Application Insecurity with Android Virtual Containers — by Gautam Arvind Pandian & Vikas Gupta
SINCON 2020 Conference Deep-Tech Track
Day 1 (2 Jan 2021)
@ Main Stage
Android Virtual Containers (Parallel Space, Dual Space, etc.) are an application-level virtualisation technology that enables executing multiple instances of an app on the same device without actually installing them. This concept solves a common problem for users: maintaining two sets of accounts for commonly used applications such as Instagram, Telegram or WhatsApp. But the convenience offered comes at the cost of weak security. Android applications are developed around the basic security guarantees offered by the underlying operating system, but none of these guarantees apply any longer in such virtual environments. This makes the applications running inside these containers vulnerable.
These virtual containers are thriving on the Google Play store with a massive user base of over 90 million. This topic has previously been researched in detail, with security researchers documenting multiple security weaknesses. In this presentation, we build on the previous work and present some new attacks on applications running inside such virtual containers.
Broadly, we will cover the following topics. First, we discuss our newly discovered security vulnerability for apps using Android Keystore when running inside virtual containers. Second, we discuss how virtual containers provide a conducive environment for malware to steal sensitive user data. Third, we detail how virtual containers can provide an ideal pentest environment where applications can be instrumented without root or repackaging apps. Finally, we discuss mechanisms to detect such virtual containers from a developer's perspective to safeguard security-sensitive applications.
About the Speakers
Gautam Arvind Pandian, Mobile Security Researcher, Thales DIS (Singapore)
GAUTAM ARVIND PANDIAN is a security researcher with expertise in mobile applications. He has over 6 years of experience in designing security mechanisms and hardening mobile applications. He has contributed to the Android CTF challenge in r2con2020 with several niche protection mechanisms. He has successfully overseen the secure development of many applications, including banking and government applications. He believes in designing security schemas that are easier for programmers who are not security experts to understand and develop.
Vikas Gupta, Mobile Security Researcher, Thales DIS (India)
VIKAS GUPTA is a security researcher and pentester with expertise in mobile applications. He holds a master's degree in security and mobile computing from DTU, Copenhagen and NTNU, Trondheim (Erasmus Mundus program). In over 6 years of experience, he has worked on both sides of the spectrum: attacking and hardening mobile applications. He is among the top contributors to the OWASP MSTG guide and thoroughly enjoys reverse engineering binaries using a combination of techniques involving symbolic execution, emulators and manual analysis.