privacy issues with the google android market
play

Privacy Issues with the Google Android Market Thorben Kr uger - PowerPoint PPT Presentation

Oct 23, 2022 •157 likes •774 views

Privacy Issues with the Google Android Market Thorben Kr uger Bastiaan Wissingh benthor@os3.nl bastiaan@os3.nl February 2, 2011 1/ 18 Outline Introduction Terms Research I Background MITM Sniffing Findings Research II App Analysis

  1. Privacy Issues with the Google Android Market Thorben Kr¨ uger Bastiaan Wissingh benthor@os3.nl bastiaan@os3.nl February 2, 2011 1/ 18

  2. Outline Introduction Terms Research I Background MITM Sniffing Findings Research II App Analysis Findings Implications Bonus Conclusion 2/ 18

  3. Definition of Terms 3/ 18

  4. Definition of Terms ◮ Android 3/ 18

  5. Definition of Terms ◮ Android ◮ Google Android Market 3/ 18

  6. Definition of Terms ◮ Android ◮ Google Android Market ◮ XMPP 3/ 18

  7. Definition of Terms ◮ Android ◮ Google Android Market ◮ XMPP ◮ App 3/ 18

  8. Original Question Google Android Market - Remotely Controllable? 4/ 18

  9. Original Question Google Android Market - Remotely Controllable? ◮ To what exact extent? 4/ 18

  10. Original Question Google Android Market - Remotely Controllable? ◮ To what exact extent? ◮ Suspicion: Highly Privileged Remove Administration Functionality 4/ 18

  11. Original Question Google Android Market - Remotely Controllable? ◮ To what exact extent? ◮ Suspicion: Highly Privileged Remove Administration Functionality ◮ What Privacy Issues? 4/ 18

  12. Original Question Google Android Market - Remotely Controllable? ◮ To what exact extent? ◮ Suspicion: Highly Privileged Remove Administration Functionality ◮ What Privacy Issues? ◮ Proposed Mitigations? 4/ 18

  13. Current Research: Status 5/ 18

  14. Current Research: Status ◮ Market uses XMPP over SSL 5/ 18

  15. Current Research: Status ◮ Market uses XMPP over SSL ◮ Google Android: A State-of-the-Art Review of Security Mechanisms 5/ 18

  16. Current Research: Status ◮ Market uses XMPP over SSL ◮ Google Android: A State-of-the-Art Review of Security Mechanisms ◮ AppBrain 5/ 18

  17. Approach: SSL Man-In-The-Middle 6/ 18

  18. Approach: SSL Man-In-The-Middle ◮ Idea: Traffic Introspection 6/ 18

  19. Approach: SSL Man-In-The-Middle ◮ Idea: Traffic Introspection ◮ Methods: Lots Of Dirty Hacks 6/ 18

  20. Traffic Analysis: Results 7/ 18

  21. Traffic Analysis: Results ◮ Confirmed: XMPP-Triggered Installation 7/ 18

  22. Traffic Analysis: Results ◮ Confirmed: XMPP-Triggered Installation ◮ Unconfirmed: Additional Functionality 7/ 18

  23. Approach: Reverse Engineering 8/ 18

  24. Approach: Reverse Engineering ◮ Analyze Market Package 8/ 18

  25. Approach: Reverse Engineering ◮ Analyze Market Package ◮ Core System Application 8/ 18

  26. Binary Analysis: Findings 9/ 18

  27. Binary Analysis: Findings ◮ Binary Decodable To “Assembly” 9/ 18

  28. Binary Analysis: Findings ◮ Binary Decodable To “Assembly” ◮ Results Hardly Readable 9/ 18

  29. Binary Analysis: Findings ◮ Binary Decodable To “Assembly” ◮ Results Hardly Readable ◮ Evidence: Remotely Triggerable Functionality 9/ 18

  30. Binary Analysis: Findings ◮ Binary Decodable To “Assembly” ◮ Results Hardly Readable ◮ Evidence: Remotely Triggerable Functionality ◮ INSTALL ASSET ◮ REMOVE ASSET 9/ 18

  31. Binary Analysis: Findings ◮ Binary Decodable To “Assembly” ◮ Results Hardly Readable ◮ Evidence: Remotely Triggerable Functionality ◮ INSTALL ASSET ◮ REMOVE ASSET ◮ Evidence: Persistent Connection 9/ 18

  32. Privacy Implications 10/ 18

  33. Privacy Implications ◮ No Evidence For: Advanced Remote Control Functionality 10/ 18

  34. Privacy Implications ◮ No Evidence For: Advanced Remote Control Functionality ◮ Possible Issue For Some: Remotely Triggered Application Removal 10/ 18

  35. Mitigation Idea: Patch Script 11/ 18

  36. Mitigation Idea: Patch Script ◮ “Assembly” Rebuildable To Binary 11/ 18

  37. Mitigation Idea: Patch Script ◮ “Assembly” Rebuildable To Binary ◮ Result Still Executable 11/ 18

  38. Mitigation Idea: Patch Script ◮ “Assembly” Rebuildable To Binary ◮ Result Still Executable ◮ Assembly-Level Patch: Remove Unwanted Functionality 11/ 18

  39. Accidental Finding: Market App Honors Permission System 12/ 18

  40. Accidental Finding: Market App Honors Permission System ◮ Error For Patched Market: No Permission To Install Apps 12/ 18

  41. Accidental Finding: Market App Honors Permission System ◮ Error For Patched Market: No Permission To Install Apps ◮ Very Unexpected 12/ 18

  42. Digression: Android Permission System 13/ 18

  43. Digression: Android Permission System ◮ Central Part Of Android Architecture 13/ 18

  44. Digression: Android Permission System ◮ Central Part Of Android Architecture ◮ Open Source! 13/ 18

  45. Digression: Android Permission System ◮ Central Part Of Android Architecture ◮ Open Source! ◮ Uses: Plain XML Files 13/ 18

  46. Digression: Android Permission System ◮ Central Part Of Android Architecture ◮ Open Source! ◮ Uses: Plain XML Files ◮ Problem: Very Coarse Grained UI 13/ 18

  47. Android Permission System: Current Research 14/ 18

  48. Android Permission System: Current Research ◮ permissionBlocker.apk 14/ 18

  49. Android Permission System: Current Research ◮ permissionBlocker.apk ◮ Apex 14/ 18

  50. Proposal: Extension of Apex 15/ 18

  51. Proposal: Extension of Apex ◮ Requires: Changes To Software Stack 15/ 18

  52. Proposal: Extension of Apex ◮ Requires: Changes To Software Stack ◮ Hurdle: System App Permissions Handled Differently 15/ 18

  53. Proposal: Extension of Apex ◮ Requires: Changes To Software Stack ◮ Hurdle: System App Permissions Handled Differently ◮ Red Tape: Nothing Has Been Released 15/ 18

  54. Conclusion 16/ 18

  55. Conclusion ◮ Current Market App Less Evil Than Expected 16/ 18

  56. Conclusion ◮ Current Market App Less Evil Than Expected ◮ Binary/Assembly Patches Possible 16/ 18

  57. Conclusion ◮ Current Market App Less Evil Than Expected ◮ Binary/Assembly Patches Possible ◮ Alternative Approach: Permission Management 16/ 18

  58. Outlook 17/ 18

  59. Outlook ◮ Reimplement Apex: NLnet funding? 17/ 18

  60. Questions? 18/ 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
Android Google Maps Android API V2 Victor Matos Cleveland State University Notes are based on:

Android Google Maps Android API V2 Victor Matos Cleveland State University Notes are based on:

Lesson 25 Android Google Maps Android API V2 Victor Matos Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced from work created and shared by Google

518 views • 41 slides
(Android) https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

(Android) https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2

(Android) https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2 (iPhone) https://itunes.apple.com/us/app/google-authenticator/id388497605?mt=8 (Android)

365 views • 13 slides
Part 1: Setup Google Map API for Android Prerequisites Please make sure that you can deploy a

Part 1: Setup Google Map API for Android Prerequisites Please make sure that you can deploy a

11/12/13 Setup Google Map API for Android Setup Google Map API for Android Part 1: Setup Google Map API for Android Prerequisites Please make sure that you can deploy a regular Android App on your device. See instructions if you did not finish

384 views • 6 slides
A Measurement Study of Google Play Nicolas Viennot Edward Garcia Jason Nieh Columbia

A Measurement Study of Google Play Nicolas Viennot Edward Garcia Jason Nieh Columbia

A Measurement Study of Google Play Nicolas Viennot Edward Garcia Jason Nieh Columbia University Android is increasingly popular Android Dominates the Market Google Play Uploading Content to Google Play is Easy Very low barrier to

730 views • 72 slides
Android Google Maps Android API V2 Victor Matos Cleveland State University Cleveland State

Android Google Maps Android API V2 Victor Matos Cleveland State University Cleveland State

Lesson 25 Lesson 25 Android Google Maps Android API V2 Victor Matos Cleveland State University Cleveland State University Notes are based on: Android Developers http://developer.android.com/index.html Portions of this page are reproduced

1k views • 21 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. https://www.isecpartners.com Agenda Android Security Model

725 views • 47 slides
Google Privacy & Security interfaces Dominic Battr Robert Brauer Google Confidential and

Google Privacy & Security interfaces Dominic Battr Robert Brauer Google Confidential and

Google Privacy & Security interfaces Dominic Battr Robert Brauer Google Confidential and Proprietary Google Privacy Principles 1. Use information to provide our users with valuable products and services. 2. Develop products that

541 views • 13 slides
Android update June 2010 David Melgar david@broadreachsoftware.com Android application

Android update June 2010 David Melgar david@broadreachsoftware.com Android application

Android update June 2010 David Melgar david@broadreachsoftware.com Android application development Agenda Google I/O Froyo Future Other Device updates Google I/O Googles developer conference May 2010, San Francisco

594 views • 24 slides
CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is

CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is

CS 528 Mobile and Ubiquitous Computing Lecture 1b: Introduction to Android Emmanuel Agu What is Android? Android is worlds leading mobile operating system Open source (https://source.android.com/setup/) Google: Owns Android,

652 views • 43 slides
CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is

CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is

CS 403X Mobile and Ubiquitous Computing Lecture 2: Introduction to Android Emmanuel Agu What is Android? Android is worlds leading mobile operating system Google: Owns Android, maintains it, extends it Distributes Android OS,

589 views • 35 slides
CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu

CS 528 Mobile and Ubiquitous Computing Lecture 2: Android Introduction and Setup Emmanuel Agu What is Android? Android is worlds leading mobile operating system Google: Owns Android, maintains it, extends it Distributes Android

388 views • 38 slides
Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android Security since 2013 Software Engineer Acknowledgements

927 views • 38 slides
Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android

SELinux in Android Oreo or: How I Learned to Stop Worrying and Love Attributes Dan Cashman September 15th, 2017 $ whoami Dan Cashman - dcashman@google.com Android Security since 2013 Software Engineer Acknowledgements

627 views • 40 slides
Mobile Internet in Russia Prepared by J'son & Partners Consulting for Google Android and

Mobile Internet in Russia Prepared by J'son & Partners Consulting for Google Android and

Mobile Internet in Russia Prepared by J'son & Partners Consulting for Google Android and Mobile Marketing, Google Russia Android and Mobile Marketing, Google Russia Google Confidential and Proprietary Table of Contents 1. Mobile Internet

551 views • 40 slides
Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition

Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition

Strategic Issues for Binary/File Format ILDG4 May 21 2004, T.Yoshie CCS,Tsukuna Definition binary format: array format of config. U(3,3,X,,,) numerical format (precision,IEEE,byte-order) file format: format of a file

88 views • 8 slides
Enhancing Data Sets for Accelerated Wind Energy Development Advancing the state of the art in

Enhancing Data Sets for Accelerated Wind Energy Development Advancing the state of the art in

Enhancing Data Sets for Accelerated Wind Energy Development Advancing the state of the art in data set dissemination Erik Quaeghebeur Wind Energy Group Delft University of Technology OEEC 2017 EUROS for wind energy 11 October 2017

750 views • 27 slides
Simple nonunifilar binary word generators Sarah Marzen June 1, 2013 Outline Motivation

Simple nonunifilar binary word generators Sarah Marzen June 1, 2013 Outline Motivation

Simple nonunifilar binary word generators Sarah Marzen June 1, 2013 Outline Motivation Results Simple nonunifilar source (SNS) Variation on the SNS A different set of nonunifilar binary word generators (preliminary)

521 views • 29 slides
A jump-target identification method for multi-architecture static binary translation Alessandro

A jump-target identification method for multi-architecture static binary translation Alessandro

A jump-target identification method for multi-architecture static binary translation Alessandro Di Federico Giovanni Agosta Politecnico di Milano CASES 2016 October 4, 2016 Index Introduction Our solution Evaluation Static binary

667 views • 63 slides
Lecture 27: Sorting & Searching CS 1110 Introduction to Computing Using Python [E.

Lecture 27: Sorting & Searching CS 1110 Introduction to Computing Using Python [E.

http://www.cs.cornell.edu/courses/cs1110/2018sp Lecture 27: Sorting & Searching CS 1110 Introduction to Computing Using Python [E. Andersen, A. Bracy, D. Gries, L. Lee, S. Marschner, C. Van Loan, W. White] Announcements Academic

334 views • 17 slides
About me Operations Engineer - DevOps BS, MS, and CAS in Telecommunications

About me Operations Engineer - DevOps BS, MS, and CAS in Telecommunications

Analyzing large flow data sets using modern open-source data search and visualization tools FloCon 2014 Max Putas About me Operations Engineer - DevOps BS, MS, and CAS in Telecommunications Work/research interests System

614 views • 22 slides
Final Advisor Mr. Harker Presentation May15-03 Agenda System Technical Project Problem

Final Advisor Mr. Harker Presentation May15-03 Agenda System Technical Project Problem

Team (May 15-03) Shawn LaGrotta lagrotta@iastate.edu Matt Eckes mweckes@iastate.edu Jacob Mayer jdmayer@iastate.edu Trevor Boone tdboone@iastate.edu Jacob Schulz jschulz@iastate.edu Client HGST Final Advisor Mr. Harker Presentation

572 views • 40 slides
Git: A Guide for Economists Frank Pinter 22 February 2019 1 / 32 Outline The importance of

Git: A Guide for Economists Frank Pinter 22 February 2019 1 / 32 Outline The importance of

Git: A Guide for Economists Frank Pinter 22 February 2019 1 / 32 Outline The importance of version control Getting started on a project Using Git Using Git for collaboration 2 / 32 What is version control? Version control is a way to keep

597 views • 32 slides

More recommend