Perils of Running Apps in Android Virtual Containers

About the speakers

Gautam Arvind Pandian
Thales DIS, Singapore

Gautam is a security researcher with expertise in mobile applications. He has over 6 years of experience in designing security mechanisms and hardening mobile applications. He has successfully overseen secure development of many applications including banking and government applications. He believes in designing security schemas which are easier to understand and develop by programmers who are not security experts.

Vikas Gupta
Thales DIS, Singapore

Vikas is a security researcher and pentester, with expertise in mobile applications. He holds masters in security and mobile computing from DTU, Copenhagen and NTNU, Trondheim (Erasmus Mundus program). In over 6 years of experience he has worked on both side of the spectrum - in attacking and hardening mobile applications. He is among top contributors to OWASP MSTG guide and thoroughly enjoys reverse engineering binaries by using combination of techniques involving symbolic execution, emulators and manual analysis.

Abstract

Android plugin frameworks are application level virtualisation technology enabling to run multiple instances of an app on same device, without actually installing them. These frameworks solve a common problem encountered by many users – maintaining two sets of accounts for commonly used applications, like Instagram or Whatsapp. But not all is good about these frameworks. The convenience offered comes at a cost of weak security. Android applications are developed around the basic security guarantees offered by the underlying operating system, but none of these guarantees are applicable anymore under such virtual environments, for instance application permissions or data sandboxing. This makes the applications running inside these containers vulnerable.

Such plugin frameworks are thriving on the Google Play store, with Parallel Space having over 90 million users. Previously this topic has been researched in detail with security researchers documenting multiple security weaknesses in these frameworks. In this presentation we build on the previous work and present some new attacks on applications running inside such virtual containers. Broadly we will be covering following topics:

  1. Discuss our newly discovered security vulnerability for apps using Android Keystore when running inside virtual containers.
  2. Discuss how virtual frameworks provide a conducive environment for malwares to steal user sensitive data.
  3. How virtual containers can provide an ideal pentest environment where applications can be instrumented without a root or repackaging them.
  4. Finally discuss mechanisms to detect such virtual containers from a developers perspective and ensure security of their applications.