/Teaching/Mobile Security/Assignments/Task 2 – Suggested Topics

Task 2 – Suggested Topics

Each of the following topics can be handled in groups of max. 3 people. In case you are interested in projects with already 1-2 participants assigned, please apply anyway (= send me an email) and we will bring you together. If none of these topics sounds appealing to you, propose your own idea and we can see if it fits into the ensemble. All listed projects can also be worked on independently by max. 2 groups per project, unless there are still projects in the pool where nobody is assigned.

Important note: Obviously, the subsequent list provides only a very short abstract of every project. In case something sounds appealing but you do not fully understand what the topic is about, do not hesitate to come to me after the lecture and I will gladly explain it! Also, if you are uncertain how to proceed, please just ask me after the lecture and do not wait until the last week before the deadline!

Hint: For all projects where Android applications have to be reverse-engineered, please use Bytecode Viewer, Apktool, enjarify or something equivalent. These tools greatly simplify the job.

Topics

Working Title	Description
Android: Live Data analysis using VPNService	By leveraging the VPNService functionality of Android, it is possible to capture all data packets without requiring root permissions. In this project we intend to do a live analysis of the data transfered. You could, for example, find out what URLs are called (whether HTTP or HTTPS) by apps, or even more interesting: try to determine if critical data is sent. For instance, you could search through all transmitted data packets whether they contain the IMEI, IMSI, or a phone number. Likewise, indicate the TLS-related properties of servers apps connect to (Cipher suite, HSTS yes/no, HPKP, ..). The output could be then displayed on the device within a kind of monitoring app. Hint: You will save a lot of time if you build your work on an already existing framework, such as NetGuard.
	Assigned: Denk, Toch, Zant
	Assigned: Gruber, Lemle
Android: Notifier (P2P)	Receiving notifications from mobile phones on a computer is nothing new (e.g. Messages, Pushbullet, Mightytext, or Desktop Notifications). However, all of these services relay your messages using a 3rd party in clear text. Your task is to establish a direct connection between a computer and a mobile in order to transmit notifications. The focus of this work should be put on elaborating on appropriate protection mechanisms for a secure data transfer. E.g. in order for an initial key exchange between a computer and a smartphone, the computer could show a QR code that has to be scanned by the phone. Still there are remaining questions to solve: How to encrypt messages? When to re-pair a computer? Where do you store secret key material on the phone? By developing the Android app and a desktop counterpart, you are requested to deal with that and propose practically viable solutions.
	Assigned: Gollob, Hennerbichler, Mucaj
	Assigned:
Android: Notifier (Server)	Receiving notifications from mobile phones on a computer is nothing new (e.g. Messages, Pushbullet, Mightytext, or Desktop Notifications). However, all of these services relay your messages using a 3rd party in clear text. Your task is to establish an indirect connection (= using a web server) to a target while ensuring that all transfered data is encrypted. The challenges are similar to the P2P variant. With a server-based version, however, this would also work if the mobile phone and recipient device are located in distinct networks. Somehow you also have to authenticate at the server, i.e. the server has to know the target devices it should deliver notifications for. A very good starting point is in looking at / thinking about how existing messengers, such as Telegram or Signal approach these issues.
	Assigned: Alshazly, Pjanic
	Assigned: Gigerl, Kreiner
Android: Analysis of Dating Apps	Looking for a partner using mobile apps has become increasingly popular. Many people share personal and often even intimate data with apps like Tinder, Badoo, and others. Unfortunately, users typically don’t know how their data is processed. A small survey of frequently used apps, done in 2017, has revealed blatant security flaws in a majority of them. In this project, you should re-investigate a couple of popular dating apps, seeking for similar problems as reported in the study. Have the issues been fixed meanwhile? How is it different now? Are there new leaks? Do these apps suffer from other problems the survey might have overlooked? The outcome should be an investigative report of at least 8 popular apps where you describe your analysis process and present the results you have obtained from your inspection. Please note that it will not be sufficient to just do a MITM attack and see what data the apps transfer. I expect you to do an in-depth review of how the apps behave by reverse-engineering (and eventually injecting things during runtime).
	Assigned: Ayan, Watko
	Assigned: Armstorfer, Gutschlhofer, Heinz
Android: Fuzzing	Almost all recent defects in the Android platform have been found using Fuzzing. The idea of fuzzing is to supply all kind of input data to a service and see how it reacts. A gold mine of success for this kind of attack is/was the Stagefright media library. As repeatedly reported in the press, it was possible to provoke buffer overflows and other problems by injecting corrupt files. The idea of this project is to get familiar with at least one existing fuzzing solution (e.g. Droid-FF [1], [2], [3], [4], [5]), try it out, and to determine the effectiveness of the attack.
	Assigned: Dermutz, Wieser
	Assigned: Kindlhofer, Schaffer
Android: Dynamic App Instrumentation with Frida	Hooking and monitoring the activities of Android applications has been a tedious task for a long time causing dramatic performance drain. Recently, researchers have published a framework called Frida (also see here: [1], [2) which drastically simplifies logging and tracking of arbitrary methods. Using small JavaScript snippets you can spy and trace on any API without needing to disassemble anything. The goal of this project is to get familiar with Frida and to write own snippets that can be used for target-oriented analysis, e.g. to highlight all usages of crypto APIs or network traffic. A very good starting point and introduction to Frida can be found here.
	Assigned: Kleeberger, Treffner
	Assigned: Barta
Android: Automated patching of Certificate Pinning	To prevent MITM attacks, many Android applications implement certificate pinning. Newer versions of Android even provide means for an app to deploy certificate pinning automatically for all its network requests. The goal of this project is to build a system that can automatically patch applications (APK files) so that certificate pinning is bypassed. If possible, the solution should run on Android itself.
	Assigned:
	Assigned:
iOS: Dynamic App Instrumentation with Frida	Hooking and monitoring the activities of iOS applications has been a tedious task for a long time and often required a jailbroken device. Recently, researchers have published a framework called Frida (also see here: [1]) which drastically simplifies logging and tracking of arbitrary methods. Using small JavaScript snippets you can spy and trace on any API without needing to disassemble anything. The goal of this project is to get familiar with Frida and to elaborate snippets that can be used for target-oriented analysis, e.g. to highlight all usages of crypto APIs or network traffic.
	Assigned:
	Assigned:
Cordova: Static Analysis	The Apache Cordova platform allows developers to create cross-platform compatible mobile apps using web technologies (HTML, JavaScript, CSS). The idea of this project is to apply and augment an existing tool for static analysis tools of JavaScript (see [1] and [2]) to Cordova apps. Thereby, we could not only uncover security-related problems in apps but probably also follow the trace of entered passwords throughout an application. Hint: The DASCA and DVHMA projects are very good starting points so that you don’t have to start from zero.
	Assigned:
	Assigned:
Android: Investigate proprietary application-layer transport encryption implementations	In an effort to protect their server APIs from third-party clients, a considerable number of applications protects their server communication through (pseudo-)cryptographic means that go beyond the common TLS/SSL layer (Examples: Banggood, Willhaben, ProSiebenSat1). This increasingly popular practise raises several interesting research questions: How exactly is this protection implemented? If it involves including a hash of the request, how is it formed? Is some additional encryption involved? Does the additional layer of protection actually improve security or can it be merely considered additional obfuscation? Does the custom implementation actually introduce new attack vectors? As part of this project, you identify 3 new applications that implement this sort of protection and analyse them to answer the research questions stated above.
	Assigned: Huber, Oberhauser
	Assigned:
Android: Determine the prevalence of Network Security Misconfiguration	Android 7.0 introduced the Network Security Configuration (NSC) system, which in principle simplifies the configuration of allowed and trusted server communication. However, the new method still assumes that developers make no mistakes in its proper employment. The goal of this project is to determine how prevalent this problem is among applications from Google Play. The project involves: Building a simple tool for extracting the NSC file from compiled APK files Analysing the NSC file for any misconfigurations Executing this tool on a corpus of applications from Google Play (see gplaydl, androzoo, contact me for app sets) Short discussion of results
	Assigned:
	Assigned:
Linux: Analysing an Embedded Linux device	Many IoT devices run a simple Linux-based operating system. They therefore present a very interesting possibility for studying various security-related concepts that directly translate to larger Linux-based embedded systems such as Android. As part of this project, you analyse an embedded Linux IoT device of your choice to shed light on its internal operation and identify potential security vulnerabilities. The following aspects will have to be covered: How can the Linux system be accessed: Is there any debug interface such as a Serial or JTAG? Is an SSH server running? What basic system-level security is used: How is DAC (Discretionary Access Control) configured? Is MAC (Mandatory Access Control) used as well? What does the startup routine look like? Integrated open-source SW/libs/kernel? Recency? Known vulnerabilities? Proprietary software stack: What frameworks were used? Was security considered? Are there any vulnerabilities? Helpful tools: Ghidra, ssh, strace, gdb Note: If you choose this topic, please contact me in advance about the IoT device you intend to analyse!
	Assigned: Alexi
	Assigned:
Android Malware Analysis and Report	Take a set of malware samples for Android and write an exhaustive report on how they work by reverse engineering: Endpoints they ping, Vulnerabilities that are used to bypass security measures and how they were fixed upstream, Ransomware etc.
	Assigned: Buchrieser, Haritopoulos, Garcia
	Assigned:
Your idea	If you have any idea for a project of suitable scope that involves a mobile OS and security aspects, don’t hesitate to contact me about pursuing it as part of this course! Specific contributions to open-source projects are welcomed as well!