LAS VEGAS At the Black Hat security and B-sides conferences here, mobile security will be in the cross hairs this week. While there seems to be a limitless supply of vulnerable mobile apps, defensive measures to actually easily validate and identify mobile vulnerabilities have not been as plentiful.
That's a situation that Parth Patel, vulnerability signature engineer for Qualys, is aiming to help correct. Patel is releasing a new open-source mobile vulnerability framework called the Android Security Evaluation Framework (ASEF) to enable individuals and researchers to more easily identify the security risks associated with any given Android mobile application.
"When you install and run a mobile application, in many cases, you don't know really know if the app is accessing your personal information, if it is leaking your information and if there are vulnerable components," said Patel. There are a lot of questions around using Android applications, so the idea behind ASEF is to provide a layer of transparency."
Researchers can analyze Android apps on a case-by-case basis using manual tools, but Patel wanted to build something more robust. ASEF is an automated virtual environment that replicates the entire lifecycle of an Android application, collecting analytical data on what the application is actually doing while in use.
The data that ASEF collects includes captured network activity and system access functions. All the data can then be parsed to help identify anything that is anomalous or potentially risky.
One way that risky Android applications can be identified is by the way these apps connect to them. ASEF will analyze the Web addresses that the Android app is accessing and compare those against the Google Safe Browsing list to see if there are any malware URLs or known bad sites. ASEF also tests Android apps against known malware signatures that have been publicly disclosed.
"Users can deploy ASEF and collect data at a very large scale," said Patel. "I would also expect that mobile security researchers could also integrate this with their own testing frameworks."
By default, when an application is installed on Android, a list of permissions that the app requires is displayed for the user. In Patel's view, many mobile users have 20 or more mobile applications, and in most cases, users don't read everything in the fine print about permissions. ASEF automatically collects and displays the permission information across all the apps that may be present on a device. By having information on all the app permissions for a given device, Patel's view is that trends emerge, and users and researchers can then get a better idea of how permissions are disrupted across all apps.
ASEF is still a young project and will add new features over time. One key item that ASEF does not do in its initial release, is look for unencrypted connections.
Data that is not sent over encrypted Secure Sockets Layer (SSL) connections can potentially be sniffed by an attacker, stealing log-in and other user credentials. Patel noted that looking for insecure network connections is a feature he is likely to add in a future release of ASEF.
ASEF is set to be freely available from the Qualys Website July 25.