ON THE SECURITY OF ANDROID COMMUNICATION APPS

September 2015

ByShasi Pokharel

Bachelor Of Information Technology (Honours)

Supervisors: Dr. Raymond Choo,

Dr. Jixue Liu

Why Android:

Share of Total Smartphone Market: 82.8% iOS: 13.9% (up to Quarter 2, 2015; Source: idc.com)

Number of Apps in Google Play: 1.6 million App Store: 1.5 million (up to July, 2015; Source: statista.com)

Share of Mobile attack Target: 99% - as January, 2014; Source: Kaspersky Lab

Focus:

Study popular Android communication apps

An adversary model

Case study apps

Communication Apps:VoIP Apps: Growing popularity Free app to app call, Cheaper app to

phone call Voice Call, Video Call, Conference Call,

Text messages Cross-Platform

Mobile Browsers Application to browse web pages in

Mobile

VoIP Communication

Encoding/Decoding : Analog Voice > Digital data > Analog Voice

Characteristics of Codecs Bit rate (Kbps) Sample Size (Byte) Sample Interval (ms) Packet Per second (PPS)

Constant Bit Rate (CBR) or Variable Bit Rate(VBR)

Proprietary Codecs

Parts of VoIP Communication

Signalling Control Session (SIP) Session establishment Codec negotiation

RTP session Voice data transfer

Identify Codec from intercepted packets

If Signalling Control Session is not encrypted.

VoIP communication security

EncryptionSignalling Control Session EncryptionRTP packets Encryption

Proprietary Codec

Identify Codec from intercepted packets

If Signalling Control Session is encrypted:

Calculate bit rate for each seconds from RTP payloadIf (bitrate is constant)

Constant Bit rate(CBR) codec is used Select matching or closest bitrate codecs

If (bitrate is dynamic) Variable Bit rate (VBR) codec is used Select “opus” decoder tool for decoding

Formula 1: Calculate Bit rate from RTP payload

Input S = Sequence of RTP Packets

Output b = Bit rate of RTP Packets

Do:

Let S1 be the packets per second in S.

If the header of s[0] contains PT, then

Else:

Identify Codec from intercepted packets

Analyze intercepted

traffic in Wireshark

SIP has readable SDP section?

If PT value is readable

Calculate bit rate using Formula 1

Bit rate = 0?

Identify list of possible codecs

Encrypted media (cannot be decoded)

Encrypted media (cannot be decoded)

Get Codec from SDP.rtpmap

filtered by RTP.PT

Bit rate constant?

Check PT value in RTP header

Check Bit rate for multiple seconds

Return Codec(s)

NoYes

YesNo

Yes

No

Yes

Try(codec = “opus”)

No

Decoder Tools

For CBR codec: RTP to wave decoders are freely available:

G.711, G.722, GSM : decoded by CloudShark G.729, ILBC : decoder tool available for download

For VBR: we created a java applications Takes each RTP packet from captured file Decodes using official native libraries Add header for linear wave sound Save as wave file

Result

Part 2: Mobile BrowserLightweight Browsers: Faster for web page loading Growing popularity Limited Plugins

Selected Browsers for Experiment

Browser Cache

Saves web resources when downloaded for the first time

Are loaded to the browser, when user access the same site

Contain: HTML file, CSS, JavaScript and media files

Android File System for applications

• Internal Storage: MODE_PRIVATE; accessible only by creator application, by default

• External Storage: Accessible to all applications

Cache Storage of the browsers

Dolphin: Cache resources: /sdcard/TunnyBrowser/Cache/webViewCache Screenshots of tabs: /sdcard/TunnyBrowser/Cache/tablist_cache Speed dial URLs: /sdcard/TunnyBrowser/Cache/speeddial_covers

UC Browser: Cache resources: sdcard/UCDownloads/cache/com.UCMobile.inti/ Data Traffic detail: /sdcard/UCDownloads/config/TrafficStats.db Detailed browsing data:

/sdcard/UCDownloads/offline/ApplicationCache.db

Cache Storage of the browsers

Samsung Stock Browser: Cache resources: /data/data/com.sec.android.app.sbrowser/cache/Cache/ Screenshots :

/data/data/com.sec.android.app.sbrowser/files/thumbnail.bmp1 (Permission: Mode 644)

CM Browser: Cache Resources:

/data/data/com.ksmobile.cb/app_webview/Cache Browser History: /sdcard/CheetahBrowser/.data/

Why use External storage ?

• Larger Cache storage Capability

• Avoid risk of file deletion by System

Proposed adversary model

Adversary Capability: Install application in user’s device

Goals: Know URLs visited by user Know searched items : searched by user Know the content of the webpage, visited by user

Application

User Permission required: WRITE_EXTERNAL_STORAGE ACCESS_NETWORK_STATE

Permission granted by Android, without users approval READ_EXTERNAL_STORAGE INTERNET

Targeted activities of application

• Know, when user started using browser

• Copy cache files to the Internal storage

• Upload files to the server

• Change content (Poison) in cache

Work Flow of the application

Is WiFi Connected ?

UploadFile()

Yes

CopyFileToPrivateDir()NoCheck If Vulnerable Browser is Installed Yes StartCacheMonitor()

Input:OnFileAccessedEventInput:OnFileAccessedEvent Input:OnWiFiConnectedEventInput:OnWiFiConnectedEvent

Result

Video: Getting Browsed content From Samsung Stock browser.

Conclusion

Many Android users private information is at risk

Adversary can: Listen What the user is talking See what the user is Browsing

Thank You