A Practical Approach to Android Mobile Application Security

Abstract

In parallel to rapid developments in computer technology, the number of mobile applications developed for the devices also increases. Mobile applications make life easier, but also bring some risks. These applications may create some weaknesses due to mistakes in the app development or use phase. In this study, a sample security test was performed for mobile application security awareness. This paper related to phising attacks to Android mobile users and data storage security on Android device. The sample mobile application has been decompiled. The malicious code was injected into the sample app. After the code was injected into the sample banking application developed, the user interface was modified. In addition, when the application is open, the user's credit card information is requested. After the user fills information, the credit card information is sent to a different phone number (attacker’s phone number) through an SMS. The mobile user is at risk of stealing sensitive information. This study also shows that the data stored in the device can be accessed through the Android Debug Bridge (ADB) shell commands. As a result, this paper shows that the application developer should be more careful during the development phase and the device user should be more careful during the use phase.

Keywords

• Android,Spyware,Reverse Engineering,Vulnerability,Phishing,Security

References

1. 1. WeAreSocial. 2018 28.03.2018]; Available from: https://wearesocial.com/blog/2018/01/global-digital-report-2018.2. KantarWorldPanel. 2018 01.04.2018]; Available from: https://www.kantarworldpanel.com/global/smartphone-os-market-share/.3. Benítez-Mejía DGN, Sánchez-Pérez G, and Toscano-Medina LK. Android Applications and Security Breach. in 2016 Third International Conference on Digital Information Processing, Data Mining and Wireless Communications (DIPDMWC). 2016.4. Arshad S, et al., Android Malware Detection & Protection: A Survey. International Journal of Advanced Computer Science and Applications, 2016. 7(2): p. 463-475.5. Park JH, et al., An Enhanced Security Framework for Reliable Android Operating System. Security Comm. Networks, 2016. 9: p. 528-234.6. Abualola H, et al., An Android-based Trojan Spyware to Study the NotificationListener Service Vulnerability. Procedia Computer Science, 2016. 83: p. 465-471.7. Utku A and Doğru İA, Mobil Kötücül Yazılımlar ve Güvenlik Çözümleri Üzerine Bir İnceleme. Gazi University Journal of Science, 2016. 4(2): p. 49-64.8. Heinl M, Android Security, in Department of Media and Information Technology. 2015, Offenburg University of Applied Sciences: Almanya. p. 92.9. Wang Y and Alshboul Y, Mobile Security Testing Approaches and Challenges, in First Conference On Mobile And Secure Services. 2015: Gainesville, Florida/USA.10. Zou S, Zhang J, and Lin X, An effective behavior-based Android malware detection system. Security and Communication Networks, 2015. 8(12): p. 2079-2089.11. Cho J, Cho G, and Kim H. Keyboard or Keylogger?: a security analysis of third-party keyboards on Android. in 13th Annual Conference on Privacy, Security and Trust (PST). 2015. İzmir.12. Acar ÖF. Android Zararlı Yazılımlarını Tespit Etme, İmza Oluşturma ve Sınıflandırma. in 7. Uluslararası Bilgi Güvenliği ve Kriptoloji Konferansı. 2014. İstanbul/Türkiye.13. Gökçe KG, Şahinaslan E, and Dincel S, Mobil Yaşamda Siber Güvenlik Yaklaşımı, in 7. Uluslararası Bilgi Güvenliği ve Kriptoloji Konferansı. 2014: İstanbul/Türkiye. p. 214-221.14. Mohsen F and Shehab M. Android Keylogging Threat. in 9th International Conference Conference Collaborative Computing: Networking, Applications and Worksharing (Collaboratecom). 2013.15. Kazancı T, Mobil Bankacılıkta Güvenlik Sorunlarının Analizi, in İstanbul Üniversitesi Fen Bilimleri Enstitüsü. 2013, İstanbul Üniversitesi: İstanbul/Türkiye. p. 111.16. Kiraz Ö and Doğru İA, Android Kötücül Yazılım Tespit Sistemleri İncelemesi. Düzce Üniversitesi Bilim ve Teknoloji Dergisi, 2017. 5(1): p. 281-298.17. Li X, et al. An Android Malware Detection Method Based on AndroidManifest File. in Proceedings of CCIS2016. 2016. China.18. Aung Z and Zaw W, Permission-Based Android Malware Detection. International Journal of Scientific & Technology Research, 2013. 2(3): p. 228-234.19. Sanz B, et al., MAMA: Manifest Analysis for Malware Detection in Android. Cybernetics and Systems, 2013. 44(6-7): p. 469-488.20. Narman AE, Android Programlama. 2013, İstanbul: Kodlab Yayın Dağıtım Yazılım ve Eğitim Hizmetleri San. ve Tic. Ltd. Şti.