Novel Attacks and Defenses in the Userland of Android

In the last decade, mobile devices have spread rapidly, becoming more and more part of our everyday lives; this is due to their feature-richness, mobility, and affordable price. At the time of writing, Android is the leader of the market among operating systems, with a share of 76% and two and a half billion active Android devices around the world. Given that such small devices contain a massive amount of our private and sensitive information, the economic interests in the mobile ecosystem skyrocketed. For this reason, not only legitimate apps running on mobile environments have increased dramatically, but also malicious apps have also been on a steady rise. On the one hand, developers of mobile operating systems learned from security mistakes of the past, and they made significant strides in blocking those threats right from the start. On the other hand, these high-security levels did not deter attackers. In this thesis, I present my research contribution about the most meaningful attack and defense scenarios in the userland of the modern Android operating system. I have emphasized "userland'' because attack and defense solutions presented in this thesis are executing in the userspace of the operating system, due to the fact that Android is slightly different from traditional operating systems. After the necessary technical background, I show my solution, RmPerm, in order to enable Android users to better protect their privacy by selectively removing permissions from any app on any Android version. This operation does not require any modification to the underlying operating system because we repack the original application. Then, using again repackaging, I have developed Obfuscapk; it is a black-box obfuscation tool that can work with every Android app and offers a free solution with advanced state of the art obfuscation techniques -- especially the ones used by malware authors. Subsequently, I present a machine learning-based technique that focuses on the identification of malware in resource-constrained devices such as Android smartphones. This technique has a very low resource footprint and does not rely on resources outside the protected device. Afterward, I show how it is possible to mount a phishing attack -- the historically preferred attack vector -- by exploiting two recent Android features, initially introduced in the name of convenience. Although a technical solution to this problem certainly exists, it is not solvable from a single entity, and there is the need for a push from the entire community. But sometimes, even though there exists a solution to a well-known vulnerability, developers do not take proper precautions. In the end, I discuss the Frame Confusion vulnerability; it is often present in hybrid apps, and it was discovered some years ago, but I show how it is still widespread. I proposed a methodology, implemented in the FCDroid tool, for systematically detecting the Frame Confusion vulnerability in hybrid Android apps. The results of an extensive analysis carried out through FCDroid on a set of the most downloaded apps from the Google Play Store prove that 6.63% (i.e., 1637/24675) of hybrid apps are potentially vulnerable to Frame Confusion. The impact of such results on the Android users' community is estimated in 250.000.000 installations of vulnerable apps

ATTACKS AND COUNTERMEASURES FOR WEBVIEW ON MOBILE SYSTEMS

ABSTRACT All the mainstream mobile operating systems provide a web container, called ``WebView\u27\u27. This Web-based interface can be included as part of the mobile application to retrieve and display web contents from remote servers. WebView not only provides the same functionalities as web browser, more importantly, it enables rich interactions between mobile apps and webpages loaded inside WebView. Through its APIs, WebView enables the two-way interaction. However, the design of WebView changes the landscape of the Web, especially from the security perspective. This dissertation conducts a comprehensive and systematic study of WebView\u27s impact on web security, with a particular focus on identifying its fundamental causes. This dissertation discovers multiple attacks on WebView, and proposes new protection models to enhance the security of WebView. The design principles of these models are also described as well as the prototype implementation in Android platform. Evaluations are used to demonstrate the effectiveness and performance of these protection models

An Empirical Study on Android-related Vulnerabilities

Mobile devices are used more and more in everyday life. They are our cameras, wallets, and keys. Basically, they embed most of our private information in our pocket. For this and other reasons, mobile devices, and in particular the software that runs on them, are considered first-class citizens in the software-vulnerabilities landscape. Several studies investigated the software-vulnerabilities phenomenon in the context of mobile apps and, more in general, mobile devices. Most of these studies focused on vulnerabilities that could affect mobile apps, while just few investigated vulnerabilities affecting the underlying platform on which mobile apps run: the Operating System (OS). Also, these studies have been run on a very limited set of vulnerabilities. In this paper we present the largest study at date investigating Android-related vulnerabilities, with a specific focus on the ones affecting the Android OS. In particular, we (i) define a detailed taxonomy of the types of Android-related vulnerability; (ii) investigate the layers and subsystems from the Android OS affected by vulnerabilities; and (iii) study the survivability of vulnerabilities (i.e., the number of days between the vulnerability introduction and its fixing). Our findings could help OS and apps developers in focusing their verification & validation activities, and researchers in building vulnerability detection tools tailored for the mobile world

Reaching across - managing variants of one application on multiple platforms

The number of platforms to support in today's software projects are many and there are a wide range of differences to consider. There are tons of programming languages on the market and each platform, both mobile and desktop, have different preferences on how to develop applications. This do often result in multiple applications, similar to the end user but different to the developers. The same functionality has to be developed and maintained in multiple versions of the application in different ways. To solve these issues there is a need to think of the applications and platform in a new way. They have to be unified and commonalities has to be found or made. New application structures and tools are also needed to keep the platforms in sync. When developing those concepts each platform’s flexibility must be protected. Each platform has it’s own advantages and features like a GPS and camera and they have to be available to build a competitive product. This report concludes that web technology such as HTML5, JavaScript and CSS is a promising way to introduce common parts in the application. This helps to manage the platforms in one way and reduces the differences. To retain the platform specifics, language bridges are used to directly communicate with the native platform from the web parts. This enables the full strength of each platform and makes the solution a fully featured competitor to native applications

Peer-to-Peer File Sharing WebApp: Enhancing Data Security and Privacy through Peer-to-Peer File Transfer in a Web Application

Peer-to-peer (P2P) networking has emerged as a promising technology that enables distributed systems to operate in a decentralized manner. P2P networks are based on a model where each node in the network can act as both a client and a server, thereby enabling data and resource sharing without relying on centralized servers. The P2P model has gained considerable attention in recent years due to its potential to provide a scalable, fault-tolerant, and resilient architecture for various applications such as file sharing, content distribution, and social networks.In recent years, researchers have also proposed hybrid architectures that combine the benefits of both structured and unstructured P2P networks. For example, the Distributed Hash Table (DHT) is a popular hybrid architecture that provides efficient lookup and search algorithms while maintaining the flexibility and adaptability of the unstructured network.To demonstrate the feasibility of P2P systems, several prototypes have been developed, such as the BitTorrent file-sharing protocol and the Skype voice-over-IP (VoIP) service. These prototypes have demonstrated the potential of P2P systems for large-scale applications and have paved the way for the development of new P2P-based systems

Agile Beeswax: Mobile App Development Process and Empirical Study in Real Environment

Mobile application development is a highly competitive environment; agile methodologies can enable teams to provide value faster, with higher quality and predictability, and a better attitude to deal with the continuous changes that will arise in the mobile context application (App), and the positive impact of that on sustainable development through continuous progress. App development is different from other types of software. For this reason, our objective is to present a new agilebased methodology for app development that we call Agile Beeswax. Agile Beeswax is conceived after identifying the mobile development process’s issues and challenges, and unique requirements. Agile Beeswax is an incremental, iterative development process composed of two main iterative loops (sprints), the incremental design loop and the incremental development loop, and one bridge connecting these two sprints. Agile Beeswax is structured in six phases, idea and strategy, user experience design, user interface design, design to development, handoff and technical decisions, development, and deployment and monitoring. One of its main strengths is that it has been created with academic and business perspectives to bring these two communities closer. To achieve this purpose, our research methodology comprises four main phases: Phase 1: Extensive literature review of mobile development methodologies, Phase 2: Interviews with mobile application developers working in small to medium software companies, Phase 3: Survey to extract valuable knowledge about mobile development (which was carefully designed based on the results of the first and the second phases), and Phase 4: Proposal of a new methodology for the agile development of mobile applications. With the aim of integrating both perspectives, the survey was answered by a sample of 35 experts, including academics and developers. Interesting results have been collected and discussed in this paper (on issues such as the development process, the tools used during this process, and the general issues and challenges they encountered), laying the foundations of the methodology Agile Beeswax proposed to develop mobile apps. Our results and the proposed methodology are intended to serve as support for mobile application developers.Spanish Government European Commission RTI2018-096986-B-C3