
Honey, I Shrunk Your App Security: The State of Android App Hardening

  • Vincent Haupert
  • Dominik Maier
  • Nicolas Schneider
  • Julian Kirsch
  • Tilo Müller
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10885)

Abstract

The continued popularity of smartphones has led companies from all business sectors to use them for security-sensitive tasks like two-factor authentication. Android, however, suffers from a fragmented landscape of devices and versions, which leaves many devices unpatched by their manufacturers. This security gap has created a vital market of commercial solutions for Runtime Application Self-Protection (RASP) to harden apps and ensure their integrity even on compromised devices. In this paper, we assess the RASP market for Android by providing an overview of the available products and their features. Furthermore, we describe an in-depth case study for a leading RASP product—namely Promon Shield—which is being used by approximately 100 companies to protect over 100 million end users worldwide. We demonstrate two attacks against Promon Shield: The first removes the entire protection scheme statically from an app, while the second disables all security measures dynamically at runtime.

Notes

Acknowledgments

We wish to thank our shepherd Yanick Fratantonio and the anonymous reviewers for their helpful comments. Furthermore, we appreciate Felix Freiling’s support during the disclosure process.

The work presented in this paper was conducted within the research project “Software-based Hardening for Mobile Applications” and was partially funded by the German Federal Ministry of Education and Research (BMBF).


Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Vincent Haupert (1)
  • Dominik Maier (2)
  • Nicolas Schneider (1)
  • Julian Kirsch (3)
  • Tilo Müller (1)

  1. Friedrich-Alexander University Erlangen-Nürnberg (FAU), Erlangen, Germany
  2. TU Berlin, Berlin, Germany
  3. TU Munich, Munich, Germany
