AndroShield:automated Android applications vulnerability detection, a hybrid static and dynamic analysis approach

The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution

Contactless payments :usability at the cost of security?

PhD ThesisEMV (Europay, MasterCard, Visa), commonly termed “Chip & PIN”, is becoming the dominant card based payment technology globally. The EMV Chip & PIN transaction protocol was originally designed to operate in an environment where the card was physically inserted into the POS terminal / ATM and used a wired connection to communicate. The introduction of EMV contactless payments technology raises an interesting question “has usability been improved at the cost of security?”. Specifically, to make contactless payments more convenient / usable, a wireless interface has been added to EMV cards and PIN entry has been waived for contactless payments. Do these new usability features make contactless cards less secure? This PhD thesis presents an analysis of the security of the EMV contactless payments. It considers the security of the EMV contactless transaction protocols as stand-alone processes and the wider impact of contactless technology upon the security of the EMV card payment system as a whole. The thesis contributes a structured analysis methodology which identifies vulnerabilities in the EMV protocol and demonstrates the impact of these vulnerabilities on the EMV payment system. The analysis methodology comprises UML diagrams and reference tables which describe the EMV protocol sequences, a protocol emulator which implements the protocol, a Z abstract model of the protocol and practical demonstrations of the research results. Detailed referencing of the EMV specifications provide a documented link between the exploitable vulnerabilities observed in real EMV cards and the source of the vulnerability in the EMV specifications. Our analysis methodology has identified two previously undocumented vulnerabilities in the EMV contactless transaction protocol. The potential existence of these vulnerabilities was identified using the Z abstract model with the protocol emulator providing experimental confirmation of the potential for real-world exploitation of the vulnerabilities and test results quantifying the extent of the impact. Once a vulnerability has been shown to be exploitable using the protocol emulator, we use practical demonstrations to show that these vulnerabilities can be exploited in the real-world using off-the-shelf equipment. This presents a stronger impact message when presenting our research results to a nontechnical audience. This has helped to raise awareness of security issues relating to EMV contactless cards, with our work appearing in the media, radio and TV

Mobile Math learning application For children (Fun Math)

This project is about evolving Android Application that will carry the board of mobile learning inside, throughout implementing math learning or math practicing theories and methods with proper usability. First of all the author of project has carried out research about math learning and practicing strategies and identified some common-used methods that are used in learning simple math for kids. It was decided that the most appropriate method to be integrated into mobile learning is Inductive and Deductive Methods, which will provide fast learning and efficient time react skills. Far ahead, research continued on mobile learning. How learning ideas and strategies could be implemented in mobile application. Afterward with a humble success, the research part was finished, author switched to learning Google AppInventor web application, which aids to develop software application for running on Android based OS platform. Application has been developed and graphical interface was implemented. After downloading apk file into the phone’s memory, software ran successfully. Surveys were conducted to find out satisfaction of user in using developed app and 9/10 people reported satisfactory functionality of the system, 10/10 reported good usability features, 7/10 reported good design of the interface

Automating NFC Message Sending for Good and Evil

Near Field Communication (NFC) is an emerging proximity wireless technology used for triggering automatic interactions between mobile devices. In standard NFC usage, one message is sent per device contact, then the devices must be physically separated and brought together again. In this paper, we present a mechanism for automatically sending multiple messages without any need to physically decouple the devices. After an introduction to NFC and related security issues, we discuss the motivation for—and an implementation of—an automation framework for sending repeated NFC messages without any need for human interaction. Then we consider how such an automated mechanism can be used for both a denial of service attack and as a platform for fuzz testing. We present experimental evidence on the efficacy of automated NFC as a vector for achieving these goals. We conclude with suggestions for future work and provide some overall insights

The Dangers of Verify PIN on Contactless Cards

Contactless / Near Field Communication (NFC) card payments are being introduced around the world, allowing customers to use a card to pay for small purchases by simply placing the card onto the Point of Sale terminal. Although the terminal needs to be able to verify a PIN, it is not clear if such PIN verification features should be available on the NFC card itself. We show that contactless Visa payment cards have (largely redundant) functionality, Verify PIN, which makes them vulnerable to new forms of wireless attack. Based on careful examination of the Europay, MasterCard and Visa (EMV) protocol and experiments with the Visa fast Dynamic Data Authentication transaction protocol, we provide a set of building blocks for possible attacks. These building blocks are data skimming, Verify PIN and transaction relay, which we implement and experiment with. Based on these building blocks, we propose a number of realistic attacks, including a denial-of-service attack and a newly developed realistic PIN guessing attack. The conclusion of our work is that implementing Verify PIN functionality on NFC cards has no demonstrated benefits and opens up new avenues of attack

Securing Arm Platform: From Software-Based To Hardware-Based Approaches

With the rapid proliferation of the ARM architecture on smart mobile phones and Internet of Things (IoT) devices, the security of ARM platform becomes an emerging problem. In recent years, the number of malware identified on ARM platforms, especially on Android, shows explosive growth. Evasion techniques are also used in these malware to escape from being detected by existing analysis systems. In our research, we first present a software-based mechanism to increase the accuracy of existing static analysis tools by reassembleable bytecode extraction. Our solution collects bytecode and data at runtime, and then reassemble them offline to help static analysis tools to reveal the hidden behavior in an application. Further, we implement a hardware-based transparent malware analysis framework for general ARM platforms to defend against the traditional evasion techniques. Our framework leverages hardware debugging features and Trusted Execution Environment (TEE) to achieve transparent tracing and debugging with reasonable overhead. To learn the security of the involved hardware debugging features, we perform a comprehensive study on the ARM debugging features and summarize the security implications. Based on the implications, we design a novel attack scenario that achieves privilege escalation via misusing the debugging features in inter-processor debugging model. The attack has raised our concern on the security of TEEs and Cyber-physical System (CPS). For a better understanding of the security of TEEs, we investigate the security of various TEEs on different architectures and platforms, and state the security challenges. A study of the deploying the TEEs on edge platform is also presented. For the security of the CPS, we conduct an analysis on the real-world traffic signal infrastructure and summarize the security problems

Enabling the Virtual Phones to remotely sense the Real Phones in real-time: A Sensor Emulation initiative for virtualized Android-x86

Smartphones nowadays have the ground-breaking features that were only a figment of one’s imagination. For the ever-demanding cellphone users, the exhaustive list of features that a smartphone supports just keeps getting more exhaustive with time. These features aid one’s personal and professional uses as well. Extrapolating into the future the features of a present-day smartphone, the lives of us humans using smartphones are going to be unimaginably agile. With the above said emphasis on the current and future potential of a smartphone, the ability to virtualize smartphones with all their real-world features into a virtual platform, is a boon for those who want to rigorously experiment and customize the virtualized smartphone hardware without spending an extra penny. Once virtualizable independently on a larger scale, the idea of virtualized smartphones with all the virtualized pieces of hardware takes an interesting turn with the sensors being virtualized in a way that’s closer to the real-world behavior. When accessible remotely with the real-time responsiveness, the above mentioned real-world behavior will be a real dealmaker in many real-world systems, namely, the life-saving systems like the ones that instantaneously get alerts about harmful magnetic radiations in the deep mining areas, etc. And these life-saving systems would be installed on a large scale on the desktops or large servers as virtualized smartphones having the added support of virtualized sensors which remotely fetch the real hardware sensor readings from a real smartphone in real-time. Based on these readings the lives working in the affected areas can be alerted and thus saved by the people who are operating the at the desktops or large servers hosting the virtualized smartphones