SSE Group Detects Massive Data Leaks in Apps using Backend-as-a-Service

Eric | May 27, 2015


With the help of CodeInspect, Appicaptor and an internally developed tool, researchers from TU Darmstadt and Fraunhofer SIT have found that many mobile applications store private information in the cloud, in an easily accessible manner.

Many users of mobile applications want their data to be synced across multiple platforms (iOS/Android/Windows/OSX/…). For app developers it is typically hard to support synchronization, as they need to set up backend servers on which the data can be stored and synchronized. Cloud providers such as Amazon and Parse.com therefore provide backends as a service (BaaS). With BaaS, app developers can simply connect to pre-configured servers using a few lines of program code. This makes data storage and synchronization through the cloud very easy. Some apps use BaaS to share public data, which is fine as long as the data is configured to be read-only. Many apps, however, also use BaaS to store confidential data such as user names, email addresses, contact information, passwords and other secrets, photos and generally any kind of data one can think of. Such data should only be accessible to the individual app user who stored it. The researchers found more than 56 million sets of unprotected data, including email addresses, passwords, health records and other sensitive information of app users, which may be easily stolen and often manipulated. Read the official release here.
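The post's point is that the difference between "public data configured read-only" and "confidential data readable by anyone" is purely an access-control setting on each stored object. As an added example (not code from the original post or from the research group's tools), the following Python script audits an exported set of backend objects for exactly that mistake. The ACL representation is modelled on the Parse REST format, where each object carries an `ACL` map keyed by `*` (everyone), a user id, or `role:<name>`; the sample records and the `owner` field are constructed for this example, and an object with no ACL at all is treated as publicly readable and writable, which is the assumption a reviewer should make until the class-level permissions say otherwise.

```python
import json

# Field names that, by the post's own list, belong to one user only (constructed set).
SENSITIVE_FIELDS = {"email", "password", "passwordHash", "phone", "contacts",
                    "healthRecord", "photo", "token"}


def acl_permits(acl, principal, perm):
    """True if the Parse-style ACL grants `perm` ('read' or 'write') to `principal`.

    A missing ACL (None) is treated as granting everything to everyone: an object
    stored without an ACL is public unless the class itself is locked down (assumption).
    """
    if acl is None:
        return True
    return bool(acl.get(principal, {}).get(perm, False))


def audit_record(record):
    """Return a list of human-readable findings for one exported object."""
    findings = []
    acl = record.get("ACL")
    owner = record.get("owner")  # hypothetical field naming the user who stored the object
    sensitive = sorted(f for f in record if f in SENSITIVE_FIELDS)

    if acl is None:
        findings.append("no ACL: object is readable and writable by anyone")
    if sensitive and acl_permits(acl, "*", "read"):
        findings.append("public read exposes " + ", ".join(sensitive))
    if acl_permits(acl, "*", "write"):
        findings.append("public write: any client can modify or delete this object")
    if owner and acl is not None:
        others = sorted(p for p in acl if p not in ("*", owner))
        if others:
            findings.append("shared with non-owner principals: " + ", ".join(others))
    return findings


def audit_export(records):
    """Map each objectId to its findings; an empty list means the object looks correctly scoped."""
    return {r["objectId"]: audit_record(r) for r in records}


# Constructed sample export: one leaky user record, one correctly scoped user record,
# one intentionally public read-only notice, and one record stored with no ACL at all.
SAMPLE_EXPORT = json.loads("""
[
  {"objectId": "u1", "owner": "u1", "email": "a@example.org", "passwordHash": "placeholder",
   "ACL": {"*": {"read": true}, "u1": {"read": true, "write": true}}},
  {"objectId": "u2", "owner": "u2", "email": "b@example.org",
   "ACL": {"u2": {"read": true, "write": true}}},
  {"objectId": "n1", "title": "Public notice", "body": "opening hours",
   "ACL": {"*": {"read": true}, "role:Editors": {"read": true, "write": true}}},
  {"objectId": "u3", "owner": "u3", "healthRecord": "placeholder"}
]
""")


if __name__ == "__main__":
    for object_id, findings in audit_export(SAMPLE_EXPORT).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{object_id}: {status}")
```

Run against a real export, the interesting output is the objects whose findings list is non-empty: `u1` is the pattern the researchers describe (per-user data with a public read grant), `u3` is the "forgot to set an ACL" case, while `n1` shows that public read on non-sensitive data with writes restricted to a role is a legitimate configuration and produces no finding.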

Cross-posted from SEEBlog

Categories
Research

Slides and Live-Demo about CodeInspect from the CARO 2015 workshop are online

Eric | May 13, 2015

We gave a talk about CodeInspect at the CARO 2015 workshop in Hamburg. The slides and the live-demo (video) are available here: https://goo.gl/LblcR5

The main elements of the CodeInspect demo are:

  • Jimple manipulation
  • Interactive debugging
  • Hyperlinks in XML files (e.g., layout.xml or AndroidManifest.xml)
  • Java Source Code Enhancement

If you are interested in further videos about CodeInspect, you can find them here: http://sseblog.ec-spride.de/2014/12/codeinspect/

Enjoy!

Cross-posted from SEEBlog

Categories
Research

Wanted: Research Assistant

Eric | April 20, 2015

Are you interested in call graph generation for static analysis and machine-driven soundness proof?

If you are interested in becoming a research assistant in our group, have a look at the proposal.

Cross-posted from SEEBlog

Categories
Research

Android Security Acknowledgements 2015

Eric | April 9, 2015

Stephan Huber (Fraunhofer SIT) and Siegfried Rasthofer were acknowledged by the Android Security Team for our tapjacking attack:

https://source.android.com/devices/tech/security/overview/acknowledgements.html

Thank you!

Cross-posted from SEEBlog

Categories
Research

CodeInspect @DroidCon

Eric | April 8, 2015

CodeInspect will be presented at the 7th edition of DroidCon in Berlin. Droidcon is a global developer conference series and a network focusing on the best of Android. Our talk “DISMANTLING DROIDS FOR BREAKFAST – THE CURRENT STATE OF APP REVERSE ENGINEERING” is aimed at Software Engineers as well as Security Experts.

Looking forward to an interesting conference with lots of “droid-talks”.

Cross-posted from SEEBlog

Categories
Research

Wanted: Research assistant in CROSSING project

Eric | April 8, 2015

We are currently looking for a research assistant to support us in designing an Eclipse plugin to represent Clafer models. These models aim to guide the user on how to use cryptographic components appropriately.

Have a look at the attached proposal and contact us!

Proposal

Cross-posted from SEEBlog

Categories
Research

OCAP Phase 2 report out

Eric | April 2, 2015

The OCAP has published its Phase 2 report on its security analysis of the TrueCrypt code base. It appears that they discovered no major issues. In the meantime we are making good progress on our own in-depth security analysis of TrueCrypt for the BSI. We hope to be able to make this one public, too, at some point.

Cross-posted from SEEBlog

Categories
Research

First International Workshop on Agile Secure Software Development

Eric | April 2, 2015

Only two weeks left to submit to our workshop on Agile Secure Software Development. Better get started on your paper now!

Cross-posted from SEEBlog

Categories
Research

An Investigation of the Android/BadAccents Malware

Eric | April 1, 2015


Earlier this year, we reported on the Korean threat we identified in collaboration with McAfee Mobile Research. We have now released a technical report describing in detail the Android/BadAccents malware. Furthermore, we also describe a new tapjacking attack (also reported earlier this year) the malware exploited.

The technical report also describes the fix we submitted to the Android Security Team in January this year. Until now (approximately 4 months later), the official AOSP still doesn’t include the fix, meaning that likely all Android versions are still vulnerable. Unfortunately, there is no real protection mechanism for the user against this attack. A general recommendation from our side is to install apps only from the official app stores and to use anti-virus applications (many AV vendors already detect this malware family).

Cross-posted from SEEBlog

Categories
Research

heute.de reports on Harvester

Eric | March 30, 2015

The major German news station heute.de is reporting on our tool Harvester and on time bombs in apps in general. Read the German article here.

In the meantime we are doing our best to get both CodeInspect and Harvester ready for roll-out. Stay tuned for more.

Cross-posted from SEEBlog

Categories
Research