That's all. Thank you very much, Monsieur Siavou. So, Finlande d'Ang, for the first time. So, good evening. We are trying to survive with all the different programs and technology and do all the demos. There is only one demo that will not be possible to do, but we will put all the technical details on the website alongside the slides. So, I'm Eric, and Paul. We have worked on the security, or insecurity, of mobile banking and we are going to present a few results about what we have found. So, here is the agenda of this presentation. I will first introduce the background. In fact, all these studies have been performed during the DAVFI project; I will present this project. And then Paul will explain the different tools he has developed to perform static analysis, to collect different APKs and to perform dynamic analysis. Then we will switch to the results. First, I will give some statistics about the different apps we have analysed, and Paul will present four cases which are rather illustrative of what we have found. And you will see that, especially for the first one, very surprising things can be found. And then I will conclude.

So, in fact, the DAVFI project was a two-year project to develop a sovereign, trusted AV for the Android platform, the Linux platform and Windows. Not for Apple, because the French government was not interested in Apple: too much Big Brother. And it has been funded partly by the French government, in fact by the Prime Minister's services, in the context of the digital plan for sovereignty. The grand total was about 6 million euros and the state, the government, has funded only 35%. So, as a research lab, we have produced the proof of concept, and then we have delivered the product, as well as the intellectual property, to a company for the marketing. And the name is no longer DAVFI, because DAVFI was a project; it is Uhuru Mobile for the mobile Android platform and Uhuru Anti-Malware for Linux and Windows. Normally, it was in the timetable.
Normally, free and open versions should be released, at least for non-commercial use. I hope they will do it. At the lab, we have decided to work on a forked version, for Linux at least, and normally by mid-March we should release everything, including the source code, and the name will be OpenDAVFI Linux. But if you want more information, please refer to the official web page of the project. So, if we focus on the DAVFI Android platform, in fact we have delivered the product one year ahead of schedule, so in October 2013; it was based on CyanogenMod and AOSP sources. In fact, from the beginning it was clear that implementing just another anti-malware application would be a failure, because if you go deeper into the system you can get rid of the application. So, in fact, we decided to build a complete anti-malware operating system. So, we rewrote the Android system based on these two sources and we have added some additional security features like total file system encryption, SMS encryption, VoIP encryption and especially an application market accepting only secure, analyzed, certified and digitally signed applications. So, that's why we decided to analyze a lot of applications, including banking applications. So, all those apps are analyzed, static analysis, dynamic analysis, and Paul will present the different techniques, and of course we go as far as the production of the source code by reversing steps. And we have defined of course a security policy, a trust policy, which I'm going to present right after, and if it is not a malware, if the application does not contain any malicious feature and is compliant with this security policy, then the application is certified and digitally signed and put on the market. And for the different features, please refer to the official website of the Nov'IT company. So, the trust policy.
In fact, if you just consider whether the app is a malware or not, it's not sufficient, because between malware and a very safe application you can have a lot of things: non-desirable properties, and especially regarding data confidentiality and user privacy, which is a big problem. So, in fact, what is malicious must be extended to something a little bit broader than simple malware functions. And in fact we have defined a trust policy: an application is trusted, by this policy, if of course it is not a malware, that is a minimum, but also it does not contain hidden functionalities, no information is collected unless it is strictly necessary for the application, every communication between the application and the remote server must be encrypted, and of course there are no vulnerabilities. So, why did we focus on banking applications? In fact, banks are forcing us to use more and more tablets and smartphones in order to connect to a bank account, and more and more the conventional banks will disappear. So, it is obvious that mobile banking applications give direct access to our money and to all the data about what we have purchased and so on. So, of course, it is a critical issue, and for example as a user I don't want my bank to have too much information about what I am doing, and of course not any external attacker either. And the other aspect: since banks have much money, normally they are supposed to do a clean job, a perfect job, and they should normally release only very secure and safe applications. So, we have contacted all the banks in order to alert them about the problems we have found, and everything was free, but up to now only a few banks have answered and asked for more details. Only two in France have asked for the technical details and are currently correcting the part regarding vulnerabilities; I am not sure that they will do it for user privacy, but it is a problem. We will check, however.
So, I made three tools: one for static analysis, called AGIL; a second one, a web crawler, to find malware in the wild; and a third one for dynamic analysis, in fact network communication monitoring. And I started with 1800 applications, both malware and genuine, and these tools are not open source at this time. So, the goal of AGIL is to detect malware based on similarity with known malware. The main hypothesis is that there are not necessarily common characteristics that characterize all malware. That's why the traditional way of detecting malware is to split them into families of malware. It's these families that share common characteristics. So, if we could do some sort of statistics on these families and compare them to the statistics from genuine applications, we could reveal these common characteristics. AGIL can also produce static analysis reports for manual analysis; I will show it to you. Sorry, there was a demonstration in between, but because of the bugs at the beginning I could not show it to you. It will be on the website, so you will find all the information. When you scan an application with AGIL, it basically reverses it to an equivalent source code and it extracts lots of characteristics like permissions, file digests, class and method names, entry point methods, known behaviors from malware, something like that. All this information is used to make similarity scores to compare an app with the malware families. OK, this is the demonstration I could not show you, but I will explain it quickly. So, this report summarizes some of these extracted data... Can you put it back to the beginning, please? This report summarizes some of these extracted data to help a manual analysis. So, we get basic data like permissions, but more important ones like risky behaviors; we can see there, it's not translated because it's for internal use, so it's in French, sorry; and the table of risky Android API calls.
So, these risky calls are seen two times more in malware than in genuine applications. That's why it's nice to see where they are used in the code. So, when I click on, for example, location service, which is a known behavior detected, I can see where in the code it is used, and when I click on one of these functions I can see the reversed code. So, it's a sort of guided analysis, a starting point. Sorry for the format. It's Windows. Normally we should do it online, but Windows has some... Windows is plug and play but just can't print text correctly. Because we have a direct link between the report and the source code, it is possible then to check whether it is a genuine call, a non-dangerous call, or malware code. So, we have a constant link between the report and the source code. OK. Let's carry on. So... Let's carry on. It's a messy start. Sorry for this. So, let's go on... Yeah. The antivirus works pretty well, but not as I expected, and the reason was that the database of malware applications was too small for being serious in the antivirus game. So, I designed a massive web crawler called Tarantula to download lots of applications, hoping they were malware. So, in reality this subject of gathering samples in the antivirus game is the heart of the matter. It's a subject that is rarely explained or detailed in a research paper, and basically a data mining algorithm needs strong statistics, so a big database. So, how can we gather lots of samples? Several universities share them freely, like North Carolina State University with the Malgenome project and the University of Göttingen here in Germany with the Drebin dataset. Also, some websites share Android malware, like VirusShare and Contagio Dump. Maybe you have heard of it. It's a good starting point but not enough. So, I researched how the antivirus companies get their samples. So, my main guess is that they get the samples from client and user submissions and inter-company exchange, mainly.
Here is a database report; you can see that 70% of the apps they got come from inter-company exchange and something labelled as unknown samples, which are in fact user and client submissions. So, it means you cannot mimic it in a laboratory. So, I designed a crawler called Tarantula which gets samples from the wild: FTP, torrents and alternative markets mainly. I stopped crawling at 280,000 applications, and this is the internal structure of Tarantula, and... can you move on to the next one, please? And the malware discovery in the applications I've got is a work in progress, but I hope I will find lots of malware. The last tool I'm going to present to you is a dynamic analysis one; I called it PanopTest, and it basically monitors almost all communications between an app and the internet, even the encrypted ones. So, at the end of the analysis it generates a graph of network communications to help detect some behaviors in this mess of information. You will see the graph when I present the banking applications. So, I just told you it bypasses SSL. As I control the phone, I put fake certification authorities in the phone, and my phone connects to a fake access point, and basically the SSL requests are intercepted, and the request to the destination server address is sent back to the phone signed by our fake certificate, so the phone actually believes that it is a legit communication.

So, at the present time we have analyzed in detail 27 applications, and of course we are going on and increasing the results, and everything will be made public little by little. So, as you can see, we have at the beginning French banks, but we try to cover all the world, and the next step will be to analyze banks from Asia, because there is a lot of development in banking applications. So, before presenting the four case studies we have identified, in fact I would like to present some statistics which summarize what we have found.
First, if we have a look at permissions, we see that those applications generally are very invasive and they get a lot of access to many internal data in our smartphones or tablets, which is very worrying because they can eavesdrop on a lot of information. But it is probably more interesting if you consider the behaviors. You have here the main behaviors that are involved in the application between the smartphone and the server, and two of them are rather interesting. First, here, it is possible to identify specifically a phone; but if you consider here this percentage, which is rather high, 96% are loading dynamically the content of the app from the web. It means that this content can be legal content, but it can be, on purpose and very specifically, malicious content; it depends whether you trust your bank or not. And here the second behavior which is rather interesting is this: many phones are by now vulnerable to the execution of arbitrary JavaScript instructions. So it means that it is possible, by perverting this and exploiting the fact that many phones are still vulnerable (for the newer versions the number of JavaScript calls that can be executed is limited, but for older versions it is not), to remotely execute possibly malicious JavaScript. Of course, if you are the bank, or if you are an attacker, for example in a man-in-the-middle attack; we will see when a bank is vulnerable to this kind of attack. So I'll show you the thing. Let's get started with the demonstration. The report. I will start with JP Morgan Access, which is the mobile banking app of JP Morgan, and here is the graph of network communication I've told you about just before.
So there is an interesting JSON file received from JP Morgan servers; we can see it there. So the graph shows all the sessions and summarises all communication for a server address, OK, and we can also see all strings that the application sends to a certain host, so it's for finding some data leaks, personal data leaks. So here we can see just two strings are sent; it's either in the arguments of a GET method or in a POST request. So here the application received a JSON file, there. So here we can see "signature". At the beginning I thought it was a bit long for a signature, for authentication for example, so maybe it is an encrypted string. Just after that, I used a tool called APIMonitor to see if, after receiving the string, the app decrypts something. So APIMonitor basically reverses the app, puts functions around the Android calls that we configure, and at runtime dumps the content of the arguments into the logcat, which is the centralized Android log system. So we can see arguments of functions we configure, dynamically. So... can you go back to just before, please? There. It's not very visible, but sorry for this. Here it's the received string, "signature"; it's a little messy, but it's the string I just showed you before, and this is the decryption function used, and these ASCII codes are in fact the argument of the decipher function, and here the result value at runtime. So what I did is I copied the return value and I used just some scripting commands to get a readable string. So here we go, the readable string, there you go. So it's several strings separated by a pattern, and the content of the strings is not very important, because it's the pattern: with this pattern we can search in the code where these strings are used and what the application does. So it's what I did. I cannot show you the code because it's proprietary, so it's just a subset, just to show you what it does. So the string, the response, is parsed with this pattern, and a part of this string is sent directly into a shell command. I
reversed this function, run command. It's not a basic Android function, and if the phone has root privilege, this command executes the argument with root privilege. So basically what it means: it's a remote shell. Why did they do this? At runtime, when you launch the app, they send a command from the website and execute it on your phone. It's a part of a framework that verifies the security of the phone, and a part of this verification is done by sending shell commands to verify if the phone has been infected or so on. But they could have done it differently, for example loading the verification procedure from encrypted assets. But this way of verification leaves the phone vulnerable to arbitrary, targeted commands, because the application sends the IMEI, which identifies one particular device; so if they want, they can send an arbitrary command to a targeted device. So basically we have to consider it as a backdoor.

The next application is BNP Paribas; it's a French application. So let's see the network communication. So here we receive an interesting JavaScript code; it's there in clear text, you can see it, HTTP in clear text. And let's get the JavaScript. So we cannot see, because there is nothing to see here. So this does not seem to be a regular JavaScript function, so maybe this is a JavaScript interface, and JavaScript interfaces in Android are bad: it grants the JavaScript the right to call defined functions of the Java application, but in older versions of Android there was a flaw, and the JavaScript could call arbitrary commands by reflection, so the JavaScript could get a shell, for example, and there are lots of vulnerable phones in use today. So when they do it in clear text, any man-in-the-middle attacker can control the phone, basically. So it is a major vulnerability. So BNP has taken this information and is trying to correct the vulnerability; so it is summarized there.

The next one is a Russian bank, Sberbank, and it's an interesting example, not
because it is vulnerable (it's not vulnerable; it leaks some information), but you will see why it is very interesting. So here, they use an API called Yandex Maps API, and let's see what it sends: Wi-Fi networks, and this is the MAC address of my fake access point used for doing network monitoring. So it dumps all surrounding... it maps the surrounding Wi-Fi networks. So why do they do it? I did some research, and it is in fact used for finding indoor location, and every other operator does it this way; Google Maps does it this way too. And it sends also the SSID of all Wi-Fi networks, and we can see the responses of these calls. So let's try one. No, this is not one; it's a random try, so maybe not the first. OK, yeah, so it sends Wi-Fi networks and the response is "found by Wi-Fi". So they know my Wi-Fi and they get my location with my Wi-Fi. It means that they have my Wi-Fi MAC address in their database. But how do they have all this information? In fact, when you use for example Google Maps, all the time they send all surrounding Wi-Fi networks with your last known GSM location, because GSM cannot locate you precisely indoors. So they map Wi-Fi networks with the last found GSM location; this way they populate their database, and so they can locate other users. So basically they have a database of the world's Wi-Fi networks, wonderful. And it's not especially Yandex; it's Google Maps and other companies that do Wi-Fi location. And it's not the end, because they reimplement the Google Maps API, they do not use it, Yandex; your option for disabling location has just no effect on this application, on Sberbank. So you can disable your location; it tracks your location.

So the last one is Bradesco, a Brazilian bank. In this application some exchanges are sent with this host, web service infomony.com dbair, and in an instantiation there we receive a private key in clear text, there. So what is this private key? I just did some quick research, so basically you take this address, copy... No
internet connection, so I cannot show you, but I will explain it to you. This private key is for accessing the web service of the bank. And this is not over: the application embeds a jQuery JavaScript file, the library, but it is very, very old, from 2010, so there are several vulnerabilities that have been discovered and they are in the CVE database. I did not find a way to exploit these vulnerabilities, but others surely can do it; it is just what I say. Thank you, this is the end of the presentation. I will be pleased to answer your questions, and I will let Eric Filiol conclude.

In fact, it will be a small sample, because 27 apps is a small part of what we intend to cover, but in the forthcoming weeks many details will be published. In fact, we are waiting either for the answer of the bank or for the correction of the problem, and of course if the banks do not answer, we will have to publish, at least in order to make them aware of the problem. So we intend of course to analyze other kinds of apps, because for example games, maybe games are less important than banking of course, but they can leak a lot of data, and we intend to see whether the new version of Angry Birds, for example, still contains many non-desirable functionalities; email clients, security tools, or we have some concern about apps which are supposed to protect our phone but in fact are leaking information and making our smartphones or tablets weaker. So in fact all those tools are still under development, and we intend to put more mathematics in, in order for example to use some advanced techniques in data mining, in order to have a better view and understanding of the different relationships between API calls or internal functionalities. Of course, every time a bank corrects a security issue, we will look afterwards in order to see if they correct the security and the users' privacy as well, because in fact just switching from HTTP to HTTPS, if you don't correct the vulnerability, is not a solution. So we will be very careful
about the respect of the privacy aspect in banking apps. So it is only a small... we are very sorry not to have been able to show all the technical details, but everything will be public as soon as possible. In fact, it is clear that the banking application market is not a very mature market, and of course we have found some vulnerabilities, but as a main aspect, in fact, the users' privacy is not respected: banks are collecting a lot of information that they should not collect and that is not strictly related to the bank account management. So I think that everyone should put a big pressure on developers, and of course maybe it is a dream, but I think that as users and consumers we should ask for more security, and especially regarding privacy and data confidentiality. The main problem was to find and identify contacts in banks; even for French banks, and we are French, it was very, very difficult, and even going through a third-party computer emergency response team; in the banks they are not communicating between themselves, so it's very difficult. So what is interesting: all those apps are as well on the Google Play; it means that Google does not perform any security verification, so don't trust applications on the Google Play, there is no verification. I think that Google has the power, maybe, to enforce some trust policy and to ask for more security. Well, so what's the solution? Once again, if they are available, choose open source apps, but in the banking world it's difficult because it's a closed world, and as a main observation it would be better to prefer local or national banks instead of international banks, because they try to collect a lot of data. So sorry for the problem with the demo, but everything, once again, will be made available as soon as possible, and thank you for your attention.

Thank you very, very much for the insight into this huge ongoing effort. Before taking questions, some practical advice: if there are questions, please line up at the microphones. Some practical advice: you
find all the slides and all the links to the websites on the congress webpage. If you go to the schedule, the Fahrplan, click on the lecture, click on the lecturer's site, you find all the links and even a PDF of all the slides and the links, and it's very well worth the visit. Now I think we wait half a minute until those who want to leave have left the room; those of you who want to ask questions, please line up at the microphones.

It was a bit of a mess at the beginning. It's your first one; you see why plan B is important. Believe an old hand: never work without a plan B. I had Windows; it's lucky that Windows worked, as opposed to Linux, with the video recognition problems. I've done so many conferences that now, if you like, this is the horror. OK.

OK, ask your question. Yeah, I... you had this one slide regarding which apps... Please use the microphone. Yeah, it's one slide, the statistics page, and the second point was, I think, the ability to use plain text communication, use clear text communications. What does it mean exactly? That they could use HTTP but are configured to use HTTPS, or what does it mean? If I have well understood, why do they use HTTP instead of HTTPS? No. Do they use HTTP for sending banking information? No. I have never seen a banking application connecting to the bank account in HTTP. It's the other functionalities, like user tracking and things we have seen like the private key; this private key is not used for connecting to your account, it's used for other services. So your money is pretty safe if they do not choose some backdoor like in the JP Morgan case. OK, but do they check the certificates of the server? There were some lectures last year and the year before on how they all do it wrong and do not check the certificates and SSL connections and stuff. So your question is: is any app trusting all hosts or not doing good SSL? OK, I've seen one app, but it's not an official banking app; it's a bank-account aggregator, I don't know if it exists in English, but in French it
exists; it aggregates lots of banking accounts when you have multiple accounts, and this app was sending the password with SSL communications that trust all hosts, so there was no security at all. But it's the only one case where I've seen a misconfiguration in SSL. OK, so it's not as bad as it sounded on the slide. But in fact the apps which are aggregating several banking applications will probably be a problem in the future, because at the present time we have mainly banking apps alone, but those aggregation applications will have to be monitored; there are only a very few, but the problem will maybe be at that level. Yeah, but this is a whole different problem, right? If you trust your bank to deliver a secure application, that's one thing; if you trust somebody else to do the job of implementing all banking APIs, that's gonna be a tough thing. OK, thank you. OK, next question. We now had quite a few very good examples of horrible practices; which was the best app you found? And to directly add on the question, how do the two German bank apps compare? Ah, the best... I don't know if they are the best applications, but more generally I found that, for example, some national bank in France was good, like Société Générale, and some apps from India were good, but they are not known at the international level. The Commerzbank in Germany was pretty good; the Dutch bank was also quite good. So they were not all horrible, if it can reassure you. Yes, thank you. There is one problem: there are two different points. You have vulnerabilities and security issues, but from a more general point of view you have users' privacy respect; in this case banks may be less respectful of all data. Maybe you don't know the concept of user tracking in websites, or... if you are OK, you know. So each time you click on something, a request is sent to a server: each user has clicked on this, and it stayed each time on this window. So it's like all you do is known and is stored, and some statistics and some behaviors they
can know. Some behaviors, but consumption... it's pretty creepy to me. Thank you. Next question here. Thanks a lot for your work and for presenting it, because it is really interesting. I would like to ask this question: your program does some reverse engineering of the code and you are able to browse the reverse engineered code, but how does it behave when the code is obfuscated, for example with ProGuard, DexGuard, or if the code is developed using the NDK or something like that? The reverse never fails, but the code can be obfuscated. But when you are trying to understand reversed code, you can understand all that happens. The main important thing in an Android application is the Android API calls, which are the functions that the phone provides to access valuable information, so if I can see these functions I basically can see what the application can do, even if there is some junk code here and there; it's not important. And I have never seen an application that obfuscates API calls; it is theoretically possible, but I never saw it. Moreover, static analysis, we all know, has limitations on obfuscation, and nobody can beat all obfuscation. It's OK; that's why we use also dynamic analysis. In fact, when obfuscation is used, this is poor obfuscation; it means that with the tool it is possible to bypass the obfuscation, but if some day we find a very deeply obfuscated application, we will do it by hand. But most of the time the automatic reversing is sufficient in order to bypass very poor obfuscation. Excuse me, what do you mean with bypass? Because when you obfuscate you lose some information, at least to understand some functionalities. At the present time we never found a very obfuscated application, a sophisticatedly obfuscated one; they don't care about protecting the apps. OK, thanks a lot. Well, there's another question on the other microphone. OK, in the beginning of the talk you said you used man-in-the-middle to be able to analyze the SSL communication, but to me it means that the applications should have
understood they are not talking to the bank and should have just stopped communication at all. It's a very interesting question, because BNP Paribas, with its vulnerability, beat my SSL man-in-the-middle. The vulnerability I've discovered is because of a user tracking framework, but I could not connect to their server, because they refused my connection. Why? Because, I think, I'm not sure 100%, but I think they embed their own list of certification authorities and they do not use the system list, so it basically bypassed my system. It happens only with BNP Paribas. Can you repeat, please? It happens with maybe five of the 27 banks, but the banks are more and more careful; some of the banks implement that trick, but not all apps at all. Thank you. More questions? If not, again, you find the slides and the links on the congress website, and keep an eye on it. Thank you very much, gentlemen, for the useful words.