
Task 2 – Suggested Topics


Each topic can be handled by a group of at most 3 people. If you are interested in a project that already has 1-2 participants assigned, apply anyway (send me an email) and we will bring you together. If none of these topics appeals to you, propose your own idea and we will see whether it fits into the ensemble. Each listed project can also be worked on independently by at most 2 groups, as long as no project in the pool is still unassigned.

Important note: The list below gives only a very short abstract of every project. If something sounds appealing but you do not fully understand what the topic is about, do not hesitate to come to me after the lecture and I will gladly explain it. Likewise, if you are uncertain how to proceed, ask me after the lecture and do not wait until the last week before the deadline.

Hint: For all projects where Android applications have to be reverse-engineered, please use Bytecode Viewer, Apktool, enjarify or something equivalent. These tools greatly simplify the job.

Topics

Working title, description and assigned groups:
Android: Live Data analysis using VPNService
By leveraging Android's VPNService, an app can capture all IP packets of the device without root permissions. In this project we intend to do a live analysis of the transferred data. You could, for example, find out which servers apps talk to, over HTTP or HTTPS (for HTTPS connections the hostname is visible in the TLS handshake as the SNI, whereas the request itself can only be seen if you additionally interpose a local TLS proxy), or, more interesting, try to determine whether critical data is sent: search all transmitted packets for the IMEI, IMSI or a phone number, for instance. Likewise, record the TLS-related properties of the servers apps connect to (cipher suite, TLS version, HSTS yes/no, HPKP, ...). The output could then be displayed on the device in a kind of monitoring app. Hint: You will save a lot of time if you build on an existing framework such as NetGuard, which already takes care of the TCP/UDP handling on top of the raw packets.
Assigned: Schiffermüller
Assigned:
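What such a monitor can learn from the first bytes of a connection without any key material, as an added example (not code from the original page or from NetGuard): it assumes the caller has reassembled the TCP stream, so the functions receive the first record sent by each side; the ClientHello/ServerHello builders at the end only exist to construct test input, and the identifier search covers plaintext payloads (HTTP, or HTTPS after a local TLS proxy), including the hashed forms apps often send instead of the raw IMEI.

```python
# Passive inspection of captured traffic, as a VPNService-based monitor would do it.
# Added example, not code from the original page or from NetGuard. It assumes the caller has
# reassembled the TCP stream and hands over the first bytes sent by each side of a connection.
import hashlib
import struct

# Small subset of the IANA cipher-suite registry, enough for the example.
CIPHER_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def parse_tls_handshake(data):
    """Return what a passive observer learns from a ClientHello or ServerHello record; {} if not TLS."""
    if len(data) < 5 or data[0] != 0x16:  # record content type 22 = handshake
        return {}
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(body) < 4:
        return {}
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if hs_type == 1:
        return _parse_client_hello(hs)
    if hs_type == 2:
        return _parse_server_hello(hs)
    return {"type": hs_type}


def _extensions(hs, pos):
    """Yield (type, data) for each TLS extension starting at offset pos."""
    if pos + 2 > len(hs):
        return
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        yield ext_type, hs[pos:pos + ext_len]
        pos += ext_len


def _parse_client_hello(hs):
    pos = 2 + 32                      # client_version + random
    pos += 1 + hs[pos]                # session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hs[pos]                # compression_methods
    info = {"type": "ClientHello", "sni": None,
            "cipher_suites": [CIPHER_SUITES.get(s, f"0x{s:04X}") for s in suites]}
    for ext_type, ext in _extensions(hs, pos):
        if ext_type == 0 and len(ext) >= 5 and ext[2] == 0:   # server_name, name_type host_name
            name_len = struct.unpack("!H", ext[3:5])[0]
            info["sni"] = ext[5:5 + name_len].decode("ascii", "replace")
    return info


def _parse_server_hello(hs):
    version = struct.unpack("!H", hs[0:2])[0]
    pos = 2 + 32
    pos += 1 + hs[pos]
    suite = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + 1                      # cipher_suite + compression_method
    for ext_type, ext in _extensions(hs, pos):
        if ext_type == 43 and len(ext) == 2:   # supported_versions carries the real version for TLS 1.3
            version = struct.unpack("!H", ext)[0]
    return {"type": "ServerHello", "version": TLS_VERSIONS.get(version, hex(version)),
            "cipher_suite": CIPHER_SUITES.get(suite, f"0x{suite:04X}")}


def find_leaked_identifiers(payload, identifiers):
    """Search a plaintext payload for device identifiers, raw or as MD5/SHA-1/SHA-256 hex digests."""
    hits = []
    for label, value in identifiers.items():
        forms = {"plain": value.encode()}
        for algo in ("md5", "sha1", "sha256"):
            forms[algo] = hashlib.new(algo, value.encode()).hexdigest().encode()
        for form, needle in forms.items():
            if needle in payload or needle.upper() in payload:
                hits.append(f"{label} ({form})")
    return hits


# Builders for constructed test input (there is no real capture in this example).
def _record(hs_type, body):
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


def build_client_hello(sni, suites):
    name = sni.encode()
    sni_ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites) + b"\x01\x00"
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    return _record(1, body)


def build_server_hello(suite, version=0x0303):
    ext = struct.pack("!HHH", 43, 2, version) if version == 0x0304 else b""
    body = (b"\x03\x03" + b"\x22" * 32 + b"\x00" + struct.pack("!HB", suite, 0)
            + struct.pack("!H", len(ext)) + ext)
    return _record(2, body)
```

The ServerHello is where the negotiated cipher suite and version come from; for TLS 1.3 the version field still says 1.2 and the real value sits in the supported_versions extension, which is why the parser checks it. Everything inside the TLS connection stays opaque to this approach, so the IMEI search only applies to plaintext HTTP or to traffic you have routed through a proxy you control.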
Android: Notifier (P2P)
Receiving notifications from mobile phones on a computer is nothing new (e.g. Messages, Pushbullet, Mightytext, or Desktop Notifications). However, all of these services relay your notifications through a third-party server that can read them. Your task is to establish a direct connection between a computer and a mobile phone in order to transmit notifications. The focus of this work is on working out appropriate protection mechanisms for a secure data transfer. For example, the initial key exchange between computer and smartphone could be bootstrapped by the computer showing a QR code that is scanned by the phone. Questions remain: How are messages encrypted and authenticated? When does a computer have to be re-paired? Where do you store secret key material on the phone? By developing the Android app and a desktop counterpart, you are expected to address these questions and propose practically viable solutions.
Assigned: Altendorfer, Buchsteiner, Ropele
Assigned: Gerhalter, Jedinger, Lugstein
Android: Notifier (Server)
Receiving notifications from mobile phones on a computer is nothing new (e.g. Messages, Pushbullet, Mightytext, or Desktop Notifications). However, all of these services relay your notifications through a third-party server that can read them. Your task is to establish an indirect connection (through a web server) to the target device while ensuring that all transferred data is end-to-end encrypted, i.e. the server only forwards ciphertext. The challenges are similar to the P2P variant. A server-based version, however, also works if the mobile phone and the recipient device are located in different networks. You also have to authenticate to the server, i.e. the server has to know which target devices it should deliver notifications to. A very good starting point is looking at and thinking about how existing messengers such as Telegram or Signal approach these issues.
Assigned: Tumbul, Wistauder
Assigned: Kocher, Petter, Winkler
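One concrete answer to the questions both notifier variants pose (key exchange via QR code, message encryption, replay protection), as an added example that is not code from the original page: the QR code carries the desktop's X25519 public key plus a one-time pairing secret, so only a phone that actually saw the screen can bind its own key to the session; an attacker on the network who injects a different key fails the HMAC check. Keys are derived per direction with HKDF and messages are sealed with AES-GCM under a counter nonce that doubles as replay guard. It assumes the `cryptography` package; the JSON layout of the QR code and the `notifier-pairing-v1` label are this example's own choices. For the server variant, the server just stores and forwards the opaque blobs that `seal()` produces.

```python
# Pairing and end-to-end encrypted transport for the notifier, both the P2P and the server
# variant (the server only forwards the opaque blobs produced by seal()). Added example, not
# code from the original page. Assumes the `cryptography` package; the QR code content is
# a JSON string of our own design.
import base64
import hashlib
import hmac
import json
import os
import struct

from cryptography.exceptions import InvalidTag  # raised by open() on a tampered blob
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat


def b64(raw):
    return base64.b64encode(raw).decode()


class Endpoint:
    """One side of a pairing: the desktop shows the QR code, the phone scans it."""

    def __init__(self):
        # Long-term identity key. On the phone this belongs in the Android Keystore
        # (hardware-backed where available), never in plain app storage.
        self._priv = X25519PrivateKey.generate()
        self.pub = self._priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
        self.pairing_secret = None
        self.send_key = self.recv_key = None
        self.send_ctr = self.recv_ctr = 0

    # --- pairing: the QR code is the authenticated channel ---------------------------------
    def qr_payload(self):
        """Desktop: content of the displayed QR code (public key + one-time pairing secret)."""
        self.pairing_secret = os.urandom(32)
        return json.dumps({"pub": b64(self.pub), "secret": b64(self.pairing_secret)})

    def scan_qr(self, payload):
        """Phone: derive session keys and reply with our key, bound to the secret from the screen."""
        qr = json.loads(payload)
        peer_pub = base64.b64decode(qr["pub"])
        tag = hmac.new(base64.b64decode(qr["secret"]), peer_pub + self.pub, hashlib.sha256).digest()
        self._derive(peer_pub, initiator=True)
        return {"pub": b64(self.pub), "tag": b64(tag)}

    def accept_pairing(self, reply):
        """Desktop: only a phone that saw the QR code can produce a valid tag for its key."""
        peer_pub = base64.b64decode(reply["pub"])
        expected = hmac.new(self.pairing_secret, self.pub + peer_pub, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.b64decode(reply["tag"])):
            raise ValueError("pairing reply is not bound to the displayed QR code")
        self.pairing_secret = None          # one-time: a second reply needs a new QR code
        self._derive(peer_pub, initiator=False)

    def _derive(self, peer_pub, initiator):
        shared = self._priv.exchange(X25519PublicKey.from_public_bytes(peer_pub))
        phone_pub, desktop_pub = (self.pub, peer_pub) if initiator else (peer_pub, self.pub)
        okm = HKDF(algorithm=hashes.SHA256(), length=64, salt=None,
                   info=b"notifier-pairing-v1" + phone_pub + desktop_pub).derive(shared)
        phone_to_desktop, desktop_to_phone = okm[:32], okm[32:]
        self.send_key, self.recv_key = ((phone_to_desktop, desktop_to_phone) if initiator
                                        else (desktop_to_phone, phone_to_desktop))

    # --- transport: one key per direction, counter as nonce and replay guard ---------------
    def seal(self, notification):
        self.send_ctr += 1
        header = struct.pack("!Q", self.send_ctr)
        nonce = b"\x00" * 4 + header        # never repeats under this key; new pairing = new key
        return header + AESGCM(self.send_key).encrypt(nonce, json.dumps(notification).encode(), header)

    def open(self, blob):
        header, ciphertext = blob[:8], blob[8:]
        ctr = struct.unpack("!Q", header)[0]
        if ctr <= self.recv_ctr:
            raise ValueError("replayed or reordered notification")
        plaintext = AESGCM(self.recv_key).decrypt(b"\x00" * 4 + header, ciphertext, header)
        self.recv_ctr = ctr
        return json.loads(plaintext)
```

Re-pairing follows from the design: the session keys live only as long as the identity keys, so a "forget this computer" action or a key rotation on either side invalidates the pairing and forces a new QR scan. The counter header is authenticated as associated data, so an attacker can neither replay a blob nor renumber it.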
Android: Analysis of Dating Apps
Looking for a partner using mobile apps has become increasingly popular. Many people share personal and often intimate data with apps like Tinder, Badoo and others. Unfortunately, users typically do not know how their data is processed. A small survey of frequently used apps, done in 2017, revealed blatant security flaws in a majority of them. In this project you re-investigate a couple of popular dating apps, looking for the kinds of problems reported in that study. Have the issues been fixed in the meantime? What is different now? Are there new leaks? Do these apps suffer from other problems the survey might have overlooked? The outcome should be an investigative report on at least 8 popular apps in which you describe your analysis process and present the results of your inspection. Note that it is not sufficient to just run a MITM attack and look at what data the apps transfer; I expect an in-depth review of how the apps behave, obtained by reverse engineering (and, where necessary, instrumenting them at runtime).
Assigned: Hevesy, Suhadolnik
Assigned: 
Android: Fuzzing
Many of the recent defects in the Android platform were found by fuzzing. The idea of fuzzing is to feed all kinds of (malformed) input data to a service and observe how it reacts. A gold mine for this kind of attack was the Stagefright media library: as repeatedly reported in the press, malformed media files could trigger buffer overflows and other memory-corruption bugs in it. The idea of this project is to get familiar with at least one existing fuzzing solution (e.g. Droid-FF [1], [2], [3], [4], [5]), try it out, and determine the effectiveness of the approach: what does it find, how quickly, and how do you triage the crashes it produces?
Assigned: Lazarevic, Vukovic, Ziegler
Assigned: Schmid, Zinkanell
Android: Dynamic App Instrumentation with Frida
Hooking and monitoring the activities of Android applications has long been a tedious task, and the available approaches caused a dramatic performance drain. The Frida framework (also see here: [1], [2]) drastically simplifies logging and tracing of arbitrary methods: using small JavaScript snippets you can hook and trace any API without disassembling anything. Note that Frida needs either frida-server on a rooted device or the Frida Gadget library embedded in a repackaged APK. The goal of this project is to get familiar with Frida and to write your own snippets for target-oriented analysis, e.g. to highlight all usages of crypto APIs or network traffic. A very good starting point and introduction to Frida can be found here.
Assigned: Neela (Using Frida to analyse how WhatsApp backups are transferred to and stored on Google Drive)
Assigned: Barta
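A target-oriented snippet of the kind the project asks for, as an added example that is not code from the original page or from the Frida project: the embedded JavaScript hooks `javax.crypto.Cipher.getInstance()` and every `Cipher.init()` overload and reports the transformation string and any IV to the host, where the Python side flags legacy algorithms, ECB (including the provider default when no mode is given), unauthenticated CBC, and IVs that are all zero or repeat across calls. It assumes `pip install frida` on the host, frida-server on a rooted device (or the Gadget in a repackaged APK), and the target package name as the first argument; the same host-side driver works for the iOS variant, only the hook script would use `ObjC` instead of `Java`.

```python
# Host-side driver for a Frida crypto-API monitor. Added example, not code from the original
# page or from the Frida project. Assumes `pip install frida` on the host and frida-server on a
# rooted device (or the Frida Gadget embedded in a repackaged APK); the package name is argv[1].
import sys

# Injected into the app: hooks Cipher.getInstance() and every Cipher.init() overload and reports
# the transformation string and any IV handed to the cipher back to the Python side via send().
FRIDA_SCRIPT = r"""
Java.perform(function () {
    var Cipher = Java.use('javax.crypto.Cipher');
    var IvSpec = Java.use('javax.crypto.spec.IvParameterSpec');
    function hex(bytes) {
        var s = '';
        for (var i = 0; i < bytes.length; i++) s += ('0' + (bytes[i] & 0xff).toString(16)).slice(-2);
        return s;
    }
    Cipher.getInstance.overload('java.lang.String').implementation = function (transformation) {
        send({ event: 'getInstance', transformation: transformation });
        return this.getInstance(transformation);
    };
    Cipher.init.overloads.forEach(function (ov) {
        ov.implementation = function () {
            var spec = arguments.length > 2 ? arguments[2] : null;   // AlgorithmParameterSpec position
            if (spec !== null) {
                try {   // Java.cast throws when spec is not an IvParameterSpec (e.g. a SecureRandom)
                    var iv = Java.cast(spec, IvSpec).getIV();
                    send({ event: 'init', transformation: this.getAlgorithm(), iv: hex(iv) });
                } catch (e) {}
            }
            return ov.apply(this, arguments);
        };
    });
});
"""

WEAK_ALGORITHMS = {"DES", "DESEDE", "RC4", "ARCFOUR", "RC2", "BLOWFISH"}


def assess_transformation(transformation):
    """Findings for a JCE transformation string such as 'AES/CBC/PKCS5Padding'."""
    parts = transformation.upper().split("/")
    algorithm = parts[0]
    mode = parts[1] if len(parts) > 1 else "ECB"   # JCE providers default to ECB when no mode is given
    findings = []
    if algorithm in WEAK_ALGORITHMS:
        findings.append(f"legacy algorithm {algorithm}")
    if mode == "ECB":
        findings.append("ECB mode" + (" (provider default, no mode specified)" if len(parts) == 1 else ""))
    elif mode == "CBC":
        findings.append("unauthenticated CBC, check for a MAC over the ciphertext")
    return findings


class CryptoMonitor:
    """Consumes the events sent by the hook script and tracks IVs across calls."""

    def __init__(self):
        self.findings = []
        self._iv_seen = {}

    def handle(self, event):
        new = []
        t = event.get("transformation", "?")
        if event["event"] == "getInstance":
            new = [f"{t}: {f}" for f in assess_transformation(t)]
        elif event["event"] == "init":
            iv = event["iv"]
            count = self._iv_seen.get(iv, 0) + 1
            self._iv_seen[iv] = count
            if iv and set(iv) <= {"0"}:
                new.append(f"{t}: all-zero IV")
            elif count == 2:
                new.append(f"{t}: IV {iv[:16]}... reused, looks like a static IV")
        self.findings.extend(new)
        return new


def main(package):
    import frida   # imported here so the analysis helpers above also work without the frida module
    monitor = CryptoMonitor()
    device = frida.get_usb_device()
    pid = device.spawn([package])           # spawn, so hooks are in place before the first cipher call
    session = device.attach(pid)
    script = session.create_script(FRIDA_SCRIPT)

    def on_message(message, data):
        if message["type"] == "send":
            for finding in monitor.handle(message["payload"]):
                print("[!]", finding)
        else:
            print(message)                  # errors raised on the JavaScript side

    script.on("message", on_message)
    script.load()
    device.resume(pid)
    sys.stdin.read()                        # keep the hooks alive until Ctrl-D


if __name__ == "__main__" and len(sys.argv) > 1:
    main(sys.argv[1])
```

The IV heuristic is deliberately simple: a CBC or GCM IV that shows up twice under the same app run is almost certainly hard-coded, and hooking `init()` rather than the constructor of `IvParameterSpec` catches IVs regardless of how the app built them.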
Android: Automated patching of Certificate Pinning
To prevent MITM attacks, many Android applications implement certificate pinning. Since Android 7.0, an app can also declare pins for all its network requests in its Network Security Configuration instead of in code. The goal of this project is to build a system that automatically patches applications (APK files) so that certificate pinning is bypassed: rewrite the Network Security Configuration (remove pin sets, add the user CA store as trust anchor), patch the pinning logic of common networking libraries in the decompiled code, and re-sign the APK. If possible, the solution should run on Android itself. Keep in mind that a re-signed APK no longer carries the developer's signature, so apps that verify their own signature will notice.
Assigned: Šiljak
Assigned:
iOS: Dynamic App Instrumentation with Frida
Hooking and monitoring the activities of iOS applications has long been a tedious task and usually required a jailbroken device. The Frida framework (also see here: [1]) drastically simplifies logging and tracing of arbitrary methods: using small JavaScript snippets you can hook and trace any API without disassembling anything, and on a non-jailbroken device Frida can still be used by embedding the Frida Gadget into a re-signed IPA. The goal of this project is to get familiar with Frida and to develop snippets for target-oriented analysis, e.g. to highlight all usages of crypto APIs or network traffic.
Assigned:
Assigned:
Cordova: Static Analysis
The Apache Cordova platform allows developers to build cross-platform mobile apps from web technologies (HTML, JavaScript, CSS); the app logic is ordinary JavaScript running in a WebView, with plugins bridging to native APIs. The idea of this project is to apply and extend an existing static-analysis tool for JavaScript (see [1] and [2]) to Cordova apps. This could not only uncover security-related problems in apps but also trace entered passwords through an application, from the input field to the point where they leave the app. Hint: The DASCA and DVHMA projects are very good starting points, so you do not have to start from zero.
Assigned:
Assigned:
Android: Investigate proprietary application-layer transport encryption implementations
In an effort to protect their server APIs from third-party clients, a considerable number of applications protect their server communication through (pseudo-)cryptographic means on top of the common TLS/SSL layer (examples: Banggood, Willhaben, ProSiebenSat1). This increasingly popular practice raises several interesting research questions:

  • How exactly is this protection implemented? If it involves a hash or MAC over the request, how is it formed and where does the key come from? Is additional encryption involved?
  • Does the additional layer actually improve security, or is it merely obfuscation, given that the client and any secret it uses ship inside the APK?
  • Does the custom implementation introduce new attack vectors (e.g. replayable signed requests or mistakes in hand-rolled crypto)?

As part of this project, you identify 3 further applications that implement this sort of protection and analyse them to answer the research questions stated above.

Assigned:
Assigned:
Android: Determine the prevalence of Network Security Misconfiguration
Android 7.0 (API level 24) introduced the Network Security Configuration (NSC), an XML file referenced from the manifest that declares which cleartext traffic is permitted, which CAs are trusted and which certificate pins apply. In principle this simplifies the configuration of allowed and trusted server communication. However, the mechanism still assumes that developers employ it correctly, and mistakes (permitting cleartext traffic, trusting user-installed CAs in release builds, expired or missing pin sets) silently weaken an app's transport security. The goal of this project is to determine how prevalent this problem is among applications from Google Play. The project involves:

  • Building a simple tool for extracting the NSC file from compiled APK files
  • Analysing the NSC file for misconfigurations
  • Running this tool on a corpus of applications from Google Play (see gplaydl, androzoo; contact me for app sets)
  • A short discussion of the results
Assigned: Jenšterle
Assigned:
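The two tool-building steps above, as an added example that is not code from the original page: `locate_nsc()` follows the `android:networkSecurityConfig` attribute of an apktool-decoded APK to the XML file, and `audit_nsc()` flags the misconfigurations the project description lists. The checks rest on documented NSC semantics (the `cleartextTrafficPermitted` default is true below targetSdk 28, an expired `pin-set` stops enforcing pins, `debug-overrides` apply only to debuggable builds); the `SAMPLE_NSC` string is constructed input with a placeholder pin value, not a real app's configuration. The same file is also what the automated-patching project above has to rewrite.

```python
# Audit an Android Network Security Configuration (NSC) for common misconfigurations.
# Added example, not code from the original page. Input is the XML produced by `apktool d`.
import os
import xml.etree.ElementTree as ET
from datetime import date

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample (placeholder pin), exhibiting every issue the audit looks for.
SAMPLE_NSC = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy.example.com</domain>
        <pin-set expiration="2018-01-01">
            <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
        </pin-set>
    </domain-config>
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
"""


def locate_nsc(decoded_apk_dir):
    """Path of the NSC file an apktool-decoded APK references via android:networkSecurityConfig, or None."""
    manifest = ET.parse(os.path.join(decoded_apk_dir, "AndroidManifest.xml")).getroot()
    app = manifest.find("application")
    ref = app.get(ANDROID_NS + "networkSecurityConfig") if app is not None else None
    if not ref or not ref.startswith("@xml/"):
        return None
    return os.path.join(decoded_apk_dir, "res", "xml", ref[len("@xml/"):] + ".xml")


def audit_nsc(xml_text, target_sdk=28, today=None):
    """Return a list of human-readable findings for one NSC document."""
    root = ET.fromstring(xml_text.encode() if isinstance(xml_text, str) else xml_text)
    today = today or date.today()
    findings = []
    if root.find("base-config") is None and target_sdk < 28:
        findings.append("no <base-config>: platform default permits cleartext traffic for targetSdk < 28")
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config"):
            continue   # skips debug-overrides, which only apply to debuggable builds
        domains = ", ".join((d.text or "").strip() for d in cfg.findall("domain"))
        where = "base-config" if cfg.tag == "base-config" else f"domain-config [{domains}]"
        cleartext = cfg.get("cleartextTrafficPermitted")
        if cleartext is None and cfg.tag == "base-config" and target_sdk < 28:
            findings.append(f"{where}: cleartextTrafficPermitted not set, defaults to true below targetSdk 28")
        elif cleartext and cleartext.lower() == "true":
            findings.append(f"{where}: cleartextTrafficPermitted=true")
        for cert in cfg.findall("trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{where}: trusts user-installed CAs (MITM with a user CA works)")
            if (cert.get("overridePins") or "").lower() == "true":
                findings.append(f"{where}: overridePins=true bypasses the pin-set for this anchor")
        pin_set = cfg.find("pin-set")
        if pin_set is not None:
            expiration = pin_set.get("expiration")
            if expiration and date.fromisoformat(expiration) < today:
                findings.append(f"{where}: pin-set expired on {expiration}, pinning is no longer enforced")
            if len(pin_set.findall("pin")) < 2:
                findings.append(f"{where}: fewer than 2 pins, no backup pin for key rotation")
    if root.find("debug-overrides") is not None:
        findings.append("debug-overrides present: only active if android:debuggable=true, "
                        "confirm release builds are not debuggable")
    return findings


if __name__ == "__main__":
    for line in audit_nsc(SAMPLE_NSC, target_sdk=27):
        print("-", line)
```

For a corpus run, `apktool d -s app.apk` (skipping smali decoding) is enough to get the manifest and `res/xml` back in readable form; the `targetSdk` argument should be taken from the decoded manifest's `uses-sdk` element, since the cleartext default depends on it.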
Linux: Analysing an Embedded Linux device
Many IoT devices run a simple Linux-based operating system. They therefore present a very interesting opportunity for studying various security-related concepts that directly translate to larger Linux-based embedded systems such as Android. As part of this project, you analyse an embedded Linux IoT device of your choice to shed light on its internal operation and identify potential security vulnerabilities. The following aspects have to be covered:

  • How can the Linux system be accessed: Is there a debug interface such as a serial console (UART) or JTAG? Is an SSH server running?
  • What basic system-level security is in place: How is DAC (Discretionary Access Control) configured? Is MAC (Mandatory Access Control) used as well?
  • What does the startup routine look like?
  • Integrated open-source software, libraries and kernel: How recent are they? Known vulnerabilities?
  • Proprietary software stack: What frameworks were used? Was security considered? Are there any vulnerabilities?

Helpful tools: Ghidra, ssh, strace, gdb

Note: If you choose this topic, please contact me in advance about the IoT device you intend to analyse!

Assigned:
Assigned:
A Java Cryptography Extension (JCE) implementation for iOS
J2ObjC is an open-source transpiler developed by Google that automatically translates Java source code to equivalent Objective-C source code, which permits sharing Java logic between Android and iOS projects. Although J2ObjC provides its own Objective-C implementation of the Java standard library, several critical parts of the common Java environment are missing, such as a Provider for cryptographic functionality. As part of this project, you implement a small subset of the JCE interfaces on top of the iOS CommonCrypto (CCCrypt) framework.

  • Get familiar with the Java Cryptography Architecture and the CommonCrypto framework
  • Decide on a small subset of the JCE functionality that you want to implement
    • e.g. MessageDigest interface for a specific algorithm
  • Implement a corresponding Service Provider Interface (SPI) in Swift or Objective-C
    • e.g. MessageDigestSpi
  • The implementation can then be upstreamed into the J2ObjC project
    • Your code would then actually be used by several real-world projects (including Gmail!)
Assigned:
Assigned:
Your idea
If you have an idea for a project of suitable scope that involves a mobile OS and security aspects, do not hesitate to contact me about pursuing it as part of this course! Specific contributions to open-source projects are welcome as well!