![Page 1: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/1.jpg)
Mobile Security and Privacy
Alexandra Dmitrienko
Cyberphysical Mobile Systems Security Group Fraunhofer SIT, Darmstadt
Center for Advanced Security Research in Darmstadt (CASED)
![Page 2: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/2.jpg)
Smartphone is Your Best Freind !
8 October, 2013 Intel European Research Conference 2013
![Page 3: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/3.jpg)
Nomophobia: New Epidemic of Smartphone Addiction
![Page 4: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/4.jpg)
An App for Every Wish….
8 October, 2013 Intel European Research Conference 2013
Large Attack Surface
![Page 5: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/5.jpg)
Attack and Threat Classification Attack Classes
Malware
Single App Malware
Ad Libraries
Privilege Escalation
Confused Deputy
Colluding Apps
Kernel Exploits and Jailbreaks
Runtime Attacks
Code Injection
Return-Oriented Programming
Hardware Attacks
Baseband
Sensors
![Page 6: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/6.jpg)
![Page 7: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/7.jpg)
Apple iPhone Jailbreak Disable signature verification and escalate privileges to root
Request http://www.jailbreakme.com/_/iPhone3,1_4.0.pdf
1) Exploit PDF Viewer Vulnerability by means of Return-Oriented Programming
2) Start Jailbreak
3) Download required system files
4) Jailbreak Done
![Page 8: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/8.jpg)
Google Android: Install arbitrary applications without the users knowledge
Android Web Browser
Permission: INSTALL_PACKAGES
1) Exploit Bug in web Browser 2) Enforce the installation of various apps
![Page 9: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/9.jpg)
Confused Deputy Attack: Internet access without INTERNET Permission
Malicious App
0 Permissions
Android Web Browser
INTERNET Permission
1) Ask Browser for data transfer from a remote server 2) Browser forwards request 3) Files are transmitted to SD card
![Page 10: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/10.jpg)
Collusion Attack: Soundcomber [Schlegel et al., NDSS 2011]
APP_A
Permission: Record Audio
1) Call Credit Institute 2) Credit Card Number is extracted from the speech
APP_B
Permission: Internet
A stealthy and context-aware Sound Trojan
![Page 11: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/11.jpg)
Soundcomber Internals Exploiting Covert Channels in Android
APP_A
Permission: Record Audio
APP_B
Permission: Internet
Volume Setting
Android Core Application
Write
Read
![Page 12: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/12.jpg)
Sensoric Malware: TapLogger / TouchLogger
Infer user’s input to virtual keyboard by measuring the accelerometer and gyroscope during typing [Xu et al., WiSec 2012; Cai et al., HotSec 2011]
12
S A F E
http://devfiles.myopera.com/articles/9472/device-gamma.png
![Page 13: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/13.jpg)
Breaking Two-Factor Authentication: Mobile TAN (mTAN)
Bank
User PC User phone
3. Read mTAN
3. Initiate transaction
2. Steal login credentials
1. Compromise
6. Confirm transaction
![Page 14: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/14.jpg)
Malware Statistics: Total Mobile Malware Samples
McAfee Labs, “McAfee threats report: First quarter 2013"
![Page 15: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/15.jpg)
Malware Statistics: Total Mobile Malware per Platform
McAfee Labs, “McAfee threats report: First quarter 2013"
![Page 16: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/16.jpg)
0
20,000,000
40,000,000
60,000,000
80,000,000
100,000,000
120,000,000
140,000,000
160,000,000
Q4/2012
144,720,300
43,457,400
7,333,000
Android
iOS
Research In Motion
Microsoft
Symbian
Bada
Other OSes
Based on Gartner Statistics (February 2013) http://www.gartner.com/newsroom/id/2335616
Worldwide Smartphone Sales to End Users by Operating System Sold Units Q4/2012
![Page 17: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/17.jpg)
![Page 18: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/18.jpg)
Why Most Research is Done on Android?
![Page 19: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/19.jpg)
Security Extensions and Tools
Detecting and Preventing
Private Data Leakage
TaintDroid [Enck et al., USENIX OSDI
2010]
TISSA [Zhou et al., TRUST 2011]
AppFence [Hornyack et al., ACM CCS
2011]
Application Hardening and Context-Based
Policies
SAINT [Ongtang et al., ACSAC
2009]
CRePE [Conti et al., ISC 2010]
AppGuard [Backes et al., TR 2012]
Mr Hide/Dr Android [Jeon et al., ACM SPSM
2012]
Aurasium [Xu et al., USENIX
Sec. 2012]
Security Aspects of App Stores
DroidRanger [Zhou et al., NDSS 2012]
DroidMOSS [Zhou et al., CODASPY
2012]
Meteor [Barrera et al., IEEE MoST
2012]
In-App Ad Library
Malware
AdRisk [Grace et al., WISec
2012]
AdDroid [Pearce et al., AsiaCCS
2012]
AdSplit [Dietz et al., USENIX
Sec. 2012]
![Page 20: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/20.jpg)
More Security Extensions and Tools
Privilege Escalation (Application-Level)
Confused Deputy
• IPC Inspection [Felt et al., USENIX Sec. 2012]
• QUIRE [Dietz et al., USENIX Sec. 2012]
• XManDroid [Bugiel et al., NDSS 2012]
• SORBET [Fragkaki et al., TR 2012]
Privilege Escalation
(Kernel-Level)
Android SELinux
[Shabtai et al., IEEE S&P Magazine 2010]
SEAndroid [Smalley et al.,
NDSS 2012]
L4Android [Lange et al., ACM
SPSM 2011]
Malware Detection
Kirin [Enck et al., ACM CCS
2009]
Apex [Naumann et al.,
AsiaCCS 2010]
Paranoid [Portokalidis et al.,
ACSAC 2010]
Airmid [Nadji et al., ACSAC
2011]
DroidScope [Yan et al., USENIX
Sec. 2012]
DRM Policies and Domain
Isolation
Porscha [Ongtang et al., ACSAC
2010]
Colluding Apps
• XManDroid [Bugiel et al., NDSS 2012]
• FlaskDroid [Bugiel et al., USENIX 2013]
TrustDroid [Bugiel et al., ACM SPSM
2011]
![Page 21: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/21.jpg)
XManDroid: Mitigation of Confused Deputy
Attacks and Colluding Apps
![Page 22: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/22.jpg)
XManDroid: High-level Idea
23
Application layer
Middleware
Linux kernel
IPC
File System
Network Sockets
Discretionary access control
of Linux
Reference Monitor
Monitors all communication channels between apps Validates if the requested communication link complies to a system-
centric security policy
XM
anD
roid
AppA AppB
![Page 23: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/23.jpg)
XManDroid: Graph-based System Representation
24
Android Core
System Components
Application sandboxes
Files
Internet sockets
IPC calls
Access to files
Socket connections
![Page 24: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/24.jpg)
XManDroid against Soundcomber
25
A B
Android Core
C
Policy Rule: Sandbox A: permission INTERNET, no AUDIO Sandbox B: permission AUDIO, no INTERNET
Decision: Deny
AUDIO INTERNET
Volume Settings
![Page 25: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/25.jpg)
TrustDroid (BizzTrust): Dual Persona Phone
![Page 26: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/26.jpg)
Trends: One Phone for Business and Private Tasks
Business / Work Private
![Page 27: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/27.jpg)
How Does It Work?
28
Application layer
Middleware
Linux kernel
IPC
File System
Network Sockets
Discretionary access control
of Linux
Reference Monitor
Colors private and corporate apps into different colors Controls all communication channels between the apps Enforces isolation between apps with different colors
Biz
zTru
st
AppA AppB
![Page 28: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/28.jpg)
FlaskDroid: A Generic Fine-Grained MAC
![Page 29: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/29.jpg)
FlaskDroid: Supports Multi Stackholder Policies
System Policy
3rd Party Policies
Developer Policies
User Policy
Application Framework
Middleware Access Control
Kernel Access Control
Consolidated Access Control
![Page 30: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/30.jpg)
Phone Booth Mode (lending phone)
Prevent side-channels
31
Dual Persona
Many Use-Cases
XManDroid
![Page 31: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/31.jpg)
Challenge: The Gap Between Solutions in
Theory and Practice
Need More Integration of Research in to Industrial Solutions
![Page 32: Mobile Security and Privacy - Inteldownload.intel.com/newsroom/kits/EMEA/Europe/... · Exploiting Covert Channels in Android APP_A Permission: Record Audio APP_B ... Write Read](https://reader030.vdocuments.us/reader030/viewer/2022041016/5ec7e522ba98d85a5f5670f0/html5/thumbnails/32.jpg)
Summary
Smartphones process a lot of privacy-sensitive data
Large attack surface and rapid grow of malware
Active academic research particularly on Android to harden overall system
Kernel, middleware, applications
The gap between academic research and industrial solutions
34