http://dx.doi.org/10.3837/tiis.2015.03.021

A Strengthened Android Signature Management Method  

Cho, Taenam (Dept. of Information Security, Woosuk University)
Seo, Seung-Hyun (Dept. of Mathematics, Korea University, Sejong Campus)
Publication Information
KSII Transactions on Internet and Information Systems (TIIS), vol. 9, no. 3, 2015, pp. 1210-1230
Abstract
Android is the world's most widely used smartphone OS, which consequently also makes it an attractive target for attackers. The most representative attack against Android apps is known as repackaging. This attack requires extensive reverse-engineering knowledge in order to modify the original app and insert malicious code into it. However, there is an easier way that circumvents the obstacle of reverse engineering: we have discovered a method of exploiting the Android code-signing process and demonstrate it by mounting a piece of malware as an example. We also propose a countermeasure to prevent this attack. In addition, as a proof of concept, we tested malicious code based on our attack technique on a sample app and improved the Java libraries related to code signing and verification to reflect our countermeasure.
Keywords
Android; Code-signing; Security; Malware