Honey, I Shrunk Your App Security: The State of Android App Hardening

  title={Honey, I Shrunk Your App Security: The State of Android App Hardening},
  author={Vincent Haupert and Dominik Maier and Nicolas Schneider and Julian Kirsch and Tilo M{\"u}ller},
  booktitle={International Conference on Detection of intrusions and malware, and vulnerability assessment},
The continued popularity of smartphones has led companies from all business sectors to use them for security-sensitive tasks like two-factor authentication. Android, however, suffers from a fragmented landscape of devices and versions, which leaves many devices unpatched by their manufacturers. This security gap has created a vital market of commercial solutions for Runtime Application Self-Protection (RASP) to harden apps and ensure their integrity even on compromised devices. In this paper… 

AppJitsu: Investigating the Resiliency of Android Applications

AppJITSU, a dynamic app analysis framework that evaluates the resiliency of security-critical apps, is presented, which exercises the most popular 455 financial apps in attack-specific hostile environments to demonstrate the current state of resiliencies against known tampering methods.

False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps

It is found that all but one banking app, available in the iOS App Store, can be fully compromised by trivial means without reverse-engineering, manipulating the app, or other sophisticated attacks.

The Internet Banking [in]Security Spiral

The past and the present of internet banking implementations in Brazil are reviewed, showing how Internet banking evolved from desktop software to mobile apps and how attackers also evolved from phishing mails to complete phishing applications to target Brazilian users.

R&R tool for Android applications hiding malicious features

A tool for recording and replaying Android APIs used to discover rooting traces and detect rooted devices is proposed, which is applied in sophisticated Android malware that applied evasion techniques.

The Internet Banking [in]Security Spiral: Past, Present, and Future of Online Banking Protection Mechanisms based on a Brazilian case study

The past and the present of internet banking implementations in Brazil are reviewed, showing how Internet banking evolved from desktop software to mobile apps and how attackers also evolved from phishing mails to complete phishing applications to target Brazilian users.

AndrEnsemble: Leveraging API Ensembles to Characterize Android Malware Families

AndrEnsemble is presented, a characterization system for Android malware families based on ensembles of sensitive API calls extracted from aggregated call graphs of different families, which has several advantages over similar characterization approaches, including a greater reduction ratio with respect to original call graphs, robustness against transformation attacks, and flexibility to be applied at different granularity levels.

Short Paper: How to Attack PSD2 Internet Banking

A series of attacks targeting online and mobile banking that are possible even in a post-PSD2 era are looked at.

Financial Cryptography and Data Security: 23rd International Conference, FC 2019, Frigate Bay, St. Kitts and Nevis, February 18–22, 2019, Revised Selected Papers

This paper uses a lattice-based algorithm for solving the hidden number problem to efficiently compute private ECDSA keys that were used with biased signature nonces due to multiple apparent implementation vulnerabilities.

A Taxonomy of Approaches for Integrating Attack Awareness in Applications

A taxonomy illustrating how existing attack awareness techniques can be integrated into applications is proposed, providing a guide for security researchers and developers, aiding them when choosing the approach which best fits the needs of their application.



Dynamic Self-Protection and Tamperproofing for Android Apps Using Native Code

This paper proposes an application of the Android native code component to implement strong software self-protection for apps, and presents three dynamic obfuscation techniques, namely dynamic code loading, dynamic re-encryption, and tamper proofing.

The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations

This study analyzed three popular phones from Samsung, identified their likely flaws and built end-to-end attacks that allow an unprivileged app to take pictures and screenshots, and even log the keys the user enters through touch screen.

Breaking Ad-hoc Runtime Integrity Protection Mechanisms in Android Financial Apps

The analysis of 76 popular financial Android apps in the Republic of Korea shows that it can pinpoint methods to bypass a self-defense mechanism using a causality graph in most cases, and demonstrates the necessity of a platform-level solution for integrity checks.

Things You May Not Know About Android (Un)Packers: A Systematic Study based on Whole-System Emulation

DROIDUNPACK is a whole-system emulation based Android packing analysis framework, which compared with existing tools, relies on intrinsic characteristics of Android runtime (rather than heuristics), and further enables virtual machine inspection to precisely recover hidden code and reveal packing behaviors.

Repackaging Attack on Android Banking Applications and Its Countermeasures

Some of the major Android-based smartphone banking apps in Korea were tested to verify whether a money transfer could be made to an unintended recipient and showed that an attack of this kind is possible without having to illegally obtain any of the sender’s personal information.

DexHunter: Toward Extracting Hidden Code from Packed Android Applications

The first systematic investigation on packing services to protect Android apps by hiding the original executable file, dex file, is performed and a novel system, named DexHunter, is proposed and developed to extract dex files protected by these services.

The impact of vendor customizations on android security

This paper analyzes stock Android images from five popular smartphone vendors to assess the extent of security issues that may be introduced from vendor customizations and further determine how the situation is evolving over time.

Divide-and-Conquer: Why Android Malware Cannot Be Stopped

It is demonstrated that Android malware can bypass all automated analysis systems, including AV solutions, mobile sandboxes, and the Google Bouncer, and a tool is proposed called Sand-Finger for the fingerprinting of Android-based analysis systems that combines fingerprinting and dynamic code loading.

On App-based Matrix Code Authentication in Online Banking

A transaction manipulation attack for the app-based authentication schemes of Deutsche Bank, Commerzbank, and Norisbank is shown and whether the matrix code authentication method that these banks implement — widely known as photoTAN — is compliant with the upcoming payment service directive of the European banking authority is evaluated.

AppSpear: Bytecode Decrypting and DEX Reassembling for Packed Android Malware

AppSpear is the first automatic and generic unpacking system for current commercial Android packers, able to recover any protected bytecode effectively without the knowledge of the packer, and could sanitize mainstream Androidpackers and help detect more malicious behaviors.