
Task 2 – Suggested Topics


Each of the following topics can be worked on by a group of at most 3 people. If you are interested in a project that already has 1-2 participants assigned, apply anyway (i.e. send me an email) and we will bring you together. If none of these topics appeals to you, propose your own idea and we will see whether it fits into the ensemble. Each listed project can also be worked on independently by at most 2 groups, as long as there are no projects left in the pool to which nobody is assigned.

Important note: The list below gives only a very short abstract of each project. If something sounds appealing but you do not fully understand what the topic is about, do not hesitate to come to me after the lecture and I will gladly explain it. Also, if you are uncertain how to proceed, just ask me after the lecture; do not wait until the last week before the deadline!

Hint: For all projects in which Android applications have to be reverse-engineered, use Bytecode Viewer, Apktool, enjarify or an equivalent tool. These tools greatly simplify the job.

Topics

Each entry below gives the working title, a short description, and the group(s) assigned so far.

Android: Native Code Analysis
Analysis of native code in Android applications is still neglected by many researchers, since one does not deal with easily readable Java code. The goal of this project is to extract the information contained in native code libraries: for example, identify all contained functions, the links between these functions, and calls into libc. The result could be a graph- or tree-based visualisation showing the basic structure of the native code library. Hint: It seems advisable to build on existing frameworks for low-level binary inspection, e.g. angr or Capstone.
Assigned: Johannes Erlacher, Ahmed Fahmy
Assigned:

Android: Live Data Analysis using VPNService
By leveraging Android's VPNService, it is possible to capture all data packets without requiring root permissions. In this project we intend to do a live analysis of the transferred data. You could, for example, find out which URLs apps call (whether via HTTP or HTTPS) or, even more interesting, try to determine whether critical data is sent. For instance, you could search all transmitted data packets for the IMEI, the IMSI, or a phone number. Likewise, indicate the TLS-related properties of the servers that apps connect to (cipher suite, HSTS yes/no, HPKP, ...). The output could then be displayed on the device within a kind of monitoring app. Hint: You will save a lot of time if you build your work on an existing framework such as NetGuard.
Assigned: Markus Ritzer, Sandro Letter
Assigned: Christof Schützenhofer, Mario Egger-Feiel
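The "is critical data sent?" check described above, worked through as an added example; this is not code from the course or from NetGuard. It assumes the monitoring app already knows the device's own identifiers (constructed values here, belonging to no real device) and receives reassembled payloads from the VPNService. The point it adds to the description: an app rarely sends the raw IMEI, so the scanner also looks for URL-encoded, base64-encoded and hashed forms. For TLS connections only the encrypted record bytes are visible, so a hit means the identifier travelled in clear text.

```python
import base64
import hashlib
import re
import urllib.parse

# Constructed identifiers standing in for what the monitoring app would read
# from the device (TelephonyManager etc.); they belong to no real device.
DEVICE_IDS = {
    "imei": "490154203237518",
    "phone": "+436641234567",
}


def candidate_encodings(value: str) -> dict:
    """Forms in which an identifier commonly appears on the wire.

    Searching only for the plain digits misses apps that URL-encode,
    base64-encode or hash the identifier before sending it, so each of
    these forms is searched as well.
    """
    raw = value.encode()
    forms = {
        "plain": raw,
        "digits-only": re.sub(r"\D", "", value).encode(),
        "url-encoded": urllib.parse.quote(value, safe="").encode(),
        "base64": base64.b64encode(raw),
        "md5-hex": hashlib.md5(raw).hexdigest().encode(),
        "sha1-hex": hashlib.sha1(raw).hexdigest().encode(),
        "sha256-hex": hashlib.sha256(raw).hexdigest().encode(),
    }
    # Drop forms that coincide with an earlier one (e.g. digits-only == plain for an IMEI).
    unique, seen = {}, set()
    for name, needle in forms.items():
        if needle not in seen:
            seen.add(needle)
            unique[name] = needle
    return unique


def scan_payload(payload: bytes, device_ids: dict = DEVICE_IDS) -> list:
    """Return (identifier, encoding, offset) for every leak found in one payload."""
    hits = []
    for ident, value in device_ids.items():
        for encoding, needle in candidate_encodings(value).items():
            # Hex digests may be upper- or lower-case; all other forms are matched exactly.
            flags = re.IGNORECASE if encoding.endswith("-hex") else 0
            for match in re.finditer(re.escape(needle), payload, flags):
                hits.append((ident, encoding, match.start()))
    return hits


# Constructed HTTP request as an app might send it: the IMEI is
# base64-encoded and the phone number URL-encoded.
SAMPLE_HTTP = (
    b"POST /api/v1/register HTTP/1.1\r\n"
    b"Host: telemetry.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"device=NDkwMTU0MjAzMjM3NTE4&msisdn=%2B436641234567&app=1.2"
)

if __name__ == "__main__":
    for ident, encoding, offset in scan_payload(SAMPLE_HTTP):
        print(f"{ident} leaked as {encoding} at offset {offset}")
```

In the monitoring app the same scan would run per reassembled TCP stream rather than per packet, since an encoded identifier can straddle a packet boundary.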

Android: Notifier (P2P)
Receiving notifications from mobile phones on a computer is nothing new (e.g. Messages, Pushbullet, Mightytext, or Desktop Notifications). However, all of these services relay your messages through a third party in clear text. Your task is to establish a direct connection between a computer and a mobile phone in order to transmit notifications. The focus of this work should be on elaborating appropriate protection mechanisms for a secure data transfer. For example, for the initial key exchange between computer and smartphone, the computer could show a QR code that has to be scanned by the phone. Open questions remain: How are messages encrypted? When does a computer have to be re-paired? Where is secret key material stored on the phone? By developing the Android app and a desktop counterpart, you are expected to address these questions and propose practically viable solutions.
Assigned: David Andrawes, Thomas Faschang, Maria Ivanova
Assigned:

Android: Notifier (Server)
Receiving notifications from mobile phones on a computer is nothing new (e.g. Messages, Pushbullet, Mightytext, or Desktop Notifications). However, all of these services relay your messages through a third party in clear text. Your task is to establish an indirect connection (i.e. via a web server) to a target while ensuring that all transferred data is encrypted. The challenges are similar to those of the P2P variant. With a server-based version, however, this also works if the mobile phone and the recipient device are located in different networks. You also have to authenticate at the server somehow, i.e. the server has to know the target devices it should deliver notifications to. A very good starting point is to look at how existing messengers such as Telegram or Signal approach these issues.
Assigned: Johannes Loibner, Benjamin Wunderling
Assigned:
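The pairing flow sketched in the two Notifier topics (QR code for the initial key exchange, then encrypted notifications), worked through as an added example; it is not code from the course or from any student project. It assumes the Python `cryptography` package and invents the protocol details: the QR code carries the computer's X25519 public key plus a 16-byte pairing secret, HKDF-SHA256 turns the Diffie-Hellman result into a session key, the phone proves it really scanned the screen with an HMAC confirmation, and AES-GCM with a counter nonce protects each notification, the counter doubling as replay protection. The same end-to-end layer applies unchanged to the server variant, where the server only relays ciphertext and additionally has to authenticate devices.

```python
import hmac
import json
import os
import struct
from hashlib import sha256

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

AAD = b"notifier-v1"  # protocol label bound into every ciphertext (constructed for this example)


def raw_public(priv: X25519PrivateKey) -> bytes:
    return priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)


def derive_key(shared: bytes, pairing_secret: bytes, computer_pub: bytes, phone_pub: bytes) -> bytes:
    # The pairing secret from the QR code acts as salt, so someone who only sniffed
    # the network (and never saw the screen) cannot derive the session key.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=pairing_secret,
                info=AAD + computer_pub + phone_pub).derive(shared)


def confirmation_tag(key: bytes) -> bytes:
    return hmac.new(key, b"pairing-confirm", sha256).digest()


class Computer:
    """Desktop side: displays the QR code, verifies the phone, receives notifications."""

    def __init__(self):
        self._priv = X25519PrivateKey.generate()
        self._pairing_secret = os.urandom(16)
        self.key = None
        self._last_counter = -1

    def qr_payload(self) -> bytes:
        # Content of the QR code: out-of-band, so the phone may trust this public key.
        return json.dumps({"pub": raw_public(self._priv).hex(),
                           "secret": self._pairing_secret.hex()}).encode()

    def complete_pairing(self, phone_pub: bytes, confirm: bytes) -> bool:
        shared = self._priv.exchange(X25519PublicKey.from_public_bytes(phone_pub))
        key = derive_key(shared, self._pairing_secret, raw_public(self._priv), phone_pub)
        if not hmac.compare_digest(confirm, confirmation_tag(key)):
            return False  # the peer never saw the QR code: reject and keep no key
        self.key = key
        return True

    def receive(self, packet: bytes) -> str:
        nonce, ciphertext = packet[:12], packet[12:]
        counter, = struct.unpack(">Q", nonce[:8])
        if counter <= self._last_counter:
            raise ValueError("replayed or out-of-order notification")
        text = AESGCM(self.key).decrypt(nonce, ciphertext, AAD)  # InvalidTag if tampered
        self._last_counter = counter
        return text.decode()


class Phone:
    """Android side: scans the QR code, proves it did, sends notifications."""

    def __init__(self):
        self._priv = X25519PrivateKey.generate()
        self.key = None  # on a real device: keep this wrapped by the Android Keystore
        self._counter = 0

    def scan(self, qr: bytes) -> tuple:
        data = json.loads(qr)
        computer_pub, secret = bytes.fromhex(data["pub"]), bytes.fromhex(data["secret"])
        shared = self._priv.exchange(X25519PublicKey.from_public_bytes(computer_pub))
        self.key = derive_key(shared, secret, computer_pub, raw_public(self._priv))
        return raw_public(self._priv), confirmation_tag(self.key)

    def send(self, text: str) -> bytes:
        # Counter nonce: never repeats under one key and lets the receiver detect replays.
        # Re-pair (fresh QR code) long before the counter could wrap or when a device is lost.
        nonce = struct.pack(">Q", self._counter) + b"\x00" * 4
        self._counter += 1
        return nonce + AESGCM(self.key).encrypt(nonce, text.encode(), AAD)


def pair_and_send(text: str) -> str:
    """Run the whole exchange in one process and return what the computer decrypted."""
    computer, phone = Computer(), Phone()
    phone_pub, tag = phone.scan(computer.qr_payload())
    assert computer.complete_pairing(phone_pub, tag)
    return computer.receive(phone.send(text))


if __name__ == "__main__":
    print(pair_and_send("New message from Alice"))
```

The confirmation tag is what gives mutual authentication: the phone trusts the computer because the public key came off the screen, and the computer trusts the phone because only a device that saw the same screen knows the pairing secret that went into the key.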

Android: App Analysis of Wallet and Trading Apps
Recently, it has become very popular to manage financial trades and crypto coins using specialized wallet apps. Unfortunately, it often remains unclear what data is actually transmitted and how securely these apps manage virtual and real money. Your task is to collect and analyze at least 8 apps from popular vendors and investigate what data is transferred, which cryptographic procedures they use, which endpoints the app connects to, etc. The outcome should be a report in which you describe your analysis and the results obtained. A very good starting point can be found here. Please note that it will not be sufficient to just perform a MITM attack and see what data the apps transfer. I expect you to do an in-depth review of how the apps behave by reverse-engineering them (and, where necessary, injecting code at runtime).
Assigned: Roland Barta
Assigned: Luca Rodiga, Jonathan Montineri, Mohamed Sameem Ahamed Azeem

Android: Analysis of Dating Apps
Looking for a partner using mobile apps has become increasingly popular. Many people share personal and often even intimate data with apps like Tinder, Badoo, and others. Unfortunately, users typically don't know how their data is processed. A small survey of frequently used apps, done in 2017, revealed blatant security flaws in a majority of them. In this project, you should re-investigate a couple of popular dating apps, looking for problems similar to those reported in the study. Have the issues been fixed meanwhile? What is different now? Are there new leaks? Do these apps suffer from other problems the survey might have overlooked? The outcome should be an investigative report on at least 8 popular apps in which you describe your analysis process and present the results of your inspection. Please note that it will not be sufficient to just perform a MITM attack and see what data the apps transfer. I expect you to do an in-depth review of how the apps behave by reverse-engineering them (and, where necessary, injecting code at runtime).
Assigned: Valentin Edelsbrunner, David Kerschbaumer, Patrick Lovric
Assigned: Christian Rieger, Mathias Oberhuber, Felix Holzknecht

Android: App Analysis of Password Managers
Password managers are often closed-source applications, and one has to trust that the developers properly manage the data and the decryption key(s). The idea of this project is to decompile and analyze a set of at least 8 popular password managers on Android to verify whether they handle the master password and the keys derived from it adequately (KDFs, number of rounds, salts, erasure from memory after use, hardcoded values, etc.). Where possible, also verify how the database is decrypted (is the whole DB decrypted into memory, or only the required field when the user copies it?). The final goal is a report in which you describe how you inspected the apps, sum up your findings and assess how trustworthy these applications are in relation to their marketing image. Please note that it will not be sufficient to just perform a MITM attack and see what data the apps transfer. I expect you to do an in-depth review of how the apps behave by reverse-engineering them (and, where necessary, injecting code at runtime).
Assigned: Alexander Wolfbauer, Harald Koinig, Felix Auf
Assigned: Stefan di Vora, Marco Herzl, Michael Streibl
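The KDF checklist from the description (KDF, number of rounds, salt, hardcoded values, erasure from memory) turned into code, as an added example that is not from the course or from any password manager: a reference derivation with PBKDF2-HMAC, an `assess_kdf` function that flags the weaknesses a reviewer would look for in a configuration recovered from decompiled code, a cost measurement that shows why low round counts matter, and a `wipe` helper for the memory-erasure point. The thresholds and both sample configurations are assumptions constructed for the example and describe no real product.

```python
import hashlib
import os
import time

# Thresholds are assumptions chosen for this example; adjust them to the
# guidance current at the time of the review.
MIN_SALT_BYTES = 16
MIN_PBKDF2_ROUNDS = 100_000
ACCEPTED_HASHES = {"sha256", "sha512"}


def derive_master_key(password: str, salt: bytes, rounds: int, hash_name: str = "sha256") -> bytes:
    """PBKDF2-HMAC as a password manager should apply it: random per-vault salt, many rounds."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, rounds, dklen=32)


def assess_kdf(kdf: str, hash_name: str, rounds: int, salt: bytes, salt_hardcoded: bool) -> list:
    """Findings for a KDF configuration recovered from a decompiled app (empty list = nothing flagged)."""
    findings = []
    kdf = kdf.lower()
    if kdf not in {"pbkdf2", "scrypt", "argon2"}:
        findings.append(f"ad-hoc or unrecognised KDF '{kdf}'")
    if kdf == "pbkdf2" and rounds < MIN_PBKDF2_ROUNDS:
        findings.append(f"PBKDF2 with {rounds} rounds (below {MIN_PBKDF2_ROUNDS})")
    if kdf == "pbkdf2" and hash_name.lower() not in ACCEPTED_HASHES:
        findings.append(f"legacy hash '{hash_name}' inside PBKDF2")
    if not salt:
        findings.append("no salt: equal master passwords give equal keys")
    elif len(salt) < MIN_SALT_BYTES:
        findings.append(f"salt is only {len(salt)} bytes")
    if salt and salt_hardcoded:
        findings.append("salt hardcoded in the APK, shared by every user")
    return findings


def derivation_cost(rounds: int, hash_name: str = "sha256") -> float:
    """Seconds one derivation takes here; a few milliseconds means offline guessing is cheap."""
    start = time.perf_counter()
    derive_master_key("benchmark", b"\x00" * MIN_SALT_BYTES, rounds, hash_name)
    return time.perf_counter() - start


def wipe(buffer: bytearray) -> None:
    """Overwrite key material in place. Only mutable buffers can be erased; immutable
    bytes objects (and any copies the runtime made) linger until garbage collection,
    which is exactly what the 'erasure from memory' check looks for in an app."""
    for i in range(len(buffer)):
        buffer[i] = 0


# Two constructed configurations, as a reviewer might reconstruct them from
# decompiled code; neither describes a real product.
WEAK_CONFIG = dict(kdf="pbkdf2", hash_name="sha1", rounds=1000,
                   salt=b"salt1234", salt_hardcoded=True)
SOUND_CONFIG = dict(kdf="pbkdf2", hash_name="sha256", rounds=310_000,
                    salt=os.urandom(16), salt_hardcoded=False)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("sound", SOUND_CONFIG)):
        cost_ms = derivation_cost(cfg["rounds"], cfg["hash_name"]) * 1000
        print(name, assess_kdf(**cfg) or ["nothing flagged"], f"{cost_ms:.1f} ms per guess")
```

Running the two configurations side by side makes the "number of rounds" point concrete: the weak one derives a key in about a millisecond, i.e. an attacker with a stolen database can test roughly a thousand master-password guesses per second per core.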

Android: App Analysis of Austrian Banking Apps
Protecting sensitive user data and ensuring that no data leaks is especially important when theft of money is a possible consequence. In this project, you should decompile and analyze a set of at least 8 popular apps from Austrian banking institutions. What happens underneath when transactions are released? Is biometric authentication (fingerprint sensor) used? Which secrets are used and where are they stored? etc. The final goal is a report in which you describe how you inspected the apps, sum up your findings and assess how trustworthy these applications are in relation to their marketing image. Please note that it will not be sufficient to just perform a MITM attack and see what data the apps transfer. I expect you to do an in-depth review of how the apps behave by reverse-engineering them (and, where necessary, injecting code at runtime).
Assigned:
Assigned:

Android: Fuzzing
Almost all recent defects in the Android platform have been found using fuzzing. The idea of fuzzing is to supply all kinds of input data to a service and see how it reacts. A gold mine for this kind of attack is (or was) the Stagefright media library: as repeatedly reported in the press, it was possible to provoke buffer overflows and other problems by feeding it corrupt files. The idea of this project is to get familiar with at least one existing fuzzing solution (e.g. Droid-FF [1], [2], [3], [4], [5]), try it out, and determine the effectiveness of the attack.
Assigned: Florian Kargl, Hannes Weissteiner, Marek Hubbell
Assigned:
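The fuzzing loop in miniature, as an added example that is not from the course or from any of the fuzzers referenced above: a constructed toy chunk format, a parser that trusts its length field (the same class of defect as a media parser trusting a size in the file), and a mutation-based fuzzer that mutates a valid seed, runs the target, distinguishes clean rejections from crashes and keeps one reproducer per crash type. Real fuzzers target native code, where the crash is a memory-safety violation rather than a Python exception, but the workflow (seed, mutate, run, classify, replay) is the same.

```python
import random
import struct

MAGIC = b"FUZZ"


def parse_chunk(data: bytes) -> list:
    """Toy parser for a constructed format: b'FUZZ' | count (1 byte) | count x big-endian uint16.

    The parser trusts the count field. ValueError is a graceful rejection;
    any other exception is treated as a crash.
    """
    if len(data) < 5 or data[:4] != MAGIC:
        raise ValueError("not a FUZZ chunk")
    count = data[4]
    entries = []
    for i in range(count):
        value, = struct.unpack_from(">H", data, 5 + 2 * i)  # struct.error when count lies
        entries.append(value)
    return entries


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation of the seed input: bit flip, byte overwrite, boundary value, or resize."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 2 and buf:
        buf[rng.randrange(len(buf))] = rng.choice([0, 1, 0x7F, 0x80, 0xFF])
    else:
        cut = rng.randrange(len(buf) + 1)
        if rng.random() < 0.5:
            buf = buf[:cut]
        else:
            buf += bytes(rng.randrange(256) for _ in range(cut))
    return bytes(buf)


def reproduces(target, case: bytes) -> bool:
    """Replay one input and report whether it still crashes (the triage step)."""
    try:
        target(case)
    except ValueError:
        return False
    except Exception:
        return True
    return False


def fuzz(target, seed_input: bytes, iterations: int = 500, seed: int = 0) -> dict:
    """Mutation-based fuzzing loop; returns {exception name: first crashing input}."""
    rng = random.Random(seed)  # fixed seed keeps a run reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(rng, seed_input)
        try:
            target(case)
        except ValueError:
            continue  # input rejected cleanly, not a bug
        except Exception as exc:
            crashes.setdefault(type(exc).__name__, case)
    return crashes


# Constructed valid seed: two entries, 1 and 2.
SEED_INPUT = MAGIC + bytes([2]) + struct.pack(">HH", 1, 2)

if __name__ == "__main__":
    for name, case in fuzz(parse_chunk, SEED_INPUT, seed=7).items():
        print(f"{name}: {case.hex()}")
```

The effectiveness measure the project asks for falls out of the same loop: count distinct crash types per number of executions, and check with `reproduces` that each stored case is deterministic before reporting it.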

Android: Dynamic App Instrumentation with Frida
Hooking and monitoring the activities of Android applications has long been a tedious task and caused a dramatic performance drain. Recently, researchers have published a framework called Frida (also see [1], [2]) which drastically simplifies logging and tracking of arbitrary methods. Using small JavaScript snippets, you can spy on and trace any API without needing to disassemble anything. The goal of this project is to get familiar with Frida and to write your own snippets that can be used for target-oriented analysis, e.g. to highlight all usages of crypto APIs or network traffic. A very good starting point and introduction to Frida can be found here.
Assigned: Djordje Rajic, Eldin Abdic
Assigned:

Android: Automated Patching of Certificate Pinning
To prevent MITM attacks, many Android applications implement certificate pinning. Newer versions of Android even provide means for an app to deploy certificate pinning automatically for all its network requests. The goal of this project is to build a system that can automatically patch applications (APK files) so that certificate pinning is bypassed. If possible, the solution should run on Android itself.
Assigned:
Assigned:

iOS: Cordova Crypto in Swift
With the standardization of the W3C Crypto API, a simple way to perform common cryptographic tasks has become available to desktop browsers. Since cross-platform mobile applications usually consist of HTML and JavaScript code, it would be great if the W3C Crypto API could also be used in these applications. The goal of this project is to write a Cordova plugin that provides these API functions to Cordova apps. Since Swift is now the standard, development should be done in Swift. Related work ([1], [2]) could serve as inspiration.
Assigned:
Assigned:

iOS: Dynamic App Instrumentation with Frida
Hooking and monitoring the activities of iOS applications has long been a tedious task and often required a jailbroken device. Recently, researchers have published a framework called Frida (also see [1]) which drastically simplifies logging and tracking of arbitrary methods. Using small JavaScript snippets, you can spy on and trace any API without needing to disassemble anything. The goal of this project is to get familiar with Frida and to develop snippets that can be used for target-oriented analysis, e.g. to highlight all usages of crypto APIs or network traffic.
Assigned: Nikolaus Grogger
Assigned:

Cordova: Static Analysis
The Apache Cordova platform allows developers to create cross-platform mobile apps using web technologies (HTML, JavaScript, CSS). The idea of this project is to apply and extend an existing static-analysis tool for JavaScript (see [1] and [2]) to Cordova apps. Thereby we could not only uncover security-related problems in apps but possibly also trace entered passwords throughout an application. Hint: The DASCA and DVHMA projects are very good starting points, so you don't have to start from zero.
Assigned:
Assigned:

Android & iOS App Analysis
As agreed via email on 19.03.2021.
Assigned: Theo Gasteiger, Andreas Karner