The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based - - PowerPoint PPT Presentation

the betrayal at cloud city
SMART_READER_LITE
LIVE PREVIEW

The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based - - PowerPoint PPT Presentation

Nov 12, 2022 320 likes •1.34k views

The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based Mobile Backends Omar Alrawi* , Chaoshun Zuo * , Ruian Duan, Ranjita Pai Kasturi, Zhiqiang Lin, Brendan Saltaformaggio *First Co-Authors Conference Conference Conference More

slide-1
SLIDE 1

The Betrayal At Cloud City: An Empirical Analysis Of Cloud-Based Mobile Backends

Omar Alrawi*, Chaoshun Zuo*, Ruian Duan, Ranjita Pai Kasturi, Zhiqiang Lin, Brendan Saltaformaggio *First Co-Authors

slide-2
SLIDE 2

Conference

slide-3
SLIDE 3

Conference

slide-4
SLIDE 4

Conference

slide-5
SLIDE 5

More Than What’s on The Surface

slide-6
SLIDE 6

More Than What’s on The Surface Mobile App

slide-7
SLIDE 7

More Than What’s on The Surface

Cloud Backend

Mobile App

slide-8
SLIDE 8

More Than What’s on The Surface

Cloud Backend

Mobile App Web App

slide-9
SLIDE 9

More Than What’s on The Surface

Cloud Backend

Mobile App Web App Software Services

slide-10
SLIDE 10

More Than What’s on The Surface

Cloud Backend

Mobile App Web App Software Services Operating System

slide-11
SLIDE 11

More Than What’s on The Surface

Cloud Backend

Mobile App Web App Software Services Operating System (v)Hardware

slide-12
SLIDE 12

Mobile Backends All Over the News

slide-13
SLIDE 13

Mobile Backends All Over the News

slide-14
SLIDE 14

Mobile Backends All Over the News

slide-15
SLIDE 15

Prior Work

  • The rise of backends
  • Acar et al. "SoK: Lessons learned from android security

research for appified software platforms." IEEE S&P, 2016.

slide-16
SLIDE 16

Prior Work

  • The rise of backends
  • Acar et al. "SoK: Lessons learned from android security

research for appified software platforms." IEEE S&P, 2016.

  • Evolution of backends
slide-17
SLIDE 17

Prior Work

  • The rise of backends
  • Acar et al. "SoK: Lessons learned from android security

research for appified software platforms." IEEE S&P, 2016.

  • Evolution of backends
  • App Thinning1

[1] Mojica, Gregg. Working with App Thinning in iOS 9https://www.appcoda.com/app-thinning/, Accessed Aug 2019

slide-18
SLIDE 18

Prior Work

  • The rise of backends
  • Acar et al. "SoK: Lessons learned from android security

research for appified software platforms." IEEE S&P, 2016.

  • Evolution of backends
  • App Thinning1
  • Security of Backends

[1] Mojica, Gregg. Working with App Thinning in iOS 9https://www.appcoda.com/app-thinning/, Accessed Aug 2019

slide-19
SLIDE 19

Prior Work

  • The rise of backends
  • Acar et al. "SoK: Lessons learned from android security

research for appified software platforms." IEEE S&P, 2016.

  • Evolution of backends
  • App Thinning1
  • Security of Backends
  • Zuo et al. "Authscope: Towards automatic discovery of

vulnerable authorizations in online services." ACM CCS., 2017

  • Zuo et al. "Why does your data leak? uncovering the data

leakage in cloud from mobile apps.” IEEE S&P. 2019

  • Appthority2

[1] Mojica, Gregg. Working with App Thinning in iOS 9https://www.appcoda.com/app-thinning/, Accessed Aug 2019 [2] K. Watkins, “HospitalGown: The Backend Exposure Putting Enterprise Data at Risk,” Appthority, Tech. Rep., 2017.

slide-20
SLIDE 20

Mel is an app developer. Mel just wants to ship his killer app.

slide-21
SLIDE 21

Mel is an app developer. Mel just wants to ship his killer app.

Mobile App Web App Software Services Operating System (v)Hardware

slide-22
SLIDE 22

Let’s Help Mel

slide-23
SLIDE 23

Let’s Help Mel

Challenges for Mel

slide-24
SLIDE 24

Let’s Help Mel

Challenges for Mel

  • What backends does my app use?
slide-25
SLIDE 25

Let’s Help Mel

Challenges for Mel

  • What backends does my app use?
  • How do I check if they are secure?
slide-26
SLIDE 26

Let’s Help Mel

Challenges for Mel

  • What backends does my app use?
  • How do I check if they are secure?
  • How do I fix them?
slide-27
SLIDE 27

Let’s Help Mel

Challenges for Mel

  • What backends does my app use?
  • How do I check if they are secure?
  • How do I fix them?
  • Can I fix them (attribution)?
slide-28
SLIDE 28

Let’s Help Mel

Challenges for Mel

  • What backends does my app use?
  • How do I check if they are secure?
  • How do I fix them?
  • Can I fix them (attribution)?
slide-29
SLIDE 29

Let’s Help Mel

Challenges for Mel

  • What backends does my app use?
  • How do I check if they are secure?
  • How do I fix them?
  • Can I fix them (attribution)?

Mel’s Dream: Upload APK and vet all backends!

slide-30
SLIDE 30

What Backends My App Uses?

slide-31
SLIDE 31

What Backends My App Uses?

slide-32
SLIDE 32

What Backends My App Uses?

slide-33
SLIDE 33

What Backends My App Uses?

slide-34
SLIDE 34

What Backends My App Uses?

slide-35
SLIDE 35

What Backends My App Uses?

slide-36
SLIDE 36

How Many Backends?

slide-37
SLIDE 37

How Many Backends? 10 or More Unique Backends on Average

slide-38
SLIDE 38

How Many Backends? 10 or More Unique Backends on Average

slide-39
SLIDE 39

How Do I Check If They Are Secure?

slide-40
SLIDE 40

How Do I Check If They Are Secure?

slide-41
SLIDE 41

How Do I Check If They Are Secure?

First: Bug finding via input perturbation

slide-42
SLIDE 42

How Do I Check If They Are Secure?

First: Bug finding via input perturbation

slide-43
SLIDE 43

How Do I Check If They Are Secure?

First: Bug finding via input perturbation

slide-44
SLIDE 44

How Do I Check If They Are Secure?

First: Bug finding via input perturbation

slide-45
SLIDE 45

How Do I Check If They Are Secure?

First: Bug finding via input perturbation SQLi, XSS, XXE

slide-46
SLIDE 46

How Do I Check If They Are Secure?

slide-47
SLIDE 47

How Do I Check If They Are Secure?

Second: Scan services for known vulnerabilities

slide-48
SLIDE 48

65K Ports

How Do I Check If They Are Secure?

Second: Scan services for known vulnerabilities

slide-49
SLIDE 49

65K Ports

How Do I Check If They Are Secure?

Second: Scan services for known vulnerabilities

slide-50
SLIDE 50

65K Ports

How Do I Check If They Are Secure?

Second: Scan services for known vulnerabilities

slide-51
SLIDE 51

65K Ports

How Do I Check If They Are Secure?

Second: Scan services for known vulnerabilities

slide-52
SLIDE 52

65K Ports

How Do I Check If They Are Secure?

Second: Scan services for known vulnerabilities

slide-53
SLIDE 53

Can I Fix Them?

slide-54
SLIDE 54

Can I Fix Them?

Mobile App Web App Software Services Operating System (v)Hardware

slide-55
SLIDE 55

Can I Fix Them?

Mobile App Web App Software Services Operating System (v)Hardware

First-Party: If Mel owns the whole stack

slide-56
SLIDE 56

Can I Fix Them?

Mobile App Web App Software Services Operating System (v)Hardware

Mel is responsible for this portion

First-Party: If Mel owns the whole stack

slide-57
SLIDE 57

Can I Fix Them?

Mobile App Web App Software Services Operating System (v)Hardware

slide-58
SLIDE 58

Can I Fix Them?

Mobile App Web App Software Services Operating System (v)Hardware

No Access! SDK Access

Third-Party: If Mel uses an SDK

slide-59
SLIDE 59

Can I Fix Them?

Mobile App Web App Software Services Operating System (v)Hardware

slide-60
SLIDE 60

Can I Fix Them?

Mobile App Web App Software Services Operating System (v)Hardware

Mel is responsible for this portion

Hybrid: If Mel uses a rented platform

slide-61
SLIDE 61

Can I Fix Them?

Mobile App Web App Software Services Operating System (v)Hardware

Mel is responsible for this portion Platform Provider is responsible for this portion

Rented!

Hybrid: If Mel uses a rented platform

slide-62
SLIDE 62

How Do I Fix Them?

slide-63
SLIDE 63

How Do I Fix Them?

slide-64
SLIDE 64

How Do I Fix Them?

Data Aggregation and Consolidation

slide-65
SLIDE 65

How Do I Fix Them?

Data Aggregation and Consolidation

slide-66
SLIDE 66

How Do I Fix Them?

Data Aggregation and Consolidation

slide-67
SLIDE 67

How Do I Fix Them?

Data Aggregation and Consolidation

slide-68
SLIDE 68

Geo and Net Distribution

How can Mel be expected to solve everything?

slide-69
SLIDE 69

Google Play Store

slide-70
SLIDE 70

Google Play Store

  • Top 5,000 apps from August 2018
slide-71
SLIDE 71

Google Play Store

  • Top 5,000 apps from August 2018
  • We found
  • Over 600 0-DAY
  • Over 900 N-DAY
slide-72
SLIDE 72

Google Play Store

  • Top 5,000 apps from August 2018
  • We found
  • Over 600 0-DAY
  • Over 900 N-DAY

Mobile App Web App Software Services Operating System (v)Hardware

slide-73
SLIDE 73

Google Play Store

  • Top 5,000 apps from August 2018
  • We found
  • Over 600 0-DAY
  • Over 900 N-DAY
  • 0-day vulnerabilities affect web

apps

Mobile App Web App Software Services Operating System (v)Hardware

slide-74
SLIDE 74

Google Play Store

  • Top 5,000 apps from August 2018
  • We found
  • Over 600 0-DAY
  • Over 900 N-DAY
  • 0-day vulnerabilities affect web

apps

  • N-day affects software below the

web apps

Mobile App Web App Software Services Operating System (v)Hardware

slide-75
SLIDE 75

Overall Vulnerabilities

slide-76
SLIDE 76

Overall Vulnerabilities

Over 1,600 Vulnerability Instances

slide-77
SLIDE 77

Overall Vulnerabilities

slide-78
SLIDE 78

Overall Vulnerabilities

Over 600 ZERO-DAYS!

slide-79
SLIDE 79

Overall Vulnerabilities

slide-80
SLIDE 80

Overall Vulnerabilities

Audited over 9,000 backends

slide-81
SLIDE 81

Overall Vulnerabilities

slide-82
SLIDE 82

Overall Vulnerabilities

Over 1,000 third-party backends. Used by multiple mobile apps!

slide-83
SLIDE 83

Top Vulnerabilities

slide-84
SLIDE 84

Top Vulnerabilities

slide-85
SLIDE 85

Top Vulnerabilities

slide-86
SLIDE 86

Top Vulnerabilities

slide-87
SLIDE 87

Top Vulnerabilities

slide-88
SLIDE 88

Top Vulnerabilities

slide-89
SLIDE 89

Top Vulnerabilities BEWARE: Can Install Malicious Apps Through Redirection

slide-90
SLIDE 90

Top Vulnerabilities

slide-91
SLIDE 91

Top Vulnerabilities

slide-92
SLIDE 92

Top Zero-Day Vulnerabilities

slide-93
SLIDE 93

Top Zero-Day Vulnerabilities

slide-94
SLIDE 94

Top Zero-Day Vulnerabilities

slide-95
SLIDE 95

http tps: s://Mobil bileBackend.vet

slide-96
SLIDE 96

What’s Next?

NOTIFICATION WORKING WITH 3RD PARTY LIBRARIES IMPACT ON APP USERS

slide-97
SLIDE 97

Related Work

  • Backes et al., “Reliable third-party library detection in android and its security applications,” ACM CCS, Oct.

2016.

  • Arzt et al., “Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for

android apps,” ACM SIGPLAN PLDI, 2014.

  • You et al., “Semfuzz: Semantics-based automatic generation of proof-of-concept exploits,” ACM CCS, 2017.
  • Durumeric et al., “Zmap: Fast internet-wide scanning and its security applications.,” USENIX Security, 2013.
  • Li et al., “You‘ve got vulnerability: Exploring effective vulnerability notifications,” USENIX Security, 2016.
  • Durumeric et al., “The matter of heartbleed,” IMC, 2014
  • Ristenpart et al., “Hey, you, get off of my cloud: Exploring information leakage in third-party compute

clouds,” ACM CCS, 2009.

  • Sun et al., “Pileus: Protecting user resources from vulnerable cloud services,” ACSAC, 2016.
  • Durumeric et al., “Analysis of the https certificate ecosystem,” IMC, 2013.
  • Fernandes et al., “Security analysis of emerging smart home applications,” IEEE S&P, May 2016.
slide-98
SLIDE 98

Thank you – Questions?

Omar Alrawi alrawi@gatech.edu https://alrawi.io

slide-99
SLIDE 99

Recommendation

  • Delegate
  • Use reputable 3rd party

services

  • Dedicate
  • Time and personal to secure

development

  • Develop
  • A plan to for incidents: backup

data, backup providers, etc.

  • Defense
  • Use WAFs and CDNs

PROPERLY!

slide-100
SLIDE 100

Unknown Category

  • Backend domains with different effective second-level domain
  • Missing registration information
  • Privacy WHOIS
  • IP address show up as delegated
  • IP address in collocation facility, but maybe hosting reseller
  • CDNs fronted (can overcome with pDNS)