Source: people.rennes.inria.fr/Jean-Francois.Lalande/talks/...

Introduction Labs Evaluation Conclusion

Teaching Android Mobile Security

Jean-François Lalande, Valérie Viet Triem Tong, Pierre Graux, Guillaume Hiet, Wojciech Mazurczyk, Habiba Chaoui, Pascal Berthomé

SIGCSE’19, Minneapolis, February 28th 2019

Android security?

Research:
- Attacks: design, models
- Counter-measures: protect, detect
- Experiment, visualize

Teaching:
- Malware?
- Permissions?
- Develop apps?



Android complexity

Thesis: working on security requires a deep understanding of Android



Bloom’s taxonomy

We used the levels of the cognitive process:

1. Remember (you know about security?)
2. Understand
3. Apply
4. Analyze
5. (Evaluate)
6. (Create) (student project, possibly linked with research)


Designing security labs with Bloom’s taxonomy

Figure: the labs placed on a grid of software components (rows) against the levels of the cognitive process (columns: Remember, Understand, Apply, Analyze, Evaluate, Create).

- Applications: DEV (app development), MAL (malware reverse), PROJ (AOSP classes), BANK (banking app reverse), COV (covert channels), CLASS (vulnerable class loader)
- DVM & ART: PACK (reverse packers), AOSP internals
- Kernel: INST (compile, flash), MEM (memory forensic), KERN (ROP programming)


Outline

1 Introduction

2 Labs

3 Evaluation

4 Conclusion


DEV Lab: Android Development

Classical Android development labs.

- Basic graphical interfaces
- Messaging components
- Concurrency, synchronization, sensors
- Security, Wear OS, Firebase Cloud Messaging

Learning outcomes: architecture of an app, REST communications


INST Lab - Compiling, Modifying, Flashing

Using real devices for:
- Developing, testing
- Flashing, customizing ROMs

We use these smartphones: Nexus 5, Nexus 5X, Sony Xperia X (premium series).

Kernel debugging on a Nexus 5X.

Learning outcomes: customize Android, compile and install.


MAL Lab - Malware Reverse Engineering

Reverse engineering activities (2 examples from 6):

- Ransomware: programming an antidote (bytecode editing)
- Spyware: capturing and sniffing HTTP requests for a dead remote server

Tools:
- Reverse: Bytecode Viewer, Jadx
- Soot: parsing Java bytecode
- Network tunneling: Ngrok

Learning outcomes: security analysts adapt their methodology to the nature of the threat.


BANK Lab - Banking Application Reverse

- Reverse engineering banking apps
- Stealing credentials

Tools: Jadx, Burp, Andbug

Learning outcomes:
- Comprehend the countermeasures of regular apps.
- Try to bypass countermeasures.


COV Lab - Developing Covert Channels

- Exfiltrate data using a covert channel
- Exploit operating system flaws
- Discuss countermeasures

Tools: Android Studio

Learning outcomes:
- Comprehend covert channels.
- Bypass security policies.


MEM Lab - Memory Dump Forensic

- Forensic analysis of a memory dump
- Recover credentials

Tools: Volatility

Learning outcomes:
- Comprehend the leaks induced by memory management.
- Simple forensics of memory dumps.


CLASS Lab - Vulnerable Class Loader

Attack study: a vulnerable class loader

Tools: Android Studio, Jadx

Learning outcomes:
- Conduct an investigation.
- Find vulnerabilities.


PACK Lab - Packers

- Reversing: why are the method bodies empty?
- Obfuscated code
- Native code packer unpacking bytecode at runtime

Tools: IDA Pro, radare2

Learning outcomes:
- Analyze a packer.
- Combine static and dynamic analysis.


KERN Lab - Kernel ROP Attacks

We provide a vulnerable kernel driver.

Exploiting this vulnerability:
- Use ROP to put a payload in memory
- Overcome the R and X memory exclusion

⇒ One of the most technically difficult labs!

Learning outcomes:
- Learn the security internals of Android.
- Design attacks against the system.


Online material

Goal: reuse these labs for your own needs!

gitlab.inria.fr/jlalande/teaching-android-mobile-security/

Full text of 4 labs (2 more to come!)


Evaluation survey

- 87 answers out of 200 students
- 88% followed the labs a few months before
- 6 labs evaluated

Participating institutions:
- France: CentraleSupélec, INSA CVL
- Poland: Warsaw University of Technology
- Morocco: Ibn Tofail University


Global quality of the labs

Students are happy with our labs :)


Survey statement: "Labs provided me a fine understanding of Android security"

Students do not overestimate their security skills...


Labs evaluation

Each lab was separately evaluated with this ranking [Campbell et al., SIGCSE’15]:

1. Unknown (no trace in my memory);
2. Discovering (I recall some of the content);
3. Intermediate (I understood most of the content);
4. Good knowledge (I am able to do the lab again, without a supervisor and with the help of documents);
5. Advanced (I can reuse my knowledge in another use case).

Goal: evaluate a knowledge increment δ and a raw skill level m for each lab.


Labs evaluation results

- Increment δ: +1.85, shifting from "Discovering" to "Good knowledge"
- Raw self-evaluation m of skills: 3.31 (= "Intermediate")

Figure: per-lab results for INST, MAL, MEM, COV, CLASS and DEV plotted on the 1 to 5 scale (1. Unknown, 2. Discovering, 3. Intermediate, 4. Good knowledge, 5. Advanced).


Conclusion

- A full set of labs for mobile security
- From application level to kernel attacks
- With Bloom’s taxonomy in mind
- Material available online

Perspectives:
- Play all the labs for the same students
- Submit to Clark.center?

© Inria / C. Morel

Questions?

Jean-François Lalande, jean-francois.lalande@irisa.fr
