14-829: Mobile and IoT Security

14-829 / 18-638: Mobile and IoT Security - Fall 2018



Assignment #3 - Analyzing Real-World App Security and Privacy

Due: October 25, 2018

Description: Before CMU releases you into the wild, we want you to see what kinds of applications are being published by real developers in Android app markets. Your task in this assignment is to analyze a collection of relevant mobile apps and identify any vulnerabilities or odd design choices made by the developers. A major component of this assignment will be familiarizing yourself with a variety of software analysis tools that exist for Android applications. A subset of these tools was discussed in a previous instance of this course, and the presentation material from that discussion is available to you.

Tasks:
  1. Create your Android app collection - The main task here is to identify at least three (3) Android apps that satisfy the following constraints:
    • You should be able to recover significant portions of the app's source code, meaning it should not be heavily obfuscated to the extent your results are trivial and uninteresting.
    • The app should include interesting functionality based on collection and analysis of user data, a non-trivial set of permissions, and non-trivial client-side processing (e.g., not just a wrapper for a website).
    • The app should have non-trivial usage (i.e., not an app with 5 installs), but maybe not one of the most popular apps (see the note below).
    Important Note: Maybe don't pick the most popular apps like Facebook, Instagram, etc., as these are already heavily analyzed and protected by the respective companies' security teams and bug-bounty programs. As such, you likely won't be able to find any interesting results.
    Another Important Note: Don't finalize your app collection until you've considered Task 2. This may require some iteration through the tasks until you converge to an interesting collection of apps.
  2. Analyze apps in your collection - Given your collection of Android apps, your goal is to use whatever tools you want to study each APK and the code it contains to identify potential vulnerabilities and other issues with security and privacy. Pay particular attention to aspects of data leakage or unnecessary data collection, insecure data management/storage, issues with permission usage/implementation, and insufficient protection of source code. If possible, study available whitepapers about mobile app security (possibly including but not limited to those from OWASP or DataTheorem), and include relevant risks in your app analysis study.
  3. Recommend changes to developers - For each app in your collection, come up with at least one recommendation that you would make to the development team to help improve the overall security or privacy protection of their mobile app. In forming your recommendation, keep in mind the typical business considerations that may compete against security or privacy. Be sure your recommendation is clear and complete.

Deliverables: Each student will submit a written summary of their efforts for the above tasks. Your report should include:
  • A description of each app in your collection, including relevant functionality both on the user-facing app and the backend system and a justification for why these apps meet the constraints,
  • Identification and detailed description of the various vulnerabilities or issues that you identified for each app in your collection, including relevant details of the type of issue, whether it appears to be accidental or the result of an explicit design decision, the severity of the issue in regard to security or privacy protections, and potential impact of the issue for the developer or their users,
  • Step-by-step explanation of the process you followed to identify the vulnerabilities or issues described, including any analysis or coding tools that you used,
  • Detailed explanation and justification of your recommendations to the developers.
The written summary should be formatted as a single-column document using font size 11 or greater, converted to a .pdf document for submission.

Submission Instructions: Each student should submit a .pdf version of their written summary via Canvas, using the format requested above. All students are expected to complete the assignment on their own; discussion about the assignment is allowed and encouraged, but all analysis, design, and writing components must be done individually.

Grading: This assignment is worth 35 points: eight (8) points for a detailed description of your relevant set of Android apps, ten (10) points for discussion of your identified vulnerabilities including severity, impact, etc., eight (8) points for step-by-step details of the process used to identify vulnerabilities, and nine (9) points for per-app description and justification of developer recommendations. We reserve the right to take off points for presentation aspects, e.g., incorrect format, poor writing, etc.