seven%ways%to%% hang%%yourself%with%% googleandroid%...seven%ways%to%% hang%%yourself%with%%...
TRANSCRIPT
![Page 1: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/1.jpg)
Seven Ways to Hang Yourself with Google Android
Yekaterina Tsipenyuk O'Neil
Principal Security Researcher
Erika Chin
Ph.D. Student at UC Berkeley
![Page 2: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/2.jpg)
§ Founding Member of the Security Research Group at For@fy (now an HP Company)
§ Code audits, iden@fying insecure coding paFerns, and providing security content for For@fy's soHware security products
§ B.S. and M.S. in CS from UC San Diego § Thesis focused on mobile agent security
2
![Page 3: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/3.jpg)
§ Ph.D. student in Computer Science at UC Berkeley (Security research group)
§ B.S. from University of Virginia § Research interest in improving mobile phone security
§ Recently presented at MobiSys 2011 on vulnerabili@es stemming from inter-‐applica@on communica@on in Android
![Page 4: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/4.jpg)
§ Introduc@on to Google Android § Seven Ways to Hang Yourself § Results of Empirical Analysis § Conclusion
4
![Page 5: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/5.jpg)
GOOGLE ANDROID Introduc)on to
![Page 6: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/6.jpg)
§ Android architecture § Security model § Applica@on breakdown § Android manifest § Inter-‐component communica@on
6
![Page 7: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/7.jpg)
§ Applica@ons § Applica@on framework (SDK) § Dalvik virtual machine
– Customized bytecode (.dex files) § Na@ve libraries
– Graphics, database management, browser, etc. – Accessed through Java interfaces
§ Linux kernel – Device drivers, memory management, etc.
7
Lower
Higher
![Page 8: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/8.jpg)
§ Applica@ons have unique UIDs – Run as separate processes on separate VMs – Typically cannot read each other’s data and code
§ Linux-‐style file permissions § Android permissions protect
– Access to sensi@ve APIs – Access to content providers – Inter-‐ and intra-‐applica@on communica@on
8
![Page 9: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/9.jpg)
§ Applica@ons are divided into components § 4 types of components
– Ac@vi@es – Services – Broadcast Receivers – Content Providers
![Page 10: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/10.jpg)
Each applica@on contains a manifest
10
<manifest ...> <application> <activity android:name=“.MyActivity”>...</activity> <receiver android:name=“.MyReceiver”>...</receiver> </application> <uses-sdk android:minSdkVersion=“8” /> <uses-feature android:name=“android.hardware.CAMERA”/> <uses-permission android:name=“android.permission.INTERNET” /> <uses-permission android:name=“android.permission.CAMERA” /> <permission android:name=“com.emc.NewPermission” /> </manifest>
![Page 11: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/11.jpg)
§ Uses Intents (messages) § Intents can be sent between components
– Used for both intra-‐ and inter-‐applica@on communica@on
– Event no@fica@ons (including system events)
11
Sender Receiver
Intent
![Page 12: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/12.jpg)
§ Exact recipient is specified
12
Yelp Map App
Name: MapAc@vity
To: MapAc@vity
Only the specified des@na@on receives this message
![Page 13: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/13.jpg)
§ LeH up to the plaeorm to decide where it should be delivered
13
Yelp
Clock App
Map App
Handles Ac@on: VIEW
Implicit Intent Ac@on: VIEW
![Page 14: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/14.jpg)
14
Yelp
Browser App
Map App
Handles Ac@on: VIEW
Handles Ac@on: VIEW
Implicit Intent Ac@on: VIEW
![Page 15: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/15.jpg)
§ Components can be made accessible to other applica@ons (exported) or be made private
§ Components can be protected by permissions
15
![Page 16: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/16.jpg)
16
Displays Picture
Retrieves Picture
Requires RETRIEVE Permission
App 1
Has RETRIEVE Permission
App 2
Takes Picture
Requires CAMERA Permission
![Page 17: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/17.jpg)
GOOGLE ANDROID Seven Ways to Hang Yourself with
![Page 18: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/18.jpg)
1. Intent Spoofing 2. Query String Injec@on 3. Unauthorized Intent Receipt 4. Persistent Messages: S@cky Broadcasts 5. Insecure Storage 6. Insecure Communica@on 7. Overprivileged Applica@ons
![Page 19: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/19.jpg)
§ AFack: Malicious app sends an Intent, resul@ng in data injec@on/state change
§ Arises when components are public and do not require senders to have strong permissions
<receiver android:name=“my.special.receiver”> <intent-filter> <action android:name=“my.intent.action” /> </intent-filter> </receiver>
![Page 20: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/20.jpg)
20
Malicious Component
Results UI
IMDb App
Handles Ac@on: willUpdateShow?mes, show?mesNoLoca?onError
Ac@on: show?mesNoLoca?onError
Malicious Injec)on App
Receiving Implicit Intents makes the component public
![Page 21: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/21.jpg)
21 Typical case
AFack case
![Page 22: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/22.jpg)
<receiver android:name=“my.special.receiver” android:exported=false> ... </receiver>
or <receiver android:name=“my.special.receiver” android:exported=true android:permission=“my.own.permission”> ... </receiver>
![Page 23: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/23.jpg)
§ Unlike SQL injec@on, SQLite string injec@on allows malicious users to view unauthorized records, but not to alter the database
§ Query string injec@on occurs when: 1. Data enters a program from an untrusted source 2. The data is used to dynamically construct a
SQLite query string
![Page 24: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/24.jpg)
c = invoicesDB.query( Uri.parse(invoices), columns, "productCategory = '" + productCategory + "' and customerID = '" + customerID + "'", null, null, null, "'" + sortColumn + "'asc", null );
![Page 25: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/25.jpg)
select * from invoices where productCategory = 'Fax Machines' and
customerID = '12345678' order by 'price' asc
productCategory = “Fax Machines” customerID = “12345678” sortColumn = “price”
Returns invoice records for ONE customer
![Page 26: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/26.jpg)
select * from invoices where productCategory = ‘Fax Machines’ or
productCategory = "' and customerID = '12345678' order by '"
order by 'price' asc
productCategory = “Fax Machines’ or productCategory = \ “” customerID = “12345678” sortColumn = “\” order by ‘price”
Returns invoice records for ALL customers
![Page 27: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/27.jpg)
c = invoicesDB.query( Uri.parse(invoices),
columns, "productCategory = ? and customerID = ?",
{productCategory, customerID},
null, null,
"'" sortColumn + "'asc", null );
Use parameterized queries!!!
![Page 28: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/28.jpg)
§ AFack: Malicious app intercepts an Intent § Arises when Intents are implicit (public) and do not require receiving components to have strong permissions
§ Can leak sensi@ve program data and/or change control flow
Intent i = new Intent(); i.setAction(“my.special.action”); [startActivity|sendBroadcast|startService](i);
![Page 29: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/29.jpg)
29
Show@me Search
Results UI
IMDb App
Handles Ac@ons: willUpdateShow?mes, show?mesNoLoca?onError
Implicit Intent Ac@on: willUpdateShow?mes
![Page 30: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/30.jpg)
30
![Page 31: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/31.jpg)
31
Show@me Search
Results UI
IMDb App
Handles Ac@ons: willUpdateShow?mes, show?mesNoLoca?onError
Implicit Intent Ac@on: willUpdateShow?mes
![Page 32: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/32.jpg)
32
Show@me Search
Malicious Receiver
IMDb App
Handles Ac@on: willUpdateShow?mes, show?mesNoLoca?onError
Implicit Intent Ac@on: willUpdateShow?mes
Eavesdropping App
Sending Implicit Intents makes communica@on public
![Page 33: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/33.jpg)
Intent i = new Intent(); i.setClassName(“some.pkg.name”, “some.pkg.name.TestDestination”);
or
Intent i = new Intent(); i.setAction(“my.special.action”); sendBroadcast(i, “my.special.permission”);
![Page 34: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/34.jpg)
§ Broadcast Intent – One-‐to-‐many message – Delivered to all components registered to receive them
§ “S@cky” Broadcast Intents are broadcasts that persist – Remain accessible aHer they are delivered – Re-‐broadcast to future Receivers
![Page 35: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/35.jpg)
§ Cannot be restricted to a certain set of receivers (cannot require a receiver to have a permission)
§ Accessible to any receiver, including malicious receivers
§ Can compromise sensi@ve program data § Stays around aHer it has been sent
– But anyone with BROADCAST_STICKY permission can remove a s@cky Intent you create
![Page 36: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/36.jpg)
36
Requests BROADCAST_STICKY Permission
S@cky broadcasts: Malicious App
Newly connected receiver will be unaware of the change
S@cky broadcast 1
S@cky broadcast 2
S@cky broadcast 3
Vic@m app
?
Receiver (expects s@cky broadcast 2)
![Page 37: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/37.jpg)
§ Use regular broadcasts protected by the receiver permission instead, if possible
§ Thoroughly scru@nize data in broadcasted messages
![Page 38: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/38.jpg)
§ Files on the SD Card are world-‐readable § Files stay even aHer applica@on that wrote them is uninstalled
§ Can compromise sensi@ve program data – Passwords – Loca@on – SMS – Etc.
![Page 39: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/39.jpg)
§ Skype for Android exposes your name, phone number, chat logs and more
§ Ci@bank iPhone app “accidentally” saved account numbers, bill payments and security access codes in a secret file
§ iPhone loca@on file contains informa@on about your loca@on
![Page 40: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/40.jpg)
§ Write to an applica@on’s SQLite database § Write to the device’s internal storage and use Context.MODE_PRIVATE
![Page 41: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/41.jpg)
§ Be careful of leaking sensi@ve data through HTTP connec@ons
§ When using WebViews, connect to HTTPS when possible
§ Treat your mobile app as you would a web app
§ Don’t send passwords in the clear
![Page 42: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/42.jpg)
§ TwiFer: Tweets are sent in the clear § Google Calendar: Calendar traffic is sent in the clear
§ Facebook: Despite having a fully encrypted traffic op@on on the web app, the mobile app sends everything in the clear
Courtesy: hFps://freedom-‐to-‐@nker.com/blog/dwallach/things-‐overheard-‐wifi-‐my-‐android-‐smartphone
![Page 43: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/43.jpg)
§ Overprivileged applica@ons – applica@ons that request more permissions than the app actually requires
![Page 44: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/44.jpg)
§ Violates the principle of least privilege § Any vulnerability may give the aFacker that privilege
§ Users may get accustomed to seeing and accep@ng unnecessary permission requests from third party applica@ons
![Page 45: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/45.jpg)
§ Common causes – Confusing permission names – Tes@ng ar@facts – Using depu@es – Error propaga@on through message board advice – Related methods
![Page 46: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/46.jpg)
46
Wants Picture Takes Picture
App 1
Handles Ac@on: IMAGE_CAPTURE
Implicit Intent Ac@on: IMAGE_CAPTURE
Camera App
Do not need CAMERA permission
Needs CAMERA permission
![Page 47: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/47.jpg)
GOOGLE ANDROID
Empirical Results Analyzing Applica)ons Built on
![Page 48: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/48.jpg)
Vulnerability Type % of Apps that are Vulnerable
Intent Spoofing 40%
Unauthorized Intent Receipt 50%
Overprivileged Applica@ons 31%
![Page 49: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/49.jpg)
§ Obtaining applica@on source code – Dedexers available fail to generate valid Java – Many applica@ons are not open source
§ Coding conven@ons – Callbacks and other implicit control flow are a challenge for tradi@onal sta@c analysis techniques
§ Documenta@on – Google provides liFle documenta@on, which is oHen incomplete or out-‐of-‐date
![Page 50: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/50.jpg)
§ Analysis of overprivileged applica@ons showed that: – Android 2.2 documents permission requirements for only 78 out of 1207 API calls
– 6 out of 78 are incorrect – 1 of the documented permissions does not exist
![Page 51: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/51.jpg)
§ Of the 7 vulnerabili@es presented: – 5 vulnerability categories currently can be iden@fied by For@fy’s SCA tools
– 4 vulnerability categories currently can be iden@fied by UC Berkeley’s tools
– 6 categories will be integrated into the current tools
![Page 52: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/52.jpg)
§ Adrienne Porter Felt, David Wagner, UC Berkeley [’11] -‐ Overprivilege
§ Will Enck, Penn State [’09] – informa@on leakage through Broadcast Intents
§ Jesse Burns [’09] – other common developers’ errors
§ Dan Wallach – WiFi leaks
![Page 53: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/53.jpg)
§ Android has its own set of security piealls § Sta@c analysis can help developers avoid these problems
§ UC Berkeley and For@fy are working to incorporate state-‐of-‐the-‐art sta@c analysis into For@fy’s tools
![Page 54: Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid%...Seven%Ways%to%% Hang%%Yourself%with%% GoogleAndroid% Yekaterina Tsipenyuk O'Neil Principal Security Researcher Erika Chin Ph.D](https://reader035.vdocuments.us/reader035/viewer/2022062918/5edecdbcad6a402d666a27f2/html5/thumbnails/54.jpg)
Seven Ways to Hang Yourself with Google Android
Yekaterina Tsipenyuk O'Neil
Principal Security Researcher
Erika Chin
Ph.D. Student at UC Berkeley