14-829 / 18-638: Mobile Security - Fall 2016
Assignment #2 - Malicious Intent: Exploiting Another App
- Assigned: September 13, 2016
- Due: October 4, 2016
- Description:
A hot new phonebook/contact app has entered the Android market: SuperAwesomeContacts. Following in the footsteps
of other super innovative apps like Yo, SuperAwesomeContacts attempts to give a more degraded user experience than
traditional phonebook/contact apps by providing almost no features, and a UI that resembles something a little kid
designed. The app ends up being a huge success, with teenagers everywhere downloading it and decreeing it to be the
next great thing.
There is one problem though: the app's creator doesn't even remember writing the app (he woke up one day in a
dumpster behind his apartment, and just found the code on his laptop... he assumes he wrote it). Because of this,
he has asked you to find vulnerabilities in the app.
- Tasks:
- Exploit the SuperAwesomeContacts App - You are given the code and
other source for SuperAwesomeContacts. Your task is to exploit the app by writing another app which colludes with
SuperAwesomeContacts. Your app will exploit any vulnerabilities in SuperAwesomeContacts and steal the user's phonebook.
Your app must work under the following constraints:
- Your app must request no permissions.
- You cannot modify SuperAwesomeContacts in any way.
- You cannot modify the host phone in any way, other than installing/running SuperAwesomeContacts and your own app.
For this assignment it is okay if the app isn't discreet in the stealing and sending of data. In your report, you must
show that you wrote the app and that it does everything that it is supposed to do, given the constraints. You may show
us your code in the report, but do not submit code to us, as we will not run it.
- Bytecode-based Analysis - Now suppose the creator of SuperAwesomeContacts only gives you the bytecode. Would
you still be able to discover the vulnerability/vulnerabilities necessary to write the exploit from part 1? Explain
how or why not. If you explain how, be specific.
- Fix the SuperAwesomeContacts App - You show your exploit to the creator, and he gives you a half-eaten cookie
for your efforts. Being the poor hungry CMU student that you are, you gladly accept this generous gift. Now you are
asked to give some advice and insight on how to fix any vulnerabilities in SuperAwesomeContacts. He then admits that
he has forgotten how to write code in Java and asks you to fix his app yourself. Explain the steps required to fix any
vulnerabilities you found in the code or any other source from SuperAwesomeContacts. Also demonstrate your fixes by
patching SuperAwesomeContacts and demonstrating in your report that your exploit app in fact doesn't work anymore.
- Tips:
- Importing the SuperAwesomeContacts project into Android Studio: First, unzip the project folder somewhere (in
Linux, a good place would be under ~/Android/projects). To make sure you extracted correctly, using the previous
path example, you should be able to see files such as build.gradle and settings.gradle in
~/Android/projects/SuperAwesomeContacts.
- When you import the project, you can do this in one of two ways: File -> New -> Import Project, or from the 'Import Project'
button from the welcome screen if no other projects are loaded.
- You are now presented with a dialog box to choose the project. Navigate to your project folder
(~/Android/projects in the previous example), and you should see the SuperAwesomeContacts project there with the
Android Studio icon next to it. If you see a folder icon, you may have extracted it into an additional folder, so open
that and see if the project shows up inside.
- Once the SuperAwesomeContacts project is selected, click OK.
- Enabling unknown sources for APK installation on your phone: go to Settings --> Security, and check 'Unknown
sources'. This is required to install the APK on your phone (unless you compile the source and run it on your phone
that way; in that case, be sure that developer mode / USB debugging is enabled on your phone).
- Deliverables: Each student will submit a written summary of their efforts in the above tasks. Some report
guidelines to help convey your work to us:
- Include screenshots of your app in action. Also attach code snippets with the screenshots of the important
code. Important code is essentially anything related to the actual exploit.
- Be sure to explain what is going on. Simply sending screenshots and code snippets in itself doesn't prove to us
that you fully understand why the code works the way it does.
- For part 2, be as detailed as possible. Don't just say something like, "Well I could use XXX to figure out YYY."
Instead, explain why you could use XXX to figure out YYY.
The written summary should be no longer than four (4) pages in a single-column format using font size 10 or greater,
converted to a .pdf document.
- Submission Instructions: Each student should submit a .pdf version of their written summary
via Blackboard, using the format requested above. All students are expected to complete the assignment on their own;
discussion about the assignment is allowed and encouraged, but all design, coding, and writing components must be done
individually.
- Grading: This assignment is worth 30 points: 17 points for the detailed presentation of your exploit,
5 points for your extension to bytecode analysis, and 8 points for the detailed presentation of your fix. We reserve
the right to take off points for presentation aspects, e.g., incorrect format, poor writing, etc.