Target Fragmentation in Android Apps

Slides:



Advertisements
Similar presentations
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Advertisements

LeadManager™- Internet Marketing Lead Management Solution May, 2009.
© Leaf Solutions, LLC. All Rights Reserved What’s New in Everett Microsoft.Net V1.1.
Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.
Chromium OS Chase Rogers. User Interface Unobtrusive Use small amount of screen space Combine apps and web pages into one tab strip Floating Windows Search.
An Evaluation of the Google Chrome Extension Security Architecture
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna.
Security of Mobile Applications Vitaly Shmatikov CS 6431.
ANDROID PROGRAMMING MODULE 1 – GETTING STARTED
SharePoint is only an application so it has to run on top of Windows Server Windows 2008 R2 SP1 or Windows 2012 Standard, Enterprise, or Data Center Still.
Incident Response Updated 03/20/2015
Byron Alleman Will Galloway Jesse McCall. Permission Based Security Model Users can only use features for which their permissions grant them access Abstracts.
Android for Java Developers Denver Java Users Group Jan 11, Mike
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/
2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.
ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.
Webview and Web services. Web Apps You can make your web content available to users in two ways in a traditional web browser in an Android application,
Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.
 Android OS: Java  iOS: Objective C NSArray * foo = [[NSArray alloc]
Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.
Privilege Escalation Two case studies. Privilege Escalation To better understand how privilege escalation can work, we will look at two relatively recent.
How to Enable Account Key Sign Instead Of Password In Yahoo? For more details:
CS 155 Spring 2016 Mobile Malware John Mitchell.
Mobile Device and Platform Security – Part II
Tips for using Java with Internet Explorer
What is Information Security?
SharePoint 101 – An Overview of SharePoint 2010, 2013 and Office 365
IT Security Awareness Day October 19, 2016
BUILD SECURE PRODUCTS AND SERVICES
Lesson 19: Configuring and Managing Updates
Introducing, Installing, and Upgrading Windows 7
More Security and Programming Language Work on SmartPhones
Understanding Android Security
CSE Retargeting to AE, IPE, and NoDN Hosted Resources
Software Packaging and Releasing
Android System Security
How to Install Aptoide Apk on Android
Overview – SOE PatchTT December 2013.
APK Downloader
MOA Delta Mobile OA Installation Guide 2015/12/16.
5.0 : Windows Operating System
Multiprocessor Cache Coherency
Whether you decide to use hidden frames or XMLHttp, there are several things you'll need to consider when building an Ajax application. Expanding the role.
Introduction to Computers
Introduction With TimeCard users can tag SharePoint events with information that converts them into time sheets. This way they can report.
How to Fix Windows 10 Update Error 0x ?.
Microsoft Inspire 9/17/2018 2:10 PM Proactive Insights
MonoGame and Windows 8.
Ways to Secure CMS Websites. The most widely used Content Management Systems are Wordpress, Joomla and Drupal as per statistics. The highest CMS platforms.
Contact Norton Antivirus | Norton Antivirus Support UK
Nessus Vulnerability Scanning
Web Penetration Testing and Ethical Hacking Capture the Flag
Developing and Supporting Apps in Windows as a Service (WaaS)
Analyzing WebView Vulnerabilities in Android Applications
CNA Processes CVE Team.
Microsoft Ignite NZ October 2016 SKYCITY, Auckland.
Chapter 2: The Linux System Part 2
Using K2 applications How can users interact with K2 applications?
HAPPY NEW YEAR! Lesson 7: If-statements unplugged
Backup and restoration of data, redundancy
What's in an Ad? Connor Leonhardt.
SharePoint Online Authentication Patterns
Mobile Device and Platform Security – Part II
Understanding Android Security
Buffer Overflow Slide Set #7 Textbook Chapter 10 Clicker Questions
Vulnerability in an Android App I Found last November - Attack and Countermeasure - Ken Okuyama Sony Digital Network Applications.
Protecting Browsers from Extension Vulnerabilities
Presentation transcript:

Target Fragmentation in Android Apps Patrick Mutchler John Mitchell Yeganeh Safaei Adam Doupe

Takeaways Android apps can run using outdated OS behavior - The large majority of Android apps do this - Including popular and well maintained apps Outdated security code invisibly permeates the app ecosystem - “Patched” security vulnerabilities still exist in the wild - “Risky by default” behavior is widespread

Roadmap What is target fragmentation? Target fragmentation statistics Security consequences Outline

Roadmap What is target fragmentation? Target fragmentation statistics Security consequences

Android Developer Reference “If the device is running Android 6.0 or higher… [the app] must request each dangerous permission that it needs while the app is running. Android Developer Reference Story to explain why targetSdkVersion exists. Requiring code changes to run on new OS versions hurts forwards compatibility.

Android Developer Reference “If the device is running Android 6.0 or higher and your app's target SDK is 6.0 or higher [the app] must request each dangerous permission that it needs while the app is running. Android Developer Reference Story to explain why targetSdkVersion exists. Requiring code changes to run on new OS versions hurts forwards compatibility.

Android Developer Reference “If the [operating system version of the device] is higher than the version declared by your app’s targetSdkVersion, the system may enable compatibility behaviors to ensure that your app continues to work the way you expect.” Android Developer Reference Describe targetSdkVersion design Not all old code is used.

Roadmap What is target fragmentation? Target fragmentation statistics Security consequences Set up outdatedness here!

Dataset 1,232,696 Android Apps Popularity, Category, Update, and Developer metadata Collected between May 2012 and Dec 2015 Broken into five datasets by collection date

How do we measure outdatedness? Describe targetSdkVersion design Not all old code is used.

Outdatedness Android 5.0 Released Android 5.1 Released App Collected We aren’t just concerned with whether an app is out of date. We are concerned with how out of date that app is. Define outdatedness.

Cumulative distribution of outdatedness for apps collected in December 2015 8% of apps target the most current version (6.0, released in October) 50% of apps target versions at least 500 days out of date 20% of apps target versions at least 1000 days out of date

Cumulative distributions for different install counts. Apps installed 10m times are a bit better but target fragmentation is still a severe problem. Fewer than 20% target 6.0. 80th percentile is still about two years out of date.

Compare two datasets, each collected two months after an OS release. Curves track pretty closely, suggesting that we aren’t just seeing weird behavior with 6.0 right now. TODO - relabel dataset names in the legend

What causes outdatedness? Describe targetSdkVersion design Not all old code is used.

Negligent Outdatedness App Updated Android 5.0 Released Android 5.1 Released Android 6.0 Released App Collected Lets be even more generous and account for stale apps on the app store. Define negligent outdatedness

Compare negligent outdatedness and outdatedness curves Compare negligent outdatedness and outdatedness curves. Shows that stale apps are not the primary cause of outdatedness.

Silver Lining Describe targetSdkVersion design Not all old code is used.

A small silver lining Describe targetSdkVersion design Not all old code is used.

Roadmap What is target fragmentation? Target fragmentation statistics Security consequences Outline

Extra.SHOW_FRAGMENT “Attacked Fragment” Fragment Injection Vulnerable App PreferenceActivity Attacked Fragment Malicious Intent Extra.SHOW_FRAGMENT “Attacked Fragment” Extra.SHOW_FRAG_ARG Data Other Extras securityintelligence.com/new-vulnerability-android-framework-fragment-injection/ Introduce and explain fragment injection attack

Fragment Injection Fixed in Android 4.4 Developers implement isValidFragment to authorize fragments // Put this in your app protected boolean isValidFragment(String fName){ return MyFrag.class.getName().equals(fName); } Describe the solution for fragment injection. Fixed on Sep 3rd 2013. But what happens when you don’t implement isValidFragment?

Fragment Injection Vulnerable if: - Targets 4.3 or lower (31%) - Some class inherits from PreferenceActivity (4.8%) - That class is exported (1.1%) - That class does not override isValidFragment (0.55%) 4.2% of apps vulnerable if no fix was ever implemented Vulnerability rates. The “fix” has only reduced the vuln rate to 20% of what it would be if no fix was ever implemented.

Mixed Content in WebView Define mixed content and explain what webview is.

Mixed Content in WebView Major web browsers block Mixed Content In Android 5.0, WebViews block Mixed Content by default Can override default with setMixedContentMode() Explain mixed content changes

We cannot directly measure the number of “vulnerable” apps that allow mixed content because it is possible to do so safely. Instead we try to understand the number of apps that “accidentally” allow mixed content.

Assume that the % of apps that want to allow mixed content is constant Red bar are apps that allow mixed content unnecessarily Red bar represents 18% of apps from December

Recap Android apps can run using outdated OS behavior - The large majority of Android apps do this - Including popular and well maintained apps Outdated security code invisibly permeates the app ecosystem - “Patched” security vulnerabilities still exist in the wild - “Risky by default” behavior is widespread Big takeaways from this paper Make third point into a sentence Make this last point punchier

SOP for file: URLs in WebView In Android 4.1 separate file: URLs are treated as unique origins Can override with setAllowFileAccessFromFileURLs()

Difference is 64%. 15% of apps target <16 9.6% of all apps

Difference is 64%. 15% of apps target <16 9.6% of all apps You can see this going two ways: One is that developers who use Feature X are more likely to retarget when a security change comes to Feature X One is that developers who use Feature X are *less* likely to retarget when a change comes to Feature X because it breaks their code Apps that use PreferenceActivity target 19+ 66% of the time while the general population targets 19+ 69% of the time. Apps that use WebView... Apps that export Content Providers

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.