Assignments
The practical exercises are meant to deepen your understanding of topics related to the lecture. In this course we pursue an approach that is slightly different from what you might have experienced in other courses: your own ideas may form part of an assignment. Instead of exercises where every student solves the same task, the seminar-style class lets us highlight your individual contribution. What does that mean in practice? During the course you get two assignments. The first task introduces you to the subject; the second one challenges your individual skills and should let you work on a project, related to the lecture, that is fun for you.
Task 1
Prerequisites:
- You are expected to be familiar with HTTP(S), TLS, proxies, MITM attacks and certificate pinning from earlier courses
- Study the Android developer documentation on Network Security Configuration
- Read up on the `TrustManager` and `HostnameVerifier` interfaces
  - What do they do?
  - When is an implementation insecure?
  - How are they called?
  - How can developers use custom implementations with common HTTP stacks?
- Read up on certificate pinning on Android for the default `HttpsURLConnection` or OkHttp stacks
- An unrooted Android device or emulator running Android 7.0 or newer
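The questions above ("When is an implementation insecure?") come down to a handful of recognisable code shapes in a decompiled app: a `checkServerTrusted` that never throws, a `getAcceptedIssuers` that returns `null`, or a `HostnameVerifier` that always returns `true`. The following scanner is an added example (not part of the course material or any tool linked on this page) that flags those shapes in jadx-style Java source; the rule names, the regular expressions and both sample classes are constructed for this illustration and are heuristics, not a complete analysis.

```python
import re
from dataclasses import dataclass

# Added example: heuristic scanner for decompiled Java that flags the usual
# ways an app disables TLS certificate or hostname validation.
# Rule names are hypothetical; patterns target jadx-style output.


@dataclass(frozen=True)
class Finding:
    rule: str
    line: int
    snippet: str


# A brace pair whose body is only whitespace, // comments, or bare "return;"
_EMPTY_BODY = r"\{\s*(?:(?://[^\n]*|return\s*;)\s*)*\}"

RULES = [
    # checkServerTrusted that can never throw: every server chain is accepted
    ("trustmanager.empty-check",
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+)?" + _EMPTY_BODY)),
    # null/empty accepted issuers usually accompanies a trust-all manager
    ("trustmanager.null-issuers",
     re.compile(r"getAcceptedIssuers\s*\(\s*\)\s*\{\s*return\s+(?:null|new\s+X509Certificate\s*\[\s*0\s*\])\s*;")),
    # HostnameVerifier.verify returning true unconditionally
    ("hostnameverifier.always-true",
     re.compile(r"boolean\s+verify\s*\(\s*String\s+\w+\s*,\s*SSLSession\s+\w+\s*\)\s*\{\s*return\s+true\s*;")),
    # same verifier written as a lambda and handed to HttpsURLConnection/OkHttp
    ("hostnameverifier.lambda-true",
     re.compile(r"setHostnameVerifier\s*\(\s*\(\s*\w+\s*,\s*\w+\s*\)\s*->\s*true\s*\)")),
    # well-known no-op verifiers from Apache HttpClient
    ("hostnameverifier.allow-all",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER|NoopHostnameVerifier")),
]


def scan_source(src: str) -> list:
    """Return findings sorted by line; an empty list means no known bypass pattern."""
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(src):
            line = src.count("\n", 0, m.start()) + 1
            snippet = src[m.start():m.end()].splitlines()[0].strip()
            findings.append(Finding(rule, line, snippet))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def summarize(findings) -> dict:
    """Separate 'chain not checked' from 'hostname not checked' for the report."""
    return {
        "chain_validation_disabled": any(f.rule.startswith("trustmanager.") for f in findings),
        "hostname_check_disabled": any(f.rule.startswith("hostnameverifier.") for f in findings),
    }


# Constructed sample: what a trust-all app typically looks like after decompilation
INSECURE_SAMPLE = """\
public final class NaiveTrust implements X509TrustManager {
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // trust everything
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
}
final class AnyHost implements HostnameVerifier {
    public boolean verify(String hostname, SSLSession session) { return true; }
}
class Net {
    void setup(HttpsURLConnection c) {
        c.setHostnameVerifier((hostname, session) -> true);
    }
}
"""

# Constructed sample: a manager that delegates to the platform and adds a pin check
SECURE_SAMPLE = """\
final class PinnedTrust implements X509TrustManager {
    private final X509TrustManager platform;
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkServerTrusted(chain, authType);
        if (!PINS.contains(spkiSha256(chain[0]))) throw new CertificateException("pin mismatch");
    }
    public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
}
"""

if __name__ == "__main__":
    for name, src in (("insecure", INSECURE_SAMPLE), ("secure", SECURE_SAMPLE)):
        found = scan_source(src)
        print(name, summarize(found))
        for f in found:
            print(f"  line {f.line}: {f.rule}: {f.snippet}")
```

Run it over the output directory of jadx (one file at a time) to get a list of places worth reading by hand; a hit still has to be confirmed in the source, since a class can be defined but never wired into the HTTP stack, which is exactly the "Is it actually used as well?" question in step 3.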
The steps for each of the apps are:
1. Try to intercept its traffic using a proxy server.
2. If the application uses only HTTP, or it uses HTTPS but insecure certificate validation (i.e. the proxy CA is accepted):
   - Insecure HTTPS: Decompile the app to figure out how this vulnerability was introduced. Document your findings and continue with step 5.
   - HTTP: Great find! Skip to step 5.
3. Decompile the application (using apktool/jadx) to figure out why interception failed:
   - Which HTTP stack is used? Maybe OkHttp's `CertificatePinner` was used?
   - Is a custom `TrustManager` or `HostnameVerifier` defined? Is it actually used as well?
   - Is pinning configured in the Network Security Configuration?
   - …
4. If no NSC is present (secure default), or a secure NSC is used, make it insecure:
   - Modify the NSC to trust user-installed certificates
   - Recompile and re-sign the APK
   - Install the re-signed APK and proceed
   - (If the modified APK crashes due to APK signature verification: document the crash in detail and go to step 6)
5. Analyse the server communication:
   - Is the Play Store Data Safety section of the app accurate?
   - Are there any hard-coded secrets in the app (e.g. authorisation tokens, …)?
   - Any other interesting finds in the communication?
6. Document all findings in a scientific report (see below)
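Steps 3 and 4 both hinge on reading the app's Network Security Configuration: whether a `pin-set` protects the API domains, whether `cleartextTrafficPermitted` is on, and whether any config (outside `debug-overrides`) lists `<certificates src="user"/>`, which is what makes a user-installed proxy CA acceptable on Android 7.0+. The auditor below is an added example, not part of the course material; the element and attribute names follow the Android NSC schema, while the report fields, the two sample documents and the placeholder pin digests are constructed for this illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Added example: audit res/xml/network_security_config.xml for settings that
# decide whether a user-installed (proxy) CA or cleartext HTTP is accepted.


@dataclass
class NscReport:
    cleartext_scopes: list = field(default_factory=list)  # configs allowing plain HTTP
    user_ca_scopes: list = field(default_factory=list)    # configs trusting user CAs
    pinned_domains: dict = field(default_factory=dict)    # domain -> number of pins
    notes: list = field(default_factory=list)


def _scope(cfg) -> str:
    if cfg.tag == "base-config":
        return "base-config"
    domains = [d.text.strip() for d in cfg.findall("domain") if d.text]
    return "domain-config[" + ",".join(domains) + "]"


def _audit_config(cfg, report: NscReport) -> None:
    scope = _scope(cfg)
    # Only an explicit "true" is flagged; when unset, the platform default
    # depends on targetSdkVersion (cleartext is off from API 28 onwards).
    if cfg.get("cleartextTrafficPermitted", "false").lower() == "true":
        report.cleartext_scopes.append(scope)
    for cert in cfg.findall("trust-anchors/certificates"):
        src = cert.get("src", "")
        if src == "user":  # every CA the device owner installed becomes a trust anchor
            report.user_ca_scopes.append(scope)
        elif src.startswith("@raw/"):
            report.notes.append(f"{scope} trusts bundled CA {src}")
    pin_set = cfg.find("pin-set")
    if pin_set is not None:
        pins = pin_set.findall("pin")
        for d in cfg.findall("domain"):
            report.pinned_domains[d.text.strip()] = len(pins)
        if len(pins) < 2:
            report.notes.append(f"{scope}: pin-set has no backup pin")
        if pin_set.get("expiration") is None:
            report.notes.append(f"{scope}: pin-set never expires")
    for nested in cfg.findall("domain-config"):  # nested configs inherit from cfg
        _audit_config(nested, report)


def audit_nsc(xml_text: str) -> NscReport:
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        raise ValueError(f"not a network security config: <{root.tag}>")
    report = NscReport()
    for child in root:
        if child.tag in ("base-config", "domain-config"):
            _audit_config(child, report)
        elif child.tag == "debug-overrides":
            if child.find("trust-anchors/certificates[@src='user']") is not None:
                report.notes.append("debug-overrides trusts user CAs (debuggable builds only)")
    return report


def proxy_ca_accepted(report: NscReport) -> bool:
    """A release build trusts a user-installed proxy CA only if some config lists src='user'."""
    return bool(report.user_ca_scopes)


# Constructed sample: what step 4 produces (plain HTTP allowed, user CAs trusted everywhere)
INSECURE_NSC = """\
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system"/>
            <certificates src="user"/>
        </trust-anchors>
    </base-config>
</network-security-config>
"""

# Constructed sample: secure default plus pinning; user CAs only via debug-overrides.
# The pin values are placeholders, not real SPKI digests.
SECURE_NSC = """\
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system"/>
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
            <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user"/>
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""

if __name__ == "__main__":
    for name, doc in (("insecure", INSECURE_NSC), ("secure", SECURE_NSC)):
        r = audit_nsc(doc)
        print(name, "proxy CA accepted:", proxy_ca_accepted(r), r)
```

For the report, the interesting comparison is the two samples side by side: the secure variant keeps the system store as the only trust anchor for release builds and confines user CAs to `debug-overrides`, which Android honours only when the app is debuggable. An NSC that never mentions `src="user"` and has no pins gives the default behaviour (system CAs only), which is why the assignment treats a missing NSC as the secure case.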
Report Format
Your report is a scientific document, so it is supposed to:
- Demonstrate your understanding of the topics mentioned in Prerequisites
- Be well-structured, including a short conclusion for every app
- Use appropriate language
- Full sentences, not just a list of bullet points
- Provide full reasoning for decisions and steps taken
- Include code or communication snippets as text, not as screenshots (if possible)
- Explain all steps, not simply refer to blog posts or tutorials
- Document your environment and procedures
Include your report in your submission as a PDF document.
Submission
Important: Submit your report by TODO at 23:59 by sending an email to mobilesec@iaik.tugraz.at. Include your name and matriculation number in the email.
Resources
Below is a small list of task-related links that may help you deepen your understanding of what you should do.
- Apktool: Tool for Decompiling and Recompiling Android APKs
- Uber-APK-Signer: Simplified APK signing
- Network Security Configuration
- A2P2 – An Android Application Patching Pipeline Based On Generic Changesets
FAQ
Q: Are we allowed to use tool XYZ?
A: If it automates the traffic analysis: No! Otherwise: Ask on Discord.