We are happy to announce our new publication “Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques” which will be presented at NDSS 2016. Harvester combines static and dynamic code analysis techniques to extract runtime values (e.g. URLs, SMS messages/numbers, etc.) from Android binaries. Furthermore, it can also be used for de-obfuscating Android applications. More details can be found here.
Looking forward to a great conference.
We presented our Backend-as-a-Service investigation at Blackhat Europe 2015.
The slides are available here. The paper contains more details and you can find it here.
Update: First news report available here.
A joint project together with McAfee (Intel Security) revealed very interesting insights into current Android Malware, in particular into Command and Control communications. We will be presenting our results at the VirusBulletin 2015 conference. We are also planning to publish a blog post with more concrete information, but if you are at VirusBulletin conference, feel free to join our talk on Thursday 1 October 09:00 – 09:30.
Title: We know what you did this summer: Android banking trojan exposing its sins in the cloud
With the help of CodeInspect, Appicaptor and an internally developed tool, researchers from TU Darmstadt and Fraunhofer SIT have found that many mobile applications store private information in the cloud, in an easily accessible manner.
Many users of mobile applications want their data to be synced across multiple platforms (iOS/Android/Windows/OSX/…). For app developers it is typically hard to support synchronization, as they need to set up backend servers on which the data can be stored and synchronized. Cloud providers such as Amazon and Parse.com therefore provide backends as a service (BaaS). With BaaS, app developers can simply connect to pre-configured servers using a few lines of program code. This makes data storage and synchronization through the cloud very easy. Some apps use BaaS to share public data, which is ok as long as the data is configured to be read-only. Many apps, however, use BaaS also to store confidential data such as user names, email addresses, contact information, passwords and other secrets, photos and generally any kind of data one can think of. Such data should only be accessible to the individual app user who stored the data. The researchers found more than 56 million sets of unprotected data, including email addresses, passwords, health records and other sensitive information of app users, which may be easily stolen and often manipulated. Read the official release here.
With the help of our new CodeInspect tool, we – together with the McAfee Research Lab – have identified a new threat campaign currently underway in South Korea;
attempting to exploit the huge media frenzy surrounding the release of the movie ‘The Interview’. Continue reading
We are very happy to announce a new tool in our toolchain: CodeInspect – A Jimple-based Reverse-Engineering framework for Android and Java applications.
Developing an Android application in an IDE is very convenient since features like code completion, “Open Declaration“, renaming variables, searching files etc. help the developer a lot. Especially code-debugging is a very important feature in IDEs. Usually, all those features are available for the source code and not for the bytecode, since they support the developer not a reverse-engineer. Well, but all those features would be be also very helpful for reverse-engineering Android or Java applications. This is the reason why we came up with a new reverse-engineering framework that works on the intermediate representation Jimple and supports all the features above and a lot more. In the following we give a detailed description about CodeInspect and its features. Continue reading
We are happy to announce IccTA, a new tool for tracking data flows between Android components and even between Android applications. IccTA is a joined work together with Li Li, Alexandre Bartel, Jacques Klein, Yves Le Traon from the University of Luxembourg, Damien Octeau and Patrick McDaniel from the Pennsylvania State University, Steven Arzt, Siegfried Rasthofer and Eric Bodden from EC SPRIDE. IccTA is a tool performing static taint analysis for one or multiple Android applications. It leverages Epicc to connect Android components and FlowDroid to model the life-cycles of components and perform the taint analysis.
The taint analysis is performed intra- and inter-components, which improves the precision of the analysis. IccTA outperforms all other available tools (FlowDroid and AppScan) by reaching a precision of 95.0% and a recall of 82.6% on DroidBench.
When analyzing multiple applications, IccTA first merges them into one then performs the analysis.
Almost exactly the same moment, there came up an additional tool call DidFail from the Carnegie Mellon University, which is a similar approach to IccTA.
IccTA and DidFail both rely on Epicc and FlowDroid to find data leaks between components of Android applications. They can both detect intra- and inter-component leaks within a single application or between multiple applications. Even though they leverage the same tools to compute links between components and perform data-flow analysis, the implementations differ in term of precision.
In the following we would like to do a rough comparison of both tools:
Our taint-analysis framework FlowDroid was awarded the Artifact Evaluation Award at PLDI 2014. This year, out of 20 submitted artifacts, only 12 were found to meet or exceed the expectations and awarded accordingly. For FlowDroid, apparently the expectations of all three reviewers were exceeded. Thanks a lot to Christian Fritz for the initial implementation and to Steven Arzt for making this a nice and round distribution!
Christian Fritz has just submitted his Master Thesis on FlowDroid. It gives many additional details not mentioned in our earlier Tech Report. You can check it out here:
FlowDroid: A Precise and Scalable Data Flow Analysis for Android (Christian Fritz), Master thesis, TU Darmstadt, July 2013.
In our new technical report Highly Precise Taint Analysis for Android Applications we present our new tool FlowDroid which implements a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications.
Furthermore, we also created an Android benchmark suite, DroidBench, as a testing ground for static and dynamic security tools.
This is joint work with Alexandre Bartel, Jacques Klein and Yves le Traon from the University of Luxembourg and with Damien Octeau and Patrick McDaniel from Penn State University.