    Enter Sandbox: Android Sandbox Comparison

    Expecting the shipment of 1 billion Android devices in 2017, cyber criminals have naturally extended their vicious activities towards Google's mobile operating system. With an estimated number of 700 new Android applications released every day, keeping control over malware is an increasingly challenging task. In recent years, a vast number of static and dynamic code analysis platforms for analyzing Android applications and making decisions regarding their maliciousness have been introduced in academia and in the commercial world. These platforms differ heavily in terms of feature support and application properties being analyzed. In this paper, we give an overview of the state-of-the-art dynamic code analysis platforms for Android and evaluate their effectiveness with samples from known malware corpora as well as known Android bugs like Master Key. Our results indicate a low level of diversity in analysis platforms resulting from code reuse that leaves the evaluated systems vulnerable to evasion. Furthermore, the Master Key bugs could be exploited by malware to hide malicious behavior from the sandboxes.
    Comment: In Proceedings of the Third Workshop on Mobile Security Technologies (MoST) 2014 (http://arxiv.org/abs/1410.6674)

    Security and privacy in mobile environments

    The number of smartphones is constantly increasing and they have become a central part of our lives. A big factor in their success is the large number of available applications. While these applications open up a lot of opportunities for their users, they can also pose risks. With the amount of available applications, it is inevitable that they also include bad quality software. While these applications may not pose a direct risk to the device itself, many of them are communicating with some kind of back-end server on the internet. Furthermore, "free" applications often include some kind of advertisement, which again needs to be loaded from a server. We analyze the existing ecosystem of third party tracking in web and mobile applications and evaluate defenses according to their effectiveness in blocking tracking efforts. We show that there is still a lot of information transmitted in clear text, without the use of Transport Layer Security. In addition, even when TLS is used, this tracking information can still be used by attackers for certain kinds of attacks. Based on our findings, we propose different approaches to protect user privacy and security. Specifically, we explore notary-based validation schemes for certificate validation and provide a longitudinal study of the certificate validation capabilities of available notary services. Mobile apps already employ certificate pinning to prevent interception attacks. However, the application still needs to be updated when the corresponding certificate changes. We therefore provide an on-device certificate pinning solution, which utilizes notary services to update pinned certificates automatically and transparently for the user. Finally, we evaluate existing Android malware analysis platforms and provide metrics on the effectiveness and inter-dependencies of these services. This allows security analysts to select the best fitting system or subset of systems to accomplish their analysis task.

    AES-SEC: Improving software obfuscation through hardware-assistance (short paper)

    While the resilience of software-only code obfuscation remains unclear and ultimately depends only on the available resources and patience of the attacker, hardware-based software protection approaches can provide a much higher level of protection against program analysis. Almost no systematic research has been done on the interplay between hardware- and software-based protection mechanisms. In this paper, we propose modifications to Intel's AES-NI instruction set in order to make it suitable for application in software protection scenarios and demonstrate its integration into a control flow obfuscation scheme. Our novel approach provides strong hardware-software binding and restricts the attack context to pure dynamic analysis, two major limiting factors of reverse engineering, to delay a successful attack against a program.