14-829: Mobile and IoT Security

14-829 / 18-638: Mobile and IoT Security - Fall 2021
Lab 3: Analyzing Mobile Apps in the Wild

Due: Sep 24

Description: Part of understanding the app security landscape is grasping the state of the art. As such, we want you to see what kinds of apps are being published by developers in Android or other app markets. Your task in this assignment is to take the role of the security analyst and study mobile apps in the wild, mainly by analyzing mobile apps from different markets to identify implementation details, design choices, and potential security vulnerabilities. A major component of this assignment will be familiarizing yourself with the variety of software analysis tools that exist for mobile application analysis.

Tasks:
  1. Identify and collect suitable apps to analyze - Identify at least two (2) mobile apps that are accessible to a novice security analyst. In other words, find apps that are not heavily obfuscated, packed, or protected in other ways (that will come in Lab 4). Make sure that the apps include non-trivial functionality, otherwise your analysis will be uninteresting, and try to avoid apps with extremely large (millions) or extremely small (fewer than 10) numbers of installs. If possible, choose your apps from different markets.
  2. Analyze your apps - Given your collection of apps, use any available tools to analyze the .apk, code, and resources to identify potential security vulnerabilities or privacy issues. Pay particular attention to aspects of data leakage, insecure data management, and incorrect permission use. Mobile app security resources and whitepapers such as those from OWASP or DataTheorem may be helpful to get you started.
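As an added starting point (example code, not part of the lab handout or any tool it names), the script below runs a first-pass check over a decoded AndroidManifest.xml for the three focus areas of Task 2: dangerous permissions, insecure application settings, and exported components that carry no permission guard. It assumes the manifest has already been decoded to plain XML (the .apk stores it in a binary form), and the sample manifest inside it is constructed for demonstration.

```python
# Added example for Lab 3 Task 2 (not part of the handout). Assumes a manifest
# already decoded to plain XML; the embedded sample below is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# A subset of Android's "dangerous" protection-level permissions that gate user data.
DANGEROUS = {
    "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.CAMERA",
}

# Constructed sample manifest (package name and components are made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:allowBackup="true" android:usesCleartextTraffic="true"
      android:debuggable="true">
    <activity android:name=".MainActivity" android:exported="true"/>
    <receiver android:name=".SyncReceiver" android:exported="true"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"
        android:exported="true" android:permission="com.example.notes.READ"/>
    <service android:name=".UploadService"/>
  </application>
</manifest>"""


def audit_manifest(xml_text: str) -> list[str]:
    """Return human-readable findings; each one is a lead for manual review, not a verdict."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in DANGEROUS:
            findings.append(f"requests dangerous permission {name}")
    app = root.find("application")
    if app is not None:
        # Application-level flags that affect data exposure (insecure data management).
        for flag, why in (("allowBackup", "app data can be extracted with adb backup"),
                          ("usesCleartextTraffic", "plaintext HTTP is permitted"),
                          ("debuggable", "a debugger can attach to this build")):
            if app.get(ANDROID_NS + flag) == "true":
                findings.append(f"{flag}=true: {why}")
        # Exported components with no android:permission can be driven by any other app.
        # The launcher activity must be exported, so inspect each hit rather than flag it blindly.
        for comp in app:
            if comp.tag in ("activity", "service", "receiver", "provider"):
                exported = comp.get(ANDROID_NS + "exported") == "true"
                guarded = comp.get(ANDROID_NS + "permission") is not None
                if exported and not guarded:
                    findings.append(f"exported {comp.tag} {comp.get(ANDROID_NS + 'name')} without a permission")
    return findings
```

Running `audit_manifest(SAMPLE_MANIFEST)` on the constructed sample yields six findings; the guarded provider and the non-exported service are correctly left out.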
Deliverables and Submission: Prepare a written summary of your efforts and responses for the above tasks. The summary report should include:
  • A brief description of each app you studied, what tools and techniques you used to analyze it, and a few screenshots of tools being used.
  • A detailed description of any interesting finds, whether you identified issues or whether your apps appeared to be secure and compliant with best practices.
  • Suitable images or other artifacts to demonstrate that you accomplished the goals of each task. Beyond screenshots of tools, this would include a summary of tool outputs and any approaches that were unsuccessful.
This summary should be formatted in an easy-to-read way, using font size 10 or greater, and submitted as a .pdf document.

Grading: This lab is worth 20 points, with 8 points allocated to the description of your app collection and analysis efforts, 8 points for describing and illustrating your findings, and 4 points for demonstrating use and output of various analysis tools. We reserve the right to take off points for unreadable reports, poor writing, missing details, inappropriate content, etc.