
Android Application Vulnerabilities

PROJECT REPORT
Submitted in partial fulfilment for the J-Component

INFORMATION SECURITY AND ANALYSIS


by

Abhay Manoj – 20BCE2569


Department of Computer Science and Engineering
Vellore Institute of Technology
Vellore, India

Fahad Salim Dalwai - 20BCE0610


Department of Computer Science and Engineering
Vellore Institute of Technology
Vellore, India

under the guidance of


Dr. MURALI S
SCOPE
VIT
ABSTRACT:
This paper presents a mobile application called MeetIn, which is a social-media-centric application where users can post, view and share images with other users.
The main aim of the project is to demonstrate various attacks that can be performed on a vulnerable mobile application, such as tap jacking, database tampering and SQLite injection, as well as various methods through which malicious users can access information either locally or through a cloud database provider such as Firebase.
Finally, different techniques and tools will be demonstrated to prevent attacks and secure the application, in order to harden its security and protect user-generated content and the overall safety of the mobile application.
INTRODUCTION
A mobile application or app is a computer program or software
application designed to run on a mobile device such as a
phone, tablet, or watch. Mobile applications often stand in
contrast to desktop applications which are designed to run on
desktop computers, and web applications which run in mobile
web browsers rather than directly on the mobile device.
Apps were originally intended for productivity assistance such
as email, calendar, and contact databases, but the public
demand for apps caused rapid expansion into other areas such
as mobile games, factory automation, GPS and location-based
services, order-tracking, and ticket purchases, so that there are
now millions of apps available. Many apps require Internet access. Apps are generally downloaded from app stores, which are a type of digital distribution platform.
Mobile app security is the practice of safeguarding high-value
mobile applications and your digital identity from fraudulent
attack in all its forms. This includes tampering, reverse
engineering, malware, key loggers, and other forms of
manipulation or interference. A comprehensive mobile app
security strategy includes technological solutions, such as
mobile app shielding, as well as best practices for use and
corporate processes.

Mobile app security has quickly grown in importance as mobile devices have proliferated across many countries and regions. The trend towards increased use of mobile devices for banking services, shopping, and other activities correlates with a rise in mobile devices, apps, and users.
Another required tool is a cloud-hosted database service, which is available from various vendors. Firebase is a set of hosting services for any type of application (Android, iOS, JavaScript, Node.js, Java, Unity, PHP, C++ ...). It offers NoSQL and real-time hosting of databases, content, social authentication (Google, Facebook, Twitter and GitHub), and notifications, or services such as a real-time communication server. Some forms of attack are:

1. Application Binary-Level Attacks

Unlike web apps, mobile apps are exposed to binary-level attacks, because the application binary must be made public. An attacker can download the app, compromise its source code and exploit it. Ways of doing so are:

2. Reverse-engineering
Some hackers use dedicated tools to reverse-engineer the app's
source code. This can reveal a company's core business logic, which
can be used by competitors to steal ideas and tactics.

3. Extracting sensitive information

Some tools can extract string constants from the binary. This can reveal critical information, such as an administrator's login credentials or a sensitive URL.

4. Inserting malicious code and redistributing your app

Some hackers will hack directly into the binary file of the app, then insert their own malicious code into the binary itself. They will then distribute the app through unofficial channels and get it installed on unsuspecting users' devices.

Doing so enables them to do things like 'phish' a user's details, redirect users to their website/products unwittingly, or show things that can harm your company's reputation and credibility.
5. Mobile Device-Level Attacks
A device-level attack is when a vulnerable device is exploited to gain
access to a network. The attack can be performed on any connected
device(s). They come in many different forms, such as:

6. Malicious apps that steal data

Hackers distribute their own apps disguised as games, utilities, etc., which will, behind the scenes, observe the user's actions and inputs. Thus they are able to steal a lot of details, such as what other apps are installed, all of the user's keyboard inputs, all network activity, etc.

7. Installing your app on Rooted / Jail-broken devices

Hackers modify the OS installed on their phone and then run your app. With this, they are able to observe the internal activity of your app, such as what data you are storing internally and what network calls are being made, which a normal user would not be able to see. With all this data available, they have more knowledge about how your product or service works, and can abuse it.

8. Modifying app data

Hackers will look at the file system and see how the app is storing files and data locally. Sometimes modifying the data files can make the app behave differently to suit the hacker's intents. For example, by modifying a file, the hacker might be able to appear logged in to the application, without any credentials.

9. Observing logs
Sometimes the developers of the app put logs to debug the
application, and forget to remove them before releasing to
production. Anyone can simply observe these logs and get insight into
the working of the apps.
10. Observing unencrypted network traffic
If the app's communication with the server is not encrypted correctly, all the communication can be read in the clear by an observer. This includes the credentials passed to the server, sensitive information returned by the server, etc.

11. Server-Level Attacks

By hacking the mobile application as described in the previous two levels, the hacker could have gained knowledge about how the app interacts with the web service, and can try to exploit the web service.

• Man-in-the-middle attacks: The hacker understands the API calls made by the app, reuses the authentication sent by the app and poses as a legitimate user. The unsuspecting server might serve confidential data to the hacker.
• DDoS attacks: By knowing the API end points used by the app, the hacker could use automated tools to push heavy traffic to those end points, causing the server to go down. In effect, your product or service would become unusable to real users.
RELATED SURVEY
A survey by the well-established company NowSecure found that:
• 82% of Android devices were susceptible to at least one out of 25 vulnerabilities in the Android operating system.
• Business apps are three times more likely to leak log-in credentials (both personal and corporate data) than the average app.
• One in four mobile applications contains at least one high-risk security flaw.
• 50% of apps with five to ten million downloads include a security flaw.
• 25% of the 2 million applications available on Google Play alone include a security flaw.
It also found that most of the threats took the following forms:

MOBILE APP SECURITY THREATS

Without implementing any form of mobile app security, your app is vulnerable to reverse engineering attacks and is prone to manipulation. The most common mobile security threats to keep an eye on are:

POOR DATA ENCRYPTION

In case your app is storing sensitive data in a local file without encryption, it's time to switch things up. Encrypt that data and use Keychain (iOS) or Keystore (Android) for storing decryption keys.
VULNERABLE OSs
Hackers are up to date with all of the loopholes in operating systems in order to tamper with them. Make sure that your operating system is always up to date with the latest version.

REVERSE ENGINEERING
In simple terms, reverse engineering, in this case, is application
development, only backward. Hackers often disassemble apps piece
by piece in order to understand the algorithms and workflows,
followed by exploiting detected vulnerabilities.

MOBILE APP ATTACKS

Rooting or jailbreaking your device puts your smartphone at high risk. This is because the default OS security measures can be easily removed. Your phone won't be able to recognize if an app from an unsecured source is being installed. Exact copies of an original app, developed by hackers and injected with malware, can steal data contained on your phone.
System Architecture

The overall system is based on the MVVM architectural pattern. All local data is stored in an SQLite database, while the back-end data is stored in Firebase as a Firestore database and a Realtime Database for extra backing capacity. Model — View — View Model (MVVM) is the industry-recognized software architecture pattern that overcomes all drawbacks of the MVP and MVC design patterns. MVVM suggests separating the data presentation logic (Views or UI) from the core business logic part of the application.
The separate code layers of MVVM are:

• Model: This layer is responsible for the abstraction of the data sources. Model and View Model work together to get and save the data.
• View: The purpose of this layer is to inform the View Model about the user's action. This layer observes the View Model and does not contain any kind of application logic.
• View Model: It exposes those data streams which are relevant to the View. Moreover, it serves as a link between the Model and the View.
The MVVM pattern has some similarities with the MVP (Model — View — Presenter) design pattern, as the Presenter role is played by the View Model. However, the drawbacks of the MVP pattern have been solved by MVVM in the following ways:
1. The View Model does not hold any kind of reference to the View.
2. Many-to-one relationships exist between the View and the View Model.
3. No triggering methods are needed to update the View.
The app is intended to be online first and has the following
features:
• Enable users to upload an image
• Enable users to view other people's images
• Enable users to search other friends and comment and
• Authenticate login and logout
• View pictures and create captions and likes
The app follows the repository pattern, since it allows an offline mode to be created; the other benefit is that the code is much more efficient and clean, enabling the back-end team to maintain and sustain the app quickly and productively.
Kotlin coroutines are also used to make asynchronous calls to the Firebase database, since making direct calls would block the UI thread and crash the app. MutableLiveData, a feature of Android, allows us to continuously update the UI elements as soon as updates are received from the back end in the form of Kotlin flows.
WORKING MECHANISM:

There are two main flows through which the user can interact and navigate.
1. The authentication flow, through which the user can either log in or sign up with their own e-mail and ID, or with a Gmail address, in order to log in and create an account for the meeting application.
2. The next three pages are all intended for the main functionality. They include searching for a friend through the search tab, by which a list of friends is listed and the user can select them and add them to their following list. Another page is the view-all page, where viewers can see their friends' pages and interact with them, see their captions, or log out of the application. The third and final page is the user's own profile page, through which they can view their profile details and update them, as well as view the images they have uploaded and upload images for their friends.
3. Users will also be able to view the various events happening around the university campus through the information page, which stores information such as the location, the event name and the event timing, so that they can go to the events and share them with their friends as well.
APP SCREENSHOTS:
IMPACT:
The impact of the system is to better integrate and connect students to a social media platform specific to VIT Vellore itself, to find out more about all the events happening, and to know about and discover their friend circles around them. While mainstream media platforms provide a much larger audience, MeetIn aims to create a homegrown audience through its user-generated content and its localization to VIT and the events there. The various attacks on the application will have a significant impact. The user database would be compromised, along with the safety of private information, and the organization would be affected as well, since a large-scale attack creates a billing impact and thus negatively affects the developer through high numbers of read requests to the database, which can also degrade the service and stop the app's main functionality.
EXPLANATION AND ARCHITECTURE DIAGRAM:

1. SQLite Injection:

The Android database framework Room is built on top of SQLite in order to ease developers' local database needs. However, a large number of security aspects have been left out and, unless proper care is taken by the developer, the database can be susceptible to hacking.

2. Intent Injection:

This is the process by which a hacker or an application gains access, through intents and intent filters, to components which cannot be directly accessed from outside the application itself. This is dangerous because an attacker can force the app to launch a non-exported component that cannot be launched directly from another app, or to grant the attacker access to its content providers.

3. Core Device Hardware Hacking:

Various components such as the camera, microphone and storage are treated as high priority by Google in Android. However, it is possible to gain access through user permissions without the user knowing, exploit it, and upload the captured data to a database in the back end.

4. Authentication Spoofing:

This is concerned with getting access to the user's login and password by sniffing them and sending them to a back end without the user's knowledge. Of all the vulnerabilities, this is the easiest to perform. Hence it is recommended that a user logs in with their Google account and not with a custom account, since it cannot be accessed and spoofed.

The application accesses the Firebase products through APIs provided by Firebase itself. The various APIs include authentication, writing documents into the database, reading values, filtering, as well as sending an OTP for authentication. These different methods have been bundled to provide a meaningful document structure and flow for the entire application and are stored in the app repository as shown below.
ATTACKS PERFORMED:

Database Hacking:

It is possible to access and hack into the Firebase database simply by obtaining the URL of the Realtime Database location. This is due to the lack of any security rules created in the Firebase database.

Tap Jacking
Clicking on the homepage redirects you to a random advertisement page in your web browser without the user's permission. This is because a malicious user creates a view in front of the actual activity in order to make the user click on something they did not intend to. This is like an iframe in the case of websites on the Internet.

SQLite Injection

This causes the app to become unresponsive due to an internal error that occurs when an SQLite query is passed in the search field.
Intent Sharing:

This is like tap jacking, but in the sense that the user is able to access another application using external intents, which allows them to send data to any other social media app such as WhatsApp, Facebook, etc. In the given case, the application sends the data to the e-mail app and automatically fills in the information without explicitly asking you.
RESULTS:

It can hence be seen that all of these different attacks can be easily performed even by a layman and have huge implications for user safety, especially for user-generated content. It is vital that these flaws and vulnerabilities are quickly patched, as malicious users can easily break in and compromise users' sensitive information. In general, this causes the following.

1. Your Application Loses Users

Data breaches often release droves of personal data into unknown, malicious hands. If your customers entrust you with credit card numbers or other financial information, these incidents can be especially harmful. When you experience a data breach, your affected customers face quite the ordeal. Some may subsequently experience identity theft or credit card fraud. When customers experience issues because of a company's cybersecurity negligence, they often feel like their trust has been broken. Many may stop doing business with you.

2. It Can Damage Brand Reputation

All press is good press — except in the case of cybersecurity negligence. Large-scale data breaches for major brands are highly publicized. Every month of 2019 was plagued with at least one.

3. You Lose Intellectual Property

Your cyber network and even your emails contain intellectual property and industry secrets. Some of what your company keeps closest to its chest — blueprints, designs and strategies — can be targeted in cyberattacks. Manufacturers can lose proprietary product designs before they can obtain their patents. Gaming and software companies can have valuable coding exposed. Entertainment companies can lose unreleased films, shows, and music to leaks.

4. Database Side:

Despite being a relatively safe server-side database storage platform, the main issue is in the form of security rules. Firebase Security Rules stand between data and malicious users. Developers can write simple or complex rules that protect the app's data to the level of granularity that your specific app requires.

Firebase Security Rules leverage extensible, flexible configuration languages to define what data your users can access for Realtime Database, Cloud Firestore, and Cloud Storage. Firebase Realtime Database Rules leverage JSON in rule definitions, while Cloud Firestore Security Rules and Firebase Security Rules for Cloud Storage leverage a unique language built to accommodate more complex rules-specific structures.

Firebase Security Rules work by matching a pattern against database paths, and then applying custom conditions to allow access to data at those paths. All Rules across Firebase products have a path-matching component and a conditional statement allowing read or write access. You must define Rules for each Firebase product you use in your app.
HOW ATTACKS WORK:

How SQLite attack works

SQLite injection means injecting malicious code to gain access to other data in the database while accepting input from the application.
Suppose we have a registration page where the user needs to enter a username; if instead he enters an SQLite statement, it will run on our database and return data based on his query statement.
The basic idea of SQLite injection attacks is to get protected information from your database and to perform harmful actions, such as updating existing records or deleting/dropping tables in the database, etc.
Generally, these SQLite injection attacks can happen whenever your application relies on user input to construct the SQLite query statements. So while taking input from users we need to validate that data before we send it to the database, by defining pattern validations or accepting the input parameters in the standard way.

How Tap Jacking works

Tap jacking is the Android-app equivalent of the clickjacking web vulnerability: a malicious app tricks the user into clicking a security-relevant control (a confirmation button, etc.) by obscuring the UI with an overlay or by other means. Here, we differentiate two attack variants: full and partial occlusion. In full occlusion, the attacker overlays the touch area, while in partial occlusion, the touch area remains unobscured.
Tap jacking attacks are used to trick users into performing certain actions. The impact depends on the action targeted by the attacker.
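The defensive counterpart to the two occlusion variants above, as an added example that is not code from the MeetIn project: a hypothetical confirmation button that refuses touches while another window covers it (the full-occlusion case, handled by the platform's own filterTouchesWhenObscured setting) or sits next to it (the partial-occlusion case, which Android reports separately from API 29 on).

```kotlin
import android.content.Context
import android.os.Build
import android.util.AttributeSet
import android.view.MotionEvent
import androidx.appcompat.widget.AppCompatButton

// Hypothetical MeetIn control (assumed name, not from the report): a button
// for security-relevant actions that ignores touches delivered while an
// overlay from another app obscures the window.
class SecureConfirmButton @JvmOverloads constructor(
    context: Context,
    attrs: AttributeSet? = null,
    defStyleAttr: Int = 0
) : AppCompatButton(context, attrs, defStyleAttr) {

    init {
        // Platform defence for full occlusion: with this set, View drops any
        // touch whose MotionEvent carries FLAG_WINDOW_IS_OBSCURED.
        filterTouchesWhenObscured = true
    }

    override fun onFilterTouchEventForSecurity(event: MotionEvent): Boolean {
        // Partial occlusion: the touch area itself is visible but another
        // window overlaps part of ours. Android 10+ flags this separately and
        // the platform does not reject it by default, so refuse it here.
        if (isPartiallyObscured(event.flags)) {
            return false
        }
        // Falls through to the built-in FLAG_WINDOW_IS_OBSCURED check.
        return super.onFilterTouchEventForSecurity(event)
    }

    private fun isPartiallyObscured(flags: Int): Boolean =
        Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q &&
            (flags and MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0
}
```

Rejected touches are simply dropped, so a user who sees the button but has an overlay on screen gets no click; a short toast from the caller explaining why is the usual companion.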
PREVENTIVE MEASURES:
Room Database

Using a library such as Room, the official API provided by Android, is one method to prevent SQLite injection attacks as well as a host of other vulnerabilities, and it also simplifies the interface for writing queries. It is officially recommended by Google and the Android team, and it has backticks which ensure that the statement cannot be converted into SQL by a malicious person.
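The contrast the "How SQLite attack works" and "Room Database" sections describe, as an added example that is not the MeetIn project's own code: the entity, DAO and table name are assumptions. The first search builds SQL text from the search field, so the input becomes part of the statement; the second lets Room bind it as a parameter, so it is only ever a value.

```kotlin
import androidx.room.Dao
import androidx.room.Entity
import androidx.room.PrimaryKey
import androidx.room.Query
import androidx.room.RawQuery
import androidx.sqlite.db.SimpleSQLiteQuery
import androidx.sqlite.db.SupportSQLiteQuery

// Hypothetical user table for the friend-search screen (assumed schema).
@Entity(tableName = "users")
data class User(
    @PrimaryKey val uid: String,
    val name: String,
    val email: String
)

@Dao
interface UserDao {
    // @RawQuery runs whatever SQL text the caller hands it. Room cannot check
    // or parameterise that text, so the safety depends entirely on the caller.
    @RawQuery
    fun searchRaw(query: SupportSQLiteQuery): List<User>

    // @Query is parsed at compile time and :query is bound at run time as a
    // value. The || operator concatenates the wildcards inside SQL, so the
    // user's text never touches the statement's structure.
    @Query("SELECT * FROM users WHERE name LIKE '%' || :query || '%'")
    fun searchSafe(query: String): List<User>
}

// The pattern behind the report's unresponsive search: the field's text is
// spliced into the statement. A lone single quote in the input leaves an
// unterminated literal and the query fails; other input can change what the
// statement does. Kept only to show the difference.
fun unsafeSearch(dao: UserDao, input: String): List<User> =
    dao.searchRaw(SimpleSQLiteQuery("SELECT * FROM users WHERE name LIKE '%$input%'"))

// Same search with the value bound; the input is matched literally whatever
// characters it contains.
fun safeSearch(dao: UserDao, input: String): List<User> = dao.searchSafe(input)
```

Where a dynamic statement is unavoidable, SimpleSQLiteQuery also accepts a bind-argument array as its second parameter, which keeps the parameterised form even outside an @Query.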
Firebase Security Rules

Writing robust security rules in the Firebase rules section is the most versatile and important method to secure the database. In the given scenario the database is secured by checking the unique user ID that Firebase assigned on creation of the new user. This prevents unknown persons from accessing the database; only the admin can do so, and only after authorization as well.
Attempting database snooping using the .json method now shows an error, since we are not authorized to access the database.
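A Realtime Database rule set of the kind the paragraph above describes, as an added example rather than the project's own rules: the paths (users, posts) and the ownerUid field are assumptions. The open configuration that let the database be read from its URL is the one where ".read" and ".write" are simply true at the root; here every rule requires a signed-in user whose auth.uid matches the data it touches, and anything not matched by a rule stays denied by default.

```json
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "posts": {
      ".read": "auth != null",
      "$postId": {
        ".write": "auth != null && (!data.exists() || data.child('ownerUid').val() == auth.uid) && (!newData.exists() || newData.child('ownerUid').val() == auth.uid)"
      }
    }
  }
}
```

With these rules an unauthenticated request to the .json endpoint is refused, and a signed-in user can create, edit or delete only posts whose ownerUid is their own.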

Permission Manager:
Using a permission manager application ensures that no application on the phone is snooping or asking for unnecessary requests or permissions. It also prevents apps from accessing and moving into another application from their current application. This is the most common and deadliest form, so restricting an app's permissions to only what it needs is an important task that must be performed.

android:exported="false"

The exported flag indicates whether the given application component is available to other applications. If false, it can only be accessed by applications with the same user ID (which usually means only by code in its own package). If true, it can be invoked by external entities, though which ones can do so may be controlled through permissions. The default value is false for activity, receiver, and service components that do not specify any intent filters; it is true for activity, receiver, and service components that do have intent filters (implying they expect to be invoked by others who do not know their particular component name) and for all content providers. Hence it allows us to prevent unknown tasks from running in front of our application and causing intent jacking.
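A manifest fragment applying the flag as described above, as an added example and not the MeetIn project's own manifest (package, component and permission names are assumptions). Only the launcher activity is reachable from outside; the internal screens and the content provider are not, and the provider is additionally gated by a signature-level permission. Since Android 12 the attribute must be set explicitly on every component that declares an intent filter.

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.meetin">

    <!-- Only apps signed with the same key could ever hold this permission. -->
    <permission
        android:name="com.example.meetin.permission.READ_POSTS"
        android:protectionLevel="signature" />

    <application android:label="MeetIn">

        <!-- Entry point: has an intent filter, so it must be reachable and the
             flag is stated explicitly rather than left to the default. -->
        <activity
            android:name=".LoginActivity"
            android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- Internal screens: no intent filter and not exported, so another app
             cannot start them even with an explicit component name. -->
        <activity
            android:name=".ProfileActivity"
            android:exported="false" />
        <activity
            android:name=".UploadActivity"
            android:exported="false" />

        <!-- Content providers default to exported; turn that off and keep a
             permission on it as a second layer. -->
        <provider
            android:name=".PostsProvider"
            android:authorities="com.example.meetin.posts"
            android:exported="false"
            android:permission="com.example.meetin.permission.READ_POSTS" />
    </application>
</manifest>
```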
App Check:

Using Firebase App Check to monitor and view any suspicious activity and behaviour towards the user database or the authentication is a good method to ensure that billing fraud does not occur as well.
CONCLUSION:
In conclusion, Android is the most widely used mobile operating system. Improving the security of the Android OS is very important to safeguard the user's privacy and confidential information. In this study, it was shown how to avoid misusing app permissions and how to prevent cloud and local database attacks as well as tap jacking and intent hacking.

All the various attacks can be performed from a relatively easy vector; hence it is of vital importance that app security and user safety are given the utmost priority.