Abstract: Android is the most used operating system and thus, ensuring security for its applications is an essential task. Securing an application consists in preventing potential attackers to divert the normal behavior of the targeted application. In particular, the attacker may take advantage of vulnerabilities left by the developer in the code and also tries to steal intellectual property of existing applications. To slow down the work of attackers who try to reverse the logic of a released application, developers are incited to track potential vulnerabilities and to introduce countermeasures in the code. Among the possible countermeasures, the obfuscation of the code is a technique that hides the real intent of the developer by making the code unavailable to an adversary using a reverse engineering tool. With the growing amount of malware and applications carrying sensitive information, obfuscating the code and searching vulnerabilities becomes essential.
This thesis presents the impact of native code on both reverse-engineering and vulnerability finding applied to Android applications. First, by listing the possible interferences between assembly and bytecode, we highlight new obfuscation techniques and software vulnerabilities. Then, we propose new analysis techniques combining static and dynamic analysis blocks, such as taint tracking or system monitoring, to observe the code behaviors that have been obfuscated or to reveal new vulnerabilities. These two objectives have led us to develop two new tools. The first one spots a specific vulnerability that comes from inconsistently mixing native and Java data. The second one extracts the object level behavior of an application, regardless of whether this application contains native code, embedded for obfuscation purposes. Finally, we implemented these new methods and conducted experimental evaluations. In particular, we automatically found a vulnerability in the Android SSL library and we analyzed several Android firmware to detect usage of a specific class of obfuscation.

Abstract: Obfuscation techniques help developers to hide their code when distributing an Android application. The used techniques are linked to the features provided by the programming language but also with the way the application is executed. Using obfuscation is now a common practice and specialized companies sell tools or services for automatizing the manipulation of the source code. In this paper, we present how to develop obfuscated applications and how obfuscation technique usage is evolving in the wild. First, using advanced obfuscation techniques requires some advanced knowledge about the development of Android applications. We describe how to build such applications for helping researchers to generate samples of obfuscated applications for their own research. Second, the use of obfuscation techniques is evolving for both regular applications or malicious ones. We aim at measuring the development of these usages by studying application and malware samples and the artifacts that indicate the use of obfuscation techniques.

Conference: 3^rd Central European Cybersecurity Conference

Abstract: Since Android became the first smartphone operating system, malware developers have put large efforts to craft new threats uploaded to the Google Play store and other third market places. Companies and researchers now include in their activities the analysis of malware targeting smartphones. Most of the time, the problem that is addressed consists in deciding if an application should be considered as a malware or not. Nevertheless, once a malware is tagged as a malicious application, users that have been infected ask for more technical explanations about the threat they have been exposed to. Dissecting a malware requires a lot of efforts for a security analyst to be conducted and companies are in demand of new tools for automatizing the analysis.

Conference: International Conference on High Performance Computing & Simulation

Abstract:Native code is now commonplace within Android app packages where it co-exists and interacts with Dex bytecode through the Java Native Interface to deliver rich app functionalities. Yet, state-of-the-art static analysis approaches have mostly overlooked the presence of such native code, which, however, may implement some key sensitive, or even malicious, parts of the app behavior. This limitation of the state of the art is a severe threat to validity in a large range of static analyses that do not have a complete view of the executable code in apps. To address this issue, we propose a new advance in the ambitious research direction of building a unified model of all code in Android apps. The JUCIFY approach presented in this paper is a significant step towards such a model, where we extract and merge call graphs of native code and bytecode to make the final model readily-usable by a common Android analysis framework: in our implementation, JUCIFY builds on the Soot internal intermediate representation. We performed empirical investigations to highlight how, without the unified model, a significant amount of Java methods called from the native code are “unreachable” in apps' callgraphs, both in goodware and malware. Using JUCIFY, we were able to enable static analyzers to reveal cases where malware relied on native code to hide invocation of payment library code or of other sensitive code in the Android framework. Additionally, JUCIFY'S model enables state-of-the-art tools to achieve better precision and recall in detecting data leaks through native code. Finally, we show that by using JUCIFY we can find sensitive data leaks that pass through native code.

Conference: 44^th IEEE/ACM International Conference on Software Engineering (ICSE)

Abstract:Verifying Android applications' source code is essential to ensure users' security. Due to its complex architecture, Android has specific attack surfaces which the community has to investigate in order to discover new vulnerabilities and prevent as much as possible malicious exploitations. Communication mechanisms are one of the Android components that should be carefully checked and analyzed to avoid data leakage or code injections. Android software components can communicate together using serialization processes. Developers need thereby to indicate manually the transient keyword whenever an object field should not be part of the serialization. In particular, field values encoding memory addresses can leave severe vulnerabilities inside applications if they are not explicitly declared transient.
In this study, we propose a novel methodology for automatically detecting, at compilation time, all missing transient keywords directly from Android applications' source code. Our method is based on taint analysis and its implementation provides developers with a useful tool which they might use to improve their code bases. Furthermore, we evaluate our method on a cryptography library as well as on the Telegram application for real world validation. Our approach is able to retrieve previously found vulnerabilities, and, in addition, we find non-exploitable flows hidden within Telegram's code base.

Conference: 36^th ACM/SIGAPP Symposium on Applied Computing (SAC)

Track: Computer Security (SEC)

Abstract: A malicious Android application often consists of a benign part which is the body of the application, and a malicious part that is added later, by repackaging. Fast and efficient analysis of Android malware depends on the analyst's ability to quickly locate malicious code and have aclear representation of it. To do this, the analysis tools must allow the suspicious code to be quickly located and isolated from the rest of the application. In this article, we propose in a first part to synthesize recent works from the literature and to refresh older research works in order to highlight the discriminating characteristics of malicious code. Then, we propose a heuristic to reveal the suspicious methods of an Android application by static analysis. Finally, we discuss an algorithm to recover the malicious graft. This graft should contain the methods considered suspicious as well as the code calling these suspicious methods.

Conference: 14^th International Conference on Malicious and Unwanted Software

Abstract: At present, computer science studies generally offer courses addressing mobile development and they use mobile technologies for illustrating theoretical concepts such as operating system, design patterns, and compilation because Android and iOS use a large variety of technologies for developing applications. Teaching courses on security is also becoming an important concern for academics, and the use of mobile platforms (such as Android) as supporting material is becoming a reasonable option. In this paper, we intend to bridge a gap in the literature by reversing this paradigm: Android is not only an opportunity to learn security concepts but requires strong pedagogical efforts for covering all the aspects of mobile security. Thus, we propose teaching Android mobile security through a two-dimensional approach. The first dimension addresses the cognitive process of the Bloom taxonomy, and the second dimension addresses the technical layers of the architecture of the Android operating system. We describe a set of comprehensive security laboratory courses covering various concepts, ranging from the application development perspective to a deep investigation of the Android Open Source Project and its interaction with the Linux kernel. We evaluated this approach, and our results verify that the designed security labs impart the required knowledge to the students.

Conference: 50^th ACM Technical Symposium on Computer Science Education

Abstract: Le nombre d'applications malveillantes Android grandissant, de nombreux systèmes de détection et d'analyse ont été développés. Pour contrer ces méthodes, les malware se sont tournés vers des techniques de dissimulation. L'une d'entre-elles, le "packing", a pour but d'empêcher l'analyse statique du bytecode de l'application en le chiffrant. Cet article présente un état de l'art des différentes techniques existantes pour détecter l'utilisation d'une telle protection ainsi que des méthodes permettant d'obtenir le code original de l'application.

Conference: Rendez-Vous de la Recherche et de l'Enseignement de la Sécurité des Systèmes d'Information

Track: Session doctorants

Abstract: Studying Android obfuscation techniques is an essential task for understanding and analyzing malicious applications. Obfuscation techniques have already been extensively studied for market applications but never for pre-compiled applications used in smartphone firmwares. In this paper, we describe two new obfuscation techniques that take advantage of the duality between assembly and Dalvik bytecode and, as far as we know, have never been described before. We also propose detection methods for these obfuscation techniques. We apply them to vendor firmwares and market applications in order to evaluate their usage in the wild. We found that even if they do not seem to be already used in the wild, they are fully practical.

Conference: IEEE European Symposium on Security and Privacy Workshops

Track: Workshop on Software Attacks and Defenses

Abstract: Experimenting with Android malware requires to manipulate a large amount of samples and to chain multiple analyses. Scripting such a sequence of analyses on a large malware dataset becomes a challenge: the analysis has to handle fails on the computer and crashes on the used smartphone, in case of dynamic analyses. We present a new tool, PyMaO, for handling such experiments on a regular desktop PC with the highest performance throughput. PyMaO helps to write sequences of analyses and handle partial experiments that should be restarted after a crash or continued with new unknown analyses. The tool also offers a post processing capability for generating number tables or bar graphs from the analyzed datasets.

Conference: IEEE 27^th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems

Track: Demos