3. Traditional computing vs. smartphones
• Smartphones: logical conclusion of access consolidation,
service decentralization, and commoditization of computing
• Usage model is very different
‣ Multi-user single machine to single-user multiple
machines
‣ Always on, always computing social instrument
‣ Enterprise: separate action from geography
• Changing Risk
‣ Necessarily contains secrets (often high value)
‣ Collects sensitive data as a matter of operation
‣ Drifts seamlessly between “unknown” networks
‣ Highly malleable development practices, largely
unknown developers
NC State - Prof. William Enck Page 3
4. Rethinking (host) Security
security == permissions
security ≠ users
• Permissions define capabilities.
• Application markets deliver functionality
(free or paid) via packaged applications.
• Users make permission decisions.
• Applications are run within sandboxes
provided by the OS.
• Note: App markets don’t (and can’t)
provide security for everything.
5. Research Questions
• Questions:
‣ What permissions do applications ask for?
‣ What do applications do with the permissions?
‣ What can applications do with the permissions?
6. Example: Android Security
• Permissions granted to applications at install time and never changed
(the model of Android 1.x through 5.x; runtime permission prompts arrived with Android 6.0)
‣ Permissions are enforced when an application
accesses a component, API, etc
‣ Runtime decisions look for assigned permissions
(access is granted IFF app A was assigned perm X at install)
[Figure: Application 1 inherits permission labels (l1, ...) from the permissions it was granted; its component A may invoke Application 2's component B, protected by label l1, but not component C, protected by label l2, which Application 1 does not hold.]
• Example permissions: location, phone IDs, microphone,
camera, address book, SMS, application “interfaces”
7. Q1: what do applications ask for?
• Kirin certifies applications by vetting policies at
install-time (relies on runtime enforcement)
• Insight: app config and security policy is an upper
bound on runtime behavior.
• Kirin is a modified application installer
‣ Apps with unsafe policies are rejected
[Figure: Kirin architecture. (1) The user attempts installation; (2) the Android Application Installer hands the package to the Kirin Security Service; (3) the service evaluates it against the Kirin security rules and returns pass/fail; (4) the installer completes or rejects the installation. Optional extension: display risk ratings to the user and prompt for override.]
8. Kirin Security Policy
• Kirin enforces security invariants at install-time
• Local evaluation of two manifest artifacts
‣ The collection of requested permissions (uses-permission)
‣ The types of registered Intent message listeners
• Example:
‣ Do not allow an application that has the Location and Internet
permissions and also receives the “booted” event; in KSL:
    restrict permission [ACCESS_FINE_LOCATION, INTERNET]
    and receive [BOOT_COMPLETE]
9. Policy Evaluation
• Policy evaluation uses set satisfiability expressible in KSL
‣ Invariant violations found in O(n) w.r.t. policy size
‣ KSL rules are tuples $(P_i, A_i)$
• Example rule (as on the previous slide):
    restrict permission [ACCESS_FINE_LOCATION, INTERNET]
    and receive [BOOT_COMPLETE]
• KSL semantics (Section 5.2, “KSL Semantics”, of the Kirin paper):
Let $C$ be the set of all possible application configurations and $R$ the set of KSL rules. A configuration $c_t \in C$ is the tuple $(P_t, A_t)$, where $P_t$ is the set of permission labels requested in the package manifest and $A_t$ is the set of action strings used by the intent filters of the application's Activities, Services and Broadcast Receivers. Each rule $r_i \in R$ is the tuple $(P_i, A_i)$, where $P_i \in 2^{P}$ is the conjunction of its “permission” restrictions and $A_i \in 2^{A}$ the conjunction of its “receive” restrictions ($2^X$ denotes the set of all subsets of $X$, including $\emptyset$). A configuration fails a rule according to
$$f_{fail}(c_t, r_i) = (P_i \subseteq P_t) \wedge (A_i \subseteq A_t), \qquad f_{fail} : C \times R \to \{\mathrm{true}, \mathrm{false}\},$$
and the set of rules a configuration fails is
$$F_R(c_t) = \{\, r_i \mid r_i \in R,\ f_{fail}(c_t, r_i) \,\}, \qquad F_R : C \to 2^{R}.$$
The configuration $c_t$ passes the rule set $R$ iff $F_R(c_t) = \emptyset$. Storing $P_t$ and $A_t$ as hash tables gives constant-time set membership, so $F_R(\cdot)$ runs in time linear in the size of its input (proof by inspection).
[Table 1 of the Kirin paper (example applications such as Walkie Talkie Push to Talk, Shazam and Inauguration) is not reproduced.]
10. Studying the (early) Market
• Evaluate 300+ popular Market apps (Jan 2009)
‣ 5 had both dangerous configuration and functionality (1.6%)
‣ 5 had dangerous configuration but not functionality (1.6%)
(1) An application must not have the SET_DEBUG_APP permission
(2) An application must not have the READ_PHONE_STATE, RECORD_AUDIO, and INTERNET permissions
(3) An application must not have the PROCESS_OUTGOING_CALL, RECORD_AUDIO, and INTERNET permissions
(4) An application must not have the ACCESS_FINE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions
(5) An application must not have the ACCESS_COARSE_LOCATION, INTERNET, and RECEIVE_BOOT_COMPLETE permissions
(6) An application must not have the RECEIVE_SMS and WRITE_SMS permissions
(7) An application must not have the SEND_SMS and WRITE_SMS permissions
(8) An application must not have the INSTALL_SHORTCUT and UNINSTALL_SHORTCUT permissions
(9) An application must not have the SET_PREFERRED_APPLICATION permission and receive Intents for the CALL action string
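The install-time check of slides 7 through 10, as an added example that is not Kirin's own code: it reads the two manifest artifacts, builds the configuration c_t = (P_t, A_t), and evaluates a subset of the rules above as KSL tuples (P_i, A_i), returning F_R(c_t). The two manifests are constructed samples, the rule names are mine, and Android's actual identifiers (RECEIVE_BOOT_COMPLETED and the android.intent.action.BOOT_COMPLETED action) are used where the slides abbreviate them; rule (4) is written in the "restrict permission ... and receive ..." form of slide 8.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# KSL rules as (name, permission restrictions P_i, receive restrictions A_i).
# A configuration fails a rule when it holds every permission in P_i AND
# registers an intent filter for every action in A_i. Rule names are ours;
# the combinations follow Kirin rules (1), (2), (4) and (6).
KSL_RULES = [
    ("debug-app",        {"SET_DEBUG_APP"}, set()),
    ("audio-eavesdrop",  {"READ_PHONE_STATE", "RECORD_AUDIO", "INTERNET"}, set()),
    ("location-at-boot", {"ACCESS_FINE_LOCATION", "INTERNET"}, {"BOOT_COMPLETED"}),
    ("sms-tamper",       {"RECEIVE_SMS", "WRITE_SMS"}, set()),
]

# Constructed sample manifests (not taken from any real application).
TRACKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tracker">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".UploadService"/>
  </application>
</manifest>"""

WEATHER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def short_name(qualified):
    """android.permission.INTERNET -> INTERNET; works for action strings too."""
    return qualified.rsplit(".", 1)[-1]


def configuration(manifest_xml):
    """c_t = (P_t, A_t): requested permissions and the action strings used by
    the intent filters of the app's Activities, Services and Receivers."""
    root = ET.fromstring(manifest_xml)
    perms = {short_name(e.get(ANDROID + "name")) for e in root.iter("uses-permission")}
    actions = {short_name(a.get(ANDROID + "name"))
               for comp in ("activity", "service", "receiver")
               for el in root.iter(comp)
               for a in el.iter("action")}
    return perms, actions


def rule_fails(config, rule):
    """f_fail(c_t, r_i) = (P_i subset of P_t) and (A_i subset of A_t)."""
    perms, actions = config
    _, rule_perms, rule_actions = rule
    return rule_perms <= perms and rule_actions <= actions


def failing_rules(config, rules=KSL_RULES):
    """F_R(c_t): one pass over R with O(1) set membership, so linear in |R|."""
    return [rule[0] for rule in rules if rule_fails(config, rule)]


def certify(manifest_xml, rules=KSL_RULES):
    """Install-time decision: the package passes iff F_R(c_t) is empty."""
    failed = failing_rules(configuration(manifest_xml), rules)
    return len(failed) == 0, failed


if __name__ == "__main__":
    for label, manifest in (("tracker", TRACKER_MANIFEST), ("weather", WEATHER_MANIFEST)):
        ok, failed = certify(manifest)
        print(label, "PASS" if ok else "FAIL", failed)
```

The weather app holds the same two permissions as the tracker but registers no boot receiver, so only the tracker fails, which is exactly the "upper bound on runtime behavior" point of slide 7: the manifest alone decides, and an app can only lose by requesting more than it needs.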
11. Q2: What do the applications do?
• TaintDroid is a system-wide integration of taint
tracking into the Android platform
‣ VM Layer: variable tracking throughout Dalvik VM
‣ Native Layer: patches state after native method invocation
‣ Binder IPC Layer: extends tracking between applications
‣ Storage Layer: persistent tracking on files
[Figure: TaintDroid architecture. Taint is tracked at four granularities: variable-level inside the virtual machine running application code, message-level across Binder IPC between applications, method-level for native system libraries, and file-level for secondary storage; the network interface is the taint sink.]
• TaintDroid is a firmware modification, not an app
12. Dynamic Taint Analysis
• Dynamic taint analysis is a technique that tracks
information dependencies from an origin
• Conceptual idea:
‣ Taint source
    c = taint_source()
    ...
‣ Taint propagation
    a = b + c
    ...
‣ Taint sink
    network_send(a)
• Limitations: performance and granularity are a trade-off
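The three-step idea above, as an added example that is not TaintDroid's code (TaintDroid implements propagation inside the Dalvik interpreter; here it lives in a Python wrapper class with a bit-vector tag per value, mirroring TaintDroid's 32-bit tag). It carries location and IMEI tags through the string concatenation that builds an ad request of the shape shown on slide 15, and then shows the granularity caveat: a leak that depends only on control flow reaches the sink untagged. The coordinate, IMEI, host name and tag layout are constructed assumptions.

```python
# Taint tags are bits in one integer, so a value derived from several
# sources carries the union of their tags.
TAG_LOCATION = 1 << 0
TAG_IMEI = 1 << 1
TAG_MIC = 1 << 2
TAG_NAMES = {TAG_LOCATION: "location", TAG_IMEI: "imei", TAG_MIC: "microphone"}


def tag_names(tag):
    return sorted(name for bit, name in TAG_NAMES.items() if tag & bit)


class Tainted:
    """A value plus its taint tag. Every operation that derives a new value
    from a tainted operand ORs the operands' tags onto the result; this is the
    explicit-flow propagation rule of the slide (a = b + c)."""
    __slots__ = ("value", "tag")

    def __init__(self, value, tag=0):
        self.value, self.tag = value, tag

    @staticmethod
    def split(x):
        return (x.value, x.tag) if isinstance(x, Tainted) else (x, 0)

    def _derive(self, other, op, reflected=False):
        a, ta = self.value, self.tag
        b, tb = Tainted.split(other)
        return Tainted(op(b, a) if reflected else op(a, b), ta | tb)

    def __add__(self, other):
        return self._derive(other, lambda x, y: x + y)

    def __radd__(self, other):
        return self._derive(other, lambda x, y: x + y, reflected=True)

    def __mul__(self, other):
        return self._derive(other, lambda x, y: x * y)

    __rmul__ = __mul__  # multiplication commutes, so no reflected variant is needed

    def text(self):
        """Formatting is a derivation too: str() of a tainted value stays tainted."""
        return Tainted(str(self.value), self.tag)


# Taint sources: stand-ins for LocationManager and TelephonyManager.getDeviceId().
# Both return values are constructed samples.
def get_location():
    return Tainted("47.661228,-122.315895", TAG_LOCATION)


def get_device_id():
    return Tainted("490154203237518", TAG_IMEI)


# Taint sink: stand-in for the socket write. Returns the names of the tags that
# reached the sink; an empty list means nothing sensitive was observed leaving.
def network_send(host, payload):
    _, tag = Tainted.split(payload)
    return tag_names(tag)


def build_ad_request(app_id="a14a4a93f1e4c68"):
    """Ad request in the shape of the AdMob GET on the slide: both identifiers
    flow into the URL by concatenation, so the URL carries both tags."""
    url = "http://ads.example.invalid/ad?s=" + app_id
    return url + "&d[coord]=" + get_location() + "&uuid=" + get_device_id()


def implicit_flow_leak():
    """Limitation: only explicit data flow is tracked. The byte sent here is
    chosen by branching on the IMEI, but no tagged value reaches the sink,
    so the sink reports nothing (TaintDroid does not track control-flow
    dependence either)."""
    device = get_device_id()
    first = "3" if device.value.startswith("3") else "other"
    return network_send("ads.example.invalid", first)


if __name__ == "__main__":
    print("explicit flow :", network_send("ads.example.invalid", build_ad_request()))
    print("implicit flow :", implicit_flow_leak())
```

The first call reports both "imei" and "location" because every concatenation step forwarded the tags; the second reports nothing, which is the false negative the granularity trade-off buys. Tracking implicit flows would require tainting every value written under a tainted branch, which is where the performance cost and the over-tainting of unrelated data come from.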
13. Performance
• CaffeineMark 3.0 benchmark (higher is better; the score roughly corresponds to
the number of Java instructions per second)
[Figure: bar chart of CaffeineMark 3.0 scores, 0 to 2000, for stock Android vs. TaintDroid across the sieve, loop, logic, string, float, method and total sub-benchmarks]
• Memory overhead: 4.4%
• IPC overhead: 27%
• Macro-benchmark: 14% overhead
‣ App load: 3% (2ms)
‣ Address book: 5.5% create, 18% read (< 20 ms)
‣ Phone call: 10% (10ms)
‣ Take picture: 29% (0.5s)
14. Application Study
• Selected 30 applications with bias on popularity and
access to Internet, location, microphone, and camera
Applications (grouped by requested permission set)                   # apps
The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser     6
Bump, Wertago, Antivirus, ABC --- Animals, Traffic Jam, Hearts, Blackjack,
Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Datelefonbuch, Astrid,
BBC News Live Stream, Ringtones                                          14
Layar, Knocking, Coupons, Trapster, SpongeBob Slide, ProBasketBall        6
MySpace, Barcode Scanner, ixMAT                                           3
Evernote                                                                  1
(The permissions column of the original table was drawn as icons and is not reproduced.)
• Of 105 flagged connections, only 37 clearly legitimate
15. Findings
• 15 of the 30 applications shared physical location
with an ad server (admob.com, ad.qwapi.com,
ads.mobclix.com, data.flurry.com)
‣ Most traffic was plaintext (e.g., AdMob HTTP GET; d%5Bcoord%5D decodes to d[coord], the latitude and longitude):
...&s=a14a4a93f1e4c68&..&t=062A1CB1D476DE85B717D9195A6722A9&d%5Bcoord%5D=47.661227890000006%2C-122.31589477&...
• 7 applications sent device (IMEI) and 2 apps sent
phone info (Ph. #, IMSI *, ICC-ID) to a remote server
without informing the user.
16. Q3: What can the applications do?
• Static analysis: look at the possible paths and
interaction of data
‣ Very, very hard (often undecidable), but community has
learned that we can do a lot with small analyses.
• Step 1: ded decompiler for Android applications
• Step 2: static source code analysis for both
dangerous functionality and vulnerabilities
‣ What data could be exfiltrated from the application?
‣ Are developers safely using interfaces?
17. ded Decompiler
• Android applications are written in Java, but compiled for the
optimized Dalvik VM language
‣ Non-trivial to retarget back to Java: register vs. stack architecture,
constant pools, ambiguous scalar types, null references, etc.
[Figure: Retargeting Process. (1) DEX Parsing: CFG Construction; Type Inference Processing (Missing Type Inference, Constant Identification). (2) Java .class Conversion: Constant Pool Conversion; Constant Pool Translation; Method Code Retargeting (Bytecode Reorganization, Instruction Set Translation). (3) Java .class Optimization.]
• ded recovers source code from application package
‣ Retargeting: type inference, instruction translation, etc
‣ Optimization: use Soot to re-optimize for Java bytecode
‣ Decompilation: standard Java decompilation (Soot)
• Decompiled top 1,100 free apps from Android market:
over 21 million lines of source code
18. Studying Application Security
• Queried for security properties using program analysis,
followed by manual inspection to understand purpose
• Used several types of analysis to design
security properties specific to Android
using the Fortify SCA framework

Analysis for Dangerous Behavior
‣ Misuse of Phone Identifiers: Data flow analysis
‣ Exposure of Physical Location: Data flow analysis
‣ Abuse of Telephony Services: Semantic analysis
‣ Eavesdropping on Video: Control flow analysis
‣ Eavesdropping on Audio: Structural analysis (+CG)
‣ Botnet Characteristics (Sockets): Structural analysis
‣ Harvesting Installed Applications: Structural analysis

Analysis for Vulnerabilities
‣ Leaking Information to Logs: Data flow analysis
‣ Leaking Information to IPC: Control flow analysis
‣ Unprotected Broadcast Receivers: Control flow analysis
‣ Intent Injection Vulnerabilities: Control flow analysis
‣ Delegation Vulnerabilities: Control flow analysis
‣ Null Checks on IPC Input: Control flow analysis
‣ Password Management*: Data flow analysis
‣ Cryptography Misuse*: Structural analysis
‣ Injection Vulnerabilities*: Data flow analysis
* included with analysis framework

• Also studied inclusion of advertisement and
analytics libraries and associated properties
19. Phone Identifiers
• We’ve seen phone identifiers (Ph.#, IMEI, IMSI, etc)
sent to network servers, but how are they used?
‣ Program analysis pinpointed 33 apps leaking Phone IDs
• Finding 2 - device fingerprints
• Finding 3 - tracking actions
• Finding 4 - along with registration and login
21. Device Fingerprints (2)
com.avantar.wny - com/avantar/wny/PhoneStats.java
public String toUrlFormatedString()
{
StringBuilder $r4;
if (mURLFormatedParameters == null)   // slide callout: mUuid holds the IMEI
{
$r4 = new StringBuilder();
$r4.append((new StringBuilder("&uuid=")).append(URLEncoder.encode(mUuid)).toString());
$r4.append((new StringBuilder("&device=")).append(URLEncoder.encode(mModel)).toString());
$r4.append((new StringBuilder("&platform=")).append(URLEncoder.encode(mOSVersion)).toString());
$r4.append((new StringBuilder("&ver=")).append(mAppVersion).toString());
$r4.append((new StringBuilder("&app=")).append(this.getAppName()).toString());
$r4.append("&returnfmt=json");
mURLFormatedParameters = $r4.toString();
}
return mURLFormatedParameters;
}
22. Tracking
com.froogloid.kring.google.zxing.client.android - Activity_Router.java (Main Activity)
// slide callout: the request is sent to http://kror.keyringapp.com/service.php
public void onCreate(Bundle r1)
{
...
IMEI = ((TelephonyManager) this.getSystemService("phone")).getDeviceId();
retailerLookupCmd = (new StringBuilder(String.valueOf(constants.server))).append("identifier=").append(EncodeURL.KREncodeURL(IMEI)).append("&command=retailerlookup&retailername=").toString();
...
}
com.Qunar - net/NetworkTask.java
// slide callout: the request is sent to http://client.qunar.com:80/QSearch
public void run()
{
...
r24 = (TelephonyManager) r21.getSystemService("phone");
url = (new StringBuilder(String.valueOf(url))).append("&vid=60001001&pid=10010&cid=C1000&uid=").append(r24.getDeviceId()).append("&gid=").append(QConfiguration.mGid).append("&msg=").append(QConfiguration.getInstance().mPCStat.toMsgString()).toString();
...
}
23. Registration and Login
com.statefarm.pocketagent - activity/LogInActivity$1.java (Button callback)
public void onClick(View r1)   // slide callout: the device ID (r7) is the IMEI
{
...
r7 = Host.getDeviceId(this$0.getApplicationContext());
LogInActivity.access$1(this$0).setUniqueDeviceID(r7);
this$0.loginTask = new LogInActivity$LoginTask(this$0, null);
this$0.showProgressDialog(r2, 2131361798, this$0.loginTask);
r57 = this$0.loginTask;
r58 = new LoginTO[1];
r58[0] = LogInActivity.access$1(this$0);
r57.execute(r58);
...
}
Is this necessarily bad?
24. Location
• Found 13 apps with geographic location data flows
to the network
‣ Many were legitimate: weather, classifieds, points of
interest, and social networking services
• Several instances sent to
advertisers (same as TaintDroid).
More on this shortly.
• Code recovery error in
AdMob library.
25. Phone Misuse
• No evidence of abuse in our sample set for any of:
‣ Hard-coded numbers for SMS/voice (premium-rate)
‣ Background audio/video recording
‣ Socket API use (not HTTP wrappers)
‣ Harvesting the list of installed applications
26. Ad/Analytics Libraries
• 51% of the apps included an ad or analytics library (many also
included custom functionality)
• A few libraries were used most frequently
• Use of phone identifiers and location sometimes configurable by developer
[Figure: histogram (log scale, 1 to 1000) of the number of apps by number of included ad/analytics libraries, 1 through 8; 1 app has 8 libraries!]

Library Path                          # Apps   Obtains
com/admob/android/ads                    320   L
com/google/ads                           206   -
com/flurry/android                        98   -
com/qwapi/adclient/android                74   L, P, E
com/google/android/apps/analytics         67   -
com/adwhirl                               60   L
com/mobclix/android/sdk                   58   L, E
com/mellennialmedia/android               52   -
com/zestadz/android                       10   -
com/admarvel/android/ads                   8   -
com/estsoft/adlocal                        8   L
com/adfonic/android                        5   -
com/vdroid/ads                             5   L, E
com/greystripe/android/sdk                 4   E
com/medialets                              4   L
com/wooboo/adlib_android                   4   L, P, I
com/adserver/adview                        3   L
com/tapjoy                                 3   -
com/inmobi/androidsdk                      2   E
com/apegroup/ad                            1   -
com/casee/adsdk                            1   S
com/webtrents/mobile                       1   L, E, S, I
Total Unique Apps                        561
L = Location; P = Ph#; E = IMEI; S = IMSI; I = ICC-ID
28. Probing for Permissions (2)
com/casee/adsdk/AdFetcher.java
public static String getDeviceId(Context r0)
{
String r1;
r1 = "";
label_19:
{
if (deviceId != null)
{
if (r1.equals(deviceId) == false)
{
break label_19;
}
}
// slide callout: checks for the permission before accessing the identifier
if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0)
{
deviceId = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId();
}
} //end label_19:
...
}
Note that despite its name the method reads the IMSI (getSubscriberId), consistent with the “S” listed for com/casee/adsdk in the library table.
29. Developer Toolkits
• We found identically implemented dangerous
functionality in the form of developer toolkits.
‣ Probing for permissions (e.g., via the Android permission-check
API, or by catching SecurityException)
‣ Well-known brands sometimes
commission developers that
include dangerous functionality.
• “USA Today” and “FOX News”
both developed by
Mercury Intermedia
(com/mercuryintermedia),
which grabs IMEI on startup
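A structural rule of the kind listed on slide 18, as an added example that is not one of the Fortify SCA rules used in the study: it scans decompiler output for TelephonyManager identifier reads and reports whether the enclosing method probes for READ_PHONE_STATE first, by either idiom on this slide (an explicit permission check, or a catch of SecurityException). The Java source is a constructed sample modeled on the casee snippet; the method splitter is a heuristic that assumes ded/Soot-style output with one declaration per line.

```python
import re

# Phone-identifier sources (all on TelephonyManager, all gated by READ_PHONE_STATE)
ID_SOURCES = {
    "getDeviceId": "IMEI",
    "getSubscriberId": "IMSI",
    "getLine1Number": "phone number",
    "getSimSerialNumber": "ICC-ID",
}
READ_CALL = re.compile(r"\.(%s)\s*\(" % "|".join(ID_SOURCES))

# The two probing idioms from the slide: ask the OS first, or try and catch the refusal.
PROBE_CHECK = re.compile(
    r'\bcheck(?:CallingOrSelf|Calling)?Permission\s*\(\s*"android\.permission\.READ_PHONE_STATE"')
PROBE_CATCH = re.compile(r"\bcatch\s*\(\s*(?:java\.lang\.)?SecurityException\b")

# Method header as ded/Soot prints it: modifiers, return type, name, parameter list.
METHOD_HDR = re.compile(
    r"^[ \t]*(?:(?:public|private|protected|static|final|synchronized)\s+)+"
    r"[\w<>\[\].]+\s+(\w+)\s*\([^)]*\)", re.M)

# Constructed decompiler output (not from any real app): one probe via the
# permission API, one via SecurityException, and two unguarded reads.
SAMPLE_SOURCE = '''
public class AdFetcher
{
    public static String getDeviceId(Context r0)
    {
        if (r0.checkCallingOrSelfPermission("android.permission.READ_PHONE_STATE") == 0)
        {
            deviceId = ((TelephonyManager) r0.getSystemService("phone")).getSubscriberId();
        }
        return deviceId;
    }

    public static String getImei(Context r0)
    {
        String r1 = null;
        try
        {
            r1 = ((TelephonyManager) r0.getSystemService("phone")).getDeviceId();
        }
        catch (SecurityException r2)
        {
        }
        return r1;
    }

    public void onCreate(Bundle r1)
    {
        imei = ((TelephonyManager) this.getSystemService("phone")).getDeviceId();
        line = ((TelephonyManager) this.getSystemService("phone")).getLine1Number();
    }
}
'''


def split_methods(java_source):
    """Each method runs from its header to the next header (or end of file)."""
    heads = list(METHOD_HDR.finditer(java_source))
    methods = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(java_source)
        methods.append((head.group(1), java_source[head.start():end]))
    return methods


def identifier_reads(java_source):
    """Structural rule: every identifier read, tagged with whether the
    enclosing method probes for the permission before reading."""
    findings = []
    for name, body in split_methods(java_source):
        probes = bool(PROBE_CHECK.search(body) or PROBE_CATCH.search(body))
        for m in READ_CALL.finditer(body):
            findings.append({"method": name, "api": m.group(1),
                             "identifier": ID_SOURCES[m.group(1)],
                             "probes_permission": probes})
    return findings


def unprobed_reads(java_source):
    """Reads that will throw SecurityException if the permission is missing."""
    return [(f["method"], f["identifier"])
            for f in identifier_reads(java_source) if not f["probes_permission"]]


if __name__ == "__main__":
    for f in identifier_reads(SAMPLE_SOURCE):
        print(f)
```

Probing is what makes a toolkit "safe" to drop into any app: the host's manifest decides whether the identifier read succeeds, so the same library code grabs the IMEI in one app and silently does nothing in another. For a reviewer that is the signal to flag, since a library that checks for READ_PHONE_STATE before using it is opportunistic by design.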
31. Intent Vulnerabilities
• Analysis rules similar to those independently identified
by Chin et al. [MobiSys 2011]
• Leaking information to IPC - unprotected intent broadcasts
are common, occasionally contain info
• Unprotected broadcast receivers - a few apps receive custom
action strings w/out protection (lots of “protected bcasts”)
• Intent injection attacks - 16 apps had potential vulnerabilities
• Delegating control - pending intents are tricky to analyze
(notification, alarm, and widget APIs) --- no vulns found
• Null checks on IPC input - 3925 potential null dereferences in
591 apps (53%) --- most were in activity components
32. Study Limitations
• The sample set
• Code recovery failures
• Android IPC data flows
• Fortify SCA language
• Obfuscation
33. Summary
• What permissions do applications ask for?
‣ Kirin demonstrated how permission combinations can be
effectively used to certify applications at install-time.
• What do applications do with the permissions?
‣ TaintDroid “looks inside” of applications to understand how
privacy sensitive information is being used.
• What can applications do with the permissions?
‣ We used program analysis and manual inspection to
characterize implemented application behavior
34. Thank you!
William Enck
Assistant Professor
Department of Computer Science
NC State University
enck@cs.ncsu.edu
http://www.enck.org