ZertApps – Project description

The strong increase in the distribution of smartphones and easily installable applications (apps) from a large number of, often unknown, providers carries significant risks for consumers as well as for use in enterprises. According to current reports, more and more vulnerabilities are found in very widespread apps; one example is the WhatsApp Messenger, and even security-critical apps for payment processing are not immune to faulty implementations of SSL encryption.

The methods currently used to check apps for security vulnerabilities are not yet sufficient and can easily be circumvented. For example, apps can detect that they are being tested for vulnerabilities, present themselves as harmless during the test and only cause damage later at runtime. Likewise, the use of checksums or statistical evaluations can easily be circumvented by changes to the program code. In addition, apps can communicate with each other, so that their combined harmful potential cannot be detected by existing mechanisms. Furthermore, most apps use, next to the platform-specific frameworks (e.g. Android or iOS), cross-platform HTML5 and JavaScript extensions (in WebViews). In order to assess the security of such combinations, the different security models have to be merged and data flows have to be evaluated across technology boundaries.

In summary, the security of apps cannot be guaranteed with existing techniques. The aim of the research project ZertApps is to address the topic “Security Analysis of Mobile Applications” fundamentally and comprehensively and to develop an analysis and certification platform for apps. To that end, the entire supply chain from the development to the deployment of apps shall be covered, and certificates will be awarded for the security of apps. The initial focus is on the Android operating system, but it is planned to transfer the findings to iOS.

The project plans to combine static preliminary analyses of apps with dynamic analyses on the device itself. This way a malware app cannot escape detection: an attack will eventually be detected when the app is executed. The dynamic analyses are optimized statically: if an app has been programmed so that it (partly) provably satisfies a security policy, the dynamic checks of that policy are omitted (for those parts). In addition, cross-technology security analyses will be developed to examine hybrid apps in their entirety. The different ways a smartphone communicates with the outside world, such as the Internet, SMS/MMS, Bluetooth or Near Field Communication (NFC), make the task more complex but also more interesting.

The consortium is well positioned to achieve these challenging goals. On the one hand, the supply chain mentioned above is completely covered: OTARIS, an app developer, datenschutz cert, a testing laboratory (with several years of experience in the field of the Common Criteria), and SAP, a marketplace operator (SAP Enterprise App Store) and provider of a device management solution (SAP Afaria and SAP Mobile Platform), are involved in the project. On the other hand, the research partners can demonstrate profound expertise in the relevant subject. The BSI considers the project idea relevant and has agreed to participate in the project in an advisory capacity.

Duration: 01.01.2014 – 31.12.2015
Partners: OTARIS Interactive Services GmbH, datenschutz cert GmbH, SAP AG, Fraunhofer-Institut für Sichere Informationstechnologie SIT, TU Darmstadt
Sponsor: BMBF