android vulnerability to impersonate trusted applications


Upload: sanju

Post on 14-Nov-2015


Android Vulnerabilities to Impersonate Trusted Applications

Sanju
M.Tech. Cyber Security
Centre for Computer Science & Technology
CUPB/M.Tech-CS/SET/CST/2013-14/15
CBS.509
Central University of Punjab, Bathinda (Punjab)

Abstract- The Linux-based Android operating system, specially designed for touch-screen mobile devices, is becoming more and more popular. The Android operating system is widely used for tablet devices and is well suited to devices with larger screen sizes. Android system programs are usually efficient and secure in memory management. However, a few reported security issues show that Android provides insufficient protection to the kernel. In this paper, we study the recent vulnerabilities of the Android operating system and the implications of these vulnerabilities for the user and the user's data.

Keywords: Android, Kernel, GPS, AOSP, OHA, Trojan, Vulnerability

I. INTRODUCTION

Android is a mobile operating system initially developed by Android Inc. Android was sold to Google in 2005. Android is based on a modified Linux 2.6 kernel. Google, as well as other members of the Open Handset Alliance (OHA), collaborated on Android (design, development, distribution). Currently, the Android Open Source Project (AOSP) governs the Android maintenance and development cycle. The Android operating system is primarily designed for smartphones and tablets. Because Android is open source, it has become the fastest-growing mobile operating system, and its open nature has made it a favourite of many consumers and developers. Moreover, software developers can easily modify it and add enhanced features to meet the latest requirements of mobile technology. Android users download more than 1.5 billion applications and games from Google Play each month [6]. Thanks to its powerful development framework, users as well as software developers are able to create their own applications for a wide range of devices. Some of the key features of the Android operating system are: Application Framework, Dalvik virtual machine, integrated browser, optimized graphics, SQLite, media support, GSM technology, Bluetooth, EDGE, 3G, Wi-Fi, camera and GPS. It provides the Java programming language for application development.

A. DIFFERENT SECURITY FEATURES OF ANDROID OPERATING SYSTEM

Security is always the main concern of a user when moving to any platform. The Android operating system should ensure the security of users, users' data, applications, the device, and the network. To achieve the security of these components, Android provides these key security features:

1) Security at the operating-system level through the Linux kernel: The Android operating system is based on the Linux kernel. Because Linux is open source, it is researched, attacked and fixed by many developers, and it has therefore become a stable and secure kernel. The Linux kernel provides Android with several key security features, including:

a. A user-based permissions model: In the Linux file system, each file and directory has permissions for three classes of user: owner, group and other users.
   Owner - The owner permissions apply only to the owner of the file or directory.
   Group - The group permissions apply only to the group that has been assigned to the file or directory.
   Other users - The other-users permissions apply to all other users on the system.
   Each file or directory has three basic permission types:
   Read - The read permission is the user's ability to read the contents of the file.
   Write - The write permission is the user's ability to write or edit a file or directory.
   Execute - The execute permission is the user's ability to execute a file or view the contents of a directory.
   This permission model ensures that proper security is maintained while accessing Android files.
b. Process isolation: The Android operating system assigns a unique user ID (UID) to each Android application and runs it as a separate process.
c. Extensible mechanism for secure IPC.
d. The ability to remove unnecessary and insecure parts of the kernel.

2) Application sandbox for all applications: A sandbox is a security mechanism for separating running programs and limiting the device resources available to an application. It is often used to execute untested code or programs from untrusted users and untrusted websites. Sandboxing gives a program only limited access to the device's resources, which increases the security of the system. Sandboxing technology is frequently used to test unverified programs that may contain a virus or other malware code, without allowing the software or code to harm the host device. Inside a sandbox, an untrusted program can access only those resources of the device for which permission has been granted. Permission is denied if it tries to access other resources of the device.

3) Secure inter-process communication: Some applications still use traditional Linux techniques such as network sockets, the file system and shared files for inter-process communication. The Android operating system also provides new mechanisms for IPC such as Binder, Services, Intents and Content Providers. All these mechanisms allow developers to verify the identity of an application and can also be used to set security policies.

4) Application signing: In order to be installed and run on Android, applications must be digitally signed. With this mechanism, Android identifies the author of an application. This feature is also used to establish trust relationships between applications. If an application is not signed properly, it cannot be installed, even on the emulator. Standard tools such as keytool and jarsigner are used to generate keys and sign application .apk files.

5) Application-defined and user-granted permissions: Permissions are an Android security mechanism to allow or restrict application access. By default, Android applications have no permissions granted, which makes them safe by not allowing them to gain access to protected APIs. Some of the protected APIs include: camera functions, location data (GPS), Bluetooth functions, telephony functions, SMS/MMS functions and network or data connections. These resources are accessed only through the operating system.

In spite of so many security features, the Android operating system is not completely secure. Users are still in the eye of attackers because of the vulnerabilities found in the operating system, which attackers are ready to exploit.

II. SOME OF THE RECENT VULNERABILITIES OF ANDROID OPERATING SYSTEM

A. FAKE ID VULNERABILITY

Every Android application has its own unique identity, typically inherited from the corporate developer's identity. Recently, a new vulnerability in Android was discovered that allows these identities to be copied and used for nefarious purposes. Dubbed Fake ID, the vulnerability allows malicious applications to impersonate specially recognized trusted applications without any user notification. This can result in a wide spectrum of consequences. For example, the vulnerability can be used by malware to escape the normal application sandbox and take one or more malicious actions: insert a Trojan horse into an application by impersonating Adobe Systems; gain access to NFC financial and payment data by impersonating Google Wallet; or take full management control of the entire device by impersonating 3LM [3].

Implications: This is a widespread vulnerability dating back to the January 2010 release of Android 2.1 and affecting all devices that are not patched for Google bug 13678484, disclosed to Google and released for patching in April 2014. All devices prior to Android 4.4 (KitKat) are vulnerable to the Adobe System webview plugin privilege escalation, which allows a malicious application to inject Trojan horse code (in the form of a webview plugin) into other apps. This leads to taking control of the entire app and all of the app's data, and being able to do anything the app is allowed to do. Android 4.4 is vulnerable to Fake ID, but not specifically to the Adobe System webview plugin, due to a change in the webview component (the switch from webkit to Chromium moved away from the vulnerable Adobe-centric plugin code) [2].

How it works: Android applications are typically cryptographically signed by a single identity, via the use of a PKI identity certificate. The use of identity certificates to sign and verify data is commonplace on the Internet, particularly for HTTPS/SSL use in web browsers. As part of the PKI standard, an identity certificate can have a relationship with another identity certificate: a parent certificate (issuer) can be used to verify the child certificate. Android applications use the same certificate signature concepts as SSL, including full support for certificates that are issued by other issuing parties (commonly referred to as a certificate chain).

Application signatures play an important role in the Android security model. An application's signature establishes who can update the application, what applications can share its data, and so on. Certain permissions, used to get access to functionality, are only usable by applications that have the same signature as the permission creator. On specific devices, applications with the signature of the device manufacturer, or of trusted third parties, are allowed to access the vendor-specific device administration (MDM) extensions that allow for silent management, configuration, and control of the device [2]. This is an appropriate use of digital signatures in a system that supports the notion of PKI digital certificate identities.

However, a vulnerability that has been relatively present in all Android versions since Android 2.1 undermines the validity of the signature system and breaks the fundamental operation of PKI. The Android package installer makes no attempt to verify the authenticity of a certificate chain; in other words, an identity can claim to be issued by another identity, and the Android cryptographic code will not verify the claim (normally done by verifying the issuer signature of the child certificate against the public certificate of the issuer).
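The check the installer skipped, as an added example (not code from this paper or from Android, whose installer is Java; Go is used because its standard library can create and verify X.509 certificates in a single file). The names mint, nameOnly, verified and demo and the "Constructed Vendor CA" are hypothetical, and all certificates are constructed at run time. It contrasts a name-only issuer comparison with one that also verifies the issuer's signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// mint creates a certificate for cn; a nil issuer yields a self-signed CA.
func mint(cn string, issuer *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: issuer == nil,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	if issuer == nil {
		issuer, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, priv
}

// nameOnly models the flawed check: only the issuer name is compared.
func nameOnly(c, iss *x509.Certificate) bool { return bytes.Equal(c.RawIssuer, iss.RawSubject) }

// verified adds the missing step: the issuer's public key must validate the child's signature.
func verified(c, iss *x509.Certificate) bool { return nameOnly(c, iss) && c.CheckSignatureFrom(iss) == nil }

// demo returns {nameOnly, verified} for a genuine child of a constructed vendor CA and for a
// negative test case whose issuer name is copied from the vendor but signed by an unrelated key.
func demo() (genuine, forged [2]bool) {
	vendor, vendorKey := mint("Constructed Vendor CA", nil, nil)
	good, _ := mint("genuine component", vendor, vendorKey)
	_, otherKey := mint("unrelated signer", nil, nil)
	bad, _ := mint("impostor app", &x509.Certificate{RawSubject: vendor.RawSubject}, otherKey)
	return [2]bool{nameOnly(good, vendor), verified(good, vendor)}, [2]bool{nameOnly(bad, vendor), verified(bad, vendor)}
}

func main() { fmt.Println(demo()) }
```

Only the signature check separates the two children: both carry the vendor's name in the issuer field.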
For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and will create a package signature that contains both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (which explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems, leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.

B. MASTER KEY VULNERABILITY

The Master Key vulnerability is a flaw in Android's security model that allows a hacker to modify APK code without breaking an application's cryptographic signature, turning any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user. This vulnerability has been around at least since the release of Android 1.6 [1]. Installation of a Trojan application from the device manufacturer can grant the application full access to the Android system and all applications currently installed. The application then not only has the ability to read arbitrary application data on the device (email, SMS messages, documents, etc.) and retrieve all stored account and service passwords; it can essentially take over the normal functioning of the phone and control any function thereof (make arbitrary phone calls, send arbitrary SMS messages, turn on the camera, and record calls). Finally, and most unsettling, is the potential for a hacker to take advantage of the always-on, always-connected, and always-moving (therefore hard-to-detect) nature of these zombie mobile devices to create a botnet.
Details of the vulnerability were released in February 2013 [2].

How it works: The vulnerability involves discrepancies in how Android applications are cryptographically verified and installed, allowing for APK code modification without breaking the cryptographic signature [4]. All Android applications contain cryptographic signatures, which Android uses to determine whether the app is legitimate and to verify that the app hasn't been tampered with or modified. This vulnerability makes it possible to change an application's code without affecting the cryptographic signature of the application, essentially allowing a malicious author to trick Android into believing the app is unchanged even if it has been modified [5].

III. CONCLUSION

A vulnerability is not dangerous as long as it remains hidden. But attackers are working day and night to find those vulnerabilities and exploit them for malicious gain. The following are general countermeasures against Android vulnerabilities:

- Download apps only from the Google Play Store and, even while downloading from the Play Store, make sure that you verify the author of the application before downloading it.
- Do not install applications from untrusted sources or other Android stores.
- Google has already rolled out patches for this. Make sure you update your mobile with the latest patches available.
- Run anti-malware software on your device.

REFERENCES

Constantin, L. (2014, July 29). android-vulnerability-allows-malware-to-compromise-most-devices-and-apps. Retrieved from www.pcworld.com: http://www.pcworld.com/article/2459240/android-vulnerability-allows-malware-to-compromise-most-devices-and-apps.html

Constantin, L. (2014, August 1). android-vulnerability-still-a-threat-to-many-devices-nearly-two-years-later. Retrieved from www.pcworld.com: http://www.pcworld.com/article/2460760/android-vulnerability-still-a-threat-to-many-devices-nearly-two-years-later.html

Forristal, J. (2014, July 29). android-fake-id-vulnerability. Retrieved from www.bluebox.com: https://bluebox.com/technical/android-fake-id-vulnerability/

master-key-android-vulnerability-used-to-trojanize-banking-app. (2013, August 2). Retrieved from blog.trendmicro.com: http://blog.trendmicro.com/trendlabs-security-intelligence/master-key-android-vulnerability-used-to-trojanize-banking-app/

Rohit. (2013, August 28). android-master-key-vulnerability-poc. Retrieved from www.resources.infosecinstitute.com: http://resources.infosecinstitute.com/android-master-key-vulnerability-poc/

Singh, R. (2014). An Overview of Android Operating System and Its Security. Int. Journal of Engineering Research and Applications, 519-521.

threat-of-the-month-android-master-key-vulnerability. (2013, September). Retrieved from www.scmagazine.com: http://www.scmagazine.com/threat-of-the-month-android-master-key-vulnerability/article/307403/