Secure and Reliable Mobile Application: Challenges and Approaches

Page 1:

Secure and Reliable Mobile Application: Challenges and Approaches

Dr. Hossain Shahriar

Kennesaw State University, USA

[email protected]

For SAC 2016 Attendees Only

Page 2: Background

Android is a popular platform among users for running mobile applications

Android dominates the market with an 82.8% share as of 2015

Much ahead of competitors like Apple (iOS), Windows (iPhone), RIM (BlackBerry)

Source: International Data Corporation, http://www.idc.com/prodserv/smartphone-os-market-share.jsp

Page 3: Trends: From Handsets to Apps

Source: App Economy Forecasts 2013-2016 report, VisionMobile

In 2012 the app economy was worth $53Bn, and it is forecast to reach $143Bn

Page 4: Background

One in eight developers currently implement mobile applications.

Revenue from mobile apps is expected to rise from $68 billion in 2013 to $143 billion in 2016

How many mobile apps are available for download?

Page 5:

Number of apps available for download in leading app stores as of July 2015…

Source: http://www.statista.com/

Q: What type of apps are widely used?

Page 6: Mobile application usage growth

App type and usage growth:

Messaging & social apps: +203%

Utilities & productivity: +149%

Games: +66%

Source: https://software.intel.com/en-us/blogs/2014/01/13/mobile-app-growth-continues-to-rise

Q: How secure are the apps?

Page 7: Security issues in mobile apps

Mobile applications may include functionality that leads to security or privacy breaches, or contain vulnerabilities that lead to unexpected data exposure or alteration

A recent study by MetaIntell (http://metaintelli.com) examined 500 popular mobile applications from several sources, including the Google Play store

460 out of 500 apps were found to contain security risks and vulnerabilities

92% of applications used non-secure communication protocols

60% of applications communicate with blacklisted domains

Apps may access other apps' content providers and alter data

Source: http://www.net-security.org/secworld.php?id=16248

Page 8: Security issues in mobile apps

Two major reasons can be blamed:

Users do not have enough awareness of what an app is capable of doing

Developers are not aware of vulnerabilities during development

Page 9: Organization of this talk

Part 1

Android malware, example characteristics

Device features, sources of malware, engineering

Some mitigation approaches

Part 2

Content provider leakage

Example of leakage

Best practices to avoid leakage

Part 3

Android memory manager

Memory leak patterns in source code

Best practices and mitigation approaches

Conclusions

Page 10: Part 1: Android, Malware, Mitigation

Page 11: Dining out: Introducing tip calculator app

How much tip should we give?

Is there a mobile app?

Page 12: Download and launch the tip calculator app

http://ksuweb.kennesaw.edu/~hshahria/mobileapp/tipapp.html

Page 13: Beware: this tip app is malware

If you select the 10% tip option, the app sends an SMS with the food amount you typed to a phone number you do not know

This is an example of keylogging activity, and it happens without your knowledge

Page 14: Beware: this tip app is malware

15% tip option: start a phone call

Page 15: Beware: this tip app is malware

20% tip option: read all contacts from the address book and send them to an external phone number through SMS

These additional actions hardly match our perception of what a tip calculator app should be doing

Page 16: What is a malware app?

Malware apps are seemingly benign apps that users install because of their popularity or a trusted source like the Google Play store

Once installed on a device, such apps may invoke additional and unwanted functionality without the user's knowledge

Page 17: Example of real-world Android malware

MMarketPay malware affected more than 100,000 Android devices in China

A hidden application designed to purchase content without the consent of the device users (victims)

Victims saw high phone bills

Prompted Google to introduce rules such as banning applications that disclose personal information without user permission

Page 18: Example of real-world Android malware

An Android SMS malware firm was fined £50,000 by the UK premium phone services regulator PhonepayPlus

The company, SMSBill, produced a malicious Facebook link that led to the downloading of malware onto Android phones

Page 19: Types of activities malware may do

Premium Services – calling 900 series numbers, sending SMS messages

Spyware – secretly logging activities like keys pressed

Adware/Spam – embedded advertisements within the application

Ransom – disabling the keyguard of an infected device for financial gain

Desktop setup change – changing the wallpaper

Source: Porter et al. “A Survey of Mobile Malware in The Wild,” ACM CCS Workshop 2011.

Page 20: Malicious actions and required permissions

Malware type: Changing Desktop Setting (M1)
Example action: Novelty and amusement by changing the default wallpaper without the user's permission (personal).
Required permissions: SET_WALLPAPER

Malware type: Accessing User Credentials (M2)
Example action: Secretly accessing user information stored on the Android device.
Required permissions: GET_ACCOUNTS

Malware type: SMS Message and Premium Rate Calls (M3)
Example action: Bills the victim by arbitrarily initiating phone calls to premium numbers or sending text messages to premium numbers.
Required permissions: SEND_SMS, CALL_PHONE, CALL_PRIVILEGED

Malware type: Phone Ransom (M4)
Example action: Locking a client's phone by changing the default setting on the password or other profile information.
Required permissions: DISABLE_KEYGUARD, WRITE_SETTINGS, WRITE_SECURE_SETTINGS

Malware type: Hacking Social Networks (M5)
Example action: Secretly accessing and updating user profile information on a social network (device).
Required permissions: READ_SOCIAL_STREAM, WRITE_SOCIAL_STREAM

Page 21: Changing Wallpaper Setting

Source code to change wallpaper:

// Retrieve the instance of the application WallpaperManager
WallpaperManager myWallpaperManager =
    WallpaperManager.getInstance(getApplicationContext());
try {
    // R.drawable.five refers to an image stored in the app's resources
    myWallpaperManager.setResource(R.drawable.five);
} catch (IOException e) {
    // setResource declares IOException for an unreadable image resource
    e.printStackTrace();
}

Required permission for changing wallpaper:

<uses-permission android:name="android.permission.SET_WALLPAPER" />

Page 22: Accessing User Credentials (1)

Source code to access user account information:

// Retrieve the constant email address pattern
Pattern emailPattern = Patterns.EMAIL_ADDRESS;
// Functionality is available for API level 8+
Account[] accounts = AccountManager.get(context).getAccounts();
// Retrieve the account name for each email account
for (Account account : accounts) {
    if (emailPattern.matcher(account.name).matches()) {
        String possibleEmail = account.name;
    }
}

Required permission for retrieving user account information:

<uses-permission android:name="android.permission.GET_ACCOUNTS"/>

Page 23: Sending SMS Message

Method to send an SMS message:

// Retrieve the default SMS engine
SmsManager sms = SmsManager.getDefault();
// Send a text message with the desired text
sms.sendTextMessage("1-900-222-3333", null, message, null, null);

Required permission to send an SMS message:

<uses-permission android:name="android.permission.SEND_SMS"/>

Page 24: Premium Rate Calls

Code to initiate a phone call to the desired number without the phone dialer:

// Initiate a phone call using the desired phone number
// (ACTION_CALL expects a tel: URI)
String number = "tel:1-900-444-8821";
Intent callIntent = new Intent(Intent.ACTION_CALL, Uri.parse(number));
startActivity(callIntent);

Required permission to make a phone call without the phone dialer:

<uses-permission android:name="android.permission.CALL_PHONE"/>

Page 25: Phone Ransom (1)

Lock an Android device and disable the keyguard:

// Access the system service for the keyguard
KeyguardManager mgr =
    (KeyguardManager) getSystemService(Activity.KEYGUARD_SERVICE);
// Lock the device
KeyguardLock lock = mgr.newKeyguardLock(KEYGUARD_SERVICE);
lock.disableKeyguard(); // Disable the keyguard from showing

Page 26: Phone Ransom (2)

Required permissions to disable the keyguard:

<uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>

<uses-permission android:name="android.permission.WRITE_SETTINGS"/>

<uses-permission android:name="android.permission.WRITE_SECURE_SETTINGS"/>

Source: “Lock an Android phone”, 2012

Page 27: Hacking Social Networks (1)

Code snippet for updating a social network account:

// Create a status update to post on the user profile
ContentValues values = new ContentValues();
values.put(StreamItems.RAW_CONTACT_ID, rawContactId);   // destination
values.put(StreamItems.TEXT, "Lunch at 3.00 PM");       // message
values.put(StreamItems.TIMESTAMP, timestamp);           // timestamp
values.put(StreamItems.COMMENTS, "Family and Friends"); // comments

// Specify where the content will be posted and send the request to post it
Uri.Builder builder = StreamItems.CONTENT_URI.buildUpon();
builder.appendQueryParameter(RawContacts.ACCOUNT_NAME, accountName);
builder.appendQueryParameter(RawContacts.ACCOUNT_TYPE, accountType);
Uri streamItemUri = getContentResolver().insert(builder.build(), values);
long streamItemId = ContentUris.parseId(streamItemUri);

Page 28: Hacking Social Networks (2)

Required permissions to update a social network profile:

<uses-permission android:name="android.permission.READ_SOCIAL_STREAM"/>

<uses-permission android:name="android.permission.WRITE_SOCIAL_STREAM"/>

Source: “Get Social Updates of your contact list using Ice Cream Sandwich”, 2012

Page 29: Malware family

Zhou and Jiang, “Dissecting Android Malware: Characterization and Evolution,” IEEE Symposium on Security & Privacy, 2012.

Project malgenome, http://malgenomeproject.org/

Page 30: Malware vs. Spyware vs. Adware

Malware – any software that is implemented with malicious intention

Spyware – programs developed to monitor and log activities performed on a computer

Adware – displays advertisements and marketing content automatically after installation.

Page 31: Malgenome project: key findings

Examined 1260 malware samples

1083 (86.0%) are repackaged versions of legitimate applications

Among 49 malware families, 28 send background short messages (to premium-rate numbers) or make phone calls without user awareness

27 collect user information including user accounts and SMS stored on phones

Page 32: Where is malware coming from?

In the apps section of Google Play, Google's app and media store, only 1 in 1,000 apps is found to be malware

Slightly higher than the iPhone/iOS App Store

Most malware is developed and hosted outside the USA:

China

Middle Eastern countries

http://www.dailytech.com/Android+has+97+Percent+of+Mobile+Malware+But+Nearly+None+in+the+US/article34595.htm

Page 33: Where is malware coming from?

Baidu.com, Inc. (ETR:B1C) app portal, one of the most used third-party app stores in China

1 in every 13 apps is malicious or dangerous (8%)

Android159 is a third-party app store

33.3% of its apps are repackaged copies of Google Play apps, with malware activities

Page 34: Why may we be at risk of using a malware app?

We first look at device-specific security features and developer-specific recommendations from vendors

We find a gap between the two:

Security notions are motivated by the operating system context rather than application-specific security needs

Developer recommendations are not always for secure development of apps

Critical security precautions are delegated to end users' discretion

We will see that it is easy to engineer malware

We will see that state-of-the-art literature works act as defense in depth, but awareness is essential

Page 35: Why may we be at risk of using a malware app?

Security notions are motivated by the operating system context rather than application-specific security needs

Page 36: Architectural Overview

(Android software stack diagram)

Applications: Home, Contacts, Phone, Browser

Application Framework: Activity Manager, Window Manager, Content Providers, View System, Package Manager, Telephony Manager, Resource Manager, Location Manager, Notification Manager

Libraries: Surface Manager, Media Framework, SQLite, OpenGL | ES, FreeType, WebKit, SGL, SSL, libc

Android Runtime: Core Libraries, Dalvik Virtual Machine

Linux Kernel: Display Driver, Camera Driver, Flash Memory Driver, Binder (IPC) Driver, Keypad Driver, WiFi Driver, Power Management, Audio Drivers

Page 37: Android Security Features (1)

Sandbox – Android prevents one application from accessing the data and memory contents of another, and runs each application in a sandbox

http://www.ibm.com/developerworks/library/x-androidsecurity/

Page 38: Android Security Features (1)

Permission-based access control – The user grants permissions during installation of an app

Most users see similar types of permissions for both good and malware apps

Page 39: Android Security Features (2)

Safe memory management – Each application runs in a separate process within its own Dalvik instance. No buffer overflow, support for address space layout randomization to avoid execution of arbitrarily injected code

Data encryption – Android supports a range of algorithm implementations to encrypt disk data (AES128, SHA256)

Page 40: Why may we be at risk of using a malware app?

Developer recommendations are not always for secure development of apps

Page 41: Recommendation from vendor

Source code review: Lint tool (http://tools.android.com/download)

Example problems Lint can identify:

Layout performance problems

Usability problems (not specifying the input type of a text field)

Manifest errors

So little focus on security bugs: a malware app may be designed without exporting a service, and pass Lint checking with flying colors

No capability for identifying content provider leakage

Page 42: Recommendation from vendor

Signing applications

Generate a signature over the apk file with a user-chosen random key

The signature is recomputed and matched during updating of the application

However, anyone can sign an application with a key and stick with the same key

Repackaged malware apps are all signed apps

Page 43: Why may we be at risk of using a malware app?

It is easy to re-engineer apks

Page 44: Malware apps are repackaged apps

Reverse engineering tools are available to engineer malware apps

A popular tool is android-apktool http://ibotpeaches.github.io/Apktool/

Page 45: Malware apps are repackaged apps

Source: http://ulsrl.org/repackaged-applications

Page 46: Malware mitigation research

Static code analysis tool

Sandboxing approach

Machine learning

Permission analysis

Information-theoretic approach

Anti-malware tool

Best practices

Page 47: Static Analysis (1)

The structural analysis of program sources without executing them

Apk files are decompressed and converted back to Java source, e.g. with Dex2jar (http://code.google.com/p/dex2jar)

Examine the presence of API signatures for malware activities like SMS message sending:

sms.sendTextMessage("1-900-222-3333", null, "SMS", null, null);
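As an added example (not code from the talk), a small static scanner over decompiled Java source that locates sendTextMessage call sites and separates hard-coded destination and message arguments from variable ones, the distinction the later SMS feature table draws between f2 and f7; the source text and the 1-900 number in it are constructed samples.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of decompiled Java source (not a real app). The second
# method mirrors the slide's example call with a constant premium-rate number.
SAMPLE_SOURCE = """\
public void onSendClicked(View v) {
    String dest = destinationField.getText().toString();
    SmsManager sms = SmsManager.getDefault();
    sms.sendTextMessage(dest, null, body, null, null);
}
private void reportHome() {
    SmsManager sms = SmsManager.getDefault();
    sms.sendTextMessage("1-900-222-3333", null, "SMS", null, null);
}
"""

# sendTextMessage(destinationAddress, scAddress, text, sentIntent, deliveryIntent):
# capture the first and third arguments, each a string literal or an identifier.
SEND_SMS_RE = re.compile(
    r'\.sendTextMessage\(\s*(?P<dest>"[^"]*"|[A-Za-z_]\w*)\s*,'
    r'\s*[^,]+,\s*(?P<text>"[^"]*"|[A-Za-z_]\w*)\s*,'
)
# North American 900-series premium-rate prefix, with or without a leading "1-"
PREMIUM_RE = re.compile(r"^(1-?)?900")


@dataclass
class SmsCallSite:
    line: int
    dest_is_constant: bool   # destination hard-coded in the APK (f7 indicator)
    text_is_constant: bool   # message body hard-coded, not taken from the UI
    premium_dest: bool       # hard-coded destination is a premium-rate number

    @property
    def suspicious(self) -> bool:
        # A hard-coded destination combined with a hard-coded body or a premium
        # prefix is the pattern the talk attributes to malware (f7); a variable
        # destination and body (f2) is what a benign SMS app looks like.
        return self.dest_is_constant and (self.text_is_constant or self.premium_dest)


def scan_sms_calls(source: str) -> list[SmsCallSite]:
    """Return every sendTextMessage call site found in the decompiled source."""
    sites: list[SmsCallSite] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = SEND_SMS_RE.search(line)
        if match is None:
            continue
        dest, text = match.group("dest"), match.group("text")
        dest_is_constant = dest.startswith('"')
        sites.append(SmsCallSite(
            line=lineno,
            dest_is_constant=dest_is_constant,
            text_is_constant=text.startswith('"'),
            premium_dest=dest_is_constant
            and PREMIUM_RE.match(dest.strip('"')) is not None,
        ))
    return sites


def suspicious_lines(source: str) -> list[int]:
    """Line numbers a reviewer should inspect first. This is a static heuristic:
    a benign app that hard-codes a support number is a false positive, which is
    the disadvantage the talk notes for static analysis."""
    return [site.line for site in scan_sms_calls(source) if site.suspicious]


if __name__ == "__main__":
    for site in scan_sms_calls(SAMPLE_SOURCE):
        print(site)
    print("review lines:", suspicious_lines(SAMPLE_SOURCE))
```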

Page 48: Static Analysis (2)

Advantages:

Does not require installing and executing apps

Can be scaled up easily

Disadvantages:

Good apps may use bad coding practices

Generates false positive warnings

The API may not get invoked at all during runtime

Page 49: Dynamic analysis or Sandboxing (1)

Run a suspected app (Apk) in an emulator and log specific system-level API calls

The log can reveal the presence of malware activities:

Reading files from storage

Opening network connections

Page 50: Sandboxing (2)

Advantages:

More accurate than static analysis

Disadvantages:

Implementation of a loadable kernel module (LKM) is a daunting and error-prone task

Emulators are very unstable and not well supported

Page 51: Machine Learning (1)

Define features from good and malware apps: permission list, API signatures

Learn chosen classifier(s): Bayesian classifier, decision tree

The classifier can be used to detect new app types: malware or benign

Page 52: Machine Learning (2)

Advantages:

Automated and can be scaled up

Disadvantages:

Depending on the type of classification algorithm, performance varies

Performance depends on the initial dataset selection representing all types of applications

Page 53: Permission Analysis (1)

Identify privileged permissions that likely represent malware activities:

Accessing Accounts

Accessing GPS

Net Access

Read and Write Contacts

Read Browser History, Bookmarks

Page 54: Permission Analysis (2)

Advantages:

The permission list can reveal early a mismatch between a mobile application's purpose and the potential activities that could be performed

Disadvantages:

Most users find it burdensome to read all permissions

Users have limited knowledge of what is meant by privileged permission vs. general permission

Permissions may be maliciously inserted into an AndroidManifest.xml file after a popular app is repackaged
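An added example (not from the talk) of the permission analysis described above: it parses AndroidManifest.xml, reports privileged permissions that a tip calculator has no reason to need, and diffs an original manifest against a repackaged copy to surface inserted permissions. Both manifests are constructed samples; the privileged set is the list from the previous slide plus the M3 permissions.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # Clark notation for android:name

# Permissions the talk lists as likely indicators of malware activity.
PRIVILEGED = frozenset({
    "android.permission.GET_ACCOUNTS",                       # accessing accounts
    "android.permission.ACCESS_FINE_LOCATION",               # accessing GPS
    "android.permission.INTERNET",                           # net access
    "android.permission.READ_CONTACTS",                      # read contacts
    "android.permission.WRITE_CONTACTS",                     # write contacts
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS", # browser history, bookmarks
    "android.permission.SEND_SMS",                           # premium SMS (M3)
    "android.permission.CALL_PHONE",                         # premium calls (M3)
})

# Constructed manifests: the original tip calculator and a repackaged copy.
ORIGINAL_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tipcalc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Tip Calculator"/>
</manifest>"""

REPACKAGED_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tipcalc">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application android:label="Tip Calculator"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """All <uses-permission android:name="..."/> entries in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR) is not None
    }


def privileged_permissions(manifest_xml: str) -> set[str]:
    """Subset of the declared permissions that the talk flags as privileged."""
    return declared_permissions(manifest_xml) & PRIVILEGED


def unexpected_permissions(manifest_xml: str, expected: set[str]) -> set[str]:
    """Privileged permissions the app's stated purpose does not justify;
    `expected` is the set its functionality plausibly needs."""
    return privileged_permissions(manifest_xml) - expected


def added_permissions(original_xml: str, candidate_xml: str) -> set[str]:
    """Permissions in a candidate APK's manifest that are absent from the
    original: the repackaging pattern the slide describes."""
    return declared_permissions(candidate_xml) - declared_permissions(original_xml)


if __name__ == "__main__":
    # A tip calculator plausibly needs INTERNET for ads and nothing else privileged.
    purpose = {"android.permission.INTERNET"}
    print("unexpected:", sorted(unexpected_permissions(REPACKAGED_MANIFEST, purpose)))
    print("added by repackaging:",
          sorted(added_permissions(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST)))
```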

Page 55: Why does permission display at install time fail to prevent users from installing malware?

Research by Kevin et al. 2013 (Indiana University) shows that permission disclosures are ineffective

Even the addition of text warnings does not make any difference in deterring users from installing dangerous apps

App download count has a direct relationship with app installation habits

* Kevin et al. 2013, Studying the Effectiveness of Android Application Permissions Requests, Fifth International Workshop on SECurity and SOCial Networking 2013, San Diego (18 March 2013)

Page 56: Why does permission display at install time fail to prevent users from installing malware?

Porter et al. 2011 (UC Berkeley & Google) examined 956 apps: 100 paid, 856 free, taken from the market place

Normal permission: no harmful effect, like a network access check

Dangerous permission: costs the user money or accesses private data

93% of free and 82% of paid apps have at least one dangerous permission

INTERNET permission is heavily used

Barrera et al. 2011 (Carleton University, Ottawa) had similar findings in their study done around the same time

They argued that the INTERNET permission had to be used to load advertisements by free apps

Page 57: Why does permission display at install time fail to prevent users from installing malware?

97% of applications that ask for ACCESS_FINE_LOCATION (GPS) also request the INTERNET permission

94% and 78% of the applications that request READ_CONTACTS and READ_CALENDAR, respectively, also asked for the INTERNET permission.

Free apps request more Internet access and location data compared to paid apps

Possible indication of leakage of location information to advertisers

Page 58: Information-Theoretic Approach

A repackaged application, when compared to its original version, differs in its set of available functionalities.

Research question: How can we measure the difference?

Kullback-Leibler Divergence (KLD) can capture the difference

KLD between a legitimate app and malware should be high

Page 59: Information-Theoretic Approach (cont.)

Let us assume that P and Q represent two probability distributions having n elements: $P = \{p_1, \ldots, p_n\}$ and $Q = \{q_1, \ldots, q_n\}$.

KLD computes the divergence between P and Q using the formula

$$\mathrm{KLD}(P, Q) = \sum_{i=1}^{n} p_i \log_2 \frac{p_i}{q_i} \qquad \text{(i)}$$

The following two constraints (Equations (ii) and (iii)) are satisfied:

$$\sum_{i=1}^{n} p_i = 1 \qquad \text{(ii)}$$

$$\sum_{i=1}^{n} q_i = 1 \qquad \text{(iii)}$$

Page 60: Information-Theoretic Approach (cont.)

We need to build a population set for both legitimate (P) and malware (Q) applications

The example below relates to SMS sending apps (ADCAIJ 2014)

SMS operational elements for good applications (type: Benign)

f1: SMS message is sent with visual input, through an event handler method

f2: SmsManager object is created, sendTxtMsg is invoked, variable argument is present

f3: Create Intent object, write SMS message, variable argument message, start Activity

f4: Start activity with “smsto:” string in Uri.parse method and variable parameter for SMS message

f5: Message delivery or receiving status is notified

SMS operational elements for malware applications (type: Malicious)

f6: SMS message is sent without input from visual interfaces, in the presence or absence of an event handler method

f7: SmsManager object is created, sendTxtMsg is invoked, constant argument present

f8: Using Intent object, putting SMS body, and constant argument message

f9: Start activity with “smsto:” string in Uri.parse method and constant parameter representing SMS message

f10: Message delivery or receiving status is not notified

Page 61: Information-Theoretic Approach (cont.)

The challenge in computing KLD(P, Q) is the term $p_i \log_2 (p_i / q_i)$

If $p_i$ or $q_i$ is zero (no occurrence of the opcode), the term becomes infinite

KLD also becomes infinite

We apply constant back-off smoothing:

All zero probability values in P and Q are replaced with a negligible constant probability (e)

All non-zero values are reduced by the constant value proportionally
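An added example (not from the talk) that carries the KLD computation through with constant back-off smoothing over the ten SMS operational elements f1 to f10, showing the infinite value without smoothing and the finite value with it. The feature counts and the constant e = 1e-4 are constructed assumptions.

```python
import math

# The ten SMS operational elements from the feature table (f1-f5 benign-looking,
# f6-f10 malware-looking). Each count is how often a feature was observed in a
# population of apps. The counts are constructed for illustration, not measured.
FEATURES = [f"f{i}" for i in range(1, 11)]
LEGITIMATE_COUNTS = {"f1": 12, "f2": 9, "f3": 5, "f4": 4, "f5": 10}        # P
SUSPECT_COUNTS = {"f2": 2, "f6": 11, "f7": 9, "f8": 6, "f9": 3, "f10": 9}  # Q


def to_distribution(counts: dict, features=FEATURES) -> list:
    """Normalise feature counts so the probabilities sum to 1 (Eqs. (ii), (iii))."""
    total = sum(counts.get(f, 0) for f in features)
    return [counts.get(f, 0) / total for f in features]


def kld(p: list, q: list) -> float:
    """Eq. (i): KLD(P, Q) = sum_i p_i log2(p_i / q_i).
    A term with p_i = 0 contributes 0 (the usual 0 log 0 = 0 convention);
    p_i > 0 with q_i = 0 makes the term, and so the whole KLD, infinite,
    which is the problem the slide describes."""
    total = 0.0
    for pi, qi in zip(p, q):
        if pi == 0:
            continue
        if qi == 0:
            return math.inf
        total += pi * math.log2(pi / qi)
    return total


def back_off_smooth(dist: list, eps: float = 1e-4) -> list:
    """Constant back-off smoothing: every zero probability becomes eps and the
    non-zero probabilities are reduced proportionally, so the result still
    sums to 1 and the constraints (ii)/(iii) keep holding."""
    zeros = sum(1 for x in dist if x == 0)
    if zeros == 0:
        return list(dist)
    mass = zeros * eps                       # probability mass moved to the zeros
    return [eps if x == 0 else x * (1 - mass) for x in dist]


def smoothed_kld(p_counts: dict, q_counts: dict, eps: float = 1e-4) -> float:
    """KLD between two smoothed feature populations; always finite."""
    p = back_off_smooth(to_distribution(p_counts), eps)
    q = back_off_smooth(to_distribution(q_counts), eps)
    return kld(p, q)


if __name__ == "__main__":
    p, q = to_distribution(LEGITIMATE_COUNTS), to_distribution(SUSPECT_COUNTS)
    print("raw KLD(P, Q):", kld(p, q))                                  # inf
    print("smoothed KLD(P, Q):", round(smoothed_kld(LEGITIMATE_COUNTS, SUSPECT_COUNTS), 3))
    print("smoothed KLD(P, P):", smoothed_kld(LEGITIMATE_COUNTS, LEGITIMATE_COUNTS))  # 0.0
```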

Page 62: Anti-virus tool

Four representative mobile anti-virus software tools:

AVG Antivirus Free

Lookout Security & Antivirus

Norton Mobile Security Lite

Trend Micro Mobile Security Personal Edition

Zhou and Jiang (IEEE S&P 2012) showed the tools have limited capability to detect malware signatures when tested on samples from the Malgenome project:

The best detection rate was 79.6% (1,003 samples) from Trend Micro

The worst detection rate was 20.2% (254 samples) by Norton Mobile Security Lite

Page 63

Some best practices to protect ourselves

Keep devices updated with the latest OS version and app versions

Don’t store sensitive data on your handheld devices

Use common sense about suspicious links, messages, applications

Page 64

How do we protect ourselves?

Lock your devices with a strong pin, passcode, or password

Download apps from the official market source like Google Play Store

Read the list of app permissions before agreeing; think about whether your app should really need all of those permissions

Seek opinions from experts and others who may have used an app already

Page 65

Part 2: Content Provider Data Leakage

Content provider leakage
Example of leakage
Best practices to avoid leakage

Page 66

Content Provider Basics

A content provider presents data to external applications as one or more tables, similar to the tables found in a relational database

A content provider is needed to offer data or files to other applications, and to allow users to copy data from your app into other apps

(Diagram: a ContentProvider in one app is accessed through the ContentResolver of another app)

Page 67

A demo of content provider leakage: access the page and follow the instructions

http://ksuweb.kennesaw.edu/~hshahria/mobileapp/contentprovider.html

Page 68

Entering data in content provider

Uri of the provider (table)

Page 69

Retrieving data from content provider

Output data (id=6, name=x, grade=y)

Page 70

Probing a content provider

Page 71

Tautology attack (SQL Injection) on content provider

Page 72

Outcome of tautology attack on content provider

Page 73

Content Provider Leakage Vulnerability

Leakage of data, managed by a vulnerable provider application, to other applications (including malware) running on Android

The vulnerability arises when the meaning of the intended operations gets changed, e.g., querying a different data provider, or inserting data rather than retrieving data

Page 74

Content Provider Leakage Vulnerability (cont.)

The vulnerabilities can be exploited by developing malware that can:
retrieve passwords of instant messaging accounts (SocialHub app)
read or delete notes entries (Memo app)
view photos and locations (MiniDiary app)

An attacker needs to know the provider class name and the Uri

E.g., accessing the userid and password of a device would require querying com.android.providers.settings, selecting all data for the Uri content://settings/secure

Source: https://labs.mwrinfosecurity.com/advisories/2012/09/07/multiple-samsung-android-application-vulnerabilities

Page 75

Code level issues in content provider class

    public class XYZProvider extends ContentProvider {
        private static final String AUTHORITY = "com.example.app.xyzprovider";
        private static final UriMatcher sURIMatcher = new UriMatcher(UriMatcher.NO_MATCH);
        static {
            sURIMatcher.addURI(AUTHORITY, "table1", 1);
            ... ... ...
        }
        private SQLiteOpenHelper database;   // helper that opens the app's SQLite database

        public Cursor query(Uri uri, String[] projection, String selection,
                            String[] selectionArgs, String sortOrder) {
            if (sURIMatcher.match(uri) == 1) {
                SQLiteDatabase db = database.getWritableDatabase();
                // projection, selection, selectionArgs and sortOrder are passed through unchecked
                Cursor cursor = db.query("table1", projection, selection, selectionArgs,
                                         null, null, sortOrder);
                return cursor;
            } else {
                throw new IllegalArgumentException("Unknown URI: " + uri);
            }
        }

        public Uri insert(Uri uri, ContentValues values) {
            SQLiteDatabase db = database.getWritableDatabase();
            long id = db.insert("table1", null, values);
            return ContentUris.withAppendedId(uri, id);
        }
        ... ...
    }

UriMatcher provides the facility to match the supplied Uri against the known data provider Uris

The match() method returns a number that selects the specific action to perform in query(), insert(), update(), delete()

query() does not validate its arguments:
• projection (columns of a table)
• selection (where condition)
• selectionArgs (replace ? placeholders)

SQL Injection attack inputs can be supplied to change the semantics of the select query

Page 76

More example: Piggybacked query

Assume that the data provider contains Table 1 (table not reproduced in this transcript)

Consider four arguments, projection, selection, selectionArgs, sortOrder, and their values in Table 2, which lists a benign input and a malicious input for each (table not reproduced in this transcript)

    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        ...
    }
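The argument-validation gap from the two previous slides, as an added Python example (not code from the slides or from any of the apps named in them). It models the provider's query() over an in-memory SQLite table standing in for Table 1: `query_unchecked` splices projection, selection and sortOrder into the SQL exactly as the slide's code does, and `query_checked` applies principle P1 by accepting only known column names and `column op ?` clauses whose values arrive through selectionArgs. The table layout, column names and sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed stand-in for "Table 1" on the slide: a provider table with id, name and grade
TABLE = "table1"
ALLOWED_COLUMNS = {"_id", "name", "grade"}

# Shape of a selection the hardened provider accepts: "column op ?" clauses joined by
# AND/OR, so every caller-supplied value must travel through selectionArgs, never inline
_CLAUSE = r"[A-Za-z_]\w*\s*(?:=|<>|!=|<=|>=|<|>|LIKE)\s*\?"
SELECTION_SHAPE = re.compile(rf"^\s*{_CLAUSE}(?:\s+(?:AND|OR)\s+{_CLAUSE})*\s*$", re.IGNORECASE)
_COLUMN_IN_CLAUSE = re.compile(r"[A-Za-z_]\w*(?=\s*(?:=|<>|!=|<=|>=|<|>|LIKE)\s*\?)", re.IGNORECASE)


def open_sample_db():
    """In-memory SQLite database with three constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {TABLE} (_id INTEGER PRIMARY KEY, name TEXT, grade TEXT)")
    db.executemany(f"INSERT INTO {TABLE} (name, grade) VALUES (?, ?)",
                   [("alice", "A"), ("bob", "B"), ("carol", "C")])
    return db


def query_unchecked(db, projection, selection, selection_args, sort_order=None):
    """Mirrors the slide's query(): every argument is spliced into the SQL as given.
    Only selectionArgs are bound as parameters; projection, selection and sortOrder are not."""
    cols = ", ".join(projection) if projection else "*"
    sql = f"SELECT {cols} FROM {TABLE}"
    if selection:
        sql += f" WHERE {selection}"
    if sort_order:
        sql += f" ORDER BY {sort_order}"
    return db.execute(sql, tuple(selection_args or ())).fetchall()


def query_checked(db, projection, selection, selection_args, sort_order=None):
    """Principle P1 applied: reject anything that is not a known column or a placeholder."""
    cols = list(projection) if projection else sorted(ALLOWED_COLUMNS)
    if not set(cols) <= ALLOWED_COLUMNS:
        raise ValueError("projection names an unknown column")
    if selection:
        if not SELECTION_SHAPE.match(selection):
            raise ValueError("selection must consist of 'column op ?' clauses")
        if not set(_COLUMN_IN_CLAUSE.findall(selection)) <= ALLOWED_COLUMNS:
            raise ValueError("selection names an unknown column")
        if selection.count("?") != len(selection_args or ()):
            raise ValueError("placeholder count does not match selectionArgs")
    if sort_order and sort_order not in ALLOWED_COLUMNS:
        raise ValueError("sortOrder must be a known column")
    return query_unchecked(db, cols, selection, selection_args, sort_order)


def is_rejected(db, projection, selection, selection_args, sort_order=None):
    """True when the hardened query refuses the supplied arguments."""
    try:
        query_checked(db, projection, selection, selection_args, sort_order)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = open_sample_db()
    tautology = "name = 'x' OR '1'='1'"          # the tautology input from the demo slides
    print("unchecked, tautology :", query_unchecked(db, ["name"], tautology, []))
    print("checked, tautology   : rejected =", is_rejected(db, ["name"], tautology, []))
    print("checked, placeholder :", query_checked(db, ["name"], "name = ?", ["alice"]))
```

Python's sqlite3 refuses to execute more than one statement per call, so the piggybacked variant on this slide cannot be reproduced through it; the tautology and projection cases show the same root cause, which is that the provider never looked at what the caller passed in.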

Page 77

Mitigation approach

Secure programming practices for implementing content provider classes can effectively prevent this vulnerability

A content leakage vulnerability is a deviation from secure programming practices

Research questions: how do we measure the deviation with respect to secure programming practices? Can we apply the deviation measurement to identify content leakage vulnerabilities in the wild?

Page 78

KLD-Based detection of content provider leakage vulnerability

Kullback-Leibler Divergence (KLD) can be used to measure how divergent a given content provider implementation is from a secure implementation

We develop a set of population elements: interface definition, resource locator (Uri) analysis, permission analysis

We build the initial population set from vulnerable free applications; a new implementation is identified as vulnerable if its KLD divergence from the initial population set is relatively high

Page 79

Kullback-Leibler Divergence (KLD)

Let us assume that P and Q represent two probability distributions

P = {p1, ..., pn}

Q = {q1, ..., qn}.

Page 80

Development of Population Set

We rely on three programming principles (P1-P3) for secure implementation, motivated by the Japan Smartphone Security Association guidelines:
http://www.jssec.org/dl/android_securecoding_en.pdf

P1: Check for the presence of malicious inputs for SQL Injection attacks

P2: Check both the protocol and the repository represented by the supplied Uri, to avoid accessing arbitrary Uris and missing exception handling

P3: Check content provider permissions for accessing, modifying, and creating data in a conservative manner; avoid high-privilege permissions when not needed

Page 81

Mapping of secure programming principles, P set elements, and signatures

Page 82

Histogram of population elements for P set

Most applications provide interfaces to access various data storage (SMS, File) and external storage (Google Maps)

Within applications, calls to content providers are performed by supplying static arguments

In Viber, the projection, selectionArgs, and sortOrder arguments are set to null, and the Uri and selection arguments are hard-coded, thus eliminating possible SQL injection

Page 83

Histogram of population elements in Q set

Page 84

Sample applications used to build P set

Page 85

Sample applications used to build Q set

Page 86

KLD for some selected applications

Application | KLD Value
Huffington Post | 4.408717
Mailbox | 1.56147
Perfect Sunset Live Wallpaper | 2.346257
Quick Profiles | 2.09625
Skype | 5.157877
Spring Flowers Live Wallpaper | 9.36725
To-Do Calendar Planner | 11.12971
Virtual Table Tennis 3D | 10.57418

Page 87

KLD threshold level vs. FP/TP

KLD Threshold | FP (%) | TP (%)
3 | 4.5 | 95.5
5 | 2.9 | 97.1
7 | 0.8 | 99.2
9 and above | 0 | 100

• The threshold affects the false positive (FP) and true positive (TP) rates
• For each application, we confirm the FP and TP manually based on secure programming
• The higher the divergence threshold level, the better the obtained vulnerability detection result
• A lower threshold level may lead to many false positives
• False positives are due to the acceptance of HTTP resources as Uri, such as Google Maps, Facebook and Twitter accounts on remote websites rather than local storage
• Many applications query multiple providers
• Applications rarely analyze the supplied arguments while invoking query(), insert(), update(), delete()
• Vulnerable applications do not check the projection and where-condition arguments

Page 88

Other approaches for content provider leakage mitigation

Path-sensitive data flow analysis from static source code: generate a data flow graph, extract path constraints, and check for inputs that solve the constraints

Identify passive leaking: sensitive data being displayed within an application

Content pollution leaking detection: changes to the settings of applications inadvertently introduce unwanted side effects, such as blocking the sending of SMS messages

Disadvantage: suffers from discontinuity of the control flow graph due to the event-driven nature of Android apps

Page 89

Other approaches for content provider leakage mitigation

Data flow from paths extracted from the loaded apk: lets us discard infeasible paths and keep only feasible ones

Paths represent function calls of interest that are capable of leaking sensitive data

Can detect explicit exploitation of publicly accessible interfaces or services, and implicit vulnerabilities (permission inherited from another application)

Page 90

Secure development practices

Three programming principles (P1-P3) for secure implementation, motivated by the Japan Smartphone Security Association guidelines:
http://www.jssec.org/dl/android_securecoding_en.pdf

Check for the presence of malicious inputs for SQL Injection attacks

Check both the protocol and the repository represented by the supplied Uri, to avoid accessing arbitrary Uris and missing exception handling

Check content provider permissions for accessing, modifying, and creating data in a conservative manner; avoid high-privilege permissions when not needed

Page 91

Part3: Memory Leak

Page 92

Apps are not reliable due to memory leak

CWE-401: Improper Release of Memory Before Removing Last Reference ('Memory Leak')

The software does not sufficiently track and release allocated memory after it has been used, which slowly consumes the remaining memory

Most memory leaks result in app crashes or unexpected program behavior

Page 93

Memory leak in Android

Android's built-in garbage collection support is not adequate to release unused objects

Garbage objects are collected periodically

Allocated objects in an application live longer than their expected lifetime inside an Activity (an entity for running an application)

Much of the burden is on the application developer to understand the different types of leaks and avoid them

Page 94

Leak due to bitmap object loading

Bitmaps take up a lot of memory, especially for rich images like photographs.

The camera on Galaxy Nexus takes photos up to 2592x1936 pixels (5 megapixels).

Android devices can have as little as 16MB memory available to a single application

https://developer.android.com/training/displaying-bitmaps/index.html

Page 95

Leak due to bitmap object loading

    public class DrawBitmap extends Activity {
        static Bitmap bitMap;

        class BitmapView extends View {
            public BitmapView(Context context) {
                super(context);
            }

            public void onDraw(Canvas canvas) {
                // a bitmap is decoded on every draw and nothing ever releases it
                bitMap = BitmapFactory.decodeResource(getResources(), R.drawable.bitmap);
                canvas.drawColor(Color.BLACK);
                canvas.drawBitmap(bitMap, 10, 10, null);
            }
        }

        public void onDestroy() {
            super.onDestroy();   // bitMap is neither recycled nor cleared here
        }
    }

Example of an Android program having a memory leak

Page 96

Leak due to bitmap object loading

    public void onDestroy() {
        if (bitMap != null) {
            bitMap.recycle();   // free the pixel memory
            bitMap = null;      // drop the reference so the object can be collected
        }
        super.onDestroy();
    }

Example fix for the memory leak

Page 97

Leak due to object allocated in event handler

Example of memory leak fixing for a click event listener

    public class Main extends Activity {
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(R.layout.main);
            findViewById(R.id.button).setOnClickListener(new View.OnClickListener() {
                private byte[] m = new byte[1024 * 1024];   // 1MB allocated, held by the listener
                public void onClick(View v) {
                    ...
                }
            });
        }
    }

An example of memory allocation in a click event listener

    public void onDestroy() {
        findViewById(R.id.button).setOnClickListener(null);   // drops the listener and its buffer
        super.onDestroy();
    }

Page 98

Leak due to drawable object

Example code for fixing a memory leak due to a drawable object

    public void onDestroy() {
        super.onDestroy();
        if (d != null)
            d.setCallback(null);   // the drawable no longer references the view
    }

    public void onDestroy() {
        super.onDestroy();
        if (view != null) {
            ViewGroup viewGroup = (ViewGroup) view;
            int childCount = viewGroup.getChildCount();
            for (int index = 0; index < childCount; index++) {
                View child = viewGroup.getChildAt(index);
                child.setBackgroundDrawable(null);   // release each child's background drawable
            }
        }
    }

(a) Releasing the memory of one drawable object

(b) Enumerating the child views to release the memory of multiple drawable objects

Page 99

Memory leak due to static/constant object

Example of memory leak due to a static memory object

    public class Main extends Activity {
        static class InnerClass {
            static Bitmap bmp;   // static: lives as long as the class is loaded, not the Activity
            InnerClass(Context context) {
                ... ...
            }
        }
        InnerClass in;

        public void onCreate() {
            in = new InnerClass(this);
            ...
        }

        public void onDestroy() {
            in = null;
        }
    }

The onCreate method creates an instance of the inner class. The onDestroy method releases the object by setting the in variable to null. However, the static object still remains in memory, causing a leak

Page 100

Leak prevention strategy

Description | Allocation location | Expected release location
Bitmap/ImageView image object | View/onDraw | Activity/onDestroy
Memory object inside event handler | Event handler class definition | Activity/onDestroy
Drawable object allocation inside view | Activity/onCreate | Activity/onDestroy
Static/constant object (public/private) | Inner class, Activity, View | Activity/onDestroy
Activity termination | Activity/onCreate | Activity/onDestroy

Page 101

Understanding the lifecycle for leak mitigation

• Device rotation may put an app in the paused state
• Another instance is recreated
• onDestroy() may not be invoked while the app is in the onPause() status
• This causes a memory leak

Page 102

Kennesaw State University, Kennesaw, GA

Fuzz Testing of Memory Leak

A memory leak is not related to supplying specific malformed inputs and confirming expected output results

Rather, it is due to abnormal user-level activities, which may include destroying an activity voluntarily or involuntarily

Wrongful assumptions of programmers: about the built-in garbage collector, a lack of understanding of the role of the built-in methods that avoid memory leaks, and that application resources will never be altered (images in the res/drawable folder)

Three types of fuzz testing to emulate memory leak:
Application fuzzing
Resource fuzzing
API fuzzing

Page 103


Memory leak patterns and fuzz testing type

Memory object | Memory allocation location | Expected location of memory release | Application fuzzing | Resource fuzzing | API fuzzing
Bitmap, ImageView | View/onDraw | Activity/onDestroy(), recycle(), null assignment, System.gc() | Yes | Yes | Yes
Memory object inside event handler | Event handler class definition | Activity/onDestroy(), setOnClickListener(null) | Yes | No | No
Drawable object allocation inside view | Activity/onCreate | Activity/onDestroy(), setCallback(null), setBackgroundDrawable(null) | Yes | Yes | No
Static/constant object (public/private) | Inner class, Activity, View | Activity/onDestroy(), null assignment, System.exit(0) | Yes | Yes | Yes
AdView object | Activity/onCreate | Activity/onDestroy(), null assignment, destroy() | Yes | No | Yes

Page 104


Memory leak patterns and fuzz testing type

Fuzzing type | Steps

Application (repeated launching of an application):
1. Launch an application.
2. Close the application.
3. Repeat steps 1 and 2 N times.

Application (rotating the application frequently):
1. Launch an application.
2. Rotate the device or application.
3. Wait for a few seconds.
4. Repeat steps 2 and 3 N times.

Resource:
1. Remove an image file randomly from a resource folder.
2. Add a new image file having an increased size compared to the removed file.
3. Launch the application.
4. If the application does not crash, repeat steps 1-3, substituting the image with an image of increased size.
5. If the application crashes, or the number of attempts exceeds N, then stop.

API:
1. Replace a specific API call with a suitable wrapper, or remove the API calls to nullify the effect. Applicable for recycle(), System.gc(), System.exit(), and destroy().
2. Launch the application, invoke the relevant activity, and then observe the response.
3. Repeat steps 1-2 for all the API calls of interest.
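The two application-fuzzing procedures above (repeated launching and frequent rotation), as an added Python driver that is not part of the slides or of the author's test harness. It builds the step sequences with standard adb commands (`am start`, `am force-stop`, and the system `accelerometer_rotation` / `user_rotation` settings to force orientation changes), runs them in dry-run mode by default, and decides whether the app under test crashed by scanning a logcat dump for a FATAL EXCEPTION attributed to its process. The package and activity names and the logcat excerpt are constructed placeholders.

```python
import re
import subprocess
import time

# Constructed identifiers: placeholders for the app under test, not an app from the slides
PACKAGE = "com.example.leaky"
ACTIVITY = "com.example.leaky/.MainActivity"


def repeated_launch_steps(package, activity, n):
    """Application fuzzing, repeated launching: N launch/close cycles (steps 1-3 on the slide)."""
    steps = []
    for _ in range(n):
        steps.append(("adb", ["adb", "shell", "am", "start", "-n", activity]))
        steps.append(("adb", ["adb", "shell", "am", "force-stop", package]))
    return steps


def rotation_steps(activity, n, settle_seconds=3):
    """Application fuzzing, frequent rotation: launch once, then N rotations with a short
    wait after each (steps 1-4). Rotation is forced through the system settings:
    auto-rotate off, then user_rotation cycled through 0..3 (0/90/180/270 degrees)."""
    steps = [("adb", ["adb", "shell", "am", "start", "-n", activity]),
             ("adb", ["adb", "shell", "settings", "put", "system", "accelerometer_rotation", "0"])]
    for i in range(n):
        steps.append(("adb", ["adb", "shell", "settings", "put", "system",
                              "user_rotation", str((i + 1) % 4)]))
        steps.append(("wait", settle_seconds))
    return steps


CRASH_HEADER = re.compile(r"AndroidRuntime.*FATAL EXCEPTION")
CRASH_PROCESS = re.compile(r"AndroidRuntime.*Process: (\S+?),")


def crashed_in_logcat(logcat_text, package):
    """True if a FATAL EXCEPTION in the dump is followed by a Process: line naming `package`."""
    lines = logcat_text.splitlines()
    for i, line in enumerate(lines):
        if CRASH_HEADER.search(line):
            for follow in lines[i + 1:i + 4]:
                m = CRASH_PROCESS.search(follow)
                if m and m.group(1) == package:
                    return True
    return False


def run_steps(steps, package, dry_run=True):
    """Run the steps. Returns (commands executed, crashed); crashed is None in dry-run mode."""
    executed = []
    if not dry_run:
        subprocess.run(["adb", "logcat", "-c"], check=True)   # clear old log before fuzzing
    for kind, arg in steps:
        if kind == "wait":
            if not dry_run:
                time.sleep(arg)
            continue
        executed.append(" ".join(arg))
        if not dry_run:
            subprocess.run(arg, check=True)
    if dry_run:
        return executed, None
    dump = subprocess.run(["adb", "logcat", "-d"], check=True,
                          capture_output=True, text=True).stdout
    return executed, crashed_in_logcat(dump, package)


# Constructed logcat excerpt in the classic "tag(pid)" format, to exercise the crash check offline
SAMPLE_LOGCAT = """\
I/ActivityManager( 612): Start proc com.example.leaky for activity com.example.leaky/.MainActivity: pid=4242
E/AndroidRuntime(4242): FATAL EXCEPTION: main
E/AndroidRuntime(4242): Process: com.example.leaky, PID: 4242
E/AndroidRuntime(4242): java.lang.OutOfMemoryError: Failed to allocate a 20111376 byte allocation
"""

if __name__ == "__main__":
    for cmd in run_steps(rotation_steps(ACTIVITY, 2), PACKAGE, dry_run=True)[0]:
        print(cmd)
    print("crash in sample log:", crashed_in_logcat(SAMPLE_LOGCAT, PACKAGE))
```

Switching `dry_run` to False runs the sequence against a connected device or emulator; the crash check then reads the real `adb logcat -d` output, and an OutOfMemoryError after repeated cycles is the leak symptom the slide's results tables record as "Crash".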

Page 105

Results

6 out of every 10 applications crashed due to repeated launching

Only 3 applications crashed due to continuous rotation

Results of resource fuzzing

Application | 10MB | 50MB | 100MB
Barcode Scanner | No crash | Crash | Crash
FxCamera | Crash | Crash | Crash
Huffington Post | No crash | No crash | Crash
My Currency Converter | No crash | Crash | Crash
Skype | No crash | Crash | Crash
To-Do Calendar Planner | Crash | No crash | Crash
Viber | No crash | No crash | Crash
Virtual Table Tennis 3D | Crash | Crash | Crash
WhatsApp | No crash | Crash | Crash
YouTube | Crash | Crash | Crash

Results of application fuzzing

Application | Repeated launching | Rotating
Barcode Scanner | Crash | No crash
FxCamera | No crash | No crash
Huffington Post | No crash | No crash
My Currency Converter | Crash | Crash
Skype | Crash | No crash
To-Do Calendar Planner | Crash | Crash
Viber | No crash | No crash
Virtual Table Tennis 3D | Crash | Crash
WhatsApp | Crash | No crash
YouTube | No crash | No crash

Page 106

Developer support: Heap snapshot

Examine a heap dump to identify which objects are taking up the most memory

The heap dump is stored in a binary format called HPROF

It can be created in the DDMS perspective (Eclipse, IntelliJ)

https://eclipse.org/mat/

Page 107

Conclusions

Malware apps can invoke actions resulting in leakage of personal data or financial losses to the end users

Both good and bad (malware) apps have overlapping permissions and API signatures

Android built-in features, recommended development practices, and permission display are not sufficient

The burden is on users and developers

Mitigation approaches vary in performance, and only provide a defense in depth

The memory leak issue can be subtle to address

Page 108

References

V. Cooper, H. Shahriar, H. Haddad, "A Survey of Android Malware Characteristics and Mitigation Techniques," Proc. 11th IEEE International Conference on Information Technology: New Generations (ITNG), 2014, pp. 327-332.

H. Shahriar, H. Haddad, "Content Provider Leakage Vulnerability Detection in Android Applications," Proc. 7th ACM/SIGSAC International Conference on Security of Information and Networks (SIN), ACM, 2014, pp. 359-366.

V. N. Cooper, H. M. Haddad, H. Shahriar, "Android Malware Detection Using Kullback-Leibler Divergence," ADCAIJ: Advances in Distributed Computing and Artificial Intelligence, 2014.

A. Porter Felt, M. Finifter, E. Chin, S. Hanna, D. Wagner, "A Survey of Mobile Malware in the Wild," Proc. 2011 ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), Chicago, USA, 2011.

Y. Zhou, X. Jiang, "Dissecting Android Malware: Characterization and Evolution," 2012 IEEE Symposium on Security and Privacy (SP), Oakland, CA, May 2012, pp. 95-109.

Felt et al., "The Effectiveness of Application Permissions," Proc. 2nd USENIX Conference on Web Application Development, USENIX Association, Berkeley, CA, 2011.

D. Barrera, H. G. Kayacik, P. C. van Oorschot, A. Somayaji, "A Methodology for Empirical Analysis of Permission-Based Security Models and its Application to Android," Proc. ACM CCS, 2010.

H. Shahriar, V. Clincy, "Detection of Repackaged Android Malware," Proc. 9th IEEE International Conference for Internet Technology and Secured Transactions (ICITST-2014), 2014, pp. 350-355.

H. Shahriar, S. North, E. Mawangi, "Testing of Memory Leak in Android Applications," Proc. 15th IEEE International Symposium on High-Assurance Systems Engineering (HASE), 2014, pp. 176-183.

Page 109

Dilbert and Smart phone