Androsia: Securing 'Data in Process' for your Android Apps

Presented at DEF CON China Beta (2018), May 13, 2018, 1 p.m. (60 minutes)

Each Android app runs in its own VM, with a limited heap size for creating new objects. The Android OS/app doesn't differentiate between regular objects and objects that contain security sensitive information. These critical objects are kept around in the heap until the OS hits a memory constraint. The OS then chooses to invoke garbage collector in order to reclaim memory from the apps. Java does not provide explicit APIs to reclaim memory occupied by objects. This leaves a window of time where the security critical objects live in the memory and wait to be garbage collected. During this window a compromise of the app can allow an attacker to read the credentials. This is a needless risk every Android application lives with today. We propose a tool called Androsia, which performs a summary based interprocedural data flow analysis to determine the points in the program where security sensitive objects are last used (so that their content can be cleared). Androsia then performs bytecode transformation of the app to flush out the secrets resetting the objects to their default values. Attendees will learn: a) why java.security.* APIs for destroying objects are not upto the mark?, b) the key terms used in data flow analysis with live examples and finally, c) how Androsia protects data in process of Android apps?

Presenters:

• Samit Anwer
  Samit Anwer is a Web/Mobile Application security researcher. Soon after completing his Master's degree from IIIT Delhi in Mobile and Ubiquitous Computing he joined Citrix R&D India as a Product Security researcher. He is actively involved with vulnerability research in popular Web/Mobile apps and has responsibly disclosed several security vulnerabilities with Google Cloud Print API, XSS filter evasion on IE 11/MS Edge, code execution on Microsoft Windows 10, Microsoft's OAuth 2.0 implementation and buffer overflows on MS Edge/IE 11. He is an active member of the Null Bangalore Chapter, IEEE community and has spoken on various security topics at BlackHat Asia Singapore (2018), AppSec USA, Orlando (2017), c0c0n X, Kerala (2017), CodeBlue, Tokyo (2017), and Null meets (2015, 2016, 2017) His technical interests lie in using static program analysis techniques to mitigate security and performance issues on mobile/web apps, breaking web/mobile apps, and researching on cutting edge authentication and authorization mechanisms. His publications can be found here: https://dblp.uni-trier.de/pers/hd/a/Anwer:Samit.

Links:

• https://defcon.org/html/defcon-china/dc-cn-speakers.html#Anwer
• https://infocon.org/cons/DEF CON/DEF CON China beta/DEF CON China beta videos/DEF CON China beta - Samit Anwer - Androsia Securing data in process for your Android Apps (en).mp4
• https://www.youtube.com/watch?v=1GoXnRpp0cQ

Similar Presentations:

• AppSec USA 2017 / Androsia: A tool for securing in memory sensitive data
• BruCON 0x0A (2018) / Hunting Android Malware: A novel runtime technique for identifying malicious applications
• TROOPERS18 (2018) / Hunting Android Malware: A novel runtime technique for identifying malicious applications