
Assignments

The practical exercises are meant to deepen your understanding of topics related to the lecture. In this course we take an approach that is slightly different from what you may have experienced in other courses: your own ideas may become part of an assignment. Instead of exercises in which every student solves the same task, the seminar-style class lets us highlight your individual contribution. What does that mean in practice? You get two assignments during the course. The first introduces you to the subject; the second challenges your individual skills and lets you work on a lecture-related project that you enjoy.

Task 1

The first assignment combines network analysis with mobile security. Your task is to analyse a set of at least three Android applications to find out whether they are susceptible to MITM attacks and whether their Play Store Data Safety claims are accurate. Some background on the relevant concepts is provided at the bottom of this page and on the assignment slides. You are expected to fill in the remaining details through your own research.

Prerequisites:

  • You are expected to be familiar with HTTP(S), TLS, proxies, MITM attacks and certificate pinning from earlier courses
  • Study the Android developer documentation on Network Security Configuration
  • Read up on the TrustManager and HostnameVerifier interfaces
    • What do they do?
    • When is an implementation insecure?
    • How are they called?
    • How can developers use custom implementations with common HTTP stacks?
  • Read up on certificate pinning on Android for the default HttpsURLConnection or OkHttp stacks
  • An unrooted Android device or emulator running Android 7.0 or newer (from Android 7.0 on, apps targeting API level 24 or higher no longer trust user-installed CA certificates by default, which is exactly what step 4 below has to work around)

The steps for each of the apps are:

  1. Try to intercept its traffic using a proxy server
  2. If the application uses only HTTP, or it uses HTTPS with insecure certificate validation (i.e. the proxy CA is accepted):
    • Insecure HTTPS: Decompile the app to figure out how this vulnerability was introduced. Document your findings and continue with step 5.
    • HTTP: Great find! Skip to step 5.
  3. Decompile the application (using apktool/jadx) to figure out why interception failed
    • Which HTTP stack is used? Is OkHttp’s CertificatePinner used, for example?
    • Is a custom TrustManager or HostnameVerifier defined? Is it actually used as well?
    • Is pinning configured in the Network Security Configuration?
  4. If no NSC is present (the secure default) or a secure NSC is used, make it insecure:
    • Modify NSC to trust user-installed certificates
    • Recompile and resign the APK
    • Install resigned APK and proceed
    • (If the modified APK crashes because the app verifies its own APK signature at runtime: document the crash in detail and go to step 6)
  5. Analyse the server communication:
    • Is the Play Store Data Safety section of the app accurate?
    • Are there any hard-coded secrets in the app (e.g. authorisation tokens, …)?
    • Any other interesting find in the communication?
  6. Document all findings in a scientific report (see below)
Please note: I’m sure I missed some case above. In general, if you don’t end up at step 6, or for some reason cannot sensibly follow a step, pick another app 😉
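Steps 1, 3 and 4 as one worked example. This is an added helper script and not part of the assignment material; it assumes adb, apktool, zipalign and apksigner are on the PATH, a signing keystore passed via KEYSTORE and KEYSTORE_PASS, and all file and function names below are the example's own. The NSC it writes trusts system and user CAs for all connections, so a proxy CA installed via Settings is accepted once the patched APK is installed.

```bash
#!/usr/bin/env bash
# Added example, not from the assignment page. Hypothetical helper script for
# steps 1, 3 and 4: route device traffic through a proxy, triage decompiled
# sources for pinning indicators, and rebuild the APK with a Network Security
# Configuration that trusts user-installed CAs.
# Assumptions: adb, apktool, zipalign, apksigner on PATH; signing keystore via
# KEYSTORE / KEYSTORE_PASS; all names below are the example's own.
set -eu

# Step 1: send the device's/emulator's HTTP(S) traffic to the proxy (host:port).
# The proxy's CA still has to be installed as a *user* CA via Settings, and an
# app only honours it after step 4 has been applied.
set_device_proxy() {
  adb shell settings put global http_proxy "$1"
}
unset_device_proxy() {
  adb shell settings put global http_proxy :0
}

# Step 3: grep jadx/apktool output for the indicators named in the assignment.
# Prints file:line:text for each hit; exits 0 even when nothing matches.
triage_sources() {
  grep -rnE 'CertificatePinner|X509TrustManager|checkServerTrusted|HostnameVerifier|networkSecurityConfig|<pin-set|TrustKit' "$1" || true
}

# Step 4a: an NSC that trusts system and user CAs and permits cleartext.
# It declares no <pin-set>, so pins from the app's previous config are dropped.
write_insecure_nsc() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
EOF
}

# Step 4a: point <application> at our config, replacing an existing
# android:networkSecurityConfig attribute if the app already had one.
patch_manifest() {
  if grep -q 'android:networkSecurityConfig=' "$1"; then
    sed -i 's#android:networkSecurityConfig="[^"]*"#android:networkSecurityConfig="@xml/network_security_config"#' "$1"
  else
    sed -i 's#<application #<application android:networkSecurityConfig="@xml/network_security_config" #' "$1"
  fi
}

# Step 4b: decompile, patch, rebuild, zipalign, resign, install.
# zipalign must run before apksigner, otherwise the v2 signature is invalidated.
repack_with_user_cas() {
  local apk="$1" work="${1%.apk}_decoded" base="${1%.apk}"
  apktool d -f -o "$work" "$apk"
  mkdir -p "$work/res/xml"
  write_insecure_nsc "$work/res/xml/network_security_config.xml"
  patch_manifest "$work/AndroidManifest.xml"
  apktool b -o "${base}_unsigned.apk" "$work"
  zipalign -p -f 4 "${base}_unsigned.apk" "${base}_aligned.apk"
  apksigner sign --ks "$KEYSTORE" --ks-pass "pass:$KEYSTORE_PASS" \
    --out "${base}_patched.apk" "${base}_aligned.apk"
  adb install -r "${base}_patched.apk"
}

# Usage: KEYSTORE=debug.keystore KEYSTORE_PASS=android ./nsc_patch.sh app.apk 10.0.2.2:8080
if [ $# -ge 1 ]; then
  if [ $# -ge 2 ]; then set_device_proxy "$2"; fi
  repack_with_user_cas "$1"
fi
```

Two caveats follow from the procedure itself. Resigning replaces the developer's signing certificate with yours, so an app that checks its own signature at runtime will fail; that is the crash the note in step 4 asks you to document. And the NSC only governs trust anchors: if the triage in step 3 showed pinning in code (OkHttp's CertificatePinner, a custom TrustManager), that check is enforced independently of the trust anchors and editing the NSC alone will not make interception work.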

Report Format

Your report is a scientific document, so it is supposed to:

  • Demonstrate your understanding of the topics mentioned in Prerequisites
  • Be well-structured, including a short conclusion for every app
  • Use appropriate language
    • Full sentences, not just a list of bullet points
  • Provide full reasoning for decisions and steps taken
  • Include code or communication snippets as text, not as screenshots (if possible)
  • Explain all steps, not simply refer to blog posts or tutorials
  • Document your environment and procedures

Include your report in your submission as a PDF document.

Submission

Important: Submit your report by 19.04.2024 at 23:59 by sending an e-mail to mobilesec@iaik.tugraz.at. Include your name and matriculation number in the e-mail.

Resources

The following is a small list of task-related links that may help you deepen your understanding of what you should do.

FAQ

Q: Are we allowed to use tool XYZ?

A: If it automates the traffic analysis: No! Otherwise: Ask on Discord.

Task 2

You will have the opportunity to propose a course-related topic of your choice for this assignment. Otherwise, you may choose one of the suggested topics. In terms of content, the focus is on fast-prototyping research that might form the basis for subsequent projects at our institute. Please send a ZIP archive of your final work, or a link to a Git repository, by TODO at 23:59 to mobilesec@iaik.tugraz.at. Documentation of the source code would be nice but is not strictly required. If you prefer, you can of course hand in your final delivery together with your presentation. All information regarding the presentation can be found here.