GROUP SOFTWARE ENGINEERING Large-scale value extraction in mobile applications Eric Bodden Siegfried Rasthofer Steven Arzt Robert Hahn Max Kolhagen
A talk in two chapters…
Chapter 1: New technology: Harvester [NDSS’16]
Chapter 2: Mass analysis with disturbing findings (which Harvester enables…)
Chapter 1: Harvester
Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques. Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden. NDSS 2016
This we would still hope for… (FakePlayer, 2010)

    @Override
    protected void onCreate(Bundle paramBundle) {
        SmsManager manager = SmsManager.getDefault();
        manager.sendTextMessage("3353", null, "798657", null, null);
    }
But this is what we get…

    public static void gdadbjrj(String paramString1, String paramString2) throws Exception {
        // Get class instance
        Class clz = Class.forName(gdadbjrj.gdadbjrj("VRIf3+In9a.aTA3RYnD1BcVRV]af"));
        Object localObject = clz.getMethod(gdadbjrj.gdadbjrj("]a9maFVM.9")).invoke(null);
        // Get method name
        String s = gdadbjrj.gdadbjrj("BaRIta*9caBBV]a");
        // Build parameter list
        Class c = Class.forName(gdadbjrj.gdadbjrj("VRIf3+InVTTnSaRI+R]KR9aR9"));
        Class[] arr = new Class[] { nglpsq.cbhgc, nglpsq.cbhgc, nglpsq.cbhgc, c, c };
        // Get method and invoke it
        clz.getMethod(s, arr).invoke(localObject, paramString1, null, paramString2, null, null);
    }

This reflective call is the obfuscated form of SmsManager.sendTextMessage(...) from the previous slide.
Contributions
C1: Fully-Automatic Extraction of Runtime Data
C2: Fully-Automatic Resolving of Reflective
C3: Improving the Coverage of Existing off-the-shelf Static and Dynamic Analysis Tools
Harvester: from logging points to concrete runtime values

Logging points given to Harvester:
    sendTextMessage(num, text)
    Class.forName(className)

Values Harvester extracts:
    sendTextMessage("004242", "loc_Other")
    sendTextMessage("008888", "loc_US")
    Class.forName("SmsManager")
Example:

    if(Build.FINGERPRINT.startsWith("generic"))
        ...
    msg=AES.decrypt("1234","fri$ds\&S")
    nr="00"
    if(simCountryIso().equals("US"))
        nr+="8888"
    else
        nr+="4242"
    sendTextMessage(nr,msg)

Static Analysis? Dynamic Analysis?
Static Analysis + Dynamic Analysis
Slides 10-16 animate the same example. The two conditions that depend on the execution environment are marked ("Environment"); the emulator check is removed and the SIM-country check is replaced by the executor flag EXECUTOR_1.

    if(Build.FINGERPRINT.startsWith("generic"))   <- Environment (removed)
        ...
    msg=AES.decrypt("1234","fri$ds\&S")
    nr="00"
    if(simCountryIso().equals("US"))              <- Environment: becomes if(EXECUTOR_1)
        nr+="8888"
    else
        nr+="4242"
    sendTextMessage(nr,msg)
Result of the transformation (slide 17): the slice is wrapped in a method whose executor flag is driven by a generated main that tries every value, and a logging statement is inserted at the logging point.

    main(){ Callee1(false); Callee1(true); }

    Callee1(boolean EXECUTOR_1){
        msg=AES.decrypt("1234","fri$ds\&S")
        nr="00"
        if(EXECUTOR_1)
            nr+="8888"
        else
            nr+="4242"
        Log(nr,msg)
        sendTextMessage(nr,msg)
    }
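A Python model of the executor-flag enumeration shown on this slide, added here as an illustration (it is not Harvester's own code, which works on Dalvik bytecode): the slice becomes a function of its executor flags, and a generated driver runs every assignment and collects what reaches the logging point. The emulator check is kept as a second flag to show that an assignment can yield no value at all, and the AES.decrypt call is replaced by a constructed stub.

```python
import itertools
from typing import Callable, Dict, List, Tuple

Logged = Tuple[str, str]

def aes_decrypt_stub(key: str, ciphertext: str) -> str:
    """Constructed stand-in for AES.decrypt("1234", "fri$ds\\&S"): any computation
    whose result is invisible to static analysis will do for the harness."""
    return "constructed-plaintext"

def callee1(EXECUTOR_1: bool, EXECUTOR_2: bool, log: Callable[[str, str], None]) -> None:
    """The slide's slice with every environment condition replaced by a flag:
    EXECUTOR_1 stands for Build.FINGERPRINT.startsWith("generic") (emulator check),
    EXECUTOR_2 stands for simCountryIso().equals("US")."""
    if EXECUTOR_1:
        return                      # anti-analysis path: the logging point is never reached
    msg = aes_decrypt_stub("1234", "fri$ds\\&S")
    nr = "00"
    if EXECUTOR_2:
        nr += "8888"
    else:
        nr += "4242"
    log(nr, msg)                    # logging point inserted in front of sendTextMessage(nr, msg)

def harvest(slice_fn: Callable[..., None], n_flags: int) -> Dict[Tuple[bool, ...], List[Logged]]:
    """Generated main(): run the slice once per assignment of the n executor
    flags and record what each run passed to the logging point."""
    results: Dict[Tuple[bool, ...], List[Logged]] = {}
    for assignment in itertools.product((False, True), repeat=n_flags):
        seen: List[Logged] = []
        slice_fn(*assignment, log=lambda nr, msg: seen.append((nr, msg)))
        results[assignment] = seen
    return results

def harvested_values(slice_fn: Callable[..., None], n_flags: int) -> List[Logged]:
    """Distinct runtime values, deduplicated across all flag assignments."""
    return sorted({v for runs in harvest(slice_fn, n_flags).values() for v in runs})

if __name__ == "__main__":
    for flags, values in harvest(callee1, 2).items():
        print(dict(zip(("EXECUTOR_1", "EXECUTOR_2"), flags)), values)
    print(harvested_values(callee1, 2))
```

Keying the results by flag assignment is what lets the output say which environment (US SIM or not) produced which premium number.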
Harvester enables de-obfuscation

Before (reflective call with an encrypted class name):
    Class c = Class.forName(gdadbjrj.gdadbjrj("VRIf3+InVTTnSaRI+R]KR9aR9"));
    ...

After (runtime value harvested, reflective call replaced by a direct call):
    Class c = Class.forName("SmsManager");
    ...
    SmsManager.sendTextMessage(a, b, c, d, e);
Evaluation: 16,799 malware samples

Efficiency: < 3 minutes
Recall: 87%
Precision: 100%
Manual verification: we manually looked into 12 samples
Interesting findings:
• Premium-rate numbers
• C&C messages
• URLs (URIs)
• Encryption key for WhatsApp data
• … and more

Our approach works well in practice, since nobody designs malware whose extracted values are computed from an environment variable.
Chapter 2: Let there be light!

IaaS, PaaS, SaaS, ?? → BaaS

Secure?
Backend-as-a-Service

APP ↔ BaaS SDK ↔ Cloud

Typical features: User Administration, DB connection

DB connection through the BaaS SDK:
    AmazonS3Client s3Client = new AmazonS3Client(
        new BasicAWSCredentials("ACCESS_KEY_ID", "SECRET_KEY") );

"When you access AWS programmatically, you use an access key to verify your identity and the identity of your applications. An access key consists of an access key ID and a secret access key. Anyone who has your access key has the same level of access to your AWS resources that you do." Source: http://docs.aws.amazon.com/

"…The AWS SDKs use your access keys to sign requests for you so that you don't have to handle the signing process…" Source: http://docs.aws.amazon.com/

"…Secret access keys are, as the name implies, secrets, like your password…" Jim Scharf, Director, AWS Identity and Access Management

In other words: "ACCESS_KEY_ID" (username), "SECRET_KEY" (password)
IT-Security 101

Peter → Server:
"Hi, I am Peter"                    Identification
"My password is Secret123"          Authentication
"I am allowed to access foo.txt"    Authorization
App-Authentication Model

App → Server:
"Hi, I am app <Application ID>"     Identification
"My <Secret Key> is in the app" ??? Authentication

=?? Is a secret key shipped inside the app really the equivalent of a password?

Server's view: Peter? Howard? Eve? Every installation of the app presents the same Application ID and Secret Key, so the server only sees "the app", not which user (or attacker) is behind it.
How are developers coping?

Q: [...] "The App-Secret key should be kept private - but when releasing the app they can be reversed by some guys. I want to know what is the best thing to encrypt, obfuscate or whatever to make this secure." [...] (Source: stackoverflow.com)

R: "Few ideas, in my opinion only first one gives some guarantee: 1. Keep your secrets on some server on internet, and when needed just grab them and use. 2. Put your secrets in jni code 3. use obfuscator 4. Put your secret key as last pixels of one of your image in assets" (Source: stackoverflow.com)

NO!!!!
Security Analysis

Manual Pre-Analysis (here: Parse)

    public void onCreate() {
        java.lang.String $S1, $S2;
        $S1 = "34lI1wgISkIUpTunWRAzXei20H3NAL7W6buKTe7e";
        $S2 = "pB7OlNi0jsEp3fpJfq9wvHBoOWgaOQCSW98BF7e3";
        staticinvoke <Parse: void initialize(Context, String, String)>(this, $S1, $S2);
    }

+ "Users" Table
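A check a development team can run over its own decompiled build before release, added here as an illustration (it is not the authors' analysis tooling): it looks for the two credential-embedding patterns on these slides, a Parse.initialize call whose application ID and client key are string constants (resolved through Jimple-style local assignments, as in the listing above) and a BasicAWSCredentials built from literals, and checks the AWS access key ID shape. The sample input is constructed; the Parse strings are made up and the AWS pair is the example pair from the AWS documentation.

```python
import re
from typing import Dict, List

# Constructed sample of decompiled code (Jimple for the Parse call, Java for the rest).
SAMPLE_DECOMPILED = r'''
$S1 = "a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0";
$S2 = "z9y8x7w6v5u4t3s2r1q0p9o8n7m6l5k4j3i2h1g0";
staticinvoke <Parse: void initialize(Context, String, String)>(this, $S1, $S2);
AmazonS3Client s3Client = new AmazonS3Client(new BasicAWSCredentials("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"));
String token = fetchShortLivedTokenFromOwnBackend();  // no literal here: nothing to report
'''

ARG = r'("[^"]*"|\$?\w+)'                         # a string literal or a (Jimple) local
ASSIGN = re.compile(r'(\$?\w+)\s*=\s*"([^"]*)"\s*;')
PARSE_INIT = re.compile(r'<Parse:\s*void initialize\(Context, String, String\)>\(\s*\w+\s*,\s*'
                        + ARG + r'\s*,\s*' + ARG + r'\s*\)')
AWS_CREDS = re.compile(r'new BasicAWSCredentials\(\s*' + ARG + r'\s*,\s*' + ARG + r'\s*\)')
AWS_KEY_ID = re.compile(r'(?:AKIA|ASIA)[0-9A-Z]{16}')  # shape of an AWS access key ID

def find_embedded_credentials(decompiled: str) -> List[Dict[str, object]]:
    """Report BaaS credentials that ship as constants in the app code."""
    consts: Dict[str, str] = {}                   # local name -> string constant assigned to it

    def resolve(arg: str) -> str:
        return arg[1:-1] if arg.startswith('"') else consts.get(arg, arg)

    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(decompiled.splitlines(), 1):
        for name, value in ASSIGN.findall(line):  # simple constant propagation
            consts[name] = value
        if m := PARSE_INIT.search(line):
            app_id, client_key = map(resolve, m.groups())
            findings.append({"line": lineno, "kind": "parse-initialize",
                             "app_id": app_id, "client_key": client_key})
        if m := AWS_CREDS.search(line):
            key_id, secret = map(resolve, m.groups())
            findings.append({"line": lineno, "kind": "aws-credentials",
                             "access_key_id": key_id, "secret": secret,
                             "key_id_well_formed": AWS_KEY_ID.fullmatch(key_id) is not None})
    return findings

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_DECOMPILED):
        print(finding)
```

A hit means the backend is reachable with credentials every copy of the app carries, which is the situation the mass analysis in the next slides exploits.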
Manual Pre-Analysis (here: Parse)
• Commercially available
• Ask for a free trial license
• More information on features and inner workings is in the proceedings
Results of Pre-analysis
• Were able to access all records
• Only few developers actually used obfuscation

Let’s get our fingers dirty! Time for mass analysis!

Mass analysis
Example exploit data set

Values extracted from the app → BaaS API:
"34lI1wgISkIUpTunWRAzXei20H3NAL7W6buKTe7e"
"pB7OlNi0jsEp3fpJfq9wvHBoOWgaOQCSW98BF7e3"
"CreditCardDataTable"
"ContactDataTable"
...
Disturbing findings…

Parse-enabled Goodware
• In-app purchase info
• Location data
• Facebook infos: “Friends”, blocked “Friends”
• Contact data
• Verified email addresses
• Birthdays
• Phone numbers
• Photos
• Car-accident reports
Parse-enabled Malware!!
We know what you did this summer: Android Banking Trojan exposing its sins in the cloud. Siegfried Rasthofer, Eric Bodden, Carlos Castillo, Alex Hinchliffe. VirusBulletin 2015, AVAR 2015
• Intercepted SMS messages
• C&C tasks
• C&C commands
• Stolen data
Responsible-Disclosure Process: Parse (Facebook)

Initial finding: full access to 100 tables, partial access to 32 tables (~56 million data records)

28th April 2015: Contacted Facebook with a few samples
5th May 2015: Facebook verified it and asked for more data
18th May 2015: We provided all information
20th May 2015: Facebook forwarded everything to Parse (we assume they contacted the developers)
12th Nov 2015: Full access to 99 tables, partial access to 33 tables
Results Amazon
• Server backups
• Baby-growth data
• More photos
• Private messages
• Lottery data
• Website contents !!!

Stay tuned for more…

Prof. Dr. Eric Bodden
Chair for Software Engineering
Heinz Nixdorf Institut
Zukunftsmeile 1, 33102 Paderborn
Phone: +49 5251 60-3313
[email protected]
https://www.hni.uni-paderborn.de/swt/
https://blogs.uni-paderborn.de/sse/