“A Study of Application Sandbox Policies in Linux” accepted at SACMAT 2022

I’m pleased to share that our paper, “A Study of Application Sandbox Policies in Linux,” will appear at SACMAT 2022 in June. In this work, WSPR PhD student Trevor Dunlap, in collaboration with his co-advisors Will Enck and myself, examines the brave new world of Linux desktop application distribution: Flatpak and Snap. These competing platforms are already used by millions and will likely become the de facto method of distributing apps on Linux going forward, complementing if not replacing traditional package managers like apt and yum. Our paper examines the sandbox policies of these systems, finding that package maintainers seem to be doing their level best to implement least-privilege policies but occasionally get it wrong, leading to broken functionality or to opportunities for compromise. More details soon!

Resources to Get Started with Android App Security

Around 2015 I found myself training a number of junior researchers in how to analyze Android Apps. I developed this guide with pointers to books and resources. This guide, and/or the books that it points to, may be well out of date at this point. I share it here in case someone finds it useful.

I recommend using the following sources as references. First, lightly skim the recommended topics to get a sense of what is going on. The idea is not to become an expert; it’s to figure out what questions to ask, and where to find answers. You can refer back to these resources as you work and fill in gaps in your knowledge.

Books:

Click the link for full bib info.

Dalvik References:

Dalvik is the register-based virtual machine that Android apps are compiled for: Java source is compiled to JVM class files and then translated into Dalvik bytecode, which ships in the app’s classes.dex file. Since Android 5.0 the runtime is ART rather than Dalvik, but it executes the same DEX bytecode, so these references still apply. The human-readable assembler syntax for Dalvik bytecode is called “smali,” after the smali/baksmali assembler and disassembler. You will find the following references helpful.

  • http://source.android.com/devices/tech/dalvik/dalvik-bytecode.html
  • http://davidehringer.com/software/android/The_Dalvik_Virtual_Machine.pdf
  • http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
  • https://code.google.com/p/smali/wiki/Registers
  • https://code.google.com/p/smali/wiki/TypesMethodsAndFields

Helpful Papers:

  • Enck et al., “A Study of Android Application Security,” USENIX Security 2011. PDF
  • Reaves et al. “Mo(bile) Money, Mo(bile) Problems: Analysis of Branchless Banking Applications in the Developing World,” USENIX Security 2015. PDF
  • Wei et al., “Amandroid: A Precise and General Inter-component Data Flow Analysis Framework for Security Vetting of Android Apps.” ACM TOPS 2018. PDF

Useful Tools:

  • APKtool: Swiss army knife for manipulating an application package (.apk file)
  • smalidea: Smali plugin for IntelliJ IDEA/Android Studio. Haven’t used, but looks neat.
  • dex2jar: Converts a DEX file (Dalvik bytecode) into a JAR of Java class files (JVM bytecode), so that Java decompilers and analysis tools can be run on Android apps. The translation is lossy and can fail on obfuscated or unusual code, so when the decompiled Java looks wrong, treat the smali produced by APKtool as the ground truth.
  • JEB: Commercial tool for reverse engineering Android Apps. Worth the cost for any involved or sophisticated analysis.
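The Dalvik bytecode references above and the dex2jar entry both revolve around the DEX container, and a common first stumble is a classes.dex that the tools or the runtime reject because its integrity fields are stale after a manual patch. The following script is an added example for this guide, not code from apktool, dex2jar or the Android tool chain: it parses the 0x70-byte DEX header, checks the Adler-32 checksum and SHA-1 signature the format prescribes, and recomputes them after an edit. The sample DEX it builds is constructed inline (header only, no classes) so the script runs offline; pass a real classes.dex path on the command line to inspect an unzipped APK.

```python
"""Parse and integrity-check the header of a DEX (Dalvik Executable) file.

Added example for this guide; not part of apktool, dex2jar or the Android
tool chain. The sample DEX below is constructed inline (header only, no
classes) so the script runs offline; point parse_dex() at a real
classes.dex from an unzipped APK to inspect it.
"""
import hashlib
import struct
import zlib

HEADER_LEN = 0x70
ENDIAN_CONSTANT = 0x12345678
REVERSE_ENDIAN_CONSTANT = 0x78563412

# Names of the twenty little-endian uint32 fields that follow the 8-byte
# magic, the 4-byte Adler-32 checksum and the 20-byte SHA-1 signature.
_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
)


def dex_checksum(data: bytes) -> int:
    """Adler-32 over everything except the magic and the checksum itself."""
    return zlib.adler32(data[12:]) & 0xFFFFFFFF


def dex_signature(data: bytes) -> bytes:
    """SHA-1 over everything except the magic, checksum and signature."""
    return hashlib.sha1(data[32:]).digest()


def parse_dex(data: bytes) -> dict:
    """Return the header fields plus whether checksum, signature and size verify.

    Raises ValueError for input that is too short or does not carry DEX magic.
    """
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than a DEX header")
    magic = data[:8]
    if not (magic.startswith(b"dex\n") and magic[7] == 0):
        raise ValueError("bad DEX magic: %r" % magic)
    version = magic[4:7].decode("ascii")
    (stored_checksum,) = struct.unpack_from("<I", data, 8)
    stored_signature = data[12:32]
    header = dict(zip(_FIELDS, struct.unpack_from("<20I", data, 32)))
    if header["endian_tag"] not in (ENDIAN_CONSTANT, REVERSE_ENDIAN_CONSTANT):
        raise ValueError("unrecognised endian_tag 0x%08x" % header["endian_tag"])
    header.update(
        version=version,
        checksum_ok=stored_checksum == dex_checksum(data),
        signature_ok=stored_signature == dex_signature(data),
        file_size_ok=header["file_size"] == len(data),
    )
    return header


def fix_checksums(data: bytes) -> bytes:
    """Recompute the signature and then the checksum after editing a DEX.

    Order matters: the checksum covers the signature field, so the
    signature must be written first.
    """
    data = data[:12] + dex_signature(data) + data[32:]
    return data[:8] + struct.pack("<I", dex_checksum(data)) + data[12:]


def build_minimal_dex(version: bytes = b"035") -> bytes:
    """Constructed sample: a header-only DEX (no map list, no classes)."""
    body = struct.pack(
        "<20I",
        HEADER_LEN, HEADER_LEN, ENDIAN_CONSTANT,  # file_size, header_size, endian_tag
        0, 0, 0,                                  # link_size, link_off, map_off
        0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,       # every id table empty
        0, 0,                                     # data_size, data_off
    )
    magic = b"dex\n" + version + b"\0"
    return fix_checksums(magic + b"\0" * 24 + body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_minimal_dex()
    for key, value in parse_dex(blob).items():
        print("%-16s %s" % (key, hex(value) if isinstance(value, int) else value))
```

Running it on a classes.dex pulled out of an APK gives you the table counts (how many strings, methods and classes the file declares) before you reach for a disassembler, and a checksum_ok of False is the first thing to look for when a hand-patched DEX will not load, since the runtime’s DEX verifier checks the Adler-32 field.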


“Investigating web service account remediation advice” to appear at SOUPS 21

WSPR PhD student Lorenzo Neil will present his first first-author paper, titled “Investigating web service account remediation advice,” at the 2021 Symposium on Usable Privacy and Security (SOUPS). Lorenzo was assisted by Elijah Bouma-Sims, a WSPR undergraduate now in the PhD program at CMU, NC State undergraduate Evan Lafontaine, Dr. Yasemin Acar, and myself.

Abstract:

Online web services are susceptible to account compromises where adversaries gain access to a user’s account. Once compromised, an account must be restored to its pre-compromise state in a process we term “account remediation.” Account remediation is a technically complex process that in most cases is left to the user, though some web services provide guidance to users through help documentation. The quality of this account remediation advice is of paramount importance in assisting victims of account compromise, yet it is unclear if this advice is complete or suitable. In this paper, we analyze account remediation advice from 57 popular U.S.-based web services. We identify five key phases of account remediation, use this five-phase model to develop a codebook of account remediation advice, then analyze topic coverage. We find that only 39% of the web services studied provided advice for all phases of account remediation. We also find that highly-ranked websites and sites with a previously disclosed data breach have more complete coverage than other sites. Our findings show that account remediation should be more carefully and systematically considered by service providers, security researchers, and consumer advocates, and our detailed analysis will aid in creating better guidelines for users and services.

You can find more about the paper here.