I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis

Android applications may leak privacy data carelessly or maliciously. In this work we perform inter-component data-flow analysis to detect privacy leaks between components of Android applications. Unlike all current approaches, our tool, called IccTA, propagates the context between the components, which improves the precision of the analysis. IccTA outperforms all other available tools by reaching a precision of 95.0% and a recall of 82.6% on DroidBench. Our approach detects 147 inter-component based privacy leaks in 14 applications in a set of 3000 real-world applications with a precision of 88.4%. With the help of ApkCombiner, our approach is able to detect inter-app based privacy leaks

Improving Mobile-Malware Investigations with Static and Dynamic Code Analysis Techniques

Similar to the PC world, the abundance of mobile malware has become a serious threat to smartphone users. Thousands of new apps or app versions are uploaded to popular app stores every day. All of them need to be analyzed against violations of the app store's content policy. In particular, one wishes to detect whether an application contains malicious behavior. Similarly, antivirus companies check thousands of apps every day to determine whether or not they are malicious. Both app store operators and antivirus vendors face the same problem: it is generally challenging to tell apart malware from benign applications. This is because malware developers aim to hide their applications' malicious behavior as long as possible from being detected by applying different obfuscation techniques. The raising sophistication with which such measures are implemented pose a serious problem not just to automated malware detection approaches but also to the manual analysis of potential malware by human experts. In this dissertation, we propose a novel reverse engineering framework that includes different approaches for automatically extracting insights of the behavior of an Android application. In particular, we propose a novel approach, based on machine-learning, to automatically identify sensitive source and sink API methods. Furthermore, we propose an approach to automatically extract concrete runtime values, such as SMS messages or URLs, at any code location. The approach combines static and dynamic code analysis techniques in such a way that it is resistant against common obfuscation techniques. A further contribution is an approach that extracts concrete environment conditions that need to be fulfilled in order to reach a certain code location. This approach is based on code fuzzing that gets supported by static and dynamic code analysis techniques. All these approaches provide different insights into the analyzed application, in particular how and under which circumstances the application communicates with its environment. The reliable extraction of these insights requires novel solutions that address fundamental limitations of current static and dynamic code analysis approaches. We, therefore, also contribute new code analysis techniques that reduce well-known limitations of code analysis, such as reflective method calls or inter-component communications, resulting in incomplete callgraphs, or complex path conditions that result in reachability problems. All the insights that are extracted by our proposed approaches help human experts in speeding up their malware investigations. Manual malware investigations benefit from the automatic extraction of precise insights of the behavior of an application, which otherwise requires a time-consuming, manual analysis. On the other hand, existing automated code analysis approaches that are used during malware investigations benefit from our new techniques by reducing well-known limitations. This improves the detection rate of these approaches

How to do it Wrong: Smartphone Antivirus and Security Applications Under Fire: Presentation held at Dev Con 2016, 12th October 2016, Plymouth

Todays evil often comes in the form of ransomware, keyloggers, or spyware, against which AntiVirus applications are usually an end users only means of protection. But current security apps not only scan for malware, they also aid end users by detecting malicious URLs, scams or phishing attacks. Generally, security apps appear so self-evidently useful that institutions such as online-banking providers even require users to install anti-virus programs. In this talk, however, we show that the installation of security applications, at least in the context of smartphones, can sometimes open the phone to a number of attack vectors, making the system more instead of less vulnerable to attacks. In a recent research we conducted on Android security apps from renowned vendors such as Kaspersky, McAfee, Androhelm, Eset, Malwarebytes or Avira. When conducting a study of the apps security features (Antivirus and Privacy Protection, Device Protection, Secure Web Browsing, etc.) it came as a shock to us that every inspected application contained critical vulnerabilities, and that in the end no single of the promoted security features proved to be sufficiently secure. In a simple case, we would have been able to harm the app vendors business model by upgrading a trial version into a premium one at no charge. In other instances, attackers would be able to harm the end user by completely disabling the malware-scanning engine remotely. Or how about accessing confidential data by exploiting broken SSL communication, broken self-developed advanced crypto implementations or through SQL-injections? Yes, we can. On top, we were able to bypass the secure browsing protection and abuse it for code execution. The most alarming findings, however, were security applications that we were able to actually turn into a remote access trojan (RAT) or into ransomware. In light of all those findings, one must seriously question whether the advice to install a security app onto ones smartphone is a wise one. In this talk, we will not only explain our findings in detail but also propose possible security fixes

SuSi: A Tool for the Fully Automated Classification and Categorization of Android Sources and Sinks

Today’s smartphone users face a security dilemma: many apps they install operate on privacy-sensitive data, although they might originate from developers whose trustworthiness is hard to judge. Researchers have proposed more and more sophisticated static and dynamic analysis tools as an aid to assess the behavior of such applications. Those tools, however, are only as good as the privacy policies they are configured with. Policies typically refer to a list of sources of sensitive data as well as sinks which might leak data to untrusted observers. Sources and sinks are a moving target: new versions of the mobile operating system regularly introduce new methods, and security tools need to be reconfigured to take them into account. In this work we show that, at least for the case of Android, the API comprises hundreds of sources and sinks. We propose SuSi, a novel and fully automated machine-learning approach for identifying sources and sinks directly from the Android source code. On our training set, SuSi achieves a recall and precision of more than 92%. To provide more fine-grained information, SuSi further categorizes the sources (e.g., unique identifier, location information, etc.) and sinks (e.g., network, file, etc.), with an average precision and recall of about 89%. We also show that many current program analysis tools can be circumvented because they use hand-picked lists of source and sinks which are largely incomplete, hence allowing many potential data leaks to go unnoticed

A machine-learning approach for classifying and categorizing Android sources and sinks

Todays smartphone users face a security dilemma: many apps they install operate on privacy-sensitive data, although they might originate from developers whose trustworthiness is hard to judge. Researchers have addressed the problem with more and more sophisticated static and dynamic analysis tools as an aid to assess how apps use private user data. Those tools, however, rely on the manual configuration of lists of sources of sensitive data as well as sinks which might leak data to untrusted observers. Such lists are hard to come by. We thus propose SUSI, a novel machine-learning guided approach for identifying sources and sinks directly from the code of any Android API. Given a training set of hand-annotated sources and sinks, SUSI identifies other sources and sinks in the entire API. To provide more fine-grained information, SUSI further categorizes the sources (e.g., unique identifier, location information, etc.) and sinks (e.g., network, file, etc.). For Android 4.2, SUSI identifies hundreds of sources and sinks with over 92% accuracy, many of which are missed by current information-flow tracking tools. An evaluation of about 11,000 malware samples confirms that many of these sources and sinks are indeed used. We furthermore show that SUSI can reliably classify sources and sinks even in new, previously unseen Android versions and components like Google Glass or the Chromecast API

Instrumenting Android and Java Applications as Easy as abc.

Program instrumentation is a widely used mechanism in different software engineering areas. It can be used for creating profilers and debuggers, for detecting programming errors at runtime, or for securing programs through inline reference monitoring. This paper presents a tutorial on instrumenting Android applications using Soot and the AspectBench compiler (abc). We show how two well- known monitoring languages –Tracematches and AspectJ– can be used for instrumenting Android applications. Furthermore, we also describe the more flexible approach of manual imperative instrumentation directly using Soot’s intermediate representation Jimple. In all three cases no source code of the target application is required

The soot-based toolchain for analyzing android apps

Due to the quality and security requirements that come with an always-on mobile device processing large amounts of highly sensitive information, Android apps are an important target for automated program analysis. Yet, research on new approaches in this field often requires a significant amount of work to be spent on engineering tasks that are not central to the concrete research question at hand. These programming and debugging tasks can significantly delay the progress of the field. We therefore argue that research in the field greatly benefits from having a universal platform of readily usable components and well-tested fundamental algorithms on top of which researchers can build their own prototypes. Besides decreasing the required engineering effort for each new piece of research, such a platform also provides a base for comparing different approaches within one uniform framework, thereby fostering comparability and reproducibility. In this paper, we present the Soot framework for program analysis and various highly integrated open-source tools and components built on top of it that were designed with re-usability in mind. These artifacts are already at the core of many research and commercial projects worldwide. Due to the shared platform, results from one tool can not only be used as inputs for the others, but individual data objects can be passed around to form one large API with which one can build new research prototypes with ease

A machine-learning approach for classifying and categorizing android sources and sinks

Today’s smartphone users face a security dilemma: many apps they install operate on privacy-sensitive data, although they might originate from developers whose trustworthiness is hard to judge. Researchers have addressed the problem with more and more sophisticated static and dynamic analysis tools as an aid to assess how apps use private user data. Those tools, however, rely on the manual configuration of lists of sources of sensitive data as well as sinks which might leak data to untrusted observers. Such lists are hard to come by. We thus propose SUSI, a novel machine-learning guided approach for identifying sources and sinks directly from the code of any Android API. Given a training set of hand-annotated sources and sinks, SUSI identifies other sources and sinks in the entire API. To provide more fine-grained information, SUSI further categorizes the sources (e.g., unique identifier, location information, etc.) and sinks (e.g., network, file, etc.). For Android 4.2, SUSI identifies hundreds of sources and sinks with over 92% accuracy, many of which are missed by current information-flow tracking tools. An evaluation of about 11,000 malware samples confirms that many of these sources and sinks are indeed used. We furthermore show that SUSI can reliably classify sources and sinks even in new, previously unseen Android versions and components like Google Glass or the Chromecast API