Abstract
The continued popularity of smartphones has led companies from all business sectors to use them for security-sensitive tasks like two-factor authentication. Android, however, suffers from a fragmented landscape of devices and versions, which leaves many devices unpatched by their manufacturers. This security gap has created a vital market of commercial solutions for Runtime Application Self-Protection (RASP) to harden apps and ensure their integrity even on compromised devices. In this paper, we assess the RASP market for Android by providing an overview of the available products and their features. Furthermore, we describe an in-depth case study for a leading RASP product—namely Promon Shield—which is being used by approximately 100 companies to protect over 100 million end users worldwide. We demonstrate two attacks against Promon Shield: The first removes the entire protection scheme statically from an app, while the second disables all security measures dynamically at runtime.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_1
Bianchi, A., Gustafson, E., Fratantonio, Y., Kruegel, C., Vigna, G.: Exploitation and mitigation of authentication schemes based on device-public information. In: Proceedings of the 33rd Annual Computer Security Applications Conference, ACSAC 2017, pp. 16–27. ACM, New York (2017)
Bichsel, B., Raychev, V., Tsankov, P., Vechev, M.T.: Statistical deobfuscation of android applications. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 343–355 (2016)
Chow, S., Eisen, P., Johnson, H., Van Oorschot, P.C.: White-box cryptography and an AES implementation. In: Nyberg, K., Heys, H. (eds.) SAC 2002. LNCS, vol. 2595, pp. 250–270. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36492-7_17
Collberg, C., Nagra, J.: Surreptitious Software: Obfuscation, Watermarking, and Tamperproofing for Software Protection, 1st edn. Addison-Wesley Professional, Boston (2009)
Duan, Y., Zhang, M., Bhaskar, A.V., Yin, H., Pan, X., Li, T., Wang, X., Wang, X.: Things you may not know about android (un)packers: a systematic study based on whole-system emulation. In: 25th Annual Network and Distributed System Security Symposium, NDSS 2018, 18–21 February 2018, San Diego, California, USA (2018)
Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.A.: A survey of mobile malware in the wild. In: Jiang, X., Bhattacharya, A., Dasgupta, P., Enck, W. (eds.) Proceedings of the 1st ACM Workshop Security and Privacy in Smartphones and Mobile Devices, Co-located with CCS 2011, SPSM 2011, 17 October 2011, Chicago, IL, USA, pp. 3–14. ACM (2011)
Fratantonio, Y., Qian, C., Chung, S.P., Lee, W.: Cloak and dagger: from two permissions to complete control of the UI feedback loop. In: 2017 IEEE Symposium on Security and Privacy, SP 2017, 22–26 May 2017, San Jose, CA, USA, pp. 1041–1057 (2017)
Gartner Inc.: Market guide for application shielding, June 2017. https://www.gartner.com/doc/3747622/market-guide-application-shielding
Goubin, L., Masereel, J.-M., Quisquater, M.: Cryptanalysis of white box DES implementations. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 278–295. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77360-3_18
Haupert, V., Müller, T.: On app-based matrix code authentication in online banking. In: Furnell, S., Mori, P., Camp, O. (eds.) Proceedings of the 4th International Conference on Information Systems Security and Privacy, ICISSP 2018, 22–24 February 2018, Funchal, Madeira, Portugal, pp. 149–160 (2018)
Jung, J., Kim, J.Y., Lee, H., Yi, J.H.: Repackaging attack on android banking applications and its countermeasures. Wireless Pers. Commun. 73(4), 1421–1437 (2013)
Kim, T., Ha, H., Choi, S., Jung, J., Chun, B.: Breaking ad-hoc runtime integrity protection mechanisms in android financial apps. In: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2017, 2–6 April 2017, Abu Dhabi, United Arab Emirates, pp. 179–192 (2017)
Kim, Y., Daly, R., Kim, J., Fallin, C., Lee, J., Lee, D., Wilkerson, C., Lai, K., Mutlu, O.: Flipping bits in memory without accessing them: an experimental study of DRAM disturbance errors. In: ACM/IEEE 41st International Symposium on Computer Architecture, ISCA 2014, 14–18 June 2014, Minneapolis, MN, USA, pp. 361–372 (2014)
Kocher, P., Genkin, D., Gruss, D., Haas, W., Hamburg, M., Lipp, M., Mangard, S., Prescher, T., Schwarz, M., Yarom, Y.: Spectre attacks: exploiting speculative execution. CoRR abs/1801.01203 (2018). http://arxiv.org/abs/1801.01203
Krügel, C., Robertson, W.K., Valeur, F., Vigna, G.: Static disassembly of obfuscated binaries. In: Proceedings of the 13th USENIX Security Symposium, 9–13 August 2004, San Diego, CA, USA, pp. 255–270 (2004)
Luu, D.: How out of date are android devices? (2017). https://danluu.com/android-updates
Maier, D., Müller, T., Protsenko, M.: Divide-and-conquer: why android malware cannot be stopped. In: Ninth International Conference on Availability, Reliability and Security, ARES 2014, 8–12 September 2014, Fribourg, Switzerland, pp. 30–39. IEEE Computer Society (2014)
Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: Balzarotti, D., Caballero, J. (eds.) Proceedings of the Seventh European Workshop on System Security, EuroSec 2014, 13 April 2014, Amsterdam, The Netherlands, pp. 5:1–5:6. ACM (2014)
Promon AS: Shield: application protection and security for mobile apps. https://promon.co/products/mobile-app-security
Protsenko, M., Kreuter, S., Müller, T.: Dynamic self-protection and tamperproofing for android apps using native code. In: 10th International Conference on Availability, Reliability and Security, ARES 2015, 24–27 August 2015, Toulouse, France, pp. 129–138 (2015)
Ren, C., Chen, K., Liu, P.: Droidmarking: resilient software watermarking for impeding android application repackaging. In: Crnkovic, I., Chechik, M., Grünbacher, P. (eds.) ACM/IEEE International Conference on Automated Software Engineering, ASE 2014, 15–19 September 2014, Vasteras, Sweden, pp. 635–646. ACM (2014)
Saxena, A., Wyseur, B.: On white-box cryptography and obfuscation. CoRR abs/0805.4648 (2008). http://arxiv.org/abs/0805.4648
Schrittwieser, S., Katzenbeisser, S., Kinder, J., Merzdovnik, G., Weippl, E.R.: Protecting software through obfuscation: can it keep pace with progress in code analysis? ACM Comput. Surv. 49(1), 4:1–4:37 (2016)
Tanriverdi, H.: Überweisung vom Hacker. Süddeutsche Zeitung 73(270), (2017)
Thomas, D.R., Beresford, A.R., Rice, A.C.: Security metrics for the android ecosystem. In: Lie, D., Wurster, G. (eds.) Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2015, 12 October 2015, Denver, Colorado, USA, pp. 87–98. ACM (2015)
van der Veen, V., Fratantonio, Y., Lindorfer, M., Gruss, D., Maurice, C., Vigna, G., Bos, H., Razavi, K., Giuffrida, C.: Drammer: deterministic rowhammer attacks on mobile platforms. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 24–28 October 2016, Vienna, Austria, pp. 1675–1689 (2016)
Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In: Moriai, S., Jaeger, T., Sakurai, K. (eds.) 9th ACM Symposium on Information, Computer and Communications Security, ASIA CCS 2014, 03–06 June 2014, Kyoto, Japan, pp. 447–458. ACM (2014)
Wu, L., Grace, M.C., Zhou, Y., Wu, C., Jiang, X.: The impact of vendor customizations on android security. In: 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, 4–8 November 2013, Berlin, Germany, pp. 623–634 (2013)
Xue, L., Luo, X., Yu, L., Wang, S., Wu, D.: Adaptive unpacking of android apps. In: 2017 IEEE/ACM 39th International Conference on Software Engineering (ICSE), pp. 358–369 (2017)
Yang, W., Zhang, Y., Li, J., Shu, J., Li, B., Hu, W., Gu, D.: AppSpear: bytecode decrypting and DEX reassembling for packed android malware. In: Bos, H., Monrose, F., Blanc, G. (eds.) RAID 2015. LNCS, vol. 9404, pp. 359–381. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-26362-5_17
Zhang, Y., Luo, X., Yin, H.: DexHunter: toward extracting hidden code from packed android applications. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 293–311. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24177-7_15
Zhou, X., Lee, Y., Zhang, N., Naveed, M., Wang, X.: The peril of fragmentation: security hazards in android device driver customizations. In: 2014 IEEE Symposium on Security and Privacy, SP 2014, 18–21 May 2014, Berkeley, CA, USA, pp. 409–423 (2014)
Acknowledgments
We wish to thank our shepherd Yanick Fratantonio and the anonymous reviewers for their helpful comments. Furthermore, we appreciate Felix Freiling’s support during the disclosure process.
The work presented in this paper was conducted within the research project “Software-based Hardening for Mobile Applications” and was partially funded by the German Federal Ministry of Education and Research (BMBF).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Haupert, V., Maier, D., Schneider, N., Kirsch, J., Müller, T. (2018). Honey, I Shrunk Your App Security: The State of Android App Hardening. In: Giuffrida, C., Bardin, S., Blanc, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2018. Lecture Notes in Computer Science(), vol 10885. Springer, Cham. https://doi.org/10.1007/978-3-319-93411-2_4
Download citation
DOI: https://doi.org/10.1007/978-3-319-93411-2_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93410-5
Online ISBN: 978-3-319-93411-2
eBook Packages: Computer ScienceComputer Science (R0)