Presentation is loading. Please wait.

Presentation is loading. Please wait.

Target Fragmentation in Android Apps

Published byTomas Krause Modified over 6 years ago

Similar presentations

Presentation on theme: "Target Fragmentation in Android Apps"— Presentation transcript:

1 Target Fragmentation in Android Apps
Patrick Mutchler John Mitchell Yeganeh Safaei Adam Doupe

2 Takeaways Android apps can run using outdated OS behavior The large majority of Android apps do this Including popular and well maintained apps Outdated security code invisibly permeates the app ecosystem “Patched” security vulnerabilities still exist in the wild “Risky by default” behavior is widespread

3 Roadmap What is target fragmentation? Target fragmentation statistics
Security consequences Outline

4 Roadmap What is target fragmentation? Target fragmentation statistics
Security consequences

5 Android Developer Reference
“If the device is running Android 6.0 or higher… [the app] must request each dangerous permission that it needs while the app is running. Android Developer Reference Story to explain why targetSdkVersion exists. Requiring code changes to run on new OS versions hurts forwards compatibility.

6 Android Developer Reference
“If the device is running Android 6.0 or higher and your app's target SDK is 6.0 or higher [the app] must request each dangerous permission that it needs while the app is running. Android Developer Reference Story to explain why targetSdkVersion exists. Requiring code changes to run on new OS versions hurts forwards compatibility.

7 Android Developer Reference
“If the [operating system version of the device] is higher than the version declared by your app’s targetSdkVersion, the system may enable compatibility behaviors to ensure that your app continues to work the way you expect.” Android Developer Reference Describe targetSdkVersion design Not all old code is used.

8 Roadmap What is target fragmentation? Target fragmentation statistics
Security consequences Set up outdatedness here!

9 Dataset 1,232,696 Android Apps Popularity, Category, Update, and Developer metadata Collected between May 2012 and Dec 2015 Broken into five datasets by collection date

10 How do we measure outdatedness?
Describe targetSdkVersion design Not all old code is used.

11 Outdatedness Android 5.0 Released Android 5.1 Released
App Collected We aren’t just concerned with whether an app is out of date. We are concerned with how out of date that app is. Define outdatedness.

12 Cumulative distribution of outdatedness for apps collected in December 2015
8% of apps target the most current version (6.0, released in October) 50% of apps target versions at least 500 days out of date 20% of apps target versions at least 1000 days out of date

13 Cumulative distributions for different install counts.
Apps installed 10m times are a bit better but target fragmentation is still a severe problem. Fewer than 20% target th percentile is still about two years out of date.

14 Compare two datasets, each collected two months after an OS release.
Curves track pretty closely, suggesting that we aren’t just seeing weird behavior with 6.0 right now. TODO - relabel dataset names in the legend

15 What causes outdatedness?
Describe targetSdkVersion design Not all old code is used.

16 Negligent Outdatedness
App Updated Android 5.0 Released Android 5.1 Released Android 6.0 Released App Collected Lets be even more generous and account for stale apps on the app store. Define negligent outdatedness

17 Compare negligent outdatedness and outdatedness curves
Compare negligent outdatedness and outdatedness curves. Shows that stale apps are not the primary cause of outdatedness.

18 Silver Lining Describe targetSdkVersion design
Not all old code is used.

19 A small silver lining Describe targetSdkVersion design
Not all old code is used.

20

21

22 Roadmap What is target fragmentation? Target fragmentation statistics
Security consequences Outline

23 Extra.SHOW_FRAGMENT “Attacked Fragment”
Fragment Injection Vulnerable App PreferenceActivity Attacked Fragment Malicious Intent Extra.SHOW_FRAGMENT “Attacked Fragment” Extra.SHOW_FRAG_ARG Data Other Extras securityintelligence.com/new-vulnerability-android-framework-fragment-injection/ Introduce and explain fragment injection attack

24 Fragment Injection Fixed in Android 4.4 Developers implement isValidFragment to authorize fragments // Put this in your app protected boolean isValidFragment(String fName){ return MyFrag.class.getName().equals(fName); } Describe the solution for fragment injection. Fixed on Sep 3rd 2013. But what happens when you don’t implement isValidFragment?

25 Fragment Injection Vulnerable if: Targets 4.3 or lower (31%) Some class inherits from PreferenceActivity (4.8%) That class is exported (1.1%) That class does not override isValidFragment (0.55%) 4.2% of apps vulnerable if no fix was ever implemented Vulnerability rates. The “fix” has only reduced the vuln rate to 20% of what it would be if no fix was ever implemented.

26 Mixed Content in WebView
Define mixed content and explain what webview is.

27 Mixed Content in WebView
Major web browsers block Mixed Content In Android 5.0, WebViews block Mixed Content by default Can override default with setMixedContentMode() Explain mixed content changes

28 We cannot directly measure the number of “vulnerable” apps that allow mixed content because it is possible to do so safely. Instead we try to understand the number of apps that “accidentally” allow mixed content.

29 Assume that the % of apps that want to allow mixed content is constant
Red bar are apps that allow mixed content unnecessarily Red bar represents 18% of apps from December

30 Recap Android apps can run using outdated OS behavior The large majority of Android apps do this Including popular and well maintained apps Outdated security code invisibly permeates the app ecosystem “Patched” security vulnerabilities still exist in the wild “Risky by default” behavior is widespread Big takeaways from this paper Make third point into a sentence Make this last point punchier

31

32 SOP for file: URLs in WebView
In Android 4.1 separate file: URLs are treated as unique origins Can override with setAllowFileAccessFromFileURLs()

33 Difference is 64%. 15% of apps target <16 9.6% of all apps

34 Difference is 64%. 15% of apps target <16 9.6% of all apps You can see this going two ways: One is that developers who use Feature X are more likely to retarget when a security change comes to Feature X One is that developers who use Feature X are *less* likely to retarget when a change comes to Feature X because it breaks their code Apps that use PreferenceActivity target % of the time while the general population targets % of the time. Apps that use WebView... Apps that export Content Providers

Download ppt "Target Fragmentation in Android Apps"

Similar presentations

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
LeadManager™- Internet Marketing Lead Management Solution May, 2009.

LeadManager™- Internet Marketing Lead Management Solution May, 2009.
© 2001 3 Leaf Solutions, LLC. All Rights Reserved What’s New in Everett Microsoft.Net V1.1.

© Leaf Solutions, LLC. All Rights Reserved What’s New in Everett Microsoft.Net V1.1.
Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.

Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.
Chromium OS Chase Rogers. User Interface Unobtrusive Use small amount of screen space Combine apps and web pages into one tab strip Floating Windows Search.

Chromium OS Chase Rogers. User Interface Unobtrusive Use small amount of screen space Combine apps and web pages into one tab strip Floating Windows Search.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna.

A Large-Scale Study of Mobile Web App Security Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna.
Security of Mobile Applications Vitaly Shmatikov CS 6431.

Security of Mobile Applications Vitaly Shmatikov CS 6431.
ANDROID PROGRAMMING MODULE 1 – GETTING STARTED

ANDROID PROGRAMMING MODULE 1 – GETTING STARTED
SharePoint is only an application so it has to run on top of Windows Server Windows 2008 R2 SP1 or Windows 2012 Standard, Enterprise, or Data Center Still.

SharePoint is only an application so it has to run on top of Windows Server Windows 2008 R2 SP1 or Windows 2012 Standard, Enterprise, or Data Center Still.
Incident Response Updated 03/20/2015

Incident Response Updated 03/20/2015
Byron Alleman Will Galloway Jesse McCall. Permission Based Security Model Users can only use features for which their permissions grant them access Abstracts.

Byron Alleman Will Galloway Jesse McCall. Permission Based Security Model Users can only use features for which their permissions grant them access Abstracts.
Android for Java Developers Denver Java Users Group Jan 11, 2012 -Mike

Android for Java Developers Denver Java Users Group Jan 11, Mike
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim 09.11.2004.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/
2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.

2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.
ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.

ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.
Webview and Web services. Web Apps You can make your web content available to users in two ways in a traditional web browser in an Android application,

Webview and Web services. Web Apps You can make your web content available to users in two ways in a traditional web browser in an Android application,
Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.

Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.

Similar presentations

Ads by Google