Harvesting Developer Credentials in Android Apps


Harvesting Developer Credentials in Android Apps
8th ACM Conference on Security and Privacy in Wireless and Mobile Networks, New York City, Jun 24-26
Yajin Zhou, Lei Wu, Zhi Wang, Xuxian Jiang
North Carolina State University, Florida State University, Qihoo 360
Presenter: Yue Chen

Apps are Becoming Popular

Third-party Services Require Authentication
(figure: each app sends an authentication request to the third-party service)

Protecting Developer Credentials is Hard
The Gmail account and its password are embedded as plaintext string constants, plainly visible in the disassembled (smali) code:
    .method public static SendMailInBackground
        new-instance v3, Lcom/pompeiicity/funpic/Email;
        const-string v7, "whav*****@gmail.com"
        const-string v8, "jea****"
        invoke-direct {v3, v7, v8}, Lcom/pompeiicity/funpic/Email;-><init>(Ljava/lang/String;Ljava/lang/String;)V
        ...
    .end method

Credential Leak is Dangerous
(figure: the leaked account "whav*****@gmail.com" / "jea****")

CredMiner: Mine Credentials from Apps
App Repo -> Select Candidate Apps -> Identify Data Sources -> Reconstruct Credentials -> Validate Credentials

Select Candidate Apps
Apps that use interesting libraries (i.e., libraries that accept plaintext credentials):
    JavaMail library
    Amazon AWS library
    ……

Identify Data Sources
    String _user, _passwd;
    _user = "edcba";
    _passwd = "54321";
    String user = new StringBuilder(_user).reverse().toString();
    String passwd = new StringBuilder(_passwd).reverse().toString();
    System.out.println("Authenticating...");
    return new PasswordAuthentication(user, passwd);
1. Locate sink methods (here, the PasswordAuthentication constructor).
2. Backtrack the credentials (backward slicing).
3. Find the source (here, the constant strings "edcba" and "54321").

Program Slicing Example
    String _user, _passwd;
    _user = "edcba";
    _passwd = "54321";
    String user = new StringBuilder(_user).reverse().toString();
    String passwd = new StringBuilder(_passwd).reverse().toString();
    System.out.println("Authenticating...");
    return new PasswordAuthentication(user, passwd);
Slicing backward from the PasswordAuthentication sink keeps only the statements the two credentials depend on; the unrelated println call drops out:
    String _user, _passwd;
    _user = "edcba";
    _passwd = "54321";
    String user = new StringBuilder(_user).reverse().toString();
    String passwd = new StringBuilder(_passwd).reverse().toString();
    return new PasswordAuthentication(user, passwd);

Backward Slicing
Dalvik bytecode is register-based.
Simple example (walking backward from the sink):
    Instruction                    Tracked registers
    v -> Interesting Library       v
    move v2, v                     v2
    move v3, v4                    (Ignored)
    const-string v2, "abcde"       (Done)
Generated program slice:
    const-string v2, "abcde"
    move v2, v
    v -> Interesting Library
Next page: a real-world example.

Reconstruct Credentials
Use an execution engine (in Python) to execute the program slice forward.
Create mock objects on demand to run the program slice.
(figure: Program Slice -> Execution Engine -> Plaintext Credentials)

Reconstruct Credentials
Emulated java.lang.StringBuilder.append(char) (code listing on slide)

Validate Credentials
Run the app in an Android emulator and monitor its execution.
Compare the run-time parameters to those recovered by CredMiner.
Monitor the interaction with remote servers.
(figure: Username, Password -> Login Succeed!)

Evaluation
Distribution of Collected Apps: (chart on slide)

Evaluation
Overall result:
    237 candidate apps use the JavaMail library.
    196 candidate apps use the Amazon AWS SDK.
    51.1% (121/237) and 67.3% (132/196) of these candidate apps are vulnerable.
Distribution of Vulnerable Apps: (chart on slide)

Evaluation – Email Credentials
121/237 (51.1%) are vulnerable; 11 of these apps have more than 50,000 downloads.
8/1404 malware samples are vulnerable as well! Only 2 of these malware samples protect their accounts with custom string encoding schemes.

Evaluation – Email Credentials
Case study: a popular app with more than 1,000,000 downloads.
JavaMail is used to send the PIN recovery email.
The email credential is obfuscated with AES, and the encrypted credential is encoded again in Base64.
The AES key is only encoded in Base64, and the initialization vector is simply a constant string, so anyone holding the APK can decrypt the credential.
The decrypted password is abc123**.

Evaluation – Email Credentials
Leaked credentials: Total vs. Valid (chart on slide)

Evaluation – Amazon AWS Credentials
Background: permanent credential? vs. (anonymous) token vending machine (TVM) issuing temporary credentials (diagram on slide)

Evaluation – Amazon AWS Credentials
Problem: misconfigured TVM servers fail to constrain the privilege of the temporary credential.
Result: 132/196 (67.3%) are vulnerable; 24% have more than 50,000 downloads.
Case study: one app from Google Play with more than 5,000,000 downloads. Because the temporary credential is not properly confined, an attacker is able to enumerate the UIDs and access other app users' files. (We created two accounts and conducted this experiment.)

Takeaway
Never embed developers' credentials in the app.
Use secure solutions from service providers correctly.
    > Insecure sample code provided by service providers can mislead developers. Use secure samples!
    > There are no clear instructions about how to use the SDKs securely. Simple, clean, and secure documents!
A secure default configuration of the services!

Thank you! Q&A

Backup Slides

Program Slicing Example
    int i;
    int sum = 0;
    int product = 1;
    for(i = 1; i < N; ++i) {
        sum = sum + i;
        product = product * i;
    }
    write(sum);
    write(product);
Slicing with respect to write(sum) keeps only the statements that can affect sum:
    int i;
    int sum = 0;
    for(i = 1; i < N; ++i) {
        sum = sum + i;
    }
    write(sum);

Identify Data Sources
(figure) Source strings: Username: edcba, Password: 654321 -> Reverse() -> values reaching the interesting library: Username: abcde, Password: 123456
1. Locating sink methods (the call into the interesting library)
2. Backtracking credentials (through Reverse())
3. Finding source methods (where the constant strings are defined)