14-829: Mobile Security

14-829 / 18-638: Mobile Security - Fall 2016



Assignment #1 - How to Steal Personal Information

Assigned: August 30, 2016
Due: September 13, 2016

Description: The goal of this assignment is to gain intuition about how Android applications work, how the Android permission model works, and how attackers can do things they're not supposed to be able to do, all through application design. The assignment has three components: 1) read about privilege escalation attacks, 2) design a malicious application, and 3) describe various elements of your design. Note that Assignment #2 will extend Assignment #1, so pay attention to the details as you work, and start working on the assignment early to avoid a rush before the deadline.

Tasks:
  1. Read some papers - Download and read these papers [1, 2, 3]. These papers provide background on common privilege escalation attacks in Android and also provide some intuition on the Android permissions model.
  2. Design your malicious app - Now that you are on your way to becoming a 1337 Android h4x0r, may we present the following real-world scenario that will probably one day happen to you:

    One fine fall day you are sitting around, minding your own business, carefully working on the latest Mobile Security homework assignment. One of your good friends, Billy Bob, approaches you and asks for a favor. He feels that his girlfriend, who is also in Mobile Security, has been growing distant and worries it may be because she met some other guy in the class. Billy Bob asks you if you can apply your mad skillz to develop an app that will steal his girlfriend's Android phone contact list, so he can see if there are any unusual contacts on her phone. You tell him to get lost. Billy Bob comes back 5 minutes later with a half-eaten bag of chips he got from the vending machine, and offers the bag to you in exchange for the app. Being the hungry poor CMU student that you are, you accept the bag of chips and ask for more details on this app.

    Building on your new-found expertise in privilege escalation attacks using intent-based attacks or app collusion, your job is to earn your half-eaten bag of chips by creating a great data-stealing app. The app must abide by the following constraints:
    • It needs to appear to perform some task that is not related to stealing an Android contact list.
    • It cannot use any permissions. Therefore, the app's manifest will not have any uses-permission tags.
    • The app must exfiltrate the contact list to Billy Bob (e.g., via email).
    • The attack should be fully-automated and require no explicit user interaction, meaning the user should be unaware that the attack actions are happening.
  3. Describe your app design - Without actually implementing the app, describe your design and how you would implement the app. In your report, describe what your app appears to do (super awesome creativity here is welcome), and how it successfully steals the target contact list, based on the above constraints. Feel free to make any other assumptions, as long as they don't violate the constraints, but you must fully explain and justify these assumptions in your report.

Deliverables: Each student will submit a written summary of their efforts in the above tasks, including the following:
  • A detailed description of your app design,
  • A summary of assumptions you made, and
  • A detailed explanation of how your design achieves each of the given constraints.
The written summary should be no longer than three (3) pages in a single-column format using font size 10 or greater, converted to a .pdf document.

Submission Instructions: Each student should submit a .pdf version of their written summary via Blackboard, using the format requested above. All students are expected to complete the assignment on their own; discussion about the assignment is allowed and encouraged, but all design and writing components must be done individually.

Grading: This assignment is worth 15 points: 9 points for the app design description, and 6 points for describing how the constraints are met. We reserve the right to take off points for presentation aspects, e.g., incorrect format, poor writing, etc.