![Page 1: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/1.jpg)
What is Android Colluded
Applications Attack and How
to Detect It?Igor Khokhlov, Leon Reznik
[email protected], [email protected]
Rochester Institute of Technology
Rochester, NY
1
This research is partially based upon
work supported by the NSF under
Award # ACl-1547301 and NSA
under Award # H98230-I7-l-0200
![Page 2: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/2.jpg)
Content
Data Quality and Security in real life
Android security mechanisms
Overt communication channel
Overview
Attack scenario
Attack analysis
Covert communication channel
Overview
Attack scenario
Attack analysis
Colluded application attack detection
Conclusion
2
![Page 3: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/3.jpg)
Data Quality3
Old data collection modelModern data collection model
From a scientist to a scientist Citizen science Internet of Things
Quality Data What is data quality?
![Page 4: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/4.jpg)
Data Quality4
How do we do it?
Our Solution:
A Cyclic Distributed
Hierarchical Framework for
Data Quality Evaluation and
Assurance
![Page 5: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/5.jpg)
5 Data Quality
Data Qulity
Data Trustworthiness
User s Privacy
Communication security
Device Security
Channel type
Colluded Applications
Accuracy
Freshness
Noise
![Page 6: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/6.jpg)
What is application collusion?
Colluded applications – are collaborating
applications that can bypass permission
restrictions through communicating with
each other.
Applications can communicate with each
other either through overt communication
channel or covert communication channel.
6
![Page 7: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/7.jpg)
Hypothesis
Colluded applications may create
distinctive patterns in the memory
consumption and CPU usage signals.
7
![Page 8: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/8.jpg)
Typical Android Architecture
Hardware Drivers
Power Managment
Linux Kernel
Hardware Abstraction Layer (HAL)
Native C/C++ Libraries
Android Runtime (ART) or Dalvik JVM
Core Libraries
Android Runtime
Java API Framework
System Applications
Third-party Applications
• (HAL) provides standard interfaces of hardware components.
• Native C/C++ Libraries layer contains high performance libraries.
• Linux kernel is the basic layer that communicates with platform
hardware and sensors.
• Android Runtime (ART) executes Java code
• Application layer
Source: “Platform Architecture | Android Developers.” [Online]. https://developer.android.com/guide/platform/index.html. Accessed: March 27, 2017.
8
![Page 9: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/9.jpg)
Colluded applications: violation of
major security mechanisms9
![Page 10: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/10.jpg)
10Colluded applications: violation of
major security mechanisms
![Page 11: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/11.jpg)
11Colluded applications: violation of
major security mechanisms
![Page 12: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/12.jpg)
Overt communication channelOvert communication is used for explicit data transmission
between installed applications.
12
![Page 13: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/13.jpg)
Overt communication channel:
Explicit Intent
13
![Page 14: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/14.jpg)
Overt communication channel:
Implicit Intent
14
![Page 15: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/15.jpg)
Overt communication channel:
Implicit Intent
15
![Page 16: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/16.jpg)
Overt communication channel:
Attack scenario
16
Explicit Intent Implicit Intent
![Page 17: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/17.jpg)
Colluded Applications Defenition17
𝐴, 𝐵 ∈ 𝑆 ⋀ 𝑃𝐷𝐴, 𝑃𝐷𝐵 ⊂ 𝐷𝑃 ⋀ 𝑃𝐷𝐴 ≠ 𝑃𝐷𝐵 ⋀ሺሻ
𝑝𝐷 ∈𝑃𝐷𝐴 ⋀ሺ𝑝𝐷∉𝑃𝐷𝐵) ⋀ 𝑝𝐿 ∈ 𝑃𝐷𝐵 ⋀ሺ𝑝𝐿∉𝑃𝐷𝐴) ⋀
𝑡𝐴 𝐵, 𝐷𝑝𝐷, 𝑏𝑎𝑐𝑘𝑔𝑟𝑜𝑢𝑛𝑑 → 𝐴 𝑎𝑛𝑑 𝐵 𝑎𝑟𝑒 𝑐𝑜𝑙𝑙𝑢𝑑𝑒𝑑
![Page 18: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/18.jpg)
Initial Experiment Description
Device: Google Nexus 4
Android version 5.1
Colluded applications do not follow up normal procedures forretrieving user’s data, which commonly have to requestpermission for data acquisition
Colluded application transfer data using Android OS services
Transmitted data: 300 MB of user’s data
Chrome web-browser runs at the background
18
![Page 19: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/19.jpg)
Overt communication channel:
Attack analysis – no attacks
19
![Page 20: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/20.jpg)
Overt communication channel:
Attack analysis – 1 attack at a time
20
![Page 21: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/21.jpg)
Overt communication channel:
Attack analysis – 3 attacks simultaneously
21
![Page 22: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/22.jpg)
Overt communication channel:
Attack analysis - comparison
22
![Page 23: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/23.jpg)
Covert communication channelCovert inter-application communication creates a capability to
transfer data between applications that are not supposed to
be allowed to communicate.
23
![Page 24: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/24.jpg)
Covert communication channel:
Time based
24
![Page 25: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/25.jpg)
Covert communication channel:
Time based – attack analysis
Minimal time interval between requests is 1ms;
125 bytes per second – expected to be used for small amount of data
A device cannot go into a sleep mode
We have not detected patterns in the CPU usage
25
Allocation memory consumption
![Page 26: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/26.jpg)
Covert communication channel:
Storage based
26
![Page 27: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/27.jpg)
Conclusion
Colluded applications can bypass permissions and cause leak of a
private information
Time-based covert channel is not expected to be used for
communicating big amounts of data
Transferring big amounts of data through Intents creates
distinguishing patterns in memory consumption and CPU usage
These patterns can be used for application collusion detection in a
real-time
27
![Page 28: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/28.jpg)
More information?
Download our apps from Google Play
https://play.google.com/store/apps/details?id=com
.igorkh.trustcheck.securitycheck
https://play.google.com/store/apps/details?id=data
qualitylab.rit.ver_app_finder and more are coming
Watch our webinar: https://youtu.be/nkp0kvJvTWw
Take a look at our publications (next slide)
And yes, we are developing the project website
Contact us
28
Leon Reznik, Igor KhokhlovDepartment of Computer Science
Rochester Institute of Technology
email: [email protected], [email protected]
![Page 29: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/29.jpg)
Publications
1. Khokhlov, I., Reznik, L., “Colluded Applications Vulnerabilities in Android Devices”.The 15th IEEE International Conference on Dependable, Autonomic and SecureComputing (DASC 2017), Orlando, FL, November 2017.
2. Khokhlov, I., Reznik, L., “Android System Security Evaluation”. Demonstration. IEEEConsumer Communications & Networking Conference, Las-Vegas, NV, January2018.
3. Khokhlov, I., Reznik, L., Kumar, A., Mookherjee, A. and Dalvi, R., “Data Security andQuality Evaluation Framework: Implementation Empirical Study on AndroidDevices.” In IEEE Information Security and Protection of Information TechnologiesConference, St. Petersburg, April 2017.
4. Khokhlov, I., Reznik, L., “Data Security Evaluation for Mobile Android Devices.” In IEEEInformation Security and Protection of Information Technologies Conference, St.Petersburg, April 2017.
5. Vora A., Reznik, L., Khokhlov, I.,“Mobile Road Pothole Classification and Reportingwith Data Quality Estimates”. IEEE MobiSecServ 2018 - Fourth Conference On MobileAnd Secure Services, Miami Beach, FL, February 2018. Pages 26-31
29
![Page 30: What is Android Colluded Applications Attack and How to ... · Colluded applications – are collaborating applications that can bypass permission restrictions through communicating](https://reader034.vdocuments.net/reader034/viewer/2022052022/603786469438bb416c4b085a/html5/thumbnails/30.jpg)
What is Android Colluded
Applications Attack and How
to Detect It?Igor Khokhlov, Leon Reznik
[email protected], [email protected]
Rochester Institute of Technology
Rochester, NY
30
This research is partially based upon
work supported by the NSF under
Award # ACl-1547301 and NSA
under Award # H98230-I7-l-0200