Leitthema - Informatik - FB3 - Uni Bremen
Transcrição
Leitthema - Informatik - FB3 - Uni Bremen
Architectural Risk Analysis for Android Applications University of Applied Sciences Bremen, 22.06.2015 Dr. Karsten Sohr TZI – Universität Bremen Center for Computing Technologies 1 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Outline Software security as an own discipline Security problems in Android apps Research project ZertApps Outlook 2 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Software Security as an Own Discipline Current security mechanisms such as firewalls anti-virus software or intrustion dectection systems are reactive Cause of many security problems: security issues in software McGraw: Trinity of trouble 1. Increasing complexity (Windows 8 up to 80 Mio. lines of code?) 2. Increasing connectivity (SOA, Internet of Things, Iindustrial controllers…) 3. Extensibility of systems (Nachladen von Apps, Plugins für Browser) Tools and processes to improve software security • Security development lifecycle (SDL) 3 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Architektural Risk Analysis as Part of the SDL Security analysis of the software architecture • At design time • Detection of basic security problems („flaws“ vs. „bugs“) • Example of flaws: Missing encryption; only integrity protection, although confidentiality is requierd; inconsistent role-based access control;overprivilegation; wrong usage of frameworks Two approaches • Threat Modeling/STRIDE (Microsoft) • Architektural risik analysis from McGraw Core idea in both approaches: Discussion of basic security aspects with the help of diagrams (forest-level overview) 5 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Threat Modeling with Dataflow diagrams 6 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Security Holes in Apps Cryptographic Weaknesses, e.g., easily guessable keys in WhatsApp messenger Overprivileged apps Confused-deputy problems Massive vulnerabilities in SSL-implementation of apps Injection of JavaScript code into apps with web functionality Faulty usage of software frameworks Basic waeknesses in systems consisting of a remote-control app and a backend 7 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] An E-Mail of a Colleague … If you are interested in the SSL-stuff again: The app is implemented as a WebView, i.e., all is HTML. What speaks to a big error is this: public void onReceivedSslError(android.webkit.WebView, android.webkit.SslErrorHandler, android.net.http.SslError){ com.WebDevs.SPCanywhere.MyWebViewClient $r0; android.webkit.WebView $r1; android.webkit.SslErrorHandler $r2; android.net.http.SslError $r3; $r0 := @this: com.WebDevs.SPCanywhere.MyWebViewClient; $r1 := @parameter0: android.webkit.WebView; $r2 := @parameter1: android.webkit.SslErrorHandler; $r3 := @parameter2: android.net.http.SslError; virtualinvoke $r2.<android.webkit.SslErrorHandler: void proceed()>(); return; } 8 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Decompiled to Java public void onReceivedSslError(WebView paramWebView, SslErrorHandler paramSslErrorHandler, SslError paramSslError) { paramSslErrorHandler.proceed(); } 9 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Insecure Usage of the Android Framework: Telekom Online Manager Intent localIntent1 = new Intent("de.telekom.hotspot.intent.action.SMS_STATUS"); localIntent1.putExtra("status", CredSmsStatusType.SMS_STATUS_CREDENTIALS_RECEIVED); localIntent1.putExtra("username", str2); localIntent1.putExtra("password", str3); sendBroadcast(localIntent1); 10 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Exported Content Provider: SAP Mobile Documents <provider android:name="com.sap.mcm.android.content.FileContentProvider" android:exported="true" android:authorities="com.sap.mcm.android.provider" /> public File getFile(Uri paramUri){ McmDocument localMcmDocument = getDocument(paramUri); File localFile = new File(localMcmDocument.getUnencryptedPath()); return localFile; } private void decryptNextDocument() { McmDocument localMcmDocument = (McmDocument)this.documents.get(this.nextDocumentIndex); localMcmDocument.copyUnencrypted(this); 11 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Problem Statement We need cost-efficient analysis methods and evaluation processes that assure that Android apps are show an appropriate security level. 12 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Current Research Project ZertApps BMBF-funded project ZertApps: Certified security for mobile applications Project partners: • Universität Bremen, • Fraunhofer SIT, • TU Darmstadt, • OTARIS Interactive Service GmbH, • datenschutz cert GmbH, • SAP AG 13 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Project Goals /1 Development of precise static security analyses based on the Android Framework with open source tools, e.g., Soot If necessary, dynamic analysis to improve static analysis Interaction of several apps (→ confused deputy problem) Consideration of hybride apps (apps with Java and web parts) • E.g., analysis of PhoneGap-based apps 14 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Project Goals /2 Comprehensible presentation of analysis results for different groups of users • Security administrators, evaluators, developers, users? Conception of a lightweight certification process / scheme • Low cost • Graded certification concept Tool-support for certification 15 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Own Contribution: Architektural Risk Analysis Extraction and security analysis of the software architecture of apps Reverse engineering of dataflow diagrams (DFDs) with the help of static analysis (Soot) Automated analysis of these extracted DFDs against known architectural weaknesses (e.g., CWE entries) Conception and implementation within in the context of a dissertation at AG Softwaretechnik, Prof. Koschke 16 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Procedure Android App Android Model EDFD 1 7 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Static Analysis Component detection A Service Entry point dectection Android app Detection of exit points Identification of intra-component flows Identification of inter-component flows Identification of security properties Activity Determination of external communications Usage of shared preferences Android model Usage of encryption 18 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Procedure Android app Android model EDFD 19 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Example Dataflow Diagram 20 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Example Dataflow Diagram: Hybride App 21 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Procedure Android app Pattern catalogue Android model EDFD Risk model Security rules 22 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Checking Security Rules MATCH (source : Element) -[flow : Channel *]-> (target : Element) WHERE flow.data.IsConfidential and not flow.IsEncrypted 23 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Summary & Outlook Software security becomes more relevant • Mobile apps, Internet of Things, industrial controllers, … Systematic and cost-efficient prcesses for software security are needed Escecially relevant: security of apps Tool support New supporting kinds of analysis: Static (and dynamic) code analyses for the extraction and validation of the implemented security architecture 24 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected] Thank you very much for your attention! Questions? 25 Systemqualität und Informationssicherheit Dr. Karsten Sohr, [email protected]