UP | HOME
2019-03-27 ../../

Lab on ShellShock StageFright and HeartBleed

1 Objectives

The purpose of this lab is to bring awareness of three highly publicized exploits named ShellShock, StageFright, HeartBleed. Two of these were not Android-specific, but Android users became alarmed because of the hype.

2 Background

  1. This is a lab in the course Android Internals and Security.
  2. You will be installing two checker APKs for each, available from trusted repositories.
  3. It is safe to do this lab on a real device.

3 Tasks

3.1 Task: ShellShock

Learn what the ShellShock bug and its exploits are. E.g., read https://en.wikipedia.org/wiki/Shellshock_(software_bug). Install at least two shellshock checker APKs.

3.2 Task: StageFright

Learn what the StageFright bug and its exploits are. E.g., read (i) http://www.androidcentral.com/stagefright and (ii) https://en.wikipedia.org/wiki/Stagefright_(bug)? There are several APKs that check if your device is secure with respect to this bug. Install at least two such checker APKs.

3.3 Task: HeartBleed

Learn what the HeartBleed bug and its exploits are. E.g., read about it at http://heartbleed.com/. There are several APKs that check if your device is secure with respect to this bug. Install at least two such checker APKs.

3.4 Bonus Task

Compare the two APKs for each of the three exploits and write a comparative critique.

3.5 Deliverables

For each of the three tasks, the deliverables are as follows. (i) Include a brief (half-a-page?) technical description of what the bug/exploit is. (ii) Include names of the two APKs you installed, selected screenshots. Describe how one of the two APKs (of your choice) is working. Is the APK accurately reporting if your Android device has it? (iii) How would you make sure that your device is unaffected? Include these answers in the report PDF.

4 Submission

Submit on Pilot.

There should be one pdf file named exactly Report-SSSFHB.pdf that includes the full names of six APK files, all screenshots, and your commentary on all aspects of this lab. Scripts are used to check various things – so file names should obey "rules". Suggestions as to what this commentary should focus on are spread out in the above.

5 References

  1. Embedded in the above.
  2. Search on Google Scholar.

6 End


Copyright © 2019 Dr Prabhaker Mateti • 2019-03-27