web communication security in android...
TRANSCRIPT
Web Communication Analysis
of Android Applications
Master Thesis - Final Presentation
Marc-Andrea Tarnutzer
09.04.2019
Android75%
iOS23%
KaiOS1%
Others1%
Networked Appified World
2
Web Communication
3
Response
Requesthttps://www.admob.com/
Response
Request
http://api.snapchat.com/
Research Questions
RQ1) Prevalent web communication frameworks?
RQ2) Transmitted data?
RQ3) Differences open-source vs closed-source apps?
RQ4) Web server configurations?
4
Web Communication
Background
Application Programming Interface (API)
6
Request
Response
API endpoint
(server)
Application server(s)
Client-Server Architecture
Stateless Cacheable
Code on demand
Layered System
Uniform interfaces
REpresentational State Transfer (REST)
7
Data Schemes
8
Common HTTP Request Methods
Retrieve resource
Create resource
Replace resource
Modify resource
Delete resource
9
www.example.com/api/user?id=42
HTTP body: { "id": 42, "name": "Bob Smith”, … }
HTTP body: {"id": 42, "name": ”Adam Smith”, … }
www.example.com/api/user?id=42
HTTP body: { "age": 33 }
Simplified HTTP
Request
10Request Response
1
3
2
Request line1
2
3
Request headers
Request message body
4
5
6
Server status4
5
6
Response headers
Response message body
RQ1:
Which are the prevalent web
communication frameworks
used in mobile apps?
11
Gsongithub.com/google/gson
org.jsonIncluded in Android
Moshigithub.com/square/moshi
AndroidHttpClient
AsyncHttpClient
(loopj)
Ion
Found Web Communication Facilities
(manual analysis of 160 apps)
12
HTTP libraries JSON libraries
REST Library Support
13without REST library with REST library
JSON Library Support
14without JSON library with JSON library
Jandrolyzer
Introduction
Retrofit
OkHttp
Java.netJandrolyzer
16
Decompilation
API calls
Sink method
detectionSample
Generation
Gradle Parsing
Gson
Moshi
org.json
Endpoint
extraction
JSON extraction
Analysis Step 1 / 7: Decompilation
17
Analysis Step 2 / 7: Gradle Parsing
18
Analysis Step 3 / 7: Sink method detection
19
com.koushikdutta.ion.builder.LoadBuilder
Analysis Step 4 / 7: Endpoint Extraction
20
http://retrofiturl.com/api/loadUser/<INTEGER>
http://oldapi.com/api/loadNewsFromOldAPI
http://retrofiturl.com/api/loadUsers
http://retrofiturl.com/api/createUser
interface implementation interface declaration
Analysis Step 5 / 7: JSON Extraction
21
Analysis Step 6 / 7: Sample Generation
22
Jaro-Winkler similarity: 0.8944…
extracted URLs & JSON extracted variables
final result
Analysis Step 7 / 7: API Calls
23
RQ2:
What data do mobile apps transmit
through web communication
channels?
RQ3:
What are the differences between
open-source and closed-source apps
in regard to web communication? 24
Jandrolyzer
Results
Analysis
26
431open-source
applications
889closed-source
applications
Top Query and JSON Keys
27
0 50 100 150 200 250 300 350
id
category
setting
sel_start
expression
sel_end
precise
type
q
name
# occurences
qu
erie
s o
r JS
ON
key
s
0 20 40 60 80 100 120
id
event
type
value
valueType
enumType
<STRING>
what
session_id
js
# occurences
qu
erie
s o
r JS
ON
key
s
# occurrences # occurrences
open-source projects closed-source projects
Library Usage
28
0 20 40 60 80 100 120
java.net.URLConnection
java.net.HttpURLConnection
java.net.Socket
javax.net.ssl.HttpsURLConnection
com.squareup.okhttp3
com.squareup.retrofit
org.apache.httpcomponents
com.github.bumptech.glide
com.android.volley
com.koushikdutta.ion
# occurrences
net
work
lib
rari
es
0 20 40 60 80 100 120
java.net.URLConnection
java.net.HttpURLConnection
java.net.Socket
javax.net.ssl.HttpsURLConnection
com.github.bumptech.glide
com.squareup.retrofit
com.squareup.okhttp
com.squareup.okhttp3
org.apache.httpcomponents
com.loopj.android
# occurrences
net
work
lib
rari
es
open-source projects closed-source projects
# occurrences # occurrences
JSON Types and URL Schemes
0 200 400 600 800 1000 1200 1400
STRING (JSON type)
NUMBER (JSON type)
BOOLEAN (JSON type)
NULL (JSON type)
https:// (URL scheme)
http:// (URL scheme)
# occurrences
JSO
N t
ypes
and
UR
L s
chem
es
0 200 400 600 800 1000 1200 1400 1600 1800
STRING (JSON type)
BOOLEAN (JSON type)
NUMBER (JSON type)
NULL (JSON type)
http:// (URL scheme)
https:// (URL scheme)
# occurrences
JSO
N t
yp
es a
nd U
RL
sch
emes
29# occurrences # occurrences
open-source projects closed-source projects
RQ4:
What configurations apply to
API endpoint servers found
in the wild?
30
Endpoint Server Analysis – What We Found
Outdated server software with known security vulnerabilities
(web server daemons, language parsers & interpreters)
Web views using HTTP protocol
(unprotected communication)
Disclosures of server configuration
(internal error message leaks, …)
Hardcoded sensitive information
(API keys and other credentials)
31
Freely accessible APIs
(which are intended for private use)
Shell commands in request body (!)
(does not need any further explanations)
Jandrolyzer
Demo
Future Work
Jandrolyzer improvements
more {speed, library support, strategies}
More comprehensive static analyses
more applications, security-related investigations
More comprehensive dynamic analyses
accurate server assessments (OS, web server, programming languages)
+ server port testing (by using default passwords)
33
Conclusions
Decompilation with JADX (great tool, obfuscation, etc.)
JavaParser (great tool, memory problems, symbol resolving bugs, etc.)
Open-source vs. closed-source apps (transmitted data, libraries, security, ads)
Outdated software in the wild
Implementation variations
34
35