Tuesday, 25 February 2020

Project onto Mobile Devices using Android Applications


PingER was developed by the Stanford Linear Accelerator Center’s (SLAC) National Accelerator Laboratory as a tool for Internet End-to-end Performance Monitoring (IEPM). It monitors over 700 sites worldwide and aims to measure the round-trip time, loss, jitter, etc. for packets travelling between nodes on the Internet. The PingER Measurement Agent can be deployed on servers running Linux; however, these servers have limitations. The fixed-line servers currently in use are not mobile and require a continuous power source. Extending the PingER project to the Android ecosystem brings advantages such as greater power efficiency, ease of installation and maintenance, and better affordability. The Android application is planned to supplement the existing PingER Measurement Agent Linux application set up at about 40 locations around the globe.

The SLAC National Accelerator Laboratory’s (SLAC’s) Internet End-to-End Performance Measurement (IEPM) Group, backed by the US Department of Energy, aims to provide valuable insights into the performance of the Internet [1] [2]. The current research implementation targets replicating the entire PingER Measurement Agent (MA) as a portable Android application. This allows Android devices to act as PingER MAs and hence provide Internet end-to-end monitoring. The Android app thus acts as a PingER MA, sending out pings to a SLAC-hosted list of beacons every 30 minutes and recording their responses. This data is saved and sent on a daily basis to the PingER archive at SLAC for use in multiple projects. When it was started in 1995, the primary goal of PingER was to "keep tabs on how parts of the network were performing and root out any problems" [3], so as to know how the Internet was performing, identify problems, and apply solutions. Now it has expanded to something bigger: identifying and assessing the ‘digital divide’ across different regions of the world, from Sub-Saharan Africa to the Middle East, from South America to Central and South Asia [4][5]. This ‘digital divide’ refers to economic and social disparity with regard to access to information and communication technology [6]. The project has various subdivisions such as PingER Deployment, Analysis, Operations, Databases, Validation Data and Toolbox, which further open up multiple avenues such as informed decision making.

PingER is a project led by the SLAC National Accelerator Laboratory and developed by the IEPM group in 1995 [1]. It is short for Ping End-to-end Reporting. The framework for the PingER project is based on the ping utility, which is available on most Internet-connected hosts. A ping involves sending an Internet Control Message Protocol (ICMP) echo request to a specified remote/target node, which responds with an ICMP echo reply. Optionally, a data payload can be sent in the request, which will be returned in the reply. The round-trip time (RTT) is reported; if multiple pings are dispatched, most implementations provide statistical summaries [7]. PingER uses this data to assess the quality of the Internet in various regions, understand performance, and identify problems [8]. For each remote node specified in a configuration file, PingER sends a single ping with a 56-byte payload, followed by up to 30 pings with 100-byte payloads at 1-second intervals to the remote node until 10 responses are received. This is followed by sending up to 30 pings with a 1000-byte payload, also at 1-second intervals, to the remote node until 10 responses are received [9].
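The per-node schedule just described, as an added example that is not PingER’s own Perl code: the ICMP call is injected as a function so the schedule and its per-series statistics can be exercised offline, and the jitter definition (population standard deviation of the RTTs) is this example’s assumption, not something the text specifies.

```python
"""Simulation of the PingER per-node ping schedule (added example, not PingER's
own Perl code). The ICMP call is injected so the schedule can run offline."""
import statistics
from typing import Callable, Dict, List, Optional

# Schedule from the text: one 56-byte probe, then up to 30 pings of 100 bytes
# and up to 30 pings of 1000 bytes, each series stopping once 10 replies arrive.
WARMUP_PAYLOAD = 56
PAYLOAD_SIZES = (100, 1000)
MAX_PINGS = 30
WANTED_REPLIES = 10
INTERVAL_S = 1.0

# A ping function returns the RTT in milliseconds, or None on timeout/loss.
PingFn = Callable[[str, int], Optional[float]]


def summarize(size: int, sent: int, rtts: List[float]) -> Dict[str, object]:
    """Per-series statistics in the spirit of ping's closing summary line."""
    received = len(rtts)
    return {
        "payload": size,
        "sent": sent,
        "received": received,
        "loss_pct": round(100.0 * (sent - received) / sent, 1) if sent else 0.0,
        "min_ms": min(rtts) if rtts else None,
        "avg_ms": round(sum(rtts) / received, 2) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        # Jitter is taken here as the population std-dev of the RTTs; this is an
        # assumption of the example, the text does not define how PingER computes it.
        "jitter_ms": round(statistics.pstdev(rtts), 2) if received > 1 else 0.0,
    }


def run_series(ping: PingFn, host: str, size: int, sleep=lambda s: None) -> Dict[str, object]:
    """Send up to MAX_PINGS probes of `size` bytes until WANTED_REPLIES replies arrive.
    `sleep` is injectable so a test can skip the 1-second spacing."""
    rtts: List[float] = []
    sent = 0
    while sent < MAX_PINGS and len(rtts) < WANTED_REPLIES:
        if sent:
            sleep(INTERVAL_S)
        sent += 1
        rtt = ping(host, size)
        if rtt is not None:
            rtts.append(rtt)
    return summarize(size, sent, rtts)


def measure_node(ping: PingFn, host: str, sleep=lambda s: None) -> List[Dict[str, object]]:
    """One PingER cycle for a remote node: warm-up probe, then both payload series."""
    ping(host, WARMUP_PAYLOAD)  # warm-up probe; its result is not recorded
    return [run_series(ping, host, size, sleep) for size in PAYLOAD_SIZES]


def make_fake_ping(script: Dict[int, List[Optional[float]]]) -> PingFn:
    """Constructed stand-in for the ICMP call: replays scripted RTTs per payload size."""
    queues = {size: list(seq) for size, seq in script.items()}

    def ping(host: str, size: int) -> Optional[float]:
        q = queues.get(size, [])
        return q.pop(0) if q else None  # exhausted script counts as a timeout

    return ping


if __name__ == "__main__":
    # Constructed sample: the 100-byte series loses every third packet, the
    # 1000-byte series gets no replies at all (e.g. an MTU or filtering problem).
    sample = {56: [40.0], 100: [30.0, 31.0, None] * 10, 1000: [None] * 30}
    for series in measure_node(make_fake_ping(sample), "beacon.example"):
        print(series)
```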

The porting of the PingER application onto Android-based mobile devices has been a successful project. The targets set for the application, such as ease of access, maintainable code, scalable architecture, small footprint and viable scalability, have been achieved. This latest iteration of the project overcomes the hurdles of the previous iteration of PingER on Android, in which the Perl scripts were run in an emulator on a rooted Android device. The Android app can now dynamically ping the beacons as and when they are updated by SLAC, parse and store their output, and send the generated txt files on a daily basis to the server via FTP, all in the background and requiring minimal user intervention. This approach allows individuals with minimal technical knowledge to contribute to the PingER project with little to no effort, which will be a huge boon to the data collection team at SLAC. This, in turn, will be a greater boon to the data analysis team as the number of Android-based measurement agents increases and provides more diverse data. This app can now be distributed to people around the world for collecting data.
 

A Framework for Employing Multiple Real-Time Malware Detectors


Android has become the leading operating system for next-generation smart devices. Consequently, the number of Android malware has also skyrocketed. Many dynamic analysis techniques have been proposed to detect Android malware. However, very few of these techniques use real-time monitoring on user devices, as Android does not provide low-level information to third-party apps. Moreover, some techniques detect a specific malware class more effectively than others. Therefore, end users can benefit from installing multiple malware detection techniques. In this paper, we propose SpyDroid, a real-time malware detection framework that can accommodate multiple detectors from third parties (e.g., researchers and antivirus vendors) and allows efficient and controlled real-time monitoring. SpyDroid consists of two operating system modules (monitoring and detection) and supports application-layer sub-detectors. Sub-detectors are regular Android applications that monitor and analyze different runtime information using the monitoring module, and they report their findings to the detection module. The detection module decides when to mark an app as malware. Researchers and antivirus vendors can now publish their techniques via app markets, and end users can install any number of sub-detectors as they require. We have implemented SpyDroid using the Android Open Source Project (AOSP), and our experiments with a dataset containing 4,965 apps show that decisions from multiple sub-detectors can increase the malware detection rate significantly on a real device.

Among all smartphone operating systems, Android occupies over 85% market share in 2017 [1]. Moreover, Android-powered devices such as cars, fridges, televisions, point of sale (POS) terminals, and ATM booths are expected to flood user markets within a few years. Due to the popularity of the Android ecosystem, malware writers are targeting Android devices exclusively, and the number of malware for Android surged exponentially in 2017. Android implements a number of security mechanisms to ensure the safety of device resources, e.g., the permission mechanism. The permission mechanism of Android is coarse-grained, and users are usually ignorant about the sought permissions. Researchers have also proposed attacks that can bypass the permission mechanism [2], [3]. As a result, effective detection of malware is very important to mitigate security threats in the Android ecosystem. Unfortunately, antiviruses are not very effective due to the restrictive security model of Android, which does not let any app scan the runtime behavior of others.

Researchers have made great efforts to improve the security of Android and proposed a number of static and dynamic analysis techniques. In static analysis, the Android application file (apk) is decompiled to perform analysis such as data flow analysis, control flow analysis, API call analysis, byte N-gram, and fingerprinting. Studies [4] have shown that static analysis is becoming less effective day by day due to powerful transformation techniques (call graph obfuscation, dynamic code loading, manifest cheating, metamorphism, polymorphism, etc.). They concluded that dynamic analysis is a necessary complement to static analysis, as it is less vulnerable to code transformations. Dynamic analysis is more effective as it can extract features that represent unique patterns of execution. Interestingly, according to this study [5], over 98% of new malware are in fact variants of an existing malware family.
Google uses a dynamic analysis system called Google Bouncer that analyzes apks submitted to them. Unfortunately, dynamic analysis techniques that execute Android apps inside an emulator also suffer from the fact that malware writers can detect emulators and thus evade detection. Hence, real-time monitoring on user devices becomes necessary. In addition, end users are not benefiting from this research, as it is very difficult for them to integrate the techniques into their devices. Moreover, sometimes a specific class of malware can only be detected by a single technique or a particular antivirus. Therefore, device owners can benefit from employing multiple malware detectors on their devices.

In this paper, we propose SpyDroid, a real-time malware detection framework that can deploy multiple malware detectors (we call them sub-detectors) on a real device. SpyDroid is designed as a part of the operating system and has two modules for monitoring and detection. Sub-detectors monitor runtime information using the monitoring module and perform analysis to detect malware. They report their analysis results to the SpyDroid detector. The detector decides when to mark an app as malware. A framework like SpyDroid can help third parties (researchers and commercial vendors) to publish their detection techniques via application markets, and users can install multiple sub-detectors to improve the security of their devices.

We implement SpyDroid using the Android Open Source Project (AOSP) [6]. However, the concept of SpyDroid is generic and can be implemented in any smartphone operating system. To validate the effectiveness of SpyDroid, we also implement four sub-detectors to emulate the scenario where an end user has installed four sub-detectors from different publishers. We use a dataset containing 4,965 apps (2,711 malware and 2,254 benign). We show that each sub-detector detects malware that other sub-detectors fail to detect, and SpyDroid’s malware detection rate is improved when it combines decisions from multiple sub-detectors.

In particular, we make the following contributions:

- We design and implement a malware detection framework that can employ multiple malware detectors (called sub-detectors) for Android. It provides useful low-level information about the installed applications to the sub-detectors. It has a detector that collects decisions from multiple sub-detectors and decides when to notify the user.
- SpyDroid enables antivirus vendors and independent researchers to detect new malware quickly, as they can obtain data directly from real devices.
- We validate the effectiveness of the framework by using a dataset of around 5,000 apps and four sub-detectors that monitor different low-level information. We show that different sub-detectors may classify the same application differently and that an ensemble of sub-detectors improves the detection rate significantly.

The remainder of the paper is organized as follows. Section II describes the related work. We present the design and implementation of SpyDroid in Section III. Then, we describe a number of sub-detectors in Section IV. We evaluate SpyDroid in Section V and conclude the paper in Section VI.

Monday, 24 February 2020

NDroid: Towards Tracking Information Flows Across Multiple Android Contexts


This makes a bidirectional data flow through multiple contexts, i.e., the Java context and the native context, in Android apps. Unfortunately, this interaction brings serious challenges to existing dynamic analysis systems, which fail to capture the data flow across different contexts. In this paper, we first performed a large-scale study on apps using native code and reported some observations. Then, we identified several scenarios where data flow cannot be tracked by existing systems, leading to uncaught information leakage. Based on these insights, we designed and implemented NDroid, an efficient dynamic taint analysis system that could track the data flow between both the Java context and the native context. The evaluation of real apps demonstrated the effectiveness of NDroid in identifying information leakage with reasonable performance overhead.

The popularity of the Android platform is evident from the tremendous number of activated devices and available apps. As of May 2017, around 72.68% of smartphones run the Android system [1]. At the same time, for better performance and compatibility with legacy code, developers tend to use native code in their apps and interface with Java code through the JNI bridge. Developers can even create an entire app using native code since Android 2.3. Recent years witnessed a considerable increase in the number of apps using native libraries. For example, from 204,040 applications collected in May-Jun. 2011 from several markets, Zhou et al. observed that 4.52% of them used native code [2]. This percentage increased to 9.42% in 118,318 apps collected by the same authors in Sep.-Oct. 2011 [3]. This trend is further confirmed by the finding that 24% of apps crawled from Asian third-party mobile markets contain native code [4]. However, the popularity of native code in apps brings serious challenges to existing dynamic analysis systems. First, although there are many systems for analyzing apps or detecting malware [2], [3], [5], only a few of them inspect the native libraries in apps [6], [7], and none of them scrutinizes the interactions between an app’s Java code and native code. This leads to a security loophole, which could be abused by malware to evade detection.


Stack Structure. As shown in the corresponding figure, TaintDroid modifies the DVM’s stack structure to increase the stack size for storing taint labels related to registers. For method invocation, TaintDroid first stores the taint labels interleaved with the parameters in the current stack frame’s outs area. Then it allocates stack slots for the callee’s local variables and lets the frame pointer point to the new method’s first local variable. After that, TaintDroid allocates a StackSaveArea on the top of the stack for saving the caller’s information. When a method returns, TaintDroid will save the return value’s taint label into the current thread’s InterpSaveState. If the target is a native method, TaintDroid will store both the parameters’ taint labels and the return value’s taint label, which is appended to the parameters. The return value’s taint label is set by the JNI Call Bridge according to TaintDroid’s taint propagation policy, because native code cannot directly access the return value’s taint label. The return value’s taint label will also be copied to the current thread’s InterpSaveState after the native method returns.

Taint Storage. For ArrayObject and StringObject, which contain an array of chars, TaintDroid sets a taint label in the array object. For class static fields and class instance fields, the taint labels are stored interleaved with variables in the Class’s or Object’s instance data area. For other Java objects, TaintDroid only keeps the taint label of their references.

Taint Propagation. The taint propagation policy is a set of rules that define when and how taint should be propagated. TaintDroid adds taints to the sources of sensitive information (GPS data, SMS messages, IMSI, IMEI, etc.) of an Android device. The taint labels in TaintDroid are represented by 32-bit integers; each bit of a taint label indicates one type of sensitive information, and different types of sensitive information are combined by the union operation of different taint labels. TaintDroid tracks the taints of primitive-type variables and object references according to the logic of each DVM instruction. When a native method is called, TaintDroid adopts the taint propagation policy that the return value will be tainted if any parameter is tainted.
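The label representation and propagation rules above, modelled as an added example (not TaintDroid’s or NDroid’s code): labels are 32-bit integers combined by bitwise OR, a tiny register machine carries a label beside each value, and the JNI policy taints a native call’s result with the union of its argument labels. The bit assignments and the sample flow are constructed for illustration.

```python
"""Model of TaintDroid's 32-bit taint labels and propagation rules as described
above (added example, not TaintDroid's or NDroid's code). The bit assignments
and the tiny register machine are constructed for illustration."""
from typing import Callable, Dict, List, Tuple

# One bit per kind of sensitive information; assignments are this example's own.
TAINT_CLEAR = 0x00000000
TAINT_LOCATION = 0x00000001  # GPS data
TAINT_SMS = 0x00000002
TAINT_IMSI = 0x00000004
TAINT_IMEI = 0x00000008
LABEL_MASK = 0xFFFFFFFF  # labels are 32-bit integers

NAMES = {TAINT_LOCATION: "LOCATION", TAINT_SMS: "SMS",
         TAINT_IMSI: "IMSI", TAINT_IMEI: "IMEI"}


def taint_union(*labels: int) -> int:
    """Combine labels by set union, i.e. bitwise OR, kept within 32 bits."""
    out = 0
    for label in labels:
        out |= label
    return out & LABEL_MASK


def describe(label: int) -> List[str]:
    """Names of the sensitive-data kinds a label carries."""
    return [name for bit, name in NAMES.items() if label & bit]


class TaintedInterpreter:
    """Tiny register machine that keeps a taint label beside every value, the way
    TaintDroid widens the DVM stack to store labels next to registers."""

    def __init__(self) -> None:
        self.regs: Dict[str, Tuple[int, int]] = {}  # reg -> (value, taint)

    def const(self, reg: str, value: int, taint: int = TAINT_CLEAR) -> None:
        """Load a value; readings from taint sources (IMEI, GPS, ...) arrive labelled."""
        self.regs[reg] = (value, taint)

    def add(self, dst: str, a: str, b: str) -> None:
        """Binary arithmetic: the result label is the union of both operand labels."""
        (va, ta), (vb, tb) = self.regs[a], self.regs[b]
        self.regs[dst] = ((va + vb) & LABEL_MASK, taint_union(ta, tb))

    def call_native(self, dst: str, fn: Callable[..., int], *args: str) -> None:
        """JNI bridge policy: native code cannot see labels, so the return value is
        tainted with the union of all argument labels (tainted if any argument is)."""
        values = [self.regs[a][0] for a in args]
        labels = [self.regs[a][1] for a in args]
        self.regs[dst] = (fn(*values) & LABEL_MASK, taint_union(*labels))

    def taint_of(self, reg: str) -> int:
        return self.regs[reg][1]


def demo_flow() -> int:
    """Constructed flow: IMEI and a GPS reading are combined in Java and then handed
    to a native routine; returns the label that reaches the native call's result."""
    vm = TaintedInterpreter()
    vm.const("v0", 0x1234, TAINT_IMEI)       # e.g. TelephonyManager.getDeviceId()
    vm.const("v1", 0x0042, TAINT_LOCATION)   # e.g. a latitude reading
    vm.const("v2", 7)                        # untainted constant
    vm.add("v3", "v0", "v2")                 # v3 still carries IMEI only
    vm.call_native("v4", lambda x, y: (x * 31 + y) & 0xFFFF, "v3", "v1")
    return vm.taint_of("v4")


if __name__ == "__main__":
    print(describe(demo_flow()))  # ['LOCATION', 'IMEI']
```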
A. Instrumentation Manager

When an app sends sensitive data to its own native code by invoking native methods, the data first goes through the JNI bridge before it steps into native code; then the native code will handle the data and possibly invoke system library calls. Therefore, the JNI bridge, apps’ third-party native libraries and system libraries must be instrumented in order to trace information flows through JNI.

[Fig. 5. Instrumentation Manager: an app’s own native library (libNDroidDemo.so) calling fopen in libc.so and NewObject in libdvm.so (dvmCallJniMethod, dvmAllocObject), with INSN_BEGIN, BLOCK_BEGIN, BLOCK_END, CALL and RETURN instrumentation points.]

As shown in Fig. 5, for an app’s own native code (i.e., libNDroidDemo.so), the instrumentation manager instruments it at two different levels: (1) basic block level (indicated by the BLOCK_END arrow): if a block of code ends at invoking a system library method or JNI API call, we do instrumentation at the end of it; (2) instruction level (indicated by the INSN_BEGIN arrow): each instruction is instrumented before being executed. By doing so, whenever an app’s native code calls system library methods and JNI APIs we are interested in (e.g., open(), NewObject(), etc.), we can conduct analysis before and after they are invoked. Note that system libraries and the JNI bridge are not instrumented all the time. Instead, we only instrument them when they are used by an app’s own native code. However, certain methods (e.g., dvmCallJniMethod(), dvmAllocObject(), etc.) related to the JNI bridge are instrumented at both the beginnings/ends of their first/last basic blocks. Details about these methods will be discussed in Section V-B. It is necessary to know the offsets of the methods that need instrumentation. Since it is time-consuming to calculate those offsets manually, we prepare scripts to disassemble libraries (e.g., libc.so, libm.so, libdvm.so, etc.), extract offsets, and generate template code for the handlers in the following subsections.

Exploiting Binary-level Code Virtualization to Protect Android Applications Against App Repackaging


Application repackaging is a severe problem for Android systems. Many Android malware programs pass the mobile platform’s fundamental security barriers by repackaging other legitimate apps. Most of the existing anti-repackaging schemes only work at the Android DEX bytecode level, but not for the shared object files consisting of native ARM-based machine instructions. Lacking protection at the native machine code level opens a door for attackers to launch repackaging attacks on the shared libraries that are commonly used in Android apps. This paper presents CodeCloak, a novel anti-repackaging system to protect Android apps at the native code level. CodeCloak employs binary-level code virtualization techniques to protect the target application. At the native machine code level, it uses a newly designed stack-based virtualization structure to obfuscate and protect critical algorithm implementations that have been compiled into native instructions. It leverages multiple dynamic code protection schemes to increase the diversity of the program behavior at runtime, aiming to increase the difficulty of performing code reverse engineering. We evaluate CodeCloak under typical app repackaging scenarios. Experimental results show that CodeCloak can effectively protect apps against repackaging attacks at the cost of minimum overhead.

Application repackaging is a prevalent and severe threat to the Android ecosystem. With the help of dynamic profiling and reverse engineering tools, an attacker can unpack an app, replace and insert code to, e.g., remove advertisements, steal private information, or make purchases without the user’s authorization [1]. A prior study shows that over 80% of the malware samples were implemented through repackaging legitimate apps [2]. Therefore, there is a critical need to protect Android apps from repackaging attacks. Code obfuscation is a viable means to protect applications against reverse engineering and repackaging [3]. By creating code that preserves the intention and semantics of the original code but is challenging to understand, code obfuscation increases the time and effort for performing code reverse engineering. There is considerable work in applying code obfuscation to protect Android applications against repackaging. In Figure 1, we summarize some of the most relevant work. Many of the previous approaches target the Android DEX bytecode level. ProGuard [4] and DexGuard [5] are two representative works, which, however, cannot effectively protect the obfuscated code if the entry point (such as the memcpy method) is found using tools like DexExtractor [6].

In addition to DEX files, there are many Android apps built upon shared libraries which were first written in high-level languages like C and C++ and then compiled into native machine instructions. These shared libraries often implement the frequently used core algorithms. Therefore, there is a need to protect shared object (SO) files against code reverse engineering and app repackaging. However, existing SO protection schemes often adopt a simple but less effective code obfuscation or encryption strategy. They do not provide sufficient protection against sophisticated code reverse engineering attacks. For example, UPX shelling [11] is one such protection method, but an attacker can use the UPX Shell tools [12] to launch the attack, as shown in Figure 1. OLLVM obfuscation [13] is compiler-based code obfuscation performed at the source code level, but it is proven to be vulnerable under new anti-obfuscation methods [14], [15].

This paper aims to propose a better code obfuscation approach for SO files. Our work targets applications compiled for the ARM instruction set, the de-facto Android hardware architecture. As a departure from prior work, our code obfuscation scheme, namely CodeCloak, works at the binary level. It employs a stack-based virtualization scheme to protect the logic of algorithms and protocols implemented in SO files. At the native machine code level, it uses a novel stack-based virtualization structure to protect native ARM instructions. To enhance the security strength, we adopt multiple virtual protection schemes, where a scheme is dynamically chosen at runtime. Furthermore, our implementation is fully compatible with existing protection schemes for DEX. As a result, CodeCloak closes the gap between DEX and SO file protection.

We evaluate CodeCloak under typical app repackaging settings. Our evaluation results show that CodeCloak can effectively protect apps from repackaging attacks, and it achieves this at the cost of minimum overhead. One of the key contributions of this paper is a novel approach for protecting native shared object files against app repackaging on Android systems. The other contribution is the first approach for binary-level code virtualization for ARM instructions, and it can be applied to many embedded systems that are powered by ARM processor architectures.

II. BACKGROUND

A. VM-BASED ANDROID APP PROTECTION SCHEME

The VM protection process consists of the following steps. We first decompile the binary SO file and extract the key ARM instructions according to the pre-set tags. Then, the extracted ARM instructions are mapped to virtual instructions which are still Turing equivalent. Next, the virtual instructions are encoded into the SO file in a binary form utilizing the custom encoding rules.

In this paper, we introduce CodeCloak, a new method of native ARM instruction virtualization protection based on time diversity. It can effectively resist the threat of deep repackaging attacks. As far as we know, CodeCloak is the first system to take advantage of virtualization technology to protect native SO files.