Sunday, 18 September 2016

XPrivacy: Dealing with Data Leakage in Android Apps

There has been a significant increase in the number of Android users across the globe in recent years, and all of these end users depend on Google’s Play Store to install applications. The Play Store is considered a trusted repository of applications because Google verifies the app’s content, author etc., certifies it to be safe, and then hosts it on the Play Store.
One can reverse engineer an app, add malicious content and host it on the Play Store again under the same name in order to trick users. This is the point at which we have to be really careful. Once the app is found to be malicious, Google automatically uninstalls it from all the devices that have installed it, but we cannot wait for that to happen. Suppose the malicious content added to the app is capable of stealthily sending data to a remote server, leaving no visible traces. Unless someone figures this out and reports it to Google, or Google finds it on its own, the app will go on spreading all over the world, stealing data.
A trustworthy app can be recognized by crowdsourcing. The number of downloads of an application is a good indicator of trustworthiness: a well-known app will definitely have several thousand downloads. But this alone is not a measure of security; a huge number of downloads does not mean that the app is secure. It just means that many people have downloaded and used it, and there are no ‘visible’ security flaws as such.
You must have installed an application on an Android phone at least once. While installing, an app asks for permissions to access several other applications on your phone. Most of us do not even take the time to read through the permissions the app asks for; we go ahead and click the ‘Allow’ button right away. Have you ever thought about why this app, say X, requires so-and-so permissions on your device? Let me give you an example. You must have used the Pokemon Go app. Why does this app ask for permission to even modify your contact list? When you feel that app X does not need access to apps like Gallery and Contacts, is it possible to deny permission to Gallery and Contacts alone, grant whichever permissions you feel are required, and still install the app?
The answer is yes! You can selectively deny permissions for an app and still install it successfully. Therefore, you are the one who ensures your privacy. Why blame the app owners for what they are taking from you? In order to install an app, you have to give permissions, and when you give permissions, you are giving the app owner full rights to steal whatever data they want from your device! Privacy matters a lot, and it is in your hands.
Now, coming back to the point: how do we selectively deny permissions for an application? There is an app called XPrivacy which helps you achieve this. All you need is a rooted Android device. When you buy an Android phone, the manufacturer might have put some restrictions on the device. Rooting is a process by which you can overcome those restrictions and get privileged access. Rooting also makes it possible to replace the OS that is present on your device by default (called the stock ROM). After rooting, you can install a custom ROM of your choice, like CyanogenMod, Paranoid Android, Omni-ROM, MIUI etc. This process is called flashing. Most users don’t understand rooting. (In case you want to read up on this, I am giving you this link to my blog post, in which I wrote how to root a Sony Xperia E device. Click here to read more. The blog post is exclusive to the Sony Xperia E device.) Rooting methods differ from device to device and version to version.
Now, let us think about how the XPrivacy app is able to do selective denial. A group of developers on the famous Android forum, the XDA Developers forum, has developed a framework called Xposed, consisting of several modules, one of which is XPrivacy. The app works on the basis of a mock response mechanism. Once this app is installed on your phone, for every other app that you install, you can decide which of the permissions it asks for are to be granted. The rest of the permissions asked for by the new app are answered with a mock response; that is, XPrivacy sends an empty template as the response to the app. To understand this better, let me illustrate with an example. Say you have to install a new app X. You found it on the Play Store and clicked on Install, and it is now asking for permissions to access your Contacts, Location, Calendar and Gallery.
You feel that the permissions asked for the Calendar and Gallery are legitimate and must-have, but you don’t think there is a need to access your Contacts and Location. Since the XPrivacy app is already installed on your device, it runs in the background and allows you to select only what is required, i.e., the Calendar and Gallery. The other two, namely Contacts and Location, are answered with fake data or an empty template of a contact list and location, so that the app believes everything it asked for has been granted, while you ensure that there is no leakage of data. We can also selectively deny or grant permissions for already installed applications. The following is a screenshot of the XPrivacy app.
Fig. 1: A glance into the XPrivacy app [Source: Google]
In the above screenshot (Fig. 1), you can see a checkbox for every app present on the device, which you can select or deselect. The XPrivacy app is released for the Lollipop and Marshmallow versions as well.
Hence, the key takeaway is: pay attention while installing applications on your device, and do not give away too much. Take time to check what is really required, and grant access on a need-to-have basis.

Authored by Priyanka Shetti
TCS Enterprise Security and Risk Management

Importance of Secure coding

Bringing in more security demands more complexity, whatever the scenario may be. To secure your house, you put multiple locks and fix a camera on the premises. To secure your cell phone, you set up a screen lock, fingerprint scanning and multiple levels of authentication. To secure the documents on your computer, you encrypt them. This holds true even for operating systems.
In an operating system, there is a huge volume of code, which is written by the developers, then compiled and tested multiple times to check its effectiveness and performance. Though a lengthy testing process is carried out before the OS launch (even using static and dynamic testing tools), there could be some bugs (vulnerabilities) which were not caught by the tool or the tester. These bugs are not errors as such and would not raise an exception at runtime, but they have the potential to be exploited and to open a backdoor into the system.
The operating system is guaranteed to start at boot, and since it has administrator privileges, an attacker who pushes malicious code into it is guaranteed access to the system. Assuming that most users are aware of application-level flaws, this article is written more from an OS kernel perspective. But the secure coding practices to be followed are applicable to the applications on the OS as well.
As the famous saying goes, security is as strong as its weakest link. This weakest link could be a bad coding practice of the programmer or an irrelevant line of code, which could result in a successful exploit. Let me give you a scenario for a better understanding.
A developer needs to copy the contents of one string to another. A built-in library function used for this is strcpy(). The syntax of strcpy() goes like this:
                           strcpy(string1,string2)
which copies the contents of string2 into string1.
Case 1: Suppose string1 and string2 are character arrays of length 10. Contents of string2 would be copied to string1, as expected.
Case 2: Suppose string1 and string2 are character arrays of length 10 and 6 respectively. Contents of string2 would be copied to string1, as expected.
Case 3: The real exploit! Here comes the twist. Suppose string1 and string2 are character arrays of length 6 and 10 respectively. Ever wondered what would happen?
The system would try to accommodate the 10 characters of string2 in string1, which string1 cannot hold. This results in a condition called buffer overflow. As we all know, every data variable is stored in its respective section of memory. In the attempt to write 10 characters in place of 6, the remaining 4 characters, which string1 could not accommodate, overwrite the next 4 bytes of the memory address space, and the return address pointer gets overwritten. This could reveal memory address space details on the user terminal, which is a security flaw and could be used to mount another exploit!
Blunt code always lures attackers. This is a very basic example of how dangerous a small vulnerability could be. The developer should have checked the length of both strings and only then issued the copy command. The safest way to do this is to use the strncpy() function, which checks for the length of the strings to be copied as well.
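Case 3 as an added example in C (not code from the original article): the unbounded strcpy() form beside a bounded copy built on strncpy(). Since strncpy() does not write a terminating NUL when the source is as long as or longer than the count, the helper copy_bounded() (a hypothetical name) terminates explicitly and reports truncation; the struct layout with a guard field is constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: guard stands in for whatever follows string1 in memory. */
struct frame {
    char string1[6];
    char guard[4];
};

/* The article's unsafe form: strcpy() has no idea how big dst is.
 * With a 10-byte source and a 6-byte dst it writes past the end of dst.
 * Shown for comparison only; it is never called below. */
void copy_unbounded(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hypothetical helper: bounded copy that always NUL-terminates.
 * Returns 0 if src fit completely, -1 if it was truncated or dst_len is 0. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0)
        return -1;
    strncpy(dst, src, dst_len - 1);   /* copies at most dst_len - 1 bytes */
    dst[dst_len - 1] = '\0';          /* required when src has dst_len - 1 or more characters */
    return strlen(src) < dst_len ? 0 : -1;
}

int main(void)
{
    struct frame f;
    const char *string2 = "ABCDEFGHI";   /* constructed input: 9 characters + NUL = 10 bytes */

    memcpy(f.guard, "GRD", sizeof f.guard);
    int rc = copy_bounded(f.string1, sizeof f.string1, string2);

    /* The copy is truncated and flagged; the bytes after string1 are untouched. */
    printf("rc=%d string1=\"%s\" guard=\"%s\"\n", rc, f.string1, f.guard);
    return rc == -1 ? 0 : 1;
}
```

A caller should treat the -1 return as an error rather than silently continuing with truncated data.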
There is another attack called Return Oriented Programming (ROP), wherein the clever attacker places his shellcode (malicious code crafted by him to carry out an exploit) in the memory section called the buffer. After the buffer lies the region that stores return addresses. The attacker carries out a buffer overflow that wipes out the return address, and makes the return address point to his shellcode in the buffer so that it gets executed. The results of this attack could be disastrous! The attack could go on and on, in a chained, never-ending manner.
The bottom line of this article is to always adopt secure coding practices. It is always safe to stay updated by applying patches regularly, because these patches are fixes for the OS’s vulnerabilities, which were either found by the developers or reported to them and have been taken care of.
So, as developers and end users, let’s practice the art of secure coding, let’s stay updated on the latest bugs and fixes, and let’s be aware of why secure coding and other security methods are important.
Authored by Priyanka Shetti
TCS Enterprise Security and Risk Management