• Journal of Internet Computing and Services
• /
• v.17 no.6
• /
• pp.93-101
• /
• 2016

As the Android smart phones become more popular, applications that handle users' personal data such as IDs or passwords and those that handle data directly related to companies' income such as in-game items are also increasing. Despite the need for such information to be protected, it can be modified by malicious users or leaked by attackers on the Android. The reason that this happens is because debugging functions of the Linux, base of the Android, are abused. If an application uses debugging functions, it can access the virtual memory of other applications. To prevent such abuse, access controls should be reinforced. However, these functions have been incorporated into Android O.S from its Linux base in unmodified form. In this paper, based on an analysis of both existing memory access functions and the Android environment, we proposes a function that verifies thread group ID and then protects against illegal use to reinforce access control. We conducted experiments to verify that the proposed method effectively reinforces access control. To do that, we made a simple application and modified data of the experimental application by using well-established memory editing applications. Under the existing Android environment, the memory editor applications could modify our application's data, but, after incorporating our changes on the same Android Operating System, it could not.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.6
• /
• pp.1457-1465
• /
• 2017

With the growing of smart devices market, malicious behavior has gradually expanded its scope. Accordingly, many studies have been conducted to analyze malicious apps and automated analysis tools have been released. However these tools cause the side effects that the application protection tools such as ProGuard, DexGuard become vulnerable to analyzers or attackers. This paper suggests the protection mechanism to apply to the Android apps using security token, rather than general-purpose protection solutions that can be applied in malicious apps. The main features of this technique are that Android app is not properly loaded in the memory when the security token is abnormal or is not inserted and protected parts using the technique are not exposed.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.30 no.5
• /
• pp.881-893
• /
• 2020

CFI(Control Flow Integrity) is a mitigation mechanism that protects programs by verifying control flows. IFCC(Indirect Function Call Checks) and SCS(Shadow Call Stack), CFI supported by LLVM Clang compiler, were introduced to protect applications in Android. IFCC protects function calls and SCS protects function returns. In this paper, we propose attacks to bypass CFI on the application environment with IFCC and SCS. Even if IFCC and SCS were applied to user applications, it was confirmed that there were many code segments not protected by IFCC and SCS in the application memory. We execute code in CFI unprotected segments to construct 1) bypassing IFCC to call a protected function, 2) modulating return address via SCS bypass. We identify code segments not protected by IFCC and SCS in Android10 QP1A. 191005.007.A3. We also implement proof-of-concept exploits to demonstrate that modulation of control flow is possible in an environment where IFCC and SCS are applied.

• Journal of the Korea Society of Computer and Information
• /
• v.17 no.11
• /
• pp.101-105
• /
• 2012

Various social problems through violating personal information and privacy are growing with the rapid spread of smartphones. For this reason, variety of researches and technology developments to protect personal information being made. The smartphone, contains almost all of the personal information, can cause data spill at any time. Collecting or analyzing evidence is not an easy job with forensic analyzing tool. Android forensics research has been focused on techniques to collect and analyze data from non-volatile memory but research for volatile data is very slight. Android log is the non-volatile data that can be collected by volatile storage. It is enough to use as a material to track the usage of the Android phone because all of the recent driven records from system to application are stored. In this paper, we propose a method to respond to determining the existence of personal information leakage by filtering logs without forensic analysis tools.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.6
• /
• pp.1049-1055
• /
• 2013

Smartphones are rapidly growing because of easy installation of the apps (application software) that users actually want. There are increasingly many apps that require cryptographic suites to be installed, for instance, for protecting account and financial data. Android platform provides protection mechanisms for memory and storage based on Linux kernel, but they are vulnerable to rooting attacks. In this paper, we analyze security mechanisms of Android platform and point out security problems. We show the security vulnerabilities of several commercial apps and suggest appropriate countermeasures.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.4
• /
• pp.873-880
• /
• 2015

Since hardware-based kernel-integrity monitoring systems run in the environments that are isolated from the monitored OS, attackers in the monitored OS cannot undermine the security of monitoring systems. However, because the monitoring is performed by using physical addresses, the hardware-based monitoring systems are vulnerable to Address Translation Redirection Attack (ATRA) that manipulates virtual-to-physical memory translations. To ameliorate this problem, we propose a scheduler-based ATRA detection method. The method detects ATRA during the process scheduling by leveraging the fact that kernel scheduler engages every context switch of processes. We implemented a prototype on Android emulator and TizenTV, and verified that it successfully detected ATRA without incurring any significant performance loss.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.27 no.6
• /
• pp.1271-1280
• /
• 2017

The android packer service using runtime execution compression technology switches to the original application using DexClassLoader. However the API interface of the DexClassLoader receives the path of the loaded DEX(Dalvik EXcutable) and the path of the compiled file. So there is a problem that the original file is exposed to the file system. Therefore, it is not safe to use the API for the packer service. In this paper, we solve this problem by changing the compile and load flow of the DexClassLoader API. Due to this changed execution flow, the complied file can be encrypted and stored in the file system or only in the memory and it can be decrypted or substituted at the time of subsequent loading to enable the original application conversion. we expected that the stability of the packer will increase beacause the proposed method does not expose the original file to the file system.