[Paper Summary] Hidden in Plain Sight: Exploring Encrypted Channels in Android Applications

Introduction

This is a summary of the CCS 2022 paper "Hidden in Plain Sight: Exploring Encrypted Channels in Android Apps" by Sajjad Pourali, Nayanamana Samarasinghe, and Mohammad Mannan.

The paper has two main parts:

  1. ThirdEye, a tool that looks for privacy leaks over non-standard channels. It can discover privacy leaks and security issues in HTTP/HTTPS traffic, in non-HTTP protocols, and in shared storage.

  2. A large-scale analysis of the top apps on AndroidRank using ThirdEye.

Threat model

The paper considers three types of attackers:

  1. On-path network attacker: has full access to the network communication between the app user and the app server, and tries to decrypt the encrypted content in that traffic to obtain user information.

  2. App-level attacker: installs a malicious app on the user's device, which lets the attacker read the shared encrypted files of other apps on the same device.

  3. Device owner as attacker: the device owner wants to access protected content, for example to use paid services for free.

Tool principle

ThirdEye consists of four main components: the device manager, the UI interactor, the operation recorder, and the data flow detector.

Device manager: connects the test desktop to the Android device over ADB, uninstalls all non-system apps and clears their data, downloads the corresponding APK from the app store, and finally launches the app and monitors its progress.

UI interactor: drives the app through UI actions such as clicks in order to increase code coverage.

Operation recorder: for network traffic, tcpdump records the captured HTTP and non-HTTP traffic and mitmproxy captures HTTPS. For cryptographic operations, the API parameters are obtained through Frida; non-SDK crypto APIs are treated as third-party libraries of the app, and once such APIs are identified the app is run on two separate devices to see whether the same (fixed) key is returned.

Data flow detector: inspects the collected network traffic to determine whether there are privacy or security issues. For privacy issues, personally identifiable information and personal data stored on the device serve as markers to identify leaks. For security issues, it looks for fixed keys or insecure encryption algorithms. For covert channels, files in shared storage are checked; if multiple apps access a file at a common path, that path is flagged as a potential covert channel.
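The three checks the data flow detector performs on recorded crypto calls and file accesses (fixed key across two devices, insecure algorithm or mode, shared-storage path touched by more than one app) can be illustrated with a small offline analysis. The code below is an added example written for this summary, not ThirdEye's own code; it assumes that the Frida-captured cipher calls have already been normalised to dicts with the fields app, device, transformation and key_hex, and all record values and the list of "insecure" algorithms are constructed for the illustration. The same logic underlies the fixed-key and insecure-algorithm counts in the Measurement section.

```python
from collections import defaultdict

# Constructed, non-exhaustive denylist used only for this example.
INSECURE_ALGORITHMS = {"DES", "DESede", "RC4", "ARCFOUR"}
INSECURE_MODES = {"ECB"}

# Constructed sample of cipher-init calls, as a Frida hook might report them
# after normalisation (app id, device id, JCA transformation, key bytes as hex).
SAMPLE_CRYPTO_CALLS = [
    {"app": "com.example.alpha", "device": "dev1",
     "transformation": "AES/ECB/PKCS5Padding",
     "key_hex": "00112233445566778899aabbccddeeff"},
    {"app": "com.example.alpha", "device": "dev2",
     "transformation": "AES/ECB/PKCS5Padding",
     "key_hex": "00112233445566778899aabbccddeeff"},  # same key on both devices
    {"app": "com.example.beta", "device": "dev1",
     "transformation": "AES/GCM/NoPadding",
     "key_hex": "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"},
    {"app": "com.example.beta", "device": "dev2",
     "transformation": "AES/GCM/NoPadding",
     "key_hex": "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2"},  # per-device key
    {"app": "com.example.gamma", "device": "dev1",
     "transformation": "DES/CBC/PKCS5Padding",
     "key_hex": "0123456789abcdef"},
]

# Constructed sample of (app, path) file accesses observed in shared storage.
SAMPLE_FILE_ACCESSES = [
    ("com.example.alpha", "/sdcard/.shared/id.dat"),
    ("com.example.gamma", "/sdcard/.shared/id.dat"),
    ("com.example.beta", "/sdcard/Android/data/com.example.beta/cache"),
]


def parse_transformation(transformation):
    """Split a JCA transformation such as 'AES/CBC/PKCS5Padding' into (algorithm, mode).
    A bare algorithm name like 'AES' has no explicit mode."""
    parts = transformation.split("/")
    mode = parts[1] if len(parts) > 1 else None
    return parts[0], mode


def find_fixed_keys(records):
    """Flag a key as fixed when one app uses the identical key on two or more
    devices: a device- or session-derived key would differ between them."""
    devices_by_app_key = defaultdict(set)
    for r in records:
        devices_by_app_key[(r["app"], r["key_hex"])].add(r["device"])
    fixed = defaultdict(set)
    for (app, key), devices in devices_by_app_key.items():
        if len(devices) >= 2:
            fixed[app].add(key)
    return dict(fixed)


def find_insecure_algorithms(records):
    """Flag transformations whose algorithm or mode is on the denylist."""
    flagged = defaultdict(set)
    for r in records:
        algorithm, mode = parse_transformation(r["transformation"])
        if algorithm in INSECURE_ALGORITHMS or mode in INSECURE_MODES:
            flagged[r["app"]].add(r["transformation"])
    return dict(flagged)


def find_shared_paths(file_accesses):
    """A shared-storage path touched by more than one app is a covert-channel candidate."""
    apps_by_path = defaultdict(set)
    for app, path in file_accesses:
        apps_by_path[path].add(app)
    return {path: apps for path, apps in apps_by_path.items() if len(apps) > 1}


def report(records=SAMPLE_CRYPTO_CALLS, file_accesses=SAMPLE_FILE_ACCESSES):
    """Combine the three checks into one findings dict."""
    return {
        "fixed_keys": find_fixed_keys(records),
        "insecure_algorithms": find_insecure_algorithms(records),
        "shared_paths": find_shared_paths(file_accesses),
    }


if __name__ == "__main__":
    for category, findings in report().items():
        print(category)
        for subject, details in findings.items():
            print("  ", subject, "->", sorted(details))
```

Running the module as a script prints the findings for the constructed sample: alpha is flagged both for a fixed key and for ECB mode, gamma for DES, and the `.shared/id.dat` path for being accessed by two different apps. The two-device comparison is what separates a hard-coded key from one that merely looks static within a single run.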

Measurement

1. Features of encrypted communication

1) Pervasive use of encryption

2887/6075 (47.52%) of the apps use encryption/decryption calls when communicating.

2) Communication content

3) Communication channel

4) Whether the app is packed

121/12598 of the apps are packed.

2. Insecure key management

1) Use of fixed keys

2421/2887 (83.86%) use a fixed key in their custom encryption when sending data.

2) Use of insecure cryptographic algorithms

262/2887 (9.08%) use insecure cryptographic algorithms.

3. Apps leaking geolocation information

1) GPS coordinates and router SSID

2,727/12,598 (21.65%) of the apps sent GPS coordinates and the router SSID to a remote server; 4.73% of these sent the information with additional encryption.

2) BSSIDs of nearby routers

Apps with location permission can collect the BSSID of the user's own router and of all nearby wireless routers. 21.57% of the apps send the nearby router BSSIDs only through custom encryption.

4. Leaks via files

1) Files in external storage

128 apps stored device information, 12 stored GPS coordinates, and 10 stored network information. 27/150 (18.00%) of the apps use custom encryption for the content they store in external storage; 9/27 (33.33%) of these store device information.

2) Covert channels

44 apps store device information at public folder paths in shared storage, and 104 apps checked for the existence of these paths.

ThirdEye source code

https://github.com/SajjadPourali/ThirdEye

Origin blog.csdn.net/Ohh24/article/details/128611970