The purpose of this lab is to get you deeper into security issues
in/around Android using APKs of free open source versions
Recall the content of our
Background: The lecture notes titled APK (Malware) Dissection describes how we can dissect an APK. Reversing an APK goes further: Even without source code, given only the binary, can we re-generate a collection of source code files that will rebuild into an equivalent APK. During this rebuild, one can introduce additional pieces that can turn the APK into a Trojan.
Deliverables: A report similar to the one from the Internet Archive, but based on *your* experience of dissection and running.
Task: Study the design, the source code, and actual use of a malicious app. Use the one described below or some other, but open source, of your choice.
https://code.google.com/p/sms-bomber/ bombards your "friends" with many SMS in a short period. Study the code so that you truly understand all its internals. Before bombarding install an Anti SMS Spam app. Alternate download: https://github.com/pmateti/sms-bomber/
SMS messages can be sent among AVDs running on the same machine, but not between an AVD and a real device.
Deliverables: (i) A design description of the app. (ii) Screenshots showing all the bad effects implemented. (iii) The apk you chose. Include even if it is the one above. (iv) Complete source code bundled as a tar ball or zip.
Task: Experience a privacy enhancing app. Use the one described below or some other well trusted app of your choice.
TextSecure "encrypts your text and chat messages over the air and on your phone." It is available on Google Play. Downloading from F-Droid.org is recommended. FOSS: whispersystems.org.
Deliverables: (i) The apk you chose. Include even if it is the one above. (ii) A description why you trust this app. (iii) A design description of the app after a quick read of the source code. (iv) Selected screenshots of the app annotated.
Task: Learn more of Android Internals related to security. Answer any two of the "exercises" presented by the following app.
IGLearner app is designed to teach internals and security of Android through puzzles/ quizzes. It is available on Google Play. FOSS: github.com/intrepidusgroup/ig-learner
Deliverables: Studying the source code of iglearner is optional. (i) Your answers to two of the "exercises" presented by iglearner. (ii) Related annotated screenshots.
Task: Reverse engineer the details of an apk for which we do not have source code. Use the one described below or some other of your choice. It need not be a malware.
Zeam is an "underdog minimalistic launcher" rated 4+ stars, with a 1M+ installs. It is available on Google Play . It is free to use, but not known to be open source. Our goal is not to break the intentions of its author but practice the art of reversing on a tool that is impressively small for all the functionality it packs.
Deliverables: (i) The apk you chose. Include even if it is the one above. (ii) Bundle of all derived/ reverse engineered files as a tar ball or zip. (iii) A deduced design description of the app. (iv) Selected screenshots, not of the app but of the reversing, annotated.
This part is optional, but highly encouraged. Your score is proportional to your success. Bonus points, from P2, P3, ..., are used to help push you into one-better-letter grade than what you would otherwise get. E.g., if you are about get a B, with enough bonus points, you might get an A instead. This is done without having any lowering effect of the normal A's for other students. All of this is subjectively judged; no algorithmic details or grading rubric will be given.
Task: Write a pair of apps: one a malicious app (20 points) and the other that protects (20 points) from this app. These must be of your own design. Make sure that there are no lingering "bad" effects after terminating your app. Assume that your apps are side-loaded by the user, but verified by the built-in app-install subsystem.
Ten additional bonus points if your app is devious.
Deliverables: (i) A design description of the app. (ii) Screenshots showing each of the bad effects implemented. (iii) The APKs. (iv) Complete source code bundled as a tar ball or zip.
Common Contacts, edu.virginia.cs.secgrp.seccomp.contacts2, is available on Google Play. It deserves lot more downloads. It was done in 2011. "CommonContacts allows two users to collaboratively discover common entries in their address books without disclosing any other information about their contacts. The application uses a secure computation framework built using [author] Yao's garbled circuit technique. All computation involving private data is performed on encrypted data so no information is released to the other party (other than what can be inferred from the result)."
Task: (20 points) Web search and find its source code. Update this for Lollipop/Marshmallow. Use material design, etc. (20 points) Write a design document.
Deliverables: (i) A design description of the revised app. (ii) Screenshots showing off the revised app. (iii) The revised APK. (iv) Complete source code bundled as a tar ball or zip.
Prabhaker Mateti, (i) APK (Malware) Dissection Lecture Notes, 2016. (Includes reverse engineering of SimpleLocker.). (ii) Reversing an APK.