android sandbox

ANDROID SANDBOX Presented by ANUSHA TUKE

Upload: anusha-chavan

Post on 20-Aug-2015


TRANSCRIPT

Page 1: Android sandbox

ANDROID SANDBOX

Presented by ANUSHA TUKE

Page 2: Android sandbox

Contents

• Introduction
• Android
• Sandbox
• Static software analysis vs. sandboxing
• Android application sandbox
• System call diagrams
• Static & dynamic analysis of AASandbox
• Experiments
• Conclusion
• References

Page 3: Android sandbox

Introduction

• Emerging trend: smartphones

- computational power, sensors & communication

• Threat: malware attacks

• Anti-virus: blocks viruses, worms & Trojan horses.

• Behavioural detection: signatures.

• Generating signatures: analysis of significant & meaningful patterns.

• Sandbox: execution of suspicious binaries in an isolated environment, e.g. CWSandbox.

Page 4: Android sandbox

ANDROID

• An operating system for mobile devices

• Based on the Linux kernel

• Developed by Google and later the Open Handset Alliance (OHA)

• Allows writing managed code in the Java language

Page 5: Android sandbox

What is a sandbox? A sandbox is a "sealed" container that allows untrusted programs to be executed within it.

Page 6: Android sandbox

Static Software Analysis vs. Sandboxing

Static analysis:

• Forensic techniques: decompilation, decryption, pattern matching.

• Filtering binaries by malicious patterns, called signatures.

• Fast & relatively simple.

• The code pattern has to be known in advance.

Sandboxing:

• Applications are run in an isolated environment (the sandbox).

• A policy to stop the system in order to prevent potential damage.

• Monitoring & recording system.

• User-space sandbox.

• Kernel-space sandbox.

Page 7: Android sandbox

Android Application Sandbox for suspicious software detection

• Located in kernel space, since this gives access to critical parts of the OS.

• System call hijacking.

• Monitors system & library calls.

• Android uses a modified Linux basis to host a Java-based middleware running the user applications.

• Calls are monitored at the lowest level possible.

Page 8: Android sandbox

read() system call from user space (diagram).

Page 9: Android sandbox

Hijacked read() system call (diagram).

Page 10: Android sandbox

Features

• A loadable kernel module (LKM) is placed in the Android emulator environment.

• The LKM is intended to hijack all available system calls.

• Two-step analysis of Android applications: a fast static pre-check, then the kernel-space sandbox.

• AASandbox takes an Android application archive, packaged as a *.apk file, as input.

• Java virtual machine: Dalvik.

Page 11: Android sandbox

Static analysis of AASandbox

• The APK is scanned for special patterns, e.g. Runtime.exec().

• Decompression: the APK is a zip file containing AndroidManifest.xml (descriptions, security permissions), classes.dex (the complete bytecode) and res/ (layout, language, etc.).

• Decompilation: the classes.dex bytecode is converted with Baksmali into a human-readable, easily parsable pseudocode format.

• Pattern search: Java Native Interface, System.getRuntime().exec(..), services & IPC provision, Android permissions.
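As an added illustration of the static pre-check described above (this is example code, not AASandbox's own), the following Python scans constructed baksmali-style disassembly lines for the indicators the slide lists and pulls the requested permissions out of a manifest; the indicator names, the smali spellings and the assumption that the manifest has already been decoded to plain XML are all mine.

```python
import re

# Indicators of the kind the static pre-check looks for, written as regexes over
# single lines of baksmali output (the smali spellings below are assumptions).
PATTERNS = [
    ("runtime_exec", re.compile(r"Ljava/lang/Runtime;->exec\(")),
    ("jni_native_method", re.compile(r"^\s*\.method\b.*\bnative\b")),
    ("load_native_library", re.compile(r"Ljava/lang/System;->loadLibrary\(")),
    ("binder_ipc", re.compile(r"Landroid/os/IBinder;->transact\(")),
]

def scan_smali(text):
    """Return {indicator: [line numbers]} for every pattern hit in the smali text."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in PATTERNS:
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

def manifest_permissions(xml):
    """Extract the permissions requested in AndroidManifest.xml (decoded XML text)."""
    return sorted(set(re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', xml)))

# Constructed sample: a fragment resembling baksmali output of a fork-bomb style app
# that declares a native method and starts an external binary via Runtime.exec().
SAMPLE_SMALI = """\
.class public Lcom/example/forkbomb/Main;
.method public native nativeHelper()V
.end method
.method public run()V
    invoke-static {}, Ljava/lang/Runtime;->getRuntime()Ljava/lang/Runtime;
    move-result-object v0
    const-string v1, "/data/data/com.example.forkbomb/bomb"
    invoke-virtual {v0, v1}, Ljava/lang/Runtime;->exec(Ljava/lang/String;)Ljava/lang/Process;
    return-void
.end method
"""

# Constructed sample manifest, already decoded from Android's binary XML.
SAMPLE_MANIFEST = """\
<manifest package="com.example.forkbomb">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""

if __name__ == "__main__":
    print(scan_smali(SAMPLE_SMALI))          # which indicators hit and on which lines
    print(manifest_permissions(SAMPLE_MANIFEST))
```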

Page 12: Android sandbox

Dynamic analysis of Android applications

Prepare & start emulator

• Mobile device emulator

• AVD (Android Virtual Device) configuration

Install AASandbox

• LKM (policy)

• Inserted by ADB (Android Debug Bridge)

Install APK & start monkey

• ADB

• 500 generated events

The app is installed in the Android emulator. User inputs: the "Android Monkey" tool generates pseudo-random streams of user events.

Page 13: Android sandbox

Experiments as examples

• Example application: a self-written fork bomb; it uses Runtime.exec() to start an external binary program.

• The app is started & the analysis is done.

• Static analysis: REPORTS/ForkBomb.apk/ with subdirectories such as unzipped/ & disasm/.

• The log file output after static analysis (shown on the slide).

Page 14: Android sandbox

Dynamic analysis of code

• The Android emulator starts; the app is installed via adb install ForkBomb.apk.

• Android Monkey is started via adb shell monkey -p $ACTIVITY -vv --throttle 1000 500.

• The output of the emulator is logged into LOGS/ForkBomb.apk-s2.log in the format shown on the slide.

Page 15: Android sandbox

Experimental analysis

• Up to 150 applications.

• With this information it is now possible to create a system call histogram (shown on the slide).

• The analysis is done on the top 150 popular applications from the official Android Market.

• Current status: malware characteristics & behaviour known from other platforms, e.g. Symbian OS, are analysed in the sandbox.
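As an added example of the system call histogram step (not AASandbox's own code), the Python below parses a constructed trace from the hijacked system calls, builds the per-application histogram and applies a simple process-spawn heuristic of the kind a fork bomb would trigger; the log line layout, the uid values and the threshold are assumptions, since the slide shows the real format only as an image.

```python
from collections import Counter
import re

# Assumed log line format for the hijacked system calls (the slide shows the real
# format only as an image, so this layout is constructed for the example):
#   <timestamp> pid=<pid> uid=<uid> sys_<name>(<args>) = <return value>
LOG_LINE = re.compile(r"^\S+ pid=(\d+) uid=(\d+) sys_(\w+)\(.*\) = (-?\d+)$")

def parse_log(lines):
    """Yield (pid, uid, syscall name, return value); unmatched lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4))

def syscall_histogram(lines, uid=None):
    """Count calls per system call name, optionally for a single app uid only
    (each Android app runs under its own uid, which keeps its trace separable)."""
    hist = Counter()
    for _pid, luid, name, _ret in parse_log(lines):
        if uid is None or luid == uid:
            hist[name] += 1
    return hist

def process_spawn_alert(lines, uid, threshold):
    """Fork-bomb heuristic: count fork/vfork/clone calls made by one uid and flag
    the app when the count reaches the threshold. Returns (count, alert)."""
    spawns = sum(1 for _p, luid, name, _r in parse_log(lines)
                 if luid == uid and name in ("fork", "vfork", "clone"))
    return spawns, spawns >= threshold

# Constructed sample trace: app uid 10042 opens and reads a binary, then clones
# repeatedly, while a system process (uid 1000) performs an ordinary read.
SAMPLE_LOG = """\
0.001 pid=311 uid=10042 sys_open("/data/data/com.example.forkbomb/bomb", 0) = 5
0.002 pid=311 uid=10042 sys_read(5, 0xbeef0000, 4096) = 4096
0.003 pid=311 uid=10042 sys_clone(0x1200011, 0) = 312
0.004 pid=312 uid=10042 sys_clone(0x1200011, 0) = 313
0.005 pid=313 uid=10042 sys_clone(0x1200011, 0) = 314
0.006 pid=314 uid=10042 sys_clone(0x1200011, 0) = 315
0.007 pid=57 uid=1000 sys_read(3, 0xabcd0000, 512) = 512
not a syscall record: monkey event 42
""".splitlines()

if __name__ == "__main__":
    for name, count in syscall_histogram(SAMPLE_LOG, uid=10042).most_common():
        print(f"{name:8s} {count}")
    print(process_spawn_alert(SAMPLE_LOG, uid=10042, threshold=3))
```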

Page 16: Android sandbox

Conclusion

• The Android emulator can be used to run Android applications in an isolated environment.

• The pre-check functionality analyses whether the source code indicates usage of malicious patterns.

• In dynamic analysis, system calls are traced & corresponding reports are logged.


Page 18: Android sandbox

THANK YOU