On the (In)Security of Manufacturer-Provided Remote Attestation Frameworks in Android

  • Conference paper
Computer Security – ESORICS 2023 (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14347)

Abstract

To provide a tamper-proof mechanism for mobile apps to check the integrity of the device and their own code/data, Android phone manufacturers have introduced Manufacturer-provided Android Remote Attestation (MARA) frameworks. A MARA framework helps an app conduct a series of integrity checks, signs the check results, and sends them to remote servers for remote attestation. Nonetheless, we observe that real-world MARA frameworks often adopt two implementations of the integrity check (hardware-based and software-based) for compatibility reasons, and this allows an attacker to easily conduct a downgrade attack that forces the app to use the software-based integrity check and forge the checking results, even if the Android device is able to employ hardware-supported remote attestation securely. We demonstrate our MARA bypass approach against MARA frameworks (i.e., Google SafetyNet and Huawei SafetyDetect) on real Android devices, and design an automated measurement pipeline to analyze 35,245 popular Android apps, successfully attacking all 104 apps that use these MARA services, including well-known apps and games such as TikTok Lite, Huawei Wallet, and Pokémon GO. Our study reveals the significant risks facing MARA frameworks in use.

Notes

  1. National Computer Network Emergency Response Technical Team/Coordination Center of China, the national CERT of China and responsible for handling severe cyber-security incidents [35].

  2. OnePlus5T Hydrogen_43_OTA_065_all_2012030405_03dba2c095454647.

References

  1. Tian, Y., Chen, E., Ma, X., et al.: Swords and shields: a study of mobile game hacks and existing defenses. In: Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 386–397 (2016)

  2. Karkallis, P., Blasco, J., Suarez-Tangil, G., Pastrana, S.: Detecting video-game injectors exchanged in game cheating communities. In: Bertino, E., Shulman, H., Waidner, M. (eds.) ESORICS 2021. LNCS, vol. 12972, pp. 305–324. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-88418-5_15

  3. Nguyen-Vu, L., Chau, N.T., Kang, S., et al.: Android rooting: an arms race between evasion and detection. Secur. Commun. Netw. 2017 (2017)

  4. Chen, S., Fan, L., Meng, G., et al.: An empirical assessment of security risks of global android banking apps. In: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pp. 1310–1322 (2020)

  5. Sun, S., Yu, L., Zhang, X., et al.: Understanding and detecting mobile ad fraud through the lens of invalid traffic. In: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 287–303 (2021)

  6. Li, L., Bissyandé, T.F., Klein, J.: Rebooting research on detecting repackaged android apps: Literature review and benchmark. IEEE Trans. Software Eng. 47(4), 676–693 (2019)

  7. Song, W., Ming, J., Jiang, L., et al.: App’s auto-login function security testing via android OS-level virtualization. In: 2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), pp. 1683–1694. IEEE (2021)

  8. Xue, L., Zhou, H., Luo, X., et al.: Happer: unpacking Android apps via a hardware-assisted approach. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 1641–1658. IEEE (2021)

  9. Pokémon GO. https://play.google.com/store/apps/details?id=com.nianticlabs.Pokemongo&hl=en_US. Accessed 14 May 2023

  10. Pokémon Go hits $6 billion in player spending. https://play.google.com/store/apps/details?id=com.nianticlabs.Pokemongo&hl=en_US. Accessed 14 May 2023

  11. Pokémon Go Revenue and Usage Statistics (2023). https://www.businessofapps.com/data/pokemon-go-statistics/. Accessed 14 May 2023

  12. Android - Google Mobile Services. https://www.android.com/gms/. Accessed 14 May 2023

  13. Fake GPS Location Spoofer. https://play.google.com/store/apps/details?id=com.incorporateapps.fakegps.fre. Accessed 14 May 2023

  14. HMS Core. https://developer.huawei.com/consumer/en/hms/. Accessed 14 May 2023

  15. Mobile Application Distribution Agreement (Android). https://www.sec.gov/Archives/edgar/containers/fix380/1495569/000119312510271362/dex1012.htm. Accessed 14 May 2023

  16. HMS Core (APK) Preloading Guide: Ecosystem Cooperation. https://developer.huawei.com/consumer/en/doc/development/hmscore-common-Guides/overview-0000001222509146. Accessed 14 May 2023

  17. Google Play Store. https://apkpure.com/google-play-store/com.android.vending. Accessed 14 May 2023

  18. YouTube. https://play.google.com/store/apps/details?id=com.google.android.youtube. Accessed 14 May 2023

  19. HUAWEI Wallet. https://consumer.huawei.com/en/mobileservices/wallet/. Accessed 14 May 2023

  20. HUAWEI Health. https://consumer.huawei.com/en/mobileservices/health/. Accessed 14 May 2023

  21. HMS Core 5.0 launched for the global developers. https://www.huaweicentral.com/hms-core-5-0-launched-for-the-global-developers-comes-with-7-new-kits-and-services/. Accessed 14 May 2023

  22. Google I/O 2023: What’s new in Google Play. https://io.google/2023/program/9019266d-186c-4a61-9cc5-b1c665eb40fb/. Accessed 21 May 2023

  23. Verifying hardware-backed key pairs with Key Attestation. https://developer.android.com/training/articles/security-key-attestation. Accessed 14 May 2023

  24. Protect against security threats with SafetyNet. https://developer.android.com/training/safetynet. Accessed 14 May 2023

  25. Safety Detect. https://developer.huawei.com/consumer/en/hms/huawei-safetydetectkit/. Accessed 14 May 2023

  26. Mulliner, C., Kozyrakis, J.: Inside Android’s SafetyNet Attestation. Black Hat EU (2017)

  27. Thomas, R.: DroidGuard: a deep dive into SafetyNet. Black Hat Asia (2022)

  28. Examining the value of SafetyNet Attestation as an Application Integrity Security Control. https://census-labs.com/news/2017/11/17/examining-the-value-of-safetynet-attestation-as-an-application-integrity-security-control/. Accessed 14 May 2023

  29. How I discovered an easter egg in Android’s security and didn’t land a job at Google. https://habr.com/en/articles/446790/. Accessed 14 May 2023

  30. RFC 9334: Remote ATtestation procedureS (RATS) Architecture. https://datatracker.ietf.org/doc/rfc9334/. Accessed 14 May 2023

  31. Coker, G., Guttman, J., Loscocco, P., et al.: Principles of remote attestation. Int. J. Inf. Secur. 10, 63–81 (2011)

  32. Ibrahim, M., Imran, A., Bianchi, A.: SafetyNOT: on the usage of the SafetyNet attestation API in Android. In: Proceedings of the 19th Annual International Conference on Mobile Systems, Applications, and Services, pp. 150–162 (2021)

  33. Aldoseri, A., Chothia, T., Moreira-Sanchez, J., et al.: Symbolic modelling of remote attestation protocols for device and app integrity on android. In: 18th ACM ASIA Conference on Computer and Communications Security. Association for Computing Machinery (ACM) (2023)

  34. Duan, Y., Zhang, M., Bhaskar, A.V., et al.: Things you may not know about android (un) packers: a systematic study based on whole-system emulation. In: NDSS (2018)

  35. CNCERT/CC: National Computer Network Emergency Response Technical Team/Coordination Center of China. https://www.cert.org.cn/publish/english/index.html. Accessed 14 May 2023

  36. Google Bug Hunters. https://bughunters.google.com/. Accessed 14 May 2023

  37. A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain. https://googleprojectzero.blogspot.com/2022/11/a-very-powerful-clipboard-samsung-in-the-wild-exploit-chain.html. Accessed 15 May 2023

  38. Upcoming Change: New certificate chain in the API response signature. https://groups.google.com/g/safetynet-api-clients/c/-2ShuYt5kFg. Accessed 17 May 2023

  39. SysIntegrity API. https://developer.huawei.com/consumer/en/doc/development/Security-Guides/dysintegritydevelopment-0000001050156331. Accessed 15 May 2023

  40. CA-certificates. https://android.googlesource.com/platform/system/ca-certificates/. Accessed 15 May 2023

  41. Pin certificates. https://developer.android.com/training/articles/security-config#CertificatePinning. Accessed 15 May 2023

  42. Frida. https://frida.re/. Accessed 15 May 2023

  43. ShakaApktool. https://github.com/rover12421/ShakaApktool. Accessed 15 May 2023

  44. Apktool: A tool for reverse engineering Android APK files. https://ibotpeaches.github.io/Apktool/. Accessed 15 May 2023

  45. Grep. https://www.gnu.org/software/grep/manual/grep.html. Accessed 15 May 2023

  46. Smali. https://github.com/JesusFreke/smali/wiki. Accessed 15 May 2023

  47. Soot. http://soot-oss.github.io/soot/. Accessed 15 May 2023

  48. Application Signing. https://source.android.com/docs/security/features/apksigning. Accessed 15 May 2023

  49. XDA Portal & Forums. https://www.xda-developers.com/. Accessed 15 May 2023

  50. Universal SafetyNet Fix. https://github.com/kdrag0n/safetynet-fix. Accessed 15 May 2023

  51. Shamiko v0.7.2. https://github.com/LSPosed/LSPosed.github.io/releases. Accessed 15 May 2023

  52. Magisk. https://github.com/topjohnwu/Magisk/releases. Accessed 27 May 2023

  53. CVE-2020-0069. https://nvd.nist.gov/vuln/detail/CVE-2020-0069. Accessed 27 May 2023

  54. APKPure: Download APK on Android with Free Online APK Downloader. https://apkpure.com/. Accessed 27 May 2023

  55. 360 Mobile Assistant. http://m.app.so.com/. Accessed 27 May 2023

  56. ProGuard: Java Obfuscator and Android App Optimizer. https://www.guardsquare.com/proguard. Accessed 27 May 2023

  57. UI/Application Exerciser Monkey. https://developer.android.com/studio/test/other-testing-tools/monkey. Accessed 27 May 2023

  58. XAPK file. https://apkpure.com/xapk.html. Accessed 27 May 2023

  59. FGL Pro. https://play.google.com/store/apps/details?id=com.ltp.pro.fakelocation&hl=en_US&gl=US. Accessed 27 May 2023

  60. Fake GPS Location-GPS JoyStick. https://play.google.com/store/apps/details?id=com.theappninjas.fakegpsjoystick&hl=en. Accessed 27 May 2023

  61. Cha Cha Helper. https://www.xxzhushou.cn/?channelid=352666. Accessed 27 May 2023

  62. Moloc. https://www.coolapk.com/apk/top.xuante.moloc. Accessed 27 May 2023

  63. Fake GPS Location Spoofer. https://play.google.com/store/apps/details?id=com.incorporateapps.fakegps.fre. Accessed 27 May 2023

  64. Huawei has the highest number of active smartphone users globally: how is this possible? https://www.gizchina.com/2022/08/27/huawei-has-the-highest-number-of-smartphone-users-globally-how-is-this-possible/. Accessed 27 May 2023

  65. One of China’s most popular apps has the ability to spy on its users. https://edition.cnn.com/2023/04/02/tech/china-pinduoduo-malware-cybersecurity-analysis-intl-hnk/index.html. Accessed 27 May 2023

  66. Protocol Buffers. https://protobuf.dev/. Accessed 30 May 2023

Acknowledgments

The authors would like to thank the anonymous reviewers for their valuable feedback to improve the manuscript. This work is partially supported by Shanghai Pujiang Program (No. 22PJ1405700), the National Key Research and Development Program of China (No. 2021YFB3101402) and the Project of Shanghai Science and Technology Innovation Action Program under Grant (No. 22511101300). The authors would like to thank the support from the ZhiXun Crypto Testing Group as well. We also express our sincere appreciation to Professor Douglas Leith from Trinity College Dublin for his patient and detailed responses to our emails. He addressed our confusion regarding his previous research works and generously shared his experimental details with us. Furthermore, we are grateful to Professor Lei Xue from Sun Yat-sen University for his extensive expertise and patient assistance in resolving the technical difficulties we encountered during the experiments. Their contributions have been instrumental in the successful implementation of this study.

Author information

Correspondence to Yikun Hu or Dawu Gu.

Appendices

Appendix A Integrity Checking Items

A.1 Device Integrity Checking Items

A.2 App Integrity Checking Items

Appendix B Bypassing app integrity check

Fig. 7. Bypassing app integrity check.

Appendix C Device details

Table 3. Details about the Android devices used in Sect. 5.1

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Cite this paper

Zhou, Z., Xiao, X., Hou, T., Hu, Y., Gu, D. (2024). On the (In)Security of Manufacturer-Provided Remote Attestation Frameworks in Android. In: Tsudik, G., Conti, M., Liang, K., Smaragdakis, G. (eds) Computer Security – ESORICS 2023. ESORICS 2023. Lecture Notes in Computer Science, vol 14347. Springer, Cham. https://doi.org/10.1007/978-3-031-51482-1_13

  • DOI: https://doi.org/10.1007/978-3-031-51482-1_13

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-51481-4

  • Online ISBN: 978-3-031-51482-1

  • eBook Packages: Computer Science (R0)
