Mobile Device and Platform Security – Part II
John Mitchell
CS155 Spring 2017

Guest Lecture Tuesday June 6
• Diogo Mónica, Director of Security at Docker
• Topics include container security and what it is like working as a security engineer
• Diogo is a very good speaker. Please show your appreciation and come to class.
• We will include topics on the final exam
Two lectures on mobile security
• Introduction: platforms and trends
• Threat categories
  – Physical, platform malware, malicious apps
• Defense against physical theft
• Malware threats
• System architecture and defenses
  – Apple iOS security features and app security model
  – Android security features and app security model
• Security app development
  – WebView – secure app and web interface development
  – Device fragmentation
Tues
Thurs
ANDROID
History and early decisions
Android history
• Android, Inc founded by Andy Rubin around 2005
  – Worked with HTC-built device with a physical keyboard
  – Scrapped Blackberry-like phone when iPhone came out
  – First Android phone HTC Dream, Oct 2008 (T-Mobile G1): touchscreen and keyboard
• Open-source software project
• Backed and acquired by Google
HTC Dream
• First phone had
  – Android 1.6 (Donut)
  – 3.15 megapixel rear camera with auto-focus
  – 3.2 inch touchscreen
  – Gmail, Google Maps, Search, Google Talk, YouTube, calendar, contacts, alarm
Android ecosystem
• Open-source software distributed by Google
  – Increase number of users and devices linked to core Google products
• Multiple hardware vendors
  – Can customize software for their products
• Open marketplace for apps
App market
• Self-signed apps
• App permissions
  – Granted on user installation
• Open market
  – Bad apps may show up on market
  – Shifts focus from remote exploit to privilege escalation
ANDROID PLATFORM
Device locking and permissions
Device lock and unlock
• Similar PIN and fingerprint
• Fingerprint API lets users
  – Unlock device
  – Securely sign in to apps
  – Use Android Pay
  – Purchase on Play Store
Android permissions
• Example of permissions provided by Android
  – "android.permission.INTERNET"
  – "android.permission.READ_EXTERNAL_STORAGE"
  – "android.permission.SEND_SMS"
  – "android.permission.BLUETOOTH"
• Also possible to define custom permissions
Android permission model (figure)
https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf
ANDROID PLATFORM
Platform security features
Android
• Platform outline:
  – Linux kernel, browser, SQLite database
  – Software for secure network communication
    • OpenSSL, BouncyCastle crypto API and Java library
  – C language infrastructure
  – Java platform for running applications
    • Dalvik bytecode, virtual machine
Exploit prevention
• Open source: public review, no obscurity
• Goals
  – Prevent remote attacks, privilege escalation
  – Secure drivers, media codecs, new and custom features
• Overflow prevention
  – ProPolice stack protection
    • First on the ARM architecture
  – Some heap overflow protections
    • Chunk consolidation in dlmalloc (from OpenBSD)
• ASLR
  – Avoided in initial release
    • Many pre-linked images for performance
  – Later developed and contributed by Bojinov, Boneh
dlmalloc (Doug Lea)
• Stores metadata in band
• Heap consolidation attack
  – Heap overflow can overwrite pointers to previous and next unconsolidated chunks
  – Overwriting these pointers allows remote code execution
• Change to improve security
  – Check integrity of forward and backward pointers
    • Simply check that back→forward→back = back, forward→back→forward = forward
  – Increases the difficulty of heap overflow
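The pointer-integrity check on the slide, as an added example that is not part of the lecture: a circular doubly linked free list whose unlink refuses to run unless both neighbours agree the chunk sits between them. It is written in Java to match the rest of the deck's code; real dlmalloc performs the same test on raw chunk headers in C. The chunk names and the "overwritten" pointer are constructed for the demonstration.

```java
// Added example (not from the slides): dlmalloc-style safe unlinking modelled on a
// circular doubly linked list of free chunks.
public final class SafeUnlink {

    /** A free chunk with in-band forward (fd) and backward (bk) pointers. */
    public static final class Chunk {
        public final String name;
        public Chunk fd, bk;
        public Chunk(String name) { this.name = name; }
    }

    /** Thrown when a chunk's neighbours do not agree that it sits between them. */
    public static final class CorruptedHeapException extends RuntimeException {
        public CorruptedHeapException(String msg) { super(msg); }
    }

    /** Builds head <-> c0 <-> c1 <-> ... <-> head and returns the sentinel head. */
    public static Chunk buildList(String... names) {
        Chunk head = new Chunk("head");
        head.fd = head;
        head.bk = head;
        for (String n : names) {
            Chunk c = new Chunk(n);
            c.bk = head.bk;          // append just before the sentinel
            c.fd = head;
            head.bk.fd = c;
            head.bk = c;
        }
        return head;
    }

    /**
     * Remove p only if p.fd.bk == p and p.bk.fd == p, which is the slide's
     * "back-forward-back = back, forward-back-forward = forward" consistency test.
     * An overflow that rewrote p.fd or p.bk breaks that symmetry, so the pointer
     * writes below (the classic write-what-where) are refused instead of performed.
     */
    public static void unlink(Chunk p) {
        if (p.fd == null || p.bk == null || p.fd.bk != p || p.bk.fd != p) {
            throw new CorruptedHeapException("corrupted double-linked list at " + p.name);
        }
        p.fd.bk = p.bk;
        p.bk.fd = p.fd;
        p.fd = null;
        p.bk = null;
    }

    /** Intact case: unlinking b from head <-> a <-> b <-> c leaves head <-> a <-> c. */
    public static boolean unlinksIntactChunk() {
        Chunk head = buildList("a", "b", "c");
        Chunk b = head.fd.fd;
        unlink(b);
        return head.fd.name.equals("a") && head.fd.fd.name.equals("c")
                && head.bk.name.equals("c") && head.bk.bk.name.equals("a");
    }

    /** Constructed corruption: b.fd now names a chunk that does not point back at b. */
    public static boolean rejectsCorruptedChunk() {
        Chunk head = buildList("a", "b", "c");
        Chunk b = head.fd.fd;
        b.fd = new Chunk("overwritten");   // models an overflow into b's header
        try {
            unlink(b);
            return false;                   // the unchecked unlink would have done the write
        } catch (CorruptedHeapException e) {
            return true;                    // integrity check caught it
        }
    }

    public static void main(String[] args) {
        System.out.println("intact unlink ok: " + unlinksIntactChunk());
        System.out.println("corruption detected: " + rejectsCorruptedChunk());
    }
}
```

Run with `java SafeUnlink.java`; both lines should print `true`. The check only raises the bar, as the slide says: it catches a single overwritten pointer, not an attacker who can forge a whole consistent neighbour pair.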
ANDROID PLATFORM
App execution environment
Application development concepts
• Activity – one user task
  – Example: scroll through your inbox
  – Email client comprises many activities
• Service – Java daemon that runs in background
  – Example: application that streams an mp3 in background
• Intents – asynchronous messaging system
  – Fire an intent to switch from one activity to another
  – Example: email app has inbox, compose activity, viewer activity
    • User click on inbox entry fires an intent to the viewer activity, which then allows user to view that email
• Content provider – Store and share data using a relational database interface
• Broadcast receiver – "mailboxes" for messages from other applications
Security Features
• Isolation
  – Multi-user Linux operating system
  – Each application normally runs as a different user
• Communication between applications
  – May share same Linux user ID
    • Access files from each other
    • May share same Linux process and Dalvik VM
  – Communicate through application framework
    • "Intents," based on Binder, discussed in a few slides
• Battery life
  – Developers must conserve power
  – Applications store state so they can be stopped (to save power) and restarted – helps with DoS
Application development process
Application sandbox
• Application sandbox
  – Each application runs with its UID in its own Dalvik virtual machine
    • Provides CPU protection, memory protection
    • Authenticated communication protection using Unix domain sockets
    • Only ping, zygote (spawn another process) run as root
  – Applications announce permission requirement
    • Create a whitelist model – user grants access
    • Don't interrupt user – all questions asked at install time
  – Inter-component communication reference monitor checks permissions
Android permission model (figure)
https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf
Android Intents
• Msg between components in same or different app
• Intent is a bundle of information, e.g.,
  – action to be taken
  – data to act on
  – category of component to handle the intent
  – instructions on how to launch a target activity
• Routing can be
  – Explicit: delivered only to a specific receiver
  – Implicit: all components that have registered to receive that action will get the message
• Layers of security
  – Each application executes as its own user identity
  – Android middleware has reference monitor that mediates the establishment of inter-component communication (ICC)
Source: Penn State group, Android security paper
Source: Penn State group, Android security tutorial
Security issues with intents
• Sender of an intent can verify that the recipient has a permission by specifying a permission with the method call
• Senders can use explicit intents to send the message to a single component (avoiding broadcasting)
• Receivers have to handle malicious intents
Attack: Permission redelegation
• Definition: an application without a permission gains additional privileges through another application
• Example of the "confused deputy" problem
Permission redelegation (figures)
https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf
How could this happen?
• App w/ permissions exposes a public interface
• Study in 2011
  – Examine 872 apps
  – 320 of these (37%) have permissions and at least one type of public component
  – Construct attacks using 15 vulnerabilities in 5 apps
• Reference
  – Permission Re-Delegation: Attacks and Defenses, Adrienne Felt, Helen Wang, Alexander Moshchuk, Steven Hanna, Erika Chin, USENIX 2011
Example: power control widget
• Default widgets provided by Android, present on all devices
• Can change Wi-Fi, BT, GPS, Data Sync, Screen Brightness with only one click
• Uses Intent to communicate the event of switching settings
• A malicious app without permissions can send a fake Intent to the Power Control Widget, simulating click to switch settings
https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf
Vulnerable versions (in red)
• Principle of least privilege helps but is not a solution
• Apps with permissions need to manage security
https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf
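The two sender-side defenses from the "Security issues with intents" slide (explicit addressing, a permission attached to the call) and the receiver-side fix for a deputy like the power control widget, as one added example that is not code from the lecture, the OWASP slides or the Felt et al. paper. The package name `com.example.deputy`, the action string, the `WifiToggleReceiver` component and the `WifiController` interface are hypothetical stand-ins; `CHANGE_WIFI_STATE`, `sendBroadcast(Intent, String)` and `registerReceiver(..., broadcastPermission, ...)` are real framework APIs.

```java
import android.Manifest;
import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;

// Added example (not from the lecture): intent hygiene on both sides of ICC.
public final class IntentHygiene {
    // Hypothetical action and extra understood by the settings-toggling receiver.
    public static final String ACTION_TOGGLE_WIFI = "com.example.deputy.TOGGLE_WIFI";
    public static final String EXTRA_ENABLED = "enabled";
    // Hypothetical component that performs the privileged toggle.
    private static final ComponentName WIFI_TOGGLER =
            new ComponentName("com.example.deputy", "com.example.deputy.WifiToggleReceiver");

    /** Stands in for the privileged code that would call WifiManager. */
    public interface WifiController { void setEnabled(boolean enabled); }

    /**
     * Sender side. The explicit ComponentName means no other app's receiver can
     * claim the message, and the receiverPermission argument makes the system
     * deliver it only to receivers whose app holds CHANGE_WIFI_STATE.
     */
    public static void requestToggle(Context ctx, boolean enabled) {
        Intent intent = new Intent(ACTION_TOGGLE_WIFI)
                .setComponent(WIFI_TOGGLER)
                .putExtra(EXTRA_ENABLED, enabled);
        ctx.sendBroadcast(intent, Manifest.permission.CHANGE_WIFI_STATE);
    }

    /**
     * Receiver side (the deputy). Registering with a broadcastPermission makes the
     * system drop broadcasts from SENDERS that lack CHANGE_WIFI_STATE before
     * onReceive ever runs, so an app without the permission cannot "simulate the
     * click". The payload is validated anyway: a permitted sender may still be buggy.
     */
    public static BroadcastReceiver registerGuardedReceiver(Context ctx, final WifiController wifi) {
        BroadcastReceiver receiver = new BroadcastReceiver() {
            @Override
            public void onReceive(Context context, Intent intent) {
                if (!isWellFormed(intent)) return;   // ignore anything unexpected
                wifi.setEnabled(intent.getBooleanExtra(EXTRA_ENABLED, false));
            }
        };
        ctx.registerReceiver(receiver, new IntentFilter(ACTION_TOGGLE_WIFI),
                Manifest.permission.CHANGE_WIFI_STATE, /* scheduler */ null);
        return receiver;
    }

    /** Accept only the one action carrying the one extra the deputy understands. */
    public static boolean isWellFormed(Intent intent) {
        return intent != null
                && ACTION_TOGGLE_WIFI.equals(intent.getAction())
                && intent.hasExtra(EXTRA_ENABLED);
    }
}
```

For a receiver declared statically in the manifest, the equivalent of the `broadcastPermission` argument is `android:permission="android.permission.CHANGE_WIFI_STATE"` on the `<receiver>` element; either way the check happens in the framework's reference monitor, which is the layer the slides describe as mediating ICC. The point is that the deputy requires of its callers the same permission it would otherwise exercise on their behalf.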
Java Sandbox
• Four complementary mechanisms
  – Class loader
    • Separate namespaces for separate class loaders
    • Associates protection domain with each class
  – Verifier and JVM run-time tests
    • NO unchecked casts or other type errors, NO array overflow
    • Preserves private, protected visibility levels
  – Security Manager
    • Called by library functions to decide if request is allowed
    • Uses protection domain associated with code, user policy
Stack Inspection
• Permission depends on
  – Permission of calling method
  – Permission of all methods above it on stack
    • Up to method that is trusted and asserts this trust
• Many details omitted here
[Figure: call stack with java.io.FileInputStream on top of method f, method g, method h]
Stories: Netscape font/passwd bug; Shockwave plug-in
ANDROID MALWARE
Android malware example
Install malicious "conference app"
Malware behavior triggered by C&C server (Chuli)
Chuli source-to-sink flows
ANDROID WEB APPS
A Large-Scale Study of Mobile Web App Security
Patrick Mutchler, Adam Doupé, John Mitchell, Chris Kruegel, Giovanni Vigna
Mobile Apps
• Mobile web app: embeds a fully functional web browser as a UI element
Mobile Web Apps
JavaScript Bridge
Java side:
    Object foo = new Object();
    myWebView.addJavascriptInterface(foo, "f");
JavaScript side:
    f.bar();
Why?
• Full-featured mobile web apps
• Expose phone functionality to JavaScript
Security Concerns
• Who can access the bridge?
  – Everyone
[Figure: isolated in browser vs. no origin distinction in WebView – Java object reached from JavaScript via f.bar();]
Static Analysis
• How many mobile web apps?
• How many use JavaScript Bridge?
• How many vulnerable?
Experimental Results
• 737,828 free apps from Google Play (Oct '13)
• 563,109 apps embed a browser
• 219,404 use the JavaScript Bridge
• 107,974 have at least one security violation
Most significant vulnerabilities
1. Loading untrusted web content
2. Leaking URLs to foreign apps
3. Exposing state changing navigation to foreign apps
"You should restrict the web-pages that can load inside your WebView with a whitelist."
"…only loading content from trusted sources into WebView will help protect users."
- Adrian Ludwig, Google
1. Navigate to untrusted content
// In app code
myWebView.loadUrl("foo.com");

<!-- In HTML -->
<a href="foo.com">click!</a>

<!-- More HTML -->
<iframe src="foo.com"></iframe>

// In JavaScript
window.location = "foo.com";
public boolean shouldOverrideUrlLoading(WebView view, String url) {
    // false -> load URL in WebView
    // true  -> prevent the URL load
}

public boolean shouldOverrideUrlLoading(WebView view, String url) {
    String host;
    try {
        host = new URL(url).getHost();      // java.net.URL; throws on malformed input
    } catch (MalformedURLException e) {
        host = null;                        // unparsable URL: treat as untrusted
    }
    if ("stanford.edu".equals(host))
        return false;                       // trusted host: let the WebView load it
    Log.w(TAG, "Overrode URL: " + url);     // android.util.Log
    return true;                            // anything else is blocked
}
Reach Untrusted Content?
• 40,084 apps with full URLs and use JavaScript Bridge
• 13,683 apps (34%) can reach untrusted content
Use HTTPS?
• 152,706 apps with partially computed URLs
• 87,968 apps (57%) with HTTP URLs
Handling SSL Errors
onReceivedSslError
1. handler.proceed()
2. handler.cancel()
3. view.loadUrl(...)
Mishandling SSL Errors
• 117,974 apps implement onReceivedSslError
• 29,652 apps (25%) must ignore errors
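A WebViewClient that puts the study's three findings together (whitelist the hosts, stay on HTTPS, never ignore SSL errors) and limits what the JavaScript bridge exposes, as an added example that is not code from the paper or the slides. It generalizes the `stanford.edu` snippet above: the host list is a constructor argument, subdomains of a listed host are accepted, the scheme must be `https`, the newer `WebResourceRequest` callback and `shouldInterceptRequest` are covered so `<iframe>` loads and subresources are checked too, and the bridge object relies on the `@JavascriptInterface` annotation (API 17+) so that only the annotated method is reachable from page script. The class name, tag and `appVersion()` value are constructed.

```java
import android.net.Uri;
import android.net.http.SslError;
import android.util.Log;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added example (not from the paper): a WebViewClient enforcing a host whitelist.
public final class TrustedWebViewClient extends WebViewClient {
    private static final String TAG = "TrustedWebView";
    private final Set<String> trustedHosts;   // supplied by the app, lower-cased

    public TrustedWebViewClient(String... hosts) {
        trustedHosts = new HashSet<>();
        for (String h : hosts) trustedHosts.add(h.toLowerCase(Locale.ROOT));
    }

    /** https only, and host equal to a trusted host or a subdomain of one. */
    public boolean isTrusted(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())) return false;
        host = host.toLowerCase(Locale.ROOT);
        for (String t : trustedHosts) {
            // "cs.stanford.edu" ends with ".stanford.edu"; "stanford.edu.evil.com" does not
            if (host.equals(t) || host.endsWith("." + t)) return true;
        }
        return false;
    }

    /** loadUrl() from app code bypasses shouldOverrideUrlLoading, so check here first. */
    public void load(WebView view, String url) {
        if (isTrusted(url)) view.loadUrl(url);
        else Log.w(TAG, "Refused to load " + url);
    }

    // Pre-API-24 callback: links, window.location, redirects.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        if (isTrusted(url)) return false;            // let the WebView load it
        Log.w(TAG, "Overrode URL: " + url);
        return true;                                 // block everything else
    }

    // API-24+ callback; same decision.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        return shouldOverrideUrlLoading(view, request.getUrl().toString());
    }

    // Also sees <iframe src> and subresources, which the callbacks above may not.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        if (isTrusted(request.getUrl().toString())) return null;   // null = fetch normally
        Log.w(TAG, "Blocked resource " + request.getUrl());
        return new WebResourceResponse("text/plain", "utf-8",
                new ByteArrayInputStream(new byte[0]));             // serve nothing
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        Log.w(TAG, "SSL error " + error.getPrimaryError() + " for " + error.getUrl());
        handler.cancel();   // proceed() here is the "ignore errors" pattern the study counted
    }

    /** Bridge object: with targetSdk >= 17 only @JavascriptInterface methods are callable. */
    public static final class Bridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }   // constructed value
        public void notReachableFromJs() { }            // no annotation, not exposed
    }

    public static void attach(WebView webView, TrustedWebViewClient client) {
        webView.setWebViewClient(client);
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new Bridge(), "f");   // page script sees f.appVersion()
        client.load(webView, "https://stanford.edu/");
    }
}
```

Because `shouldInterceptRequest` applies to every fetch, the whitelist must include every host the trusted pages legitimately pull scripts and images from; that is the intended cost, since a script loaded from an unlisted host would run with access to `f` just like the page itself. Cancelling in `onReceivedSslError` is the only choice consistent with the whitelist: proceeding lets a network attacker substitute the "trusted" host's content.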
Vulnerability     % Relevant   % Vulnerable
Unsafe Nav        15           34
HTTP              40           56
Unsafe HTTPS      27           29
Primary results
[Chart panels: Popularity; Outdated Apps – 29% unsafe nav; Libraries – 51% HTTP, 53% unsafe HTTPS]
Additional security issues: based on 998,286 free web apps from June 2014
Takeaways
• Apps must not load untrusted content into WebViews
• Able to identify violating apps using static analysis
• Vulnerabilities are present in the entire app ecosystem
ANDROID VERSIONING
Target Fragmentation in Android Apps
Patrick Mutchler, John Mitchell, Yeganeh Safaei, Adam Doupé
Takeaways
• Android apps can run using outdated OS behavior
  – The large majority of Android apps do this
  – Including popular and well maintained apps
• Outdated security code invisibly permeates the app ecosystem
  – "Patched" security vulnerabilities still exist in the wild
  – "Risky by default" behavior is widespread
Roadmap
• What is target fragmentation?
• Target fragmentation statistics
• Security consequences
What is target fragmentation?
"If the device is running Android 6.0 or higher… [the app] must request each dangerous permission that it needs while the app is running."
- Android Developer Reference

"If the device is running Android 6.0 or higher and your app's target SDK is 6.0 or higher [the app] must request each dangerous permission that it needs while the app is running."
- Android Developer Reference

"If the [operating system version of the device] is higher than the version declared by your app's targetSdkVersion, the system may enable compatibility behaviors to ensure that your app continues to work the way you expect."
- Android Developer Reference
Target fragmentation statistics
1,232,696 Android Apps
Popularity, Category, Update, and Developer metadata
Collected between May 2012 and Dec 2015
Broken into five datasets by collection date
[Timeline figure: Android 5.0, 5.1 and 6.0 release dates plotted against each dataset; "Outdatedness" is measured from the App Collected date, "Negligent Outdatedness" from the App Updated date]
Security consequences
Fragment Injection
[Figure: a malicious Intent carrying Extra.SHOW_FRAGMENT = "Attacked Fragment", Extra.SHOW_FRAG_ARG, data and other extras reaches the vulnerable app's PreferenceActivity, which loads the attacked fragment]
"A malicious application can invoke any exported PreferenceActivity class and supply it with an :android:show_fragment Intent extra in order to make it load an arbitrary class."
securityintelligence.com/new-vulnerability-android-framework-fragment-injection/
Fragment Injection
• Fixed in Android 4.4
• Developers implement isValidFragment to authorize fragments
// Put this in your app
@Override
protected boolean isValidFragment(String fName) {
    return MyFrag.class.getName().equals(fName);
}
Fragment Injection
• Vulnerable if:
  – Targets 4.3 or lower (31%)
  – Some class inherits from PreferenceActivity (4.8%)
  – That class is exported (1.1%)
  – That class does not override isValidFragment (0.55%)
• 4.2% of apps vulnerable if no fix was ever implemented
Mixed Content in WebView
• Major web browsers block Mixed Content
• In Android 5.0, WebViews block Mixed Content by default
• Can override default with setMixedContentMode()
SOP for file:// URLs in WebView
• Since Android 4.1, separate file:// URLs are treated as unique origins
• Can override with setAllowFileAccessFromFileURLs()
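The three security consequences above (fragment injection, mixed content, file:// origins) share one remedy: opt into the patched behaviour explicitly instead of relying on the default, because the default depends on targetSdkVersion. The class below is an added example, not code from the paper, that does exactly that; the fragment class names under `com.example.app` are hypothetical, while `isValidFragment`, `setMixedContentMode`, `MIXED_CONTENT_NEVER_ALLOW`, `setAllowFileAccessFromFileURLs` and `setAllowUniversalAccessFromFileURLs` are real framework APIs.

```java
import android.os.Build;
import android.preference.PreferenceActivity;
import android.webkit.WebSettings;
import android.webkit.WebView;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example (not from the paper): make the secure behaviour explicit so it
// holds on every device regardless of what the manifest's targetSdkVersion says.
public final class ExplicitDefaults {

    /**
     * Fragment injection: the framework (4.4+) calls isValidFragment with the class
     * named in the :android:show_fragment extra before instantiating it. Authorize
     * an exact set of our own classes; every other name is refused. Marking the
     * activity android:exported="false" in the manifest is the complementary fix.
     */
    public static class SettingsActivity extends PreferenceActivity {
        // Hypothetical fragment classes owned by this app.
        static final Set<String> ALLOWED_FRAGMENTS = new HashSet<>(Arrays.asList(
                "com.example.app.GeneralPrefsFragment",
                "com.example.app.PrivacyPrefsFragment"));

        @Override
        protected boolean isValidFragment(String fragmentName) {
            return isAllowedFragment(fragmentName);
        }

        /** Exact-match whitelist; null and unknown names are rejected. */
        public static boolean isAllowedFragment(String fragmentName) {
            return fragmentName != null && ALLOWED_FRAGMENTS.contains(fragmentName);
        }
    }

    /**
     * WebView behaviours that are safe-by-default only for newer targets. Each call
     * is guarded by the OS version that introduced the API, and each sets the value
     * the newer default would have chosen, so an app targeting 4.3 gets the same
     * protection on a 6.0 device as an app targeting 6.0.
     */
    public static void applySecureWebSettings(WebView webView) {
        WebSettings s = webView.getSettings();
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            // Default only when targeting 5.0+: block http subresources on https pages.
            s.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            // Default only when targeting 4.1+: keep file:// pages in their own origin,
            // and stop them reaching any origin at all.
            s.setAllowFileAccessFromFileURLs(false);
            s.setAllowUniversalAccessFromFileURLs(false);
        }
        // If the app never needs file:// content, refuse it outright.
        s.setAllowFileAccess(false);
    }
}
```

The version guards matter in the other direction too: on a device older than the API that introduced a setting there is nothing to call, and the app is exposed whatever it targets, which is the "patched vulnerabilities still exist in the wild" point from the takeaways.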
Summary of Target Fragmentation
• Android apps can run using outdated OS behavior
  – The large majority of Android apps do this
  – Including popular and well maintained apps
• Outdated security code invisibly permeates the app ecosystem
  – "Patched" security vulnerabilities still exist in the wild
  – "Risky by default" behavior is widespread
Comparison: iOS vs Android
• App approval process
  – Android apps from open app store
  – iOS vendor-controlled store of vetted apps
• Application permissions
  – Android permission based on install-time manifest
  – All iOS apps have same set of "sandbox" privileges
• App programming language
  – Android apps written in Java; no buffer overflow…
  – iOS apps written in Objective-C
Comparison                      iOS    Android    Windows
Unix                             x       x
Windows                                              x
Open market                              x
Closed market                    x                   x
Vendor signed                    x
Self-signed                              x           x
User approval of permissions             x        7 -> 8
Managed code                             x           x
Native code                      x