Aurasium: Practical Policy Enforcement for Android Applications
Rubin Xu, University of Cambridge
Hassen Saidi, SRI International
Ross Anderson, University of Cambridge
USENIX Security Symposium 2012
Goal
- Address the multiple threats posed by malicious applications on Android
Android Malicious Apps
Introduction to Android
Security Features
- Process isolation
- Linux user/group permission
- App requests permission to OS functionalities
  - Most checked in remote end, i.e. system services
  - A few (Internet, Camera) checked in kernel, as special user group
Introduction to Android
Security Features
[Diagram: the app process com.android.demo.app holds Application Code (Activity, Service, Broadcast Receiver, Content Provider) and Framework Code on the Android Runtime (Dalvik VM). Across the process boundary, via Binder (IPC), sit the System Services (Telephony Manager, Location Manager, Activity Manager, Package Manager, …) with their Framework Code and a Permission Check. Across the kernel boundary, Socket and Camera access has its own Permission Check.]
Malicious Android Apps
- Abuse permissions:
  - Permissions are granted for as long as an App is installed on a device
  - No restrictions on how often resources and data are accessed
- Access and transmit private data
- Access to malicious remote servers
- Application-level privilege escalation
- Confused deputy attacks
- Gain root privilege
Alternative Approaches
- App vetting: Google’s Bouncer
  - 40% decrease in malware
  - Ineffective once App installed on the device
- AV products:
  - Scanning
  - Have no visibility into the runtime of an App
- Fine grain permissions checking
  - Require modifications to the OS
- Virtualization
  - Require modification to the OS
Related work
- Existing Work
  - TaintDroid (OSDI 10)
  - CRePE (ISC 10)
  - AppFence (CCS 11)
  - Quire (USENIX Security 2011)
  - SELinux on Android
  - Taming Privilege-Escalation (NDSS 2012)
- Limitations
  - Modify OS – requires rooting and flashing firmware.
Related Approaches
[Diagram: layers Hardware, Linux kernel, Android Middleware, with Quire, SELinux, TaintDroid, AppFence and CRePE placed on them; labels: Information flow, Access control, Call chain IPC]
Solution: Aurasium
- Repackage Apps to intercept all interactions with the OS
[Diagram: the same layers (Hardware, Linux kernel, Android Middleware), marked with X; labels: Information flow, Access control, Call chain IPC, and many more!]
Aurasium Internals
Two Problems to Solve
- Introducing alien code to arbitrary application package
- Reliably intercepting application interaction with the OS
Aurasium Internals
How to add code to existing applications
- Android application building and packaging process
[Diagram: Java Source Code → javac → .class files → dx → Classes.dex; Application Resource → aapt → Compiled Resources; Classes.dex, Compiled Resources, AndroidManifest.xml and Other Files → Zip & Sign → Application Package (.apk)]
Aurasium Internals
How to add code to existing applications
[Diagram: Application Package → apktool → .smali files (from Classes.dex), Application Resources (from Compiled Resources), Textual AndroidManifest.xml, Other Files; steps: Insert Our Java Code, Insert Metadata, Insert Our Native Library; → apktool → Secured Application]
Enforcing Security & Privacy Policy
- Aurasium way
  - Per-application basis
  - No need to root phone and flash firmware
  - Almost non-bypassable
[Diagram: process com.android.demo.SecuredApp with Application Code (Activity, Service, Broadcast Receiver, Content Provider), Framework Code, Aurasium, Kernel]
Aurasium Internals
How to Intercept
- A closer look at app process
[Diagram: layers of an app process: Application Code; Framework Code - Java; Java Native Interface; Framework Code - Native (C++): libdvm.so, libandroid_runtime.so, libbinder.so, …; libm.so, libstdc++.so, libc.so; Kernel]
Aurasium Internals
How to Intercept
- Example: Socket Connection
  - Application Code: ApkMonitorActivity.onClick()
  - Framework - Java: HttpURLConnectionImpl.makeConnection() → HttpConnection.<init>() → Socket.connect() → PlainSocketImpl.connect() → OSNetworkSystem.connect()
  - Java Native Interface
  - Framework - Native: OSNetworkSystem_connect() @ libnativehelper.so
  - Native Libraries: connect() @ libc.so
Aurasium Internals
How to Intercept
- Example: Send SMS
  - Application Code: ApkMonitorActivity.onClick()
  - Framework - Java: SmsManager.sendTextMessage() → Isms$Stub$Proxy.sendText() → BinderProxy.transact()
  - Java Native Interface
  - Framework - Native: transact() @ libbinder.so
  - Native Libraries: ioctl() @ libc.so
Aurasium Internals
How to Intercept
- Intercept at lowest boundary – libc.so
[Diagram: Application Code; Framework Code - Java; Java Native Interface; Framework Code – Native (C++): libdvm.so, libandroid_runtime.so, libbinder.so, …; Monitoring Code (Detour); libm.so, libstdc++.so, libc.so]
Aurasium Internals
How to Intercept
- Look closer at library calls - dynamic linking
[Diagram: a call from libbinder.so into libc.so; labels: Indirect memory reference, Control flow transfer]
Aurasium Internals
How to Intercept
- Key: Dynamically linked shared object file
- Essence: Redo dynamic linking with pointers to our detour code.
[Diagram: the link from somelib.so to libc.so is marked X; Monitoring Code appears alongside]
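The relinking idea on this slide, as an added example that is not Aurasium's code: a user-space model in which a library's import table is an array of function pointers, one slot is repointed at monitoring code, and the monitoring code applies a policy before forwarding to the original. The names `got_entry`, `relink`, `detour_connect`, `somelib_open` and the blocked address are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Model of one import slot in a library's GOT: symbol name -> resolved address. */
typedef int (*connect_fn)(const char *ip, int port);
struct got_entry { const char *symbol; connect_fn target; };

/* Stand-in for connect() @ libc.so (constructed; performs no network I/O). */
static int libc_connect(const char *ip, int port) { (void)ip; (void)port; return 0; }

static connect_fn real_connect;                        /* saved original target */
static const char *blocked_ips[] = { "203.0.113.7" };  /* constructed policy */

/* Monitoring code: consult the policy, then forward to the original function. */
static int detour_connect(const char *ip, int port) {
    for (size_t i = 0; i < sizeof blocked_ips / sizeof *blocked_ips; i++)
        if (strcmp(ip, blocked_ips[i]) == 0) { errno = EACCES; return -1; }
    return real_connect(ip, port);
}

/* "Redo dynamic linking": repoint every slot for `symbol` at the detour. */
static int relink(struct got_entry *got, size_t n, const char *symbol, connect_fn detour) {
    int patched = 0;
    for (size_t i = 0; i < n; i++)
        if (strcmp(got[i].symbol, symbol) == 0 && got[i].target != detour) {
            real_connect = got[i].target;
            got[i].target = detour;
            patched++;
        }
    return patched;
}

/* Caller inside somelib.so: it only ever calls through its own GOT slot. */
static int somelib_open(struct got_entry *got, const char *ip) {
    return got[0].target(ip, 80);
}

/* Returns 1 if, after relinking, allowed traffic passes and blocked traffic is denied. */
int demo(void) {
    struct got_entry got[] = { { "connect", libc_connect } };
    if (somelib_open(got, "203.0.113.7") != 0) return 0;   /* before: unmonitored */
    if (relink(got, 1, "connect", detour_connect) != 1) return 0;
    if (relink(got, 1, "connect", detour_connect) != 0) return 0; /* idempotent */
    return somelib_open(got, "198.51.100.1") == 0
        && somelib_open(got, "203.0.113.7") == -1 && errno == EACCES;
}

int main(void) { return demo() ? 0 : 1; }
```

On a real device the slots live in each loaded library's ELF relocation tables rather than in an array; this model keeps only the pointer-swap and policy-forwarding logic.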
Aurasium Internals
How to Intercept
- Implemented in native code
- Almost non-bypassable
  - Java code cannot modify arbitrary memory
  - Java code cannot issue syscall directly
  - Attempts to load native code are monitored: dlopen()
What can you do with Aurasium?
- Total visibility into the interactions of an App with the OS and other Apps
  - Internet connections: connect()
  - IPC Binder communications: ioctl()
  - File system manipulations: write(), read()
  - Access to resources: ioctl(), read(), write()
  - Linux system calls: fork(), execvp()
Aurasium Internals
How to add code to existing applications
- Inevitably destroy original signature
- In Android, signature = authorship
- Individual app not a problem
Aurasium Internals
How to add code to existing applications
[Diagram: Application Package → apktool → .smali files (from Classes.dex), Application Resources (from Compiled Resources), Textual AndroidManifest.xml, Other Files; steps: Insert Our Java Code, Insert Metadata, Insert Our Native Library; → apktool → Secured Application; annotations: Detour libc calls, Point to Detour Activity, GUI & Policy]
Evaluation
- Tested on real-world Apps
  - 3491 apps from third-party application store.
  - 1260 malware corpus from Android Genome.
- Results
  - Repackaging: 3476/1258 succeed (99.6%/99.8%)
    - Failure mode: apktool/baksmali assembly crashes
  - Device runs Nexus S under Monkey – UI Exerciser in SDK
  - Intercept calls from all of 3189 runnable applications.
Limitations
- 99.9% is not 100%
  - Rely on robustness of apktool
  - Manual edit of Apps as a workaround
- Native code can potentially bypass Aurasium:
  - Already seen examples of native code in the wild that is capable of doing so
  - Some mitigation techniques exist
Conclusion
- New approach to Android security/privacy
- Per-app basis, no need to root phone
- Tested against many real world apps
- Have certain limitations
The End
Try it out at www.aurasium.com