Security Problems in Mobile Apps and Static Analysis Ideas
Jaeho Shin
2010-10-01, ROPAS Show&Tell
Contents
1. Mobile Apps and Security
2. Static Analysis Idea for Android “Permissions”
Mobile Apps and Security
Mobile Ecosystem
Users
Devices
OS
Apps
Developers
Distributors
Mobile Apps
User runs App; App is written by Developer.
Mobile Security Problems
Miserable User runs Malicious App; Malicious App is written by Evil Developer.
• Call or send texts to toll numbers
• Activate camera and take pictures or record videos for surveillance
• Track geo-location
• Disclose contacts and personal data
• Eavesdrop on private conversations
• Make loud noise or vibration
• Make calls drop
• Make device unusable
Current Solution
User runs App; App is written by Developer.
• A Trusted Distributor: App is downloaded from it; it checks and signs App
• OS Security Feature: restricts, protects
Better Solution
User runs App; App is written by Developer.
• A Trusted Distributor: App is downloaded from it; it verifies and signs App with static analysis!
• OS Security Feature: restricts, protects
Static Analysis for Android “Permissions”
Android “Permissions”
Code Sending SMS:
    import android.telephony.SmsManager;

    String phoneNumber = "010-1234-5678";
    String message = "hello!";
    SmsManager sms = SmsManager.getDefault();
    // pi is a PendingIntent created elsewhere (not shown on the slide)
    sms.sendTextMessage(phoneNumber, null, message, pi, null);
requires permission declaration in:
    <uses-permission android:name="android.permission.SEND_SMS"/>
Android “Permissions”
ACCESS_CHECKIN_PROPERTIES, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION, ACCESS_LOCATION_EXTRA_COMMANDS, ACCESS_MOCK_LOCATION, ACCESS_NETWORK_STATE, ACCESS_SURFACE_FLINGER, ACCESS_WIFI_STATE, ACCOUNT_MANAGER, AUTHENTICATE_ACCOUNTS, BATTERY_STATS, BIND_APPWIDGET, BIND_DEVICE_ADMIN, BIND_INPUT_METHOD, BIND_WALLPAPER, BLUETOOTH, BLUETOOTH_ADMIN, BRICK, BROADCAST_PACKAGE_REMOVED, BROADCAST_SMS, BROADCAST_STICKY, BROADCAST_WAP_PUSH, CALL_PHONE, CALL_PRIVILEGED, CAMERA, CHANGE_COMPONENT_ENABLED_STATE, CHANGE_CONFIGURATION, CHANGE_NETWORK_STATE, CHANGE_WIFI_MULTICAST_STATE, CHANGE_WIFI_STATE, CLEAR_APP_CACHE, CLEAR_APP_USER_DATA, CONTROL_LOCATION_UPDATES, DELETE_CACHE_FILES, DELETE_PACKAGES, DEVICE_POWER, DIAGNOSTIC, DISABLE_KEYGUARD, DUMP, EXPAND_STATUS_BAR, FACTORY_TEST, FLASHLIGHT, FORCE_BACK, GET_ACCOUNTS, GET_PACKAGE_SIZE, GET_TASKS, GLOBAL_SEARCH, HARDWARE_TEST, INJECT_EVENTS, INSTALL_LOCATION_PROVIDER, INSTALL_PACKAGES, INTERNAL_SYSTEM_WINDOW, INTERNET, KILL_BACKGROUND_PROCESSES, MANAGE_ACCOUNTS, MANAGE_APP_TOKENS, MASTER_CLEAR, MODIFY_AUDIO_SETTINGS, MODIFY_PHONE_STATE, MOUNT_FORMAT_FILESYSTEMS, MOUNT_UNMOUNT_FILESYSTEMS, PERSISTENT_ACTIVITY, PROCESS_OUTGOING_CALLS, READ_CALENDAR, READ_CONTACTS, READ_FRAME_BUFFER, READ_HISTORY_BOOKMARKS, READ_INPUT_STATE, READ_LOGS, READ_OWNER_DATA, READ_PHONE_STATE, READ_SMS, READ_SYNC_SETTINGS, READ_SYNC_STATS, REBOOT, RECEIVE_BOOT_COMPLETED, RECEIVE_MMS, RECEIVE_SMS, RECEIVE_WAP_PUSH, RECORD_AUDIO, REORDER_TASKS, RESTART_PACKAGES, SEND_SMS, SET_ACTIVITY_WATCHER, SET_ALWAYS_FINISH, SET_ANIMATION_SCALE, SET_DEBUG_APP, SET_ORIENTATION, SET_PREFERRED_APPLICATIONS, SET_PROCESS_LIMIT, SET_TIME, SET_TIME_ZONE, SET_WALLPAPER, SET_WALLPAPER_HINTS, SIGNAL_PERSISTENT_PROCESSES, STATUS_BAR, SUBSCRIBED_FEEDS_READ, SUBSCRIBED_FEEDS_WRITE, SYSTEM_ALERT_WINDOW, UPDATE_DEVICE_STATS, USE_CREDENTIALS, VIBRATE, WAKE_LOCK, WRITE_APN_SETTINGS, WRITE_CALENDAR, WRITE_CONTACTS, WRITE_EXTERNAL_STORAGE, WRITE_GSERVICES, WRITE_HISTORY_BOOKMARKS, WRITE_OWNER_DATA, WRITE_SECURE_SETTINGS, WRITE_SETTINGS, WRITE_SMS, WRITE_SYNC_SETTINGS

ACCOUNTS, COST_MONEY, DEVELOPMENT_TOOLS, HARDWARE_CONTROLS, LOCATION, MESSAGES, NETWORK, PERSONAL_INFO, PHONE_CALLS, STORAGE, SYSTEM_TOOLS
Granting Permissions
1. User tries to install App
2. Android asks User to grant permissions declared in App
3. Android allows privileged operations to App
Problem
• Clumsy Developers just declare too strong permissions!
• Users get inured to colorful warnings from most of the apps!
• Android “Permissions” won’t work against malware :’(
Idea
Provide static analysis tools to make permission declaration more precise!
• Developer tool for weakening or automating permissions declaration
• Distributor tool for detecting unnecessary declaration
Developer Tool
1. Analyze app’s source code in Java and XML
2. Estimate calls to protected
• APIs
• Activities
• Broadcast Receivers
• Background Services
3. Fill or minimize declared permissions
Distributor Tool
1. Analyze app’s Dalvik executable and XML in its packaged binary .apk
2. Estimate calls to protected
• APIs
• Activities
• Broadcast Receivers
• Background Services
3. Detect unnecessary permissions
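
The comparison both tools end with, as an added Python sketch (not code from the slides or from any ROPAS tool): estimate which permissions the code needs from its calls to protected APIs, then diff that set against the manifest's declarations. It works on Java source text as in the Developer Tool; the three-entry API-to-permission map, the sample manifest and source, and all function names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Hand-written sample map (assumption); a real tool needs a complete one.
PROTECTED_APIS = {
    ("SmsManager", "sendTextMessage"): "android.permission.SEND_SMS",
    ("Camera", "open"): "android.permission.CAMERA",
    ("Vibrator", "vibrate"): "android.permission.VIBRATE",
}
# Constructed sample inputs: an over-declaring manifest and a code fragment.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SOURCE = '''
SmsManager sms = SmsManager.getDefault();
sms.sendTextMessage("010-1234-5678", null, "hello!", pi, null);
Vibrator v = (Vibrator) getSystemService(Context.VIBRATOR_SERVICE);
v.vibrate(100);
// Camera.open() is only mentioned in this comment
'''

def declared_permissions(manifest_xml):
    """Permission names declared with <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def estimated_permissions(java_source):
    """Syntactic estimate: resolve `Type var` declarations, then look up each
    `receiver.method(` call. Reflection and aliasing are not handled."""
    code = re.sub(r"//[^\n]*|/\*.*?\*/", "", java_source, flags=re.S)
    var_type = {v: t for t, v in
                re.findall(r"\b([A-Z]\w*)\s+(\w+)\s*[=;]", code)}
    needed = set()
    for recv, method in re.findall(r"\b(\w+)\.(\w+)\s*\(", code):
        perm = PROTECTED_APIS.get((var_type.get(recv, recv), method))
        if perm:
            needed.add(perm)
    return needed

def audit(manifest_xml, java_source):
    """Diff estimated against declared permissions."""
    declared = declared_permissions(manifest_xml)
    needed = estimated_permissions(java_source)
    return {"missing": sorted(needed - declared),
            "unnecessary": sorted(declared - needed)}

if __name__ == "__main__":
    print(audit(MANIFEST, SOURCE))
```

With a map this small, "unnecessary" entries are only candidates for review: a permission may be required by a protected API, activity, receiver or service the map does not cover.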
Thank you