Leitthema - Informatik - FB3 - Uni Bremen

Transcrição

Architectural Risk Analysis for
Android Applications
University of Applied Sciences Bremen, 22.06.2015
Dr. Karsten Sohr
TZI – Universität Bremen
Center for Computing Technologies
1
Systemqualität und Informationssicherheit
Dr. Karsten Sohr, [email protected]
Outline
 Software security as an own discipline
 Security problems in Android apps
 Research project ZertApps
 Outlook
2
Software Security as an Own Discipline
 Current security mechanisms such as firewalls anti-virus software or
intrustion dectection systems are reactive
 Cause of many security problems: security issues in software
 McGraw: Trinity of trouble
1. Increasing complexity (Windows 8 up to 80 Mio. lines of code?)
2. Increasing connectivity (SOA, Internet of Things, Iindustrial controllers…)
3. Extensibility of systems (Nachladen von Apps, Plugins für Browser)
 Tools and processes to improve software security
•
Security development lifecycle (SDL)
3
Architektural Risk Analysis as Part of the SDL
 Security analysis of the software architecture
• At design time
• Detection of basic security problems („flaws“ vs. „bugs“)
• Example of flaws: Missing encryption; only integrity protection, although
confidentiality is requierd; inconsistent role-based access
control;overprivilegation; wrong usage of frameworks
 Two approaches
• Threat Modeling/STRIDE (Microsoft)
• Architektural risik analysis from McGraw
 Core idea in both approaches:
Discussion of basic security aspects with the help of diagrams
(forest-level overview)
5
Threat Modeling with Dataflow diagrams
6
Security Holes in Apps

Cryptographic Weaknesses, e.g., easily guessable keys in
WhatsApp messenger

Overprivileged apps

Confused-deputy problems

Massive vulnerabilities in SSL-implementation of apps

Injection of JavaScript code into apps with web functionality

Faulty usage of software frameworks

Basic waeknesses in systems consisting of a remote-control app
and a backend
7
An E-Mail of a Colleague …
If you are interested in the SSL-stuff again: The app is implemented as a
WebView, i.e., all is HTML. What speaks to a big error is this:
public void onReceivedSslError(android.webkit.WebView,
android.webkit.SslErrorHandler, android.net.http.SslError){
com.WebDevs.SPCanywhere.MyWebViewClient $r0;
android.webkit.WebView $r1;
android.webkit.SslErrorHandler $r2;
android.net.http.SslError $r3;
$r0 := @this: com.WebDevs.SPCanywhere.MyWebViewClient;
$r1 := @parameter0: android.webkit.WebView;
$r2 := @parameter1: android.webkit.SslErrorHandler;
$r3 := @parameter2: android.net.http.SslError;
virtualinvoke $r2.<android.webkit.SslErrorHandler: void proceed()>();
return;
}
8
Decompiled to Java
public void onReceivedSslError(WebView
paramWebView, SslErrorHandler
paramSslErrorHandler, SslError
paramSslError)
{
paramSslErrorHandler.proceed();
}
9
Insecure Usage of the Android Framework:
Telekom Online Manager
Intent localIntent1 =
new
Intent("de.telekom.hotspot.intent.action.SMS_STATUS");
localIntent1.putExtra("status",
CredSmsStatusType.SMS_STATUS_CREDENTIALS_RECEIVED);
localIntent1.putExtra("username", str2);
localIntent1.putExtra("password", str3);
sendBroadcast(localIntent1);
10
Exported Content Provider: SAP Mobile
Documents
<provider
android:name="com.sap.mcm.android.content.FileContentProvider"
android:exported="true"
android:authorities="com.sap.mcm.android.provider" />
public File getFile(Uri paramUri){
McmDocument localMcmDocument = getDocument(paramUri);
File localFile =
new File(localMcmDocument.getUnencryptedPath());
return localFile;
}
private void decryptNextDocument() {
McmDocument localMcmDocument =
(McmDocument)this.documents.get(this.nextDocumentIndex);
localMcmDocument.copyUnencrypted(this);
11
Problem Statement
We need cost-efficient analysis methods and
evaluation processes that assure that
Android apps are show an appropriate
security level.
12
Current Research Project ZertApps

BMBF-funded project ZertApps: Certified security for mobile applications

Project partners:
•
Universität Bremen,
•
Fraunhofer SIT,
•
TU Darmstadt,
•
OTARIS Interactive Service GmbH,
•
datenschutz cert GmbH,
•
SAP AG
13
Project Goals /1

Development of precise static security analyses based on the Android
Framework with open source tools, e.g., Soot

If necessary, dynamic analysis to improve static analysis

Interaction of several apps (→ confused deputy problem)

Consideration of hybride apps (apps with Java and web parts)
•
E.g., analysis of PhoneGap-based apps
14
Project Goals /2

Comprehensible presentation of analysis results for different groups of
users
•


Security administrators, evaluators, developers, users?
Conception of a lightweight certification process / scheme
•
Low cost
•
Graded certification concept
Tool-support for certification
15
Own Contribution: Architektural Risk Analysis

Extraction and security analysis of the software architecture of apps

Reverse engineering of dataflow diagrams (DFDs) with the help of static
analysis (Soot)

Automated analysis of these extracted DFDs against known architectural
weaknesses (e.g., CWE entries)

Conception and implementation within in the context of a dissertation at
AG Softwaretechnik, Prof. Koschke
16
Procedure
Android App
Android Model
EDFD
1
7
Systemqualität
und Informationssicherheit
Static Analysis
Component detection
A Service
Entry point dectection
Android app
Detection of exit points
Identification of intra-component flows
Identification of inter-component flows
Identification of security properties
Activity
Determination of external communications
Usage of shared preferences
Android model
Usage of encryption
18
Procedure
Android app
Android model
EDFD
19
Example Dataflow Diagram
20
Example Dataflow Diagram: Hybride App
21
Procedure
Android app
Pattern catalogue
Android model
EDFD
Risk model
Security rules
22
Checking Security Rules
MATCH (source : Element)
-[flow : Channel *]->
(target : Element)
WHERE flow.data.IsConfidential
and not flow.IsEncrypted
23
Summary & Outlook

Software security becomes more relevant
•
Mobile apps, Internet of Things, industrial controllers, …

Systematic and cost-efficient prcesses for software security
are needed

Escecially relevant: security of apps

Tool support

New supporting kinds of analysis:
Static (and dynamic) code analyses for the extraction and
validation of the implemented security architecture
24
Thank you very much for
your attention!
Questions?
25

Leitthema - Informatik - FB3 - Uni Bremen

Transcrição

Documentos relacionados

8. Bibliografia ACS, Zoltan J., ARMINGTON, Catherine