Research method
A mixture of research methods is used, chosen to strengthen the results. The objectives and methodologies were analysed and designed as set out in 2.1 Steps in the Research Process (Sreejesh et al., 2014).
The first method is a case study of two Android applications currently available on the Google Play Store.
The applications will be trialled and examined to review whether the developers have managed to circumvent the inbuilt permissions and security features of either the Android framework, the Google APIs, or both. This is a functional review of the applications in use, carried out by observing and studying their behaviour on an Android device. If the applications exploit a zero-day vulnerability, the project continues with a technical analysis of the application code, which involves decompiling the applications and examining the resulting source code.
Depending on the results of the first method, if no exploit is found, an attempt will be made, in the role of a white-hat hacker, to write a program that hacks the framework to gain access to private user data (Al-Sharif, Iqbal, Baker, & Khattack, 2016; Schumacher).
Data collection methods
- Examine two applications currently on the Google Play Store by downloading and installing them onto a local device.
- Screenshot every stage of installation and use the screenshots to document the relevant permissions and security notifications.
- The test Google account must have bought a paid application from the Google Play Store and made an in-app purchase within that application, so that the account holds personal data that an application could collect.
- If the applications access the private data, try to decompile the applications and examine their source code.
- If the prior methods yield negative results, try to write a program (potential malware) that can circumvent the inbuilt permissions and security of both the Android framework and the Google APIs.
Ethical Issues and Compliance Requirements
Ethical issues
Investigating security vulnerabilities leads to many ethical dilemmas.
Discovering, and even more so writing, a program that exploits a zero-day hole potentially leads not only to unethical behaviour but to unlawful behaviour.
The Issues
- Using the program to hack into a third party's account and obtain private information.
- Publishing such a program in the public domain.
- Potential damage to devices.
- Public examination of specific applications.
- Making potentially libellous statements against developers.
Compliance
- All Google accounts and devices used for testing must belong to the researcher, not to third parties.
- The researcher guarantees to inform Google of any zero-day exploits found as a result of this research.
- The researcher guarantees to keep any zero-day exploits found confidential until Google patches the security holes.
- Protecting confidentiality (Runeson & Höst, 2008).
- Anonymize the applications and developers unless there is a proof of concept.
Seek legal advice before making any confidential details known.
Analysis of data
Access to private account information by these applications will serve as a proof of concept that there is a security flaw, as hypothesized.
Failure to hack the permissions and security features of these platforms within this project does not mean