Publication


Featured research published by Stefan Kraxberger.


security and privacy in mobile information and communication systems | 2011

Android Security Permissions – Can We Trust Them?

Clemens Orthacker; Peter Teufl; Stefan Kraxberger; Günther Lackner; Michael Gissing; Alexander Marsalek; Johannes Leibetseder; Oliver Prevenhueber

The popularity of the Android System in combination with the lax market approval process may attract the injection of malicious applications (apps) into the market. Android features a permission system allowing a user to review the permissions an app requests and grant or deny access to resources prior to installation. This system conveys a level of trust due to the fact that an app only has access to resources granted by the stated permissions. Thereby, not only the meaning of single permissions, but especially their combination plays an important role for understanding the possible implications. In this paper we present a method that circumvents the permission system by spreading permissions over two or more apps that communicate with each other via arbitrary communication channels. We discuss relevant details of the Android system, describe the permission spreading process, possible implications and countermeasures. Furthermore, we present three apps that demonstrate the problem and a possible detection method.


Security and Communication Networks | 2016

Malware detection by applying knowledge discovery processes to application metadata on the Android Market Google Play

Peter Teufl; Michaela Ferk; Andreas Fitzek; Daniel M. Hein; Stefan Kraxberger; Clemens Orthacker

Recent smartphone platforms based on new operating systems, such as iOS, Android, or Windows Phone, have been a huge success in recent years and open up many new opportunities. Unfortunately, 2011 also showed us that the new technologies and the privacy-related data on smartphones are also increasingly interesting for attackers. Especially, the Android platform has been the favorite target for malware, mainly because of the openness of the platform, the ability to install applications from other sources than the Android Market, and the significant gains in market share. Although the processes of detecting and analyzing malware are well known from the PC world, where the arms race between attackers and defenders has continued for the past 15 years, they cannot be directly applied to smartphone platforms because of differences in the hardware and software architectures. In this paper, we first give an overview of the current malware situation on smartphone platforms with a special focus on Android and explain relevant malware detection and analysis methods. It turns out that most of the current malware relies on the installation by the user, who represents the last line of defense in malware detection. With these conclusions, we then present a new malware detection method that focuses on the information that the user is able to see prior to the installation of an application: the metadata within the platform's software market. Depending on the platform, this includes the application's description, its permissions, the ratings, or information about the developer. To analyze these data, we use sophisticated knowledge discovery processes and lean statistical methods. By presenting a wide range of examples based on real application metadata extracted from the Android Market, we show the possibilities of the new method. With the possibilities, we argue that it should be an essential part of a complete malware analysis/detection chain that includes other well-known methods such as network traffic analysis, or static, or dynamic code inspection.


security and privacy in mobile information and communication systems | 2011

Android Market Analysis with Activation Patterns

Peter Teufl; Stefan Kraxberger; Clemens Orthacker; Günther Lackner; Michael Gissing; Alexander Marsalek; Johannes Leibetseder; Oliver Prevenhueber

The increasing market share of the Android platform is partly caused by a growing number of applications (apps) available on the Android market: by now (January 2011) roughly 200.000. This popularity in combination with the lax market approval process attracts the injection of malicious apps into the market. Android features a fine-grained permission system allowing the user to review the permissions an app requests and grant or deny access to resources prior to installation. In this paper, we extract these security permissions along with other metadata of 130.211 apps and apply a new analysis method called Activation Patterns. Thereby, we are able to gain a new understanding of the apps through extracting knowledge about security permissions, their relations and possible anomalies, executing semantic search queries, finding relations between the description and the employed security permissions, or identifying clusters of similar apps. The paper describes the employed method and highlights its benefits in several analysis examples – e.g. screening the market for possible malicious apps that should be further investigated.


ePart'11 Proceedings of the Third IFIP WG 8.5 international conference on Electronic participation | 2011

Extracting semantic knowledge from twitter

Peter Teufl; Stefan Kraxberger

Twitter is the second largest social network after Facebook and currently 140 million Tweets are posted on average each day. Tweets are messages with a maximum number of 140 characters and cover all imaginable stories ranging from simple activity updates over news coverage to opinions on arbitrary topics. In this work we argue that Twitter is a valuable data source for e-Participation related projects and describe other domains where Twitter has already been used. We then focus on our own semantic-analysis framework based on our previously introduced Semantic Patterns concept. In order to highlight the benefits of semantic knowledge extraction for Twitter related e-Participation projects, we apply the presented technique to Tweets covering the protests in Egypt starting at January 25th and resulting in the ousting of Hosni Mubarak on February 11th 2011. Based on these results and the lessons learned from previous knowledge extraction tasks, we identify key requirements for extracting semantic knowledge from Twitter.


Security and Communication Networks | 2010

An autonomous attestation token to secure mobile agents in disaster response

Daniel M. Hein; Ronald Toegl; Stefan Kraxberger

Modern communication and computing devices have the potential to increase the efficiency of disaster response. Mobile agents are a decentralized and flexible technology to leverage this potential. While mobile agent platforms suffer from a greater variety of security risks than the classic client-server approach, Trusted Computing is capable of alleviating these problems. Unfortunately, Remote Attestation, a core concept of Trusted Computing, requires a powerful networked entity to perform trust decisions. The existence and availability of such a service in a disaster response scenario cannot be relied upon. In this paper we introduce the Autonomous Attestation Token (AAT), a hardware token for mobile computing devices that is capable of guaranteeing the trusted state of a limited set of devices without relying on a networked service. We propose a Local Attestation protocol with user interaction that in conjunction with the AAT allows to prevent unauthorized access to an emergency mobile agent platform.


Security and Communication Networks | 2014

Secure Communication with RFID tags in the Internet of Things

Sandra Dominikus; Stefan Kraxberger

The functional capabilities of radio-frequency identification (RFID) tags are rapidly increasing. Therefore, they can no longer be treated as a pure bar-code substitute, but they should be considered as computing devices. Modern tags are able to store and compute data, or even hold sensors. To draw full advantage from the increased functionality of the tags, it will become important to integrate these tags into the Internet of Things (IoT), that is, enable two-way end-to-end communication over the Internet. Powerful application scenarios can be developed when communication with tags can be established via the network. We introduce the concept of Mobile-IPv6-enabled RFID tags to enable a two-way communication via IPv6. Mobile IPv6 allows integration of passive low-cost RFID tags into the IoT in a transparent and compatible way. Like the “traditional” Internet, many applications can only be built upon secure communication. Therefore, it is essential to provide securing mechanisms. For the Internet, Internet Protocol Security (IPsec) is used to secure the connection between two nodes. In this paper, we want to define security services analogous to IPsec for communication with RFID tags. We analyze the cryptographic capabilities of current RFID tags and build a security layer to enable a secure end-to-end connection between tags and other nodes in the net.


green computing and communications | 2010

Cost-Effective Routing for a Greener Internet

Bernd Bergler; Christopher Preschern; Andreas Reiter; Stefan Kraxberger

Energy costs for data centers are a significant part of the overall expenses for their operation. With a reduction of these and associated costs, huge savings can be achieved. This paper describes a way to reduce the energy costs for data centers. The general idea behind our solution is very simple. Instead of routing the information required for any service interaction to and from the data center with the best latency performance or least utilization we rather propose that instead the one with the current cheapest energy costs should be used. We consider implications of our method to user performance and latency efficiency. Thereafter, we present methods such as mobile IPv6 and traffic tunneling which can be used to implement our general idea and discuss potential problems and benefits. The approaches described in this paper can all be integrated into the IP protocol and require therefore no modifications of the network topology, the used hardware or used protocols.


international conference on emerging security information, systems and technologies | 2009

Secure Routing Approach for Unstructured P2P Systems

Stefan Kraxberger; Udo Payer

Although P2P systems have found their way into almost every field of application, the lack of adequate security concepts, research for specific security algorithms and implementations of suitable security mechanisms are still limiting their full potential. We are focusing on getting an overall view on the security of heterogeneous unstructured P2P systems and finding solutions to this challenging task. This work tries to make the first step towards secure unstructured P2P systems by applying security to routing. Existing secure routing protocols are either intended for structured P2P systems or use mechanisms not adequate for heterogeneous P2P systems. We used the dynamic source routing protocol and proposed security extensions as foundation, adapted and modified the inherent principles to comply with the P2P concept and verified the applicability in a real world system.


mathematical methods models and architectures for network security systems | 2005

Massive data mining for polymorphic code detection

Udo Payer; Peter Teufl; Stefan Kraxberger; Mario Lamberger

Driven by the permanent search for reliable anomaly-based intrusion detection mechanisms, we investigated different statistical methodologies to deal with the detection of polymorphic shellcode. The paper intends to give an overview on existing approaches in the literature as well as a synopsis of our efforts to evaluate the applicability of data mining techniques such as Neural Networks, Self Organizing Maps, Markov Models or Genetic Algorithms in the area of polymorphic code detection. We will then present our achieved results and conclusions.


international conference on communications | 2005

Polymorphic code detection with GA optimized markov models

Udo Payer; Stefan Kraxberger

This paper presents our progression in the search for reliable anomaly-based intrusion detection mechanisms. We investigated different options of stochastic techniques. We started our investigations with Markov chains to detect abnormal traffic. The main aspect in our prior work was the optimization of transition matrices to obtain better detection accuracy. First, we tried to automatically train the transition matrix with normal traffic. Then, this transition matrix was used to calculate the probabilities of a dedicated Markov sequence. This transition matrix was used to find differences between the trained normal traffic and characteristic parts of a polymorphic shellcode. To improve the efficiency of this automatically trained transition matrix, we modified some entries in a way that byte-sequences of typical shellcodes substantially differ from normal network behavior. But this approach did not meet our requirements concerning generalization. Therefore we searched for automatic methods to improve the matrix. Genetic algorithms are adequate tools if just little knowledge about the search space is available and the complexity of the problem is very hard (NP-complete).

Collaboration

Top Co-Authors

Udo Payer, Graz University of Technology
Peter Teufl, Graz University of Technology
Daniel M. Hein, Graz University of Technology
Clemens Orthacker, Graz University of Technology
Alexander Marsalek, Graz University of Technology
Andreas Reiter, Graz University of Technology
Bernd Bergler, Graz University of Technology
Christopher Preschern, Graz University of Technology
Peter Danner, Graz University of Technology
Ronald Toegl, Graz University of Technology