Black Hat Asia 2020: Android vulnerability scanners tackle code obfuscation and false positives


Adam Bannister 02 October 2020 at 15:06 UTC
Updated: 02 October 2020 at 15:21 UTC

Open source reverse engineering suite and static code scanner showcased at virtual hacking conference

Black Hat 2020 - Android app hunting scanners showcased

Android apps can be probed comprehensively for known security vulnerabilities without being fooled by code obfuscation techniques, attendees at Black Hat Asia heard yesterday.

Adhrit, an APK reversing and analysis suite, scans Android applications “for vulnerable code patterns in the bytecode rather than the Java or source code”, the open source project’s lead, Abhishek J M, told virtual attendees.

As a result, the application’s search for tell-tale vulnerability patterns is “immune to usual code obfuscation techniques”, he added.

Adhrit was one of two security tools that scan Android apps for security flaws to be showcased on day one of the Black Hat Asia Arsenal sessions this week.

One-stop shop

Developed for Indian credit card payment app CRED, Adhrit performs bytecode analysis based on Ghera benchmarks, automated ADB payload generation for exported activities, and reconnaissance for embedded URLs, API keys, and native library strings.

“The idea was to come up with a lightweight, easy-to-set-up tool that would be a one-stop for all things Android Security,” said Abhishek, an application security engineer at CRED.

More specifically, CRED’s development team wanted an application that could “scan for vulnerable code patterns at the source code level” in order to “provide an overview of what lies under the hood” and to identify “the root causes of a lot of problems”.


They also wanted to map “the major components of the application”, which could reveal, for example, “whether the application is storing data on the device, if it is using SQL databases, or using shared preferences.”

Finally, the tool should have the capacity to scan “for hardcoded secrets embedded in the app.”
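The component-mapping step described above starts from the app manifest. The following is an added illustration, not Adhrit’s code: it parses a constructed AndroidManifest.xml and flags components that other apps can reach, applying the documented Android rule that a component is exported when android:exported is "true" or, for non-provider components with no explicit value, when it declares an intent-filter (the implicit default before Android 12). The package name and component names are made up.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical package and components).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bank">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity" android:exported="true"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.bank.SYNC"/>
    <provider android:name=".DataProvider" android:authorities="com.example.bank.data"/>
  </application>
</manifest>"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def exported_components(manifest_xml):
    """Return components reachable from other apps, with the reason and any
    caller permission. Providers only count when explicitly exported, since
    they default to unexported on modern API levels."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    found = []
    for comp in (app if app is not None else []):
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        name = _attr(comp, "name") or ""
        if name.startswith("."):          # expand relative class names
            name = pkg + name
        exported = _attr(comp, "exported")
        has_filter = comp.find("intent-filter") is not None
        if exported == "true":
            reason = "android:exported=true"
        elif exported is None and has_filter and comp.tag != "provider":
            reason = "intent-filter without android:exported (implicit export)"
        else:
            continue
        found.append({"type": comp.tag, "name": name, "reason": reason,
                      "permission": _attr(comp, "permission")})  # None = no permission guard
    return found


def unguarded_exports(manifest_xml):
    """Exported components that any app may invoke without holding a permission."""
    return [c for c in exported_components(manifest_xml) if c["permission"] is None]
```

Exported components with no permission guard are the ones a reviewer should check for unvalidated intent extras, which is the class of ICC issue the Ghera benchmarks catalogue.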

Ghera benchmarks

“One of the pros” of using the Ghera benchmarks (PDF), which document known Android security flaws for the benefit of developers, pen testers, and security researchers, “is that it covers issues even on recent Android versions and every issue is well documented,” said Abhishek.

Each of the 61 known Android vulnerabilities so far included in Ghera’s open source repository “has a vulnerable app, a corresponding malicious app which exploits that particular vulnerability, and a secure app that has patched that issue”.

The security flaws are assigned to categories – web, storage, networking, crypto, and Inter-Component Communication (ICC) bugs – and classified “based on various factors like the attack surface, the exploitability of the attack, the severity of the affected components, etc”, said the speaker.

Static analysis tool

Later on in the Arsenal schedule at Black Hat Asia this week, a quartet of security engineers showcased a ‘static application scanning tool’ – or SAST – which they claimed could cost-effectively achieve a low rate of false positives.

Thanks to the application’s “static taint analysis engine”, the team was able to “cover most vulnerabilities occurring in Android APKs,” attendees heard.

The speakers contend that tools with both dynamic and static scanning functions are typically plagued by false positives. And even those that achieve a higher accuracy only do so at the cost of being unwieldy and expensive to maintain.

In contrast, SAST, claim its developers, boasts a simple architecture, is easy to use and inexpensive to maintain, and is highly accurate despite lacking the capacity for dynamic scans.


The tool leverages Androguard, a customizable open source tool and Python library for reverse engineering Android applications.

Vulnerability patterns can be added easily as new security flaws emerge, claims the project team.

The security engineers told Black Hat attendees that, using SAST, they had already uncovered and reported several potential security vulnerabilities in some of the most popular applications available on Google Play, including a path traversal and a SQL injection vulnerability in one hugely popular app.

The speakers were Todd Han and Lilang Wu from Sangfor Technologies, Lance Jiang from TopSec, and Junzhi Liu from Trend Micro.
