android security

Post on 10-May-2015


DESCRIPTION

This is a presentation given for a course on Cryptography at KU Leuven on May 8 with Lars Jacobs.

TRANSCRIPT

ANDROID SECURITY

Robin De Croon

Lars Jacobs

[H05D9a] Cryptography and Network Security: lecture

prof. dr. ir. Bart Preneel

Content

• Introduction

• System and Kernel Level Security

• User Security Features

• Android Application Security

• Recent Security Problems

• Demo

May 8, 2013 2


INTRODUCTION


Introduction

• All data located on your smartphone
  • Passwords
  • Photos
  • (Text) messages
  • Medical records
  • …

• Smartphone cannot trust anyone

• Android secure?
  • Open source is safer (Hoepman et al.)

Distribution of mobile malware by platform in 2012 (chart)

Mobile threats motivated by profit, by year (chart)

Android Versions


Android Software Stack


SYSTEM AND KERNEL LEVEL SECURITY


Apps & Processes

• Own Linux process + user ID = sandbox!
  • Data is protected from other apps
  • Secure IPC

• API calls are authorized according to permissions

• Hardware access is authorized by Group Membership

• Applies to Java, native and WebKit code alike

Bootloader

• Bootloader is locked by default

• Boot process

• Signature check


Memory management

• A lot of memory corruption bugs
  • Attacker can control the program

• Improvements
  • No eXecute (NX) (since Android 2.3)
  • Address Space Layout Randomization (ASLR) (since Android 4.0)
  • Position Independent Executables (PIE) (since Android 4.1)
  • FORTIFY_SOURCE (since Android 4.2)
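Whether a native binary actually got the NX and PIE protections listed above is recorded in its ELF program headers, which is where a reviewer of an APK's bundled libraries would look. The Go program below is an added example (not from the slides): Inspect reads those headers, and SampleELF builds a constructed, header-only 64-bit ELF image so the check can run offline instead of on a real Android binary.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
)

// Hardening holds the two mitigations from the slide that show up in the ELF
// program headers: PIE (needed for ASLR of the main image) and an NX stack.
type Hardening struct {
	PIE     bool // e_type == ET_DYN, so the image can be loaded at a random base
	NXStack bool // PT_GNU_STACK present and not marked PF_X
}

// Inspect parses the ELF headers in r. Without a PT_GNU_STACK header the Linux
// loader grants an executable stack, so a missing header counts as NXStack=false.
func Inspect(r io.ReaderAt) (Hardening, error) {
	f, err := elf.NewFile(r)
	if err != nil {
		return Hardening{}, err
	}
	h := Hardening{PIE: f.Type == elf.ET_DYN}
	for _, p := range f.Progs {
		if p.Type == elf.PT_GNU_STACK {
			h.NXStack = p.Flags&elf.PF_X == 0
		}
	}
	return h, nil
}

// SampleELF builds a constructed, header-only ELF64 image as offline input:
// typ is ET_EXEC or ET_DYN, stackFlags goes into the single PT_GNU_STACK header.
func SampleELF(typ elf.Type, stackFlags elf.ProgFlag) []byte {
	hdr := elf.Header64{Type: uint16(typ), Machine: uint16(elf.EM_X86_64),
		Version: uint32(elf.EV_CURRENT), Phoff: 64, Ehsize: 64, Phentsize: 56, Phnum: 1}
	copy(hdr.Ident[:], elf.ELFMAG)
	hdr.Ident[elf.EI_CLASS], hdr.Ident[elf.EI_DATA] = byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB)
	hdr.Ident[elf.EI_VERSION] = byte(elf.EV_CURRENT)
	stack := elf.Prog64{Type: uint32(elf.PT_GNU_STACK), Flags: uint32(stackFlags), Align: 16}
	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr) // headers only: no code, just metadata
	binary.Write(&buf, binary.LittleEndian, stack)
	return buf.Bytes()
}

func main() {
	h, err := Inspect(bytes.NewReader(SampleELF(elf.ET_DYN, elf.PF_R|elf.PF_W)))
	fmt.Println(h, err) // {true true} <nil>
}
```

To check a real library, pass an *os.File (it satisfies io.ReaderAt) to Inspect instead of the constructed image.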


Randomization in Android 2.3


Randomization in Android 4.0


Randomization in Android 4.1


Rooting

• No root access by default

• Possible through the ‘su’ binary

• Bootloader unlocked: unsafe

• Root apps can do ANYTHING

• Latest versions of Android

USER SECURITY FEATURES


Device protection

• Screen lock
  • Face unlock, pattern, PIN, passcode, …

• File encryption
  • 128-bit AES in CBC mode with ESSIV:SHA256
  • Master key encrypted with 128-bit AES via the OpenSSL library
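What "AES in CBC mode with ESSIV:SHA256" means per disk sector, as an added example that is not part of the slides: the IV for sector n is AES(SHA-256(key), n), so no IVs are stored and identical plaintext in two sectors still encrypts differently. The key, plaintext and sector numbers are constructed demo values; the layout follows dm-crypt's essiv convention (little-endian sector number, zero-padded to one block).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512 // dm-crypt encrypts the volume in 512-byte sectors

// essivIV derives the per-sector IV: salt = SHA-256(key), IV = AES_salt(sector
// number as little-endian u64, zero-padded). A 32-byte salt gives AES-256 here.
func essivIV(key []byte, sector uint64) []byte {
	salt := sha256.Sum256(key)
	c, _ := aes.NewCipher(salt[:]) // a 32-byte digest is always a valid AES-256 key
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	c.Encrypt(iv, iv)
	return iv
}

// cryptSector encrypts (encrypt=true) or decrypts one 512-byte sector with
// AES-CBC under its ESSIV IV; a 16-byte key gives AES-128, as on the slide.
func cryptSector(key, in []byte, sector uint64, encrypt bool) ([]byte, error) {
	if len(in) != sectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(in))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	mode := cipher.NewCBCEncrypter(block, essivIV(key, sector))
	if !encrypt {
		mode = cipher.NewCBCDecrypter(block, essivIV(key, sector))
	}
	out := make([]byte, sectorSize)
	mode.CryptBlocks(out, in)
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed demo key, not a real one
	plain := bytes.Repeat([]byte("A"), sectorSize)
	c0, _ := cryptSector(key, plain, 0, true)
	c1, _ := cryptSector(key, plain, 1, true)
	fmt.Println("same plaintext in sectors 0 and 1 differs:", !bytes.Equal(c0, c1))
}
```

Decrypting a sector with the wrong sector number garbles only its first block, because in CBC the IV feeds into the first block alone; the remaining blocks still decrypt correctly.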


Passwords are hashed

• Salt saved on the device
  • /data/data/com.android.providers.settings.databases
  • /data/system/locksettings.db

• ‘Easily’ brute-forced with the salt

• Keys are stored in software!


Android source code


ANDROID APPLICATION SECURITY


Android Permissions

• Accessing protected APIs
  • Location (GPS), Camera, Bluetooth, Telephony, SMS/MMS, Network/data

• Defined in AndroidManifest.xml


Play Store security

• Apps are self-signed

• Bouncer
  • Online version
  • Local version (since Android 4.2)

• App encryption
  • Introduced in Android 4.1
  • Shut down due to bugs

Cryptographic APIs

• Primitives
  • AES, DSA, RSA, SHA

• Higher level
  • SSL, HTTPS

• Virtual Private Network
  • IPsec

RECENT SECURITY PROBLEMS


SMS problems

• Smishing
  • http://www.youtube.com/watch?v=baWeMbGatfs

• SMS to premium services
  • F-Secure Mobile Threat Report Q4 2012
  • Kaspersky Security Bulletin 2012

Exynos Exploit

• Exynos 4210 and 4412 processors
  • Sprint Galaxy S II, Galaxy S II, Galaxy S3, Galaxy Note, Galaxy Note 2, Galaxy Tab 2, Galaxy Note 10.1, Galaxy Camera

• Kernel: /dev/exynos-mem is readable and writable by all users, giving access to all physical memory

• ExynosAbuse.apk

DEMO


References (I)

• F-Secure, “Mobile Threat Report Q4 2012”, http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q4%202012.pdf

• Google, “Android Platform Versions”, http://developer.android.com/about/dashboards/index.html#Platform

• Google, “Android Security Overview”, http://source.android.com/tech/security/#android-application-security

• S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgärtner, and B. Freisleben, “Why Eve and Mallory love Android”, in Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS ’12), New York, NY, USA, p. 50, ACM Press, 2012.

References (II)

• J.-H. Hoepman and B. Jacobs, “Increased security through open source”, Communications of the ACM, vol. 50, pp. 79–83, Jan. 2007.

• Matthias Lange, “State of the Union: Android security overview – Is Android the new XP?”, http://de.droidcon.com/2013/sessnio/state-union-android-security-overview-android-new-xp

• Xuxian Jiang, “Smishing Vulnerability in Multiple Android Platforms”, http://www.cs.ncsu.edu/faculty/jiang/smishing.html

• A. Shabtai, “Google Android: A Comprehensive Security Assessment”, IEEE Security & Privacy, vol. 8, pp. 35–44, March–April 2010.

References (III)

• A. Barresi and P. Somogyvari, “Android Security – An Introduction”, www.youtube.com/watch?v=OOFzu2J3EBY

• Kaspersky Security Bulletin 2012, https://www.securelist.com/en/analysis/204792255/Kaspersky_Security_Bulletin_2012_The_overall_statistics_for_2012
