Hackers of India

Androsia - A Step Ahead in Securing Sensitive In-Memory Android Application Data

 Samit Anwer 



Each Android app runs in its own VM, with every VM allocated a limited heap size for creating new objects. Neither the app nor the OS differentiates between regular objects and objects that contain security sensitive information. The sensitive objects like any other object are kept around in the heap until the app hits a memory constraint. The OS then invokes the Dalvik garbage collector in order to reclaim memory from unreferenced objects on the heap and provides the reclaimed memory back to the app. However, there is no guarantee the objects containing security sensitive information will be cleared from memory. Even though objects might not be used ahead in the program, they might still be referenced directly or indirectly by a GC root which would prevent them from getting collected - a situation known as memory leak.

Android does not provide explicit APIs to reclaim memory from sensitive objects which are not “used” ahead in the program. “java.security.*” library does provide classes for holding sensitive data (like KeyStore.PasswordProtection) and API’s (like destroy()) to remove sensitive content from the objects. However, the onus of calling these APIs is on the developer. Developers may invoke these APIs at a stage very late in the code or worst may even forget to invoke them. This leaves a window of time where the security critical objects, which are not used any further in the program, live in the heap memory and wait to be garbage collected. During this window, a compromise of the app can allow an attacker to read the credentials by dumping the heap memory. This is a needless risk every Android application lives with today.

We propose a tool called Androsia, which uses a summary based [1] inter-procedural data-flow analysis to determine the points in the program where security sensitive objects are last used (so that their content can be cleared). Androsia then performs bytecode transformation of the app to flush out the secrets resetting the objects to their default values.

[1] D. Yan, G. Xu, and A. Rountev. Rethinking soot for summary-based wholeprogram analysis. In Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program Analysis, SOAP ‘12, pages 9–14, New York, NY, USA, 2012. ACM