Mobile, Embedded, & Wireless Security

14-829: Mobile Security - Fall 2015



Assignment #4 - Analyzing Application Security and Privacy

Assigned: October 22
Due: November 5

Description: It is yet another fine fall day at CMU. Billy Bob is staring out the window of his study room. The sun is shining, and the birds are chirping... or so he assumes, if he could actually hear them! Instead, the pleasantness of the day is drowned out by the 35 other Mobile Security students in Billy Bob's study room, chatting about anything from Justin Bieber's newest single to how innovative the new iPhone 6S Version 2 Gold Edition Plus is. Billy Bob sighs, turns back around, and attempts to start writing the report for HW3, which was due yesterday. Much to Billy Bob's amazement, another student has set himself on top of Billy Bob's laptop, busily surfing Facebook. Billy Bob asks him to please move and he shrugs, saying, "Sorry bro, no room." Realizing that the CMU student population has become so huge that breathable oxygen is actually a commodity, Billy Bob comes up with a brilliant idea!

The next morning when the Mobile Security students file into the lone study room at CMU for another day of assignments and Justin Bieber gossip, something is noticeably different. On the tables are laptops and Android phones, one for each student. Suddenly the door closes and locks behind them. A single rusty CRT television illuminates in front of them, with an image of a masked character and a voice saying "I want to play a game." Unfortunately, Billy Bob forgot to scramble his voice, and the students immediately know who is behind the mask. The masked Billy Bob politely explains to the students that he has locked them in the airtight study room, and they will never get out unless all of them can successfully find vulnerabilities in some apps he designed, using only the devices in front of them. Billy Bob also mentions that attempts to collaborate amongst students or cheat will be severely punished...

You are one of the students in this room. Since you kinda like going outside and really want to go to a Justin Bieber concert next week, you only have one choice: become a 1337 h4x0r!

Tasks:
  1. Pick an app to analyze. The goal is to reverse engineer its APK to look for vulnerabilities.
  2. Analyze the app by taking the following risks into consideration:
    • Lack of Binary Protections
    • Unintended Data Leakage
    • Insecure Data Storage
    • Incorrect Permission Model Implementation
  3. Think of how to harden your app based on your analysis in Task 2.

Tips:
  1. Ensure that the app you choose is indeed reversible, and not heavily obfuscated. This may take a few attempts, so don't go in too much depth with a single app until you've determined it has favorable properties to analyze.
  2. Helpful background reading:
    1. OWASP Top 10 Mobile Risks
    2. DataTheorem Threat Model for Mobile Apps

Deliverables:
  • For Task 1, provide a high level overview of the app you chose. Explain its functionality and why you chose it.
  • For Task 2, provide a detailed summary of your app analysis efforts for each of the risks.
  • For Task 3, provide an explanation of your idea to break the app, and how you would fix it; or provide an explanation of how you would make the app even more secure than it is.
  • Tabulate your analysis in the following format

The written report should be formatted according to the IEEE conference proceedings template, using either Microsoft Word or LaTeX, and converted to a .pdf document.

Submission Instructions: Each student should submit a .pdf version of their written summary via Blackboard, using the format requested above. All students are expected to complete the assignment on their own; discussion about the assignment is allowed and encouraged, but all design and writing components must be done individually.

Grading: This assignment is worth 40 points: 5 points for Task 1, 24 points for Task 2, 6 points for Task 3, and 5 points for the tabulated results. We reserve the right to take off points for presentation aspects, e.g., incorrect format, poor writing, etc.