Androsia: A step ahead in securing in-memory Android application data, presented at CODE BLUE 2017

by Samit Anwer

Summary: Android does not provide explicit APIs to reclaim memory from sensitive objects that are not "used" later in the program. The "java.security.*" library does provide classes for holding sensitive data (like KeyStore.PasswordProtection) and APIs (like destroy()) to remove sensitive content. However, the onus of calling these APIs is on the developer. Developers may invoke these APIs very late in the code or may even forget to invoke them.
In this work, we propose a novel approach to determine, at every program statement, which security-critical objects will not be used by the app in the future. Using the results of our data flow analysis, we can flush out security-sensitive objects immediately after their last use, thereby preventing an attacker from dumping security-critical information. This way an app can truly provide defence in depth.
We incorporate support for tracking objects in all possible scopes (instance field, static field, local) in our tool called Androsia, which uses static code analysis to perform a summary-based inter-procedural data flow analysis that determines the points in the program where security-sensitive objects are last used. Androsia then performs a bytecode transformation of the app to flush out the secrets, resetting the objects to their default values.
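
The last-use computation described above, reduced to a single method, as an added Python illustration that is not Androsia's code. It runs a backward liveness analysis over a constructed control-flow graph and reports where each sensitive variable can be reset; the statements, variable names and graph are assumptions, and aliasing, fields and inter-procedural summaries are left out.

```python
# Added illustration: backward liveness over a constructed CFG (not Androsia's code).
# Node id -> (statement text, variables defined, variables used, successor ids).
CFG = {
    0: ("pw = readPassword()",    {"pw"},  set(),   [1]),
    1: ("key = deriveKey(pw)",    {"key"}, {"pw"},  [2]),
    2: ("if (online)",            set(),   set(),   [3, 4]),
    3: ("upload(sign(key, msg))", set(),   {"key"}, [5]),
    4: ("queueForLater(msg)",     set(),   set(),   [5]),
    5: ("showDone()",             set(),   set(),   []),
}
SENSITIVE = {"pw", "key"}  # names treated as secrets (assumption; aliasing is ignored)


def liveness(cfg):
    """Iterate live_in = uses | (live_out - defs) until nothing changes."""
    live_in = {n: set() for n in cfg}
    live_out = {n: set() for n in cfg}
    changed = True
    while changed:
        changed = False
        for n in sorted(cfg, reverse=True):  # reverse order converges faster
            _, defs, uses, succs = cfg[n]
            out = set().union(*(live_in[s] for s in succs))
            inn = uses | (out - defs)
            if (inn, out) != (live_in[n], live_out[n]):
                live_in[n], live_out[n], changed = inn, out, True
    return live_in, live_out


def flush_points(cfg, sensitive):
    """Places where a sensitive variable stops being live and can be reset."""
    live_in, live_out = liveness(cfg)
    points = set()
    for n, (_, defs, uses, succs) in cfg.items():
        # Last use: touched by this statement and dead afterwards.
        for v in ((defs | uses) & sensitive) - live_out[n]:
            points.add(("after", n, v))
        # Branch case: still live on another successor, dead along this edge.
        for s in succs:
            for v in (live_out[n] & sensitive) - live_in[s]:
                points.add(("edge", (n, s), v))
    return points


if __name__ == "__main__":
    for kind, where, var in sorted(flush_points(CFG, SENSITIVE), key=str):
        print(f"reset {var!r} {kind} {where}")
```

The "edge" result is the case a manual destroy() call tends to miss: on the offline branch the key is never used again, so it has to be reset on entry to that branch rather than after a statement that touches it.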