Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Beat Google's Bouncer

Posted by timothy on from the sneak-in-the-back-way dept.

An anonymous reader writes "When earlier this year Google introduced Bouncer — an automated app scanning service that analyzes apps by running them on Google's cloud infrastructure and simulating how they will run on an Android device — it shared practically nothing about how it operates, in the hopes of making malicious app developers' scramble for a while to discover how to bypass it. As it turned out, several months later security researchers Jon Oberheide and Charlie Miller discovered — among other things — just what kind of virtual environment Bouncer uses (the QEMU processor emulator) and that all requests coming from Google came from a specific IP block, and made an app that was instructed to behave as a legitimate one every time it detected this specific virtual environment. Now two more researchers have effectively proved that Bouncer can be rather easily fooled into considering a malicious app harmless."

12 of 44 comments (clear)

  1. pretty easy to fix, though by Trepidity · · Score: 4, Insightful

    It seems like they just found that the sandbox Google simulates the apps in is a little sloppy in its simulation (IP addresses are predictable), so it's easy to tell you're inside the sandbox. But they could fix that part pretty easily.

    Was hoping for something more halting-problem-esque, since it's really difficult to "scan an app for malware" in general.

    --
    10 PRINT CHR$(205.5+RND(1)); : GOTO 10
  2. Meh by oldhack · · Score: 2

    I thought bunch of nerds gave a drubbing to a bouncer at Google-sponsored party. Must be the bad coffee.

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
    1. Re:Meh by localman57 · · Score: 2, Funny

      I thought bunch of nerds gave a drubbing to a bouncer at Google-sponsored party.

      Just out of curiousity, when have a bunch of nerds -- ever -- given a drubbing to a bouncer? (Physical drubbings only please, chicken-shit revenge tactics don't count...)

    2. Re:Meh by somersault · · Score: 2, Informative

      Not all nerds are weak. A guy in my CompSci course actually worked as a bouncer. Really nice guy too - not just someone who was out to beat people up. A bunch of drunken nerds could take a single bouncer if they actually had the motivation. Bouncers tend to have backup though.

      --
      which is totally what she said
  3. Community Relations by schitso · · Score: 5, Insightful

    "Google was aware of and blessed the research, and has been apprised of its results so that it can make changes and better secure Google Play against malicious individuals."

    "A renowned security researcher who claims he discovered a flaw in iOS was kicked out of Apple's iOS Developers program."

    Just sayin'.

    1. Re:Community Relations by Desler · · Score: 2

      Yes, because he didn't apprise Apple of the research beforehand. That makes a pretty big difference than having the company be aware you are doing the research and give its blessing.

    2. Re:Community Relations by crmarvin42 · · Score: 3, Insightful

      My impression was that they kicked him out for submitting the app to the store (for customers to purchase), not for finding the vulnerability. I know it's a bit of splitting hairs, but I suspect no penalty would have occured had he limited his actions to telling apple about the problem. Still think it was a bad response though.

      If Apple wants to seriously engage the security community there ought to be a way for the researchers to submit proof of concept apps to the app store to see if their current review process can catch them (obviously the reviewers would need to be blinded as to the identity of the submitter). They could improve their review process, catch security issues, AND avoid the negative press of booting a developer like this.

      --
      Bureaucracy expands to meet the needs of the expanding bureaucracy.-Oscar Wilde
    3. Re:Community Relations by BonzaiThePenguin · · Score: 2

      He was kicked out for knowingly creating and releasing malware that downloaded malicious code to take control of the user's device, not because he discovered a flaw in iOS. Just sayin'.

    4. Re:Community Relations by Anonymous Coward · · Score: 2, Informative

      Actually, he did. (Assuming we're talking about Charlie Miller). He did several times and was promptly ignored. I'm sure if you google it, you'll find that out real quick.

      Then he made an application that abused said bug silently to prove a point, since nobody was listening.

  4. Hmmmmmmm.... by endus · · Score: 2

    It's almost as though they're trying to achieve security by making information about their service very obscure. Has anyone ever tried this before?

  5. Re:LOL grammar nazis by mcgrew · · Score: 2, Insightful

    Please, STOP FEEDING THE FUCKING TROLLS!!! Ignore them For God's sake, don't quote them!!! Jesus, man, what the fuck is wrong with you? Anonymous troll is at -1 so you gave him a voice! Mods, please downmod every response to the troll, including mine but especially the parent's, who stupidly quoted the racist bullshit. Fucking trollbiters are often as bad as the fucking trolls.

    --
    Free Martian Whores!
  6. "Bouncer" provably cannot win by chithanh · · Score: 2

    The problem that Bouncer is trying to solve (telling whether an app is malicious or not) is otherwise known as program verification. Rice's theorem states that this is undecidable, not totally unlike the Y2K problem. It may even be highly undecidable, so even if Google had a hypercomputer at their disposal, Bouncer would still lose.

    So if Google wants to keep malware out, Bouncer is fundamentally the wrong approach.