Smartphone Security
20-00-0615-pr
Stephan Heuser

Project Proposals in a Nutshell
Rootkit for Android (1/2)
- Tasks:
  - Set up an environment to develop kernel modules for Android
  - Implement known kernel rootkit techniques, e.g.,
    - Hide: processes, kernel modules, network connections
    - Sniff: user credentials, inter-app communication, mobile data (SMS, conversations)
    - Anti-anti-rootkit techniques
- Required knowledge:
  - Kernel programming
  - C, ARM assembler
Rootkit for Android (2/2)
- Variants:
  - Userland rootkit
  - Kernel rootkit
  - Galaxy S5 kernel rootkit
Anti-Rootkit for Android
- Tasks:
  - Set up an environment to develop kernel modules for Android
  - Develop an integrity scanner, i.e., check
    - Plausibility of kernel data structures
    - Integrity of kernel code
- Required knowledge:
  - Kernel programming
  - C, ARM assembler
Remote Exploit against iOS 7.1.x
- Tasks:
  - Set up a debugging infrastructure
  - Understand the necessary code/data structures
  - Extend the existing PoC exploit:
    - Custom payload
    - Bypass defense strategies (ASLR, NX)
- Required knowledge:
  - Exploitation techniques
  - Defense strategies
  - Debugging
  - C, ARM assembler
Transparent Data Encryption
- Extend Android with a mechanism to transparently encrypt/decrypt data
- If possible, provide an implementation on top of the ASM (Android Security Modules) framework
- Transparently encrypt/decrypt SMS messages exchanged between two Android emulators, based on keys exchanged between contacts
- Implement a key exchange mechanism via NFC or QR codes
Blue Pill / KeyLogger
- Develop malicious versions of the default Launcher and Keyboard app which are able to hide/re-link installed apps or log the user’s input, respectively
- Consider how security mechanisms like the “Home” button can be prevented or the user be tricked into “taking this blue pill”
Privacy Enhancements
- Develop Android privacy enhancements based on the Android Security Modules (ASM) platform
- Security modules for different use cases
  - Access control on
    - individual contact fields
    - location sensor information
    - images taken by the camera
  - Configurable by the user and by a central policy distribution point
  - Enforcement is provided by the ASM platform
Context-dependent Access Control
- Develop context-aware Android privacy enhancements based on the Android Security Modules platform
- The access control layer’s task is to observe a context parameter and determine, based on given criteria, whether the device is in a sensitive context or not
- Integrate with one simple access control enforcement based on ASM (e.g., Contacts)
Dynamic Android App Analysis
- Develop a plugin-based architecture for Android app analysis
- Use the Android Security Modules framework to monitor security-critical operations performed by apps
- Log, in human-readable form, whenever security-critical operations are performed
- Develop a user interface for analysts to interpret the logs, ideally in real time
Reverse Engineering Environment
- Test and evaluate state-of-the-art Android (and iOS?) reverse engineering open-source software
- Describe and select solutions
- Set up a virtual machine
- Install the solutions
- Integrate examples, with documentation on how to reverse-engineer and modify them
TrustZone Support for the Android Emulator
- Extend the Android emulator with support for TrustZone
  - Apply/backport the QEMU TrustZone support patches to the Android emulator
  - Boot the emulator into the secure world, configure the emulated board
  - Boot Android in the normal world
  - Provide a simple mechanism for communication between the insecure and secure world
  - Build a simple TrustZone application which communicates with the secure world (Hello World)
- ONLY choose this topic if you feel that you are up to the task!