This is the demo website for the Euro S&P submission "Open Ports for Bob and Mallory: Open Port Usage in Android Apps and Security Implications".

Demo references:

| Name | Description | Reference |
|------|-------------|-----------|
| Attack demo 1 | Threat model #1: On-device malware | Sec. 2 & Sec. 6 |
| Attack demo 2 | Threat model #2 and #4: Attacker from the network | Sec. 2 & Sec. 6 |
| Attack demo 3 | Threat model #3: Malicious script on the web | Sec. 2 & Sec. 6 |
| Attack demo 4 | Attacking AirDroid: Authentication hijacking attack | Sec. 7 par. 5 |
| Defense demo | SecureServerSocket: Protecting physical proximity usage | Sec. 7 par. 6 |

Note that we have reported all the vulnerabilities in those open port apps shown in the demos to the corresponding developers. 

Demos overview:
  • Threat models:
    • On-device malware:
      • Attack Demo 1: stealing photos with on-device malware that requires only the Internet permission
    • Attacker from the network:
      • Attack Demo2: network attacker scans for victim devices and steals photos. 
    • Malicious script on the web: 
      • Attack Demo 3: forcing the victim device to send premium-rate SMS with one click.
  • Attacking AirDroid (www.airdroid.com)
    • Attack Demo 4: Hijacking the authentication process of a legitimate client
      • CVE-2016-5227
      • Vulnerability patched by the manufacturer
  • Proposed Defense:
    • Defense Demo: protecting physical proximity usage using SecureServerSocket