Information Flow Analysis for Mobile Applications Banson Tong Mohammad Ghasembeigi Supervisor: Yulei Sui Assessor: Jingling Xue.

1 Information Flow Analysis for Mobile Applications Banson Tong Mohammad Ghasembeigi Supervisor: Yulei Sui Assessor: Jingling Xue

2 Download Slides bit.ly/infoflowanalysis

3 Introduction

4 The Problem
- Focus on Android
- Dominates market share in every region globally (60.99% over iOS 31.76%) (netmarketshare, 2016)
- Current developments (R&D) all target Android OS
- A recent test revealed that 15 of 30 randomly selected, free apps from the Play Store leak sensitive data (Network World, 2010)
- Users have limited control with permissions
- Must blindly trust app usage of sensitive data
- 20% of Android apps seek access to sensitive data (SMobile, 2010)
- Sensitive data is leaked!

5 Literature Review

6 Literature
- Research papers
  - M. Egele, D. Brumley, Y. Fratantonio, and C. Kruegel, “An empirical study of cryptographic misuse in android applications,” in Proceedings of the ACM Conference on Computer and Communications Security. ACM, 2013
  - Wolf, D.S.L., Surreptitious Sharing on Android
- Security blogs
- Official Android Blog/Android mailing list
- Official analysis tool sites/tool publications
- Vulnerability tracker sites
- CVE Details
- Android official site

7 Current Developments

8 FlowDroid
- Static taint analysis tool
- Utilises a complete model of the OS’s life cycle and callbacks
- Source-to-sink analysis method
- Focuses on intra-component data flow
- Open source
- Well known across all static analysis tools
- Widely used as a foundation for new emerging tools
- Paderborn University and TU Darmstadt
- https://blogs.uni-paderborn.de/sse/tools/flowdroid/

9 SuSi (Sources and Sinks)
- Used as an API by other taint checking tools (like FlowDroid)
- Can generate sources and sinks by inspecting the Android OS
- Works with any version of Android
- High precision when compared to manually generating sources and sinks (92% precision)
- Tool is trained on a set of pre-classified apps
- Uses a supervised machine learning approach
- Can be used to find missed taints
- Combined with extensive manual source/sink checking, can produce very high precision (99%+)
- Open source and maintained regularly
- Paderborn University and TU Darmstadt
- https://blogs.uni-paderborn.de/sse/tools/susi/

10 Amandroid
- Also a static analysis tool
- Does perform flow analysis on inter-component communications
- Other distinct analysis capabilities:
  - User password flow tracking
  - Intent injection detection
  - Crypto API misuse checking
- Open source
- Argus Laboratory (USF) and SAnToS Laboratory (Kansas State)
- http://amandroid.sireum.org/

11 DroidSafe
- Another static analysis tool
- Designed to remove malicious code from Android applications
- Utilizes the same source-to-sink method as FlowDroid
- Open source
- MIT (Project Leader: Michael Gordon)
- http://mit-pac.github.io/droidsafe-src/

12 IC3
- Successor to Epicc (Effective and Precise ICC)
- Fundamental to analysis tools focusing on ICC (inter-component communication)
- Aims to effectively connect components between applications
- Differs from other ICC analysis tools, which analyse entry and exit points
- IC3 is more precise than Epicc but comes at the cost of being slower
- SIIS Laboratory (Penn. State University)
- http://siis.cse.psu.edu/ic3/index.html

13 DidFail
- One of the many tools that combines tools
- Utilizes FlowDroid for the intra-component flow analysis
- Utilizes Epicc for both inter component data flows
- Carnegie Mellon University
- https://www.cert.org/secure-coding/tools/didfail.cfm

14 DroidBench
- A universal benchmark for all static analysis tools
- Benchmarks against a collection of faulty applications
- Test cases include:
  - Data leakages
  - False positives
  - Safe applications
  - Others
- Developers of FlowDroid
- Paderborn University and TU Darmstadt
- https://blogs.uni-paderborn.de/sse/tools/droidbench/

15 Focus

16 Focus
- Focus on vulnerabilities that potentially lead to leakage of sensitive data
  - User passwords
  - User details
  - User activity
  - And so on
- Main focuses so far:
  - Flow leakage: Static Analysis, Dynamic Analysis
  - App translation
  - API misuse
  - Intent injection
  - Fundamental bugs

17 Information Flow Leakage Mohammad Ghasembeigi

18 Android OS
- Android 4.4 (KitKat) is still the dominant Android version (February 2016, Google Reports)
- 35.5% of all Android devices that visit Google Play
- Majority of analysis work is done on Android 4.4
- Lots of tools rely on the Dalvik VM (or extend the Dalvik VM)
- Android 5.0 replaces Dalvik with Android Runtime (ART)
- Offers various performance improvements (notably battery life)
- Most analysis tools are incompatible with Android 5.0
- Minor focus areas:
  - Exploring non-efficient patterns (code)
  - Detecting energy-intensive (battery-draining) activities

19 Static Analysis
- Primary method for detecting Information Flow Leakage
- Used in almost all flow analysis tools
- Generally involves tracking information as it flows from a source to a sink
  - Source - Android API call that injects sensitive information
  - Sink - Android API call that may leak sensitive information
- Pros:
  - Effective (high precision)
  - Can scan entire codebase (high recall)
  - Automated and relatively fast
- Cons:
  - False positives/False negatives
  - Vulnerabilities introduced in the runtime environment not found!

20 Source-to-Sink Example Source: FlowDroid, https://blogs.uni-paderborn.de/sse/tools/flowdroid/
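
The source-to-sink idea from slides 19 and 20, as an added example that is not part of the original slides and is not FlowDroid's algorithm: a flow-sensitive forward taint pass over a constructed straight-line program. The tuple format, the `PROGRAM` contents and the `find_leaks` name are assumptions made for the illustration; the Android API names are used only as source and sink labels.

```python
# Source and sink labels (real Android API names, used here only as strings).
SOURCES = {"TelephonyManager.getDeviceId"}
SINKS = {"SmsManager.sendTextMessage", "Log.d"}

# Constructed program. Each statement is (line, op, target, args):
#   "call":   args = (api, arg1, ...), target receives the result (or None)
#   "assign": target is derived from every variable in args
#   "const":  target is set to a literal
PROGRAM = [
    (1, "call",   "imei",  ("TelephonyManager.getDeviceId",)),  # source
    (2, "const",  "label", ("id=",)),
    (3, "assign", "msg",   ("label", "imei")),    # msg = label + imei
    (4, "const",  "imei",  ("redacted",)),        # overwrite removes the taint
    (5, "call",   None,    ("Log.d", "imei")),    # clean: imei was overwritten
    (6, "call",   None,    ("SmsManager.sendTextMessage", "msg")),  # leak
]

def find_leaks(program, sources=SOURCES, sinks=SINKS):
    """Return (sink_line, sink_api, source_line) for every tainted sink argument."""
    taint = {}   # variable -> line of the source call its value derives from
    leaks = []

    def update(target, origins):
        # Strong update: the target takes the taint of its inputs, or becomes clean.
        if origins:
            taint[target] = origins[0]
        else:
            taint.pop(target, None)

    for line, op, target, args in program:
        if op == "const":
            update(target, [])
        elif op == "assign":
            update(target, [taint[a] for a in args if a in taint])
        elif op == "call":
            api, call_args = args[0], args[1:]
            tainted = [taint[a] for a in call_args if a in taint]
            if api in sinks:
                leaks += [(line, api, origin) for origin in tainted]
            if target is not None:
                update(target, [line] if api in sources else tainted)
    return leaks

if __name__ == "__main__":
    for sink_line, api, source_line in find_leaks(PROGRAM):
        print(f"line {sink_line}: {api} receives data from source at line {source_line}")
```

The `Log.d` call at line 5 is not reported because the pass is flow-sensitive; an analysis that ignored statement order would flag it, which is one origin of the false positives listed under "Cons".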

21 Dynamic Analysis
- TaintDroid (joint study by Intel Labs, Penn. State, and Duke University)
- http://www.appanalysis.org/
- Extension to the Android 4.x Dalvik VM
- Requires custom firmware to run
- Involves tracking tainted data in real time
- Data that is sent over the network or leaves the system is logged
- User is alerted of such activity (notification)
- DEMO: https://www.youtube.com/watch?v=qnLujX1Dw4Y
- End goal is to create a privacy interface
- Allows users to configure privacy settings (as a whole)
- Allows users to control data usage per application
- Essentially a ‘privacy’ firewall for your phone

22 RoboVM
- Can translate Android apps into iOS apps (Java bytecode to native ARM/x86)
- Used to be open source but is now commercial (boo!)
- Area that is picking up popularity quickly
- Promotes cross-platform rather than native app development
- Questions:
  - Is behaviour consistent across devices?
  - Are vulnerabilities platform specific?
  - What are the risks involved?
- Discontinued as of 15th April 2016
- Microsoft acquires parent company Xamarin
- Plans to combine Xamarin (similar tool with additional cloud testing platform) and RoboVM

23 Bugs and Vulnerabilities Banson Tong

24 Crypto API Misuse
- Arises when developers do not implement their crypto API correctly
- The default encryption mode - AES ECB
- Not completely secure - Conditional
- Can reveal plaintext information (length)
- Attackers exploit this insecure encryption in their applications
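
A check for the default-mode pitfall on slide 24, as an added example that is not part of the original slides or of any tool they mention: it scans Java source text for `Cipher.getInstance` calls whose transformation string selects AES in ECB mode, either explicitly or by naming only the algorithm. The sample source, the verdict labels and the function names are constructed for the illustration, and only string-literal arguments are handled.

```python
import re

# Matches Cipher.getInstance("<transformation>") with a string-literal argument.
GET_INSTANCE = re.compile(r'Cipher\.getInstance\(\s*"([^"]+)"')

def classify(transformation):
    """Return 'ecb-default', 'ecb-explicit' or None for a JCA transformation string."""
    parts = transformation.upper().split("/")
    if parts[0] != "AES":
        return None
    if len(parts) == 1:
        # Algorithm name only: the provider chooses mode and padding,
        # and the stock Java and Android providers choose ECB.
        return "ecb-default"
    if parts[1] == "ECB":
        return "ecb-explicit"
    return None

def scan(source):
    """Return (line_number, transformation, verdict) for each flagged call."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # skip single-line comments
        for match in GET_INSTANCE.finditer(line):
            verdict = classify(match.group(1))
            if verdict:
                findings.append((lineno, match.group(1), verdict))
    return findings

# Constructed sample input, not taken from a real application.
SAMPLE = '''\
Cipher a = Cipher.getInstance("AES");
Cipher b = Cipher.getInstance("AES/ECB/PKCS5Padding");
// Cipher old = Cipher.getInstance("AES");
Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
Cipher d = Cipher.getInstance("AES/CBC/PKCS5Padding");
'''

if __name__ == "__main__":
    for lineno, transformation, verdict in scan(SAMPLE):
        print(f"line {lineno}: {transformation!r} -> {verdict}")
```

The first finding is the one developers tend to miss, because the string never mentions ECB.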

25 Intent Injections
- An Intent is basically a command
- Used to activate activities, services etc.
- Exploits vulnerable apps when they are expecting an Intent from the OS
- Malicious applications send Intents to the vulnerable application
- Results:
  - Unwanted launch of activities and services
  - Access to private data (logins, payment data, etc.)

26 Surreptitious Sharing
- Exploits the Intent API
- Android uses Uniform Resource Identifiers (URI) - pointer to actual storage location
- Media/file sharing applications
- Attack vectors:
  - Malicious app can fake a crash and use a “report bug” button that starts a malicious Intent crafted for an email client with the URI pointing to a private file of this email app
  - Malicious app can fake a “share” button which can send a URI pointing to a private file over a messenger application disguised as another file

27 Integer Overflows
- Quite hard to achieve in Java
- Attack vectors aimed more at system libraries
- Written in C/C++
- Allows attacker to corrupt heap memory
- Can result in major security vulnerabilities such as
  - Inserting malicious code into application
  - Elevating permissions of attacker
- Most recent major security vulnerabilities
  - Stagefright

28 An AOSP library
- Built in C++
- Integer overflow exploitable
- Used to play media files (mp4, etc.)
- Attackers send crafted MMS messages to target
- Able to gain remote control or execute malicious code
- Further details:
  - CVE-2016-1621
  - CVE-2016-0815

29 Other notable vulnerabilities
- Certifi-gate vulnerability
- Exploits the mobile Remote Support Tools (mRST) system
- Validation of remote support application exploitation
- mRST is preloaded by manufacturers, making it hard to patch
- Masquerade as original remote support to elevate permissions -> full control
- Further details:
  - CVE-2016-0827
  - CVE-2016-0826

30 Future Plans

31 What’s next?
- Conduct a thorough (independent) analysis of each tool
- Each tool claims to be the best (biased)
- Use apk files with known vulnerabilities (450+ documented apps provided by IccTA to researchers)
- Document and provide a technical analysis for each tool (to identify strengths and weaknesses of each tool)
- Continue experimenting with tools on our test phone (running Android 4.4.4)
- Allows us to learn how to install/use each tool
- Continue reviewing open source code
- Allows us to learn about techniques shared across tools
- Continue reviewing literature
- Explains the tools’ open source code and methodologies
- New publications and technical reports are often released every 2-3 months

32 Mohammad
- Explore Xamarin and the benefits of cross-platform programming
- Build a module on top of TaintDroid to add configurable privacy settings
- Development started but halted now
- Build a FlowDroid module
- Improve precision compared to latest branch
- Target common vulnerabilities
- Keep recall consistent
- Contribute to Amandroid
- Challenges listed here: https://github.com/sireum/amandroid/blob/master/CHALLENGE.md

33 Banson
- Explore Xamarin and bugs/vulnerabilities that arise from app translation
- Create customised ‘test’ Android apps to target specific vulnerabilities
- Explore recent additions to the Play Store
- Analyse apps using a variety of tools
- Perform manual source code analysis to find missed taints/bugs
- Explore malicious apps
- Learn how malicious apps circumvent static analysis and dynamic analysis
- Propose a technique to stop such apps (i.e. flag various API calls as suspicious)

34 Questions and Answers

35 Thank you for coming

