Identifying and Mitigating Misuse of Secrets in Android with Dynamic Analysis Techniques
Wallach, Dan Seth
Doctor of Philosophy
Mobile phones have completely changed the way people think and behave, making our lives more convenient. At the same time, this accelerated growth has brought with it unprecedented new threats related to user privacy. A myriad of apps on Android phones handle various kinds of user data. However, each app developer has the principal responsibility to protect that data, because the Android framework lacks direct support for doing so. This is not good news, because developers have varying levels of secure coding practice, and the resulting apps may inadvertently misuse users' sensitive data. In this thesis, I will present my studies with various Android apps and the Android framework to understand the misuse of secrets in the mobile environment. To assist my work, I have used various analysis techniques and developed a dynamic analysis framework to perform systematic analyses of Android apps. This dissertation describes the approaches and tools I have developed, my findings on how sensitive data is misused, and mitigations to address the security problems found. Our research has had a significant practical impact and helped to mitigate the misuse of secrets in the mobile ecosystem. Specifically, I designed a memory analysis framework that provides physical and logical memory dumping, along with a high degree of automation of experiments. We have discovered that Android keeps the TLS master secret live in memory for an unnecessarily long period of time, posing a threat to all Android applications built on standard HTTPS libraries. I found that modest changes to the Android codebase could mitigate these issues, and reported them to Google.
Also, our comprehensive analysis of a variety of apps revealed that user passwords can survive in a variety of locations for an extended period of time, including UI widgets where users enter their passwords, apps that retain passwords rather than exchange them for tokens, old copies not yet reused by garbage collectors, keyboard apps, password management apps, and even the lockscreen system service. I have developed solutions that fix these problems and assist apps in following more secure practices. Lastly, I will present FlowPass, an efficient and informative dynamic taint tracking system that I developed. FlowPass found 13 previously unknown security bugs in popular apps that have each been installed more than one million times. I have reported these misuses to the app vendors, and most fixed the bugs shortly afterward.
Android; Mobile system; password; dynamic analysis; TLS