Security in Android Applications - 2017-10-03¢  Security in Android Applications Insufficient Attack

  • View
    0

  • Download
    0

Embed Size (px)

Text of Security in Android Applications - 2017-10-03¢  Security in Android Applications...

  • Security in Android Applications Master Thesis

    Pascal Gadient

    Software Composition Group University of Bern Switzerland

  • Security in Android Applications

     Introduction

     What are security code smells?

     How prevalent are they?

     Why identifying security smells is helpful?

     Conclusion

    Agenda

    02

  • Security in Android Applications

    Software is Everywhere

    https://www.youtube.com/watch?v=SB_0vRnkeOk

    03

  • Security in Android Applications

    We Love Apps

    04

  • Security in Android Applications

    Mobile Device Addiction

    05

  • Security in Android Applications

    Mobile Security is Vital

    06

  • Security in Android Applications

    Software Insecurity Thrives

    07

  • Security in Android Applications

    Security Code Smell

    Definition:

    Symptoms in the code that indicate

    the prospect of security and privacy vulnerabilities

    08

  • Security in Android Applications

    Research Goals

     RQ1: What are the security code smells in Android apps?

     RQ2: How prevalent are security smells in benign apps?

     RQ3: To which extent identifying such smells facilitates detecting security vulnerabilities?

    09

  • Security in Android Applications

    Literature Review

    Inspection

    of citations and cited papers

    Agreement

    by discussion

    Collection

    of worklisted papers

    Reading

    of abstracts and introductions

    Keyword Search

    10

  • Security in Android Applications

    What are the security code smells in Android apps?

    11

  • Security in Android Applications

    Insufficient Attack Protection

     Unreliable Information Sources

     Untrustworthy / Outdated Libraries

     Native Code

     Open to Piggybacking

     Unnecessary Permissions

    12

  • Security in Android Applications

    Security Invalidation

     Weak Crypto Algorithm or Configuration

     Improper Certificate Use

     Unacknowledged Distribution

    13

  • Security in Android Applications

    Broken Access Control

     Insecure Inter-Component Communication

     Unprotected System Sockets

     Custom Scheme Channel

    14

  • Security in Android Applications

    Sensitive Data Exposure

     Insecure Storage

     Exposed Identifiers

    15

  • Security in Android Applications

    Lax Input Validation

     Unverified JavaScript Code

     Dynamic Code Loading

     SQL Injection

    16

  • Security in Android Applications

    How prevalent are security smells in apps?

    17

  • Security in Android Applications

    Scope of the Study

     Random apps from AndroZoo

     Corpora size:

    46,000 apps

    440 GB

     Lightweight analysis

     10 out of 28 smells analysed

    18

  • Security in Android Applications

    Subjects of the Study

    19

    Apktool

    Web parser

  • Security in Android Applications

    Prevalence of Smells

    20

    # of different smells apps suffer

  • Security in Android Applications

    Prevalence of Smells

    20

    # of different smells apps suffer

  • Security in Android Applications

    Prevalence of Smells

    20

    # of different smells apps suffer

  • Security in Android Applications

    Distribution of Each Smell

    21

    # o

    f ap

    p s

    af fe

    ct ed

    1%

    10% 11% 12%

    33% 36%

    41% 44%

    61%

    85%

  • Security in Android Applications

    Distribution of Each Smell

    21

    # o

    f ap

    p s

    af fe

    ct ed

    1%

    10% 11% 12%

    33% 36%

    41% 44%

    61%

    85%

  • Security in Android Applications

    Distribution of Each Smell

    21

    # o

    f ap

    p s

    af fe

    ct ed

    1%

    10% 11% 12%

    33% 36%

    41% 44%

    61%

    85%

  • Security in Android Applications

    Distribution of Each Smell

    21

    # o

    f ap

    p s

    af fe

    ct ed

    1%

    10% 11% 12%

    33% 36%

    41% 44%

    61%

    85%

  • Security in Android Applications

    Distribution of Each Smell in API Levels

    22

    API level

    % o

    f se

    cu ri

    ty s

    m el

    ls

  • Security in Android Applications

    Distribution of Each Smell in API Levels

    22

    API level

    % o

    f se

    cu ri

    ty s

    m el

    ls

  • Security in Android Applications

    Distribution of Each Smell in API Levels

    22

    API level

    % o

    f se

    cu ri

    ty s

    m el

    ls

  • Security in Android Applications

    Distribution of Each Smell in API Levels

    22

    API level

    % o

    f se

    cu ri

    ty s

    m el

    ls

  • Security in Android Applications

    The Impact of Number of Downloads

    23

    popularity

    # o

    f se

    cu ri

    ty s

    m el

    ls

  • Security in Android Applications

    The Impact of User Ratings

    24

    user ratings

    # o

    f se

    cu ri

    ty s

    m el

    ls

  • Security in Android Applications

    To which extent identifying security smells facilitates detecting vulnerabilities?

    25

  • Security in Android Applications

    Study Design

    26

    ?

  • Security in Android Applications

    Result

    27

    le v el

    o f

    ag re

    em en

    t

  • Security in Android Applications

    Where Vulnerability Reports Failed?

     Header Attachment

    Data sensitivity of headers

     Improper Certificate Validation

    Customised TrustManagers with pinning support

     Insecure Network Protocol

    Local web resources in middleware

     Exposed Clipboard

    Data sensitivity of content

    28

  • Security in Android Applications

    Summary

    29

  • Security in Android Applications

    Our Contribution

     Increase in security awareness

     Evaluation of security smell distribution

     Lightweight analysis assessment

     In future: In-depth exploration

    30

  • Security in Android Applications

    Thank you for your attention!

    31