Motivation. Part of Deutsche Telekom project:

Presentation transcript:

Remote backup and recovery service for Android device owners
Company: Deutsche Telekom
Academic advisor: Yuval Elovici
Technical advisor: Assaf Shabtai
Project Team: Limor Segev, Eran Frieman, Carmel Karni

Motivation. Part of Deutsche Telekom project:
- Backup and restore users’ Android terminals
- Remote monitoring and offline analysis of Android application

Problem Domain
An Android OS could be attacked by hackers:
- Open platform
- Users will access the Internet intensively
- Everyone can develop applications for Android

Problem Domain Cont.
A successful attack on Android devices may:
- Expose private information
- Prevent T-Mobile customers from using T-Mobile services
- Flood T-Mobile’s customer service infrastructure and personnel
No easy way exists to “fix” mobile devices, and especially Android.

Scope and Purpose. Backup and restore users’ Android terminals:
- Develop a platform that will back up Android terminals and restore the “last good snapshot” on demand.
- Backup of customers’ installed applications.
- Backup of applications must always be on a remote server.

Current Situation
Backup is possible for:
- Documents
- Media files
Not for application files

The Solution
- Back up application files on a remote server
- Manage DB at server + allow security operations
- Enable restoration of the phone’s last stable status

System Architecture (diagram: Customer’s Android device, Internet, Server, Storage)
1. Downloading and installing a new application
2. System’s agent sends the new application files (apk) to the external server
3. Sending the new application files (apk) to the storage server with additional information to enable restoring users’ systems
4. Backed-up application
5. Threat detection system checks files and alerts the server about threats

System Architecture (diagram: Customer’s Android device, Internet, Server, Storage)
Slide footer: 13.08.2007, Author / Topic of the presentation
Threat detection system checks apks with status “UNCHECKED”
2. Sending analysis result: “malicious application”
3. Sending an alert to the user

System Architecture (diagram: Internet, Storage, Server, NetShield Analysis Server)

System Architecture Cont.
The system includes 4 major components:
- Agent
- Server (which runs a threat detection system)
- Data Base
- Remote Desktop Client for reports

Main Functional Requirements
Agent:
- Registration
- Login
- Monitor
- Send Application Files
- Change Device Backup Status
- Displaying Device Backup Status
- Server Updates / Warnings
- Display List of Applications
- Receive Application Files
- Display List of Received Files
- Restore application
- Handle Disconnections

Main Functional Requirements
Server + Agent Management:
- Add/Remove/Update Agent
- Handling Registration Requests
- Handling Login Requests
- Receive and Store Files
- Send Updates / warnings / confirmations
- Verify Data Integrity
- Receive and Store Data
- Send Information and Files
- Enable scanning of files

Main Functional Requirements
Management:
- Manager Login
- Produce Reports
Deployment and Installation:
- Agent Software Installation

Main Functional Requirements
System View:
- Main Menu View
- Configuration view
- Login view
- Registration view
- Recovery view
- Applications List View

Non-Functional Requirements
Speed, Capacity & Throughput: Ninety-five percent of all backup transactions will be completed within 10 seconds. The agent will use up to 20% of the CPU.
Reliability: Support data recovery, including transmission-error detection and correction.
Portability: The client side is dedicated to the Android OS.

Non-Functional Requirements
Usability: Extremely user-friendly. Does not require constant maintenance by the user. Possibility to configure most of the system operations to be done automatically.
Safety & Security: The information sent between the server and the agents will be encrypted.
Availability: The server will be active at all times, waiting for agents’ requests or notifications from the Threats Detection System.

High level use cases view of the system

Use case: Install and Register
Use Case ID: 1
Primary Actor: Owner (User)
Brief Description: The user registers to the server (including a login)
Trigger: The user installs the system application
Preconditions: The server is active
Flow of Events (Actor / System):
1. The user downloads the application
2. Auto installs itself on the device
3. Asks the user for registry data: Name, password
4. Enters the relevant details and confirms
5. Agent sends the data to the server
6. The server writes the data to the database
7. The server sends confirmation to the user and logs him in.
Post-conditions: The new user is registered to the system, i.e. his details were written to the db.
Alternative flows and exceptions:
6.a - The user is already registered and wants to recover his device - The system performs login - The server sends the appropriate files
6.b - The user name that was entered already exists in the database. - The server notifies the user and asks for a new user name

Use case: Install and Register

Use case: Login
Use Case ID: 2
Primary Actor: Owner
Brief Description: The owner logs in to the server
Trigger: The owner asks to log in
Preconditions: The application is installed on the device
Flow of Events (Actor / System):
1. User hits the login button
2. The agent asks the user for a username and password
3. Enters the relevant details and confirms
4. Agent sends the data to the server
5. The server confirms username and password using the DB
6. Server sends confirmation to the agent
7. Agent informs the user that he is logged in
Post-conditions: The user is logged in
Alternative flows and exceptions:
1.a - An automatic login occurs - All the relevant data is saved by the agent, the user takes no part in the process

Use case: Login

Use case: Intercept Install Event
Use Case ID: 3
Primary Actors: Owner
Brief Description: The Agent detects that a new app has been installed and asks the user if he wants to back it up. If so, it sends the appropriate files to the server.
Trigger: The user installed a new application.
Preconditions: The Agent is enabled.
Flow of Events (Actor / System):
1. Install an application.
2. Agent identifies the installation
3. Agent asks the owner whether to back up the application
4. Confirms the backup.
5. Agent collects relevant data and files
6. Agent sends apk signature to the server along with implicit login
Post-conditions: The application has been installed and was backed up on the server.
Alternative flows and exceptions:
4.a The user decides not to back up the app; the app is not backed up.

Use case: Intercept Install Event

Use case: Backup Application
Use Case ID: 4
Primary Actors: Server
Brief Description: The server receives an application signature from the agent and checks if the files already exist in its database. If not, the server gets the apk data and saves it. The server then adds the appropriate records to its database.
Trigger: Agent sends apk signature to the server (including implicit login)
Preconditions: The Agent is enabled, the server is active
Flow of Events (Actor / System):
1. Server searches for the apk signature in the database
2. Server doesn't find the app in the database.
3. Agent sends apk file and data to the server
4. Server stores application data in the db, and updates the application data to be "UNCHECKED"
5. Server sends confirmation to the agent
6. Agent informs the user of a successful backup.
Post-conditions: The application has been backed up on the server.
Alternative flows and exceptions:
3.a The app exists in the database. The server just updates the user backup information without receiving files from the agent.

Use case: Backup Application

Use case: Hand-set Recovery
Use Case ID: 5
Primary Actors: User
Brief Description: The user decides to recover a specific app. The agent receives the appropriate files from the server and then performs a recovery.
Trigger: The user asked to perform a recovery.
Preconditions: The applications designated to be recovered have a backup on the server.
Flow of Events (Actor / System):
1. Asks to do a recovery.
2. The agent performs login, and asks for applications list
3. Device is reverted to the factory settings.
4. A list of applications that have backups is presented to the user.
5. Chooses specific apps to be recovered
6. Agent asks for specific apps from the server.
7. Server sends relevant applications and data
8. Agent sends confirmation to the server
9. Agent performs recovery of the desired apps.
10. Agent informs the user of a successful recovery.
Post-conditions: The applications have been recovered.
Alternative flows and exceptions:
5.a The agent receives a corrupted file from the server (e.g. due to connection problems). The agent requests that the server resend the information.

Use case: Hand-set Recovery

Use case: Handle Android Malware Detection
Use Case ID: 6
Primary Actor: Threats detection application, owner
Brief Description: The Threats detection system detects an infection in a specific application stored on it.
Trigger: The threats detection system runs threats detection software, which detected an infection in an application and notified the agent about it.
Preconditions: The Threats detection system is active, server is active and the database contains applications.
Flow of Events (Actors / System):
1. Sends a notification about an infected application
2. Server finds the infected application id inside the database (according to its status – "INFECTED")
3. Locates all device owners' ids which installed this application
4. The server adds the application details to the malicious applications table
5. Sends notification to all of the relevant device owners, instructing them to recover their device to previous state.
6. The server asks the device owners if they want the malicious application to be on their recovery list for future recoveries
Post-conditions: All of the relevant device owners received a notification about the threat that was detected. The device owners choose whether or not to keep the malicious application in their recovery lists. The infected application was documented and handled by the server.

Use case: Handle Android malware detection
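The server-side logic of use cases 4 to 6 (signature lookup before upload, the "UNCHECKED" and "INFECTED" statuses, owner notification and the recovery list), modelled as an added example that is not the project's code. It assumes the "apk signature" is a SHA-256 digest of the apk file; the table names, the CLEAN status and the keep_infected flag are hypothetical.

```python
import hashlib
import sqlite3

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE apps(sig TEXT PRIMARY KEY, apk BLOB, status TEXT);
        CREATE TABLE backups(owner TEXT, sig TEXT, keep_infected INTEGER DEFAULT 0,
                             PRIMARY KEY(owner, sig));
        CREATE TABLE malicious_apps(sig TEXT PRIMARY KEY);
    """)
    return db

def link(db, owner, sig):
    db.execute("INSERT OR IGNORE INTO backups(owner, sig) VALUES(?, ?)", (owner, sig))

def offer(db, owner, sig):
    """Use case 4, steps 1-2 and 3.a: the agent sends only the signature first."""
    if db.execute("SELECT 1 FROM apps WHERE sig=?", (sig,)).fetchone():
        link(db, owner, sig)          # 3.a: file already stored, record the backup only
        return "ALREADY_STORED"
    return "SEND_FILE"

def upload(db, owner, sig, apk):
    """Steps 3-4: store the file as UNCHECKED, but only if it hashes to sig.
    Without this check one agent could plant arbitrary bytes under a signature
    that other owners would later restore."""
    if hashlib.sha256(apk).hexdigest() != sig:
        return "REJECTED"
    db.execute("INSERT OR IGNORE INTO apps VALUES(?, ?, 'UNCHECKED')", (sig, apk))
    link(db, owner, sig)
    return "STORED"

def report_scan(db, sig, malicious):
    """Use case 6: record the verdict and return the owners to notify."""
    status = "INFECTED" if malicious else "CLEAN"   # CLEAN is an assumed status name
    db.execute("UPDATE apps SET status=? WHERE sig=?", (status, sig))
    if not malicious:
        return []
    db.execute("INSERT OR IGNORE INTO malicious_apps VALUES(?)", (sig,))
    rows = db.execute("SELECT owner FROM backups WHERE sig=? ORDER BY owner", (sig,))
    return [r[0] for r in rows]

def recovery_list(db, owner):
    """Use case 5: INFECTED apps are offered only if the owner chose to keep them."""
    rows = db.execute(
        "SELECT a.sig FROM backups b JOIN apps a ON a.sig = b.sig "
        "WHERE b.owner=? AND (a.status != 'INFECTED' OR b.keep_infected = 1) "
        "ORDER BY a.sig", (owner,))
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = open_store()
    apk = b"constructed sample apk bytes"           # constructed input
    sig = hashlib.sha256(apk).hexdigest()
    print(offer(db, "alice", sig), upload(db, "alice", sig, apk))
    print(offer(db, "bob", sig), report_scan(db, sig, True), recovery_list(db, "bob"))
```

Because stored files are shared between owners by signature, the hash check in upload is what keeps one compromised agent from poisoning every other owner's restore.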

Use case: Manager Login
Use Case ID: 7
Primary Actor: System Manager
Brief Description: The manager logs in to the server in order to get the information stored
Trigger: The manager asks to log in
Preconditions: The server is active, the GUI application is on.
Flow of Events (Actor / System):
1. Manager hits the login button
2. The server asks the manager for a username and password
3. Enters the relevant details and confirms
4. The server confirms username and password using the DB
5. Server sends confirmation to the GUI
Post-conditions: The manager is logged in
Alternative flows and exceptions:
4.a - The server finds that the login data does not match the data stored inside the database - The server notifies the user and goes back to step 2.

Use case: Manager Login

Use case: Produce Reports
Use Case ID: 8
Primary Actor: System Manager
Brief Description: The system manager asks the server to produce reports based on the data stored in the database. The reports could include: owners data, application data, roll-back data.
Trigger: The system manager asks for a report
Preconditions: The system manager started the server GUI application.
Flow of Events (Actors / System):
1. Sends a request to produce report with query data
2. Server uses the query data and gets the desired information
3. Server displays the requested report
Post-conditions: The desired report is presented

Use case: Produce Reports

System Constraints
Platform constraints: Eclipse IDE
SE project constraints: If a device is unavailable, we will have to work on an emulator. If there is no threat detection program, we will build a simulation of one.

Risks
The system that we are developing requires root permissions on the Android OS, which are not granted by default.
The solution: There are known methods that will allow us to get root privileges.

The End