SoftwarE

HIDEDROID HideDroid is an Android app that allows the per-app anonymization of collected personal data according to a privacy level chosen by the user.

In a nutshell, HideDroid collects all the network traffic generated by the invocation of API calls belonging to analytics libraries, and extract the exported data.

Then, it anonymizes the personal and device data using a generalization technique, and the data related to the user’s behavior using an approach based on the concept of local differential privacy, in a way that preserves as much data semantics as possible.

Finally, the anonymized data are sent to the expected recipients by mimicking the original network calls.

Source code: HideDroid Github

Official publication: You can't always get what you want: towards user-controlled privacy on Android

For more information please contact davide.caputo@dibris.unige.it.

Team

• Davide Caputo, Unversity of Genova, Italy

• Francesco Pagano, Unversity of Genova, Italy

• Giovanni Bottino, Unversity of Genova, Italy

• Luca Verderame, University of Genoa, Italy

• Alessio Merlo, University of Genoa, Italy

PATRIOTIC (Pervasive Anti-Tampering and anti-Repackaging for IoT for Integrated C-based firmware) is the first solution aimed at making IoT firmware self-resistant against repackaging through the whole production and delivery process.

PATRIOTIC support the protection of IoT firmware designed in C/C++ programming language. The methodology exploits the use of cryptographically obfuscated logic bombs (CLB) to hide anti-tampering (AT) checks directly in the firmware code.

Source code: PATRIOTIC Github

Official publication: PATRIOT: Anti-Repackaging for IoT firmware

For more information please contact luca.verderame@dibris.unige.it.

Team

• Antonio Ruggia, Unversity of Genoa, Italy

• Luca Verderame, University of Genoa, Italy

• Alessio Merlo, University of Genoa, Italy

MARVEL (Mobile-app Anti-Repackaging for Virtual Environments Locking) is an anti-repackaging protection scheme that leverages the virtualization technique to mitigate traditional and virtualization-based repackaging attacks.

The implementation of MARVEL that consists of:

• Trusted Container, a virtualization app that extends the VirtualApp framework and is responsible for the enforcement of the MARVEL runtime protection.

• MARVELoid, a Java tool that implements the MARVEL protection scheme for Android apps. The tool protects a plugin app by using code splitting and Interconnected Anti-Tampering Control (IAT). Code splitting allows to remove portions of code from the original app, thus introducing mitigation against static analysis inspection. IATs involve the injection of integrity controls, evaluated during the interaction between the Trusted Container and a plugin app.

Source code: MARVEL Github

Official publication: ACSAC Conference 2021

For more information please contact luca.verderame@dibris.unige.it.

Team

• Antonio Ruggia, Unversity of Genoa, Italy

• Eleonora Losiouk, University of Padua, Italy

• Luca Verderame, University of Genoa, Italy

• Mauro Conti, University of Padua, Italy

• Alessio Merlo, University of Genoa, Italy

App repackaging refers to the practice of customizing an existing mobile app and redistributing it in the wild to fool the final user into installing the repackaged app instead of the original one. In this way, an attacker can embed malicious payload into a legitimate app for different aims, such as access to premium features, redirect revenue, or access to user’s private data.

In the Android ecosystem, apps are available on public stores, and the only requirement for an app to execute properly is to be digitally signed. Due to this, the repackaging threat is widely spread. Anti-repackaging techniques aim to make harder the repackaging process for anattack adding logical controls - called detection node - in the app at compile-time. Such controls check the app integrity at runtime to detect tampering. If tampering is recognized, the detection nodes lead the repackaged app to fail (e.g., throwing an exception).

From an attacker’s standpoint, she must detect and bypass all controls to repackage safely. We propose a novel anti-repackaging scheme - called ARMAND (Anti-Repackaging through Multi-pattern Anti-tampering based on Native Detection) - which aims to overcome the limitations of the current protection schemes. We have implemented this scheme into a prototype - named ARMANDroid - for Android ecosystems, which leverages multiple protection patterns and relies on native code.</p>

Tool

The original docker image is available on DockerHub.

The ARMANDroid jar library and Dockerfile are available on Github.

For more information please contact luca.verderame@dibris.unige.it.

Team

• Alessio Merlo, University of Genova, Italy

• Antonio Ruggia, University of Genova, Italy

• Luigi Sciolla

• Luca Verderame, University of Genova, Italy

ARES is a black-box tool that uses Deep Reinforcement Learning to test and explore Android applications.

Abstract

The state space of Android apps is huge and its thorough exploration during testing remains a major challenge. In fact, the best exploration strategy is highly dependent on the features of the app under test. Reinforcement Learning (RL) is a machine learning technique that learns the optimal strategy to solve a task by trial and error, guided by positive or negative reward, rather than by explicit supervision. Deep RL is a recent extension of RL that takes advantage of the learning capabilities of neural networks. Such capabilities make Deep RL suitable for complex exploration spaces such as the one of Android apps. However, state of the art, publicly available tools only support basic, tabular RL. We have developed ARES, a Deep RL approach for black-box testing of Android apps. Experimental results show that it achieves higher coverage and fault revelation than the baselines, which include state of the art RL based tools, such as TimeMachine and Q-Testing. We also investigated qualitatively the reasons behind such performance and we have identified the key features of Android apps that make Deep RL particularly effective on them to be the presence of chained and blocking activities.

Source code: ARES Github

For more information please contact andrea.romdhana@dibris.unige.it.

Team

• Andrea Romdhana, University of Genova & FBK Security and Trust Unit, Italy

• Alessio Merlo, University of Genova

• Mariano Ceccato, Università di Verona, Italy

• Paolo Tonella, Università della Svizzera italiana, Switzerland

The access to privacy-sensitive information on Android is a growing concern in the mobile community. Albeit Google Play recently introduced someprivacy guidelines, it is still an open problem to soundly verify whether apps actuallycomply with such rules. To this aim, in this work, we discuss a novel methodology based on a fruitful combination of static analysis, dynamic analysis, and machine learning techniques, which allows assessing such compliance. More in detail, our methodology checks whether each app i) contains a privacy policy that complies with the Google Play privacy guidelines, and ii) accesses privacy-sensitive information only upon the acceptance of the policy by the user.
Furthermore, the methodology also allows checking the compliance of third-party libraries embeddedin the apps w.r.t. the same privacy guidelines. We implemented our methodology in a tool, 3PDroid, and we carried out an assessment on a set of recent and most-downloaded Android apps in the Google Play Store. Experimental results suggest that more than 95% of apps access user’s privacy-sensitive information, but just a negligible subset of them (≈1%) fully complies with the Google Play privacy guidelines.

Demo and Results: The results of the experimental evaluation described in the paper can be downloaded here.

Source code: 3PDroid Github

For more information please contact luca.verderame@dibris.unige.it.

Team

• Luca Verderame, University of Genova, Italy

• Davide Caputo, University of Genova, Italy

• Andrea Romdhana, University of Genova, Italy

• Alessio Merlo, University of Genova, Italy

The first step of every attack is reconnaissance, i.e., to acquire information about the target. A common belief is that there is almost no risk in scanning a target from a remote location. In this paper we falsify this belief by showing that scanners are exposed to the same risks as their targets. Our methodology is based on a novel attacker model where the scan author becomes the victim of a counter-strike. We developed a working prototype, called RevOK, and we applied it to 78 scanning systems. Out of them, 36 were found vulnerable to XSS. Remarkably, RevOK also found a severe vulnerability in Metasploit Pro, a mainstream penetration testing tool

Source code: RevOK Github

Obfuscapk is a modular Python tool for obfuscating Android apps without needing their source code, since apktool is used to decompile the original apk file and to build a new application, after applying some obfuscation techniques on the decompiled smali code, resources and manifest. The obfuscated app retains the same functionality as the original one, but the differences under the hood sometimes make the new application very different from the original (e.g., to signature-based antivirus software).

Source code: https://github.com/ClaudiuGeorgiu/Obfuscapk

A guided mutation-based fuzzer for ML-based Web Application Firewalls, inspired by AFL and based on the FuzzingBook by Andreas Zeller et al. Given an input SQL injection query, it tries to produce a semantic invariant query that is able to bypass the target WAF. You can use this tool for assessing the robustness of your product by letting WAF-A-MoLE explore the solution space to find dangerous "blind spots" left uncovered by the target classifier.

Source code: WAF-A-MoLE Github

FCDroid (Frame Confusion Android) is a tool to detect automatically the Frame Confusion vulnerability in Android hybrid apps.

Frame Confusion is a vulnerability affecting hybrid applications which allows circumventing the isolation granted by the Same-Origin Policy. The detection of such vulnerability is still carried out manually by application developers, but the process is error-prone and often underestimated. In this article, we propose a sound and complete methodology to detect the Frame Confusion on Android as well as a publicly-released tool (i.e., FCDroid) which implements such methodology and allows to detect the Frame Confusion in hybrid applications, automatically. We also make public the results obtained by analyzing 50K apps using FCDroid, which have revealed that many hybrid applications suffer from Frame Confusion.

Source code: FCDroid GitHub

RiskInDroid (Risk Index for Android) is a tool for quantitative risk analysis of Android applications written in Java (used to check the permissions of the apps) and Python (used to compute a risk value based on apps’ permissions). The tool uses classification techniques through scikit-learn, a machine learning library for Python, in order to generate a numeric risk value between 0 and 100 for a given app. In particular, the following classifiers of scikit-learn are used in RiskInDroid (this list is chosen after extensive empirical assessments):

• Support Vector Machines (SVM)

• Multinomial Naive Bayes (MNB)

• Gradient Boosting (GB)

• Logistic Regression (LR)

Unlike other tools, RiskInDroid does not take into consideration only the permissions declared into the app manifest, but carries out reverse engineering on the apps to retrieve the bytecode and then infers (through static analysis) which permissions are actually used and which not, extracting in this way 4 sets of permissions for every analyzed app:

• Declared permissions - extracted from the app manifest

• Exploited permissions - declared and actually used in the bytecode

• Ghost permissions - not declared but with usages in the bytecode

• Useless permissions - declared but never used in the bytecode

From the above sets of permissions (and considering only the official list of Android permissions), feature vectors (made by 0s and 1s) are built and given to the classifiers, which then compute a risk value. The precision and the reliability of RiskInDroid have been empirically tested on a dataset made of more than 6K malware samples and 112K apps.

Source code: RiskInDroid Github