveraging cover and side channels to break Android’s permission system or we would be unable to adapt to an ever-changing ecosystem of Android third-party companies.The works presented in this thesis were partially funded within the framework of the following projects and grants: • European Union’s Horizon 2020 Innovation Action program (Grant Agreement No. 786741, SMOOTH Project and Grant Agreement No. 101021377, TRUST AWARE Project). • Spanish Government ODIO NºPID2019-111429RB-C21/PID2019-111429RBC22. • The Spanish Data Protection Agency (AEPD) • AppCensus Inc.This work has been supported by IMDEA Networks InstitutePrograma de Doctorado en Ingeniería Telemática por la Universidad Carlos III de MadridPresidente: Srdjan Matic.- Secretario: Guillermo Suárez-Tangil.- Vocal: Ben Stoc

Light Auditor: Power Measurement Can Tell Private Data Leakage Through IoT Covert Channels

Despite many conveniences of using IoT devices, they have suffered from various attacks due to their weak security. Besides well-known botnet attacks, IoT devices are vulnerable to recent covert-channel attacks. However, no study to date has considered these IoT covert-channel attacks. Among these attacks, researchers have demonstrated exfiltrating users\u27 private data by exploiting the smart bulb\u27s capability of infrared emission. In this paper, we propose a power-auditing-based system that defends the data exfiltration attack on the smart bulb as a case study. We first implement this infrared-based attack in a lab environment. With a newly-collected power consumption dataset, we pre-process the data and transform them into two-dimensional images through Continous Wavelet Transformation (CWT). Next, we design a two-dimensional convolutional neural network (2D-CNN) model to identify the CWT images generated by malicious behavior. Our experiment results show that the proposed design is efficient in identifying infrared-based anomalies: 1) With much fewer parameters than transfer-learning classifiers, it achieves an accuracy of 88% in identifying the attacks, including unseen patterns. The results are similarly accurate as the sophisticated transfer-learning CNNs, such as AlexNet and GoogLeNet; 2) We validate that our system can classify the CWT images in real time

It\u27s my iPad! Protecting Critical Data on Personal Mobile Devices in the Medical Setting

The pervasiveness of mobile devices has forced many organizations to support connectivity of corporate and private devices. Corporate devices are highly configurable regarding authentication, encryption, and remote wiping. BlackBerry devices can be fully deployed and managed using a centralized Blackberry Enterprise Server, however when a user owned device connects to enterprise servers, data security becomes a concern. Introduce a litany of complex legislative rulings and laws concerning protected data across various business domains and now personal mobile devices become security risks. This paper will discuss current issues in securing personal mobile devices in the healthcare environment and present possible solutions

CamFlow: Managed Data-sharing for Cloud Services

A model of cloud services is emerging whereby a few trusted providers manage the underlying hardware and communications whereas many companies build on this infrastructure to offer higher level, cloud-hosted PaaS services and/or SaaS applications. From the start, strong isolation between cloud tenants was seen to be of paramount importance, provided first by virtual machines (VM) and later by containers, which share the operating system (OS) kernel. Increasingly it is the case that applications also require facilities to effect isolation and protection of data managed by those applications. They also require flexible data sharing with other applications, often across the traditional cloud-isolation boundaries; for example, when government provides many related services for its citizens on a common platform. Similar considerations apply to the end-users of applications. But in particular, the incorporation of cloud services within `Internet of Things' architectures is driving the requirements for both protection and cross-application data sharing. These concerns relate to the management of data. Traditional access control is application and principal/role specific, applied at policy enforcement points, after which there is no subsequent control over where data flows; a crucial issue once data has left its owner's control by cloud-hosted applications and within cloud-services. Information Flow Control (IFC), in addition, offers system-wide, end-to-end, flow control based on the properties of the data. We discuss the potential of cloud-deployed IFC for enforcing owners' dataflow policy with regard to protection and sharing, as well as safeguarding against malicious or buggy software. In addition, the audit log associated with IFC provides transparency, giving configurable system-wide visibility over data flows. [...]Comment: 14 pages, 8 figure