Ryan Johnson

Analysis of Android Applications' Permissions

We developed an architecture that automatically searches for and downloads Android applications from the Android Market. Furthermore, we created a detailed mapping of Android application programming interface (API) calls to the required permission(s), if any, for each call. We then performed an analysis of 141,372 Android applications to determine if they have the appropriate set of permissions based on the static analysis of the APK bytecode of each application. Our findings indicate that the majority of mobile software developers are not using the correct permission set and that they either over-specify or under-specify their security requirements.

Exposing security risks for commercial mobile devices

Recent advances in the hardware capabilities of mobile hand-held devices have fostered the development of open source operating systems and a wealth of applications for mobile phones and tablet devices. This new generation of smart devices, including iPhone and Google Android, are powerful enough to accomplish most of the user tasks previously requiring a personal computer. Moreover, mobile devices have access to Personally Identifiable Information (PII) from a full suite of sensors such as GPS, camera, microphone and others. In this paper, we discuss the security threats that stem from these new smart device capabilities and the online application markets for mobile devices. These threats include malware, data exfiltration, exploitation through USB, and user and data tracking. We present our ongoing research efforts to defend or mitigate the impact of attacks against mobile devices. Our approaches involve analyzing the source code and binaries of mobile applications, kernel-level and data encryption, and controlling the communication mechanisms for synchronizing the user contents with computers and other phones including updates or new version of the operating system or applications over USB. We also explain the emerging challenges in dealing with these security issues when the end-goal is to deploy security-enhanced smart phones into military and tactical scenarios.

Forced-Path Execution for Android Applications on x86 Platforms

We present a code analysis framework that performs scalable forced-path execution of Android applications in commodity hardware. Our goal is to reveal the full application functional behavior for large commercial applications without access to source code. We do so by identifying code blocks and API calls that are deemed sensitive and provide a security report to an analyst regarding the functionality of the Android application that is under inspection. We show that our approach is scalable by allowing for the execution of each software component by numerous instances of execution modules. Each execution instance exercises a different code path through the application call-graph leading to full code and state space coverage and exposing any hidden or unwanted functionality. The output is a list of API calls, parameter values, component call graphs, and control flow graphs. We show how this can be leveraged for automated policy enforcement of runtime functionality.

Exposing software security and availability risks for commercial mobile devices

The advent of smaller, faster, and always connected handheld devices along with the ever-increasing reliance on technology for our everyday activities have introduced novel threats and risks. Beyond hardware security another primary factor that affects the reliability of the device is mobile applications. Indeed, the shift to smart commercially available mobile devices has created a pressing need for understanding the risks in using third-party mobile code running on the mobile devices. This new generation of smart devices and systems, including iPhone and Google Android, are powerful enough to accomplish most of the user tasks previously requiring a personal computer. In our paper, we discuss the cyber threats that stem from these new smart device capabilities and the on-line application markets for mobile devices. These threats include malware, data exfiltration, exploitation through USB, and user and data tracking. In this manuscript, we present our efforts towards a framework for exposing the functionality of a mobile application through a combination of static and dynamic program analysis that attempts to explore all available execution paths including libraries. We verified our approach by testing a large number of Android applications with our dynamic analysis framework to exhibit its functionality and viability. The framework allows complete automation of the execution process so that no user input is required. We also discuss how our static analysis output can be used to inform the execution of the dynamic analysis. Our approach can serve as an extensible basis to fulfill other useful purposes such as symbolic execution, program verification, interactive debugger, and other approaches that require deep inspection of an Android application. In summary, we believe that our efforts are the beginning of a long journey to asserting and exposing the risks of commercially available mobile devices. Our future work will include non-Android platforms.

Targeted DoS on android: how to disable android in 10 seconds or less

we present the implementation and impact of a wide-range of novel targeted Denial of Service (DoS) attacks on Android devices that are persistent across all recent Android platform versions. The DoS attacks can be selectively focused on denying access to device resources including microphone and camera, preventing the installation of applications, making the device unresponsive, targeting and terminating other running applications and processes, and causing a reboot cycle. To make matters worse, the attacks can be launched through regular apps that do not require a rooted device or any permissions with the exception of the attacks on the microphone and camera resources that require simple access rights. We propose and demonstrate defenses against each of these attacks showing that the security and reliability flaws identified require changes in the underlying Android source code to address them.

Improving traditional Android MDMs with non-traditional means

Enterprise Mobile Device Management (MDM) solutions have become widely adopted as large organizations strive to secure their data and exert more control over the mobile devices that access it. In our efforts to provide a more fine-grained control over the mobile device functions, we have discovered additional system-wide capabilities for all levels of Android MDM applications. In addition, we have developed mechanisms that can prevent the installation of undesired applications and block the removal of necessary applications. To achieve that, we employ two development permissions via the Android Debug Bridge (adb) which allows a remote operator to modify the settings database that controls certain capabilities and resources on the device. The proposed approach significantly increases the level of control of an MDM by enabling whitelisting and blacklisting of applications and functionality.

Analysis of content copyright infringement in mobile application markets

As mobile devices increasingly become bigger in terms of display and reliable in delivering paid entertainment and video content, we also see a rise in the presence of mobile applications that attempt to profit by streaming pirated content to unsuspected end-users. These applications are both paid and free and in the case of free applications, the source of funding appears to be advertisements that are displayed while the content is streamed to the device. In this paper, we assess the extent of content copyright infringement for mobile markets that span multiple platforms (iOS, Android, and Windows Mobile) and cover both official and unofficial mobile markets located across the world. Using a set of search keywords that point to titles of paid streaming content, we discovered 8,592 Android, 5,550 iOS, and 3,910 Windows mobile applications that matched our search criteria. Out of those applications, hundreds had links to either locally or remotely stored pirated content and were not developed, endorsed, or, in many cases, known to the owners of the copyrighted contents. We also revealed the network locations of 856,717 Uniform Resource Locators (URLs) pointing to back-end servers and cyber-lockers used to communicate the pirated content to the mobile application.

Pairing continuous authentication with proactive platform hardening

Mobile authentication has always been a usability and security challenge. In the past, researchers have discovered various methods to bypass the screen lock protection mechanism without entering authentication credentials on mobile devices. There is a clear need for authentication to be seamless and continuous but also address the security threats that stem from the current unlock-once, always-on mechanisms. To that end, we developed a framework for continuous behavioral authentication of users. In addition, we introduce a configurable “authentication level” for access to resources and applications. For example, if a users authentication level declines below a pre-specified threshold, all external communications are disabled to prevent exfiltration of sensitive data. Similarly, viewing or modifying any sensitive data on the device is also restricted by moderating access to the underlying file system based on the users authentication level. We will perform a live demonstration of our entire system implemented for Android 6.0.1, and show how it can successfully defend against a wide range of attacks while improving the usability of the mobile device by offering a seamless authentication experience.