
Need an account to vote? Register to attend at gsec.hitb.org/sg2017/


Androsia: A Tool for Securing 'In Memory' Data

Samit Anwer


Each Android app runs in its own VM, with every VM allocated a limited heap size for creating new objects. Neither the app nor the OS differentiates between regular objects and objects that contain security-sensitive information like user authentication credentials, authorization tokens, en/decryption keys, PINs, etc. These critical objects, like any other object, are kept around in the heap until the OS hits a memory constraint and realizes that it needs more memory. The OS then chooses to invoke the garbage collector in order to reclaim memory from the apps.

Java does not provide explicit APIs to reclaim memory occupied by objects. This leaves a window of time where the security-critical objects live in memory and wait to be garbage collected. During this window, a compromise of the app can allow an attacker to read the credentials. This is a needless risk every Android application lives with today. To exacerbate the situation, apps today make heavy use of identity providers to implement OpenID/OAuth based authentication and authorization.

In this paper we propose a novel approach to determine, at every program statement, which security-critical objects will not be used by the app in the future. An Android application, once compiled, has all the information needed to determine this. Using results from our data flow analysis, we can decide to flush out the security-sensitive information from the objects immediately after their last use, thereby preventing an attacker who has compromised the app from reading security-critical information. This way an app can truly provide defence in depth, protecting sensitive data even after a compromise.

We propose a new tool called Androsia, which uses static program analysis techniques to perform a summary-based interprocedural data flow analysis to determine the points in the program where security-sensitive objects are last used (so that their content can be cleared).
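The last-use idea described above can be illustrated with a classic backward liveness analysis. This is an added example, not Androsia's code: it is intraprocedural only (the talk describes a summary-based interprocedural analysis), and the toy control-flow graph, statement labels and variable names are constructed for illustration.

```python
# Constructed toy CFG: node id -> (statement, uses, defs, successors).
# All names (readPin, deriveKey, ...) are hypothetical.
CFG = {
    0: ("pin = readPin()",      set(),        {"pin"},   [1]),
    1: ("key = deriveKey(pin)", {"pin"},      {"key"},   [2]),
    2: ("if (remember)",        {"remember"}, set(),     [3, 4]),
    3: ("store(pin)",           {"pin"},      set(),     [4]),
    4: ("token = login(key)",   {"key"},      {"token"}, [5]),
    5: ("show(token)",          {"token"},    set(),     []),
}
SENSITIVE = {"pin", "key", "token"}

def liveness(cfg):
    """Backward data flow: live_in = uses | (live_out - defs), to a fixed point."""
    live_in = {n: set() for n in cfg}
    live_out = {n: set() for n in cfg}
    changed = True
    while changed:
        changed = False
        for n in sorted(cfg, reverse=True):
            _, uses, defs, succs = cfg[n]
            out = set().union(*(live_in[s] for s in succs))
            inn = uses | (out - defs)
            if out != live_out[n] or inn != live_in[n]:
                live_out[n], live_in[n] = out, inn
                changed = True
    return live_in, live_out

def clear_points(cfg, sensitive):
    """Where a sensitive variable can be wiped: right after a statement,
    or on a branch edge when it stays live on the sibling branch only."""
    live_in, live_out = liveness(cfg)
    after_stmt, on_edge = set(), set()
    for n, (_, _, defs, succs) in cfg.items():
        # Held at n (live on entry or defined here) but never read afterwards.
        for v in ((live_in[n] | defs) & sensitive) - live_out[n]:
            after_stmt.add((n, v))
        # Live out of n because of another successor, dead on this edge.
        for s in succs:
            for v in (live_out[n] & sensitive) - live_in[s]:
                on_edge.add(((n, s), v))
    return after_stmt, on_edge

if __name__ == "__main__":
    after_stmt, on_edge = clear_points(CFG, SENSITIVE)
    for n, v in sorted(after_stmt):
        print(f"wipe {v!r} after: {CFG[n][0]}")
    for (n, s), v in sorted(on_edge):
        print(f"wipe {v!r} on edge: {CFG[n][0]} -> {CFG[s][0]}")
```

The branch at node 2 shows why statement-level last-use is not enough: `pin` is still needed on the `store(pin)` path, so on the other path it has to be wiped on the edge into `token = login(key)`.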

About Samit Anwer

Samit Anwer is a Web and Mobile Application pentester and researcher. He has been active in the security community for the last 3 years, starting soon after completing his Master's degree from IIIT, Delhi in Mobile and Ubiquitous Computing. He is an active member of the Null Bangalore Chapter and has spoken on various security topics. He is actively involved with vulnerability research in popular Web and Mobile apps and has responsibly disclosed several security issues with Google Cloud Print API, XSS filter evasion on IE 11/MS Edge, code execution on Microsoft Windows 10, and buffer overflows on MS Edge/IE 11. He currently works for Citrix R&D India Pvt. Limited, Bangalore as a Security researcher.

His technical interests lie in using static program analysis techniques to mitigate security and performance issues on mobile/web apps, breaking web/mobile apps, and researching cutting-edge authentication and authorization mechanisms. When he is not breaking apps, you can find him occupied with outdoor sports, on a food spree or traveling.

His previous published works are as follows:

1. Chiromancer: A Tool for Boosting Android Application Performance [MobileSOFT Conference 2014, Hyderabad, India]
2. Detecting Performance Antipatterns before migrating to the Cloud [IEEE CloudCom 2013, Bristol, U.K.]
3. Performance Antipatterns: Detection and Evaluation of their Effects in the Cloud [IEEE Services 2014, Anchorage, Alaska]