ON THE SECURITY OF ANDROID COMMUNICATION APPS
September 2015
Supervisors: Dr. Raymond Choo, Dr. Jixue Liu
By Shasi Pokharel, Bachelor of Information Technology (Honours)
Why Android:
• Share of total smartphone market: 82.8% (iOS: 13.9%; up to Quarter 2, 2015; Source: idc.com)
• Number of apps in Google Play: 1.6 million (App Store: 1.5 million; up to July 2015; Source: statista.com)
• Share of mobile attack targets: 99% (as of January 2014; Source: Kaspersky Lab)
Focus:
• Study popular Android communication apps
• An adversary model
• Case study apps
Communication Apps:
VoIP Apps:
• Growing popularity
• Free app-to-app calls, cheaper app-to-phone calls
• Voice call, video call, conference call, text messages
• Cross-platform
Mobile Browsers:
• Applications for browsing web pages on mobile devices
VoIP Communication
Encoding/Decoding: Analog voice > Digital data > Analog voice
Characteristics of Codecs:
• Bit rate (kbps)
• Sample size (bytes)
• Sample interval (ms)
• Packets per second (PPS)
Constant Bit Rate (CBR) or Variable Bit Rate (VBR)
Proprietary Codecs
Parts of VoIP Communication
Signalling Control Session (SIP)
• Session establishment
• Codec negotiation
RTP session
• Voice data transfer
Identify Codec from intercepted packets
If Signalling Control Session is not encrypted.
VoIP communication security
• Encryption
  - Signalling Control Session encryption
  - RTP packet encryption
• Proprietary codec
Identify Codec from intercepted packets
If Signalling Control Session is encrypted:
Calculate the bit rate for each second from the RTP payload
If (bit rate is constant)
• A Constant Bit Rate (CBR) codec is used
• Select the matching or closest bit rate codecs
If (bit rate is dynamic)
• A Variable Bit Rate (VBR) codec is used
• Select the “opus” decoder tool for decoding
Formula 1: Calculate Bit rate from RTP payload
Input: S = Sequence of RTP Packets
Output: b = Bit rate of RTP Packets
Do:
Let $S_1$ be the packets per second in $S$.
If the header of $s[0]$ contains PT, then
$$b = \sum_{s \in S_1} s.\mathit{payLoadSize} \times 0.008$$
Else: $b = 0$
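Formula 1 and the constant/variable bit-rate decision above, as an added Python example that is not part of the original slides: it sums RTP payload bytes per second, then labels the stream as encrypted, CBR (with the closest nominal codecs) or VBR. The codec bit-rate table, the 5% constancy tolerance, the reading of "header contains PT" as "parses as RTP version 2", and the constructed sample capture are assumptions of this example.

```python
import struct
from collections import defaultdict

# Nominal bit rates in kbps of common CBR codecs (standard values, not from the slides).
CBR_KBPS = {"G.711": 64.0, "G.722": 64.0, "iLBC": 15.2, "GSM": 13.0, "G.729": 8.0}

def rtp_payload_size(datagram):
    """Payload bytes of an RTP v2 packet (CSRC list and extension skipped), else None."""
    if len(datagram) < 12 or datagram[0] >> 6 != 2:
        return None
    offset = 12 + 4 * (datagram[0] & 0x0F)            # fixed header + CSRC entries
    if datagram[0] & 0x10:                            # header extension present
        if len(datagram) < offset + 4:
            return None
        offset += 4 + 4 * struct.unpack_from("!H", datagram, offset + 2)[0]
    pad = datagram[-1] if datagram[0] & 0x20 else 0   # padding count is the last byte
    size = len(datagram) - offset - pad
    return size if size >= 0 else None

def bitrate_per_second(capture):
    """Formula 1 per one-second bucket: sum(payload bytes) * 0.008 = kbps."""
    buckets = defaultdict(int)
    for arrival, datagram in capture:
        size = rtp_payload_size(datagram)
        if size is not None:
            buckets[int(arrival)] += size
    return [buckets[sec] * 8 / 1000 for sec in sorted(buckets)]

def classify(rates, tolerance=0.05):
    """Slide decision: zero -> encrypted, constant -> closest CBR codecs, else VBR."""
    if not rates or max(rates) == 0:
        return "encrypted", []
    mean = sum(rates) / len(rates)
    if max(rates) - min(rates) > tolerance * mean:    # assumed 5% constancy tolerance
        return "VBR", ["opus"]
    gap = min(abs(kbps - mean) for kbps in CBR_KBPS.values())
    return "CBR", sorted(n for n, kbps in CBR_KBPS.items() if abs(kbps - mean) == gap)

def make_capture(sizes, pps=50, pt=96):
    """Constructed sample: one second per entry, pps packets of that payload size."""
    capture = []
    for sec, size in enumerate(sizes):
        for i in range(pps):
            seq = sec * pps + i
            header = struct.pack("!BBHII", 0x80, pt, seq, seq * 160, 0x1234ABCD)
            capture.append((sec + i / pps, header + bytes(size)))
    return capture

if __name__ == "__main__":
    for sizes in ([160, 160, 160], [40, 95, 60]):
        rates = bitrate_per_second(make_capture(sizes))
        print(rates, classify(rates))
```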
Identify Codec from intercepted packets
[Flowchart. Nodes: Analyze intercepted traffic in Wireshark; SIP has readable SDP section? (Yes/No); Get Codec from SDP.rtpmap filtered by RTP.PT; Check PT value in RTP header; If PT value is readable (Yes/No); Calculate bit rate using Formula 1; Bit rate = 0? (Yes/No); Encrypted media (cannot be decoded); Check Bit rate for multiple seconds; Bit rate constant? (Yes/No); Identify list of possible codecs; Try(codec = “opus”); Return Codec(s)]
Decoder Tools
For CBR codecs: RTP-to-wave decoders are freely available:
• G.711, G.722, GSM: decoded by CloudShark
• G.729, iLBC: decoder tool available for download
For VBR: we created a Java application:
• Takes each RTP packet from the captured file
• Decodes using official native libraries
• Adds a header for linear wave sound
• Saves as a wave file
Result
Part 2: Mobile Browser
Lightweight Browsers:
• Faster web page loading
• Growing popularity
• Limited plugins
Selected Browsers for Experiment
Browser Cache
• Saves web resources when downloaded for the first time
• Cached resources are loaded by the browser when the user accesses the same site
• Contains: HTML files, CSS, JavaScript and media files
Android File System for applications
• Internal Storage: MODE_PRIVATE; accessible only by the creator application, by default
• External Storage: accessible to all applications
Cache Storage of the browsers
Dolphin:
• Cache resources: /sdcard/TunnyBrowser/Cache/webViewCache
• Screenshots of tabs: /sdcard/TunnyBrowser/Cache/tablist_cache
• Speed dial URLs: /sdcard/TunnyBrowser/Cache/speeddial_covers
UC Browser:
• Cache resources: sdcard/UCDownloads/cache/com.UCMobile.inti/
• Data traffic detail: /sdcard/UCDownloads/config/TrafficStats.db
• Detailed browsing data: /sdcard/UCDownloads/offline/ApplicationCache.db
CM Browser:
• Cache resources: /data/data/com.ksmobile.cb/app_webview/Cache
• Browser history: /sdcard/CheetahBrowser/.data/
Samsung Stock Browser:
• Cache resources: /data/data/com.sec.android.app.sbrowser/cache/Cache/
• Screenshots: /data/data/com.sec.android.app.sbrowser/files/thumbnail.bmp1 (Permission: Mode 644)
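A check a tester could run against a file listing pulled from a device, added here as an example and not taken from the slides: it flags cache entries that sit on external storage or that are world-readable inside /data/data. The "octal-mode path" input format and the modes in the sample are constructed; the paths, and the 644 mode of thumbnail.bmp1, are the ones listed above.

```python
EXTERNAL_ROOTS = ("/sdcard", "/mnt/sdcard", "/storage")  # shared storage mount points

def normalise(raw_path):
    """Give the path one leading slash and no trailing slash."""
    return "/" + raw_path.strip().strip("/")

def audit_listing(listing):
    """Return {path: reason} for entries that other installed apps can read."""
    findings = {}
    for line in listing.strip().splitlines():
        mode_text, raw_path = line.split(None, 1)
        path, mode = normalise(raw_path), int(mode_text, 8)
        if any(path == root or path.startswith(root + "/") for root in EXTERNAL_ROOTS):
            findings[path] = "external storage: readable by any app with storage permission"
        elif path.startswith("/data/data/") and mode & 0o004:
            findings[path] = "internal storage, but the other-read bit is set"
    return findings

# Paths are the ones listed on the slides; the modes are constructed, except
# 644 for thumbnail.bmp1, which the slides state.
SAMPLE_LISTING = """
660 /sdcard/TunnyBrowser/Cache/webViewCache
660 sdcard/UCDownloads/cache/com.UCMobile.inti/
600 /data/data/com.ksmobile.cb/app_webview/Cache
644 /data/data/com.sec.android.app.sbrowser/files/thumbnail.bmp1
"""

if __name__ == "__main__":
    for path, reason in audit_listing(SAMPLE_LISTING).items():
        print(f"{path}: {reason}")
```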
Why use external storage?
• Larger cache storage capability
• Avoid risk of file deletion by the system
Proposed adversary model
Adversary capability: install an application on the user's device
Goals:
• Know the URLs visited by the user
• Know the items searched for by the user
• Know the content of the web pages visited by the user
Application
User permissions required:
• WRITE_EXTERNAL_STORAGE
• ACCESS_NETWORK_STATE
Permissions granted by Android without the user's approval:
• READ_EXTERNAL_STORAGE
• INTERNET
Targeted activities of the application
• Know when the user started using the browser
• Copy cache files to internal storage
• Upload files to the server
• Change content (poison) in the cache
Work Flow of the application
[Flowchart. Nodes: Input: OnWiFiConnectedEvent; Input: OnFileAccessedEvent; Check If Vulnerable Browser is Installed (Yes); StartCacheMonitor(); Is WiFi Connected? (Yes/No); UploadFile(); CopyFileToPrivateDir()]
Result
Video: Getting Browsed content From Samsung Stock browser.
Conclusion
Many Android users' private information is at risk
An adversary can:
• Listen to what the user is saying
• See what the user is browsing
Thank You