Security in Android Applications - Portalscg.unibe.ch/download/softwarecomposition/2017-08-29... · 2017-10-03 · Security in Android Applications Insufficient Attack Protection

Security in Android ApplicationsMaster Thesis

Pascal Gadient

Software Composition GroupUniversity of BernSwitzerland

Security in Android Applications

Introduction

What are security code smells?

How prevalent are they?

Why identifying security smells is helpful?

Conclusion

Agenda

02


Software is Everywhere

https://www.youtube.com/watch?v=SB_0vRnkeOk

03


We Love Apps

04


Mobile Device Addiction

05


Mobile Security is Vital

06


Software Insecurity Thrives

07


Security Code Smell

Definition:

Symptoms in the code that indicate

the prospect of security and privacy vulnerabilities

08


Research Goals

RQ1: What are the security code smells in Android apps?

RQ2: How prevalent are security smells in benign apps?

RQ3: To which extent identifying such smells facilitates detecting security vulnerabilities?

09


Literature Review

Inspection

of citations and cited papers

Agreement

by discussion

Collection

of worklisted papers

Reading

of abstracts and introductions

KeywordSearch

10


What are the security code smells in Android apps?

11


Insufficient Attack Protection

Unreliable Information Sources

Untrustworthy / Outdated Libraries

Native Code

Open to Piggybacking

Unnecessary Permissions

12


Security Invalidation

Weak Crypto Algorithm or Configuration

Improper Certificate Use

Unacknowledged Distribution

13


Broken Access Control

Insecure Inter-Component Communication

Unprotected System Sockets

Custom Scheme Channel

14


Sensitive Data Exposure

Insecure Storage

Exposed Identifiers

15


Lax Input Validation

Unverified JavaScript Code

Dynamic Code Loading

SQL Injection

16


How prevalent are security smells in apps?

17


Scope of the Study

Random apps from AndroZoo

Corpora size:

46,000 apps

440 GB

Lightweight analysis

10 out of 28 smells analysed

18


Subjects of the Study

19

Apktool

Web parser


Prevalence of Smells

20

# of different smells apps suffer



20




20



Distribution of Each Smell

21

# o

f ap

ps

affe

cted

1%

10% 11% 12%

33%36%

41%44%

61%

85%



21

# o

f ap

ps

affe

cted

1%

10% 11% 12%

33%36%

41%44%

61%

85%



21

# o

f ap

ps

affe

cted

1%

10% 11% 12%

33%36%

41%44%

61%

85%



21

# o

f ap

ps

affe

cted

1%

10% 11% 12%

33%36%

41%44%

61%

85%


Distribution of Each Smell in API Levels

22

API level

% o

f se

curi

ty s

mel

ls



22

API level

% o

f se

curi

ty s

mel

ls



22

API level

% o

f se

curi

ty s

mel

ls



22

API level

% o

f se

curi

ty s

mel

ls


The Impact of Number of Downloads

23

popularity

# o

f se

curi

ty s

mel

ls


The Impact of User Ratings

24

user ratings

# o

f se

curi

ty s

mel

ls


To which extent identifying security smells facilitates detecting vulnerabilities?

25


Study Design

26

?


Result

27

level

of

agre

emen

t


Where Vulnerability Reports Failed?

Header Attachment

Data sensitivity of headers

Improper Certificate Validation

Customised TrustManagers with pinning support

Insecure Network Protocol

Local web resources in middleware

Exposed Clipboard

Data sensitivity of content

28


Summary

29


Our Contribution

Increase in security awareness

Evaluation of security smell distribution

Lightweight analysis assessment

In future: In-depth exploration

30


Thank youfor your attention!

31

Documents

Security in Android Applications - Portalscg.unibe.ch/download/softwarecomposition/2017-08-29... · 2017-10-03 · Security in Android Applications Insufficient Attack Protection