14-829: Mobile and IoT Security

14-829 / 18-638: Mobile and IoT Security - Fall 2019



Assignment #2 - Analyzing Real-World App Security and Privacy

Due: Oct 17, 2019

Description: Part of understanding the app security landscape is grasping the state of the art. As such, we want you to see what kinds of applications are being published by developers in a variety of Android app markets. Your task in this assignment is to analyze relevant mobile apps from multiple Android app markets and identify any vulnerabilities or odd design choices made by the developers. A major component of this assignment will be familiarizing yourself with a variety of software analysis tools that exist for Android applications.

Tasks:
  1. Create your Android app collection - Identify at least three (3) Android apps that satisfy the following constraints:
    • You should be able to recover significant portions of the apps' source code, meaning they should not be heavily obfuscated to the extent that your results are trivial and uninteresting.
    • Each app should include interesting functionality based on collection and analysis of user data, a non-trivial set of permissions, and non-trivial client-side processing (e.g., not just a wrapper for a website).
    • Your apps should have non-trivial usage (i.e., not an app with 5 installs), but maybe not one of the most popular apps (see the note below).
    • Your collection of apps should be taken from multiple Android app markets.
    Important Note: Apps from major companies like Facebook, Instagram, etc. are usually not a good choice for this assignment, as these apps are already heavily analyzed and protected through the respective companies' security teams and bug-bounty programs. As such, you likely won't be able to find any interesting results.
    Another Important Note: Don't finalize your app collection until you've considered Task 2. This may require some iteration through the tasks until you converge to an interesting collection of apps.
  2. Analyze apps in your collection - Given your collection of Android apps, use whatever tools you want to study each APK and the code it contains to identify potential vulnerabilities and other issues with security and privacy. Pay particular attention to aspects of data leakage or unnecessary data collection, insecure data management/storage, issues with permission usage/implementation, and insufficient protection of source code. If possible, study available whitepapers about mobile app security (possibly including but not limited to those from OWASP or DataTheorem), and include relevant risks in your app analysis study.
  3. Recommend changes to developers - For each app in your collection, come up with at least one recommendation that you would make to the development team to help improve the overall security or privacy protection of their mobile app. In forming your recommendation, keep in mind the typical business considerations that may compete against security or privacy. Discuss any trade-offs that would be required to implement your recommendation, and argue why your suggested changes are a good idea. Be sure your recommendation and discussion are clear and complete.

Deliverables: Each student will submit a written summary of their efforts for the above tasks. Your report should include:
  • A description of each app in your collection, including relevant functionality both on the user-facing app and the backend system and a justification for why these apps meet the constraints,
  • Identification and detailed description of the various vulnerabilities or issues that you identified for each app in your collection, including relevant details of the type of issue, whether it appears to be accidental or the result of an explicit design decision, the severity of the issue in regard to security or privacy protections, and potential impact of the issue for the developer or their users,
  • Step-by-step explanation of the process you followed to identify the vulnerabilities or issues described, including any analysis or coding tools that you used (NOTE: simply pasting the output of a tool is not sufficient, as it doesn't demonstrate that you've actually learned anything),
  • Detailed explanation and justification of your recommendations to the developers and discussion of the business trade-offs.
The written summary should be formatted as a single-column document using font size 11 or greater, converted to a .pdf document for submission.

Submission Instructions: Each student should submit a .pdf version of their written summary via Canvas, using the format requested above. All students are expected to complete the assignment on their own; discussion about the assignment is allowed and encouraged, but all analysis, design, and writing components must be done individually.

Grading: This assignment is worth 40 points: four (4) points for a detailed description of your relevant set of Android apps, nine (9) points for discussion of your identified vulnerabilities including severity, impact, etc., nine (9) points for step-by-step details of the process used to identify vulnerabilities, nine (9) points for per-app description and justification of developer recommendations, and nine (9) points for discussion of trade-offs. We reserve the right to take off points for presentation aspects, e.g., incorrect format, poor writing, etc.