Smartphone Security for Android Applications

Course Description

In this lab, we will apply concepts from IT security, program analysis, and program transformation to solve practical problems in the area of smartphone security with a focus on the Android application layer. The lab combines theoretical concepts with industry-style best practices and the requirements of real-world malware and application analysts.

In the introductory meeting, we will present selected open topics in the field and students can form subgroups to work on one of these topics. We will regularly meet with the subgroups to discuss progress and next steps. At the end of the term, each group has to give a presentation in front of the whole class and deliver a written report.

Course Information

  • TUCaN ID: 20-00-0739
  • Course Type: Seminar (3CP)
  • Language: English
  • Organizational Meeting: Tuesday 13.10.15 — 17:00 to 18:40 — Fraunhofer SIT, Raum München
  • Class Meetings: We meet with every sub-group every week to discuss progress and decide on the next steps.
  • Instructor: Steven Arzt, Siegfried Rasthofer
  • Individual Office Hours: by appointment
  • Teaching Assistant: Johannes Späth

Evaluation Criteria

Well-documented code: 50%
Final report: 20%
Final presentation: 20%
Demonstration on real examples: 10%

Proposed Topics

In the introductory meeting, we will present the following topics. Participants can, however, also propose their own topics in the field of smartphone security.

  1. Runtime Observation of Android apps. Not all information about an application is available during static inspection. Modern malware apps are highly obfuscated, use reflection to hide the targets of method calls, load and execute code from remote servers, and encrypt parts of the code. To help the analyst, students who choose this topic will implement a runtime monitor that captures system events like network connections or code loading, and integrate the aggregated results into an interactive analysis environment.
  2. Security Analysis Dashboard. Modern (malware) apps can be large and highly complex. For an analyst, it is challenging to find a starting point for investigating the trustworthiness of an app or to assess the misbehavior of the app. In this project, students will review, assess and rate various techniques for automatically identifying suspicious code positions and create a guided process that helps a human analyst to focus his efforts.
  3. Memory Dump Analysis. For applications that load code at runtime, it is hard to obtain a fully analyzable instance of the app statically. One would have to mimic the download, potential decryption, and loading steps and merge the code by hand. To simplify this process, the students in this group will implement a memory dump technique which obtains a full copy of the app from memory at runtime and perform the analyses on that dump.