the impact of third-party code on android app security · 2019-12-18 · the impact of third-party...
TRANSCRIPT
The Impact of Third-party Code
on Android App Security
Erik Derr
Third-party Code – A Double-edged Sword
Eases software development
Code re-use
Faster development, less costs
Increases apps‘ attack surface
Code from different origins
Trust closed-source components
Risk Estimation
2,000,000,000 components with known
vulnerabilities are downloaded / year
Outdated libs have a 3x higher
probability to include vulnerabilities
OWASP Top 10 Security Risks (since 2013)
“Using components with known vulnerabilities”
Quantify Security Impact
Measure the status quo of outdated libs in the software ecosystem
Identify apps that use lib versions with known vulnerabilities
Attribute new vulnerabilities to the correct component (library / app code)
Requires a reliable detection of libraries in app binaries
Detection Challenges on Android
Compiled App Obfuscated App
Developer View
Explicit declaration
Libraries / versions known
Monolithic bytecode
Same Origin
Identifier renaming
Dead code elimination
public void myTest(int, int, String) {code code codecode code codeif (..) {
code code codecode code code
} elsecode = doSomething(data);
}
private int doSomething(String) {while (true) {
obfuscatedCallobfuscatedCallif (..) {
return data;}
}return otherData;
}
CFG
CFG
??
Static (Byte)Code Analysis Data Structures (CFG, CG, ..)
Imprecision
Scalability
Common Analysis Approach
Code Structure Detection
Root
com
widget
internalandroid
model
ads
searchadsmediation
util
admob
customeventdeexample
myapp
activity
widget
utilanimator
…
…
}
public class myClass {
public class someClass {{..}
}
package com.google.ads.util;
public void myTest(int, int, String) {}
private int doSomething(String) {}
package com.facebook.widget;
public class anotherActivity {{..}
}
package de.example.myapp.activity;
Code Structure Detection
Root
com
ads
searchadsmediation
util
admob
customeventdeexample
myapp
activity
widget
utilanimator
…
…
}
public class myClass {
public class someClass {{..}
}
package com.google.ads.util;
public void myTest(int, int, String) {}
private int doSomething(String) {}
package com.facebook.widget;
public class anotherActivity {{..}
}
package de.example.myapp.activity;
a
bc
d
Profiling Apps & Libraries
Merkle Tree
Parent hash generated
from child hashes
Efficient integrity checks
for large data structures
Sort hashes for
deterministic build order
Method Hash
Class Hash
Package Hash
Library/App Hash
Package Hash
Class Hash Class Hash
Method Hash Method Hash
Match
Build
Method Hashing
signature com.myClass.do(android.content.Context, int, com.Foo) com.Session
descriptor (android.content.Context, int, com.Foo) com.Session
fuzzy descriptor (android.content.Context, int, X) X
Idea: Replace anything that is prone to identifier renaming
Side-effect: Error introduced at method layer to defeat obfuscation
But, error decreases when building the entire tree
Profile Matching
Class Hash
Package Hash Package Hash
Class Hash Class Hash
App Tree Library Version Tree
Full Match
Profile Matching
Class Hash
Package Hash Package Hash
Class Hash Class Hash
App Tree Library Version Tree
Partial Match
90% of original library code
Measuring Library Outdatedness
0 20 40 60 80 100 120 140
3.0.x3.5.x3.6.x3.7.x3.8.x
3.14.x3.15.x3.16.x3.17.x3.18.x3.19.x3.20.x3.21.x3.22.x3.23.x4.0.x4.1.x4.2.x4.3.x4.4.x4.5.x4.6.x4.7.x4.8.x4.9.x
4.10.x4.11.x4.12.x4.13.x4.14.x
# Apps including Facebook SDK
Account Hijacking Vulnerability (version 3.15)
Vulnerability Lifetime
Released apps with vulnerable Facebook SDK (before / after release of patched SDK)
Packages with patched / removed Facebook
SDK
Packages with vulnerable Facebook SDK (released after patched SDK)
Released apps with patched / removed Facebook SDK
Call for Action
Additional Platform Support
(dependency manager)Library Developer
simplify updates
Market Operator
adopt state-of-the-art analyses
Android Ecosystem Need for Development Tools
Takeaways
Third-party libraries are a double-edged sword
Consider potential security risks
Reliable library detection
Quantify security impact of third-party code
Raise awareness
No silver bullet
Requires combined effort to improve
status quo more sustainably
LibScout is Open-Source!
https://github.com/reddr/LibScout
Growing library DB (>230 libs, >4,500 versions)
Detected more than 20k apps with vulnerable libs