Going Na)ve: Using a Large-Scale Analysis of Android Apps to Create a Prac)cal Na)ve-Code Sandboxing Policy Vitor Afonso, Antonio Bianchi, Yanick Fratantonio, Adam Doupe, Mario Polino, Paulo de Geus , Christopher Kruegel, and Giovanni Vigna Sudeep Nanjappa Jayakumar
30
Embed
Going Nave: Using a Large-Scale Analysis of Android Apps ... · Android Security Mechanisms: ... • Malicious apps can use nave code to hide malicious ac)ons from stac analysis of
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
• Sandbox isasecuritymechanismforsepara)ngrunningprograms. It isocenusedto execute untested or untrusted programs or code, possibly from unverified oruntrusted third par)es, suppliers, users or websites, without risking harm to thehostmachineoropera)ngsystem.
• A sandbox is implemented by execu)ng the socware in a restricted opera)ngsystemenvironment, thus controlling the resources (for example, file descriptors,memory,filesystemspace,etc.)thataprocessmayuse.
SandboxSecurityRelevance• Least-Privilege: The na)ve code of the app should have access only to what is
• Compartmentaliza5on:Thena)ve codeof the app should communicatewith theJavapartonlyusingspecific,limitedchannels,sothatthena)vecomponentcannotmodify, interactwith,orotherwisealtertheJavarun)meandcodeinunexpectedways.
2. Thecollecteddataisanalyzedandac)onableinsightsareprovidedintohowthebenign apps use the na)ve code . Here the raw data ismade available for thecommunity.
3. Finally the results are shown that elimina)ng permissions of na)ve code is notidealasthepolicywouldbreaktheappsinthedataset.
BackgroundTounderstandtheanalysis,itisnecessarytoreviewtheandroidsecuritymechanismson how na)ve code is used in android systems, what damage it can cause andpreviouslyproposedsandboxingmechanisms.• AndroidSecurityMechanisms• Na)veCode• MaliciousCode• Na)veCodeSandboxingmechanisms
Evalua)on&Insights• Analysis is limited to 2minutes to keep it feasible andGoogleMonkey to s)mulate the appwith
random events, andwe then automa)cally generated a series of targeted events to s)mulate allac)vi)es,services,andbroadcastreceiversdefinedintheapplica)on.
• During dynamic analysis, 33.6% (149,949) of the apps iden)fied by sta)c analysis as poten)allyhavingna)vecodeactuallyexecutedthena)vecode.
• The ac)ons were split into those performed by sharedlibraries(includingthoseperformedduringlibraryloading,na)vemethods, and na)ve ac)vi)es) and those that arethe result of invoking custom, executable, and binariesthroughExecmethods.
Thistablepresentswhatgroupsofmethodsfromthe framework were called, along with theamount of apps that called methods in eachgroup.
BinderTransac)ons
• 1.64%(2,457)oftheappsthatreachedna)vecode during dynamic analysis performedBindertransac)ons.
• Themost common class remotely invoked bythisprocess is IServiceManager,whichcanbeusedtolistservices,addaservice,andgetanobjecttoaBinderinterface.
• AllappsthatusedthisclassobtainedanobjecttoaBinderinterfaceandtwoappsalsouseditto list services. This data shows that usingBinder transac)ons from na)ve code is notcommon.
Iden)fied7appsthatmodifytheJavasec)onoftheappfromna)vecode.Alltheseappsperformthisac)onfromthelibrarylibAPKProtect.so. Itharderforreverseengineeringtoolstodecompiletheapp.3. Forkandino5fy: 57 apps were iden)fied that create a child process in na)ve code and use ino)fy tomonitortheapps’directory,inordertoiden)fywhentheyareuninstalled
adopted at large-scale, and the performance overhead of isola)ng na)ve code could be higher,usingamore-sophis)catedinstrumenta)ontoolcouldpossiblyimprovetheamountofna)vecodebehavior.Deployingtheautoma)callygeneratedpoliciesinana)vesandboxwithrepor)ngmodewouldhelptoobservethebehaviorsthatthepolicieswouldblock.
2. Another limita)on is that theauthors approach restricts access topermissions fromna)ve code,butits)llallowsthena)vecodetoinvoke(some)Javamethods.Thiswoulddras)callyreducethepossibilityofintroducingmaliciousbehaviors.
of .NET applica)ons, whereas Robusta [33] focuses on the isola)on of na)ve code used by Javaapplica)ons
Conclusion
• Developers are allowed tomix Java code and na)ve code enables developers tofully harness the compu)ng power ofmobile devices but this feature doesmoreharmthandoinggood.
• Na)ve code sandboxing is the e correct approach to properly limit its poten)allymaliciousside-effects.
• This paper demonstrates an approach to automa)cally generate an effec)ve andprac)calna)vecodesandboxingpolicy.