Analyzing Security Property of Android Application
As mobile phones are becoming a main approachfor people to use to access internet, security is a major concernwhen people are using their mobile phones. Different from theweb browser which has mature isolation mechanisms to protectusers’ information such as cookies and credentials, Androidapp developers have to implement the isolation mechanism suchas the Single Origin Policy (SOP) [1], [2] themselves. Duringthe implementation process, it is highly likely that there isvulnerability in the implementation. Therefore, it is necessaryto perform analysis to the implementation before it is releasedto market. As part of an ongoing Ph.D. research project, thisdissertation inspects two scenarios. The first scenario is an appwhich provides Single Sign-on (SSO) service using FacebookSDK. The author builds formal models from the capturednetwork traffic of the app and uses a verifier Proverif to checkagainst the defined properties of the formal models. After theanalysis, one vulnerability is discovered which violates SOP. Asfor the second scenario, it is an initial analysis of informationflow leak in Android apps.CodeShoppy
Information security is becoming more and more importantnowadays. Companies, governments and militaries are con-necting themselves to the internet for various reasons suchas to provide certain services to public, to cooperate withpartners and to allow their staffs to work remotely and soon. However, when they connect to internet, they are alsoexposing a possible entrance for the adversaries to break intotheir internal networks and to access to their private data ifthere are vulnerabilities. It is also the same case when it comesto the individual person who connects oneself to the internetwith mobile devices. Personal data leak may cause troubles oreven financial lost [3], [4].As mobile devices are replacing traditional desktop as amain portal to internet, people rely on their mobile devicesto handle all sorts of daily activities such as online shopping,internet banking and subscribing to premium services, whichare almost impossible in the past on mobile devices. Onemight not even realize that its mobile device stores so much ofits personal information that the security of such informationon these mobile devices has become a critical and seriousproblem.Android operating system has become the most popularmobile operating system [5] , however, Android apps are notas secure as one might think it should be. The vulnerabilitiesmight come from flaws of protocol an Android applicationadopted [6], the misunderstandings when implementing proto-cols in the apps [7], not aware of the assumptions when usingcertain SDKs [8] and even from Android operating systemitself [9], [10].Many of the vulnerabilities are actually implementation spe-cific. Therefore, it’s imperative to study the security propertyof concrete implementation of Android apps to improve thesecurity level of them.In this dissertation, the author presents the preliminaryresults of his ongoing research project mainly in two scenarios:A formal analysis of Android apps that provide Single Sign-on (SSO) service and the initial analysis of information flowleak in Android apps
SSO Background With the development of information technology, more andmore websites emerge and they have demands to record users’data. User needs to register at these websites before they canuse the services from them. However, the more accounts auser has, the more reluctant the user becomes to register newaccounts as this will increase the cost of managing differentaccounts across different websites. Therefore, the user maytend to use a same password for its different accounts. Never-theless, it will inevitably increase the risk that one passwordbeing compromised endangers its identities on other websites[11], [12]. The attacker can try to break user’s other accountswith brute-force attack. It even exacerbates this situation whenuser uses simple password.Single Sign-on is an authentication scheme which allowsa user to login to a third party application (service provider,SP) with the identity it registers in an identity provider (IdP).This protocol mainly involves three parties, namely, the user,the SP and the IdP. Although SSO protocol does not solve theproblem of using a same password across different websites,but it simplifies the account creation process or even skips ittotally, which eases the burden when a user uses a new website.It will also ease the cost of managing different accounts froma use’s perspective.As SSO becomes more and more popular, the securityof SSO is one of the concerns that recent researches focuson [6], [8], [13]. However, most prior studies only focuson SSO on desktop or web-based browser environment andfew of them have inspected the security of the concrete SSOimplementation in mobile platforms.Being a different platform other than the desktop or webbrowser, Android OS has its own attack surfaces and as-sumptions. Due to mobile device’s product orientation andthe physical limitation of a hand-held device, it is infeasibleor even impossible to deploy a real-time malware detectionsystem to protect Android from the attacks of virus or trojans[14]. Moreover, unlike the desktop browser, Android doesnot have important security mechanisms like the Same OriginPolicy (SOP) [1], [2] which is a standard on almost all modernbrowsers. This would let Android suffer from the vulnerabilitythat is not easy to exit in browser environment. Moreover, asmentioned above, there might be misunderstandings or hiddenassumptions regarding to the developer documentation of aprotocol which introduces more vulnerabilities to the concreteimplementation in Android apps. Therefore, it is important totake these factors into consideration and to inspect the concreteimplementation of SSO on Android OS in a systematic andrigorous manner.Formal analysis has been proved to be such an powerfulapproach which is systematic and partially automatic approachto analyze the design of a protocol or a system. Recentresearches adopting formal analysis have confirm its ability[9], [13], [15]. It can verify properties of protocol design in amathematical and rigorous manner
As mobile phones are becoming a main approachfor people to use to access internet, security is a major concernwhen people are using their mobile phones. Different from theweb browser which has mature isolation mechanisms to protectusers’ information such as cookies and credentials, Androidapp developers have to implement the isolation mechanism suchas the Single Origin Policy (SOP) [1], [2] themselves. Duringthe implementation process, it is highly likely that there isvulnerability in the implementation. Therefore, it is necessaryto perform analysis to the implementation before it is releasedto market. As part of an ongoing Ph.D. research project, thisdissertation inspects two scenarios. The first scenario is an appwhich provides Single Sign-on (SSO) service using FacebookSDK. The author builds formal models from the capturednetwork traffic of the app and uses a verifier Proverif to checkagainst the defined properties of the formal models. After theanalysis, one vulnerability is discovered which violates SOP. Asfor the second scenario, it is an initial analysis of informationflow leak in Android apps.CodeShoppy
Information security is becoming more and more importantnowadays. Companies, governments and militaries are con-necting themselves to the internet for various reasons suchas to provide certain services to public, to cooperate withpartners and to allow their staffs to work remotely and soon. However, when they connect to internet, they are alsoexposing a possible entrance for the adversaries to break intotheir internal networks and to access to their private data ifthere are vulnerabilities. It is also the same case when it comesto the individual person who connects oneself to the internetwith mobile devices. Personal data leak may cause troubles oreven financial lost [3], [4].As mobile devices are replacing traditional desktop as amain portal to internet, people rely on their mobile devicesto handle all sorts of daily activities such as online shopping,internet banking and subscribing to premium services, whichare almost impossible in the past on mobile devices. Onemight not even realize that its mobile device stores so much ofits personal information that the security of such informationon these mobile devices has become a critical and seriousproblem.Android operating system has become the most popularmobile operating system [5] , however, Android apps are notas secure as one might think it should be. The vulnerabilitiesmight come from flaws of protocol an Android applicationadopted [6], the misunderstandings when implementing proto-cols in the apps [7], not aware of the assumptions when usingcertain SDKs [8] and even from Android operating systemitself [9], [10].Many of the vulnerabilities are actually implementation spe-cific. Therefore, it’s imperative to study the security propertyof concrete implementation of Android apps to improve thesecurity level of them.In this dissertation, the author presents the preliminaryresults of his ongoing research project mainly in two scenarios:A formal analysis of Android apps that provide Single Sign-on (SSO) service and the initial analysis of information flowleak in Android apps
SSO Background With the development of information technology, more andmore websites emerge and they have demands to record users’data. User needs to register at these websites before they canuse the services from them. However, the more accounts auser has, the more reluctant the user becomes to register newaccounts as this will increase the cost of managing differentaccounts across different websites. Therefore, the user maytend to use a same password for its different accounts. Never-theless, it will inevitably increase the risk that one passwordbeing compromised endangers its identities on other websites[11], [12]. The attacker can try to break user’s other accountswith brute-force attack. It even exacerbates this situation whenuser uses simple password.Single Sign-on is an authentication scheme which allowsa user to login to a third party application (service provider,SP) with the identity it registers in an identity provider (IdP).This protocol mainly involves three parties, namely, the user,the SP and the IdP. Although SSO protocol does not solve theproblem of using a same password across different websites,but it simplifies the account creation process or even skips ittotally, which eases the burden when a user uses a new website.It will also ease the cost of managing different accounts froma use’s perspective.As SSO becomes more and more popular, the securityof SSO is one of the concerns that recent researches focuson [6], [8], [13]. However, most prior studies only focuson SSO on desktop or web-based browser environment andfew of them have inspected the security of the concrete SSOimplementation in mobile platforms.Being a different platform other than the desktop or webbrowser, Android OS has its own attack surfaces and as-sumptions. Due to mobile device’s product orientation andthe physical limitation of a hand-held device, it is infeasibleor even impossible to deploy a real-time malware detectionsystem to protect Android from the attacks of virus or trojans[14]. Moreover, unlike the desktop browser, Android doesnot have important security mechanisms like the Same OriginPolicy (SOP) [1], [2] which is a standard on almost all modernbrowsers. This would let Android suffer from the vulnerabilitythat is not easy to exit in browser environment. Moreover, asmentioned above, there might be misunderstandings or hiddenassumptions regarding to the developer documentation of aprotocol which introduces more vulnerabilities to the concreteimplementation in Android apps. Therefore, it is important totake these factors into consideration and to inspect the concreteimplementation of SSO on Android OS in a systematic andrigorous manner.Formal analysis has been proved to be such an powerfulapproach which is systematic and partially automatic approachto analyze the design of a protocol or a system. Recentresearches adopting formal analysis have confirm its ability[9], [13], [15]. It can verify properties of protocol design in amathematical and rigorous manner
https://codeshoppy.com/android-app-ideas-for-students-college-project.html
No comments:
Post a Comment