Analyzing Android Applications
As mobile phones are becoming the main way for people to access the Internet, security is a major concern when people use their mobile phones. Unlike the web browser, which has mature isolation mechanisms to protect users' information such as cookies and credentials, Android app developers have to implement isolation mechanisms such as the Single Origin Policy (SOP) themselves. During the implementation process, it is highly likely that a vulnerability is introduced. Therefore, it is necessary to analyze the implementation before it is released to market. As part of an ongoing Ph.D. research project, this dissertation inspects two scenarios. The first scenario is an app that provides Single Sign-on (SSO) service using the Facebook SDK. The author builds formal models from the captured network traffic of the app and uses the verifier ProVerif to check them against the defined properties of the formal models. After the analysis, one vulnerability is discovered which violates SOP. The second scenario is an initial analysis of information flow leaks in Android apps.
Information security is becoming more and more important nowadays. Companies, governments and militaries connect themselves to the Internet for various reasons, such as to provide services to the public, to cooperate with partners and to allow their staff to work remotely. However, when they connect to the Internet, they also expose a possible entrance for adversaries to break into their internal networks and access their private data if there are vulnerabilities. The same holds for an individual who connects to the Internet with a mobile device. Personal data leaks may cause trouble or even financial loss.

As mobile devices are replacing the traditional desktop as the main portal to the Internet, people rely on their mobile devices to handle all sorts of daily activities such as online shopping, Internet banking and subscribing to premium services, which were almost impossible on mobile devices in the past. One might not even realize that one's mobile device stores so much personal information that the security of such information on these devices has become a critical and serious problem.

The Android operating system has become the most popular mobile operating system; however, Android apps are not as secure as one might think they should be. The vulnerabilities might come from flaws in the protocol an Android application adopts, from misunderstandings when implementing protocols in apps, from not being aware of the assumptions made when using certain SDKs, and even from the Android operating system itself. Many of the vulnerabilities are actually implementation specific.
Therefore, it is imperative to study the security properties of concrete implementations of Android apps in order to improve their security level. In this dissertation, the author presents the preliminary results of his ongoing research project in two main scenarios: a formal analysis of Android apps that provide Single Sign-on (SSO) service, and an initial analysis of information flow leaks in Android apps.
SSO Background

With the development of information technology, more and more websites emerge, and they need to record users' data. A user needs to register at these websites before using their services. However, the more accounts a user has, the more reluctant the user becomes to register new accounts, as this increases the cost of managing different accounts across different websites. Therefore, the user may tend to use the same password for different accounts. Nevertheless, this inevitably increases the risk that one compromised password endangers the user's identities on other websites: the attacker can try to break into the user's other accounts with a brute-force attack, and the situation is even worse when the user chooses a simple password.

Single Sign-on is an authentication scheme which allows a user to log in to a third-party application (service provider, SP) with the identity it registered at an identity provider (IdP). This protocol mainly involves three parties, namely the user, the SP and the IdP. Although the SSO protocol does not solve the problem of using the same password across different websites, it simplifies the account creation process or even skips it entirely, which eases the burden when a user uses a new website