Grab’n Run: a practical and secure library for dynamic code loading on Android devices

Recent studies [Poeplau 2014] show that developers of Android apps, even the most famous ones (e.g. Facebook, Google Ads), may need to dynamically load additional code during execution. Such code can be retrieved from either local or remote containers. This technique has clear advantages, such as minimizing the code's memory footprint or enabling “silent updates” that decouple updates of our app from those of its third-party libraries.
Unfortunately, it also brings security drawbacks. Firstly, malware authors may use dynamic code loading (DCL) to bypass antivirus checks by loading malicious code at runtime, after an apparently benign APK has been installed. Secondly, the native Android APIs do not implement any kind of integrity check on DCL. This means that a remote attacker who succeeds in modifying the bytecode of the APK or JAR container specified as the source for DCL will not only go undetected but also see the repackaged code kindly executed by the Dalvik VM. This kind of vulnerability was found in 9.25% of the apps present on the Play Store in 2012. In our opinion, developers should not be required to be security or crypto experts, which is why we think that APIs should abstract security details by implementing best practices in a way that is truly transparent to developers.
This talk gives an overview of the issue and presents Grab’n Run, an open-source drop-in library that wraps the current DexClassLoader API with an extra layer and makes DCL easier, safe and secure.
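
The integrity check that the native API leaves to the developer can be sketched as follows. This is an added example, not code from the talk or from Grab’n Run: it pins a SHA-256 digest (an assumed design chosen for brevity), and the names `VerifiedContainer` and `copyAndVerify` are hypothetical. It is plain Java with constructed sample bytes so it runs off-device; `java.nio.file` on Android assumes API level 26 or later.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;

/** Added example: verify a code container against a pinned digest before loading it. */
public class VerifiedContainer {

    /**
     * Copies the container into a private directory while hashing it, then
     * compares the digest with the pinned value. Hashing the private copy
     * (not the original) prevents a swap between the check and the load.
     */
    static Path copyAndVerify(InputStream source, Path privateDir, byte[] pinnedSha256)
            throws IOException, GeneralSecurityException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Path copy = Files.createTempFile(privateDir, "dcl-", ".jar");
        try (InputStream in = new DigestInputStream(source, sha256)) {
            Files.copy(in, copy, StandardCopyOption.REPLACE_EXISTING);
        }
        // Constant-time comparison of the computed and pinned digests.
        if (!MessageDigest.isEqual(sha256.digest(), pinnedSha256)) {
            Files.delete(copy); // never leave an unverified container on disk
            throw new SecurityException("container digest mismatch, refusing to load");
        }
        return copy;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bytes standing in for a JAR/APK container.
        byte[] original = "constructed sample container".getBytes("UTF-8");
        byte[] tampered = "constructed sample c0ntainer".getBytes("UTF-8");
        // Assumption: the pinned digest ships inside the app, fixed at build time.
        byte[] pinned = MessageDigest.getInstance("SHA-256").digest(original);
        Path privateDir = Files.createTempDirectory("app-private");

        Path ok = copyAndVerify(new ByteArrayInputStream(original), privateDir, pinned);
        System.out.println("verified copy: " + ok);
        // On Android, only now would the path be handed to the loader, e.g.
        // new DexClassLoader(ok.toString(), optimizedDir, null, parentLoader)

        try {
            copyAndVerify(new ByteArrayInputStream(tampered), privateDir, pinned);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A pinned digest ties each container version to an app release; when the container must change independently of the app, the check has to verify a signature against a pinned certificate instead.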

Best practice Development Security
Location: Sala Lisbona
Date: 9 April 2015
Time: 15:20 - 16:00
Speaker: Luca Falsina