Leave The App Alone! - Attack and Defense of Android App PDF

Pages: 49
Release year: 2014
File size: 1.93 MB
Language: English

Preview Leave The App Alone! - Attack and Defense of Android App

Leave The App Alone! - Attack and Defense of Android App Hijack

SESSION ID: MBS-W05
Rongyu Zhou, Senior Research Engineer, Baidu Inc.
#RSAC

Outline

- Root or Not Root
- App Hijack
- Hook Insight
- Demo: App Hijack
- Detection & Fix for App Hijack
- Leave My App Alone – Create A Trusted App Runtime

Root or Not Root

- It’s not the main topic I’d talk about today
- But it’s indeed a simple question
- Root: pre-installed, auto startup, customization, etc.
- Not Root: unsafe!
- So, what we need is ‘Safe Root’

Root Risks

- Android keeps each App’s security by creating a different user for each App to distinguish permissions
- Each App could apply for Root permission
- After Root, your App could be accessed by others
  - Memory modifications
  - File access
  - ……

Process of Chrome after hijacked

App Hijack

What’s App Hijack?

- App Hijack: App’s workflow is redirected by others
- Usually achieved by ‘Inject’ and ‘Hook’

App Hijack’s Process

- Reverse App to get its main logic
- Inject evil module into App’s process
  - Ptrace
  - Dlopen
- Hook
  - Java Hook
  - Native(so) Hook

Process of Inject and Hook