CodeInspect says “Hello World”: A new Binary Analysis Tool for Android and Java Bytecode

We are very happy to announce a new tool in our toolchain: CodeInspect – A Jimple-based Reverse-Engineering framework for Android and Java applications.

Developing an Android application in an IDE is very convenient since features like code completion, Open Declaration, renaming variables, searching files etc. help the developer a lot. Especially code-debugging is a very important feature in IDEs. Usually, all those features are available for the source code and not for the bytecode, since they support the developer not a reverse-engineer. Well, but all those features would be be also very helpful for reverse-engineering Android or Java applications. This is the reason why we came up with a new reverse-engineering framework that works on the intermediate representation Jimple and supports all the features above and a lot more. In the following we give a detailed description about CodeInspect and its features. Continue reading

Denial-of-App Attack on Android will be presented at SPSM 2014

On 7th November, we are presenting our “Denial-of-App Attack” at the SPSM 2014 workshop in Scottsdale, Arizona (USA). 

Continue reading

Android Security Acknowledgements

Stephan, Steven and Me have been added to the list of Android Security Acknowledgements:

Thanks Android Security Team!

DroidForce accepted at ARES’14

We are proud that our paper “DROIDFORCE: Enforcing Complex, Data-Centric, System-Wide Policies in Android” has been accepted at this year’s ARES conference. It was a collaborative paper together with Enrico Lovat (TU Munich) from the group of Prof. Dr. Alexander Pretschner. The abstract of the paper:

Smartphones are nowadays used to store and process many kinds of privacy-sensitive data such as contacts, photos, and e-mails. Sensors provide access to the phone’s physical location, and can record audio and video. While this is convenient for many applications, it also makes smartphones a worthwhile target for attackers providing malicious applications. Current approaches to runtime enforcement try to mitigate unauthorized leaks of confidential data. However, they are often capable of enforcing only a very limited set of policies, like preventing data leaks only within single components or monitoring access only to specific sensitive system resources.

In this work, we present DROIDFORCE, an approach for enforcing complex, data-centric, system-wide policies on Android applications. DROIDFORCE allows users to specify fine-grained constraints on how and when which data may be processed on their phones, regardless of whether the malicious behavior is distributed over different colluding components or even applications. Policies can be dynamically exchanged at runtime and no modifications to the operating system nor root access to the phone are required.

DROIDFORCE works purely on the application level. It provides a centralized policy decision point as a dedicated Android application and it instruments a decentralized policy enforcement point into every target application. Analyzing and instrumenting an application takes in total less than a minute and secured applications exhibit no noticeable slowdown in practice. 

The complete paper can be downloaded from here (note: it is only a preprint, the final version will be published at ARES in September).

Easily Extracting (“encrypted”) Messages from Threema, TextSecure, Chadder, WhatsApp, Hangouts and Co.

Max Kolhagen (bachelor student) and Siegfried Rasthofer demonstrate how a malicious application with no permission can be used to read incoming messages from WhatsApps, Hangouts, etc. and even “encrypted” messages sent through Threema, TextSecure or Chadder with ease.

Continue reading

IccTA vs. DidFail: Inter-Component, Inter-Application Data Flow Analysis in Android Applications

We are happy to announce IccTA, a new tool for tracking data flows between Android components and even between Android applications. IccTA is a joined work together with Li Li, Alexandre Bartel, Jacques Klein, Yves Le Traon from the University of Luxembourg, Damien Octeau and Patrick McDaniel from the Pennsylvania State University, Steven Arzt, Siegfried Rasthofer and Eric Bodden from EC SPRIDE. IccTA is a tool performing static taint analysis for one or multiple Android applications. It leverages Epicc to connect Android components and FlowDroid to model the life-cycles of components and perform the taint analysis.

The taint analysis is performed intra- and inter-components, which improves the precision of the analysis. IccTA outperforms all other available tools (FlowDroid and AppScan) by reaching a precision of 95.0% and a recall of 82.6% on DroidBench.
When analyzing multiple applications, IccTA first merges them into one then performs the analysis.

Almost exactly the same moment, there came up an additional tool call DidFail from the Carnegie Mellon University, which is a similar approach to IccTA.
IccTA and DidFail both rely on Epicc and FlowDroid to find data leaks between components of Android applications. They can both detect intra- and inter-component leaks within a single application or between multiple applications. Even though they leverage the same tools to compute links between components and perform data-flow analysis, the implementations differ in term of precision.

In the following we would like to do a rough comparison of both tools:
Continue reading

NDSS 2014: Paper and Slides are online

The slides as well as the paper about SuSi (NDSS 2014) are online.

Google Confirms Denial-of-“App” Attack – Likely All Android Versions Affected

Together with their colleague Stephan Huber from Fraunhofer SIT, Steven Arzt and Siegfried Rasthofer from the SSE group discovered a security issue present in all current versions of Android. As Google now confirmed, the attack vector allows to forbid the future installation of arbitrary Android apps at the choice of the attacker. For instance, it can be used to forbid the installation of the facebook app for basically the entire lifetime of the mobile device until a factory reset has been performed or the issue is fixed manually which, however, requires root access to the device and some expertise in the Android OS. Update: The attack itself requires no root access.

We tested the attack on Android Version 4.x and 2.3.6. It is likely that this attack affects ALL Android versions, though. We wish to note, though, that this vulnerability was discovered under lab conditions, and that there is currently no indication that the vulnerability is exploited in the wild.

We are currently in contact with the Android security team to fix this problem. A detailed explanation of the attack will be published after a fix is available.

Schutzmaßnahmen gegen datenschutzunfreundliche Smartphone-Apps

(This article is only available in German. It is about the legal aspects of approaches that try to protect the privacy in mobile apps, with respect to German law).

Zusammen mit Prof. Dr. Alexander Roßnagel und Dr. Philipp Richter (beide juristische Fakultät an der Universität Kassel) haben wir einen Artikel in der DuD (Datenschutz und Datensicherheit) veröffentlicht, der technische Möglichkeiten für den Privatsphärenschutz auf mobilen Geräten auf rechtliche Aspekte hin untersucht.


Technische Möglichkeiten und rechtliche Zulässigkeit des Selbstdatenschutzes bei Apps

Privacy Enhancing Technologies, die den Umgang von Smartphone-Apps mit personenbezogenen Daten überwachen und unerwünschte Übermittlungen verhindern, können mit dem Urheberrecht in Konflikt geraden. Der Beitrag untersucht die technischen Möglichkeiten des Selbstdatenschutzes und nimmt eine erste rechtliche Bewertung vor. 

Update: Der Artikel kann hier von unserer Webseite geladen werden.

JavaScript in Android Apps – An Attack Vector

One week ago, Trustlook publised a blog post about the addJavascriptInterface Code execution Vulnerability in Android’s WebView. Accordingly to that post, we describe the attack in detail and also show Android’s changes in the OS in order to mitigate this JavaScript attack.

Continue reading