/Teaching/Mobile Security/Assignments

Assignments

The practical exercises shall foster your understanding of topics related to the lecture. In this course we pursue an approach which is slightly different from what you might have experienced in other courses: your ideas may form part of an assignment. Instead of exercises where each student tries to solve the same task, the seminar-style class enables us to highlight your individual contribution. Now, what does that mean in practice? During the course, you get two assignments. While the first task intends to introduce you to the subject, the second one challenges your individual skills and should enable you to work on a project, related to the lecture, which is fun to you.

Task 1

The first assignment focuses on combining network analysis with mobile security. Your task consists of analysing a set of min. 3 applications for Android or iOS and find out if they are susceptible to MITM attacks and what data it transmits to servers. Some background knowledge on the relevant concepts is provided on the assignment slides.

The steps for each of the apps are:

  1. Try to intercept its traffic using a proxy server
  2. If the application uses only HTTP or it uses HTTPS, but insecure certificate validation (i.e. the proxy CA is accepted): Document and go to step 6
  3. If you use an iOS device that is not jailbroken: Find another app, go to 1
  4. Decompile the application to figure out how certificate pinning is implemented (using apktool/jadx or Ghidra/Hopper)
    • Is an HTTP library used?
    • Android: Is a custom TrustManager or HostnameVerifier used?
    • Android: Is the Network Security Configuration used?
  5. Android: If no NSC is present (secure default), or a secure NSC is used, make it insecure
    • Modify NSC to trust user-installed certificates
    • Recompile and resign the APK
    • Install resigned APK and proceed
    • (If the modified APK crashes due to APK signature verification: Document the crash in detail, go to 7)
  6. Analyse the server communication
    • Is any sensitive information sent from the device?
    • Is there any hard-coded secret in the app (i.e. Authorisation tokens, …)
    • Does the app collect analytics?
    • Any other interesting find in the communication?
  7. Document all findings in a report (submit a PDF document including screenshots and textual analyses)
Please note: I’m sure I missed some case above. In general, if you don’t end at 7, or for some reason cannot sensibly follow a step, find another app 😉
Important: Upload your results (ZIP file including PDF report and supplementary data) until 17.04.2023 at 23:59 by sending an email to mobilesec@iaik.tugraz.at. If your ZIP file exceeds allowed attachment sizes, upload it here, and reference the uploaded file in your email.

Resources

In the following, a small list of task-related links is assembled. This may help you to deepen your understanding of what you should do.

Task 2

You will have the opportunity to propose a preferred and somehow course-related topic for this assignment. Otherwise, you may choose from one of the suggested topics. With regards to content, the focus is put on fast-prototyping research and might form a basis for subsequent projects at our institute. Please send a ZIP archive of your final work or a link to a GIT repository until 12.06.2023 at 23:59 to the email address mobilesec@iaik.tugraz.at. A documentation of source code would be nice but is not explicitly required. If you want, of course, you can hand in your final delivery also alongside with your presentation. All information regarding the presentation can be found here.