Talk 1: Towards Secure Interoperation in Android : A Study of Interoperation Vulnerabilities in Android
Talk 2: Composing Static Analyzers for Bug and Security Vulnerability Detection in Multilingual Android Applications
Speaker 2: Mr Lee Sungho, PhD Student, KAIST
COM2 Level 4
Executive Classroom, COM2-04-02
Talk 1
Abstract:
Android apps interoperate with different components to provide extensive experience to users. Even though interoperation between Android apps and different components may improve the quality of apps by providing additional features, it may cause security issues.
In this talk, we study interoperation vulnerabilities in the Android platform to improve the security of the mobile platform. We investigate four different levels of interoperation; app level, system level, third-party level, and programming language level. For the app level, we study security issues arisen while Android apps interoperate with each other. We focus on vulnerabilities in managing the Activity component in the Android platform and introduce an activity injection attack. We demonstrate the attack to show how powerful it is and propose a static analyzer and a defense system that detects and prevents such attacks. For the system level, we study security problems while Android apps interoperate with system utilities provided by the Android platform. Among many system utilities, we target ADB (Android Debug Bridge) as it provides powerful debug features. We intensively analyze ADB to understand how malicious apps can exploit ADB to launch various kinds of attacks. Our work shows that the missing authentication logic in an ADB server allows an attacker to leverage powerful functionalities in ADB that lead to critical attacks. For the third-party level, we perform security analysis on smart contracts running in the Ethereum network. We target smart contracts as Android apps provide services utilizing blockchain network and this requires Android apps to interact with smart contracts, but because it is a new technology, the security of the smart contracts has not been explored intensely by security researchers. We empirically study how secure real-world smart contracts are in the case of the Solidity programming language. Unfortunately, our work reveals that many smart contracts are vulnerable due to the known vulnerabilities and lacking the quality of security patches. For future work, we plan to perform security analysis on interoperation between different languages. For this work, we study JNI (Java Native Interface) that allows Java code to interoperate with other programming languages such as C and C++. We will investigate undefined behaviors in the JNI specification and their security issues.
Biodata:
Sungjae Hwang is a Ph.D. student in the School of Computing at Korea Advanced Institute of Science and Technology (KAIST). His research interests include software and system security, reverse engineering and binary analysis, finding new vulnerabilities, and blockchain security. Hwang received an M.S. in computer science at KAIST.
Talk 2
Abstract:
Mobile applications (apps) have long invaded the realm of desktop apps. With multiple mobile platforms, each base language is used to develop mobile apps for the specific mobile platform, and developers easily implement mobile apps via a combination of multiple languages for supporting multiple mobile platforms or reusing existing libraries of other languages. However, because different languages have different semantics and features, developing multilingual apps may be vulnerable to programmer errors. Moreover, because interoperation semantics among languages are not easily examined by existing analysis tools, multilingual apps may be vulnerable to various security attacks.
In this talk, we propose two static analyzer composition models for multilingual Android apps analysis: 1) tightly coupled composition and 2) loosely coupled composition. We adopt the tightly coupled analysis model for Android hybrid apps implemented in both Java and JavaScript. Based-on the interoperation semantics we investigated, we design and implement a static analysis framework HybriDroid that composites two frontend analysis modules for each language, and bridges the modules using a shared backend analysis module. HybriDroid seamlessly analyzes the interoperation and detects bugs and information leaks cross language boundaries. We also propose Adlib, which augments HybriDroid with various analysis models for advertisement libraries to discover security vulnerabilities in the mobile advertising ecosystem. For an unconstrained composition of analyzers, we design the loosely coupled model in which a static analyzer utilizes the analysis results of another. As a proof of concept, we propose an analysis tool that composes two static analyzers for Java and C to construct call graphs and detect interoperation bugs in JNI programs. Our empirical evaluation shows that the composition approaches are useful to find genuine bugs and security vulnerabilities in real-world multilingual Android apps. We believe that this work would be the first step that broadens the scope of static analysis to multilingual programs.
Biodata:
Sungho Lee is a Ph.D. student in the School of Computing at Korea Advanced Institute of Science and Technology (KAIST). His research interests include security vulnerability detection of Android applications via static analysis techniques and static analysis for multi-lingual programs. Lee received an M.S. in computer science at KAIST.