Harvester will be presented at NDSS 2016

We are happy to announce our new publication “Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques”, which will be presented at NDSS 2016. Harvester combines static and dynamic code analysis techniques to extract runtime values (e.g., URLs, SMS messages and numbers) from Android binaries. It can also be used for de-obfuscating Android applications. More details can be found here.

Looking forward to a great conference.

SSE Group contributes to McAfee’s Q4 Threat Report

As a follow-up to our BlackHat EU 2015 presentation about benign applications not securing user data in the cloud (Backend-as-a-Service), we also looked into whether malicious applications show similar data leakages. In a collaboration with McAfee Security Lab (Intel Security Lab) we analyzed 294,817 malware-laden mobile apps and found that 16 of them are connected with vulnerable Backend-as-a-Service instances implemented in Facebook Parse. Since the malware authors did not secure the BaaS backend, we had access to the complete database, including Command & Control (C&C) communications and tasks for victims. This gave us very interesting insights into current state-of-the-art C&C communication and protocols in the context of mobile malware.
The results were presented at VirusBulletin 2015 and AVAR 2015. More details can be found in our whitepaper and the corresponding slides. This project is also part of McAfee’s Q4 Threat Report.


What provokes Android users into revealing private information? – Paper accepted at HICSS


In joint work with Nicole Eling and Prof. Buxmann from TU Darmstadt, we published a very interesting market experiment on users’ reactions to fine-grained permission requests. Using a self-developed mobile application, this work explores the following research questions:

  1. How does the precision of an information request influence users’ disclosure of personal information?
  2. Is this effect different for users with different security backgrounds?


SSE Group together with Intel Security are presenting at VirusBulletin 2015 conference

A joint project with McAfee (Intel Security) revealed very interesting insights into current Android malware, in particular into Command and Control communications. We will be presenting our results at the VirusBulletin 2015 conference. We are also planning to publish a blog post with more concrete information, but if you are at the VirusBulletin conference, feel free to join our talk on Thursday 1 October 09:00 – 09:30.

Title: We know what you did this summer: Android banking trojan exposing its sins in the cloud


SSE Group is presenting at Black Hat Europe 2015

At this year’s Black Hat Europe conference, we will talk about our Backend-as-a-Service investigation, which we published a couple of months ago.

The talk will contain a full disclosure about our investigation including details about our automatic “exploit generator”.

Title of the talk: “(IN-)SECURITY OF BACKEND-AS-A-SERVICE PROVIDERS”

If you are around, feel free to join our talk and also to meet at the conference.

SSE Group Detects Massive Data Leaks in Apps using Backend-as-a-Service

With the help of CodeInspect, Appicaptor and an internally developed tool, researchers from TU Darmstadt and Fraunhofer SIT have found that many mobile applications store private information in the cloud, in an easily accessible manner.

Many users of mobile applications want their data to be synced across multiple platforms (iOS/Android/Windows/OSX/…). For app developers it is typically hard to support synchronization, as they need to set up backend servers on which the data can be stored and synchronized. Cloud providers such as Amazon and Parse.com therefore provide backends as a service (BaaS). With BaaS, app developers can simply connect to pre-configured servers using a few lines of program code. This makes data storage and synchronization through the cloud very easy. Some apps use BaaS to share public data, which is ok as long as the data is configured to be read-only. Many apps, however, use BaaS also to store confidential data such as user names, email addresses, contact information, passwords and other secrets, photos and generally any kind of data one can think of. Such data should only be accessible to the individual app user who stored the data. The researchers found more than 56 million sets of unprotected data, including email addresses, passwords, health records and other sensitive information of app users, which may be easily stolen and often manipulated. Read the official release here.

Slides and Live-Demo about CodeInspect from the CARO 2015 workshop are online

We gave a talk about CodeInspect at the CARO 2015 workshop in Hamburg. The slides and the live-demo (video) are available here: https://goo.gl/LblcR5

The main elements of the CodeInspect demo are:

  • Jimple manipulation
  • Interactive debugging
  • Hyperlinks in XML files (e.g., layout.xml or AndroidManifest.xml)
  • Java Source Code Enhancement

If you are interested in further videos about CodeInspect, you can find them here: http://sseblog.ec-spride.de/2014/12/codeinspect/

Enjoy!