1. Avoiding the Pandora Pitfall: Secure Coding Practices for Android Application Privacy
Tyler Shields, Veracode Research
November 3, 2011
2. Mobile Security Landscape
Privacy Implications
Case Studies
Q&A
(Timeline: START, 1, 2, 3, 4, END)
3. Risk - noun \ˈrisk\
The possibility of loss or injury
4. PC Sensitive Data
Financial data
Corporate data
Computing power
Email
Contact List
Photos
…
Call Logs
Video Images
MMS
SMS
5. Mobile Mitigations
Patch methodology
Process isolation
Reasonable permission model
Some disk encryption
Code signatures
…
DEP
Anti-Virus
6. 10.9 billion mobile apps downloaded in 2010, according to IDC
Expected to rise to 76.9 billion apps by 2014
7. Part 1: Malicious Code
Activity monitoring and data retrieval
Unauthorized dialing, SMS, and payments
Unauthorized network connectivity (exfiltration or command & control)
UI impersonation
System modification (rootkit, APN proxy config)
Logic or time bomb
8. Part 2: Code Vulnerabilities
Sensitive data leakage (inadvertent or side channel)
Unsafe sensitive data storage
Unsafe sensitive data transmission
Hardcoded password/keys
12. Google Calendar: appointment data transmitted in clear text
Official Facebook application: transmitted everything except password in clear text
Photos, private messages, wall posts, etc.
Even with Web-SSL Enabled
13. Or better yet…
Just disable cert checking altogether!
As Seen In The WILD!
18. WSJ Breaks Story on Pandora Investigation
“Federal prosecutors in New Jersey are investigating whether numerous smartphone applications illegally obtained or transmitted information about their users without proper disclosures”
19. Static Analysis
No program execution
Full coverage of binary or source
Wider range of bug discovery
Not limited by runtime data
-- JD-GUI
-- Veracode Engine
27. Permissions
Phone Calls
• Read Phone State and Identity
System Tools
• Modify Global System Settings
• Prevent Device From Sleeping
• Bluetooth Administration
• Change Wi-Fi State
• Change Network Connectivity
• Automatically Start at Boot
Network Communication
• Full Internet Access
• Create Bluetooth Connections
• View Network State
• View Wi-Fi State
Your Personal Information
• Read Contact Data
• Add or Modify Calendar Events and Send Email To Guests
https://market.android.com/details?id=com.pandora.android&feature=search_result – 4/25/2011
28. Just a bit deeper…
Google purchases AdMob for $750 million. Closed May 2010
29. ESPN, CBS Interactive, Geico, Starbucks…
100,000 – 500,000 installations
Permissions:
• FINE (GPS) LOCATION
• COARSE (NETWORK-BASED) LOCATION
• FULL INTERNET ACCESS
5,000,000 – 10,000,000 installations
Permissions:
• RECORD AUDIO
• CHANGE YOUR AUDIO SETTINGS
• FINE (GPS) LOCATION
• COARSE (NETWORK-BASED) LOCATION
• FULL INTERNET ACCESS
• MODIFY/DELETE USB STORAGE CONTENTS MODIFY/DELETE SD CARD CONTENTS
• PREVENT DEVICE FROM SLEEPING
Permissions retrieved from official Android Marketplace on 4/25/2011
34. Here are Some Numbers…
53,000 - # Of Applications Analyzed
~48,000 Android Market
~5,000 3rd Party Markets
3 Average Number of Permissions Requested
117 Most Requested for Single Application
Permissions Requested
24% GPS information (11,929)
8% Read Contacts (3,626)
4% Send SMS (1,693)
3% Receive SMS (1262)
2% Record Audio (1100)
2% Read SMS (832)
1% Process Outgoing Calls (323)
.5% Use Credentials (248)
35. And Even More Numbers…
Total Third Party Libraries: ~83,000
Top Shared Libraries
38% com.admob (18,426 apps)
8% org.apache (3,684 apps)
6% com.google.android (2,838 apps)
6% com.google.ads (2,779 apps)
6% com.flurry (2,762 apps)
4% com.mobclix (2,055 apps)
4% com.millennialmedia (1,758 apps)
4% com.facebook (1,707 apps)
36. Code Reuse
Most Code Is Reused
Outsourcing
Outsourced
3rd Party Libraries (with source)
3rd Party Libraries (binary format)
Third Party Libraries
Nobody really knows what their code does!
37. Risk Transference
Your code
Your libraries
Outsourced code
3rd party libraries
Purchased code
COTS code
Contract your vendors to do the same
I’ll Accept that Risk!
Pass it on over..
38. Summary
Tyler Shields @txs
tshields@veracode.com
txs@donkeyonawaffle.org
Mobile Security Landscape
• Mobile Applications Are High Risk
• Malicious Mobile Code
• Mobile Coding Flaws
Case Studies
• No Hardcoded Passwords
• Encrypt Data In Transit
• Secure Data At Rest
• Analyze Security of ALL Code (Includes Code Reuse)
Privacy
• Only Take What You Need
• Be Honest With Your Users
• Be Wary of Risk Transference