4 research outputs found
Enter Sandbox: Android Sandbox Comparison
Expecting the shipment of 1 billion Android devices in 2017, cyber criminals
have naturally extended their vicious activities towards Google's mobile
operating system. With an estimated number of 700 new Android applications
released every day, keeping control over malware is an increasingly challenging
task. In recent years, a vast number of static and dynamic code analysis
platforms for analyzing Android applications and making decision regarding
their maliciousness have been introduced in academia and in the commercial
world. These platforms differ heavily in terms of feature support and
application properties being analyzed. In this paper, we give an overview of
the state-of-the-art dynamic code analysis platforms for Android and evaluate
their effectiveness with samples from known malware corpora as well as known
Android bugs like Master Key. Our results indicate a low level of diversity in
analysis platforms resulting from code reuse that leaves the evaluated systems
vulnerable to evasion. Furthermore the Master Key bugs could be exploited by
malware to hide malicious behavior from the sandboxes.Comment: In Proceedings of the Third Workshop on Mobile Security Technologies
(MoST) 2014 (http://arxiv.org/abs/1410.6674
Security and privacy in mobile environments
The number of smartphones is constantly increasing and they have become a central part of our lives. A big role for their success is the large number of available applications. While these applications open up a lot of opportunities for their users, they can also pose risks. With the amount of available applications, it is inevitable that they also include bad quality software. While these applications may not pose a direct risk to the device itself, many of them are communicating to some kind of back-end server on the internet. Furthermore, "free" applications often include some kind of advertisement, which needs to be loaded from a server again. We analyze the existing ecosystem of third party tracking in web and mobile applications and evaluate defenses according to their effectiveness in blocking tracking efforts. We show that there is still a lot of information transmitted in clear text, without the use of Transport Layer Security. In addition, even when TLS is used, this tracking information can still be used by attackers for certain kind of attacks. Based on our findings, we propose different approaches to protect user privacy and security. Specifically, we explore notary-based validation schemes for certificate validation and provide a longitudinal study of certificate validation capabilities of available notary services. Mobile apps already employ certificate pinning to prevent interception attacks. However, the application still needs to be updated when the corresponding certificate changes. We therefore provide an on-device certificate pinning solution, which utilizes notary services to update pinned certificates automatically and transparently for the user. Finally, we evaluate existing Android malware analysis platforms and provide metrics on the effectiveness and inter-dependencies of these services. This allows security analysts to select the best fitting system or subset of systems to accomplish their analysis task.14
AES-SEC: Improving software obfuscation through hardware-assistance (short paper)
While the resilience of software-only code obfuscation remains unclear and ultimately depends only on available resources and patience of the attacker, hardware-based software protection approaches can provide a much higher level of protection against program analysis. Almost no systematic research has been done on the interplay between hardware and software based protection mechanism. In this paper, we propose modifications to Intel's AES-NI instruction set in order to make it suitable for application in software protection scenarios and demonstrate its integration into a control flow obfuscation scheme. Our novel approach provides strong hardware-software binding and restricts the attack context to pure dynamic analysis - two major limiting factors of reverse engineering - to delay a successful attack against a program