Published on August 16th, 2012 | by NJ Ouchn
ASEF – Android Security Evaluation Framework available
Android Security Evaluation Framework (ASEF) to perform this analysis while alerting you about other possible issues. Use it to become aware of unusual activities of your apps, expose vulnerable components and help narrow down suspicious apps for further manual research.
The framework takes a set of apps, either pre-installed on a device or as individual APK files, and migrates them to the test suite, which runs them through test cycles on a pre-configured Android Virtual Device (AVD). The technique is to simulate the entire lifecycle of an Android app on an Android device (virtual or physical) and collect data while triggering its behavior. In simple words: download an Android app from the Internet, install it on an Android device, launch it and mess with it (e.g. clicking different buttons, scrolling up and down, swiping, etc.). While doing so, collect an activity log using adb (the Android Debug Bridge utility, which is available as part of the Android SDK) and network traffic using tcpdump (a widely used packet capturing tool).
During such a simple yet thorough approach to performing a behavioral analysis of various apps, interesting results were found about apps leaking sensitive information such as the IMEI, IMSI, SIM card or phone number of a device. Some malicious apps might just send this data in clear text over the Internet and are much easier to catch by analyzing the collected behavioral data. However, some malicious apps can be sophisticated enough to detect the default settings of a virtual Android device and might behave differently in such settings. To overcome such limitations, a virtual device can be custom built by fine-tuning the kernel and altering default settings to emulate a real device, or it can be replaced by a physical Android device.
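The cleartext-leak check described above, as an added example that is not part of ASEF or the original post: it searches captured payloads for the test device's identifiers, and goes beyond the cleartext case to hex, Base64, MD5 and SHA-1 forms. The identifiers, hostnames and payloads are constructed sample values, and `encodings` and `find_leaks` are hypothetical names.

```python
import base64
import hashlib
from urllib.parse import quote, unquote_to_bytes

# Constructed identifiers for the test device (sample values, not from ASEF).
DEVICE_IDS = {"IMEI": "356938035643809", "IMSI": "310260000000000",
              "PHONE": "15555215554"}


def encodings(value):
    """Yield (label, needles): the cleartext value plus common transforms."""
    raw = value.encode()
    yield "cleartext", [raw]
    yield "base64", [base64.b64encode(raw)]
    digests = {"hex": raw.hex(), "md5": hashlib.md5(raw).hexdigest(),
               "sha1": hashlib.sha1(raw).hexdigest()}
    for label, digest in digests.items():
        # Hex strings may be sent in either case.
        yield label, [digest.encode(), digest.upper().encode()]


def find_leaks(flows, device_ids=DEVICE_IDS):
    """Return sorted (destination, identifier, encoding) hits."""
    hits = set()
    for dest, payload in flows:
        # Check the raw bytes and their percent-decoded form.
        haystacks = (payload, unquote_to_bytes(payload))
        for name, value in device_ids.items():
            for label, needles in encodings(value):
                if any(n in h for n in needles for h in haystacks):
                    hits.add((dest, name, label))
    return sorted(hits)


# Constructed payloads standing in for reassembled tcpdump streams.
_md5_imsi = hashlib.md5(DEVICE_IDS["IMSI"].encode()).hexdigest().upper()
_b64_phone = quote(base64.b64encode(DEVICE_IDS["PHONE"].encode()))
SAMPLE_FLOWS = [
    ("ads.example.test:80",
     b"GET /track?imei=356938035643809&os=2.3 HTTP/1.1\r\n\r\n"),
    ("stats.example.test:80",
     f"POST /c HTTP/1.1\r\n\r\nuid={_md5_imsi}&p={_b64_phone}".encode()),
    ("cdn.example.test:80", b"GET /logo.png HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for dest, name, label in find_leaks(SAMPLE_FLOWS):
        print(f"{dest}: {name} sent as {label}")
```

A Base64 needle only matches when the identifier was encoded on its own; an identifier embedded in a larger encoded blob has to be decoded first.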
ASEF is now available as open source at http://code.google.com/p/asef/. With it, users can gain access to security aspects of Android apps by using this tool with its default settings. An advanced user can fine-tune it, expand upon the idea by easily integrating more test scenarios, or even find patterns in the data it already collects. ASEF will provide automated application testing and facilitate a plug-and-play kind of environment to keep up with the dynamic field of Android security.
Note From ToolsWatch
The package (ASEF_OSP.zip) comes with 55 vulnerabilities. The format looks like:
(1) pkg:'com.adobe.flashplayer' os:'android 2.x or 3.x' hvv:'' hpv:'18.104.22.168' lvv:'0' info:'"object confusion vulnerability" - allows remote code execution' sev:'HIGH' cve:'CVE-2012-0779' noi:'575,913'
The Perl file apkeval.pl reads the vulnerability db and checks it against the Android apps installed. Check the Readme file first to understand how to set up the tool.
Sounds like this year, Blackhat was more focused on Smartphones and Apps !!