THREATS, VULNERABILITIES IN ANDROID OS BY DNYANADA PRAMOD ARJUNWADKAR AJINKYA THORVE Guided by, Prof. Shambhu Upadhyay.

WHY ANDROID OS?
Open source, distributed environment
Unofficial app developers
No filtering of apps on the app store
Installation of apps from unknown sources
Presence of third-party app stores
Irrelevant permissions for apps
Distribution delay for OS updates and security patches

Android Threats Source:

Risks Involved
User privacy violations: call logs, IDs, contacts, browsing history, photos
Loss of control of the device
Consumption of resources

EXISTING SECURITY MODEL
Permissions
SSL implementations
Sandboxing
File storage
Intents and binders
Signatures
File access

Types of System Permissions
Normal: a lower-risk permission that poses minimal risk to other applications, the system, or the user; granted automatically.
Dangerous: a higher-risk permission that gives access to private user data or control over the device; displayed to the user and requires confirmation before proceeding.
Signature: granted only to an application signed with the same certificate as the application that declared the permission. If the certificates match, the system grants the permission automatically without notifying the user or asking for the user's explicit approval.


Attacks
Permissions
Repackaging apps
Denial of service attacks
Colluding applications
WebView
Man-in-the-middle
Malware and adware
Certificates

An Example of Repackaging Attack Source: Repackaging Attack on Android Banking Applications, Wireless Pers. Commun. (2013) 73:1421–1437

Malware in Android Source: G DATA Mobile Malware Report Q4/2015

Malware in Android (contd.)
Current situation: experts identify a new Android malware strain every 11 seconds [1].
Examples: Andr/PJApps-C, Andr/BBridge-A, Andr/BatteryD-A, Andr/Generic-S, Andr/DrSheep-A [2]

SSL Implementation in Android
SSL in Android is provided by JSSE; the two interfaces an app can override are TrustManager (validation of the server's certificate chain) and HostnameVerifier (checking that the certificate matches the host being contacted).
Methods for detecting vulnerabilities:
Static analysis: decompiled apps using dex2jar and analyzed the code.
Dynamic analysis: simulated three MITM scenarios:
S1: An advanced adversary that has its certificate installed on the user's device.
S2: An SSL implementation accepting all certificates.
S3: An implementation not performing hostname verification correctly.

SSL Handshake

Results for Static Analysis 93 of the 100 apps include SSL code. 46 of the 93 SSL-enabled apps define a TrustManager that actually accepts all certificates. 48 of the 93 apps include HostnameVerifier that accepts all hostnames. 41 of those 48 define a verifier that always returns true, while the other 7 define a hostname verifier that returns true without any check.

Results for Dynamic Analysis Starting with S1 (an attacker having its certificate installed on the user’s device): 91 apps establish login connections and give access to secure pages, leaking sensitive information. In scenario S2 (an attacker presenting an invalid certificate): 23 of the apps complete the connection, with 9 of them leaking sensitive information. In scenario S3 (an attacker presenting a certificate with wrong credentials): 29 of the apps establish a connection, with 11 of them revealing sensitive information. A total of 20 apps are vulnerable in all three scenarios, with 9 of them revealing sensitive information.

Results for Dynamic Analysis (contd.) Only 9 of the 100 apps do not establish connections in any of the three attack scenarios considered. Only 3 apps present the user with an error message indicating that the connection was refused due to an SSL certificate error. Other apps keep loading indefinitely, crash, display a message trying to redirect the user to a web browser, display a blank screen or some generic message.

Summary
Apps with a correct implementation of SSL pinning are not vulnerable to MITM attacks.
Apps with a vulnerable TrustManager establish connections in the presence of an attack.
Apps using AllowAllHostnameVerifier or a vulnerable HostnameVerifier also establish connections.
Apps are vulnerable to powerful adversaries with a certificate on the user's device.

Proposed Solutions
Do not rely on the user to fix problems: users often have no idea what warnings actually mean or what the right course of action is.
Rather than using a TrustManager that accepts all certificates, developers should enable SSL pinning.
Use self-signed root certificates: developers should create a keystore holding a self-signed root certificate, use that root to sign any number of end-entity certificates deployed on their servers, and then build the app's TrustManager from that keystore.
Analysis of private-information leakage and SSL vulnerabilities should be part of the vetting process performed by app markets.
Design meaningful mechanisms for visual feedback.
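The following is an added example, not code from these slides or from the cited paper. It puts the two vulnerable patterns counted in the static-analysis results (a TrustManager that accepts every chain and a HostnameVerifier that always returns true) beside the keystore-based pinning the Proposed Solutions slide describes: the app ships a keystore containing only its own self-signed root, builds a TrustManager from it, and leaves the platform's default hostname verification in place. The class name, the keystore type and password, and the way the keystore stream is obtained are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name; the code is an illustration, not part of any real app.
public final class PinningExample {

    // ---- Vulnerable pattern 1: a TrustManager that accepts all certificates ----
    // Never rejects a chain, so an attacker's self-signed or invalid certificate
    // is accepted (scenario S2 in the study). Shown only to contrast with the fix.
    static final TrustManager[] ACCEPT_ALL_CERTS = new TrustManager[] {
        new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };

    // ---- Vulnerable pattern 2: a HostnameVerifier that always returns true ----
    // A certificate that is valid for some other host is accepted for this one
    // (scenario S3). Equivalent in effect to AllowAllHostnameVerifier.
    static final HostnameVerifier ACCEPT_ALL_HOSTS = new HostnameVerifier() {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    };

    // ---- Hardened pattern: pin to the app's own self-signed root ----
    // keystoreStream holds a keystore that contains ONLY the developer's
    // self-signed root certificate (assumption: type "BKS", the type bundled on
    // Android; on desktop Java "PKCS12" would be used instead).
    public static SSLSocketFactory pinnedSocketFactory(InputStream keystoreStream, char[] password)
            throws Exception {
        KeyStore pinnedRoots = KeyStore.getInstance("BKS");
        pinnedRoots.load(keystoreStream, password);

        // A TrustManagerFactory initialised from this keystore trusts nothing else:
        // the device's system and user CA stores are not consulted, so a CA the
        // adversary installed on the device (scenario S1) does not help them.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(pinnedRoots);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Opens a connection using the pinned factory. The HostnameVerifier is
    // deliberately NOT replaced, so the default verifier still checks that the
    // end-entity certificate matches url.getHost() (covers scenario S3).
    public static HttpsURLConnection openPinned(URL url, SSLSocketFactory pinned) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(pinned);
        return conn;
    }
}
```

On Android the keystore stream would typically come from a raw resource, for example `context.getResources().openRawResource(R.raw.pinned_root)` (the resource name is an assumption). Because the end-entity certificates are issued by the developer's own root, they must be rotated by the developer, and the app must ship a new keystore before the pinned root expires; this operational cost is the usual trade-off of pinning. On Android 7.0 and later the same pin can be declared without code through the Network Security Configuration file, which is the preferable route for new apps.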

References
[1] G DATA Mobile Malware Report, Threat Report Q4/2015
[2]
[3] Lucky Onwuzurike, Emiliano De Cristofaro, "Danger is My Middle Name: Experimenting with SSL Vulnerabilities in Android Apps", WiSec '15: Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks, 2015