All Your Code Belongs To Us – Dismantling Android Secrets With CodeInspect

Eric | June 23, 2015

Steven will give a talk about CodeInspect at GOTO Copenhagen, the leading international conference on software development. We are looking forward to a great conference.

Title of the talk: “All Your Code Belongs To Us – Dismantling Android Secrets With CodeInspect”

Abstract of the talk:

Android malware is getting more and more sophisticated. So-called “sleeper” applications only trigger their malicious behavior after a certain time has passed or a certain event has happened, effectively evading many dynamic analysis techniques. Other techniques include integrity checks as well as detectors for emulators, rooted devices, and hooks. If any such sign is detected, the malware refrains from its actual malicious behavior. To counter static analyses, these apps apply code encryption, packers, and code obfuscators. Together, these features render most automated analyses ineffective, leaving manual analysis as the only viable option – a very difficult and time-consuming undertaking.

To alleviate the problem, we propose CodeInspect, a new integrated reverse-engineering environment extending the Eclipse IDE and targeting sophisticated state-of-the-art malware apps for Android. With features such as interactive debugging on a human readable representation of the application’s bytecode, CodeInspect aims to greatly reduce the time an analyst requires to understand and judge applications. Using CodeInspect, the engineer can debug an app in combination with the Android Open Source Project (AOSP) live, can rename (obfuscated) identifiers, jump to definitions, remove or add statements and more. Reverse engineers can even add new Java source classes or projects into the application, which can then be called from the original app’s code. This is especially useful when implementing decryption methods which can be directly tested in place.

CodeInspect also includes new code-analysis techniques that, to the best of our knowledge, are not available in any other reverse-engineering tool. These techniques include a fully-automatic de-obfuscation of reflective method calls, string de-obfuscation and a very precise data-flow tracking component that shows suspicious flows from sensitive sources to public sinks, all of which can be easily used in combination. Aside from malware, these features of CodeInspect also allow an analyst to assess the security of closed-source libraries, detect unwanted behaviors in advertisement SDKs, and check apps for security vulnerabilities such as hard-coded secrets.

This talk is aimed at Software Engineers as well as Security Experts. For Software Engineers we will demonstrate how fast users of CodeInspect can extract data from their apps’ bytecode, demonstrating that trying to hide secrets in the code is not secure. If you include keys or passwords in your app code, they are lost – even if you obfuscate them. We will also show how to easily upgrade a trial-version of an application to a full (paid) version with CodeInspect, circumventing prevalent mechanisms for in-app purchases. The goal is to sensitize developers to the risks posed by current technologies.

Cross-posted from SEEBlog


New SSE Papers Accepted

Eric | June 22, 2015

Several new papers written by members of the Secure Software Engineering Group have now been accepted at renowned international venues. The papers cover topics such as the reduction of false positives in static data flow analysis, the in-depth analysis of modern, sophisticated malware applications, and the challenges of developing secure software using agile techniques.

The paper “Using Targeted Symbolic Execution for Reducing False-Positives in Dataflow Analysis” describes a technique for pruning false alarms from the result list of static data flow analysis tools such as FlowDroid. It will appear at the 4th ACM SIGPLAN International Workshop on the State Of the Art in Program Analysis (SOAP 2015), co-located with PLDI 2015 in Portland, Oregon.

The paper “An Investigation of the Android/BadAccents Malware which Exploits a new Android Tapjacking Attack” describes in detail a new and sophisticated malware application for Android. This malware has infected about 20,000 Korean users and stolen banking details from their smartphones. The paper has been accepted for publication at The 9th WISTP International Conference on Information Security Theory and Practice (WISTP’2015).

In a paper called “Analysis of the Challenges of Developing Secure Software Using the Agile Approach”, researchers from the Secure Software Engineering Group investigate the key challenges that arise when using modern agile software development processes for security-critical applications. The paper will be presented at The First International Workshop on Agile Secure Software Development (ASSD) at ARES 2015.


Cross-posted from SEEBlog
