Slides - ruxcon 2012

Websense SecurityLabs
Agenda
1. Goal & Objectives
2. Services in the Cloud
3. Tracker Web Portal
4. Next Step To Do
Goal & Objectives
• Crawl and build an Android app repository
• Profile Android apps
• Create databases for the apps and their associated data
• Automatically classify Android apps
Analytic Workflow
Cloud Services
1. APK Crawler & Parser
2. Static Profile (Security Classifier)
3. Dynamic Profile (On-line Emulator)
Apps Crawler
Market auto-crawling:
• Google Play (English)
• SlideME (English)
• Gfan (Chinese)
• GoAPK (Chinese)
• Mumayi (Chinese)
Real-life .apk web request stats (GeoIP) from ThreatSeeker
.APK Parser
3rd-party parsing tools
• Apktool: decodes resources from APK files, such as AndroidManifest.xml (binary XML back to readable XML) and classes.dex
• Dex2jar: reads the embedded classes.dex from an APK and generates a .jar file
In-house scripts
• parsing automation
• database insert
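Before handing an APK to Apktool or Dex2jar, the parser step should confirm that the file really is an APK and that its classes.dex is intact; a truncated or tampered dex otherwise fails somewhere inside the third-party tool. The following is an added example written for this page, not Websense's in-house script: it opens the APK as the zip file it is, pulls out classes.dex and verifies the header's magic, adler32 checksum and SHA-1 signature (AOSP dex format), then returns the counts a static profile would store. The APK is constructed in memory (a header-only dex plus a placeholder manifest) so it runs offline; the function `build_test_apk` and the entry names are part of the example, not of the slides.

```python
"""Added example (not from the slides): open an .apk as a zip, extract
classes.dex and validate its header before passing it to dex2jar.
The APK used here is constructed in memory so the script runs offline."""
import hashlib
import io
import struct
import zipfile
import zlib

DEX_HEADER_LEN = 0x70          # fixed header size in every dex version
LITTLE_ENDIAN_TAG = 0x12345678


def parse_dex_header(dex):
    """Parse and verify the fixed-size DEX header.

    Raises ValueError if the magic, the adler32 checksum (over bytes 12..end)
    or the SHA-1 signature (over bytes 32..end) do not match, so a corrupt
    or tampered classes.dex is rejected here rather than inside dex2jar.
    """
    if len(dex) < DEX_HEADER_LEN:
        raise ValueError("dex too short for a header")
    magic = dex[0:8]                                   # b"dex\n035\0"
    if not (magic.startswith(b"dex\n") and magic[7:8] == b"\x00"):
        raise ValueError("bad dex magic %r" % magic)
    checksum, = struct.unpack_from("<I", dex, 8)
    signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<III", dex, 32)
    if header_size != DEX_HEADER_LEN:
        raise ValueError("unexpected header_size 0x%x" % header_size)
    if endian_tag != LITTLE_ENDIAN_TAG:
        raise ValueError("unexpected endian_tag 0x%x" % endian_tag)
    if file_size != len(dex):
        raise ValueError("file_size %d != actual %d" % (file_size, len(dex)))
    if zlib.adler32(dex[12:]) & 0xFFFFFFFF != checksum:
        raise ValueError("adler32 checksum mismatch")
    if hashlib.sha1(dex[32:]).digest() != signature:
        raise ValueError("sha1 signature mismatch")
    # Table sizes (offset 56..104): useful static-profile features by themselves.
    names = ("string_ids", "type_ids", "proto_ids", "field_ids", "method_ids", "class_defs")
    sizes = struct.unpack_from("<" + "II" * 6, dex, 56)
    return {
        "version": magic[4:7].decode(),
        "file_size": file_size,
        **{n + "_size": sizes[2 * i] for i, n in enumerate(names)},
    }


def profile_apk(apk_bytes):
    """What the parser step records per APK: package hash, zip entries and
    the verified DEX header fields."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        entries = z.namelist()
        if "AndroidManifest.xml" not in entries or "classes.dex" not in entries:
            raise ValueError("not an APK: missing AndroidManifest.xml or classes.dex")
        dex = z.read("classes.dex")
    return {
        "sha1": hashlib.sha1(apk_bytes).hexdigest(),
        "entries": sorted(entries),
        "dex": parse_dex_header(dex),
    }


def build_test_apk(class_defs=3, corrupt=False):
    """Constructed test data: a header-only classes.dex with valid checksum
    and signature, zipped with a placeholder manifest. Not a real app."""
    hdr = bytearray(DEX_HEADER_LEN)
    hdr[0:8] = b"dex\n035\x00"
    struct.pack_into("<III", hdr, 32, DEX_HEADER_LEN, DEX_HEADER_LEN, LITTLE_ENDIAN_TAG)
    struct.pack_into("<I", hdr, 96, class_defs)                       # class_defs_size
    hdr[12:32] = hashlib.sha1(hdr[32:]).digest()
    struct.pack_into("<I", hdr, 8, zlib.adler32(bytes(hdr[12:])) & 0xFFFFFFFF)
    if corrupt:
        hdr[96] ^= 0xFF   # modify a field after hashing: checksum now fails
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        z.writestr("classes.dex", bytes(hdr))
    return buf.getvalue()


if __name__ == "__main__":
    print(profile_apk(build_test_apk()))
    try:
        profile_apk(build_test_apk(corrupt=True))
    except ValueError as e:
        print("rejected:", e)
```

The zip entry names and the header offsets are the only things the check relies on, so the same function works on any real APK read from disk; replace the constructed bytes with `open(path, "rb").read()`.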
APK Profile
• Security Classifier
• Dynamic Profile
  – auto APK runner
  – interactive emulator
Security Classifier
Objective
• Create a classifier for malicious Android app detection
• A static-analysis approach
• A machine-learning approach
Training data
• MySQL queries retrieve the raw data from the AppTracker database
• Analytic features are converted to binary vectors
The R code components
• Preprocessing: convert variables into factor or numeric variables as appropriate
• Load the R randomForest library
Prediction
• Import the R environment
• Load the R model, read in the input (test case) and write out the output (classification response)
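The two preparation steps above, features to binary vectors and a confidence threshold applied to the forest's vote fraction, are shown here as an added example in Python rather than the R/randomForest pipeline the talk used; it is not Websense's code. The sample apps, their labels and the held-out vote fractions are constructed for the demo. The point worth seeing is that the feature vocabulary is fixed at training time and reused at prediction time (an unseen feature is dropped, never appended), and that the threshold sweep is exactly the precision/recall trade-off the later results slide plots at 0.5 to 0.9.

```python
"""Added example (not from the slides): feature vectorisation and the
confidence-threshold sweep from the classifier slides, in Python.
Sample apps, labels and vote fractions are constructed for the demo."""
from collections import Counter

# Constructed static-profile features per app (permissions and API names
# taken from the decoded manifest/dex) with a made-up malware label.
TRAIN = [
    ({"SEND_SMS", "RECEIVE_SMS", "READ_PHONE_STATE", "INTERNET",
      "SmsManager.sendTextMessage"}, 1),
    ({"SEND_SMS", "INTERNET", "READ_CONTACTS", "SmsManager.sendTextMessage"}, 1),
    ({"INTERNET", "ACCESS_NETWORK_STATE"}, 0),
    ({"INTERNET", "CAMERA", "WRITE_EXTERNAL_STORAGE"}, 0),
    ({"READ_PHONE_STATE", "INTERNET", "RECEIVE_BOOT_COMPLETED", "abortBroadcast"}, 1),
    ({"VIBRATE", "INTERNET"}, 0),
]

# Constructed out-of-bag vote fractions (share of trees voting "malware")
# for eight held-out apps, with their true labels.
VOTES = [0.95, 0.85, 0.72, 0.65, 0.55, 0.40, 0.20, 0.05]
LABELS = [1, 1, 1, 0, 0, 0, 0, 0]


def build_vocab(apps, min_count=1):
    """Fixed feature vocabulary from the training set. Store it with the
    model: prediction must use the same columns in the same order, and a
    feature never seen in training is dropped rather than shifting columns."""
    counts = Counter(f for feats, _ in apps for f in feats)
    return sorted(f for f, c in counts.items() if c >= min_count)


def binarize(features, vocab):
    """One app's feature set as a 0/1 vector over the vocabulary."""
    present = set(features)
    return [1 if f in present else 0 for f in vocab]


def to_csv_rows(apps, vocab):
    """Rows that R's read.csv() can load: header, then vector + label per app."""
    rows = [",".join(vocab) + ",label"]
    for feats, label in apps:
        rows.append(",".join(map(str, binarize(feats, vocab))) + "," + str(label))
    return rows


def classify(vote_fraction, threshold):
    """The forest returns the fraction of trees voting 'malware'; the
    confidence threshold decides where that fraction becomes a verdict."""
    return 1 if vote_fraction >= threshold else 0


def sweep_thresholds(votes, labels, thresholds=(0.5, 0.6, 0.7, 0.8, 0.9)):
    """(precision, recall) per threshold. Raising the threshold removes
    false positives at the cost of missed malware."""
    out = {}
    for t in thresholds:
        tp = fp = fn = 0
        for v, y in zip(votes, labels):
            pred = classify(v, t)
            if pred and y:
                tp += 1
            elif pred and not y:
                fp += 1
            elif not pred and y:
                fn += 1
        precision = tp / (tp + fp) if tp + fp else 1.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        out[t] = (round(precision, 3), round(recall, 3))
    return out


if __name__ == "__main__":
    vocab = build_vocab(TRAIN)
    print("\n".join(to_csv_rows(TRAIN, vocab)))
    for t, (p, r) in sweep_thresholds(VOTES, LABELS).items():
        print("threshold %.1f  precision %.3f  recall %.3f" % (t, p, r))
```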
R Module
• Environment for statistical data analysis, inference and visualization
• Ports for Unix, Windows and Mac OS X
• Highly extensible through user-defined functions
• Generic functions and conventions for standard operations such as plot, predict, etc.
• >1200 add-on packages contributed by developers from all over the world, e.g. multivariate statistics, machine learning, natural language processing, bioinformatics (Bioconductor), social network analysis (SNA), ...
• Interfaces to C, C++, Fortran, Java
Analytic Results
[Chart: classifier results at confidence thresholds 0.5, 0.6, 0.7, 0.8 and 0.9]
Dynamic Profile
How it works
Steps:
1. Load the emulator
2. Install and run the APK file
3. Collect the system output into a profile
4. Show the profile on the web portal
Run APK
• emulator -avd avdname -no-snapshot-save
  (do not save the emulator state on exit, so every sample starts from the same clean image)
• adb install apkfile
• aapt dump badging apkfile
  (read the package name and launchable activity needed for the next command)
• adb shell am start -n packagename/mainActivity
Auto Input
• adb shell input keyevent "value"
  value   keycode
  7       KEYCODE_0
  16      KEYCODE_9
  29      KEYCODE_A
  54      KEYCODE_Z
  (digits occupy 7..16 and letters 29..54, contiguously)
• adb shell sendevent [device] [type] [code] [value]
  example, absolute touch position (x=40, y=210):
  adb shell sendevent /dev/input/event0 3 0 40     // EV_ABS ABS_X
  adb shell sendevent /dev/input/event0 3 1 210    // EV_ABS ABS_Y
  A complete tap also needs BTN_TOUCH down (type 1, code 330, value 1), a SYN_REPORT (type 0, code 0, value 0), then BTN_TOUCH up (1 330 0) and another SYN_REPORT; without the sync event the input layer never delivers the coordinates to the app.
Monkey
"The Monkey is a command-line tool that you can run on any emulator instance or on a device. It sends a pseudo-random stream of user events into the system, which acts as a stress test on the application software you are developing."
adb shell monkey -p package.name -v 500
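The Run APK, Auto Input and Monkey slides describe one procedure: read the package and launchable activity out of `aapt dump badging`, start the app, feed it input, then let Monkey run. The following is an added example for this page, not Websense's auto APK runner: it parses a constructed `aapt dump badging` output (the format is aapt's; the package, activity and permissions are made up), builds the `am start -n` target (using the `pkg/.Activity` shorthand `am` accepts), maps text to `input keyevent` codes using the contiguous ranges from the table above, and returns the whole command sequence as argv lists. Nothing is executed; a real runner would pass each list to `subprocess.run` against the emulator.

```python
"""Added example (not from the slides): turn `aapt dump badging` output
into the values the runner needs and build the adb command sequence.
SAMPLE_BADGING is constructed to match aapt's format; nothing is run."""
import re

SAMPLE_BADGING = """\
package: name='com.example.sample' versionCode='3' versionName='1.2'
sdkVersion:'8'
uses-permission:'android.permission.SEND_SMS'
uses-permission:'android.permission.INTERNET'
uses-permission: name='android.permission.READ_PHONE_STATE'
application-label:'Sample'
launchable-activity: name='com.example.sample.MainActivity'  label='Sample' icon=''
"""

_PKG = re.compile(r"^package: name='([^']+)'", re.M)
_ACT = re.compile(r"^launchable-activity: name='([^']+)'", re.M)
# Older aapt prints uses-permission:'x', newer prints uses-permission: name='x'.
_PERM = re.compile(r"^uses-permission:(?: name=)?'([^']+)'", re.M)


def parse_badging(text):
    """Package name, launchable activity (None if the app has none, e.g. a
    service-only app) and the declared permissions."""
    m = _PKG.search(text)
    if not m:
        raise ValueError("no package line in aapt output")
    act = _ACT.search(text)
    return {
        "package": m.group(1),
        "activity": act.group(1) if act else None,
        "permissions": sorted(set(_PERM.findall(text))),
    }


def am_start_command(info):
    """adb shell am start -n package/activity, or None if nothing is launchable."""
    act = info["activity"]
    if not act:
        return None
    if act.startswith(info["package"] + "."):
        act = act[len(info["package"]):]          # pkg/.MainActivity shorthand
    return ["adb", "shell", "am", "start", "-n", "%s/%s" % (info["package"], act)]


def keyevents_for(text):
    """Digits and ASCII letters as `adb shell input keyevent` commands:
    KEYCODE_0..KEYCODE_9 are 7..16, KEYCODE_A..KEYCODE_Z are 29..54."""
    cmds = []
    for ch in text:
        if ch.isdigit():
            code = 7 + int(ch)
        elif ch.isascii() and ch.isalpha():
            code = 29 + ord(ch.lower()) - ord("a")
        else:
            raise ValueError("no keycode mapping for %r" % ch)
        cmds.append(["adb", "shell", "input", "keyevent", str(code)])
    return cmds


def runner_commands(apk_path, info, input_text="", monkey_events=500):
    """The dynamic-profile sequence from the slides as argv lists:
    install, launch, typed input, then Monkey against that package only."""
    cmds = [["adb", "install", apk_path]]
    start = am_start_command(info)
    if start:
        cmds.append(start)
    cmds.extend(keyevents_for(input_text))
    cmds.append(["adb", "shell", "monkey", "-p", info["package"], "-v", str(monkey_events)])
    return cmds


if __name__ == "__main__":
    info = parse_badging(SAMPLE_BADGING)
    for argv in runner_commands("/tmp/sample.apk", info, input_text="9"):
        print(" ".join(argv))
```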
Network Monitoring
adb shell tcpdump -v 'tcp port 80 and (((ip[2:2]-((ip[0]&0xf)<<2))-((tcp[12]&0xf0)>>2))!=0'
The filter keeps only HTTP segments that carry data: IP total length minus IP header length (IHL × 4) minus TCP header length (data offset × 4) must be non-zero, which drops the handshake and bare ACKs and leaves the requests the app actually sends.
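The arithmetic inside that BPF expression is easy to get wrong when porting it to other tools, so here it is as an added example in Python (not part of the slides): the same three header reads applied to constructed IPv4/TCP frames, one POST with a body, one bare ACK, and one ACK carrying TCP timestamp options, so the filter can be checked without an emulator. The packet builder, addresses and payload are constructed for the example.

```python
"""Added example (not from the slides): the tcpdump payload-length filter
re-implemented over raw IPv4/TCP bytes, with constructed test frames."""
import struct


def tcp_payload_len(pkt):
    """Mirror of  ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2):
    ip[2:2]      IPv4 total length
    ip[0]&0xf    IHL in 32-bit words, <<2 converts to bytes
    tcp[12]&0xf0 data offset in the high nibble, >>2 converts to bytes
    Returns None for anything that is not IPv4 over TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) << 2
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != 6:                      # IP protocol 6 = TCP
        return None
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return None
    data_off = (tcp[12] & 0xF0) >> 2
    return total_len - ihl - data_off


def matches_filter(pkt):
    """'tcp port 80 and payload != 0': True only for HTTP segments with data."""
    n = tcp_payload_len(pkt)
    if n is None:
        return False
    ihl = (pkt[0] & 0x0F) << 2
    sport, dport = struct.unpack_from("!HH", pkt, ihl)
    return 80 in (sport, dport) and n != 0


def build_ipv4_tcp(sport, dport, payload=b"", tcp_options=b""):
    """Constructed IPv4+TCP frame (emulator 10.0.2.15 -> TEST-NET 192.0.2.1).
    Checksums are left zero: the filter never looks at them."""
    assert len(tcp_options) % 4 == 0, "TCP options must pad to 32-bit words"
    tcp_hdr_len = 20 + len(tcp_options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1,
                      (tcp_hdr_len // 4) << 4,     # data offset in words
                      0x18,                        # PSH|ACK
                      65535, 0, 0)
    tcp += tcp_options + payload
    total = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 2, 15]), bytes([192, 0, 2, 1]))
    return ip + tcp


if __name__ == "__main__":
    frames = {
        "POST with body": build_ipv4_tcp(40000, 80, b"POST /report HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n"),
        "bare ACK": build_ipv4_tcp(40000, 80),
        "ACK + timestamps": build_ipv4_tcp(40000, 80, tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8),
        "data on 443": build_ipv4_tcp(40000, 443, b"\x16\x03\x01"),
    }
    for name, p in frames.items():
        print("%-18s payload=%s  matches=%s" % (name, tcp_payload_len(p), matches_filter(p)))
```

The options case is why the filter reads `tcp[12]` instead of assuming a 20-byte TCP header: an ACK carrying 12 bytes of timestamp options has a 32-byte header and still zero payload.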
SMS & Call
adb logcat -b radio -s "AT:*"
The radio log buffer shows the AT commands the emulated modem receives; outgoing SMS appear there as PDUs.
PDU SMS message
Decode '0001000a81016681859200000539590c1b03':
  00          SMSC address length 0 (use the default SMSC)
  01          first octet: SMS-SUBMIT, no validity period, no user-data header
  00          TP-MR (message reference)
  0a 81       TP-DA: 10 digits, unknown type of number
  0166818592  swapped semi-octets, i.e. 1066185829 (suspicious number)
  00 00       TP-PID, TP-DCS (GSM 7-bit default alphabet)
  05          TP-UDL: 5 septets
  39590c1b03  TP-UD, unpacked from 7-bit: '921X1'
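The PDU above decodes by hand, but a dynamic-profile pipeline wants it automated, so here is an added example (not Websense's code) of an SMS-SUBMIT decoder following 3GPP TS 23.040: SMSC length, first octet (with the TP-VPF bits deciding whether a validity period follows), TP-MR, TP-DA as swapped semi-octets, PID, DCS and user data unpacked from the GSM 7-bit default alphabet. The full 128-entry alphabet table is included; UCS2 is handled, 8-bit data is returned as hex, and a message with a user-data header is rejected rather than decoded wrongly. Run against the slide's PDU it yields the number 1066185829 and the text 921X1.

```python
"""Added example (not from the slides): decode an SMS-SUBMIT PDU as logged
from the emulated modem. Layout per 3GPP TS 23.040."""

# GSM 03.38 default alphabet, 128 entries in code order (0x1B is the escape).
GSM7 = ("@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
        "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà")
assert len(GSM7) == 128


def unpack_7bit(data, septets):
    """GSM 7-bit packing: septet i lives at bit offset 7*i, LSB first."""
    bits = int.from_bytes(data, "little")
    return "".join(GSM7[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def semi_octets(raw, ndigits):
    """Swapped-nibble BCD digits as used in TP-DA and SMSC addresses."""
    digits = []
    for b in raw:
        digits.append(str(b & 0x0F))
        digits.append(str(b >> 4))
    return "".join(digits[:ndigits])          # drop the 0xF filler on odd length


def decode_sms_submit(hexpdu):
    pdu = bytes.fromhex(hexpdu)
    i = 0
    smsc_len = pdu[i]; i += 1 + smsc_len          # SMSC address, 0 = SIM default
    first = pdu[i]; i += 1
    if first & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU (TP-MTI=%d)" % (first & 0x03))
    mr = pdu[i]; i += 1                           # TP-MR
    da_digits = pdu[i]; i += 1                    # TP-DA length in digits
    toa = pdu[i]; i += 1                          # type of address
    da_len = (da_digits + 1) // 2
    number = semi_octets(pdu[i:i + da_len], da_digits); i += da_len
    if (toa >> 4) & 0x07 == 1:                    # TON 001 = international
        number = "+" + number
    pid, dcs = pdu[i], pdu[i + 1]; i += 2
    vpf = (first >> 3) & 0x03                     # TP-VPF: 0 none, 2 relative, 1/3 = 7 octets
    i += {0: 0, 2: 1, 1: 7, 3: 7}[vpf]
    udl = pdu[i]; i += 1
    ud = pdu[i:]
    if first & 0x40:
        raise ValueError("user-data header present; not handled in this example")
    # General data coding group (DCS bits 7-6 == 00): bits 3-2 give the alphabet.
    alphabet = (dcs >> 2) & 0x03 if dcs >> 6 == 0 else None
    if alphabet == 0:
        text = unpack_7bit(ud, udl)               # udl counts septets
    elif alphabet == 2:
        text = ud[:udl].decode("utf-16-be")       # UCS2, udl counts octets
    else:
        text = ud[:udl].hex()                     # 8-bit or unusual DCS: keep raw
    return {"mr": mr, "number": number, "pid": pid, "dcs": dcs, "udl": udl, "text": text}


if __name__ == "__main__":
    print(decode_sms_submit("0001000a81016681859200000539590c1b03"))
```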
Interactive Emulator
Browser-based for end users
Example:
50 users have tested this app, average time 3 minutes per user
• suspicious SMS found
• no phone call made
• 1 active network access
App Tracker
Front page to users
• Web portal support
• Top 20 profiles: malware vs. benign
• Real-time crawler status
• Real-time virus status report
• Built-in app emulation
Back end in the cloud
• ThreatSeeker service
• Automatic static data analysis
• Dynamic profile support
Demo Time
• Security Classifier POC
• Web Portal Framework
Mobile Solution
ThreatSeeker Cloud real-time analytics:
• Advance Detection (AR) result → Mobile Malware
Triton classifications:
• Mobile Malware
• Unauthorized Mobile Marketplaces
Next Step
• Hierarchy Viewer automation?
• Robotium?
Robotium Limitation
Robotium is an Activity-centric UI test framework: it only drives the first of the four Android component types, so code that lives in the other three is exercised only if the UI path happens to reach it.
• Activity
• Service
• Broadcast Receiver
• Content Provider