Avoiding the Pandora Pitfall
0 likes438 views
This document summarizes key points about mobile application privacy based on an analysis of over 53,000 applications: 1) Many applications request unnecessary permissions like location tracking and SMS access without proper disclosure to users. 2) Code reuse through third party libraries introduces privacy risks as the libraries' data practices are often unknown. 3) Developers should securely store sensitive data, encrypt data in transit, analyze all reused code for flaws, and avoid hardcoded secrets to better protect user privacy.
Avoiding the Pandora Pitfall
- 1. Avoiding the Pandora Pitfall Tyler Shields Secure Coding Practices for Veracode Research Android Application Privacy November 3, 2011
- 2. Mobile Security Privacy Landscape Implications START END 1 2 3 4 Case Studies Q&A
- 3. Risk - noun `risk The possibility of loss or injury
- 4. PC Sensitive Data Financial data Corporate data Computing power Email Call L Contact List ogs! Photos … ages! MMS! Vi deo Im SMS!
- 5. Mobile Mitigations Patch methodology Process isolation Reasonable permission model Some disk encryption Code signatures … DEP! irus! Anti-V
- 6. 10.9 billion mobile apps downloaded in 2010, according to IDC Expected to rise to 76.9 billion apps by 2014
- 7. Part 1: Malicious Code Activity monitoring and data retrieval Unauthorized dialing, SMS, and payments Unauthorized network connectivity (exfiltration or command & control) UI impersonation System modification (rootkit, APN proxy config) Logic or time bomb
- 8. Part 2: Code Vulnerabilities Sensitive data leakage (inadvertent or side channel) Unsafe sensitive data storage Unsafe sensitive data transmission Hardcoded password/keys
- 9. Case Study: Hardcoded Passwords
- 10. eys! passw ord or k ed Hardcod g?! ! cut – Debuggin La zy short E!! ! – Get ALL FRE O wn one ! !
- 11. Case Study: Unsafe Data Transmission
- 12. Goo gle Tran Cale smi ndar tted ! ! in c appoint on! lear m ebook applicati text ent dat Off icial Fac rything e xcept ! a ed eve T ransmitt in clear text! d passwor ! es, privat e messag Photos, , etc! wall posts ! bled! Web- SSL Ena E ven with
- 13. ! Or better yet… er!! ! ert che cking all togeth Just disable c WILD! As Seen In The
- 14. Case Study: Unsafe Data Writes
- 15. Imp rope r Da ta S Acc ! tora Paym ount ge! ents Nu , Se mbers, cur Bil Code ity Acc l s! ess WOR ! WOR LD_ LD_ READAB WRI L TEA E! ! BLE! !
- 16. Impr oper Data Stor SQLi ! age! te3 D ataba ! se! Cont ac Chat t List! Logs ! WOR ! WOR LD_REA LD_W DA RIT BLE! EABL ! E! !
- 17. Case Study: Data Exfiltration
- 18. WSJ Breaks Story on Pandora Investigation “Federal prosecutors in New Jersey are investigating whether numerous smartphone applications illegally obtained or transmitted information about their users without proper disclosures”
- 19. ! m execution No progra ! urce! bin ary or so Full c overage of ! y! of bu g discover Wi der range ! a ! by ru ntime dat N ot limited Sta tic -- JD-GUI! Ana -- Veracode Engine! lysi s !
- 20. JD-Gui Analysis
- 26. Android Manifest Permissions ACCESS_CHECKIN_PROPERTIES DIAGNOSTIC READ_SYNC_STATS ACCESS_COARSE_LOCATION DISABLE_KEYGUARD REBOOT ACCESS_FINE_LOCATION DUMP RECEIVE_BOOT_COMPLETED ACCESS_LOCATION_EXTRA_COMMANDS EXPAND_STATUS_BAR RECEIVE_MMS ACCESS_MOCK_LOCATION FACTORY_TEST RECEIVE_SMS ACCESS_NETWORK_STATE FLASHLIGHT RECEIVE_WAP_PUSH ACCESS_SURFACE_FLINGER FORCE_BACK RECORD_AUDIO ACCESS_WIFI_STATE GET_ACCOUNTS REORDER_TASKS ACCOUNT_MANAGER GET_PACKAGE_SIZE RESTART_PACKAGES AUTHENTICATE_ACCOUNTS GET_TASKS SEND_SMS BATTERY_STATS GLOBAL_SEARCH SET_ACTIVITY_WATCHER BIND_APPWIDGET HARDWARE_TEST SET_ALARM BIND_DEVICE_ADMIN INJECT_EVENTS SET_ALWAYS_FINISH BIND_INPUT_METHOD INSTALL_LOCATION_PROVIDER SET_ANIMATION_SCALE BIND_REMOTEVIEWS INSTALL_PACKAGES SET_DEBUG_APP BIND_WALLPAPER INTERNAL_SYSTEM_WINDOW SET_ORIENTATION BLUETOOTH INTERNET SET_PREFERRED_APPLICATIONS BLUETOOTH_ADMIN KILL_BACKGROUND_PROCESSES SET_PROCESS_LIMIT BRICK MANAGE_ACCOUNTS SET_TIME BROADCAST_PACKAGE_REMOVED MANAGE_APP_TOKENS SET_TIME_ZONE BROADCAST_SMS MASTER_CLEAR SET_WALLPAPER BROADCAST_STICKY MODIFY_AUDIO_SETTINGS SET_WALLPAPER_HINTS BROADCAST_WAP_PUSH MODIFY_PHONE_STATE SIGNAL_PERSISTENT_PROCESSES CALL_PHONE MOUNT_FORMAT_FILESYSTEMS STATUS_BAR CALL_PRIVILEGED MOUNT_UNMOUNT_FILESYSTEMS SUBSCRIBED_FEEDS_READ CAMERA NFC SUBSCRIBED_FEEDS_WRITE CHANGE_COMPONENT_ENABLED_STATE PERSISTENT_ACTIVITY SYSTEM_ALERT_WINDOW CHANGE_CONFIGURATION PROCESS_OUTGOING_CALLS UPDATE_DEVICE_STATS CHANGE_NETWORK_STATE READ_CALENDAR USE_CREDENTIALS CHANGE_WIFI_MULTICAST_STATE READ_CONTACTS USE_SIP CHANGE_WIFI_STATE READ_FRAME_BUFFER VIBRATE CLEAR_APP_CACHE READ_HISTORY_BOOKMARKS WAKE_LOCK CLEAR_APP_USER_DATA READ_INPUT_STATE WRITE_APN_SETTINGS CONTROL_LOCATION_UPDATES READ_LOGS WRITE_CALENDAR DELETE_CACHE_FILES READ_PHONE_STATE WRITE_CONTACTS DELETE_PACKAGES READ_SMS WRITE_EXTERNAL_STORAGE DEVICE_POWER READ_SYNC_SETTINGS WRITE_GSERVICES WRITE_HISTORY_BOOKMARKS WRITE_SECURE_SETTINGS WRITE_SETTINGS WRITE_SMS WRITE_SYNC_SETTINGS
- 27. Phone Calls Read Phone State and Identity System Tools Modify Global System Settings Prevent Device From Sleeping Permissions ! Bluetooth Administration Change Wi-Fi State Change Network Connectivity Automatically Start at Boot Network Communication Full Internet Access Create Bluetooth Connections View Network State View Wi-Fi State Your Personal Information Read Contact Data Add or Modify Calendar Events and Send Email To Guests https://market.android.com/details?id=com.pandora.android&feature=search_result – 4/25/2011
- 28. Just a bit deeper… Google purchases AdMob for $750 million dollars. Closed May, 2010
- 29. ESPN, CBS Interactive, Geico, Starbucks… 100,000 – 500,000 installations Permissions: • FINE (GPS) LOCATION • COARSE (NETWORK-BASED) LOCATION • FULL INTERNET ACCESS 5,000,000 – 10,000,000 installation Permissions: • RECORD AUDIO • CHANGE YOUR AUDIO SETTINGS • FINE (GPS) LOCATION • COARSE (NETWORK-BASED) LOCATION • FULL INTERNET ACCESS • MODIFY/DELETE USB STORAGE CONTENTS MODIFY/DELETE SD CARD CONTENTS • PREVENT DEVICE FROM SLEEPING Permissions retrieved from official Android Marketplace on 4/25/2011
- 30. CBS News Advertising Networks
- 32. One week later... 1. http://www.rollingstone.com/culture/blogs/gear-up/pandora-responds-to- claims-that-its-online-service-violates-user-privacy-20110415
- 33. Privacy?
- 34. Here are Some Numbers… Permissions Requeste d! 24% GPS information (11,929)! 8% Read Contacts (3,6 26)! 53,000 - # Of 4% Send SMS (1,693)! Applications 3% Receive SMS (1262 )! 2%Record Audio (1100 Analyzed! )! 2% Read SMS (832)! ! 1% Process Outgoing! ~48,000 Android 3 Average Numb er of Calls (323)! Market! Permissions .5% Use Credentials (2 48)! ~5,000 3rd Party Requested! Markets! ! 117 Most Reque sted for Single Application!
- 35. And Even More Numbers… Total Third Party Libraries: ~83,000! ! Top Shared Libraries "! 38% com.admob (18,426 apps )! 8% org.apache ( 3,684 apps )! 6% com.google.android ( 2,838 apps )! 6% com.google.ads ( 2,779 apps )! 6% com.flurry ( 2,762 apps )! 4% com.mobclix ( 2,055 apps )! 4% com.millennialmedia ( 1,758 apps)! 4% com.facebook ( 1,707 apps)!
- 36. Code Reuse Most Code Is! ! Outsourcing Reused! Outsourced! 3rd Party Libraries (with source)! 3rd Party Libraries (binary format)! Third Party Libraries ! Nobody really knows what their code does!!
- 37. Risk Transference! ! Your code! Your libraries! Outsourced code! 3rd party libraries! Purchased code! COTS code! ! ! Contract your vendors to do the same! I’ll Accept that Risk! Pass it on over..
- 38. Tyler Shields @txs tshields@veracode.com txs@donkeyonawaffle.org Summary Case Studies! ape! ! L andsc rity No Hardcoded Passwords! On ile Secu ly T P Mob ! atio ns ! ! ake rivacy! pplic k! Wh l e A Encrypt Data In Transit! at Y Mobi High Ris Be H one ! ou Nee Ar e ! st W d! ! ! bile Code Secure Data At Rest! Use ith You iou s Mo Flaws! rs! r! M alic Co ding ! Be W ! M obile a Analyze Security of ALL Code! Tran ry of R sfe (Includes Code Reuse)! renc isk e !