This document summarizes mobile malware and security issues in Android apps. It discusses identifying malware at app stores rather than on devices. It also describes a study that analyzed over 1 million Android apps from the Google Play store, finding that 85% used web interfaces and many were vulnerable. Additionally, it covers how outdated Android apps may disable security patches by targeting older Android versions and behaving in riskier default ways.
2. Outline
• Mobile malware
• Identifying malware
– Detect at app store rather than on platform
• Classification study of mobile web apps
– Entire Google Play market as of 2014
– 85% of approx 1 million apps use web interface
• Target fragmentation in Android
– Out-of-date Apps may disable more recent security platform patches
6. Based on FairPlay vulnerability
• Requires malware on user PC, installation of malicious app in App Store
• Continues to work after app removed from store
• Silently installs app on phone
8. Current Android Malware
• AccuTrack: This application turns an Android smartphone into a GPS tracker.
• Ackposts: This Trojan steals contact information from the compromised device and uploads them to a remote server.
• Acnetdoor: This Trojan opens a backdoor on the infected device and sends the IP address to a remote server.
• Adsms: This is a Trojan which is allowed to send SMS messages. The distribution channel ... is through a SMS message containing the download link.
• Airpush/StopSMS: Airpush is a very aggressive Ad-Network.
…
• BankBot: This malware tries to steal users’ confidential information and money from bank and mobile accounts associated with infected devices.
Source: http://forensics.spreitzenbarth.de/android-malware/
11. • “Even security companies know the risk is low — that's why apps
are packaged with other selling points.” - AndroidCentral
• Kevin Haley, Symantec's Director of Symantec Security Response:
– "Symantec sees an important role to play in helping to protect
data and mobile devices from being exposed to risk," …
– "While Symantec sees its purpose in the mobile landscape as
providing security against malware, fraud and scams; we also
protect devices against loss and theft — loss of the device itself,
as well as the information on it. In addition, Symantec helps
businesses protect and manage their data being stored or
transmitted through the mobile devices of their employees."
http://www.androidcentral.com/antivirus-android-do-you-need-it
15. Outline
• Mobile malware
• Identifying malware
– Detect at app store rather than on platform
• Classification study of mobile web apps
– Entire Google Play market as of 2014
– 85% of approx 1 million apps use web interface
• Target fragmentation in Android
– Out-of-date Apps may disable more recent security platform patches
16. STAMP Admission System
(Figure labels: Static, Dynamic, STAMP)
• Static Analysis: more behaviors, fewer details
• Dynamic Analysis: fewer behaviors, more details
Alex Aiken, John Mitchell, Saswat Anand, Jason Franklin, Osbert Bastani, Lazaro Clapp, Patrick Mutchler, Manolis Papadakis
17. Abstract program execution
• States: mapping of variable names to values
• Transitions: relation on pairs of states
• Traces: sequence of states or state, transition pairs
18. Analysis
Step 1: Convert bytecode to intermediate format (called Quads)
Step 2: Compute call graph using Class Hierarchy Analysis
Step 3: Build an edge-labeled graph G by processing Quads of each class
Step 4: Add new edges to G as per a set of rules until no rules apply
19. Data Flow Analysis
(Figure: getLoc() is a source of Location data; sendSMS() and sendInet() are sinks for SMS and Internet; the flows drawn are Location → SMS and Location → Internet)
• Source-to-sink flows
o Sources: Location, Calendar, Contacts, Device ID etc.
o Sinks: Internet, SMS, Disk, etc.
20. Data Flow Analysis in Action
• Vulnerability Discovery
(Figure: Web → Source: Untrusted_Data → SQL Stmt → Sink: SQL)
• Malware/Greyware Analysis
o Data flow summaries enable enterprise-specific policies
• API Misuse and Data Theft Detection
• Automatic Generation of App Privacy Policies
(Figure: FB API → Source: FB_Data → Send → Sink: Internet; generated Privacy Policy reads “This app collects your: Contacts, Phone Number, Address”)
o Avoid liability, protect consumer privacy
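The four-step analysis of slide 18 and the source-to-sink summaries of slides 19-20, reduced to a runnable sketch in Python. This is an added example, not STAMP code: the Quad-like program, the source and sink tables and the single propagation rule are constructed here.

```python
"""Source-to-sink data-flow analysis in the style of slides 18-20.
Added example, not STAMP code: the Quad-like program, the source/sink
tables and the single propagation rule are all constructed here."""
from collections import defaultdict

# API calls modelled as sources (what kind of sensitive data they return)
# and sinks (where data leaves the app), using the deck's categories.
SOURCES = {"getLoc": "Location", "getContacts": "Contacts"}
SINKS = {"sendSMS": "SMS", "sendInet": "Internet", "writeLog": "SystemLog"}

# Constructed program in three-address form, one tuple per "Quad":
#   ("call", dst, api)        dst = api()
#   ("assign", dst, src)      dst = src
#   ("concat", dst, a, b)     dst = a + b
#   ("callarg", api, arg)     api(arg)
PROGRAM = [
    ("call", "loc", "getLoc"),
    ("call", "contacts", "getContacts"),
    ("assign", "msg", "loc"),
    ("concat", "body", "msg", "contacts"),
    ("assign", "tmp", "constant"),
    ("callarg", "sendSMS", "body"),     # Location and Contacts reach SMS
    ("callarg", "sendInet", "tmp"),     # only a constant reaches Internet
    ("callarg", "writeLog", "loc"),     # Location reaches the system log
]


def build_graph(program):
    """Step 3: edge-labelled graph. Edge (u, v) means data at u may flow to v."""
    edges = set()
    for op, *args in program:
        if op == "call":
            dst, api = args
            edges.add((api, dst))
        elif op in ("assign", "concat"):
            dst, *srcs = args
            edges.update((s, dst) for s in srcs)
        elif op == "callarg":
            api, *srcs = args
            edges.update((s, api) for s in srcs)
        else:
            raise ValueError(f"unknown quad {op!r}")
    return edges


def close_flows(edges):
    """Step 4: apply the rule 'u->v and v->w gives u->w' until no rule applies.
    Flow-insensitive, so it never misses a flow (soundness, slide 21) at the
    cost of possible false positives (precision)."""
    edges = set(edges)
    changed = True
    while changed:
        changed = False
        succ = defaultdict(set)
        for u, v in edges:
            succ[u].add(v)
        for u, v in list(edges):
            for w in succ[v]:
                if (u, w) not in edges:
                    edges.add((u, w))
                    changed = True
    return edges


def source_sink_flows(program):
    """Sorted (source type, sink type) pairs: the app's data-flow summary."""
    closed = close_flows(build_graph(program))
    return sorted({(SOURCES[u], SINKS[v]) for u, v in closed
                   if u in SOURCES and v in SINKS})


def policy_violations(flows, forbidden):
    """Slide 20: an enterprise policy is just a set of forbidden flows."""
    return [f for f in flows if f in forbidden]


def privacy_policy(flows):
    """Slide 20: generate 'This app sends your X to ...' lines from the summary."""
    by_source = defaultdict(list)
    for src, sink in flows:
        by_source[src].append(sink)
    return [f"This app sends your {src} to: {', '.join(sinks)}"
            for src, sinks in sorted(by_source.items())]


if __name__ == "__main__":
    flows = source_sink_flows(PROGRAM)
    print(flows)
    print(policy_violations(flows, {("Location", "SMS")}))
    print("\n".join(privacy_policy(flows)))
```

The constant reaching sendInet() is correctly not reported, while the concatenation makes both Location and Contacts reach SMS.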
21. Challenges
• Android is 3.4M+ lines of complex code
o Uses reflection, callbacks, native code
• Scalability: Whole system analysis impractical
• Soundness: Avoid missing flows
• Precision: Minimize false positives
22. STAMP Approach
• Model Android/Java
o Sources and sinks
o Data structures
o Callbacks
o 500+ models
• Whole-program analysis
o Context sensitive
(Figure: apps are analysed against Android models; analysing the full stack of Android, OS and HW is labelled “Too expensive!”)
23. Data We Track (Sources): 30+ types of sensitive data
• Account data
• Audio
• Calendar
• Call log
• Camera
• Contacts
• Device Id
• Location
• Photos (Geotags)
• SD card data
• SMS
24. Data Destinations (Sinks): 10+ types of exit points
• Internet (socket)
• SMS
• Email
• System Logs
• Webview/Browser
• File System
• Broadcast Message
26. Example Analysis
Contact Sync for Facebook (unofficial)
Description:
This application allows you to synchronize
your Facebook contacts on Android.
IMPORTANT:
* "Facebook does not allow [sic] to export phone
numbers or emails. Only names, pictures and
statuses are synced."
* "Facebook users have the option to block one or all
apps. If they opt for that, they will be EXCLUDED
from your friends list."
Privacy Policy: (page not found)
28. Possible Flows from Permissions
Sources: INTERNET, READ_CONTACTS, READ_SYNC_SETTINGS, READ_SYNC_STATS, GET_ACCOUNTS
Sinks: WRITE_SETTINGS, WRITE_CONTACTS, WRITE_SECURE_SETTINGS, INTERNET
31. Outline
• Mobile malware
• Identifying malware
– Detect at app store rather than on platform
• Classification study of mobile web apps
– Entire Google Play market as of 2014
– 85% of approx 1 million apps use web interface
• Target fragmentation in Android
– Out-of-date Apps may disable more recent security platform patches
32. A Large-Scale Study of
Mobile Web App Security
Patrick Mutchler, Adam Doupe,
John Mitchell, Chris Kruegel, Giovanni Vigna
42. Static Analysis
• How many mobile web apps?
• How many use JavaScript Bridge?
• How many vulnerable?
43. Experimental Results
• 737,828 free apps from Google Play (Oct ’13)
• 563,109 apps embed a browser
• 219,404 use the JavaScript Bridge
• 107,974 have at least one security violation
44. Most significant vulnerabilities
1. Loading untrusted web content
2. Leaking URLs to foreign apps
3. Exposing state changing navigation to foreign apps
45. 1. Loading untrusted web content
2. Leaking URLs to foreign apps
3. Exposing state changing navigation to foreign apps
46. “You should restrict the web-pages that can load inside your WebView with a whitelist.”
- Facebook
47. “…only loading content from trusted sources into WebView will help protect users.”
- Adrian Ludwig, Google
64. Takeaways
• Apps must not load untrusted content into WebViews
• Able to identify violating apps using static analysis
• Vulnerabilities are present in the entire app ecosystem
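The allowlist that the Facebook and Google quotes recommend, expressed as decision logic in Python (an added example, not the study's code or Android's API; in an app the same check would run inside WebViewClient.shouldOverrideUrlLoading). The allowed hosts are constructed; the point is the edge cases a naive substring match gets wrong.

```python
"""WebView URL allowlist check (added example, not code from the study).
Decides whether a navigation may load; the Android wiring is not shown."""
from urllib.parse import urlparse

ALLOWED_HOSTS = {"facebook.com", "cdn.example.net"}   # constructed allowlist


def host_allowed(host, allowed):
    """Exact match or a subdomain of an allowed host, never a substring match,
    so facebook.com.evil.example does not pass as facebook.com."""
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)


def may_load(url, allowed=ALLOWED_HOSTS):
    """True only for https URLs whose host is on the allowlist.
    Plain http is refused (it would reintroduce mixed content, slide 85),
    as are file:, javascript: and data: URLs (slide 88 file-origin issues)."""
    try:
        parts = urlparse(url)
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":
        return False
    # urlparse yields the real host, so https://facebook.com@evil.example/
    # has hostname evil.example and is refused.
    return host_allowed(parts.hostname, allowed)


def partition(urls, allowed=ALLOWED_HOSTS):
    """Split a list of navigation targets into (allowed, blocked)."""
    ok = [u for u in urls if may_load(u, allowed)]
    blocked = [u for u in urls if not may_load(u, allowed)]
    return ok, blocked


if __name__ == "__main__":
    # Constructed navigation targets an intercepting page might try.
    sample = [
        "https://m.facebook.com/login",
        "https://facebook.com.evil.example/",
        "https://facebook.com@evil.example/",
        "http://m.facebook.com/",
        "file:///sdcard/page.html",
        "javascript:void(0)",
    ]
    print(partition(sample))
```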
65. Outline
• Mobile malware
• Identifying malware
– Detect at app store rather than on platform
• Classification study of mobile web apps
– Entire Google Play market as of 2014
– 85% of approx 1 million apps use web interface
• Target fragmentation in Android
– Out-of-date Apps may disable more recent security platform patches
67. Takeaways
Android apps can run using outdated OS behavior
- The large majority of Android apps do this
- Including popular and well maintained apps
Outdated security code invisibly permeates the app ecosystem
- “Patched” security vulnerabilities still exist in the wild
- “Risky by default” behavior is widespread
68. Roadmap
What is target fragmentation?
Target fragmentation statistics
Security consequences
69. Roadmap
What is target fragmentation?
Target fragmentation statistics
Security consequences
70. “If the device is running Android 6.0 or higher… [the app] must request each dangerous permission that it needs while the app is running.”
- Android Developer Reference
71. “If the device is running Android 6.0 or higher and your app's target SDK is 6.0 or higher [the app] must request each dangerous permission that it needs while the app is running.”
- Android Developer Reference
72. “If the [operating system version of the device] is higher than the version declared by your app’s targetSdkVersion, the system may enable compatibility behaviors to ensure that your app continues to work the way you expect.”
- Android Developer Reference
73. Roadmap
What is target fragmentation?
Target fragmentation statistics
Security consequences
74. Dataset
1,232,696 Android Apps
Popularity, Category, Update, and Developer metadata
Collected between May 2012 and Dec 2015
Broken into five datasets by collection date
82. Fragment Injection
Fixed in Android 4.4
Developers implement isValidFragment to authorize fragments
    // Put this in your PreferenceActivity subclass: only the named
    // fragment class may be instantiated from an incoming Intent
    @Override
    protected boolean isValidFragment(String fName) {
        return MyFrag.class.getName().equals(fName);
    }
83. Fragment Injection
Vulnerable if:
- Targets 4.3 or lower (31%)
- Some class inherits from PreferenceActivity (4.8%)
- That class is exported (1.1%)
- That class does not override isValidFragment (0.55%)
4.2% of apps vulnerable if no fix was ever implemented
85. Mixed Content in WebView
Major web browsers block Mixed Content
In Android 5.0, WebViews block Mixed Content by default
Can override default with setMixedContentMode()
88. SOP for file:// URLs in WebView
Since Android 4.1, separate file:// URLs are treated as unique origins
Can override with setAllowFileAccessFromFileURLs()
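Slides 70-88 tie each security default to a minimum targetSdkVersion, and the editor's notes measure how far behind an app's target is. The checker below, an added example and not the study's tooling, puts those thresholds and the slide 83 condition chain into one audit over constructed app metadata. It assumes the standard API-level mapping (16 = 4.1, 19 = 4.4, 21 = 5.0, 23 = 6.0) and approximate public release dates; the exact outdatedness formula is not on the page, so the one used here is a labelled reading of the notes.

```python
"""Target fragmentation audit (added example, not the study's code).
API levels: 16 = Android 4.1, 19 = 4.4, 21 = 5.0, 23 = 6.0.
Release dates below are approximate and are an assumption of this example."""
from dataclasses import dataclass
from datetime import date

# Security behaviours that apply only when targetSdkVersion >= level (slides 70-88).
SECURITY_CHANGES = {
    16: "WebView treats separate file:// URLs as unique origins",
    19: "PreferenceActivity consults isValidFragment (fragment injection fix)",
    21: "WebView blocks mixed content by default",
    23: "dangerous permissions must be requested at runtime",
}

# Approximate public release dates of each API level (assumption).
RELEASE_DATES = {
    16: date(2012, 7, 9), 17: date(2012, 11, 13), 18: date(2013, 7, 24),
    19: date(2013, 10, 31), 21: date(2014, 11, 12), 22: date(2015, 3, 9),
    23: date(2015, 10, 5),
}


@dataclass
class PreferenceActivityInfo:
    class_name: str
    exported: bool
    overrides_is_valid_fragment: bool


@dataclass
class AppFacts:
    package: str
    target_sdk: int
    last_updated: date
    preference_activities: list


def missing_protections(target_sdk):
    """Platform security changes the app never receives, however new the device."""
    return [msg for level, msg in sorted(SECURITY_CHANGES.items()) if target_sdk < level]


def fragment_injection_vulnerable(app):
    """Slide 83 chain: targets 4.3 or lower, has an exported PreferenceActivity
    subclass, and that class does not override isValidFragment."""
    if app.target_sdk >= 19:
        return False          # platform fix active: isValidFragment is consulted
    return any(p.exported and not p.overrides_is_valid_fragment
               for p in app.preference_activities)


def latest_sdk_on(day):
    """Newest API level publicly released on or before `day`."""
    released = [lvl for lvl, d in RELEASE_DATES.items() if d <= day]
    if not released:
        raise ValueError(f"no known release on or before {day}")
    return max(released)


def _release_date(level):
    """Release date of `level`, or of the nearest known lower level
    (API 20 was Wear-only and is deliberately absent from the table)."""
    known = [lvl for lvl in RELEASE_DATES if lvl <= level]
    if not known:
        raise ValueError(f"API level {level} predates the table")
    return RELEASE_DATES[max(known)]


def outdatedness_days(target_sdk, collected_on):
    """Days between the release of the targeted version and the newest version
    available when the app was collected (assumed reading of 'outdatedness')."""
    newest = latest_sdk_on(collected_on)
    return (RELEASE_DATES[newest] - _release_date(target_sdk)).days


def negligent_outdatedness_days(app):
    """Same measure against the newest version available when the developer last
    shipped an update, so a stale app is not blamed for releases after its last
    build (assumed reading of 'negligent outdatedness' in the notes)."""
    return outdatedness_days(app.target_sdk, app.last_updated)


# Constructed sample apps; the package names are not real.
SAMPLES = [
    AppFacts("com.example.settingsleak", 18, date(2015, 6, 1),
             [PreferenceActivityInfo("SettingsActivity", True, False)]),
    AppFacts("com.example.current", 23, date(2015, 11, 20),
             [PreferenceActivityInfo("SettingsActivity", True, False)]),
]


def report(app, collected_on=date(2015, 12, 1)):
    """One audit record per app, as the study's per-app classification would."""
    return {
        "package": app.package,
        "missing": missing_protections(app.target_sdk),
        "fragment_injection": fragment_injection_vulnerable(app),
        "outdated_days": outdatedness_days(app.target_sdk, collected_on),
        "negligent_days": negligent_outdatedness_days(app),
    }


if __name__ == "__main__":
    for app in SAMPLES:
        print(report(app))
```

The second sample has the same exported PreferenceActivity without an override, yet is not vulnerable: targeting 23 is what activates the platform's isValidFragment check.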
91. Recap
Android apps can run using outdated OS behavior
- The large majority of Android apps do this
- Including popular and well maintained apps
Outdated security code invisibly permeates the app ecosystem
- “Patched” security vulnerabilities still exist in the wild
- “Risky by default” behavior is widespread
92. Summary
• Mobile malware
• Identifying malware
– Detect at app store rather than on platform
• Classification study of mobile web apps
– Entire Google Play market as of 2014
– 85% of approx 1 million apps use web interface
• Target fragmentation in Android
– Out-of-date Apps may disable more recent security platform patches
Editor's Notes
30 seconds
5 minutes
29% unsafe nav
51% http
53% https
Outline
Story to explain why targetSdkVersion exists.
Requiring code changes to run on new OS versions hurts forwards compatibility.
Story to explain why targetSdkVersion exists.
Requiring code changes to run on new OS versions hurts forwards compatibility.
Describe targetSdkVersion design
Not all old code is used.
Set up outdatedness here!
We aren’t just concerned with whether an app is out of date. We are concerned with how out of date that app is.
Define outdatedness.
Cumulative distribution of outdatedness for apps collected in December 2015
8% of apps target the most current version (6.0, released in October)
50% of apps target versions at least 500 days out of date
20% of apps target versions at least 1000 days out of date
Cumulative distributions for different install counts.
Apps installed 10m times are a bit better but target fragmentation is still a severe problem.
Fewer than 20% target 6.0. 80th percentile is still about two years out of date.
Let's be even more generous and account for stale apps on the app store.
Define negligent outdatedness
Compare negligent outdatedness and outdatedness curves. Shows that stale apps are not the primary cause of outdatedness.
Outline
Introduce and explain fragment injection attack
Describe the solution for fragment injection. Fixed on Sep 3rd 2013.
But what happens when you don’t implement isValidFragment?
Vulnerability rates.
The “fix” has only reduced the vuln rate to 20% of what it would be if no fix was ever implemented.
Define mixed content and explain what webview is.
Explain mixed content changes
We cannot directly measure the number of “vulnerable” apps that allow mixed content because it is possible to do so safely.
Instead we try to understand the number of apps that “accidentally” allow mixed content.
Assume that the % of apps that want to allow mixed content is constant
Red bar are apps that allow mixed content unnecessarily
Red bar represents 18% of apps from December
Difference is 64%.
15% of apps target <16
9.6% of all apps
Difference is 64%.
15% of apps target <16
9.6% of all apps
You can see this going two ways:
One is that developers who use Feature X are more likely to retarget when a security change comes to Feature X
One is that developers who use Feature X are *less* likely to retarget when a change comes to Feature X because it breaks their code
Apps that use PreferenceActivity target 19+ 66% of the time while the general population targets 19+ 69% of the time.
Apps that use WebView...
Apps that export Content Providers
Big takeaways from this paper
Make third point into a sentence
Make this last point punchier