ON THE SECURITY OF ANDROID COMMUNICATION APPS September 2015 By Shasi Pokharel Bachelor Of Information Technology (Honours) Supervisors: Dr. Raymond Choo, Dr. Jixue Liu
Jan 17, 2016
ON THE SECURITY OF ANDROID COMMUNICATION APPS
September 2015
ByShasi Pokharel
Bachelor Of Information Technology (Honours)
Supervisors: Dr. Raymond Choo,
Dr. Jixue Liu
Why Android:
Share of Total Smartphone Market: 82.8% iOS: 13.9% (up to Quarter 2, 2015; Source: idc.com)
Number of Apps in Google Play: 1.6 million App Store: 1.5 million (up to July, 2015; Source: statista.com)
Share of Mobile attack Target: 99% - as January, 2014; Source: Kaspersky Lab
Focus:
Study popular Android communication apps
An adversary model
Case study apps
Communication Apps:VoIP Apps: Growing popularity Free app to app call, Cheaper app to
phone call Voice Call, Video Call, Conference Call,
Text messages Cross-Platform
Mobile Browsers Application to browse web pages in
Mobile
VoIP Communication
Encoding/Decoding : Analog Voice > Digital data > Analog Voice
Characteristics of Codecs Bit rate (Kbps) Sample Size (Byte) Sample Interval (ms) Packet Per second (PPS)
Constant Bit Rate (CBR) or Variable Bit Rate(VBR)
Proprietary Codecs
Parts of VoIP Communication
Signalling Control Session (SIP) Session establishment Codec negotiation
RTP session Voice data transfer
Identify Codec from intercepted packets
If Signalling Control Session is not encrypted.
VoIP communication security
EncryptionSignalling Control Session EncryptionRTP packets Encryption
Proprietary Codec
Identify Codec from intercepted packets
If Signalling Control Session is encrypted:
Calculate bit rate for each seconds from RTP payloadIf (bitrate is constant)
Constant Bit rate(CBR) codec is used Select matching or closest bitrate codecs
If (bitrate is dynamic) Variable Bit rate (VBR) codec is used Select “opus” decoder tool for decoding
Formula 1: Calculate Bit rate from RTP payload
Input S = Sequence of RTP Packets
Output b = Bit rate of RTP Packets
Do:
Let S1 be the packets per second in S.
If the header of s[0] contains PT, then
Else:
Identify Codec from intercepted packets
Analyze intercepted
traffic in Wireshark
SIP has readable SDP section?
If PT value is readable
Calculate bit rate using Formula 1
Bit rate = 0?
Identify list of possible codecs
Encrypted media (cannot be decoded)
Encrypted media (cannot be decoded)
Get Codec from SDP.rtpmap
filtered by RTP.PT
Bit rate constant?
Check PT value in RTP header
Check Bit rate for multiple seconds
Return Codec(s)
NoYes
YesNo
Yes
No
Yes
Try(codec = “opus”)
No
Decoder Tools
For CBR codec: RTP to wave decoders are freely available:
G.711, G.722, GSM : decoded by CloudShark G.729, ILBC : decoder tool available for download
For VBR: we created a java applications Takes each RTP packet from captured file Decodes using official native libraries Add header for linear wave sound Save as wave file
Result
Part 2: Mobile BrowserLightweight Browsers: Faster for web page loading Growing popularity Limited Plugins
Selected Browsers for Experiment
Browser Cache
Saves web resources when downloaded for the first time
Are loaded to the browser, when user access the same site
Contain: HTML file, CSS, JavaScript and media files
Android File System for applications
• Internal Storage: MODE_PRIVATE; accessible only by creator application, by default
• External Storage: Accessible to all applications
Cache Storage of the browsers
Dolphin: Cache resources: /sdcard/TunnyBrowser/Cache/webViewCache Screenshots of tabs: /sdcard/TunnyBrowser/Cache/tablist_cache Speed dial URLs: /sdcard/TunnyBrowser/Cache/speeddial_covers
UC Browser: Cache resources: sdcard/UCDownloads/cache/com.UCMobile.inti/ Data Traffic detail: /sdcard/UCDownloads/config/TrafficStats.db Detailed browsing data:
/sdcard/UCDownloads/offline/ApplicationCache.db
Cache Storage of the browsers
Samsung Stock Browser: Cache resources: /data/data/com.sec.android.app.sbrowser/cache/Cache/ Screenshots :
/data/data/com.sec.android.app.sbrowser/files/thumbnail.bmp1 (Permission: Mode 644)
CM Browser: Cache Resources:
/data/data/com.ksmobile.cb/app_webview/Cache Browser History: /sdcard/CheetahBrowser/.data/
Why use External storage ?
• Larger Cache storage Capability
• Avoid risk of file deletion by System
Proposed adversary model
Adversary Capability: Install application in user’s device
Goals: Know URLs visited by user Know searched items : searched by user Know the content of the webpage, visited by user
Application
User Permission required: WRITE_EXTERNAL_STORAGE ACCESS_NETWORK_STATE
Permission granted by Android, without users approval READ_EXTERNAL_STORAGE INTERNET
Targeted activities of application
• Know, when user started using browser
• Copy cache files to the Internal storage
• Upload files to the server
• Change content (Poison) in cache
Work Flow of the application
Is WiFi Connected ?
UploadFile()
Yes
CopyFileToPrivateDir()NoCheck If Vulnerable Browser is Installed Yes StartCacheMonitor()
Input:OnFileAccessedEventInput:OnFileAccessedEvent Input:OnWiFiConnectedEventInput:OnWiFiConnectedEvent
Result
Video: Getting Browsed content From Samsung Stock browser.
Conclusion
Many Android users private information is at risk
Adversary can: Listen What the user is talking See what the user is Browsing
Thank You