
Internet resources can be accessed via HTTP, the basic Internet protocol, or via HTTPS, which sets up an encrypted connection that allows authentication of the requested resource and protects the integrity of the data exchanged between client and server. HTTPS should always be preferred to HTTP, especially when the app manages private user information. To check whether an app opens secure connections when accessing the Internet, we need to identify the main Java class used to open connections, analyze all of its dependencies until we find the lowest-level functions called by the Java class, and access their data in search of information about the protocol and the connection integrity.

This is how a basic HTTPS connection is created in Android [34]:

```java
URL url = new URL("https://wikipedia.org");
URLConnection urlConnection = url.openConnection();
InputStream in = urlConnection.getInputStream();
copyInputStreamToOutputStream(in, System.out);
```

URLConnection is the abstract superclass of every class that acts as a communication link between the app and a Uniform Resource Locator (URL). In general, creating a connection to a URL is a multistep process [35]: the connection is initialized by invoking the openConnection() method on a specific URL, and then it is completed by the connect() method, which makes the actual connection to the remote object and allows access to its content. The connection process sub-methods are also listed in Table 2.1. We identify URLConnection as the main Java class used to open connections, and we acknowledge that connect() is the lowest-level native function called by the Java class.

The declaration of connect() in /bionic/libc/bionic/connect.cpp follows:

```cpp
#include "private/NetdClientDispatch.h"
#include <sys/socket.h>

int connect(int sockfd, const sockaddr* addr, socklen_t addrlen) {
    return __netdClientDispatch.connect(sockfd, addr, addrlen);
}
```

| Sub-method | Description |
|---|---|
| openConnection() | Manipulates parameters that affect the connection to the remote resource. High abstraction level. |
| connect() | Interacts with the resource; queries header fields and contents. Low abstraction level. |

Table 2.5: URLConnection sub-methods

This function takes a sockaddr* as a parameter, a struct that stores an address family and an array of characters, char sa_data[14].

```c
struct sockaddr {
    sa_family_t sa_family;
    char        sa_data[14];
};
```

This array of characters contains information about the port number of the connection being opened, which could be our first classifier for HTTP and HTTPS connections, but unfortunately it comes as raw data. However, in network programming, whenever a function takes a sockaddr* struct as a parameter, we can work with the struct sockaddr_in instead and safely cast it to the sockaddr* type. The struct sockaddr_in is the basic Internet Protocol version 4 (IPv4) structure used for all system calls and functions dealing with Internet addresses, and it has the same memory size as the struct sockaddr, so we can freely cast a pointer of one type to the other without any risk [36]. The struct sockaddr_in stores an address family in sin_family, a port in sin_port, and an IPv4 address in sin_addr:

```c
#include <netinet/in.h>
// IPv4 AF_INET sockets:
struct sockaddr_in {
    short          sin_family;  // e.g. AF_INET
    unsigned short sin_port;    // e.g. htons(3490)
    struct in_addr sin_addr;
    char           sin_zero[8];
};
```

This trick gives us access to the connection port number every time we hook connect(), which becomes our first pivotal function. The hooking function for connect() follows:

```c
#include <arpa/inet.h>     // ntohs()
#include <netinet/in.h>    // struct sockaddr_in
#include <sys/socket.h>    // struct sockaddr, socklen_t

int my_connect(int sockfd, struct sockaddr *addr, socklen_t addrlen)
{
    // Pointer to the original connect(), saved by the hooking library in eph.orig
    int (*orig_connect)(int sockfd, struct sockaddr *addr, socklen_t addrlen);
    orig_connect = (void*)eph.orig;
    // Reinterpret the generic sockaddr as an IPv4 sockaddr_in to read the port
    struct sockaddr_in *addr_in = (struct sockaddr_in *)addr;
    log("my_connect() called!");
    log("Port: %d", ntohs(addr_in->sin_port));   // network -> host byte order
    hook_precall(&eph);                          // temporarily restore the original code
    int res = orig_connect(sockfd, addr, addrlen);
    hook_postcall(&eph);                         // re-install the hook
    return res;
}
```

The ntohs function [37] converts the port number from network byte order (big-endian⁴) to host byte order (little-endian⁵ on Intel and many ARM processors⁶).
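The port-extraction step of my_connect(), as an added example that is not the thesis's code: it checks sa_family before the cast, so IPv6 peers (struct sockaddr_in6) and port-less families are handled, and it applies the port-based classification the text uses as a first heuristic. The function names and the 192.0.2.1 address are constructed for this example.

```c
// Added example: port extraction from the sockaddr* seen by connect(), with a family check.
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Returns the destination port in host byte order, or -1 when the address
 * family carries no port (e.g. AF_UNIX) or the buffer is too short. */
static int port_from_sockaddr(const struct sockaddr *addr, socklen_t addrlen)
{
    if (addr == NULL || addrlen < sizeof(sa_family_t)) return -1;
    if (addr->sa_family == AF_INET && addrlen >= sizeof(struct sockaddr_in)) {
        /* Same overlay trick as my_connect(): sockaddr_in aliases sockaddr. */
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)addr;
        return ntohs(in4->sin_port);      /* wire (big-endian) -> host order */
    }
    if (addr->sa_family == AF_INET6 && addrlen >= sizeof(struct sockaddr_in6)) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)addr;
        return ntohs(in6->sin6_port);
    }
    return -1;
}

/* First-pass classifier by port; as the text notes, 443 only suggests TLS,
 * it does not prove it, so the verdict for 443 is marked as tentative. */
static const char *classify_by_port(int port)
{
    if (port == 80)  return "http";
    if (port == 443) return "https (unconfirmed)";
    return "other";
}

/* Builds a constructed IPv4 sockaddr_in, as the hook would receive it. */
static int port_of_constructed_ipv4(unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);                     /* store in network order */
    inet_pton(AF_INET, "192.0.2.1", &sa.sin_addr); /* documentation address */
    return port_from_sockaddr((const struct sockaddr *)&sa, sizeof sa);
}

int main(void)
{
    int p = port_of_constructed_ipv4(443);
    printf("Port: %d -> %s\n", p, classify_by_port(p));
    return 0;
}
```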

To verify that the hooking function works, we want our test app to open a basic HTTP connection. To do that, we create the class NetworkTask.java and start its execution from the MainActivity.

⁴ Parameters are always sent most significant byte first.
⁵ Parameters are always sent least significant byte first.
⁶ The ARM architecture was purely little-endian before version 3, when it became bi-endian. Bi-endianness allows for switchable endianness in data and instruction fetches. A bi-endian machine can compute or send data in either endian format. The vast majority of architectures use little-endian as host byte order, anyway.

```java
package disi.unitn.test.adbitest;

import android.os.AsyncTask;
import android.util.Log;
import java.net.HttpURLConnection;
import java.net.URL;

public class NetworkTask extends AsyncTask<String, Void, Void> {
    private Exception exception;

    @Override
    protected Void doInBackground(String... urls) {
        try {
            URL url = new URL(urls[0]);
            HttpURLConnection conn = null;
            conn = (HttpURLConnection) url.openConnection();
            conn.connect();
            Log.d("NetworkTask: ", "After Connect!");
        } catch (Exception e) {
            this.exception = e;
            return null;
        }
        return null;
    }
}
```

```java
// In MainActivity:
String link = "http://www.google.com";
Log.d("Return fr. NHTTPTask", new NetworkTask().execute(link).toString());
```

The following is the output of the program: the hooking code tampers with the virtual method reference, invokes the custom connect(), which retrieves the port number, and then resumes execution of the original connect().

```
I/HOOKLIB: name: connect 11c99
I/HOOKLIB: hooking: connect = 0xb6d7ec99
I/HOOKLIB: THUMB using 0xb03ad659
I/HOOKLIB: my_connect() called!
I/HOOKLIB: Port: 80
D/NetworkTask:: After Connect!
```

The port detected is 80, which is in line with the type of protocol requested. If we open a secure HttpsURLConnection instead of the HTTP-based connection, the output changes accordingly.

```java
package disi.unitn.test.adbitest;

import android.os.AsyncTask;
import android.util.Log;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HttpsURLConnection;

public class NetworkHTTPSTask extends AsyncTask<String, Void, Void> {
    private Exception exception;

    @Override
    protected Void doInBackground(String... urls) {
        try {
            /* HTTPS connection test */
            URL url = new URL("https://wikipedia.org");
            URLConnection urlConnection = url.openConnection();
            InputStream in = urlConnection.getInputStream();
            copyInputStreamToOutputStream(in, System.out);
            Log.d("NetworkTask: ", "After HTTPS Connection!");
        } catch (Exception e) {
            this.exception = e;
            return null;
        }
        return null;
    }

    // Helper not shown in the original listing: drains the response body into the output stream.
    private static void copyInputStreamToOutputStream(InputStream in, OutputStream out)
            throws java.io.IOException {
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
    }
}
```

```java
// In MainActivity:
String link = "https://www.google.com";
Log.d("Return fr. NHTTPSTask", new NetworkHTTPSTask().execute(link).toString());
```

```
I/HOOKLIB: name: connect 11c99
I/HOOKLIB: hooking: connect = 0xb6d7ec99
I/HOOKLIB: THUMB using 0xb03b3659
I/HOOKLIB: my_connect() called!
I/HOOKLIB: Port: 443
D/NetworkTask:: After HTTPS connection!
```

In the majority of cases, this verification detects the insecure connections opened by a malicious application. However, a skilled adversary could force an insecure connection on port 443 and thus avoid detection. Therefore, checking the connection port number is not enough to tell whether the connection is truly secure. To go deeper into the analysis, we examine other native libraries, such as libssl and libcrypto, in search of functions that could be useful to extract data related to the Transport Layer Security (TLS) handshake. For example, we could retrieve information about certificates, cipher suites and their validity.

However, hooking native functions included in the libssl or libcrypto libraries is much more complicated than hooking libc functions. Initially, we thought that these libraries were public, meaning that we could access their functions directly from our program. On the contrary, we found out that libssl and libcrypto are not public libraries, but platform private libraries. Private libraries cannot be accessed from the program unless we manually include the library header files in the project, to override access to the library. Moreover, from API 24 (N⁷), Android imposes stricter restrictions on the type of libraries that can be loaded. More specifically, the dynamic linker no longer loads private libraries. Consequently, apps do not access libssl and libcrypto directly. Instead, they use the Google Mobile Services (GMS) Security Provider when required. This implies that access to the libssl and libcrypto libraries from our native code program might not be possible. Therefore, we conclude that our solution is not compatible with Android Nougat, which limits the hooking library compatibility to Android API 23 (M⁸).

In order to hook libssl and libcrypto functions from our native code program, we build them locally by including their header files in the project⁹. We identify SSL_connect as the first pivotal function from the libssl library. This function takes the SSL* struct as a parameter, and it accesses a lot of TLS information and values. The following is an attempt at a hooking function for SSL_connect, together with its output:

```c
int my_SSL_connect(SSL *ssl) {
    // Pointer to the original SSL_connect(), saved by the hooking library in eph.orig
    int (*orig_SSL_connect)(SSL *);
    orig_SSL_connect = (void*)eph.orig;
    log("my_SSL_connect() called!");
    // The SSL struct fields below are mostly pointers; printing them with %d
    // yields the raw values seen in the output, not human-readable data
    log("cipher_list: %d", ssl->cipher_list->ciphers);
    log("client_CA: %d", ssl->client_CA);
    log("cert: %d", ssl->cert);
    log("ctx: %d", ssl->ctx);
    log("enc_method: %d", ssl->enc_method);
    log("handshake_func: %d", ssl->handshake_func);
    log("param: %d", ssl->param);
    hook_precall(&eph);
    int res = orig_SSL_connect(ssl);   // SSL_connect returns int, not int*
    hook_postcall(&eph);
    return res;
}
```

```
I/HOOKLIB: hooking: SSL_connect = 0xb5d0ff21
I/HOOKLIB: my_SSL_connect() called!
I/HOOKLIB: cipher_list: 197398
I/HOOKLIB: client_CA: 0
I/HOOKLIB: cert: 0
I/HOOKLIB: ctx: 0
I/HOOKLIB: enc_method: -1219687888
I/HOOKLIB: handshake_func: 1
I/HOOKLIB: param: 0
D/NetworkTask:: After HTTPS connection!
```

⁸ Marshmallow.

We are successful in hooking the function from libssl, but we access raw data instead of human readable information. We address this problem in Chapter 5, where we highlight TLS analysis as one of the major future works to be done in this research.

2.5

The hooking library manually imported in