In 2019 I received my Master’s degree from the Vienna University of Technology for my thesis on Efficient Automated Analysis of Android-Applications Related to IT-Security Based on Open-Source-Tools.
Since there were quite fascinating and also shocking results, I decided to publish a very short overview of the thesis results.
Introduction
Mobile and especially smart devices are spreading faster and faster in all areas of daily life, while the operating system Android is with almost 85% market share worldwide in a leading position and the Android Google Play Store counts around 2.8 million mobile applications. However, the threats these applications involve remains untold.
In the last few years, many publications, different analysis approaches, and analysis tools have been published in the field of Android-Security. Most of them with a very specific focus on distinct security areas such as communication, cryptography, and data access or data storage.
In fact, thousands of Open-Source-Security-Analysis-Tools exist on the internet.
Unfortunately, most of them are very focused, opaque, and also hard to install and use. No matter whether you are a simple user, developer, or even security specialist, it seems quite impossible to classify the security of Android-Applications.
So it’s not surprising that there exists a huge amount of security issues also in very common Android-Applications.
One popular, shocking radicular example published by Fahl et. al. is the vulnerability of Zoner AntiVirus, where a missing hostname verification in the SSL-Connection to update virus-signatures causes Zoner AnitVirus to recognize itself as a virus.
Well…
No more words needed…
To provide the ability of automated Android-Application security testing on different security fields, I implemented a web-based Testing as a Service (TaaS) Framework as part of my master thesis with the focus on:
- Consolidation of different static analysis approaches like
- Pattern Matching, Regex
- Taint-Tracking
- Program Slicing
- Data- and Control-Flow-Analysis
- Reuse and composition of existing static Open-Source-Analysis-Tools
- Automated security classification of Android-Applications
- Easy expansion with new analysis approaches and tools
- Answering research questions
Automated Vulnerability Discovery TaaS Framework
The Automated Vulnerability Discovery TaaS Framework consists basically of three different microservice types.
Main-Service
- Connected to a database
- Responsible for data administration
- Provides user interface
- Evaluation of the five security categories
- Insufficient Attack Protection
- Security Invalidation
- Access Control
- Sensitive Data Leakage
- Input Validation
- Security classification into
- SECURE
- WARNING – Code that should be avoided
- POTENTIAL INSECURE – Possible security risk that should be examined manually
- INSECURE – Deviation from State-of-the-Art recommendations with safety-critical effects
RabbitMQ
- Manages and queue new Android-Applications to analyze.
Analysis-Service
- Performs the analysis executed by the included Open-Source-Analysis-Tools
Based on the analysis results of the integrated tools, and the recommendations of the Open Web Application Security Project (OWASP) Top 10 as well as the rules of the CERT Department of the Software Engineering Institute of Carnegie Mellon University (CMU) the AVD-Framework identifies the security class of the analyzed applications.
Security Evaluation of Android-Applications
In order to identify the most common security threats and issues, the most secure and vulnerable Google Play Store categories as well as the changes in the security field of cryptography in the last six years, an evaluation was conducted to automatically determine the security of 100 Android-Applications from 58 different Google Play Store categories.
AVD-Framework Setup
The following graphic provides a short overview of the distributed Framework setup used to evaluate the security class of 5.800 Android-Applications.
Evaluation Results
Analyzing 5.800 Google Play Store Android-Applications using the AVD-Framework resulted in at least one security issue in about 76% of the evaluated Android-Applications.
Most of the issues have been located in the Security Invalidation category or more precisely in the areas of Certificate Validation and Cryptography.
Top insecure classified issues
- Insecure HTTP-Connections
- Security issues in the field of Cryptography (especially in R1, R2, R6 of Egele’s rules)
- Remote Code Execution
- Root-Checks
Re-evaluation of Egele’s Cryptography-Rules R1, R2, R6
The field of Cryptography-Rules concerning the usage of Electronic Code Book Mode (ECB), Cipher Block Chaining Mode (CBC) with non-random Initialization Vector (IV) as well as Static Seeds have been re-evaluated and resulted overall in a decline of problems in the past six years.
Security differences between the Google Play Store categories
The result of insecure classified Android-Applications varied in different Google Play Store categories.
Lower rates of critical applications found in security-critical categories such as MEDICAL (62% Apps with critical issues), FINANCE (65%), and BUSINESS (67%).
Higher rates in categories such as SOCIAL (85%), VIDEO PLAYER (86%), and WEATHER (88%).
Conclusio
The security evaluation results of the 5.800 analyzed Google Play Store Android-Applications is clear.
Despite massive existing scientific publications and Open-Source-Tools, there are critical security issues in most applications. In fact, this is a worrying result concerning the privacy of every single user.
So it must be the goal of security experts and also developers to increase the security and privacy conditions in Android-Applications.
The AVD-Framework I developed, is the first step to provide understandable as well as comparable security reports and to reduce the complexity of security testing.
Unfortunately, I’m not able to provide my AVD-Framework as a publicly available project, since I’m currently working on further improvements within a large Austrian Research and Software Engineering Company, so that the framework can be offered in the future as part of a security analysis product as well as an integration for Continuous Integration / Continuous Deployment pipelines.
