Mobile Systems and Smartphone Security�(MOBISEC)

Prof: Yanick Fratantonio�EURECOM

1

Big Recap & The Future

We. Are. Done.

• ~800 slides
• 47 Android apps / 8.5K LoC
• ~3K LoC for the website / analysis system
• 5300+ APK submissions
• Many weekends completely destroyed :-)

2

Main goals I had in mind

• Be able to take an APK, unpack it, reverse it, and understand what it's doing, find, & exploit bugs
• Cover *all* architectural and security features of apps and Android framework itself (and a bit of iOS)
• Main point: "Why did Google add feature X??"
• Overview on mobile security ecosystem, malware analysis & detection, vuln finding, exploitation, prevention, UI security, program analysis, evasion, ...

3

Don't give up!

• If you have finished all/most of the tasks:
• Good job, I'm impressed

​

• If you did not finish all your tasks...
• ... because you didn't care ⇒ :-(
• ... because you didn't have time / too many skills to acquire
• Don't give up! You can do this, it's not rocket science
• If you like it, stick to it and you can become an expert on these things + have fun

4

From MOBISEC to the "real world"

• Believe it or not, we have covered all the skills required to be "mobile security researchers" in the "real world"
• Comparison: what we have seen vs. "real world"
• Apps are often easier to reverse than some of hw3's apps
• RW apps have much more code, more complex in terms of structure
• Reversing is not necessarily more difficult, but it can be more tedious
• Classes of bugs we have seen are very realistic
• fortnite & keyboard tasks from hw4 are from real-world cases
• Real apps may use some unknown-to-you Android APIs
• You are ready: I've never mentioned many APIs that appeared in some of the tasks!
• Maybe the biggest difference: some apps may use native code

5

A look to the future

• Current research trends

​

• How to stay updated

6

Current research trends

• Malware detection, classification, clustering
• Still an unsolved problem
• Evasion/obfuscation is still effective

​

• App analysis
• More sophisticated / transparent program instrumentation techniques

​

• Vulnerability detection / patching
• Many bugs are fixed every month ⇒ we are still far from "finding them all"
• Find new classes of vulnerabilities, "design problems"

​

• Repackaging detection is particularly important

7

Current research trends

• Enabling mobile devices to do "more"
• Mobile driving licence, mobile identification
• E-voting
• Control of medical devices

​

• Android outside mobile devices
• Android Auto, Things (for Iot), TV, Watch, ...

​

• We need better guarantees
• One key problem: we currently don't have a fully Trusted UI

8

Current research trends

• Android may (?) soon be replaced

​

• Google is developing a new OS, Fuchsia
• The project became public when it appeared on github, no official announcement
• To date, Google has never issued an official statement
• It is NOT based on Linux -- they wrote an OS from scratch
• It is known that it will support Android apps / APKs
• Different security model?

9

How to keep yourself updated

• Follow what the research community does
• Both academia (e.g., universities) and industry contribute significantly
• Check the accepted papers / talks at academic/industry conferences

​

• Academic conferences
• IEEE S&P, ACM CCS, USENIX Security, NDSS, RAID, ACSAC, DIMVA, and many others

​

• Industry conferences
• Black Hat USA / EU / Asia, DEFCON, RSA, Infiltrate, recon, CCC, offensivecon, ...

10

How to keep yourself updated

• Find good researchers and check their website / follow them on twitter / check their blogs

​

• Monitor blogs of security companies working in the area
• ESET, AVAST, Trend Micro, Kaspersky, checkpoint, Threat Fabric, NowSecure, Google security blog (examples: 1, 2)
• Android "Year in Review" reports, Android monthly security bulletins

​

• Follow important competitions that showcase exploits
• pwn2own, mobile pwn2own, ...
• For these competitions, participants need to find full chains of previously unknown vulns (aka 0days) in a number of targets

11

How to keep yourself updated

• Monitor related subreddits
• https://www.reddit.com/r/andSec/
• https://www.reddit.com/r/netsec/
• Not focused on Android, but it's a big one on information security

​

• Monitor news outlets that cover security stuff
• Ars Technica, ZDNet, The Hacker News, slashdot (tech-related, not only security), Threat Post, ...
• I use "feedly" app to keep track of stuff

12

How to keep yourself updated

• Book suggestions
• Android Hacker's Handbook
• A bit outdated, but it's good to skim through and dig in when interesting
• Many details about native code / ARM vuln detection / exploitation
• Android Security Internals: An In-Depth Guide to Android's Security Architecture
• Android Internals: A Confectioner's Cookbook
• New version is coming up!
• iOS Hacker's Handbook
• Same comment as for AHH
• iOS Application Security

13

Thank you all!

• I spent crazy amount of time for preparing this class

​

• Absolutely worth it, I really enjoyed it -- I hope you did too!

​

• Thanks for your patience & best of luck with the exams!

14