An extension to the Android access control framework

Huang, Qing

January 2011

Several nice hardware functionalities located at the low level of operating system onmobile phones could be utilized in a better way if they are available to applicationdevelopers. With their help, developers are able to bring overall user experienceto a new level in terms of developing novel applications. For instance, one of thosehardware functionalities, SIM-card authentication is able to offer stronger andmore convenient way of authentication when compared to the traditional approach.Replacing the username-password combination with the SIM-card authentication,users are freed from memorizing passwords. However, since normally those kindsof functionalities are locked up at the low level, they are only accessible by a fewusers who have been given privileged access rights. To let the normal applicationsbe benefiting as well, they need to be made accessible at the application level. Onthe one hand, as we see the benefit it will bring to us, there is a clear intentionto open it up, however, on the other hand, there is also a limitation resultingfrom their security-critical nature that needs to be placed when accessing whichis restricting the access to trusted third parties. Our investigation is based on the Android platform. The problem that we havediscovered is the existing security mechanism in Android is not able to satisfy everyregards of requirements we mentioned above when exposing SIM-card authenticationfunctionality. Hence, our requirement on enhancing the access control modelof Android comes naturally. In order to better suit the needs, we proposed a solutionWhite lists & Domains (WITDOM) to improve its current situation in thethesis. The proposed solution is an extension to the existing access control modelin Android that allows alternative ways to specify access controls therefore complementingthe existing Android security mechanisms. We have both designedand implemented the solution and the result shows that with the service that weprovided, critical functionalities, such as APIs for the low-level hardware functionalitycan retain the same level of protection however in the meanwhile, with moreflexible protection mechanism.

Android security

access control

Privacy Preserving Controls for Android Applications

January 2014

abstract: Android is currently the most widely used mobile operating system. The permission model in Android governs the resource access privileges of applications. The permission model however is amenable to various attacks, including re-delegation attacks, background snooping attacks and disclosure of private information. This thesis is aimed at understanding, analyzing and performing forensics on application behavior. This research sheds light on several security aspects, including the use of inter-process communications (IPC) to perform permission re-delegation attacks. Android permission system is more of app-driven rather than user controlled, which means it is the applications that specify their permission requirement and the only thing which the user can do is choose not to install a particular application based on the requirements. Given the all or nothing choice, users succumb to pressures and needs to accept permissions requested. This thesis proposes a couple of ways for providing the users finer grained control of application privileges. The same methods can be used to evade the Permission Re-delegation attack. This thesis also proposes and implements a novel methodology in Android that can be used to control the access privileges of an Android application, taking into consideration the context of the running application. This application-context based permission usage is further used to analyze a set of sample applications. We found the evidence of applications spoofing or divulging user sensitive information such as location information, contact information, phone id and numbers, in the background. Such activities can be used to track users for a variety of privacy-intrusive purposes. We have developed implementations that minimize several forms of privacy leaks that are routinely done by stock applications. / Dissertation/Thesis / Masters Thesis Computer Science 2014

Computer science

Computer engineering

Android Permissions

Android Security

Privacy Android

Multi-Dimensional Identification of Vulnerable Access Control in Mobile Applications

Chaoshun, Zuo

January 2020

No description available.

Computer Science

Revisiting the Evolution of Android Permissions

Lu, Can

January 2018

No description available.

Information Technology

Android

Android permission

Android Security

Android app

Leveraging attention-based deep neural networks for security vetting of Android applications

Pathak, Prabesh

01 June 2021

No description available.

Computer Science

Android

Android Security

Attention

Classification

Deep Learning

Building Android Malware Detection Architectures using Machine Learning

Mathur, Akshay

January 2022

No description available.

Computer Science

Technology

A Security and Privacy Audit of KakaoTalk’s End-to-End Encryption

Schmidt, Dawin

January 2016

End-to-end encryption is becoming a standard feature in popular mobile chat appli-cations (apps) with millions of users. In the two years a number of leading chat apps have added end-end encryption features including LINE, KakaoTalk, Viber, Facebook Messenger, and WhatsApp.However, most of these apps are closed-source and there is little to no independent ver-ification of their end-to-end encryption system design. These implementations may be a major concern as proprietary chat apps may make use of non-standard cryptographic algorithms that may not follow cryptography and security best practices. In addition, governments authorities may force chat app providers to add easily decryptable export-grade cryptography to their products. Further, mainstream apps have a large attack surface as they offer a variety of features. As a result, there may be software vulnera-bilities that could be exploited by an attacker in order to compromise user’s end-to-end privacy. Another problem is that, despite being closed-source software, providers often market their apps as being so secure that even the provider is not able to decrypt messages. These marketing claims may be potentially misleading as most users do not have the technical knowledge to verify them.In this Master’s thesis we use KakaoTalk – the most popular chat app in South Korea – as a case study to perform a security and privacy assessment and audit of its “Secure Chat” opt-in end-to-end encryption feature. Also, we examine KakaoTalk’s Terms of Service policies to verify claims such as “[. . . ] Kakao’s server is unable to decrypt the encryption [. . . ]” from a technical perspective.The main goal of this work is to show how various issues in a product can add up to the potential for serious attack vectors against end-to-end privacy despite there being multiple layers of security. In particular, we show how a central public-key directory server makes the end-to-end encryption system vulnerable to well-known operator-site man-in-the-middle attacks. While this naive attack may seem obvious, we argue that (KakaoTalk) users should know about the strength and weaknesses of a particular design in order to make an informed decision whether to trust the security of a chat app or not. / End-to-end kryptering är en allt mer vanligt förekommande funktionalitet bland populära mobila chatttjänster (händanefter appar) med miljontals användare. Under de två senaste åren har många ledande chattappar, bland annat LINE, KakaoTalk, Viber, Facebook Messenger, och WhatsApp, börjat använda end-to-end kryptering. Dock så är de flesta av dessa appar closed-source och det finns begränsad, eller ingen, fristående granskning av systemdesignen för deras end-to-end kryptering. Dessa implementationer kan innebära en stor risk då proprietära chattappar kan använda sig av kryptografiska algoritmer som inte följer best practice för säkerhet eller kryptografi. Vidare så kan statliga myndigheter tvinga de som tillhandahåller chattappar att använda lättdekrypterad export-grade kryptografi för sina produkter. Lägg till det att de flesta vanliga appar har många ytor som kan attackeras, till följd av all funktionalitet de erbjuder. Som ett resultat av detta finns en risk för mjukvarubrister som kan utnyttjas av en hackare för att inkräkta på en användares end-to-end integritet. Ytterligare ett problem är att trots att det är closed-source mjukvara så marknadsför ofta appleverantörerna sina appar som att vara är så säkra att inte ens leverantörerna själva kan dekryptera användarnas meddelanden. Det som hävdas i marknadsföringen riskerar vara missledande eftersom de flesta användarna inte har den tekniska kunskap som krävs för att kunna verifiera att det som hävdas är sant. I den här Master-uppsatsen använder vi KakaoTalk – den mest populära chattappen i Sydkorea – som en fallstudie för att granska och bedömma säkerhetens- och integritets-aspekterna hos deras valbara “Secure Chat” med end-to-end krypteringsfunktionalitet. Vi granskar även KakaoTalk’s användarvillkor för att kunna verifiera påståenden som att “[. . . ] Kakao’s server is unable to decrypt the encryption [. . . ]” från ett tekniskt perspektiv. Det huvudsakliga syftet med denna studien är att belysa hur olika brister i en produkt sammantagna kan skapa en risk för allvarliga vektorattacker mot end-to-end integriteten även fast det finns flera skyddslager. Mer specifikt visar vi hur en central katalogserver för public-keys gör end-to-end krypteringssystemet sårbart mot välkända operator-site man-in-the-middle-attacker. Trots att denna naiva typ av attack kan verka uppenbar, argumenterar vi för att (KakaoTalk) användare borde veta om styrkorna och svagheterna med en särskild systemdesign för att kunna göra ett informerat val för om de ska lita på säkerheten hos en chattapplikation eller inte.

Secure Messaging

End-to-end Encryption

Android Security

Secure Messaging

End-to-end Encryption

Android Security

Elektroteknik och elektronik

Remote Method Invocation for Android Platform / Remote Method Invocation for Android Platform

Magic, Ľuboš

January 2012

The thesis inquires the potential of a remote method invocation in the context of the Android mobile devices. The primary goal of the thesis is to investigate execution of security-critical parts of application code on smart cards (a prominent example of a smart card is the SIM card). Further, the thesis discusses issues of implementation of the remote method invocation in general, covering also its other frequent forms (such as execution on a remote server). A part of the thesis is a real world case study, which demonstrates the results of the thesis.

Bezpečnostní testování obfuskovaných Android aplikací / Security Testing of Obfuscated Android Applications

Michalec, Pavol

January 2020

Diplomová práca je o bezpečnostnom testovaní obfuskovaných Android aplikácií. Teoretická časť práce opisuje základy obfuskácie a spomína niektoré vybrané obfuskátory. Dopad obfuskácie na penetračné testovanie je taktiež zmienený. Práca navrhuje dynamickú analýzu ako hlavný nástroj pri obchádzaní obfuskácie. Praktická časť práce popisuje ochrany aplikácie v reálnom čase a spôsoby, ako tieto ochrany obísť pomocou dynamickej analýzy. Druhá polovica praktickej časti je venovaná pokročilým technikám obfuskácie a spôsobom ich obídenia.

A FRAMEWORK FOR THE SOFTWARE SECURITY ANALYSIS OF MOBILEPOWER SYSTEMS

Yung Han Yoon (10732161)

05 May 2021

Mobile devices have become increasingly ubiquitous as they serve many important functions in our daily lives. However, there is not much research on remote threats to the battery and power systems of these mobile devices. The consequences of a successful attack on the power system of a mobile device can range from being a general nuisance, financial harm, to loss of life if emergency communications were interrupted. Despite the relative abundance of work on implementing chemical and physical safety systems for battery cells and power systems, remote cyber threats against a mobile battery system have not been as well studied. This work created a framework aimed at auditing the power systems of mobile devices and validated the framework by implementing it in a case study on an Android device. The framework applied software auditing techniques to both the power system and operating system of a mobile device in a case study to discover possible vulnerabilities which could be used to exploit the power system. Lessons learned from the case study are then used to improve, revise, and discuss the limitations of the framework when put in practice. The effectiveness of the proposed framework was discovered to be limited by the availability of appropriate tools to conduct vulnerability assessments.<br>

Computer System Security

software audit

mobile battery system

vulnerability analysis approach

framework

Android Security