Episode 26

How Play Protect secures GMS Android from harmful apps

Published on: 8th September, 2022

This episode of Android Bytes, we're talking about mobile app security. Android has a lot of robust, built-in mechanisms that protect against exploits and security vulnerabilities, but there's only so much it can do to protect against misuse of sensitive permissions and APIs. Google augments Android's protection mechanisms with Play Protect, a service that looks out for potentially harmful applications.

Brian Reed, Chief Mobility Officer from NowSecure, joins us on the show to explain how Android and Google Play Protect work together to secure your device.

  • 2:05 - How does Android's app security model work at a platform level?
  • 3:27 - What does NowSecure do?
  • 4:16 - How does Android sandbox apps?
  • 5:30 - How does Android's security model compare to other platforms?
  • 7:24 - How does sideloading affect Android security?
  • 13:28 - How is Google Play Protect distributed to GMS Android devices?
  • 14:17 - What is the App Defense Alliance (ADA)? What is static and dynamic analysis?
  • 17:12 - What are the reverse engineering/disassembly tools security firms use to analyze Android apps?
  • 18:55 - Why is dynamic analysis important?
  • 24:05 - What is a potentially harmful application (PHA)?
  • 25:32 - What is a mobile bundled application (MHA)? Are there any security risks?
  • 27:42 - What can developers do to protect their Android apps from hackers?

Additional links mentioned in the show:

Android Bytes is hosted by Mishaal Rahman, Senior Technical Editor, and David Ruddock, Editor in Chief, of Esper.

Esper enables next-gen device management for company-owned and managed tablets, kiosks, smart phones, IoT edge devices, and more.

For more about Esper:

Our music is "19" by HOME and is licensed under CC BY 3.0.

Transcript
Mishaal:

Hello, and welcome to Android bys powered by Esper, the podcast that

Mishaal:

dives deep into the world of Android.

Mishaal:

I'm Michelle Ramon.

Mishaal:

And while I'd normally be joined by my co-host David Ruddock, he unfortunately

Mishaal:

couldn't make it to this one.

Mishaal:

Still.

Mishaal:

We've got a great topic and guest lined up on the show this week,

Mishaal:

we'll be talking about security, specifically mobile app security.

Mishaal:

So if you listen to our podcast before, you know, we've talked about Android

Mishaal:

security model, at least when it comes to applications, as well as our

Mishaal:

permissions work in the previous episode.

Mishaal:

But this time, we want to focus more specifically on how Google app

Mishaal:

developers and outside firms team up to protect you and your Android device.

Mishaal:

So today we've invited Brian Reed, chief mobility officer at now secure

Mishaal:

to talk about mobile app security.

Mishaal:

Welcome to the show,

Brian:

Brian.

Brian:

Thanks, Michelle.

Brian:

It's great to be here and part of your community.

Brian:

Thanks for having me.

Brian:

Thanks for joining us.

Brian:

So

Mishaal:

this is the topic that in my now seven years of covering Android, you know,

Mishaal:

I've kind of delved into the security side a bit here and there, even though, while

Mishaal:

it's been up in my primary focus, just covering the Android platform ecosystem,

Mishaal:

these security issues come up and tend to cover them pretty much every week.

Mishaal:

You'll hear from some mobile security threat firm that there's

Mishaal:

some new malware strain out in the wild, and that is wing havoc.

Mishaal:

And then when you dive into the details you discover, oh, they're mostly misusing

Mishaal:

some Android API or application some permission or they're tricking users

Mishaal:

into enabling some sensitive permiss.

Mishaal:

And so like, this is a topic that is ever pervasive in our lives, because

Mishaal:

you probably know people in your lives who could be tricked into enabling

Mishaal:

something they shouldn't have when songs something they shouldn't have.

Mishaal:

And even if you think that you wouldn't do that, there's a very high

Mishaal:

chance that you could be tricked to.

Mishaal:

No one is ever completely foolproof from fishing or any other malware attacks.

Mishaal:

There are many things you can do to prevent yourself from

Mishaal:

being taken advantage of.

Mishaal:

But on the ecosystem side, there are also many things that Android

Mishaal:

does and that Google does and that outside firms can do to proactively

Mishaal:

protect you from harming yourself.

Mishaal:

So just so we're all on the same page, I kind of wanna just touch upon

Mishaal:

the background of Android security model and how Android actually

Mishaal:

protects you at a platform level.

Mishaal:

So we talked about this before, but every time you install

Mishaal:

an app, it comes an APK file.

Mishaal:

And within that APK file.

Mishaal:

There's all the assets, the code, the resources, et cetera, but there's also

Mishaal:

a digital signature that is generated whenever the developer signs a package.

Mishaal:

And whenever that app installs on your device, it's given a unique package name.

Mishaal:

And whenever you try to install an app that has a package name matching an

Mishaal:

existing app, it installed on the device.

Mishaal:

If that signature doesn't match the signature, that was with the previous.

Mishaal:

Then Android will object the installation.

Mishaal:

And because it's assumed that the signing key, the developer used to sign that

Mishaal:

app is generally kept somewhere safe and secure within their own repository on

Mishaal:

their computer, or upload it to Google.

Mishaal:

Then you can assume that some third party didn't just modify

Mishaal:

the app and then upload it.

Mishaal:

And then you installed it onto your device.

Mishaal:

So that's how Android generally secures updating applications.

Mishaal:

The one challenge with that is while it ensures that some outside developer

Mishaal:

didn't modify and push an app onto your device, it doesn't guarantee that the

Mishaal:

update hasn't been tampered with hasn't had in any malicious or potentially

Mishaal:

harmful code within the update.

Mishaal:

Like it could still be signed by the original developer, but how do you.

Mishaal:

If that update is still safe to use.

Mishaal:

And that's generally where firms like now secure come in.

Mishaal:

So I wanted to ask you, Brian, can you tell us a bit about the company?

Mishaal:

Sure.

Brian:

So now secure actually got started as a forensics company in 2008 and 2009.

Brian:

So the birth of Android that was around the same time as iOS.

Brian:

Our founder got interested in these cool little devices that seemed to

Brian:

have a whole lot of computing power and a lot of forensic data on him.

Brian:

And while he wasn't a forensic specialist, he actually became the world's expert

Brian:

in mobile forensics and ultimately build a business that is now secure today.

Brian:

We're kind of an all in one solution provider we have for

Brian:

mobile application securities.

Brian:

So we have testing tools, developing tools, pen testing

Brian:

services, open source tools.

Brian:

Training all of those kinds of things and partner with lots of organizations

Brian:

to make sure they're able to deliver those secure applications on whatever

Brian:

mobile operating system they want.

Brian:

So our roots are in Android, cuz that's really where he started and we

Brian:

continue to do a lot with Google and the entire ecosystem community today.

Mishaal:

Thanks Brian.

Mishaal:

And just to follow up on the Android aspect, one other thing that Android

Mishaal:

does at the platform level to protect you is that it has a very secure

Mishaal:

model of protecting applications from interacting with other applications.

Mishaal:

So you may have heard the term sandbox before.

Mishaal:

So whenever you install an app on Android, every app that has a unique

Mishaal:

package name, you know, every app has to have a unique package name.

Mishaal:

You can't have two apps with the same package name solved on a.

Mishaal:

So what happens is that that package is assigned a, a unique identifier.

Mishaal:

And when you run that app, Android runs it in a container

Mishaal:

and it's called the process.

Mishaal:

And then that identifier is called the P I D for that process.

Mishaal:

So by putting processes in containers, Android ensures

Mishaal:

that apps can only interact with other apps through a well-defined

Mishaal:

process called the binder IPC.

Mishaal:

So this way apps can only interact and only execute only like send a

Mishaal:

request to get data from another app.

Mishaal:

Through well defined permissions through well defined, intense and whatnot.

Mishaal:

So like you can't just have one app poking around the data of another app

Mishaal:

without break the sandbox, which is just not something that is very easily

Mishaal:

achievable without some very serious exploit in the Android platform.

Mishaal:

I wanted to ask you, Brian, how does this in your experience,

Mishaal:

how does Android security model compare to other operating systems?

Mishaal:

Would you say it's more or less secure?

Brian:

Yeah, that's always a loaded question.

Brian:

What I would say is that the Linux kernel underneath the Android in and

Brian:

of itself with its advanced security capabilities, gives it a strength.

Brian:

Apple has a more closed system on iOS, just in terms of how they operate.

Brian:

Uh, the sandboxing model is very strong.

Brian:

You know, the containerization of applications, the

Brian:

control of the IPC channel.

Brian:

All of those things are good strengths for Android.

Brian:

What's been really interesting to watch is that Android kind of was very heavy.

Brian:

I've been around this since Blackberry, just to be my background.

Brian:

I was with the original mobile security company called Blackberry.

Brian:

So I've seen a lot over the years and Blackberry was completely locked down

Brian:

and completely impossible to innovate.

Brian:

Just about it all, but it was really secure, right?

Brian:

And that's an example of a niche user experience with high security,

Brian:

but it was really inflexible when you wanted to write applications.

Brian:

The Android world kind of has two communities.

Brian:

You have the, I just wanna get stuff done.

Brian:

And then you have kind of the fanboy world I wanna customize

Brian:

and do really interesting things and, you know, so on and so forth,

Brian:

which leads to rooting and more customizations in the operating system.

Brian:

What has been really interesting to watch is that Android has become incredibly.

Brian:

If you look at the number of CVEs and cess listed for Android operating system

Brian:

or for device hardware for at least the tier one manufacturers, they have gone

Brian:

down as a rate over time, apple hasn't.

Brian:

Now apple may have been a little bit ahead.

Brian:

So there sort of is this, it depends.

Brian:

On who your hardware manufacturer is, how they are properly or improperly

Brian:

using the operating system and the licensing that they're doing around the

Brian:

play store and the tooling around that.

Brian:

But Android today is a very safe environment.

Brian:

And so I live in a blended world.

Brian:

So I have yes, one of everything because I'm in a mobile business.

Brian:

I have no qualms about saying which device or which operating system is better.

Brian:

Android and iOS are both better than windows, frankly.

Brian:

And so from that perspective, there's lots of different places we can go

Brian:

in terms of talking about, well, how do I make sure I'm safe and secure?

Brian:

And how do I make sure I do the right things?

Brian:

You mentioned

Mishaal:

something that I wanna kind of wanted to follow up on power users.

Mishaal:

You know, there are people who like the brute and tinker their devices.

Mishaal:

That's something that wasn't really possible with the older,

Mishaal:

more lockdown operating systems and current ones like iOS.

Mishaal:

So on Android, you are allowed.

Mishaal:

Side load applications.

Mishaal:

This term side loading.

Mishaal:

Isn't really much of a thing in the windows world, but it is

Mishaal:

something that exists in Android.

Mishaal:

And in order to side load, an application from outside of the official

Mishaal:

Google play store, you have to opt in, you have to enable permission.

Mishaal:

You have to do it on a per application basis.

Mishaal:

And there are also other security features that kind of irk power users.

Mishaal:

And I wanted to ask you your thoughts first on side loading.

Mishaal:

Like how does Google balance.

Mishaal:

Ability to allow users to side load applications with actually protecting

Mishaal:

them from installing something that's potentially untrusted.

Brian:

Yeah.

Brian:

I think there's kind of two ways to look at it.

Brian:

So I'm gonna take a macro view and then kind of a micro view.

Brian:

So the macro view is there are three or 4 billion users of Android, and

Brian:

that means everybody of every kind everywhere in the world, trying

Brian:

to do everything you can imagine.

Brian:

Right.

Brian:

And so there's lots of different segments of people that wanna

Brian:

use it in certain behavior.

Brian:

I do a lot of work with companies that use lockdown, Android tablets that are

Brian:

purpose designed for a specific use.

Brian:

They may have one application on them.

Brian:

I do work in automotives.

Brian:

I do work in healthcare, right?

Brian:

And so there's that class financial services where regulatory matters control

Brian:

matters, sensitive data matters you as a patient, don't want that data lost.

Brian:

If it's your car, you don't want that car broken into.

Brian:

Right.

Brian:

So there's that category.

Brian:

And then you kind of move into the more general maybe business user.

Brian:

Then you move into the more generalized consumer and then you move into the

Brian:

tinkerer category, like the fanboy and you know, and what I think

Brian:

Google's done a pretty good job of is trying to balance all of them, right.

Brian:

From that perspective.

Brian:

And so they've set up the guardrails.

Brian:

They've continued to improve the guardrails and gates to

Brian:

make it hard to be malicious.

Brian:

So you've got the containerized model.

Brian:

We just talked about side loading to me is an enabler for the category

Brian:

of people who want it, but most people should stay away from it.

Brian:

If you were to ask me how do regular people, consumers, not more technical,

Brian:

advanced customizer, stay safe.

Brian:

Don't side.

Brian:

Because Google play with play protect data, safety labels, and all of the system

Brian:

services that are built into the premium level are designed to keep you safe.

Brian:

And it's really easy to stay safe when you're leveraging those things.

Brian:

Side loading is one of the top malware paths.

Brian:

The other biggest breach vector actually is SMS fishing, and that's not Google

Brian:

or apple or anybody else's fault.

Brian:

That's the nature of the way SMS behaves.

Brian:

And that's a whole different security conversation.

Brian:

And the fact that people click on that stuff just in the same way,

Brian:

they sometimes click on spam email.

Brian:

Right.

Brian:

So side loading, isn't a bad thing, but side loading can get you in trouble.

Brian:

So you really should focus on brand name apps from brand name companies,

Brian:

you know, that have attestation in them with data safety program.

Brian:

That have four or more stars have millions of downloads, right?

Brian:

That's just the collective being safe, doing the smart thing, which

Brian:

is probably 80% of the world really.

Mishaal:

Right.

Mishaal:

I kind of like in side loading to deciding where to purchase something online.

Mishaal:

So if you're a side loader, you're kind of bypassing all the.

Mishaal:

Extra scrutiny that is placed on those applications by Google play and by

Mishaal:

play protect and all the stuff that's that developers have to go through

Mishaal:

to even get their apps on there.

Mishaal:

So like if you were to shop online, sure.

Mishaal:

You could go to all express.

Mishaal:

You could find literally anything you want at any time, but you're

Mishaal:

kind of putting yourself at risk by, you know, are you actually gonna

Mishaal:

get what you're trying to order?

Mishaal:

Is the seller actually legitimate is the product actually as described.

Mishaal:

Or could you just do the easy thing and go to like Amazon, you know?

Mishaal:

Sure.

Mishaal:

There are going to be some fakes.

Mishaal:

There are going to pieces of product issues, but generally those are

Mishaal:

more vetted because there's more barriers to entry to get on there.

Brian:

Right.

Brian:

You know, a lot of this is risk and reward for the bad guys.

Brian:

Right?

Brian:

So those barriers of entry, the friction that's put in the system make it harder

Brian:

for the people who wanna be malicious to behave malicious and the cost of being M.

Brian:

Becomes so high, it's not worth it.

Brian:

So from that perspective, take advantage of everything.

Brian:

You can buy a first class device from a first class vendor, make sure they're

Brian:

using they're licensing, Google correctly, and leveraging that technology and so

Brian:

on and so forth and you can be safe.

Brian:

And when we look at what Google has done for the two primary safety systems, we

Brian:

have the play protect side of the house.

Brian:

We have the data safety label side of the house and data safety labels just

Brian:

became mandatory in the last week.

Brian:

And so between those two things, if I can play protect is basically

Brian:

Google's giant malware engine.

Brian:

Google is continuously scanning for malware.

Brian:

Google has a lot of partners that are in security and endpoint management that are

Brian:

contributing to the malware signature.

Brian:

While you sometimes see it.

Brian:

And I'm not saying they're in any it's way better now than it used to be.

Brian:

And that database allow our signatures and the sophistication of the testing

Brian:

between Google and Google's partners continues to get better and better and

Brian:

better take advantage of play protect.

Brian:

You can run it on your own device.

Brian:

It's being scanned when it's going into the app store.

Brian:

If you find something reported and kind of help the community, the data

Brian:

safety label is really interesting.

Brian:

So I'll show my age.

Brian:

I remember when my parents would only buy electronics if they had the

Brian:

underwriter's laboratory safety label on it, which meant some third party

Brian:

company tested that piece of electronics.

Brian:

So it wouldn't like burn you or blow up your house or, you

Brian:

know, something else like that.

Brian:

And for the first time, anywhere in software that I have ever seen, Google's

Brian:

actually added labeling that this thing's.

Brian:

It's called a data safety label.

Brian:

And so one half of a label is the software developer is going to attest and say,

Brian:

here is what my app does with your data.

Brian:

I transmit it.

Brian:

I collect it.

Brian:

I send it.

Brian:

What have you, the other half is you can get an independent security verification

Brian:

done by an accredited third party.

Brian:

And that accredited third party now secures one of them will actually

Brian:

test it sufficiently to say, yeah, this app is safe based on

Brian:

this industry standard benchmark.

Brian:

That's like a good housekeeping seal of approval or underwriter's

Brian:

lab label on it now.

Brian:

So now with play protect, I'm protecting myself from malware

Brian:

with data safety labels.

Brian:

I'm also ensuring that the app manufacturer is doing the right thing.

Brian:

And that's really great for users.

Brian:

So

Mishaal:

just to take a step back, because on this show, we love to

Mishaal:

talk about a O S P and GMs, and try to differentiate between them.

Mishaal:

Google play protect, as Brian had mentioned is part

Mishaal:

of Google mobile services.

Mishaal:

So it's something that is available on devices with GMs, Android.

Mishaal:

So, if you were to compile a S P from Google ski repositories, you would

Mishaal:

not have play protect available to you because it is part of, I believe Google

Mishaal:

play store app itself, or Google play services, either one of those two.

Mishaal:

And as Brian mentioned, it is a massive database of malware signatures.

Mishaal:

And I kind of wanted to talk about now, like I wanted to ask you how exactly.

Mishaal:

Is that malware signature database actually built.

Mishaal:

How does Google go out and decide to add something to its database?

Mishaal:

So for the two who looked up anything related to this before you might have

Mishaal:

heard terms like static and dynamic analysis, can you walk us through what

Brian:

those mean?

Brian:

Sure.

Brian:

So there is something called the app defense Alliance.

Brian:

So I'm just gonna introduce the, how does the data get collected?

Brian:

So the app defense Alliance was created.

Brian:

Five six years ago.

Brian:

And it's a group of folks who do malware.

Brian:

They do endpoint management, they do antivirus a lot of the subjects

Brian:

you might expect in this world.

Brian:

And so Google said, Hey, we wanna crowdsource this stuff.

Brian:

We've got a whole bunch.

Brian:

We know you have more.

Brian:

So let's start collecting them.

Brian:

So through all of the different vendors who participate in that, when

Brian:

they find something, they submit it through a special channel to Google.

Brian:

Google adds it to their database, verifies that the giant database gets bigger.

Brian:

And it's because there's multiple vendors scanning billions of device.

Brian:

You get a pretty good signature database as a result of that.

Brian:

Now, what we're all doing under the hood is we're basically doing

Brian:

some combination of static and dynamic analysis or SAST and DAS.

Brian:

And so SAST is basically scanning code either the source code or binary image

Brian:

of the app to statically identify coding failures in the application.

Brian:

So with SAST, you might find things like say hard coded secrets embedded

Brian:

in the application or debugging code that made it into production

Brian:

in the app store submission or hard coded URLs or stuff like that.

Brian:

Those are vulnerabilities.

Brian:

You could.

Brian:

You can also find malicious behavior, like, Hey, it's scooping up this data

Brian:

and transmitting it to this IP address.

Brian:

And then dat, which is dynamic analysis is actually running the app.

Brian:

Most of us who participate in the program have some sort of dynamic

Brian:

analysis, which we observe the app running on a real device, whether it's

Brian:

in a lab or it's on some customer's device that has an agent running on it.

Brian:

And we see the malicious behavior, we capture it.

Brian:

So dynamic finds things like permissions, escalation,

Brian:

because something changes over.

Brian:

It finds transmission of sensitive data that maybe shouldn't be there.

Brian:

Is that data properly encrypted?

Brian:

Does it go to a bad end point?

Brian:

That's a known malware harvester endpoint from the endpoint databases on the.

Brian:

Things like that.

Brian:

So what's interesting about it is the collective is kinda looking for

Brian:

malware through bad behaviors, but also looking for vulnerabilities.

Brian:

Some of the more recent issues we found in the market weren't actually malware.

Brian:

They were vulnerable commercial applications used by millions of

Brian:

people where the bad guys figured out how to exploit weakness in them.

Brian:

There was a security weakness that their developers had introduced to.

Brian:

So that's a little bit about how that works.

Brian:

Now, the app defense Alliance recently added the MAs specification,

Brian:

which is that independent security verification strategy.

Brian:

So this is how to use SAS and dat to analyze the app for vulnerabilities that

Brian:

could be exploited work with the vendor to fix them, and then give them that good

Brian:

housekeeping label of approval, which is the independent security review stamp.

Brian:

So that when you go their data safety label, In the Google play store.

Brian:

You see, it says independent security review has been completed

Brian:

by an attested third party.

Brian:

This is deep save for use in these categories.

Brian:

And now you have that attestation, which is great from the third party.

Brian:

So you mentioned

Mishaal:

before that, you know, you typically look at either the source

Mishaal:

code or the compiled code of an application, and I'm guessing like 99%

Mishaal:

of the time you don't have access to the source code of the application.

Mishaal:

You're looking for most of the time, you're looking at the binary, the

Mishaal:

compiled binary, and you'd have to use some kind of de compilation.

Mishaal:

Or some kind of analyzer to analyze behavior while it's on device.

Mishaal:

Can you tell us about like some of the tools that you might use?

Mishaal:

Are they like all inhouse?

Mishaal:

We use any

Brian:

commercial for those who are into reversing, you may have heard of Frida

Brian:

and rod Aari are the top two reversing disassembly tools in the market.

Brian:

Frida and red were created by researchers on our now secure.

Brian:

And pancake are their handles.

Brian:

And so those are used by a lot of security researchers.

Brian:

They're also used in some other tooling by other folks, and

Brian:

those are embedded in our tools.

Brian:

So we can reverse and disassemble an iOS or an Android app, whether it's DRM

Brian:

or not with it, you can break most of the obfuscation tools and hook the app.

Brian:

Even the ones that have anti Frita capabilities in it, it's

Brian:

like a cat and mouse game.

Brian:

They try to block and then you find new ways around it.

Brian:

But in reversing it, you can get down to bite code or Java code or some

Brian:

intermediate language that you can then scan to get a sense from a static

Brian:

perspective about what's going on.

Brian:

What I will say is that freedom and Dari are great tools.

Brian:

Have a look at them.

Brian:

If you really wanna kinda learn your way through what this world looks.

Brian:

There's some free training on how to use freedom, Ary and participate in the

Brian:

community on our academy.now secure.com or you can just find them on the internet.

Brian:

They're great tools.

Brian:

There's some other tools out there.

Brian:

There are various other tools that might go into kit.

Brian:

You might use perp suite to do network sniffing and some things like that

Brian:

when you kind of build out a tool kit.

Brian:

So we leverage those and other advance.

Brian:

IP that we built.

Brian:

So do the other vendors have all built something that involves some combination

Brian:

of static and dynamic analysis?

Mishaal:

Speaking of static and dynamic analysis, there is one thing

Mishaal:

I wanted to follow up with you on.

Mishaal:

And it's something that I think requires some clarification for

Mishaal:

listeners who may not be familiar.

Mishaal:

And it's that why is dynamic analysis actually important to do?

Mishaal:

Why do you have to test on a real device versus why can't you just statically

Mishaal:

analyze the code and look for some, say potentially malicious thing happening.

Brian:

We talked earlier about containers in IPC and data transmission between

Brian:

say two containers or two processes.

Brian:

Right?

Brian:

Well, that's why you need dynamic analysis, static analysis.

Brian:

We'll never see if data was improperly transmitted to the IPC

Brian:

found from one process to another.

Brian:

You need dynamic analysis to understand what's being written to the device in

Brian:

log files, or being stored on the device.

Brian:

We find key material, forensic data.

Brian:

IP.

Brian:

We actually found a, uh, coupon code generator.

Brian:

The actual IP generation of that was spewed out and log

Brian:

files under error conditions.

Brian:

Now static source code scanning.

Brian:

Won't find that you only find that when you run it dynamically.

Brian:

So it's a general rule.

Brian:

Dynamic is about testing the crypto.

Brian:

Is the crypto working correctly.

Brian:

And then it's testing storage, which is what is being written

Brian:

and what can I forensically find?

Brian:

And what's being written into my own address, space, my own storage,

Brian:

other storage file system log files, and then network transmission.

Brian:

So what is getting transmitted over the air?

Brian:

Is it intercept?

Brian:

Am I doing proper certificate pinning?

Brian:

Am I using the TLS channel?

Brian:

Correct.

Brian:

What endpoints am I talking to?

Brian:

Are those endpoints safe?

Brian:

There's a whole bunch of things you can test around authentication

Brian:

and authorization that you'll pick out through testing dynamically.

Brian:

So I'll give you wild data.

Brian:

We scan all the apps in the app store.

Brian:

So there are 6 million app and Google play store apps.

Brian:

Approximately we scan almost all of them on a regular basis.

Brian:

And what I can tell you is that 80% of them have security vulnerability.

Brian:

The good news is 20%.

Brian:

Don't have really bad security vulnerabilities in 'em, but 80% do.

Brian:

And that number's been the same for five or six years since

Brian:

we've been benchmarking them.

Brian:

What's also interesting is that when you carve into that static

Brian:

versus dynamic, almost everything we're finding is dynamically found.

Brian:

It's really hard to do dynamic analysis and dynamic testing

Brian:

at scale in a development.

Brian:

So a lot of 'em just don't do it.

Brian:

So they run a static analyzer until we find a very low proportion

Brian:

of static vulnerabilities in production apps, because most

Brian:

people are using static tools.

Brian:

Dynamic is really hard to do.

Brian:

It's expensive if you pay somebody to do it, not a lot of people do it.

Brian:

And that's why we find that's where most of the vulnerabilities

Brian:

are in storage in crypto, in network and backend APIs by far.

Mishaal:

Yeah, I'm not surprised because you know, they want to avoid detection.

Mishaal:

So if you just have all your malicious code statically, it's in the application

Mishaal:

itself and it's easy to find, then there's nothing in it for them.

Mishaal:

It's, it's gonna be detected and, you know, added to the database

Mishaal:

and then detected in the future again and over and over again.

Mishaal:

And I've heard stories of like these malicious applications

Mishaal:

that behave differently or.

Mishaal:

Different parts of code differently, depending on your location or

Mishaal:

what device you're running or a combination of those factors.

Mishaal:

So like you need to be able to test, and that

Brian:

can be hard to find exactly.

Brian:

It can be hard to find two dynamics.

Brian:

So, uh, screw an ator.

Brian:

You're not necessarily gonna see all the IC conversation to the ator.

Brian:

You're not necessarily gonna see the interaction with the OS layer all the

Brian:

way down through the hardware or the wifi chip before the carrier chip.

Brian:

Right.

Brian:

So what we have found.

Brian:

For a number of clients who have done emulator based

Brian:

testing, they bring it to us.

Brian:

We find stuff.

Brian:

I mean, you can't truly emulate the environment to get full coverage.

Brian:

And again, sometimes it's malware.

Brian:

A lot of it's just vulnerabilities.

Brian:

I mean, last year, Walgreens slack, they had vulnerabilities that were exploited.

Brian:

People stole prescription data to the Walgreens mobile app

Brian:

because of a vulnerability in it.

Brian:

Slack had a zero day.

Brian:

So even what you would think would be really great companies.

Brian:

They can make mistakes, their developers can make mistakes, it might be code.

Brian:

They write party libraries that put in it.

Brian:

But what we're actually seeing is the nation state actors and

Brian:

the criminals are finding these zero days in these applications.

Brian:

And they're exploiting them as bad or worse as they are the malware,

Brian:

the price of building malware and getting it into the app store

Brian:

is getting higher and higher.

Brian:

Cuz it's harder and harder cuz of everything we just talked about today.

Brian:

But you know what, if I can find a zero.

Brian:

In slack and go steal a bunch of corporate data or, you know, shopping cart X and

Brian:

there's numerous applications like that.

Brian:

Well, then I can harvest information off of that and use that, you know, there, uh,

Brian:

if I can diverge for a second, a couple years ago, British airway was preached.

Brian:

They found a weakness in the way British airways mobile app

Brian:

was talking to its back backend.

Brian:

So they learned how to attack the backend by the mobile app.

Brian:

Then they attacked the backend 380,000 records were stolen, including passport

Brian:

information, travel history, credit cards.

Brian:

They were fine.

Brian:

Bridge share was fined 158 million pounds by the EU as the first GDPR.

Brian:

Fine.

Brian:

Now all of that had to do with the fact of a poorly written mobile application.

Brian:

That was exploitable.

Brian:

There was no malware involved.

Brian:

It was just straight up good scientific research that discovered it.

Brian:

And then they used it to go after the back end.

Brian:

And that's what we need to think about is mobile's just part of the overall chain of

Brian:

all the it systems that some company has.

Brian:

Then you make sure the mobile app and what it talks to is secure, whether it's

Brian:

malware or whether it's a commercial app.

Brian:

So this

Mishaal:

whole time we've been talking mostly about malware

Mishaal:

and like malicious applications.

Mishaal:

But if you read online about like what Google pay, protect actually

Mishaal:

identifies it, doesn't usually.

Mishaal:

Positively identify actual malicious behavior.

Mishaal:

It identifies potentially harmful applications.

Mishaal:

Can you describe what exactly qualifies to potentially harmful application?

Brian:

Yeah, so potentially harmful application is the app is collecting and

Brian:

maybe transmitting over the error data.

Brian:

It shouldn't be the app is trying to execute system level commands.

Brian:

It shouldn't have rights to execute.

Brian:

It could be spyware.

Brian:

It could be fishing.

Brian:

You know, more common things.

Brian:

We know it could be ransomware in terms of its behavior.

Brian:

I haven't heard a lot of production ransomware on mobile, but we've seen some

Brian:

academic experiments along those lines.

Brian:

Uh, there's a lot of system logging going on, data harvesting going on.

Brian:

And so what kind of comes back is, Hey, this has some unusual beha,

Brian:

it's a camera app and it's great.

Brian:

The entire contact database and shipped it to the cloud.

Brian:

Right.

Brian:

And that's gonna get a flag.

Brian:

If it's picked up, right?

Brian:

Cause it doesn't make sense that someone who's taking photos is scraping the

Brian:

entire address book off the device or the history of all the wifi nodes that this

Brian:

device ever connected to with the S S I D and whatever passwords hashed or not.

Brian:

Right.

Brian:

So that's part of what it's looking for is it doesn't make sense that this app

Brian:

would be doing that thing, whether it's obviously malicious or possibly malicious.

Mishaal:

Right.

Mishaal:

And another thing is that potentially dodgy and sketchy or malicious behavior,

Mishaal:

isn't only limited to apps that you can install from the Google play store

Mishaal:

or outside of the Google play store.

Mishaal:

It can also be happening within pre-installed applications, which Google

Mishaal:

refers to as mobile bundle applications.

Mishaal:

This isn't really talked about much from what I can see, mostly because it's

Mishaal:

like a conversation Google has with O.

Mishaal:

They have like strict requirements about what these mobile bundle applications can.

Mishaal:

And can't do.

Mishaal:

I wanted to ask you, what do you know about the security risks

Mishaal:

with mobile bundle applications?

Mishaal:

I

Brian:

can't speak for all the carriers.

Brian:

I can't speak for all Google.

Brian:

I can't speak for all the device manufacturers.

Brian:

You need to talk to each of them.

Brian:

What I would say is that most manufacturers and carriers are

Brian:

working hard to do it the right way.

Brian:

So for example, we work with at and T and Google.

Brian:

And so the things that at and T sells are tested and certified by us.

Brian:

And we work with a lot of the other carriers.

Brian:

There are other vendors like us that work with the carriers

Brian:

to try to do the right thing.

Brian:

Google has some attestation and testing requirements that the device manufacturers

Brian:

and carriers must submit, especially if they're part of the Google play ecosystem.

Brian:

And if they're, you know, full GMs licensees.

Brian:

And so what they're trying to do is enable lots of people to grow

Brian:

vibrant businesses and enable.

Brian:

This very broad ecosystem that we have today that has so many users and

Brian:

so many kinds of applications on it.

Brian:

The trick is saying, Hey, here's a set of standards.

Brian:

We want you to align with.

Brian:

And we are either gonna test you or have used an independent third

Brian:

party or self attest that you are doing the right things here and here.

Brian:

And by and large, everybody's got the right idea and

Brian:

trying to do the right thing.

Brian:

You don't hear so much about really bad stuff happening.

Brian:

I will say that supply chain attacks like we've been hearing in the market

Brian:

overall on lots of different things, whether you're the colonial pipeline

Brian:

or what have you, those are out there, and those are hitting mobile, just like

Brian:

they're hitting other corporate systems.

Brian:

And so to no fault of their own developers may wind up with an

Brian:

exploitable or malicious app because of some third party library they're

Brian:

using or system service they're using that suddenly changed because

Brian:

a bad actor got in there and made a.

Brian:

So that will be something I think we're gonna live on in the mobile world,

Brian:

the web world, the network world, and every other world, until we really get

Brian:

supply chain management under control and, and more safe use of components.

Brian:

All right.

Mishaal:

So on that front, what can app developers do to protect their

Mishaal:

applications from any malicious exploits?

Brian:

You know, I think there's a handful of things.

Brian:

So when we work with organizations who are application developers,

Brian:

whether they're large or small, we give them a set of recommendations.

Brian:

First one is make sure you've got some basic security

Brian:

training for your developers.

Brian:

Make sure they understand the fundamentals.

Brian:

Make sure we've got like a guide.

Brian:

That's like here's 10 APIs.

Brian:

You should make sure you use and how to configure them properly.

Brian:

And then a guide on permissioning.

Brian:

A lot of it has to do with just don't collect and store it.

Brian:

If you don't need it, then there are things about how to handle storage,

Brian:

how to handle crypto, how to handle network, how to handle backend API.

Brian:

They're not very difficult.

Brian:

In many instances, it's they didn't know there was a flag they should set.

Brian:

They didn't know there was a configuration option they should be using.

Brian:

They didn't know there was an ordering of operations.

Brian:

They should be using, make sure devs doing the right thing.

Brian:

The second thing is, make sure that there are product requirements that.

Brian:

What kind of security, this thing should have, right?

Brian:

If I'm building a banking app, there should be fundamental requirements

Brian:

that say I'm regulated by the industry.

Brian:

Here's a set of requirements.

Brian:

Well, if I'm not building a banking app, we've been building something else.

Brian:

This requirements may not clear, but just like you're saying, you want a

Brian:

really cool augmented reality experience, make sure that you're protecting

Brian:

using multifactor authentication and protecting my Phi while you do it.

Brian:

Right test it.

Brian:

Whether you using SAS in the pipeline or SA and da in the pipeline, there

Brian:

are open source and paid commercial tools that are cheap and easy to use.

Brian:

They can run autonomously, they catch all the low hanging through.

Brian:

They make your life easier.

Brian:

What's really cool about a lot of the DAS tools including now secure.

Brian:

Now, is it also identifies app store blockers?

Brian:

So you may have a build version issue.

Brian:

You may have a third party SDK issue.

Brian:

You may have some other reason.

Brian:

Google may say, Nope, I'm not gonna accept this binary because you're

Brian:

not following one of my rules.

Brian:

You can catch that too.

Brian:

So that's not just security and privacy.

Brian:

That's finding those rules.

Brian:

And if you're super high end app, you're that embedded health app, that's

Brian:

maintaining my heartbeat to a cardiac monitor or you're my banking app or

Brian:

my financial account management app.

Brian:

You should be doing pen testing once in a while and have really smart

Brian:

experts, tear it down just to make sure there isn't something exploitable.

Brian:

So teach requirements, automate your testing everywhere you.

Brian:

Pen test the high risk stuff.

Brian:

Be serious enough that say, Hey, we wanna have a great user experience

Brian:

and millions or billions of downloads.

Brian:

And we just wanna make sure that people's data does what it's supposed to do.

Mishaal:

Security is essential, of course, for every application and developer

Mishaal:

should be top of mind, but it should be even more top of mind, especially

Mishaal:

if you're dealing with sensitive data.

Mishaal:

And as Brian mentioned, medical financial, you don't want to be slapped with, uh,

Mishaal:

billions of dollars in a lawsuit for mishandling or having some data breach.

Mishaal:

That you could have solved by protecting your application better.

Mishaal:

And if you are dealing with any mission critical application or you need to

Mishaal:

deploy mission critical applications onto fleets of dedicated devices, and

Mishaal:

you wanna make sure that the firmware it's running on and the data you

Mishaal:

depend on secured, come talk to us.

Mishaal:

That SPER we specialize in helping companies manage fleets of dedicated

Mishaal:

devices, including deploying and keeping your apps updated on them.

Mishaal:

If you're trying to deploy a kiosk or point of sale terminal,

Mishaal:

you need to lock it down.

Mishaal:

So potentially malicious applications, can't be side loaded onto.

Mishaal:

That's especially important because most of the time, these dedicated

Mishaal:

devices won't have GMs on them.

Mishaal:

So you can't count on Google, play, protect for protection.

Mishaal:

And if you're worried about any mobile bundle applications that are pre-installed

Mishaal:

on the off the shelf hardware that you've picked up for your dedicated device

Mishaal:

fleet, you'll need to look at deploying your own firmware based on AOS P.

Mishaal:

We can also help with that.

Mishaal:

Check us out@esper.io and Brian, thanks for joining us on

Mishaal:

this episode of Android bites.

Mishaal:

Is there anything you'd like to close us off with?

Mishaal:

Can you like work?

Mishaal:

Can people find you online and work?

Mishaal:

Can people work with now secure on securing their application?

Brian:

Yeah, so you, you can find us online.

Brian:

There's a bunch of great resources.

Brian:

I'm gonna talk out real quick.

Brian:

So now secure.com/nasa, M a S a that will help you understand the app defense

Brian:

Alliance and the independent security.

Brian:

If you're a user look to see that the apps you're choosing have

Brian:

an independent security review.

Brian:

If you're a developer, get your independent security review, we

Brian:

can help you expedite that process.

Brian:

That's cheap and easy to go do.

Brian:

If you want some training@cat.now secure.com is a free training environment.

Brian:

It's for development, QA, DevOps, and security teams to learn everything they

Brian:

needed to know about building testing and running secure apps in production.

Brian:

Again, that's a free resource.

Brian:

You can find me all over the place.

Brian:

I'm actually known as read on the run is my handle.

Brian:

So you can find me on, you know, LinkedIn, Twitter, and other kinds of fun places.

Brian:

Speaking to events of all kinds.

Brian:

The last thing I'll give you is O O is growing dramatically.

Brian:

The O OS mobile project is advancing.

Brian:

There's some really great things coming from O O this fall.

Brian:

And until later this year with the evolution of the

Brian:

mobile app security project.

Brian:

So if you're into the community activities, come join us at OAS, spend the

Brian:

mobile project and get involved because there's some really great stuff going on.

Brian:

It's a place you can learn a place you can contribute.

Brian:

And really be part of a community.

Brian:

Who's trying to do the right thing for mobile application

Mishaal:

security.

Mishaal:

And just to clarify, what is O OSP?

Mishaal:

Exactly?

Mishaal:

What does it stand for?

Mishaal:

Oh,

Brian:

O OSP is the open web application security project or program.

Brian:

It's an independent vendor, agnostic community of, uh, security professionals.

Brian:

Who've been building standards and specifications for how to build secure web

Brian:

apps, mobile apps, how to secure your APIs on the back end and things of that nature.

Brian:

So O O for those who are in the security.

Brian:

Are generally familiar with it as a non-for-profit that drives that

Brian:

O OSP has a number of initiatives going on in the development world.

Brian:

And what's really great about it is that Google has fully embraced O O

Brian:

so the app defense Alliance master certification program, which gets you

Brian:

that independent security verification actually is using the O OSP standard.

Brian:

And you're gonna see the O OSP standard in many other places.

Brian:

As a mechanism for a common industry standard for what security means, whether

Brian:

it's web mobile network, device or API.

Brian:

So there's some really great things going on at that

Mishaal:

standards body.

Mishaal:

All right.

Mishaal:

Thank you, Brian.

Mishaal:

And thank you everyone again for listening to another episode of Android bites.

Next Episode All Episodes Previous Episode
Show artwork for Android Bytes (powered by Esper)

About the Podcast

Android Bytes (powered by Esper)
A weekly show that dives deep into the Android OS
Android Bytes (powered by Esper) is the podcast that dives deep into the engineering and business decisions behind the world’s most popular OS. https://www.esper.io

Android powers over 3 billion devices worldwide and is the platform of choice for over a thousand companies. You’ll find Android on smartphones, tablets, watches, TV, cars, kiosks, and so much more. How does Google architect Android to run on so many form factors, and how do companies fork AOSP to make it run on even more devices? These are the kinds of questions the Android Bytes podcast considers each week.

Join cohosts Mishaal Rahman and David Ruddock, two journalists with extensive knowledge covering the Android OS platform and ecosystem, as they speak to system architects, kernel engineers, app developers, and other distinguished experts in the Android space.

Get in touch with us at Esper.io if you’re looking to use Android for your product — we have the experience you need.

About your hosts

David Ruddock

Profile picture for David Ruddock
David is the Editor in Chief of Esper, and cohosts Android Bytes. David spent over 10 years as the Editor in Chief of Android Police, where he reviewed more phones than he'd care to admit, broke dozens of exclusive mobile industry stories (and also, phones), and ran one of the web's most vibrant Android communities.

Mishaal Rahman

Profile picture for Mishaal Rahman
Mishaal is the Senior Technical Editor at Esper.io and a cohost of the Android Bytes podcast. At his previous role as Editor-in-Chief at XDA-Developers, Mishaal was at the forefront of Android tech journalism, breaking story after story on new OS features and platform changes.