Dynamic Vetting Android Applications for Privilege-escalation Risks

Jiaojiao Fu

Presentation transcript:

Slide 1: Dynamic Vetting Android Applications for Privilege-escalation Risks
Jiaojiao Fu

Slide 2: Motivation
- Four components: Activity, Service, Broadcast receiver, Content provider
- Security mechanisms: Sandbox, Permission
- A zero-permission app could also be dangerous

Slide 3: Android-specific security risks
- Privilege escalation
  - Component hijacking, confused deputy, stealing private data, modifying critical settings, performing privileged actions
[Figure: three sandboxed apps. App a (permissions: -) with components Ca1, Ca2; App b (permission: p1) with components Cb1, Cb2; App c with components Cc1, Cc2; labels p1 and p2; legend: √ allowed, × not allowed]

Slide 4: Related work
- CHEX [CCS'12]
  - Static analysis method; can't determine whether a permission is really used while the app is running
  - Can't cover apps written with JNI
- Towards Taming Privilege-Escalation Attacks on Android [NDSS'12]
- Flexible and Fine-Grained Mandatory Access Control on Android for Diverse Security and Privacy Policies [USENIX'13]
  - Need to recompile the Android framework and the Linux kernel
  - Complicated and self-defined policies

Slide 5: Our approach
- Design and implement a tool that can be used by Google Play and users
- Dynamic analysis
[Figure: workflow split between PC and Android. Labels, in the order they appear: App crawler; Manifest and smali; Exposed components; Invoke the components on hooked Android OS; Trace the permissions used while the app is running; Log analysis; Run the application]

Slide 6: Current progress
- Decompile successfully
- Have a systematic method to find exposed components and invoke them, except content providers
- Hook the Android framework successfully and get the log
- We are working on content providers now
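
The "Manifest and smali" to "Exposed components" step from the approach slide, sketched as an added example (not the presenter's tool): it lists the components other apps can reach in a decoded, text-form AndroidManifest.xml, together with any permission guarding them. The function name `exposed_components`, the sample package and the assumption that the manifest carries `<uses-sdk>` are all hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest package="com.example.vetting"
          xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-sdk android:targetSdkVersion="16"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SmsService" android:exported="true"
             android:permission="com.example.vetting.SEND"/>
    <receiver android:name=".InternalReceiver" android:exported="false">
      <intent-filter><action android:name="com.example.PING"/></intent-filter>
    </receiver>
    <service android:name=".WorkerService"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"/>
  </application>
</manifest>"""


def exposed_components(manifest_xml):
    """Return (kind, name, guarding_permission) for each component other apps can reach."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(ANDROID_NS + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    found = []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(ANDROID_NS + "exported")
        if exported is None:
            # Platform defaults when the attribute is absent: providers were
            # exported by default below targetSdkVersion 17; other components
            # are exported only if they declare an intent filter.
            if comp.tag == "provider":
                exported = "true" if target < 17 else "false"
            else:
                exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported == "true":
            # A component-level permission overrides the <application> one.
            perm = comp.get(ANDROID_NS + "permission") or app.get(ANDROID_NS + "permission")
            found.append((comp.tag, comp.get(ANDROID_NS + "name"), perm))
    return found
```

Exported components with no guarding permission are the ones a vetting run would prioritise; providers can additionally carry `android:readPermission` and `android:writePermission`, which this sketch does not inspect.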