
    Investigating mis-implementation of SSL libraries in android applications

    The printed copy of the thesis is held at the İstanbul Şehir Üniversitesi library. This thesis presents our analysis of applications that are popular at the market against SSL mis-implementation. 8.882 applications were analyzed and as a result 2.354 applications have at least one misuse of SSL libraries, which are Custom TrustManager, Custom HostnameVerifiers and WebViewClient libraries. After the analysis phase we have created a proof of concept application as an Xposed framework plugin to identify vulnerabilities. Our conclusion is that 27 percent of applications have a vulnerability from an SSL connection standpoint. The main reasons for these vulnerabilities are developer errors and third party generators or libraries. Using third party libraries can cause security bugs which lead to information leakage or exploitation.

    An Empirical Study on Android-related Vulnerabilities

    Mobile devices are used more and more in everyday life. They are our cameras, wallets, and keys. Basically, they embed most of our private information in our pocket. For this and other reasons, mobile devices, and in particular the software that runs on them, are considered first-class citizens in the software-vulnerabilities landscape. Several studies investigated the software-vulnerabilities phenomenon in the context of mobile apps and, more in general, mobile devices. Most of these studies focused on vulnerabilities that could affect mobile apps, while just a few investigated vulnerabilities affecting the underlying platform on which mobile apps run: the Operating System (OS). Also, these studies have been run on a very limited set of vulnerabilities. In this paper we present the largest study to date investigating Android-related vulnerabilities, with a specific focus on the ones affecting the Android OS. In particular, we (i) define a detailed taxonomy of the types of Android-related vulnerability; (ii) investigate the layers and subsystems from the Android OS affected by vulnerabilities; and (iii) study the survivability of vulnerabilities (i.e., the number of days between the vulnerability introduction and its fixing). Our findings could help OS and apps developers in focusing their verification & validation activities, and researchers in building vulnerability detection tools tailored for the mobile world.

    How Smart is your Android Smartphone?

    Smart phones are ubiquitous today. These phones generally have access to sensitive personal information and, consequently, they are a prime target for attackers. A virus or worm that spreads over the network to cell phone users could be particularly damaging. Due to a rising demand for secure mobile phones, manufacturers have increased their emphasis on mobile security. In this project, we address some security issues relevant to the current Android smartphone framework. Specifically, we demonstrate an exploit that targets the Android telephony service. In addition, as a defense against the loss of personal information, we provide a means to encrypt data stored on the external media card. While smartphones remain vulnerable to a variety of security threats, this encryption provides an additional level of security.

    Security Code Smells in Android ICC

    Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerability in Android apps. To promote secure programming practices, we have reviewed related research, and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities. Comment: Accepted on 28 Nov 2018, Empirical Software Engineering Journal (EMSE), 201

    R2-D2: ColoR-inspired Convolutional NeuRal Network (CNN)-based AndroiD Malware Detections

    The influence of Deep Learning on image identification and natural language processing has attracted enormous attention globally. The convolution neural network that can learn without prior extraction of features fits well in response to the rapid iteration of Android malware. The traditional solution for detecting Android malware requires continuous learning through pre-extracted features to maintain high performance of identifying the malware. In order to reduce the manpower of feature engineering prior to the condition of not to extract pre-selected features, we have developed a coloR-inspired convolutional neuRal networks (CNN)-based AndroiD malware Detection (R2-D2) system. The system can convert the bytecode of classes.dex from Android archive file to RGB color code and store it as a color image with fixed size. The color image is input to the convolutional neural network for automatic feature extraction and training. The data was collected from Jan. 2017 to Aug. 2017. During the period of time, we have collected approximately 2 million benign and malicious Android apps for our experiments with the help from our research partner Leopard Mobile Inc. Our experiment results demonstrate that the proposed system has accurate security analysis on contracts. Furthermore, we keep our research results and experiment materials on http://R2D2.TWMAN.ORG. Comment: Version 2018/11/15, IEEE BigData 2018, Seattle, WA, USA, Dec 10-13, 2018. (Accepted