    Conceptual evidence collection and analysis methodology for Android devices

    Android devices continue to grow in popularity and capability, meaning the need for a forensically sound evidence collection methodology for these devices also increases. This chapter proposes a methodology for evidence collection and analysis for Android devices that is, as far as practical, device agnostic. Android devices may contain a significant amount of evidential data that could be essential to a forensic practitioner in their investigations. However, the retrieval of this data requires that the practitioner understand and utilize techniques to analyze information collected from the device. The major contribution of this research is an in-depth evidence collection and analysis methodology for forensic practitioners.

    Comment: in Cloud Security Ecosystem (Syngress, an Imprint of Elsevier), 201

    Graphical Security Sandbox For Linux Systems

    It has become extremely difficult to distinguish a benign application from a malicious one as the number of untrusted applications on the Internet increases rapidly every year. In this project, we develop a lightweight application confinement mechanism for Linux systems in order to aid most users to increase their confidence in various applications that they stumble upon and use on a daily basis. The developed sandboxing facility monitors a targeted application's activity and imposes restrictions on its access to operating system resources during its execution. Using a simple but expressive policy language, users are able to create security policies. During the course of the traced application's execution, the sandboxing facility makes execution decisions according to the specified security policy and terminates the traced application if necessary. In the case of an activity that is not covered by the policy, the facility asks for user input through a user interface with a simple, human-readable description of the activity, and uses that input to make execution decisions and to improve the security policy. Our ultimate goal is to create a facility such that even casual users with minimal technical knowledge can use the tool without getting overwhelmed by it. We base our tool on system call interposition, which has been a popular research area over the past fifteen years. The developed sandboxing facility offers a user-friendly, easy-to-use interface. It monitors the given application and detects activities that might possibly be system intrusions. Moreover, the tool offers logging and auditing mechanisms for post-execution analysis. We present our evaluation of the tool in terms of the performance overhead it generates when confining applications. We conclude that the developed system is successful in detecting abnormal application activity according to the specified security policies. We found that the tool adds a significant overhead to the target applications. However, this overhead does not pose usability issues, as our target domain is personal use cases with small applications.

    Retrofitting privacy controls to stock Android

    Android is not only the most popular operating system for mobile devices, but also an attractive target for attackers. To counter them, Android's security concept uses app isolation and access control for critical system resources. However, users have only few options to restrict app permissions according to their needs; instead, the developers decide which permissions are to be granted. Moreover, Android's security model cannot be adapted by third parties, so users must rely on device manufacturers to protect their privacy. This dissertation presents an approach to retrofit Android with comprehensive privacy settings. Specifically, it concerns techniques that can be deployed on regular Android devices without modifications to the operating system or access to root privileges. The first part of this work establishes techniques for enforcing security policies on apps using inlined reference monitors. This approach is extended by a new technique for dynamic method hook injection into Android's Java VM. Finally, a system is introduced that uses process-based privilege separation to create a virtualized app environment in order to enforce even complex security policies. A systematic evaluation of our approach demonstrated its practical applicability, and more than one million downloads of our solution show the demand for practical tools for protecting privacy.

    Android is the most popular operating system for mobile devices, making it a prime target for attackers. To counter these, Android's security concept uses app isolation and access control to critical system resources. However, Android gives users only limited options to restrict app permissions according to their privacy preferences but instead lets developers dictate the permissions users must grant. Moreover, Android's security model is not designed to be customizable by third-party developers, forcing users to rely on device manufacturers to address their privacy concerns. This thesis presents a line of work that retrofits comprehensive privacy controls to the Android OS to put the user back in charge of their device. It focuses on developing techniques that can be deployed to stock Android devices without firmware modifications or root privileges. The first part of this dissertation establishes fundamental policy enforcement on third-party apps using inlined reference monitors to enhance Android's permission system. This approach is then refined by introducing a novel technique for dynamic method hook injection on Android's Java VM. Finally, we present a system that leverages process-based privilege separation to provide a virtualized application environment that supports the enforcement of complex security policies. A systematic evaluation of our approach demonstrates its practical applicability, and over one million downloads of our solution confirm user demand for privacy-enhancing tools.

    A taxonomy of attacks and a survey of defence mechanisms for semantic social engineering attacks

    Social engineering is used as an umbrella term for a broad spectrum of computer exploitations that employ a variety of attack vectors and strategies to psychologically manipulate a user. Semantic attacks are the specific type of social engineering attacks that bypass technical defences by actively manipulating object characteristics, such as platform or system applications, to deceive rather than directly attack the user. Commonly observed examples include obfuscated URLs, phishing emails, drive-by downloads, spoofed websites and scareware, to name a few. This paper presents a taxonomy of semantic attacks, as well as a survey of applicable defences. By contrasting the threat landscape and the associated mitigation techniques in a single comparative matrix, we identify the areas where further research can be particularly beneficial.