- What was the scope of work to be implemented in the mobile app?
- Meeting the business goal of the mobile application
- How did we identify suitable Android integrity packages?
- Intercepting and blocking packets
- Library compilation in a mobile application
- Implementation of nDPI library in Android
- Mobile application security in the hands of specialists
Tech leaders often say that absolute security does not exist. Instead, it represents a set of measures, accumulated and combined, to slow down the inevitable.
Application security is a key issue in data control. Therefore, developers go to great lengths to build secure applications by preventing hackers from circumventing security features. For this purpose, it is crucial to provide users with advanced security and privacy controls.
These measures include, for example, the practices we used in projects with RAW CYBER, where we worked to provide a highly secure cellular system that protects against attacks and the disclosure, eavesdropping, or alteration of data. We created an Android smartphone security system that is highly secure but still has standard smartphone features. One of the main goals was to create an entire ecosystem of secure applications served from an internal app store.
According to RAW's managing director, "We were looking for a company we could trust to handle the project, which is primarily R&D but also be able to handle the entire project, including UI/UX design, mobile & web development, custom OS development, and testing."
What was the scope of work to be implemented in the mobile app?
The project aims to create a secure operating system for government officials or corporate clients that keeps most of the benefits of standard mobile operating systems, such as an app store and data synchronization.
The project also required designing and implementing an area for administrators, where they could add applications to the store located in the "safe phone", manage permissions, and check information about, e.g., potential attack attempts.
Technologies used in the implementation of the safety library
Meeting the business goal of the mobile application
The business requirement behind implementing the nDPI library was full packet inspection: in addition to basic IP and URL verification, we could include a library that lets us filter packets on the fly according to predefined rules.
The idea was not to break the structure of the nDPI library itself but to integrate it natively into the Android OS architecture. It is the last line of defense, detecting malware communication with suspicious C&C (command and control) servers.
The following graphic shows what we set out to accomplish. An incoming packet arrives; we wanted to identify its protocol or application, apply rules, and then decide whether the packet will be allowed for subsequent packet processing on the phone.
It proved to be a challenge because of the difficulty of finding, analyzing, and classifying network traffic packets in Linux, the low-level cross-compiled implementation, and the overall Android architecture. The challenge touched many areas and domains, so many people had to work on it, from packet analysis and classification to how traffic is handled in Linux, which is virtually identical to Android. The implementation was very low-level, so we modified existing sources, added our own libraries in C++, and used external libraries (cross-compiling). Working on the Android architecture, we used machine learning.
How did we identify suitable Android integrity packages?
We started the work from the middle of the project. We decided to begin with packet analysis because it was potentially the most challenging thing we wanted to do. We started searching and eventually decided to implement Deep Packet Inspection. We found an up-to-date and actively developed library, nDPI, which in 2012 was taken over and extended from another library. It works by analyzing multiple packets, on the basis of which a decision can be made. The clear code of this library allows further development, while the fact that packet handling and the ability to block traffic are not part of the library promotes security.
Packet expansion itself is not part of the implementation of this library; we added it. We wrote a number of our own tests to verify the operation of the library. The example in the following graphic shows the recognition of packets belonging to the Skype application (of course, the code is a little longer).
Intercepting and blocking packets
For interception itself, we use libraries that work with kernel modules in Linux, namely NETFILTER, NFQUEUE, and CONNTRACK. These libraries are freely available under an open-source license. They are mainly responsible for reading the packets from the queue and marking whether each packet will be blocked or not.
As for the packet handling itself, we added a lot of our own implementation for packet capture and for passing packets on to the nDPI library. For the blocking itself, we relied on IPTABLES with the CONNMARK and NFQUEUE modules.
This means that each packet is sent to a queue that we handle. In the target implementation, we operate on four queues, and any packet that has been marked "1" is discarded. The diagram shows the general implementation; the blocking itself happens in the Network layer.
Library compilation in a mobile application
When deciding how to implement these libraries, and given that this was an R&D solution, we looked at performance. Knowing that not all libraries would be compiled during the Android build, we decided to set up Docker with the Android NDK pre-installed. We then made changes to 6 libraries.
Not all libraries had properly prepared configurations for compilation, so we had to make some changes manually to make them depend on our own changes. Finally, we built our own set of libraries, in 32-bit and 64-bit versions, which are used to collect, analyze, and block (if required by the rules) packets.
Implementation of nDPI library in Android
You can see a summary of the library implementation and operation in the graphic.
Framework layer implementation
Raw Management is an integral part of the system that communicates with the framework layer and retrieves the system settings for blocking network traffic. Importantly, this application is also responsible for notifying the user that something is wrong with the phone and that there is suspicious traffic in the background.
We implemented the DPI service in the framework layer because we needed to communicate with the lowest, native layer. There, a RAW ML trained model classifies whether a packet retrieved by our nDPI service is malicious or not. To support this, we added our own configurations for communicating with services, our own API, and the ability to start the nDPI library together with the phone. We went this low in the Android architecture because we care about the performance and high scalability of the system.
Implementation in the native layer
In the native layer, we built a set of tools written in C and C++, including a basic DPI module through which we communicate with the native layer in Android. We also implemented analysis for blocking network traffic, which checks in real time, as traffic passes through our rules, whether it is safe or not. All this is done so that users do not notice any disturbance in the background and feel safe.
Some of the ways to block:
- Regex links checked for maliciousness
- Blocking by predefined URLs
- Potentially dangerous keywords
- Blocking by application protocol, e.g., we can block Skype, FB, WhatsApp
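The blocking methods listed above can be combined into a single verdict that yields the packet mark ("1" means discard) described in the interception section. The following is an added example, not RAW's code: the `flow` structure, the function names and all rule values are hypothetical and constructed for illustration.

```c
#include <regex.h>
#include <stddef.h>
#include <strings.h>

enum { MARK_ALLOW = 0, MARK_BLOCK = 1 };  /* "1" = discard, as in the article */

/* Hypothetical per-flow summary produced after DPI classification. */
struct flow {
    const char *app_proto;  /* e.g. "Skype"; NULL if not yet classified */
    const char *url;        /* host + path; NULL for non-HTTP traffic   */
};

/* Constructed sample rules, one array per blocking method. */
static const char *blocked_protos[] = { "Skype", "WhatsApp" };
static const char *blocked_urls[]   = { "files.example.invalid/update.bin" };
static const char *url_patterns[]   = {
    "^[a-z0-9-]+\\.example\\.invalid/gate\\.php",  /* regex rule   */
    "keylogger"                                    /* keyword rule */
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Case-insensitive POSIX extended regex match. A pattern that does not
 * compile counts as a hit (fail closed). A production service would
 * compile each pattern once at rule load instead of per packet. */
static int regex_hit(const char *pattern, const char *url)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0)
        return 1;
    int hit = regexec(&re, url, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

/* Returns the mark to attach to the packet's connection. */
int verdict_mark(const struct flow *f)
{
    size_t i;
    if (f->app_proto)                       /* block by application protocol */
        for (i = 0; i < COUNT(blocked_protos); i++)
            if (strcasecmp(f->app_proto, blocked_protos[i]) == 0)
                return MARK_BLOCK;
    if (!f->url)                            /* no URL extracted: nothing more to check */
        return MARK_ALLOW;
    for (i = 0; i < COUNT(blocked_urls); i++)   /* predefined URLs */
        if (strcasecmp(f->url, blocked_urls[i]) == 0)
            return MARK_BLOCK;
    for (i = 0; i < COUNT(url_patterns); i++)   /* regex and keyword rules */
        if (regex_hit(url_patterns[i], f->url))
            return MARK_BLOCK;
    return MARK_ALLOW;
}
```

The protocol check runs first because a classified flow may carry no URL at all, so the URL-based rules have to tolerate a missing field rather than dereference it.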
Implementation of network traffic analysis in RAW OS
Mobile application security in the hands of specialists
Currently, we are still working on the security of mobile systems. From the beginning, the main challenge in the project was the core of the whole project, which was the operating system. Considering how many activities of mobile phone users are connected with sensitive data such as photos, personal data, passwords, access to banks, providing high-class security is more important than ever. We welcome the opportunity to implement such a level of protection so that the user of the phone we provide feels safe.