Keywords: IT Security, Activity Auditing, Log Management, Logging, Open Source Software
Astract: Activity auditing is the practice of recording activities on a system and later analysing them regarding abuse of the system or for unauthorized activity. Being able to audit a system is also necessary to comply with certain regulations and certifications that restrict system and information usage. An auditor can use the audit log data to verify that the organisations systems, and the information that is stored on them, were used in accordance with the requirements of the relevant regulations. By proving such compliance, auditing not only allows detection of abuse, but also allows the organisation to prove their accountability by showing that they adhere to strict standards. An example where auditing system usage is useful can be found in exercise environments at universities. Various security courses provide exercises where students can try security related tasks on (virtual) machines and experiment with security tools in a controlled environment. Students reach this environment from the internet by using Secure Shell (SSH). This environment may deliberately contain vulnerable services or software for teaching purposes, but students are not allowed to misuse the environment by attacking it or other hosts on the internet. The purpose of this thesis is to develop an activity auditing concept that allows the course administration to track abuse of the environment back to an attacker. To achieve this goal, this thesis uses expert interviews, threat modelling techniques and risk management methods to determine the requirements for an activity auditing solution. It further performs a literature review to supplement the requirements profile. The identified requirements profile is compared with published solutions and, based on the obtained overall picture, an adequate solution concept is created. This concept is then implemented as a proof of concept implementation. The implementation is evaluated and tested to show that the identified requirements are fulfilled. A central element of the concept is the recording of all activities without exception by logging all inand output data that is being transfered via Secure Shell (SSH). The concept records all student activity by recording all inand output data sent over the encrypted SSH connection. The resulting activity audit logs can then be forensically examined and they can be replayed for additional insights. Finally, the work shows if and to what extent the solution concept is fit for use in different environments.

Keywords: web applications, security, model based testing, test data generation, automated testing
Astract: Modern web applications are used in order to communicate with others, to carry out banking transactions, to do shopping, and more. The complexity of these applications contributes to the increasing number of security vulnerabilities found, which endangers not only the data of users, but also the business of companies operating the applications. A technique to make applications more secure is security testing. Since a large number of vulnerabilities is caused by unanticipated input, security testing requires submitting large amounts of possibly dangerous input to an application. Thus, it is desirable to automate this process. In this thesis, a framework for test data generation designed for both functional testing and security testing will be designed and implemented. It uses a model-based approach: The structure of an application is expressed by a tester in a test model. Security professionals create application- independent, reusable testing strategies, which can then generate test data for a model. The framework is evaluated by conducting a proof-of-concept. A simple security test data generation strategy is implemented. An open source application containing known vulnerabilities is selected. Functional tests are performed on this application. The models created for the functional tests are then reused for performing security tests using the implemented strategy. These tests found three potential security vulnerabilities and two bugs in the application. The contributions of this thesis are as follows: First, the framework separates the concerns between testers, who create test models based on their domain knowledge, and security professionals, who implement test data generation strategies. Second, the framework provides opportunities for code reuse, since it is suitable for both functional and security testing. Third, it allows to perform security testing earlier in the development lifecycle, since security tests can be performed as soon as models have been developed.

Keywords: Android, mobile apps, IT-security, data privacy, data security, medical- & health-apps, IT-security analysis
Astract: Especially data privacy and app security are challenges of mobile technologies. Recently, the number of reports that deal with data leakage and exploits is increasing constantly and the difficulties of these challenges are frequently addressed in political and legal discussions. Within these dis- cussions, sensitive data like financial-, medical- or other datasets with personal identification are of particular importance. This diploma thesis sets a focus on the protection of such datasets, since an increasing number of mobile applications utilize such data. In order to gain an insight in the level of data security of current mobile applications, an overview on basic security principles and mechanisms is given. In respect to the distribution of market shares in operating systems for smartphones, a focus is set on Android, the leading software system. At the beginning of this thesis, basic principles of IT-security and the architecture of the Android operating system are discussed. Based upon this basic principles, critical threats and risks for Android systems are presented and a concept for testing the data security of Android apps in the medical & health-related category is elaborated. Finally, a set of 5 applications, that are obtained within Google’s Play Store and are free of charge, is tested against the given concept. During the analysis of the chosen apps, several potential weaknesses and vulnerabilities of both, the apps and their backends, are discovered. An example for an uncovered weakness of an App is a lack in the implementation of mechanisms that provide a reliable protection against advanced man-in-the-middle attacks like certificate pinning. Another finding of this thesis is an uncovered vulnerability on the backend of a popular Android app. The web interface, that is used by the app to store and retrieve user databases, left the server prone to brute force attacks. A successful attack would potentially empower an attacker to obtain an unencrypted, full-featured copy of such a stored user database. Starting from the results of the conducted analysis, several approaches lead to further work. One possible course would be the deepening of the practical analysis by adding a detailed static and dynamic code analysis to the testing concept that is elaborated within this thesis. A different approach for further work could focus on designing mandatory guidelines and rulesets for the development of mobile applications that need to be fulfilled to gain permission for publishing a mobile app on Google’s Play Store. Furthermore, the extension of the analysis in terms of operating systems would be another example for a further work. Such research could apply the testing concept onto different mobile operating systems and strive for a meta-analysis. The results of such an analysis could be used to create a universal statement of data security across multiple mobile systems.

Keywords: IT security, methodology, Android, mobile malware, static analysis, dynamic analysis
Astract: For decades malware has been a threat to many software systems and their users. Until today, no generically applicable scheme exists to protect these systems from malware. The first known malware to be considered a threat to mobile devices was Android.FakePlayer, which was circulated by cyber criminals in 2010. Similar to the desktop versions of Windows, Android became the primary target of malware on mobile devices due to its dominant market share of 87.6% as documented in IDC [73]. In contrast to notebooks and desktop computers, smartphones have become our everyday and all-day companion for accessing and managing our digital life. Due to this strong tie between human and machine, personal, secret and even sensitive data is stored on these devices. Doubtlessly this fact makes them primary targets for cyber criminals and their malicious software. Both industrial and research communities try to solve this issue by developing automatic malware detection systems, but often research results are unsuitable for real-life application and industrial approaches are fault-prone and do not provide comprehensive protection. Manual analysis, executed by skilled professionals, is needed to drive and support the development of malware countermeasures, deconstructing malicious software to show its goals and internal mechanisms. Furthermore, the result of such analysis helps to judge imminent risks and provide possible solutions to limit hazards. This thesis elaborates on appropriate techniques and tools to analyze Android malware. Android protection schemes are derived from generic state-of-the-art malware analysis approaches. Also, known malware and anti-virus characteristics are discussed to form an appropriate mindset for malware analyses. The discussion of different obfuscation strategies shows the complexity of malicious mobile applications and identifies techniques that are used by malware authors to hinder analyses. To ensure an efficient and goal-oriented approach, this thesis suggests ways to combine techniques into an Android malware analysis methodology, which is derived from existing analysis models. This methodology allows an efficient and structured analysis without restricting the usage of creative approaches. To conclude the thesis, a case study on the analysis of Android.FakePlayer demonstrates the practice-oriented application of the methodology described.

Keywords: Smartphones, Security, Near Field Communication, Secure Elements, Secure Element Evaluation Kit, Relay Attacks, Privilege Escalation, Mobile Payment
Astract: Mobile phones have been part of our daily use for many years, evolving from devices providing basic voice communication to modern smartphones, which offer a feature-rich, highly customizable platform as well as comprehensive connectivity such as in the case of Near Field Communication. This technology opens the way to new applications like digital wallets, electronic tickets and access control systems. Actual applications of these use cases may involve storage and handling of confidential data such as cryptographic material, authorization codes or payment-related balances, which are to be protected from disclosure or unauthorized modification by all means. Secure Elements (SEs) provide an isolated, secure environment to operate on this kind of sensitive information inside untrusted devices. This thesis discusses hardware and software-based features in modern smartphones regarding secure storage and processing of sensitive information on SEs. A primary focus of this work are security design flaws found in Secure Element Evaluation Kit (SEEK), an application framework providing limited access to secure elements in smartphones running the Android operating system. These flaws may give an attacker unrestricted access to any SE managed by SEEK. An exploit for one of the flaws in SEEK, running on an unmodified Android-based smartphone, is presented, giving a potential attacker full control of SEEK and its access control mechanism. The same vulnerable device is then used to perform a mobile payment transaction in a relay attack setup over Bluetooth and mobile networks to demonstrate the risks of these new technologies.