DOI: 10.1145/3052973.3053018 (ACM Conferences, ASIA CCS conference proceedings)
Research article

Breaking Ad-hoc Runtime Integrity Protection Mechanisms in Android Financial Apps

Published: 02 April 2017

Abstract

To protect customers' sensitive information, many mobile financial applications include steps to probe the runtime environment and abort their execution if the environment is deemed to have been tampered with. This paper investigates the security of such self-defense mechanisms used in 76 popular financial Android apps in the Republic of Korea. Our investigation found that existing tools fail to analyze these Android apps effectively because of their highly obfuscated code and complex, non-traditional control flows. We overcome this challenge by extracting, from a detailed runtime trace record of a target app's execution, the call graph that implements its self-defense mechanism. To generate the call graph, we identify the causality between the system APIs (Android APIs and system calls) used to check device rooting and app integrity, and those used to stop an app's execution. Our analysis of 76 apps shows that we can pinpoint methods to bypass a self-defense mechanism using a causality graph in most cases. We successfully bypassed self-defense mechanisms in 67 out of 73 apps that check device rooting and 39 out of 44 apps that check app integrity. While analyzing the self-defense mechanisms, we found that many apps rely on third-party security libraries for their self-defense mechanisms. Thus we present in-depth studies of the top five security libraries. Our results demonstrate the necessity of a platform-level solution for integrity checks.
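The causality analysis the abstract describes, as an added example that is not the paper's tool: it replays a constructed per-thread method trace, propagates the results of environment-check APIs through returns (data dependence) and into callees (control dependence), and reports which app methods every check-to-abort path funnels through, which is what an app team would inspect when judging how concentrated its own self-defense logic is. The API groups, package names and trace format are assumptions made for this example.

```python
from collections import defaultdict
# Constructed for this example: API groups and a per-thread trace, not the paper's own lists or format.
CHECK_APIS = {"java.io.File.exists",
              "android.content.pm.PackageManager.getPackageInfo"}
STOP_APIS = {"android.os.Process.killProcess", "java.lang.System.exit"}
TRACE = """\
1 enter com.bank.app.MainActivity.onCreate
1 enter com.bank.sec.Guard.verify
1 enter com.bank.sec.Guard.isRooted
1 call java.io.File.exists
1 exit com.bank.sec.Guard.isRooted
1 enter com.bank.sec.Guard.isTampered
1 call android.content.pm.PackageManager.getPackageInfo
1 exit com.bank.sec.Guard.isTampered
1 exit com.bank.sec.Guard.verify
1 enter com.bank.app.MainActivity.abort
1 call android.os.Process.killProcess
1 exit com.bank.app.MainActivity.abort
2 enter com.bank.net.Worker.run
2 call java.io.File.exists
2 exit com.bank.net.Worker.run""".splitlines()

def build_causality_graph(trace):
    """Replay the trace per thread; return (check_api, method_path, stop_api) edges."""
    stacks = defaultdict(list)   # tid -> [(method, {check_api: path_of_methods})]
    edges = []
    for line in trace:
        tid, event, target = line.split()
        stack = stacks[tid]
        if event == "enter":
            # Control dependence: a callee runs under its caller's decisions.
            parent = stack[-1][1] if stack else {}
            stack.append((target, {a: p + [target] for a, p in parent.items()}))
        elif event == "exit":
            _, paths = stack.pop()
            if stack:  # data dependence: the return value reaches the caller
                caller, cpaths = stack[-1]
                for api, path in paths.items():
                    cpaths.setdefault(api, path + [caller])
        elif target in CHECK_APIS:          # event == "call"
            stack[-1][1][target] = [stack[-1][0]]
        elif target in STOP_APIS:
            for api, path in stack[-1][1].items():
                edges.append((api, path, target))
    return edges

def choke_points(edges):
    """App methods that every check-to-stop path passes through."""
    return sorted(set.intersection(*[set(p) for _, p, _ in edges])) if edges else []
```

A check whose result never reaches a stop API (thread 2 above) produces no edge, so the graph shows only the checks that actually gate termination.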


Cited By

  • JNFuzz-Droid: A Lightweight Fuzzing and Taint Analysis Framework for Android Native Code. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 255-266, published 12 Mar 2024. DOI 10.1109/SANER60148.2024.00033
  • More Than Just a Random Number Generator! Unveiling the Security and Privacy Risks of Mobile OTP Authenticator Apps. Web Information Systems Engineering (WISE 2024), pp. 177-192, published 27 Nov 2024. DOI 10.1007/978-981-96-0576-7_14
  • Tarnhelm: Isolated, Transparent & Confidential Execution of Arbitrary Code in ARM's TrustZone. Proceedings of the 2021 Research on offensive and defensive techniques in the Context of Man At The End (MATE) Attacks, pp. 43-57, published 19 Nov 2021. DOI 10.1145/3465413.3488571

Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017
952 pages
ISBN:9781450349444
DOI:10.1145/3052973
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. android
  2. application security
  3. reverse engineering

Qualifiers

  • Research-article

Funding Sources

  • National Research Foundation of Korea(NRF)

Conference

ASIA CCS '17

Acceptance Rates

ASIA CCS '17 Paper Acceptance Rate 67 of 359 submissions, 19%;
Overall Acceptance Rate 418 of 2,322 submissions, 18%
