14-829: Mobile Security

14-829 / 18-638: Mobile Security - Fall 2016



Assignment #2 - Malicious Intent: Exploiting Another App

Assigned: September 13, 2016
Due: October 4, 2016

Description: A hot new phonebook/contact app has entered the Android market: SuperAwesomeContacts. Following in the footsteps of other super innovative apps like Yo, SuperAwesomeContacts attempts to give a more degraded user experience than traditional phonebook/contact apps by providing almost no features and a UI that resembles something a little kid designed. The app ends up being a huge success, with teenagers everywhere downloading it and decreeing it to be the next great thing. There is one problem though: the app's creator doesn't even remember writing the app (he woke up one day in a dumpster behind his apartment, and just found the code on his laptop... he assumes he wrote it). Because of this, he has asked you to find vulnerabilities in the app.

Tasks:
  1. Exploit the SuperAwesomeContacts App - You are given the code and other source for SuperAwesomeContacts. Your task is to exploit the app by writing another app which colludes with SuperAwesomeContacts. Your app will exploit any vulnerabilities in SuperAwesomeContacts and steal the user's phonebook. Your app must work under the following constraints:
    • Your app must request no permissions.
    • You cannot modify SuperAwesomeContacts in any way.
    • You cannot modify the host phone in any way, other than installing/running SuperAwesomeContacts and your own app.
    For this assignment it is okay if the app isn't discreet in the stealing and sending of data. In your report, you must show that you wrote the app and that it does everything that it is supposed to do, given the constraints. You may show us your code in the report, but do not submit code to us, as we will not run it.
  2. Bytecode-based Analysis - Now suppose the creator of SuperAwesomeContacts only gives you the bytecode. Would you still be able to discover the vulnerability/vulnerabilities necessary to write the exploit from part 1? Explain how or why not. If you explain how, be specific.
  3. Fix the SuperAwesomeContacts App - You show your exploit to the creator, and he gives you a half-eaten cookie for your efforts. Being the poor hungry CMU student that you are, you gladly accept this generous gift. Now you are asked to give some advice and insight on how to fix any vulnerabilities in SuperAwesomeContacts. He then admits that he has forgotten how to write code in Java and asks you to fix his app yourself. Explain the steps required to fix any vulnerabilities you found in the code or any other source from SuperAwesomeContacts. Also demonstrate your fixes by patching SuperAwesomeContacts and demonstrating in your report that your exploit app in fact doesn't work anymore.

Tips:
  • Importing the SuperAwesomeContacts project into Android Studio: First, unzip the project folder somewhere (in Linux, a good place would be under ~/Android/projects). To make sure you extracted it correctly, using the previous path example, you should be able to see files such as build.gradle and settings.gradle in ~/Android/projects/SuperAwesomeContacts.
    • You can import the project in one of two ways: File -> New -> Import Project, or the 'Import Project' button on the welcome screen if no other projects are loaded.
    • You are now presented with a dialog box to choose the project. Navigate to your project folder (~/Android/projects in the previous example), and you should see the SuperAwesomeContacts project there with the Android Studio icon next to it. If you see a folder icon, you may have extracted it into an additional folder, so open that and see if the project shows up inside.
    • Once the SuperAwesomeContacts project is selected, click OK.
  • Enabling unknown sources for APK installation on your phone: go to Settings --> Security, and check 'Unknown sources'. This is required to install the apk on your phone (unless you compile the src and run it on your phone that way - be sure that developer mode / USB debugging is enabled on your phone).

Deliverables: Each student will submit a written summary of their efforts in the above tasks. Some report guidelines to help convey your work to us:
  • Include screenshots of your app in action. Also attach code snippets with the screenshots of the important code. Important code is essentially anything related to the actual exploit.
  • Be sure to explain what is going on. Simply sending screenshots and code snippets in itself doesn't prove to us that you fully understand why the code works the way it does.
  • For part 2, be as detailed as possible. Don't just say something like, "Well I could use XXX to figure out YYY." Instead, explain why you could use XXX to figure out YYY.
The written summary should be no longer than four (4) pages in a single-column format using font size 10 or greater, converted to a .pdf document.

Submission Instructions: Each student should submit a .pdf version of their written summary via Blackboard, using the format requested above. All students are expected to complete the assignment on their own; discussion about the assignment is allowed and encouraged, but all design, coding, and writing components must be done individually.

Grading: This assignment is worth 30 points: 17 points for the detailed presentation of your exploit, 5 points for your extension to bytecode analysis, and 8 points for the detailed presentation of your fix. We reserve the right to take off points for presentation aspects, e.g., incorrect format, poor writing, etc.