Android Forensics
By Neetu Yadav (13mcei12)
Guide: Ms. Pooja Shah

Forensic Analysis of Android Devices

Suggestions given:
- Do cross-referencing
- Perform feasibility analysis
- Refine challenges related to securing the app and app market

ANDROID
- Open source mobile device operating system
- Linux 2.6 kernel
- Dalvik Virtual Machine
- ARM architecture
- Kernel enhancements for Android
- C library called Bionic
- YAFFS flash file system

Developed by Google, based on the Linux kernel. The Linux kernel was chosen due to its proven driver model, existing drivers,
3) Java runtime engine, optimized for the limited resources available on a mobile platform, called the
4) The widespread popularity of the ARM platform is largely due to its focus on power-saving features. ARM is a RISC (Reduced Instruction Set Computer) architecture. Emphasis on small code size and low-power operation is the main reason
5) Android is based on Linux, but does not use a standard Linux kernel. The kernel enhancements of Android include the alarm driver, ashmem (Android shared memory driver), binder driver (inter-process communication interface), power management, low memory killer, kernel debugger and logger.
6) This library was designed to have fast execution paths, avoid edge cases and remain a simple implementation. It is composed partly of the BSD C library combined with Android original source code. This results in a combination of the BSD and Android licenses covering the entire library. This library is especially suited to operate with the limited CPU and memory available on Android platforms. Special security provisions were made in order to ensure the integrity of the system.
7) Android uses the YAFFS flash file system, the first NAND-optimized Linux flash file system.

Mobile Device Forensics
Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions.

Mobile device forensics is the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods. Several malicious applications, ranging from fake banking applications to an SMS Trojan embedded into a fake media player, have already been discovered on the Android Market since the beginning of this year.

Motivation
Android-enabled mobile phones are often used to:
- Manage personal data
- Perform a variety of tasks
- Receive one-time passwords
- Sync to e-mail accounts
- Perform e-commerce transactions
- Payment of household bills
- Fund transfer
- Internet of things
- Apps with unnecessary permissions

2) such as making calls, surfing the web, or using location-based services.
3) smartphones is likely to contain evidence crucial for resolving a criminal case. This evidence can either be stored in persistent memory or as live data in the system's main memory. The latter is typically lost when a device runs out of battery power or is shut down, making it harder to recover.
It is quite obvious that the widely used platform is likely to be targeted more.

Crimes Related with Android Devices (used as a tool)
- Software theft (codebase)
- Terrorist activities
- Financial crimes
- Murder cases
- Pornography / child pornography
- Sexual harassment cases

Example: A smartphone can carry a large volume of sensitive data. Software theft: an unhappy employee of a company used to carry all source code of the key software of the company in her smartphone. She first copied the code to her phone's external storage and then deleted the same data from the phone. When her phone was observed at the security check, nothing was found in her phone. When she reached home, she used a tool to recover the deleted data. This way she took all the data out of her company, and later she sold the source code to the rival of her employer.

- Software theft is now a common attack. If the codebase of your software is stolen and sold to your rival, he can cause a great loss to your company. Your rivals are ready to invest huge money to obtain the source code of your key software.
- Terrorists also use smartphones to exchange and store information. They use smartphones to communicate with other members of the terrorist organization. They also use GPS to find locations. They can store various data in the smartphone, like maps or photos of target locations, encrypted and steganographic files, instructions etc. They can use the phone to take photos of target locations.
- Every other bank is developing banking and other non-financial applications to facilitate their mobile customers. These applications can be used for malicious activities by hackers. A smartphone recovered in financial fraud cases can give much evidence about the case.
- Even in murder or other criminal cases, a smartphone can provide evidence useful in solving the case. Everything from call records and SMSes to Facebook records or GPS data can be recovered from the phone.
- Pornography is fully banned in a number of countries, and child pornography is considered a big offence across the world. A smartphone can be used to store, view, capture and exchange such kinds of material.
- A smartphone can play a big role in sexual harassment cases. If a smartphone is recovered from the accused, a forensic examiner can get treasures of information from the device.

Crimes Related with Android Devices (as a target)
- Mobile apps to launch phishing and Trojan attacks
- SpyEye, Zeus v2, Citadel, Bugat v2
- Malicious repackaged applications
- Under-regulated app market
- Long lists of permissions that apps don't need

1) SpyEye automates the theft of confidential information and wages attacks through man-in-the-browser tactics.
2) Zeus: already the most popular banking Trojan in use ... Aside from its credit card grabber plugin, the Trojan also possesses a DDoS tool which can enable the botmaster to recruit infected PCs for attacks on online targets. Using a banking Trojan's botnet for DDoS attacks is one of the ways botmasters can monetize their botnets, charging hourly fees for the DDoS while they work on siphoning money out of infected users' bank accounts.
3) Citadel, a banking Trojan that was introduced to the underground in January, has evolved into the most sophisticated Trojan business model the world of commercial malware has ever known ... the team behind it have taken this Trojan deeper underground, and although it is still considered commercial malware, it is much less available and can only be purchased by new buyers if they are vouched for by other cybercriminals. This move is likely intended to keep the Trojan from being too widely spread, thus making sampling of the malware more difficult for researchers and keeping Citadel strains from being detected.
4) Bugat v2 continues to have a consistent presence on the global Trojan attack scene, accounting for an average of 14% of all financial Trojan attacks researched by RSA last year.
a principle of least authority, by which apps request the fewest number of permissions necessary for the software to operate, developers do not always follow this rule and users are faced with either allowing all of the permissions requested or not having access to the app.

A man-in-the-browser attack is designed to intercept data as it passes over a secure communication between a user and an online application. A Trojan embeds in a user's browser application and can be programmed to trigger when a user accesses specific online sites, such as an online banking site. Once activated, a man-in-the-browser Trojan can intercept and manipulate any information a user submits online in real time. The technology and skills required to launch a man-in-the-browser attack are not particularly new or advanced.

Malicious Application Repackaging
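
An added example, not part of the original slides: one defensive check for repackaged apps and for permissions an app does not need is to compare the permissions declared by a candidate APK's manifest against those of the known-good release. It assumes both manifests have already been decoded to text XML (for instance with apktool); the package name, the SENSITIVE watch list and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: a reviewer-chosen watch list, not an official Android classification.
SENSITIVE = {
    "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
}

def declared_permissions(manifest_xml):
    """Return the set of permission names requested in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def repackaging_report(original_xml, candidate_xml):
    """Compare a candidate manifest with the known-good release manifest."""
    orig = declared_permissions(original_xml)
    cand = declared_permissions(candidate_xml)
    added = cand - orig
    same_pkg = (ET.fromstring(original_xml).get("package")
                == ET.fromstring(candidate_xml).get("package"))
    return {
        "same_package": same_pkg,             # same name, different contents
        "added": sorted(added),               # permissions the release never had
        "added_sensitive": sorted(added & SENSITIVE),
        "removed": sorted(orig - cand),
    }

# Constructed sample manifests (hypothetical media player app).
HEAD = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
        'package="com.example.player">')

def sample_manifest(perms):
    body = "".join('<uses-permission android:name="android.permission.%s"/>' % p
                   for p in perms)
    return HEAD + body + "<application/></manifest>"

ORIGINAL = sample_manifest(["INTERNET", "WAKE_LOCK"])
CANDIDATE = sample_manifest(["INTERNET", "WAKE_LOCK", "SEND_SMS",
                             "RECEIVE_SMS", "READ_PHONE_STATE"])

if __name__ == "__main__":
    print(repackaging_report(ORIGINAL, CANDIDATE))
```

A candidate that keeps the package name but adds SMS permissions to a media player is worth a closer look before it is trusted or installed.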

Data found on the Android devices
- Text messages (SMS/MMS)
- Contacts
- Call logs
- E-mail messages
- Instant messenger / chat
- GPS coordinates
- Photos / video
- Driving directions
- Social media clients (Facebook, Twitter)
- Calendar appointments
- Financial information
- Shopping history
- Music collection, files and file sharing
(Hoog, 2011)

Fine-grained user control
- Giving the user more control
- Decide the extent of access to data
- Ability to deny access permission and still use the app
- Customize the data accessed by the application using stored samples

Preventing Android as a target
Google Play and Google account: After logging in, it will propose to install the app to the user's phone the next time it is connected to the internet. If the user agrees, he will not be asked again and the application will silently be installed on his phone (there is a small notification after the installation).
Refers to the process of analyzing a system to identify its components and their interrelationships, and create representations of the system in another form or a higher level of abstraction.

Challenges
- Data preservation
- Data stored in the network
- Decompiling the .apk file
- Volatile data acquisition
- Isolating the device (wireless connections)
- No modification to target device
- Implications of granting specific permissions
- Removing access right of an app crashes it
- Malware in apps from Android Market (detection)

1) Data that could be found in volatile RAM are passwords, encryption keys and usernames.
2) Data that could be found in Android devices could be broader than the data found in personal computers. A reason for choosing NAND flash memory over the other types lies in its capability to store a significant amount of data in a relatively small physical size of memory.
4) Neither developers nor users are usually very familiar with the implications of requesting or granting specific permissions. Extra permissions may needlessly increase the potential damage of application vulnerabilities.
6) Apple maintains tight control over their App Store, requiring developers to submit to a sometimes lengthy review process and providing Apple with the final approval for an app. Apps can be denied based on a number of criteria, most notably if they contain any content Apple feels is objectionable. Google, on the other hand, requires very little review to publish an app in the Android Market. While Google has the ability to ban a developer, remove an app from the Android Market, and even remotely uninstall apps from Android devices, in general their approach to app management is hands off. (Hoog)

References
- Jonas Helfer & Ty Lin, "Giving the User Control over Android Permissions", 6.858 Final Project, Fall 2012, December 15, 2012
- http://www.isecauditors.com/sites/default/files/files/OWASP_EU_Tour_2013_Bucharest_Android_reverse_engineering.pdf
- http://www.fortiguard.com/files/Insomnihack-Ruchna-Final.pdf
- http://digitalforensics.sans.org/blog/2011/06/09/android-mobile-malware-analysis-article
- http://dl.packetstormsecurity.net/papers/presentations/HackingyourDroid-Slides.pdf