14-829 / 18-638: Mobile and IoT Security - Fall 2020
Lab 3: Analyzing Mobile Apps in the Wild
- Due: Oct 9
- Description: Part of understanding the app security landscape is grasping the state of the art. As such, we want
you to see what kinds of apps are being published by developers in Android or other app markets. Your task in this assignment
is to take the role of the security analyst and study mobile apps in the wild, mainly by analyzing mobile apps from
different markets to identify implementation details, design choices, and potential security vulnerabilities. A major component
of this assignment will be familiarizing yourself with the variety of software analysis tools that exist for mobile application
analysis.
- Tasks:
- Identify and collect suitable apps to analyze - Identify at least two (2) mobile apps that are accessible to a novice
security analyst. In other words, find apps that are not heavily obfuscated, packed, or otherwise protected (that will come
in Lab 4). Make sure that the apps include interesting and potentially sensitive functionality, meaning they rely on non-trivial
permissions, collect user data, or have non-trivial interaction between client and server. Try to avoid apps with an extremely
high (millions) or extremely low (fewer than 10) number of installs. If possible, choose your apps from different markets.
- Analyze your apps - Given your collection of apps, use any available tools to analyze the .apk, code, and
resources to identify potential security vulnerabilities or privacy issues. Pay particular attention to aspects of data leakage,
insecure data management, and incorrect permission use. Mobile app security resources and whitepapers such as those from
OWASP or DataTheorem may be helpful to get you started.
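The following script is an added example of a first-pass static triage over a decoded app; it is not part of the lab handout and not a required tool. It assumes you have already run apktool (which yields a readable AndroidManifest.xml) and a decompiler such as jadx (which yields Java sources), and it flags the three issue classes the task names: permission use (dangerous runtime permissions and components exported to other apps), data leakage (cleartext traffic, hard-coded endpoints and keys, secrets written to logcat), and insecure data management (world-readable files). The manifest and source snippet embedded below are constructed for the example; the AKIA... key is the placeholder from AWS's own documentation, not a real credential.

```python
"""Static triage of an apktool/jadx-decoded Android app (example helper, hypothetical)."""
import json
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime ("dangerous") permissions the report should justify feature by feature.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE", "android.permission.READ_PHONE_STATE",
}

# Patterns over decompiled Java; each is a starting point for manual review, not proof.
SOURCE_PATTERNS = {
    "http_url": re.compile(r'"http://[^"\s]+"'),                       # cleartext endpoint
    "world_readable_file": re.compile(r"MODE_WORLD_(READABLE|WRITEABLE)"),  # file shared with all apps
    "aws_access_key": re.compile(r"AKIA[0-9A-Z]{16}"),                 # hard-coded cloud credential
    "log_of_secret": re.compile(r"Log\.[dviwe]\([^)]*(password|token|secret)", re.I),  # secret in logcat
}

def permission_findings(manifest_xml):
    """Dangerous permissions requested in the manifest, sorted."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    return sorted(requested & DANGEROUS_PERMISSIONS)

def exported_components(manifest_xml):
    """Components other apps can reach: exported="true", or an intent-filter with
    no explicit exported attribute (the default for targetSdk < 31)."""
    root = ET.fromstring(manifest_xml)
    found = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            exported = comp.get(ANDROID_NS + "exported")
            has_filter = comp.find("intent-filter") is not None
            if exported == "true" or (exported is None and has_filter):
                found.append((tag, comp.get(ANDROID_NS + "name")))
    return found

def cleartext_allowed(manifest_xml):
    """True if the app opts in to plain HTTP via android:usesCleartextTraffic."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(ANDROID_NS + "usesCleartextTraffic") == "true"

def source_findings(source_text):
    """Map of pattern name -> list of matching snippets found in the sources."""
    hits = {}
    for name, rx in SOURCE_PATTERNS.items():
        matches = [m.group(0) for m in rx.finditer(source_text)]
        if matches:
            hits[name] = matches
    return hits

def triage(manifest_xml, source_text):
    return {
        "dangerous_permissions": permission_findings(manifest_xml),
        "exported_components": exported_components(manifest_xml),
        "cleartext_allowed": cleartext_allowed(manifest_xml),
        "source": source_findings(source_text),
    }

# Constructed sample input standing in for apktool's AndroidManifest.xml.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <service android:name=".UploadService" android:exported="false"/>
  </application>
</manifest>"""

# Constructed sample standing in for one jadx-decompiled class.
SAMPLE_SOURCE = '''
public class ApiClient {
    static final String BASE = "http://api.example.com/v1/";
    static final String KEY = "AKIAIOSFODNN7EXAMPLE";  // AWS documentation placeholder
    void save(Context c, String token) {
        Log.d("ApiClient", "token=" + token);
        c.openFileOutput("session", Context.MODE_WORLD_READABLE);
    }
}
'''

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SOURCE), indent=2))
```

On a real target, run `apktool d app.apk` and `jadx -d out app.apk`, then pass the contents of the decoded AndroidManifest.xml and the concatenated .java files to triage(). Every hit still needs manual confirmation (for example, an exported activity with only the MAIN/LAUNCHER filter is normal), which is exactly the kind of reasoning the report should show.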
- Deliverables and Submission: Prepare a written summary of your efforts and responses for the above tasks. The summary
report should include:
- A brief description of each app you studied, what tools and techniques you used to analyze it, and a few screenshots of
tools being used.
- A detailed description of any interesting finds, whether you identified issues or whether your apps appeared to be secure
and compliant with best practices.
- Suitable images or other artifacts to demonstrate that you accomplished the goals of each task. Beyond screenshots of
tools, this would include a summary of tool outputs and any approaches that were unsuccessful.
This summary should be formatted in an easy-to-read way, using font size 10 or greater, and submitted as a .pdf
document.
- Grading: This lab is worth 20 points, with 8 points allocated to the description of your app collection
and analysis efforts, 8 points for describing and illustrating your findings, and 4 points for demonstrating use and
output of various analysis tools. We reserve the right to take off points for unreadable reports, poor writing, missing details,
inappropriate content, etc.