Large-scale value extraction in mobile applications
Eric Bodden, Siegfried Rasthofer, Steven Arzt, Robert Hahn, Max Kolhagen (Software Engineering Group)

Large-scale value extraction in mobile applicationsseminaire-dga.gforge.inria.fr/2015/20160513_EricBodden.pdf · Harvesting Runtime Values in Android Applications That Feature Anti-Analysis


Page 1

Large-scale value extraction in mobile applications

Eric Bodden, Siegfried Rasthofer, Steven Arzt, Robert Hahn, Max Kolhagen
Software Engineering Group

Page 2

A talk in two chapters...

New Technology: Harvester [NDSS'16]
    enables...
Mass analysis with disturbing findings

Page 3

Chapter 1: Harvester

Harvesting Runtime Values in Android Applications That Feature Anti-Analysis Techniques. Siegfried Rasthofer, Steven Arzt, Marc Miltenberger, Eric Bodden. NDSS 2016.

Page 4

This we would still hope for...

    @Override
    protected void onCreate(Bundle paramBundle) {
        // SMS sent directly: destination number and text are plain string constants,
        // so a static analysis sees them immediately
        SmsManager manager = SmsManager.getDefault();
        manager.sendTextMessage("3353", null, "798657", null, null);
    }

FakePlayer 2010

Page 5

But this is what we get...

    public static void gdadbjrj(String paramString1, String paramString2) throws Exception {
        // Get class instance
        Class clz = Class.forName(gdadbjrj.gdadbjrj("VRIf3+In9a.aTA3RYnD1BcVRV]af"));
        Object localObject = clz.getMethod(gdadbjrj.gdadbjrj("]a9maFVM.9")).invoke(null);
        // Get method name
        String s = gdadbjrj.gdadbjrj("BaRIta*9caBBV]a");
        // Build parameter list
        Class c = Class.forName(gdadbjrj.gdadbjrj("VRIf3+InVTTnSaRI+R]KR9aR9"));
        Class[] arr = new Class[] { nglpsq.cbhgc, nglpsq.cbhgc, nglpsq.cbhgc, c, c };
        // Get method and invoke it
        clz.getMethod(s, arr).invoke(localObject, paramString1, null, paramString2, null, null);
    }

What actually gets called: SmsManager.sendTextMessage(...)

Page 6

Contributions

C1: Fully-Automatic Extraction of Runtime Data
C2: Fully-Automatic Resolving of Reflective
C3: Improving the Coverage of Existing off-the-shelf Static and Dynamic Analysis Tools

Page 7

Harvester

    sendTextMessage(num, text)   ->   sendTextMessage("004242", "loc_Other")
                                      sendTextMessage("008888", "loc_US")
    Class.forName(className)     ->   Class.forName("SmsManager")

Page 8

    if (Build.FINGERPRINT.startsWith("generic"))
        ...
    nr = "00"
    if (simCountryIso().equals("US"))
        nr += "8888"
    else
        nr += "4242"
    msg = AES.decrypt("1234", "fri$ds\&S")
    sendTextMessage(nr, msg)
    ...

Static Analysis?    Dynamic Analysis?

Page 9

Static Analysis + Dynamic Analysis

Page 10

    if (Build.FINGERPRINT.startsWith("generic"))      <- Environment
        ...
    nr = "00"
    if (simCountryIso().equals("US"))                  <- Environment
        nr += "8888"
    else
        nr += "4242"
    msg = AES.decrypt("1234", "fri$ds\&S")
    sendTextMessage(nr, msg)
    ...


Page 13

    if (Build.FINGERPRINT.startsWith("generic"))      <- Environment
        ...
    nr = "00"
    if (simCountryIso().equals("US"))                  <- Environment
        nr += "8888"
    else
        nr += "4242"
x   msg = AES.decrypt("1234", "fri$ds\&S")
    sendTextMessage(nr, msg)
    ...

Page 14

x   if (Build.FINGERPRINT.startsWith("generic"))      <- Environment
        ...
    nr = "00"
    if (simCountryIso().equals("US"))                  <- Environment
        nr += "8888"
    else
        nr += "4242"
    msg = AES.decrypt("1234", "fri$ds\&S")
    sendTextMessage(nr, msg)
    ...

Page 15

x   if (Build.FINGERPRINT.startsWith("generic"))      <- Environment
        ...
    nr = "00"
x   if (simCountryIso().equals("US"))                  <- Environment
        nr += "8888"
    else
        nr += "4242"
    msg = AES.decrypt("1234", "fri$ds\&S")
    sendTextMessage(nr, msg)
    ...

Page 16

x   if (Build.FINGERPRINT.startsWith("generic"))      <- Environment
        ...
    nr = "00"
    if (EXECUTOR_1)                                    <- replaces simCountryIso().equals("US")
        nr += "8888"
    else
        nr += "4242"
    msg = AES.decrypt("1234", "fri$ds\&S")
    sendTextMessage(nr, msg)
    ...

Page 17

    main() {
        Callee1(false);
        Callee1(true);
    }

    Callee1(boolean EXECUTOR_1) {
        nr = "00"
        if (EXECUTOR_1)
            nr += "8888"
        else
            nr += "4242"
        msg = AES.decrypt("1234", "fri$ds\&S")
        Log(nr, msg)          // replaces sendTextMessage(nr, msg)
    }
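The slice-and-execute idea of slides 8 to 17, as an added example that is not Harvester's own code: a toy IR of the deck's snippet, a backward slice from the sendTextMessage logging point, environment-dependent branches replaced by EXECUTOR flags, and a driver that runs every flag combination, as the deck's main(){Callee1(false);Callee1(true);} does. The IR format, the `ui = ...` stand-in for the slide's "..." and the AES_decrypt stand-in are assumptions; the harvested numbers come out as "004242" and "008888" exactly as on slide 7.

```python
import itertools

# Constructed mini-IR of the deck's snippet (slides 8-17), not Harvester's real Jimple.
# Tuple: (id, code, defs, uses, guard, env); guard = (branch id, branch value) encodes
# control dependence, env marks a condition that depends on the execution environment.
PROGRAM = [
    (1, 'Build.FINGERPRINT.startswith("generic")', (), (), None, True),  # emulator check
    (2, 'ui = "fake_player"', ("ui",), (), (1, True), False),           # stand-in for "..."
    (3, 'nr = "00"', ("nr",), (), None, False),
    (4, 'simCountryIso() == "US"', (), (), None, True),                 # SIM country check
    (5, 'nr += "8888"', ("nr",), ("nr",), (4, True), False),
    (6, 'nr += "4242"', ("nr",), ("nr",), (4, False), False),
    (7, 'msg = AES_decrypt("1234", "fri$ds\\\\&S")', ("msg",), (), None, False),
    (8, 'sendTextMessage(nr, msg)', (), ("nr", "msg"), None, False),    # logging point
]

def backward_slice(program, target):
    """Statements the logging point depends on through data or control dependence."""
    by_id = {s[0]: s for s in program}
    keep, work = {target}, [target]
    while work:
        sid = work.pop()
        _, _, _, uses, guard, _ = by_id[sid]
        # data dependence: every earlier definition of a used variable (path-insensitive)
        deps = [t[0] for t in program if t[0] < sid and set(t[2]) & set(uses)]
        if guard:                          # control dependence on the guarding branch
            deps.append(guard[0])
        for d in deps:
            if d not in keep:
                keep.add(d)
                work.append(d)
    return [s for s in program if s[0] in keep]

def run_slice(slice_, target, flags):
    """Execute the slice once with fixed EXECUTOR values; return the values logged."""
    scope = {"AES_decrypt": lambda key, ct: "decrypted:" + key}  # stand-in for the app's routine
    taken = {}
    for sid, code, _, uses, guard, env in slice_:
        if guard and taken.get(guard[0]) != guard[1]:
            continue                       # not on the path the flags select
        if env:
            taken[sid] = flags[sid]        # EXECUTOR_n replaces the environment condition
        elif sid == target:
            return tuple(scope[v] for v in uses)   # Log(nr, msg) in the deck
        else:
            exec(code, scope)

def harvest(program, target):
    """Run every EXECUTOR combination, as main(){Callee1(false);Callee1(true);} does."""
    slice_ = backward_slice(program, target)
    ids = [s[0] for s in slice_ if s[5]]   # environment branches -> EXECUTOR_1..n
    runs = (run_slice(slice_, target, dict(zip(ids, combo)))
            for combo in itertools.product((False, True), repeat=len(ids)))
    return sorted({v for v in runs if v is not None})
```

The emulator check drops out of the slice because nothing the logging point uses depends on it, which is why slide 17 needs only EXECUTOR_1.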

Page 18

Harvester enables de-obfuscation

    Class c = Class.forName(gdadbjrj.gdadbjrj("VRIf3+InVTTnSaRI+R]KR9aR9")); ...

becomes

    Class c = Class.forName("SmsManager"); ...

so the reflective call resolves to

    SmsManager.sendTextMessage(a, b, c, d, e);

Page 19

Evaluation on 16,799 malware samples

    Efficiency:            < 3 minutes
    Recall:                87%
    Precision:             100%
    Interesting findings:  premium-rate numbers, C&C messages, URLs (URIs), encryption key for WhatsApp data, ... and more

(For recall and precision we manually looked into 12 samples.)

Our approach works well in practice because nobody designs malware whose values are coupled to an environment variable.

Page 20

Chapter 2: Let there be light...

Page 21

Page 22

IaaS, PaaS, SaaS, ... ??

Page 23

BaaS

Page 24

Secure?

Page 25

Page 26

Backend-as-a-Service

    APP  <->  BaaS SDK  <->  Cloud

Page 27

Backend-as-a-Service

Page 28

Backend-as-a-Service: User Administration

Page 29

DB connection through the BaaS SDK:

    AmazonS3Client s3Client = new AmazonS3Client(
        new BasicAWSCredentials("ACCESS_KEY_ID", "SECRET_KEY"));

Page 30

DB connection through the BaaS SDK:

    AmazonS3Client s3Client = new AmazonS3Client(
        new BasicAWSCredentials("ACCESS_KEY_ID", "SECRET_KEY"));

"When you access AWS programmatically, you use an access key to verify your identity and the identity of your applications. An access key consists of an access key ID and a secret access key. Anyone who has your access key has the same level of access to your AWS resources that you do." Source: http://docs.aws.amazon.com/

"ACCESS_KEY_ID", "SECRET_KEY"

Page 31

DB connection through the BaaS SDK:

    AmazonS3Client s3Client = new AmazonS3Client(
        new BasicAWSCredentials("ACCESS_KEY_ID", "SECRET_KEY"));

"...The AWS SDKs use your access keys to sign requests for you so that you don't have to handle the signing process..." http://docs.aws.amazon.com/

"...Secret access keys are, as the name implies, secrets, like your password..." Jim Scharf, Director, AWS Identity and Access Management

"ACCESS_KEY_ID" (username), "SECRET_KEY" (password)

Page 32

IT-Security 101

Peter -> Server:
    "Hi, I am Peter"                     Identification
    "My password is Secret123"           Authentication
    "I am allowed to access foo.txt"     Authorization

Page 33

App-Authentication Model

App -> Server:
    "Hi, I am app <Application ID>"      Identification
    "My <Secret Key> is in the app" ???  Authentication
    =??

Page 34

App-Authentication Model

    Peter  -> Server
    Howard -> Server
    Server: Peter? Howard? Eve?

Page 35

How are developers coping?

Q: [...] "The App-Secret key should be kept private - but when releasing the app they can be reversed by some guys. I want to know what is the best thing to encrypt, obfuscate or whatever to make this secure." [...] (Source: stackoverflow.com)

R: "Few ideas, in my opinion only first one gives some guarantee: 1. Keep your secrets on some server on internet, and when needed just grab them and use. 2. Put your secrets in jni code 3. use obfuscator 4. Put your secret key as last pixels of one of your image in assets" (Source: stackoverflow.com)

NO!!!!
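The two models of slides 32 to 34 side by side, as an added example that is not the deck's or any BaaS vendor's code: a constructed toy backend in which the same record store is reachable either by proving possession of the app secret (slide 33) or by a per-user login with per-record authorization (slide 32). Peter, Howard and Eve are the deck's names; the app ID, secret, table name, passwords and the PBKDF2 parameters are constructed placeholders.

```python
import hashlib
import hmac
import secrets

class Backend:
    """Constructed toy BaaS backend; not any vendor's implementation."""

    def __init__(self, app_id, app_secret):
        self.app_id, self.app_secret = app_id, app_secret
        self.users = {}      # username -> (salt, PBKDF2 digest)
        self.sessions = {}   # session token -> username
        self.records = []    # (owner, table, payload)

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def store(self, owner, table, payload):
        self.records.append((owner, table, payload))

    # Model A (slide 33): the client proves it holds the app secret. The secret ships inside
    # the APK, so every copy of the app, whoever runs it, is indistinguishable to the server.
    def query_with_app_secret(self, app_id, app_secret, table):
        if app_id != self.app_id or not hmac.compare_digest(app_secret, self.app_secret):
            raise PermissionError("unknown app")
        return [p for _, t, p in self.records if t == table]   # every user's rows

    # Model B (slide 32): identify and authenticate the user, then authorize per record.
    def login(self, username, password):
        salt, digest = self.users.get(username, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            raise PermissionError("bad credentials")
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token

    def query_with_session(self, token, table):
        owner = self.sessions.get(token)
        if owner is None:
            raise PermissionError("not logged in")
        return [p for o, t, p in self.records if t == table and o == owner]

def demo():
    """Peter and Howard each store a row; Eve holds only the secret pulled out of the APK."""
    be = Backend("APP_ID_PLACEHOLDER", "SECRET_KEY_PLACEHOLDER")   # constructed values
    be.register("peter", "Secret123")
    be.register("howard", "hunter2")
    be.store("peter", "ContactDataTable", "peter's contacts")
    be.store("howard", "ContactDataTable", "howard's contacts")
    eve_sees = be.query_with_app_secret("APP_ID_PLACEHOLDER", "SECRET_KEY_PLACEHOLDER", "ContactDataTable")
    peter_sees = be.query_with_session(be.login("peter", "Secret123"), "ContactDataTable")
    try:
        be.query_with_session("token-eve-never-obtained", "ContactDataTable")
        eve_blocked = False
    except PermissionError:
        eve_blocked = True
    return eve_sees, peter_sees, eve_blocked
```

Under model B the app still carries its public application ID, but no value in the APK grants data access on its own; that is the property the deck's Parse and Amazon findings lack.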

Page 36

Security Analysis

Page 37

Manual Pre-Analysis (here: Parse)

    public void onCreate() {
        java.lang.String $S1, $S2;
        $S1 = "34lI1wgISkIUpTunWRAzXei20H3NAL7W6buKTe7e";
        $S2 = "pB7OlNi0jsEp3fpJfq9wvHBoOWgaOQCSW98BF7e3";
        staticinvoke <Parse: void initialize(Context, String, String)>(this, $S1, $S2);
    }

+ "Users" table
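A pre-release check a developer can run over the Jimple (or decompiled) output of their own build to catch exactly the pattern above, as an added example that is not the authors' tooling: it collects constant string assignments, finds calls into credential-taking SDK entry points, and reports those whose key arguments resolve to constants. The sample input reuses the slide's Parse snippet and adds a BasicAWSCredentials constructor in the same style with placeholder keys; the sink table and regexes are assumptions that cover only these two SDK calls.

```python
import re

# Constructed Jimple-style input: the deck's Parse snippet (slide 37) plus a
# BasicAWSCredentials constructor written in the same style with placeholder keys.
SAMPLE = r'''
public void onCreate() {
    java.lang.String $S1, $S2;
    $S1 = "34lI1wgISkIUpTunWRAzXei20H3NAL7W6buKTe7e";
    $S2 = "pB7OlNi0jsEp3fpJfq9wvHBoOWgaOQCSW98BF7e3";
    staticinvoke <Parse: void initialize(Context, String, String)>(this, $S1, $S2);
}
public void setup() {
    specialinvoke $r1.<com.amazonaws.auth.BasicAWSCredentials: void <init>(java.lang.String,java.lang.String)>("AKIA_PLACEHOLDER_ID", "SECRET_PLACEHOLDER");
}
'''

# Credential-taking calls and the argument positions that carry key material.
SINKS = {("Parse", "initialize"): (1, 2), ("BasicAWSCredentials", "<init>"): (0, 1)}
CONST = re.compile(r'(\$?\w+) = "([^"]*)";')
INVOKE = re.compile(r'<(?P<cls>[\w.$]+): [\w.$]+ (?P<meth><init>|\w+)\([^)]*\)>\((?P<args>[^)]*)\)')

def resolve(arg, consts):
    """Constant string an argument evaluates to, or None if it is not fixed in the code."""
    arg = arg.strip()
    if len(arg) >= 2 and arg[0] == arg[-1] == '"':
        return arg[1:-1]
    return consts.get(arg)

def mask(value):
    """Never echo a full secret into build logs; a prefix and the length are enough."""
    return f"{value[:4]}...({len(value)} chars)"

def scan(jimple):
    """Report credential sinks whose key arguments are string constants in the code."""
    consts = dict(CONST.findall(jimple))
    findings = []
    for m in INVOKE.finditer(jimple):
        key = (m.group("cls").rsplit(".", 1)[-1], m.group("meth"))
        if key not in SINKS:
            continue
        args = m.group("args").split(",")
        values = [resolve(args[i], consts) for i in SINKS[key] if i < len(args)]
        if values and None not in values:
            findings.append({"sink": ".".join(key), "secrets": [mask(v) for v in values]})
    return findings
```

A call whose key arguments are not constants (fetched from a server after user login, for instance) produces no finding, which is the outcome a release build should reach.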

Page 38

Manual Pre-Analysis (here: Parse)

• Commercially available
• Ask for a free trial license
• More information on features and inner workings is in the proceedings

Page 39

Results of Pre-analysis

We were able to access all records.
Only few developers actually used obfuscation.

Page 40

Let's get our fingers dirty! Time for mass analysis!

Page 41

Mass analysis

Page 42

Example exploit data set

    "34lI1wgISkIUpTunWRAzXei20H3NAL7W6buKTe7e"
    "pB7OlNi0jsEp3fpJfq9wvHBoOWgaOQCSW98BF7e3"
    "CreditCardDataTable"
    "ContactDataTable"
    ...

BaaS API

Page 43

Disturbing findings...

Page 44

Parse-enabled Goodware

• In-app purchase info
• Location data
• Facebook infos: "Friends", blocked "Friends"
• Contact data
• Verified email addresses
• Birthdays
• Phone numbers
• Photos
• Car-accident reports

Page 45

We know what you did this summer: Android Banking Trojan exposing its sins in the cloud. Siegfried Rasthofer, Eric Bodden, Carlos Castillo, Alex Hinchliffe. VirusBulletin 2015, AVAR 2015.

Intercepted SMS messages, C&C tasks, C&C commands, stolen data

Parse-enabled Malware!!

Page 46

Responsible-Disclosure Process: Parse (Facebook)

Initial findings: full access to 100 tables, partial access to 32 tables (~56 million data records)

    28th April 2015   Contacted Facebook with a few samples
    5th May 2015      Facebook verified it and asked for more data
    18th May 2015     We provided all information
    20th May 2015     Facebook forwarded everything to Parse (we assume they contacted the developers)
    12th Nov 2015     Full access to 99 tables, partial access to 33 tables

Page 47

Results Amazon

Server backups, baby-growth data, more photos

Page 48

Results Amazon

Private messages, lottery data, website contents !!!

Page 49

Stay tuned for more...

Page 50

Prof. Dr. Eric Bodden
Chair for Software Engineering
Heinz Nixdorf Institut
Zukunftsmeile 1, 33102 Paderborn
Phone: +49 5251 60-3313
[email protected]
https://www.hni.uni-paderborn.de/swt/
https://blogs.uni-paderborn.de/sse/