False Sense of Security: A Study on the Effectivity of Jailbreak Detection in Banking Apps

People increasingly rely on mobile devices for banking transactions or two-factor authentication (2FA) and thus trust in the security provided by the underlying operating system. Simultaneously, jailbreaks gain tremendous popularity among regular users for customizing their devices. In this paper, we show that both do not go well together: Jailbreaks remove vital security mechanisms, which are necessary to ensure a trusted environment in which sensitive data, such as login credentials and transaction numbers (TANs), can be protected. We find that all but one banking app, available in the iOS App Store, can be fully compromised by trivial means without reverse-engineering, manipulating the app, or other sophisticated attacks. Even worse, 44% of the banking apps do not even try to detect jailbreaks, revealing the prevalent, errant trust in the operating system's security. This study assesses the current state of security of banking apps and pleads for more advanced defensive measures for protecting user data.
