Rooting Android. Lecture 10. Security of Mobile Devices. SMD Rooting Android, Lecture 10 1/33

Size: px

Start display at page:

Download "Rooting Android. Lecture 10. Security of Mobile Devices. SMD Rooting Android, Lecture 10 1/33"

Jeffry Thompson
5 years ago
Views:

1 Rooting Android Lecture 10 Security of Mobile Devices 2018 SMD Rooting Android, Lecture 10 1/33

2 Root Root Access on Different Types of Builds Root Access on Production Builds Full Rooting Tutorial Bibliography SMD Rooting Android, Lecture 10 2/33

3 Outline Root Root Access on Different Types of Builds Root Access on Production Builds Full Rooting Tutorial Bibliography SMD Rooting Android, Lecture 10 3/33

4 Root Linux kernel - DAC security model Root user (UID 0) - absolute power Root on Android: Bypass Android sandbox Access and modify any file Modify read-only partitions Control system services Remove system applications SMD Rooting Android, Lecture 10 4/33

5 Android Security Measures Root access not allowed on production devices Limit system processes with root permission Avoid privilege escalation SELinux - global security policy Root processes don t have unrestricted access Still have access to private data Can modify system behavior Exploit kernel vulnerability SMD Rooting Android, Lecture 10 5/33

6 Advantages of root access Debugging and reverse engineering apps System customizations Implementing special applications Firewall Full device backup Network sharing SMD Rooting Android, Lecture 10 6/33

7 Outline Root Root Access on Different Types of Builds Root Access on Production Builds Full Rooting Tutorial Bibliography SMD Rooting Android, Lecture 10 7/33

8 User Builds ro.build.type system property user build: No diagnostics and development tools ADB daemon disabled Debugging only for apps with debuggable true No root access using shell userdebug build: Allows debugging of all apps ADB enabled SMD Rooting Android, Lecture 10 8/33

9 User Build - Demo Pixel XL m a r l i n : / $ g e t p r o p r o. b u i l d. t y p e u s e r m a r l i n : / $ getprop ro. s e c u r e 1 m a r l i n : / $ ps e f grep adb s h e l l : 4 2 : 0 5? 0 0 : 0 0 : 0 5 adbd r o o t s e c l a b e l=u : r : su : s0 m a r l i n : / $ c a t / p r o c /693/ s t a t u s Name : adbd S t a t e : S ( s l e e p i n g ) Tgid : 693 Pid : 693 PPid : 1 TracerPid : 0 Uid : Gid : Ngid : 0 FDSize : 64 Groups : [.. ] CapInh : CapPrm : CapEff : CapBnd : c0 CapAmb : Seccomp : 0 [.. ] SMD Rooting Android, Lecture 10 9/33

10 Engineering Build Allows debugging of all apps ADB enabled ro.secure = 0 ADB daemon continues to run as root Does not drop capabilities - full capability bounding set SMD Rooting Android, Lecture 10 10/33

11 Su command Obtain root shell Run command as another UID On userdebug without restarting ADB as root Default su can be used only by root (0) and shell (2000) users Sets UID and GID to 0 Commands executed from the shell inherit priviledges SMD Rooting Android, Lecture 10 11/33

12 Outline Root Root Access on Different Types of Builds Root Access on Production Builds Full Rooting Tutorial Bibliography SMD Rooting Android, Lecture 10 12/33

13 Production Builds In production: user build ADB daemon runs as shell user No su command No system/core OS configuration No access to the kernel Rooting a device Unlocked bootloader SMD Rooting Android, Lecture 10 13/33

14 Rooting by Changing Boot or System Image 1. Write new boot image (custom kernel) eng or userdebug ro.secure, ro.debuggable Current user builds disable ADB root ADB daemon ignores properties 2. Unpack system image, write su, write system partition Would allow su access from third-party apps From Android 4.3, system mounted with nosetuid Apps cannot execute SUID programs Zygote processes without capabilities SMD Rooting Android, Lecture 10 14/33

15 Rooting by Changing Boot or System Image SELinux enforcing mode: Execute with root -> security context unchanged, MAC policy SELinux must be disabled for root access Disable security measures No system updates from the manufacturer SMD Rooting Android, Lecture 10 15/33

16 Rooting Through OTA Package OTA package - add and modify system files Without rewriting the whole OS Superuser apps: OTA package to be installed from recovery OS Manager application (updatable) SMD Rooting Android, Lecture 10 16/33

17 SuperSU OTA package and application Developed by Jorrit Chainfire Jongma Actively maintained Most popular SMD Rooting Android, Lecture 10 17/33

18 SuperSU OTA package Native binaries for arm, arm64, armv7, mips, mips64, x86, x64 Scripts for installing and starting SuperSU daemon Apk of management application Updater scripts update-binary, updater-script SMD Rooting Android, Lecture 10 18/33

19 SuperSU installation (1) Mount rootfs, system and data partitions as read-write Copy su and daemonsu to /system/xbin/ Copy apk to /system/app/ -> installed at reboot Copy install-recovery.sh to /system/etc/ SMD Rooting Android, Lecture 10 19/33

20 SuperSU installation (2) Set permissions and SELinux security labels of installed binaries u:object_r:system_file:s0 label Call /system/xbin/su --install Post-install initialization Unmount system and data partitions SMD Rooting Android, Lecture 10 20/33

21 SuperSU Initialization Samsung Galaxy S7 Edge h e r o 2 l t e : / # c a t i n i t. s u p e r s u. r c # e a r l i e s t p o s s i b l e SuperSU daemon launch, w i t h f a l l b a c k to s e r v i c e on post f s data exec u : r : supersu : s0 root root / sbin / launch daemonsu. sh post fs data # mount / data / su. img to / su on p r o p e r t y : s u k e r n e l. mount=1 mount ext4 loop@ / data / su. img / su noatime # l a u n c h SuperSU daemon s e r v i c e daemonsu / s b i n / launch daemonsu. sh s e r v i c e c l a s s l a t e s t a r t u s e r r o o t s e c l a b e l u : r : s u p e r s u : s0 o n e s h o t SMD Rooting Android, Lecture 10 21/33

22 SuperSU - Daemonsu Bypass security constraints (no capabilities, SELinux) Usage: Apps use su binary Sends commands through socket to daemonsu Executes commands as root in u:r:supersu:s0 SELinux context SMD Rooting Android, Lecture 10 22/33

23 SuperSU - Demo Samsung Galaxy S7 Edge h e r o 2 l t e : / $ ps Z LABEL USER PID PPID VSIZE RSS WCHAN PC NAME u : r : s u p e r s u : s0 r o o t s k b r e c v S daemonsu : mount : master u : r : supersu : s0 root s k b r e c v S daemonsu : master [.. ] u : r : u n t r u s t e d a p p : s0 : c512, c768 u0 a S y S e p o l l S eu. c h a i n f i r e. s u p e r s u [.. ] u : r : s h e l l : s0 s h e l l p o l l s c h e d 7 c09943a78 S su u : r : supersu : s0 root p o l l s c h e d aea78 S daemonsu : 0 : u : r : s u p e r s u : s0 r o o t p o l l s c h e d 78 d326ca78 S s u s h h e r o 2 l t e : / $ su c s l e e p 100 SMD Rooting Android, Lecture 10 23/33

24 SuperSU - Demo Run su -c sleep 100 from shell su process executes as shell, in the u:r:shell:s0 domain su sends command to daemonsu:0:24047 An instance of daemonsu created to run the command daemonsu executes as root, in u:r:supersu:s0 domain daemonsu executes starts sush to run sleep sush executes as root, in u:r:supersu:s0 domain SMD Rooting Android, Lecture 10 24/33

25 SuperSU Management Application eu.chainfire.supersu process Asks the user to grant root access when needed One time, a period, permanently White list of applications SMD Rooting Android, Lecture 10 25/33

26 Root Access on Custom ROM CyanogenMod (now LineageOS) Start su as daemon in init.superuser.rc service su_daemon /system/xbin/su --daemon Service started or stopped using persist.sys.root_access property Value root access to none, apps, adb shell, or both SMD Rooting Android, Lecture 10 26/33

27 Outline Root Root Access on Different Types of Builds Root Access on Production Builds Full Rooting Tutorial Bibliography SMD Rooting Android, Lecture 10 27/33

28 Full Tutorial for Rooting Samsung Galaxy S7 Edge Settings -> Enable Developer Options, OEM unlocking, USB debugging Download TWRP for hero2lte (code name) Enter Download/Odin mode by pressing [Volume Down] + [Home] + [Power] Write TWRP on device using Odin (Windows) Immediately enter Recovery mode by pressing [Volume Up] + [Home] + [Power] SMD Rooting Android, Lecture 10 28/33

29 Full Tutorial for Rooting Samsung Galaxy S7 Edge In TWRP - format data partition Push SuperSU and no-verity archives to sdcard Install no-verity using TWRP Install SuperSU using TWRP Reboot - it might take a little while SMD Rooting Android, Lecture 10 29/33

30 Full Tutorial for Rooting Samsung Galaxy S7 Edge Download the latest SuperSU application Download the latest TWRP application From SuperSU, grant permissions to apps that require root adb shell -> $ su -> # SMD Rooting Android, Lecture 10 30/33

31 Outline Root Root Access on Different Types of Builds Root Access on Production Builds Full Rooting Tutorial Bibliography SMD Rooting Android, Lecture 10 31/33

32 Bibliography Android Security Internals, Nicolay Elenkov, 2015 Android Hacker s Handbook, Joshua J. Drake, 2014 SMD Rooting Android, Lecture 10 32/33

33 Keywords Root access SELinux User build Engineering build SuperSU TWRP LineageOS SMD Rooting Android, Lecture 10 33/33

Android Bootloader and Verified Boot

Android Bootloader and Verified Boot Lecture 7 Security of Mobile Devices 2018 SMD Android Bootloader and Verified Boot, Lecture 7 1/38 Bootloader Recovery Verified Boot Bibliography SMD Android Bootloader