Android Security #1. Prabhaker Mateti A frst lecture on Android Security, assuming familiarity with Android Internals.

Size: px

Start display at page:

Download "Android Security #1. Prabhaker Mateti A frst lecture on Android Security, assuming familiarity with Android Internals."

Warren Freeman
5 years ago
Views:

1 Android Security #1 Prabhaker Mateti A frst lecture on Android Security, assuming familiarity with Android Internals.

2 Pwned Pwn is a leetspeak slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership Your Android device is now pwned by me A real possibility in 201x. Not because it was stolen. Through malware. Anything you can 2

3 No 100% Secure Devices Exist 1. Every OS in use today has 1000s of bugs. 2. No software longer than 1000 SLOC is bug-free 3. TCP/IP suite designed without security as a goal. 4. State of the Art: Do not know how to develop without security holes 5. Ability to exploit these holes is increasing. 3

4 Screen Lock, Enable Screen Lock Slide Connect the Dots (Pattern) PIN Password Face Unlock Finger print All exploited already Security Settings Apps from Unknown Device Admins Verify Apps Trusted CA SMS limit per minute Install a Stolen Device Location App Kill switc 4

5 Labeling People Hacker One who programs enthusiastically (even obsessively) or who enjoys programming rather than just theorizing about programming. Noobie Whitehat Whitehats are the "good" guys. They Attackers Script kiddies A script kiddie is an unskilled individ ual who uses scripts or programs developed by others to attack computer systems. Blackhat Blackhats are the "bad" guys in that they use their 5

6 Security/Privacy of Android Devices All the security/privacy issues of Mobile Computing Linux OS Specifc to the Android Application framework AndroidManifest.xml Activity, Service, Provider, We focus on Android Mateti Android Security #1 6

7 Breadth of MobiComp Security Issues Mobile Computing includes standard TCP/IP networking Wi-Fi, Access Points, WEP, WPA, bluetooth, cellular, networking So all network security relevant Additional areas of concern theft/loss of mobile device and its content limited computational power limited storage capacity 7

8 Security Philosophy Prevent vulnerabilities and security breaches Minimize their impact Detect vulnerabilities and security breaches when they happen React swiftly afterwards 8

9 Prevent Prevent before they happen Design and build better source code Examined by security experts Prevent installation of bad apps. Runtime Vigil Test for known security issues Bufer Overfow Attacks ProPolice stack overfow protection Heap protection in dlmalloc Remote (via Network) attacks Media codecs 9

10 Apps From Unknown Google Play does check the APK. But dynamic analysis tools do fail Sources s.com/2014/05/dynam ic-analysis-tools-f or-android-fail.htm l Before install Android checks. Settings > Security > Verify apps. Apps from identifable sources Code signing Trust To install apps from other sources, go to Settings > Security, then touch the box next to Unknown sources. 10

11 Better Design + Build Android Code Complexity 5+ million lines of code on top of Linux kernel Uses 100+ libraries open source can't rely on obscurity Code audits Secure Code Dev Edu Correct by design? Known to be free of bugs via thorough testing? Can compilers and other build tools be Trojans? Yes. K&R Turing Lecture. 11

12 Keep Software Up-to-date Every OS should be responsible for: Automatically updating itself Providing a central update system for third-party applications Auto updaters Android Over-The- Air update system (OTA) User interaction is optional No additional computer or cable is required Very high update rate 12

13 Minimize the Impact of Security Holes Traditional OS security Host based User separation Same origin policy webmail cannot access banking app Mobile OS are for single users Sandboxed Each app runs as a process owned by its own UID. 13

14 Detection of Security Holes Fuzzing Testing via invalid, unexpected, or random data as the inputs org/wiki/fuzz_testin g Enable everyone to detect. Everyone: Users Developers Security Researcher s Honeypot A sting operation. A trap set to detect, defect, or counteract unauthorized use of systems. (computing) 14

15 React to Security Incidents Suppose we discovered a security incident. What to do now? Shut the device down? How long does it take? Meanwhile Collect info. But, how and what? Answers are non- For enterprise situations osoft.com/en-us/lib rary/ cc aspx / groups/ SMA/ fasp/ documents/ incident_response / Incident-Response - Guide.pdf 15

16 Android Platform Security Architecture Security at the OS through the Linux kernel Mandatory application sandbox Secure IPC (inter-process communication) Application signing Application-defned and user-granted permissions 16

17 Linux Security Linux is used in millions of securitysensitive environments. constantly being researched, attacked, and fxed by thousands of developers Linux has become trusted by many A user-id-based permissions model Process isolation Extensible mechanism for secure IPC The ability to remove unnecessary and potentially insecure parts of the 17 kernel

18 Android Security Basics Apps have NO permissions, by default Permissions list: Manifest.permission Apps declare the permissions required in source code AndroidManifest.xml e.g., <uses-permission android:name = "android.permission.receive_sms" /> Android system prompts the user for 18 consent at the time the application is

19 Code Injection The virtual memory model of processes in execution consists of Code pages and segments. Assumed not writeable. Readable and Executable. Text Stack of variables local to method/proc/func Heap of objects dynamically allocated. Should a CPU fetch code from Stack 19

20 Code Injection #2 Code injection was often called Bufer Overfow because of the technique used to inject. Abstract idea: Masquerade code as data. Transfer control to this data. Other concrete versions Format strings SQL injection Remote fle injecttion Cross-site scripting 20

21 Qs on the State of the Art Without reading the source code, can we detect that an app contains (malicious) code injection? With reading? Recall the size of software. Can we prevent the execution of such? Can we detect that it happened (after the fact)? 21

22 Android Security Features Hardware-based No execute (NX) to prevent code execution on the stack and heap ProPolice canaries to prevent stack bufer overruns safe-iop safe integer op lib for C Extensions to dlmalloc to prevent double free() exploits Linux mmap_min_addr() to mitigate null pointer dereference privilege 22

23 Safe Mode When the device is in Safe Mode only core Android applications are available. free of third-party software. A user can boot into safe mode. Some non-obvious button presses. Android detects a problem and goes into the safe mode. 23

24 OS protected APIs Cost-Sensitive APIs Telephony SMS/MMS Network/Data connections In-App Billing NFC Access Personal Information Sensitive Data Input Devices Location data (GPS) Camera functions Microphone Bluetooth functions 24

25 Interprocess Communication Standard IPC fle system, local sockets, or signals. Linux permissions still apply. Binder: RPC mechanism for inprocess and crossprocess calls. Via a custom Linux driver. Services: interfaces directly accessible using binder. Intents: A message object that represents an "intention" to do something. ContentProviders: A data storehouse 25

26 Application Signing CA = certifcate authority Why self signing? Market ties identity to developer account CAs have had major problems with fdelity in the past No applications are trusted. No "magic key" All.apk fles must be signed with a certifcate identifes the author of the application. does not need to be signed by a CA 26

27 Application Signing #2 What does signing determine? Shared UID for shared keys Self-updates If the public key matches, the new APK may request to share UID of the other APK. Allows the system to grant or deny access signature-level perm issions request to be given the same Linux ident ity as another app 27

28 User IDs and File Access Each apk is assigned a distinct Linux UID no /etc/passwd as in Linux diferent device => may have a diferent UID fles created by apk are owned by this user Shared UID feature Two applications can share UIDs More interactivity 28

29 Android Permissions Whitelist model Allow minimal access by default User accepted access Facilitate asking users fewer questions Make questions more understandable 200+ permissions 29 More granularity

30 Permissions #2 PERMISSION_GRAN TED or PERMISSION_DENI ED Context.checkPermi ssion (String, pid, uid) Context.checkCalli ngpermission () Arbitrarily fnegrained permissions 30

31 Android Sandbox The sandbox is based on separation of processes fle permissions Authenticated IPC Sandboxes native code and sys applications Each application is a diferent user ; its own UID runs in its own Linux process its own Dalvik VM 31

32 Application Sandbox Place access controls close to the resource, not in the VM Smaller perimeter easier to protect Default Linux applications have too much power Lock down user access for a "default" application Fully locked down applications limit innovation Relying on users making correct 32

33 File System Encryption Full fle system encryption AES128 Password random salt CPU and mem intense id.com/devices/tech /encryption/ Encryption on Android uses the dm-crypt layer in the Linux kernel. Works at the block device layer. Emmc and similar Android volume daemon (vold) Android 3.0 and later 33

34 Rooting of Android Devices root uid == 0 as in Linux has full access to all applications and all application data system the kernel and sys applications Boot Loaders embedded system boot techniques Locked : Check a signature of the OS fles being booted, or installed. 34

35 SIM Card Access Low level access to the SIM card is not available to third-party apps. The OS handles all communications with the SIM card including access to personal information (contacts, ) on the SIM card memory. Apps also cannot access AT commands, as these are managed exclusively by the Radio Interface Layer (RIL). The RIL provides no high 35

36 GSM/CDMA Vulnerabilities GSM = Global System for Moblie Communication GSM: Largest Mobile network in the world GSM: 3.8 billion phones on network USA GSM: AT&T, T- Mobile CDMA: Others Crack GSM encryption Can crack encryption in under 30 seconds Allows for undetectable eves dropping gsm/ simtoolkit Similar exploits available for CDMA 36

37 SMS Vulnerabilities SMS = Short Messaging System GSM uses two signal bands: control, data. SMS operates entirely on the control band. High volume text messaging can disable the control band, which also disables voice calls. Can render entire city 911 services unresponsive. 37

38 MMS Vulnerabilities MMS = Multimedia Messaging Service Insecure data protocol for GSM Extends SMS, allows for WAP connectivity Exploit of MMS can drain battery 22x faster Multiple UDP requests are sent concurrently, draining the battery as it responds to request Mateti Does not expose Android data Security #1 38

39 Bluetooth Vulnerabilities Bluetooth Short range wireless communication protocol Requires no authentication, just pairing An attack could take over Bluetooth device. Attacker would have access to all data on the Bluetooth enabled device 39 ing

40 A Study of Android Market Apps 40

41 Information Misuse by Apps Phone identifers phone number, IMEI (device identifer), I MSI (subscriber identifer), and ICC-ID (SIM card serial number). Phone identifers are frequently leaked through plaintext requests. Phone identifers are used as device fnger prints. to track individual users. for ad and analytics servers. 41

42 Android Privacy Private information is written to Android s general logging interface. Apps broadcast private information in IPC accessible to all applications. A few apps are vulnerable to forging attacks to dynamic broadcast receivers. Some apps defne intent addresses based on IPC input. 42

43 Null Pointers Null dereferences cause an application to crash, and can thus be used to as a DoS (denial of service). Apps should perform null checks on IPC input. 43

44 More Privilege Separation Media codecs are very complex very insecure Won't fnd all the issues in media libraries Banish OpenCore media library to a lesser privileged process mediaserver Immediately paid of Charlie Miller reported a vulnerability in our MP3 parsing Mateti Android Security #1 44 CERT

45 References Android Security Overview, ndex.html -android-security-basics Google's director of Android Security explains the operating system's builtin security features. Aug 30, 2016

Security Philosophy. Humans have difficulty understanding risk

Security Philosophy. Humans have difficulty understanding risk Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy