14-829 / 18-638: Mobile Security - Fall 2017
Assignment #4 - Analyzing Real-World App Security and Privacy
- Due: November 2, 2017
- Description: Before CMU releases you into the wild, we want you to see what kinds of applications are being published
by real developers in Android app markets. Your task in this assignment is to analyze a collection of relevant mobile apps and
identify any vulnerabilities or odd design choices made by the developers. A major component of this assignment will be familiarizing
yourself with a variety of software analysis tools that exist for Android applications. A subset of these tools was discussed in a
previous instance of this course, and the presentation material from that discussion is available to you.
- Tasks:
- Create your Android app collection - The main tasks here is to identify at least three (3) Android apps that satisfy
the following constraints:
- You should be able to recover significant portions of the app's source code, meaning it should not be heavily obfuscated to
the extent your results are trivial and uninteresting.
- The app should include interesting functionality based on collection and analysis of user data, a non-trivial set of
permissions, and non-trivial client-side processing (e.g., not just a wrapper for a website).
- The app should have non-trivial usage (i.e., not an app with 5 installs), but maybe not one of the most popular apps (see
the note below).
Important Note: Maybe don't pick the most popular apps like Facebook, Instagram, etc., as these are already heavily
analyzed and protected through respective company's security teams and bug-bounty programs. As such, you likely won't be able
to find any interesting results.
Another Important Note: Don't finalize your app collection until you've considered Task 2. This may require some iteration
through the tasks until you converge to an intersting collection of apps.
- Analyze apps in your collection - Given your collection of Android apps, your goal is to use whatever tools you want
to study the APK and containing code to identify potential vulnerabilities and other issues with security and privacy. Pay
particular attention to aspects of data leakage or unnecessary data collection, insecure data management/storage, issues with
permission usage/implementation, and insufficient protection of source code. If possible, study available whitepapers about
mobile app security (possibly including but not limited to those from
OWASP or
DataTheorem), and
include relevant risks in your app analysis study.
- Recommend changes to developers - For each app in your collection, come up with at least one recommendation that you
would make to the development team to help improve the overall security or privacy protection of their mobile app. In forming
your recommendation, keep in mind the typical business considerations that may compete against security or privacy. Be sure
your recommendation is clear and complete.
- Deliverables: Each student will submit a written summary of their efforts for the above tasks. Your report should
include:
- A description of each app in your collection, including relevant functionality both on the user-facing app and the backend
system and a justification for why these apps meet the constraints,
- Identification and detailed description of the various vulnerabilities or issues that you identified for each app in your
collection, including relevant details of the type of issue, whether it appears to be accidental or the result of an explicit
design decision, the severity of the issue in regard to security or privacy protections, and potential impact of the issue for
the developer or their users,
- Step-by-step explanation of the process you followed to identify the vulnerabilities or issues described, including any
analysis or coding tools that you used,
- Detailed explanation and justification of your recommendations to the developers.
The written summary should be formatted as a single-column document using font size 11 or greater, converted to a .pdf
document for submission.
- Submission Instructions: Each student should submit a
.pdf
version of their written summary via Canvas,
using the format requested above. All students are expected to complete the assignment on their own; discussion about the assignment
is allowed and encouraged, but all analysis, design, and writing components must be done individually.
- Grading: This assignment is worth 35 points: eight (8) points for a detailed description of your relevant set of Android
apps, ten (10) points for discusssion of your identified vulnerabilities including severity, impact, etc., eight (8) points for
step-by-step details of the process used to identify vulnerabilities, and nine (9) points for per-app description and justification
of developer recommendations. We reserve the right to take off points for presentation aspects, e.g., incorrect format, poor writing, etc.