
Honey, I Shrunk Your App Security: The State of Android App Hardening

  • Conference paper
  • Published in: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2018)

Abstract

The continued popularity of smartphones has led companies across all business sectors to use them for security-sensitive tasks such as two-factor authentication. Android, however, suffers from a fragmented landscape of devices and versions, which leaves many devices unpatched by their manufacturers. This security gap has created a thriving market of commercial Runtime Application Self-Protection (RASP) solutions that harden apps and aim to ensure their integrity even on compromised devices. In this paper, we assess the RASP market for Android by providing an overview of the available products and their features. Furthermore, we present an in-depth case study of a leading RASP product, Promon Shield, which is used by approximately 100 companies to protect over 100 million end users worldwide. We demonstrate two attacks against Promon Shield: the first strips the entire protection scheme from an app statically, while the second disables all of its security measures dynamically at runtime.



Acknowledgments

We wish to thank our shepherd Yanick Fratantonio and the anonymous reviewers for their helpful comments. Furthermore, we appreciate Felix Freiling’s support during the disclosure process.

The work presented in this paper was conducted within the research project “Software-based Hardening for Mobile Applications” and was partially funded by the German Federal Ministry of Education and Research (BMBF).

Author information

Authors: V. Haupert, D. Maier, N. Schneider, J. Kirsch, T. Müller

Corresponding author: Vincent Haupert


Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper


Cite this paper

Haupert, V., Maier, D., Schneider, N., Kirsch, J., Müller, T. (2018). Honey, I Shrunk Your App Security: The State of Android App Hardening. In: Giuffrida, C., Bardin, S., Blanc, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2018. Lecture Notes in Computer Science, vol 10885. Springer, Cham. https://doi.org/10.1007/978-3-319-93411-2_4

  • DOI: https://doi.org/10.1007/978-3-319-93411-2_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-93410-5

  • Online ISBN: 978-3-319-93411-2
