
Researchers Beat Google's Bouncer

timothy posted more than 2 years ago | from the sneak-in-the-back-way dept.

Google 44

An anonymous reader writes "When earlier this year Google introduced Bouncer — an automated app scanning service that analyzes apps by running them on Google's cloud infrastructure and simulating how they will run on an Android device — it shared practically nothing about how it operates, in the hope of making malicious app developers scramble for a while to discover how to bypass it. As it turned out, several months later security researchers Jon Oberheide and Charlie Miller discovered — among other things — just what kind of virtual environment Bouncer uses (the QEMU processor emulator) and that all requests coming from Google came from a specific IP block, and made an app that was instructed to behave as a legitimate one every time it detected this specific virtual environment. Now two more researchers have effectively proved that Bouncer can be rather easily fooled into considering a malicious app harmless."


LOL grammar nazis (-1)

Anonymous Coward | more than 2 years ago | (#40791853)

This is cause Google is full of nigerfagets. This is why you should not of trusted them with you're privacy and security. Its a fucking owneasy it was to bypass this.

Re:LOL grammar nazis (-1)

cpicon92 (1157705) | more than 2 years ago | (#40792105)

Its a fucking owneasy it was to bypass this.

What on earth does that mean?

Re:LOL grammar nazis (0, Flamebait)

Stormthirst (66538) | more than 2 years ago | (#40792145)

Apparently spelling isn't your forte either. And I'm not even going to get started on how much of a racist piece of shit you are.

Re:LOL grammar nazis (-1, Offtopic)

Dishevel (1105119) | more than 2 years ago | (#40793697)

This is cause Google is full of nigger faggots. This is why you should not have trusted them with you're privacy and security. Its a fucking owneasy(not sure how to even begin to fix this). it was to bypass this.

Fucking idiot troll is fucking idiot.

Re:LOL grammar nazis (2, Insightful)

mcgrew (92797) | more than 2 years ago | (#40794679)

Please, STOP FEEDING THE FUCKING TROLLS!!! Ignore them For God's sake, don't quote them!!! Jesus, man, what the fuck is wrong with you? Anonymous troll is at -1 so you gave him a voice! Mods, please downmod every response to the troll, including mine but especially the parent's, who stupidly quoted the racist bullshit. Fucking trollbiters are often as bad as the fucking trolls.

Re:LOL grammar nazis (-1, Flamebait)

Dishevel (1105119) | more than 2 years ago | (#40795359)

You mad bro?
Seriously. Calm the fuck down. You should spend your time browsing at +5. Then you will not have to see any of this.
Of course it is not nearly as much fun as screaming at people. I read at -1. I comment when I feel like it.
There are a plethora of tools available to you so that you do not have to see my comments. Use them.
Or, you can scream at me because I am not commenting the way you want me to.
Let me be real clear.
I did not come here to please mcgrew. Nor do I care if you are pleased or not by my comment.

pretty easy to fix, though (4, Insightful)

Trepidity (597) | more than 2 years ago | (#40791867)

It seems like they just found that the sandbox Google simulates the apps in is a little sloppy in its simulation (IP addresses are predictable), so it's easy to tell you're inside the sandbox. But they could fix that part pretty easily.

Was hoping for something more halting-problem-esque, since it's really difficult to "scan an app for malware" in general.

Re:pretty easy to fix, though (1)

TheLink (130905) | more than 2 years ago | (#40792265)

Yeah it's harder than solving the halting problem. In theory the halting problem is impossible, but at least with the halting problem you are provided with the full accurate description of the program (the program and complete inputs).

Whereas with the "is this malware" problem you're not.

One workaround is sandboxing. From the "halting problem" perspective, sandboxing would be like setting a time limit so that all programs will halt by a certain time.

Re:pretty easy to fix, though (0)

Anonymous Coward | more than 2 years ago | (#40793799)

What I am surprised at is Google overlooking such a uniquely identifiable thing as an IP in a simulation.

Oh well, at least it was found now. Let's hope that is all that can be identified inside of it.

Re:pretty easy to fix, though (1)

sourcerror (1718066) | more than 2 years ago | (#40800227)

I don't think searching for malware is equivalent to solving the halting problem. E.g. for a game it's enough to check where it wants to write; if it wants to write outside of its own directory, then it raises red flags. Basically it's enough to analyse what kind of APIs it uses. (The OS sandbox should provide an API that jails your writes to a certain directory.)
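The "jail your writes to a certain directory" idea above is simple to state and easy to get wrong: a naive prefix check on the requested path misses `..`, absolute paths, and symlinks that point out of the directory. The function below is an added example, not code from the comment or from any Android sandbox; it resolves the requested path against the jail root and only accepts it if the resolved result is still under the root. The demo builds a throwaway directory layout (constructed for the example) with a symlink that escapes, to show each case being rejected.

```python
import os
import tempfile


def resolve_inside(root, requested):
    """Resolve `requested` (relative to `root`) and return its absolute path if
    it stays under the jail, else None.

    realpath() follows symlinks and collapses "..", so the comparison is done
    on what the filesystem would actually open, not on the string the caller
    supplied. commonpath() is used instead of str.startswith() so that a
    sibling such as "/srv/jail2" is not mistaken for being inside "/srv/jail".
    """
    if os.path.isabs(requested):
        return None                      # the jail decides the base, not the app
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


def demo():
    """Constructed layout: jail/saves/slot1.dat plus jail/escape -> outside."""
    with tempfile.TemporaryDirectory() as outside, \
            tempfile.TemporaryDirectory() as jail:
        os.makedirs(os.path.join(jail, "saves"))
        with open(os.path.join(jail, "saves", "slot1.dat"), "w") as fh:
            fh.write("ok")
        os.symlink(outside, os.path.join(jail, "escape"))

        ok = resolve_inside(jail, "saves/slot1.dat")
        return {
            "normal_accepted": ok is not None and ok.endswith(
                os.path.join("saves", "slot1.dat")),
            "dotdot_rejected": resolve_inside(jail, "../secret") is None,
            "nested_dotdot_rejected":
                resolve_inside(jail, "saves/../../secret") is None,
            "absolute_rejected": resolve_inside(jail, "/etc/passwd") is None,
            "symlink_escape_rejected":
                resolve_inside(jail, "escape/loot.txt") is None,
            # Traversal that ends back inside the jail is fine.
            "dotdot_back_inside_accepted":
                resolve_inside(jail, "saves/../saves/slot1.dat") is not None,
        }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: {'ok' if passed else 'FAIL'}")
```

Two caveats a real sandbox has to handle beyond this check: the app can race the check by replacing a path component with a symlink after `realpath()` ran (mitigated by opening with `O_NOFOLLOW`/`openat` relative to a held directory descriptor rather than by path string), and the policy only covers writes the app makes through the jailed API, which is why the comment's point about analysing which APIs an app uses matters.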

Meh (2)

oldhack (1037484) | more than 2 years ago | (#40791885)

I thought a bunch of nerds gave a drubbing to a bouncer at a Google-sponsored party. Must be the bad coffee.

Re:Meh (2, Funny)

localman57 (1340533) | more than 2 years ago | (#40791959)

I thought a bunch of nerds gave a drubbing to a bouncer at a Google-sponsored party.

Just out of curiosity, when have a bunch of nerds -- ever -- given a drubbing to a bouncer? (Physical drubbings only please, chicken-shit revenge tactics don't count...)

Re:Meh (2, Informative)

somersault (912633) | more than 2 years ago | (#40792141)

Not all nerds are weak. A guy in my CompSci course actually worked as a bouncer. Really nice guy too - not just someone who was out to beat people up. A bunch of drunken nerds could take a single bouncer if they actually had the motivation. Bouncers tend to have backup though.

Re:Meh (1)

oldhack (1037484) | more than 2 years ago | (#40792443)

That's why it would be news, dumb-dumb.

Re:Meh (1)

SilentStaid (1474575) | more than 2 years ago | (#40794499)

As the global telecom guru for a Fortune 500 I max my bench at 350 while weighing 170 and I've just recently got my squat to 505. Some people geek out over numbers in D&D and some geek out over what an extra 2g of glutamine will do in a post workout drink.

Let's grow up, shall we? /rant

Community Relations (5, Insightful)

schitso (2541028) | more than 2 years ago | (#40791925)

"Google was aware of and blessed the research, and has been apprised of its results so that it can make changes and better secure Google Play against malicious individuals."

"A renowned security researcher who claims he discovered a flaw in iOS was kicked out of Apple's iOS Developers program."

Just sayin'.

Re:Community Relations (2)

Desler (1608317) | more than 2 years ago | (#40792037)

Yes, because he didn't apprise Apple of the research beforehand. That makes a pretty big difference from having the company be aware you are doing the research and give its blessing.

Re:Community Relations (2, Informative)

Anonymous Coward | more than 2 years ago | (#40793809)

Actually, he did. (Assuming we're talking about Charlie Miller). He did several times and was promptly ignored. I'm sure if you google it, you'll find that out real quick.

Then he made an application that abused said bug silently to prove a point, since nobody was listening.

Re:Community Relations (0)

Anonymous Coward | more than 2 years ago | (#40793957)

Actually, he did. (Assuming we're talking about Charlie Miller). He did several times and was promptly ignored. I'm sure if you google it, you'll find that out real quick.

Then he made an application that abused said bug silently to prove a point, since nobody was listening.

If you ask for permission to do something and get no response, do not be surprised when people treat you as not having had permission when you do it anyway.

Re:Community Relations (3, Insightful)

crmarvin42 (652893) | more than 2 years ago | (#40792097)

My impression was that they kicked him out for submitting the app to the store (for customers to purchase), not for finding the vulnerability. I know it's a bit of splitting hairs, but I suspect no penalty would have occurred had he limited his actions to telling Apple about the problem. Still think it was a bad response though.

If Apple wants to seriously engage the security community there ought to be a way for the researchers to submit proof of concept apps to the app store to see if their current review process can catch them (obviously the reviewers would need to be blinded as to the identity of the submitter). They could improve their review process, catch security issues, AND avoid the negative press of booting a developer like this.

Re:Community Relations (1)

swillden (191260) | more than 2 years ago | (#40792853)

My impression was that they kicked him out for submitting the app to the store (for customers to purchase), not for finding the vulnerability.

As did the guys who were testing Bouncer. They put an SMS blocker app on the Google Play Store and repeatedly updated it, adding more malicious behavior each time.

Re:Community Relations (2)

BonzaiThePenguin (2528980) | more than 2 years ago | (#40792131)

He was kicked out for knowingly creating and releasing malware that downloaded malicious code to take control of the user's device, not because he discovered a flaw in iOS. Just sayin'.

Re:Community Relations (1)

Anonymous Coward | more than 2 years ago | (#40793335)

He was kicked out for making Apple look bad by allowing any security flaw ever to become public

That's what they want you to think (0)

cellocgw (617879) | more than 2 years ago | (#40791945)

Actually any malware that's "smart" enough to fool Bouncer is left alone while the NSA, FBI, and MPAA are alerted. Black helicopters full of hot women in black latex arrive...

Re:That's what they want you to think (0)

Anonymous Coward | more than 2 years ago | (#40792227)

Hot women in black latex arrive?

[cracks open Android dev kit, begins coding...] ...
if ( isInGoogleIPAddressBlock(testIPAddr) == true ) { ...
} ...

News Flash (0)

thePowerOfGrayskull (905905) | more than 2 years ago | (#40792023)

News Flash: Any automated security system can be beaten.

In further news, using technology to secure against technology is only as effective as the minds behind it.

Tune in at 11.

And what would Apple's response have been? (-1)

Anonymous Coward | more than 2 years ago | (#40792073)

Apple would have their private security^H^H^H^H the police bust their door down and haul them off for deigning to offend the precious iShit. Nice job on Google's part to not reduce themselves to that level!

Require signed apps? (1)

bhlowe (1803290) | more than 2 years ago | (#40792085)

Running unsigned apps on a smart phone is just plain stupid. Why not just require Android apps to be signed by a revocable certificate.. Charge at least $100 to get the certificate.. and then reward the malware-free app developers with a credit of at least $100 to cover the certificate cost.

Re:Require signed apps? (1, Troll)

h4rr4r (612664) | more than 2 years ago | (#40792541)

They already do that, unless the user decides to turn it off.

Any other ideas you want to share that are already in use?

Re:Require signed apps? (1)

stanlyb (1839382) | more than 2 years ago | (#40792995)

How will running signed apps help you against a corrupt government? You remember MS and some "safe" certificates used by some "safe" viruses???

Re:Require signed apps? (1)

bhlowe (1803290) | more than 2 years ago | (#40795001)

Yes, the gubmint will be able to sign code and spy on you. And your point? Required signing would certainly help with malware, as the cost to produce and maintain a fresh supply of certs will be costly and will allow instant removal from the phone. And with a certificate, you can learn more about an app vendor--see if they appear legit or shady.

Re:Require signed apps? (1)

stanlyb (1839382) | more than 2 years ago | (#40796985)

With malware I could fight. But with a corrupt government I am helpless.

Why not mandatory open source? (0)

Anonymous Coward | more than 2 years ago | (#40792559)

If they want secure apps in their stores, why don't they just demand that app salesmen provide the source so that everyone can inspect it? They have the clout to do it, and it's not like any phone apps are going to contain any super-secret algorithms that must be kept secret for economic reasons.

Re:Why not mandatory open source? (1)

jekewa (751500) | more than 2 years ago | (#40794331)

Of course it's because of the slew of people who wouldn't bother paying for apps they could build and install themselves. Or those who would take it for their own, fork it, make it better, make it worse...

Surprised??? (0)

stanlyb (1839382) | more than 2 years ago | (#40792975)

Lets see what we have:
1. Inside Google - A bunch of college boys (no girls, as they are not smart enough for google), very, extremely good at solving entry interview quiz and questions, but extremely poor and incompetent at actually doing what they were hired to do, DEVELOPING.
2. Outside Google - A bunch of software developers, usually old, with a lot of experience, some of them even PhD, and who are actually DEVELOPING a software that google buys, because their bunch is so incompetent...
So to summarize it:
SURPRISE. The guys outside always outwit the boys inside.

Re:Surprised??? (0)

Anonymous Coward | more than 2 years ago | (#40796681)

What are you trying to say? Because, interestingly, your post neither qualifies as serious nor sarcastic.

Re:Surprised??? (1)

stanlyb (1839382) | more than 2 years ago | (#40797005)

That the researchers exploited some development decisions made by Google's stupid employees. Stupid, because it is pretty easy to avoid them. And why did they make these stupid mistakes? I do believe that I did answer that question.

In soviet russia... (0)

Anonymous Coward | more than 2 years ago | (#40793523)

Bounced googles you!

Hmmmmmmm.... (2)

endus (698588) | more than 2 years ago | (#40794153)

It's almost as though they're trying to achieve security by making information about their service very obscure. Has anyone ever tried this before?

it's another layer (1)

Chirs (87576) | more than 2 years ago | (#40796025)

As long as you know what you're doing, obscurity can work just fine as another layer of protection.

The problem is that most people choosing obscurity aren't secure to start with, so it's the *only* layer of protection.

This is the best approach to security... (1)

Ghjnut (1843450) | more than 2 years ago | (#40795369)

Google was aware of and blessed the research, and has been apprised of its results so that it can make changes and better secure Google Play against malicious individuals.

2 big mistakes (1)

GameboyRMH (1153867) | more than 2 years ago | (#40795391)

1 - not using random proxies
2 - not going out of their way to make the VMs look like real machines. This is already a problem with PC viruses, many of them are designed not to infect a VM to slow analysis.

"Bouncer" provably cannot win (2)

chithanh (1921670) | more than 2 years ago | (#40796533)

The problem that Bouncer is trying to solve (telling whether an app is malicious or not) is otherwise known as program verification. Rice's theorem states that this is undecidable, not totally unlike the Y2K problem. It may even be highly undecidable, so even if Google had a hypercomputer at their disposal, Bouncer would still lose.

So if Google wants to keep malware out, Bouncer is fundamentally the wrong approach.

ROFLMAO (0)

Anonymous Coward | more than 2 years ago | (#40797469)

Pawned.
