TBD Android Security and Privacy #2 Prabhaker Mateti

Post on 26-Dec-2015

Page 1: TBD Android Security and Privacy #2 Prabhaker Mateti

TBD Android Security and Privacy #2

Prabhaker Mateti

Page 2:

Android Security 2

TBD

• Mix of slides from various sources
• TBD Properly merge

Mateti

Page 3:

Android Security Policy

• Android focuses on Inter Component Communication (ICC)
• AndroidManifest.xml can define an access control policy
– Each component can be assigned an access permission label
– Each application requests a list of permission labels (fixed at install)

Page 4:

Public and Private Components

• Components can be public or private. Default is dependent on "intent-filter" rules.
• Components may unknowingly become accessible to other applications.
• <activity android:name="…" android:exported="false" />

Page 5:

Manifest

• If the manifest file does not specify an access permission on a public component, any component in any application can access it.
• Components without access permissions should be exceptional cases, and inputs must be scrutinized (consider splitting components).
• <receiver … android:permission=…> … </receiver>

Page 6:

Intent

• The code broadcasting an Intent can set an access permission restricting which Broadcast Receivers can access the Intent.
• Always specify an access permission on Intent broadcasts (unless explicit destination).

Page 7:

• PendingIntent objects allow another application to "finish" an operation for you via RPC. Execution occurs in the originating application's "process" space.
– Used in a number of system APIs (Alarm, Location, Notification)
• Implication: The remote application can fill in unspecified values. May influence the destination and/or data integrity. Allows a form of delegation.
• Best Practice: Only use Pending Intents as "delayed callbacks" to private Broadcast Receivers/Activities and always fully specify the Intent destination.

Page 8:

• Content Providers have two additional security features
– Separate "read" and "write" access permission labels
– URI permissions allow record level delegation

Page 9:

• A component (e.g., Service) may arbitrarily invoke the checkPermission() method to enforce ICC. You can add reference monitor hooks.

Page 10:

• The system uses permission labels to mediate access to certain resource APIs.
– android.permission.INTERNET label

Page 11:

• Permission requests are not always granted.
– normal - always granted
– dangerous - requires user approval
– signature - matching signature key
– signature or system - same as signature, but also system apps
• Users may not understand implications when explicitly granting permissions.
• Use signature permissions for application "suites" and dangerous permissions otherwise
– Include informative descriptions

Page 12:

• Relatively straightforward model with policy defined in the manifest file ... but many exceptions
• Some thought is needed to avoid ...
– "Spoofing" Intent messages (FriendReceiver)
– Privacy leaks (e.g., FRIEND_NEAR broadcast)
• The policy expands into the code
– Broadcast permissions, checkPermission(), etc.
• Keeping malicious applications from acquiring permissions is tricky

Page 13:

Install-time Verification

• Android does not have a way to holistically evaluate system and application policy or specify security goals. For example, to evaluate if the system and installed applications fulfill some security requirement.
– Will granting a permission break the phone's security?
• Kirin - enhanced installer http://siis.cse.psu.edu
– Extracts policy from the manifest files of all applications
– Uses Prolog to generate automated proofs of compliance of provided "policy invariants"
– Evaluation performed at install-time, and therefore does not impact runtime performance
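An added example, not from the slides and not Kirin's own code: a small C model of the install-time check described above. Permission labels extracted from each manifest are matched against policy invariants over the whole set of installed applications; the permission names are real Android labels, but the bit assignment, the two invariants and the sample applications are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Permission labels as bits. The names are real Android permissions; the
 * bit assignment is this example's own. */
enum {
    P_INTERNET               = 1u << 0,  /* android.permission.INTERNET */
    P_RECORD_AUDIO           = 1u << 1,
    P_READ_PHONE_STATE       = 1u << 2,
    P_ACCESS_FINE_LOCATION   = 1u << 3,
    P_RECEIVE_BOOT_COMPLETED = 1u << 4
};

/* What the installer extracts from one AndroidManifest.xml: the requested
 * labels and an optional sharedUserId. */
typedef struct { const char *name; const char *shared_uid; uint32_t perms; } app_policy;

/* A policy invariant in the spirit of Kirin: no application may hold every
 * label in all_of at once. These two rules are constructed for the example. */
typedef struct { const char *desc; uint32_t all_of; } invariant;

static const invariant RULES[] = {
    { "record audio + read phone state + Internet",
      P_RECORD_AUDIO | P_READ_PHONE_STATE | P_INTERNET },
    { "fine location + Internet + start at boot",
      P_ACCESS_FINE_LOCATION | P_INTERNET | P_RECEIVE_BOOT_COMPLETED },
};
#define N_RULES (sizeof RULES / sizeof RULES[0])

/* Index of the first invariant a permission set violates, or -1 if none. */
int first_violated_rule(uint32_t perms) {
    for (size_t i = 0; i < N_RULES; i++)
        if ((perms & RULES[i].all_of) == RULES[i].all_of) return (int)i;
    return -1;
}

/* Permissions are granted per Linux UID, so apps that declare the same
 * sharedUserId pool their labels; the invariant must hold for the pool. */
uint32_t effective_perms(const app_policy *installed, size_t n, const app_policy *cand) {
    uint32_t perms = cand->perms;
    if (cand->shared_uid == NULL) return perms;
    for (size_t i = 0; i < n; i++)
        if (installed[i].shared_uid && strcmp(installed[i].shared_uid, cand->shared_uid) == 0)
            perms |= installed[i].perms;
    return perms;
}

/* Install-time decision over the whole system: -1 = allow, else rule index. */
int install_check(const app_policy *installed, size_t n, const app_policy *cand) {
    return first_violated_rule(effective_perms(installed, n, cand));
}

/* Constructed scenario: one installed app in a "suite" sharing a UID, then
 * three candidates. Returns how many candidates the installer rejects. */
int sample_rejections(void) {
    app_policy installed[] = {
        { "com.example.dialer", "com.example.suite", P_READ_PHONE_STATE },
    };
    app_policy cands[] = {
        { "com.example.notes",    NULL, P_INTERNET },
        { "com.example.recorder", NULL, P_RECORD_AUDIO | P_READ_PHONE_STATE | P_INTERNET },
        /* alone this app is fine; pooled with the dialer it breaks rule 0 */
        { "com.example.voip", "com.example.suite", P_RECORD_AUDIO | P_INTERNET },
    };
    int rejected = 0;
    for (size_t i = 0; i < 3; i++) {
        int r = install_check(installed, 1, &cands[i]);
        printf("%-22s %s\n", cands[i].name, r < 0 ? "allowed" : RULES[r].desc);
        if (r >= 0) rejected++;
    }
    return rejected;
}

int main(void) { printf("rejected: %d\n", sample_rejections()); return 0; }
```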

Page 14:

Vulnerability Study of the Android

Ryan Selley, Swapnil Shinde, Michael Tanner, Madhura Tipnis, Colin Vinson

(Group 8)

Page 15:

Security Architecture - Overview

Page 16:

Scope of Vulnerabilities

• Refinements to MAC Model
– Delegation
– Public and Private Components
– Provision - No Security Access to Public Elements
– Permission Granting Using User's Confirmation
• Solutions ???
• Precautions by Developers
• Special Tools for Users

Page 17:

Known Vulnerabilities

– Image Vulnerabilities
• GIF
• PNG
• BMP
– Web Browser

Page 18:

GIF Image Vulnerability

– Decode function uses logical screen width and height to allocate heap
– Data is calculated using actual screen width and height
– Can overflow the heap buffer, allowing a hacker to control the phone
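An added example, not from the slides and not the Android GIF decoder's code: a C sketch of the check the vulnerable decoder lacked. The canvas is allocated from the logical screen size, and every frame's own descriptor is verified to fit inside that canvas before its pixels are copied; the struct names and the 4x4 sample are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Logical Screen Descriptor: the canvas the decoder allocates from. */
typedef struct { uint16_t width, height; } gif_screen;
/* Image Descriptor: placement and size of one frame's own pixel data. */
typedef struct { uint16_t left, top, width, height; } gif_frame;

/* Returns 1 only if the frame lies entirely inside the canvas. The sums are
 * computed in 32 bits so left+width cannot wrap around for 16-bit fields. */
int gif_frame_fits(uint16_t sw, uint16_t sh,
                   uint16_t left, uint16_t top, uint16_t w, uint16_t h) {
    uint32_t right = (uint32_t)left + w, bottom = (uint32_t)top + h;
    return w > 0 && h > 0 && right <= sw && bottom <= sh;
}

/* Allocate the canvas from the logical screen size, one byte per pixel
 * (colour index). Returns NULL for an empty canvas or on allocation failure. */
uint8_t *gif_alloc_canvas(const gif_screen *s) {
    if (s->width == 0 || s->height == 0) return NULL;
    return calloc((size_t)s->width * s->height, 1);
}

/* Copy one frame's pixels into the canvas. The vulnerable decoder on the
 * slide skipped the fit check and wrote frame_w * frame_h bytes into a
 * buffer sized by the (possibly smaller) logical screen. */
int gif_blit_frame(uint8_t *canvas, const gif_screen *s,
                   const gif_frame *f, const uint8_t *pixels) {
    if (!gif_frame_fits(s->width, s->height, f->left, f->top, f->width, f->height))
        return -1;                          /* reject the frame, keep the heap intact */
    for (uint16_t y = 0; y < f->height; y++)
        memcpy(canvas + (size_t)(f->top + y) * s->width + f->left,
               pixels + (size_t)y * f->width, f->width);
    return 0;
}

/* Constructed sample: a 4x4 logical screen, one 2x2 frame that fits and one
 * whose descriptor claims 8x8. Returns how many frames were accepted, or -1
 * if the accepted frame did not land where it should. */
int gif_sample_frames_accepted(void) {
    gif_screen s = { 4, 4 };
    gif_frame ok = { 1, 1, 2, 2 }, bad = { 0, 0, 8, 8 };
    uint8_t px_ok[4] = { 1, 2, 3, 4 };
    uint8_t px_bad[64];
    memset(px_bad, 7, sizeof px_bad);
    uint8_t *canvas = gif_alloc_canvas(&s);
    if (!canvas) return -1;
    int accepted = 0;
    if (gif_blit_frame(canvas, &s, &ok, px_ok) == 0) accepted++;
    if (gif_blit_frame(canvas, &s, &bad, px_bad) == 0) accepted++;
    int placed = canvas[1 * 4 + 1] == 1 && canvas[2 * 4 + 2] == 4;
    free(canvas);
    return placed ? accepted : -1;
}

int main(void) {
    printf("frames accepted: %d\n", gif_sample_frames_accepted());
    return 0;
}
```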

Page 19:

PNG Image Vulnerability

– Uses an old libpng file
– This file can allow hackers to cause a Denial of Service (crash)

Page 20:

BMP Image Vulnerability

– Negative offset integer overflow
– Offset field in the image header used to allocate a palette
– With a carefully chosen negative value, an address in the process can be overwritten, redirecting control flow
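An added example, not from the slides and not the real decoder's code: the pixel-data offset is read as an unsigned 32-bit field and bounded from both sides before the palette size is derived from it, so a value with the sign bit set (a "negative" offset to a signed decoder) is rejected rather than wrapped. The 14- and 40-byte header sizes are those of BITMAPFILEHEADER and BITMAPINFOHEADER; the sample headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BMP_FILE_HEADER_SIZE   14u         /* BITMAPFILEHEADER */
#define BMP_INFO_HEADER_SIZE   40u         /* BITMAPINFOHEADER */
#define BMP_MAX_PALETTE_BYTES  (256u * 4u) /* 8-bit images: 256 BGRA entries */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The decoder on the slide derived the palette size as (offset - headers)
 * from a signed offset, so a negative bfOffBits gave a wrapped size. Here
 * the field stays unsigned and is bounded from both sides. Returns the
 * palette byte count, or -1 if the offset cannot be honoured. */
int64_t bmp_palette_bytes(uint32_t off_bits, size_t file_size) {
    const uint32_t headers = BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE;
    if (off_bits < headers) return -1;       /* pixel data would start inside the headers */
    if (off_bits > file_size) return -1;     /* also catches "negative" (top bit set) values */
    uint32_t pal = off_bits - headers;       /* cannot underflow after the first check */
    if (pal > BMP_MAX_PALETTE_BYTES || pal % 4 != 0) return -1;
    return (int64_t)pal;
}

/* Read bfOffBits (bytes 10..13) from a buffer that must hold both headers.
 * Returns the raw offset, or -1 if the buffer is short or not a BMP. */
int64_t bmp_read_off_bits(const uint8_t *buf, size_t buf_len) {
    if (buf_len < BMP_FILE_HEADER_SIZE + BMP_INFO_HEADER_SIZE) return -1;
    if (buf[0] != 'B' || buf[1] != 'M') return -1;
    return (int64_t)rd_le32(buf + 10);
}

/* Build a constructed 54-byte header pair with the given bfSize and
 * bfOffBits; other info-header fields are left zero for brevity. */
void bmp_make_header(uint8_t *buf, uint32_t size, uint32_t off_bits) {
    memset(buf, 0, 54);
    buf[0] = 'B'; buf[1] = 'M';
    for (int i = 0; i < 4; i++) {
        buf[2 + i]  = (uint8_t)(size >> (8 * i));
        buf[10 + i] = (uint8_t)(off_bits >> (8 * i));
    }
    buf[14] = BMP_INFO_HEADER_SIZE;          /* biSize */
}

/* Constructed sample: a sane 8-bit header with a 1024-byte palette, and one
 * whose bfOffBits has the sign bit set (-16 as int32). Returns 1 if the
 * first is accepted with the right palette size and the second rejected. */
int bmp_sample_check(void) {
    uint8_t good[54], bad[54];
    const size_t good_size = 54 + 1024 + 16;
    bmp_make_header(good, (uint32_t)good_size, 54 + 1024);
    bmp_make_header(bad, 4096, 0xFFFFFFF0u);
    int64_t g = bmp_read_off_bits(good, sizeof good);
    int64_t b = bmp_read_off_bits(bad, sizeof bad);
    if (g < 0 || b < 0) return 0;
    return bmp_palette_bytes((uint32_t)g, good_size) == 1024 &&
           bmp_palette_bytes((uint32_t)b, 4096) == -1;
}

int main(void) {
    printf("bmp sample check: %d\n", bmp_sample_check());
    return 0;
}
```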

Page 21:

Web Browser Vulnerability

– Vulnerability is in the multimedia subsystem made by PacketVideo
– Due to insufficient boundary checking when playing back an MP3 file, it is possible to corrupt the process's heap and execute arbitrary code on the device
– Can allow a hacker to see data saved on the phone by the web browser and to peek at ongoing traffic
– Confined to the "sandbox"

Page 22:

General Mobile Phone Vulnerabilities

– GSM
• SMS
• MMS
– CDMA
– Bluetooth
– Wireless vulnerabilities

Page 23:

GSM Vulnerabilities

– GSM
• Largest mobile network in the world
• 3.8 billion phones on network
– David Hulton and Steve Muller
• Developed method to quickly crack GSM encryption
• Can crack encryption in under 30 seconds
• Allows for undetectable eavesdropping
– Similar exploits available for CDMA phones

Page 24:

SMS Vulnerabilities

– SMS
• Short Messaging System
• Very commonly used protocol
• Used to send "Text Messages"
– GSM uses 2 signal bands, 1 for "control", the other for "data".
– SMS operates entirely on the "control" band.
– High volume text messaging can disable the "control" band, which also disables voice calls.
– Can render entire city 911 services unresponsive.

Page 25:

MMS Vulnerabilities

– MMS
• Insecure data protocol for GSM
• Extends SMS, allows for WAP connectivity
– Exploit of MMS can drain battery 22x faster
• Multiple UDP requests are sent concurrently, draining the battery as it responds to the requests
– Does not expose data
– Does make phone useless

Page 26:

Bluetooth Vulnerabilities

– Bluetooth
• Short range wireless communication protocol
• Used in many personal electronic devices
• Requires no authentication
– An attacker, if close enough, could take over the Bluetooth device.
– The attacker would have access to all data on the Bluetooth enabled device
– Practice known as bluesnarfing

Page 27:

Hackers for Android

– Hackers make Android stronger
– White hats want to plug holes
– Example
• Browser Threat reported by Independent Security Evaluators
• Jailbreak hole fixed by Google over-the-air

Page 28:

Securing a mobile platform from the ground up

Rich Cannings <[email protected]>
Alex Stamos <[email protected]>

Page 29:

Overview

• Why care about mobile security?
• What is Android?
• How do I develop on Android?
o Android Market
• What about Security?
o Cornerstones of Android security: Prevention, Minimization, Detection, Reaction

Page 30:

Overview

Page 31:

Some Statistics

• 6.77 billion people [1]
• 1.48 billion Internet enabled PCs [2]
• 4.10 billion mobile phones [1]
• Mobile phone replacement rate
o 12-18 month average [3]
o 1.1 billion mobile phones are purchased per year [4]
o 13.5% of mobile phone sales are smartphones [5]
• The number of smartphones will soon compare with the number of Internet enabled PCs

[1] http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use (based on The World Factbook)
[2] http://www.itu.int/ITU-D/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1
[3]
[4] http://www.infonetics.com/pr/2009/2h08-mobile-wifi-phones-market-research-highlights.asp
[5] http://www.gartner.com/it/page.jsp?id=985912

Page 32:

Mobile Security is Getting Interesting

• Desktop analysis techniques are increasingly useful on smartphones
• Mobile networks can now be easily manipulated
o From phones: Miller, Lackey, Miras at BlackHat 2009
o From false base stations: http://openbts.sourceforge.net/

Page 33:

Mobile Security Matures

Page 34:

Mobile Security Matures

We are now seeing attacks against all layers of mobile infrastructure:

• Applications
• Platform
• OS
• Baseband
• Network

Mobile devices must be treated as fully fledged computers.

Do not assume they are "special".

Page 35:

Overview

Page 36:

The Android Platform

• Free, open source mobile platform
o Source code at http://source.android.com
• Any handset manufacturer or hobbyist can install
• Any developer can use
o SDK at http://developer.android.com
• Empower users and developers

Page 37:

The Android Technology Stack

• Linux kernel
• Relies upon 90+ open source libraries
o Integrated WebKit based browser
o SQLite for structured data storage
o OpenSSL
o BouncyCastle
o libc based on OpenBSD
o Apache Harmony
o Apache HttpClient
• Supports common sound, video and image codecs
• API support for handset I/O
o Bluetooth, EDGE, 3G, wifi
o Camera, Video, GPS, compass, accelerometer, sound, vibrator

Page 38:

Overview

Page 39:

Android Development

Page 40:

Android Development

Page 41:

Android Development

• Java applications are composed of:
o Activities
- Visual user interface for one focused endeavor
o Services
- Runs in the background for an indefinite period of time
• Intents
o Asynchronous messaging
o URL dispatching on steroids
o Glues many Activities and Services together to make an application
o Provides interactivity between applications

Page 42:

Example Email Application

Page 43:

Application Lifecycle

Page 44:

Application Lifecycle

Page 45:

Application Lifecycle

Page 46:

Application Lifecycle

Page 47:

Application Lifecycle

• Designed to protect battery life
• Activities live on a stack
• Background activities can be killed at any moment
• The platform makes it easy for developers to code applications that are killed at any moment without losing state
o Helps with DoS issues

Page 48:

Android Market

• Connects developers with users
• Darwinian environment
o Good applications excel
o Bad applications forgotten
• ~10,000 applications on Market
• Balance of openness and security
o Not the only way to install apps
o Not a walled garden
• Developers self-sign applications
o For updating
o Uses Java's keytool and jarsigner

Page 49:

Application Signing

Why self signing?
• Market ties identity to developer account
• CAs have had major problems with fidelity in the past
• No applications are trusted. No "magic key"

What does signing determine?
• Shared UID for shared keys
• Self-updates

Page 50:

Overview

Page 51:

Security Philosophy

• Finite time and resources
• Humans have difficulty understanding risk
• Safer to assume that
o Most developers do not understand security
o Most users do not understand security
• Security philosophy cornerstones
o Need to prevent security breaches from occurring
o Need to minimize the impact of a security breach
o Need to detect vulnerabilities and security breaches
o Need to react to vulnerabilities and security breaches swiftly

Page 52:

Prevent

• 5 million new lines of code
• Uses almost 100 open source libraries
• Android is open source ⇒ can't rely on obscurity
• Teamed up with security experts from
o Google Security Team
o iSEC Partners
o n.runs
• Concentrated on high risk areas
o Remote attacks
o Media codecs
o New/custom security features
• Low-effort/high-benefit features
o ProPolice stack overflow protection
o Heap protection in dlmalloc

Page 53:

dlmalloc

• Heap consolidation attack
• Allocation meta-data is stored in band
• Heap overflow can perform 2 arbitrary pointer overwrites
• To fix, check:
o b->fd->bk == b
o b->bk->fd == b
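An added example, not dlmalloc's own code: a minimal free-list chunk with in-band fd/bk pointers and an unlink that applies the two checks from the slide before it writes anything, so a chunk whose neighbours do not point back at it is refused instead of unlinked. The scenario at the end is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* A free chunk as dlmalloc lays it out: the list pointers live in band,
 * right after the size word, inside the freed memory itself. */
typedef struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk in the bin */
    struct chunk *bk;   /* previous free chunk in the bin */
} chunk;

/* The two checks from the slide: both neighbours must point back at b.
 * An overflow that rewrote fd or bk with a foreign address fails here. */
int chunk_links_consistent(const chunk *b) {
    return b->fd != NULL && b->bk != NULL && b->fd->bk == b && b->bk->fd == b;
}

/* Unlink b from its bin. The unchecked version is just the two stores
 * below, which is why a corrupted fd/bk pair yields two attacker-chosen
 * pointer writes; here the stores only happen once the links are verified.
 * Returns 0 on success, -1 (list untouched) if the chunk looks corrupted. */
int chunk_unlink(chunk *b) {
    if (!chunk_links_consistent(b)) return -1;
    b->fd->bk = b->bk;
    b->bk->fd = b->fd;
    b->fd = b->bk = NULL;
    return 0;
}

void chunk_list_init(chunk *head) { head->size = 0; head->fd = head->bk = head; }

/* Insert b right after head in a circular doubly linked bin. */
void chunk_insert_after(chunk *head, chunk *b) {
    b->fd = head->fd;
    b->bk = head;
    head->fd->bk = b;
    head->fd = b;
}

size_t chunk_list_len(const chunk *head) {
    size_t n = 0;
    for (const chunk *c = head->fd; c != head; c = c->fd) n++;
    return n;
}

/* Constructed scenario: three chunks in a bin, one clean unlink, then an
 * overflow that rewrote a's fd pointer. Returns 1 if the clean unlink went
 * through and the corrupted one was refused. */
int unlink_check_scenario(void) {
    chunk head, a = { 32, NULL, NULL }, b = { 48, NULL, NULL }, c = { 64, NULL, NULL };
    chunk rogue = { 0, NULL, NULL };       /* where the bogus fd now points */
    chunk_list_init(&head);
    chunk_insert_after(&head, &a);
    chunk_insert_after(&head, &b);
    chunk_insert_after(&head, &c);
    if (chunk_list_len(&head) != 3 || chunk_unlink(&b) != 0) return 0;
    if (chunk_list_len(&head) != 2) return 0;
    a.fd = &rogue;                          /* simulated heap overflow */
    return chunk_unlink(&a) == -1;          /* rogue.bk != &a: refused */
}

int main(void) {
    printf("checked unlink behaved as expected: %d\n", unlink_check_scenario());
    return 0;
}
```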

Page 54:

WebKit Heap Overflow

Page 55:

Minimize

• We cannot rely on prevention alone
o Vulnerabilities happen
• Users will install malware
• Code will be buggy
• How can we minimize the impact of a security issue?
• My webmail cannot access my banking web app
o Same origin policy
• Why can malware access my browser? my banking info?
• Extend the web security model to the OS

Page 56:

Minimize

• Traditional operating system security
o Host based
o User separation
• Mobile OSes are for single users
• User separation is like a "same user policy"
• Running each application in its own UID is like a "same application policy"
o Privilege separation
• Make privilege separation relatively transparent to the developer

Page 57:

Application Sandbox

• Each application runs within its own UID and VM
• Default privilege separation model
• Instant security features
o Resource sharing
- CPU, Memory
o Data protection
- FS permissions
o Authenticated IPC
- Unix domain sockets
• Place access controls close to the resource, not in the VM

Page 58:

Application Sandbox

• Place access controls close to the resource
o Smaller perimeter ⇒ easier to protect
• Default Linux applications have too much power
• Lock down user access for a "default" application
• Fully locked down applications limit innovation
• Relying on users making correct security decisions is tricky

Page 59:

Permissions

• Whitelist model
1. Allow minimal access by default
2. Allow for user accepted access to resources
• Ask users fewer questions
• Make questions more understandable
• 194 permissions
o ⇒ More granularity
o ⇒ Less understandability

Page 60:

More Privilege Separation

• Media codecs are very complex ⇒ very insecure
• Won't find all the issues in media libraries
• Banish OpenCore media library to a lesser privileged process
o mediaserver
• Immediately paid off
o Charlie Miller reported a vulnerability in our MP3 parsing
o oCERT-2009-002

Page 61:

Detect

• A lesser-impact security issue is still a security issue
• Internal detection processes
o Developer education
o Code audits
o Fuzzing
o Honeypot
• Everyone wants security ⇒ allow everyone to detect issues
o Users
o Developers
o Security Researchers

Page 62:

External Reports

• Patrick McDaniel, William Enck, Machigar Ongtang
o Applied formal methods to access SMS and Dialer
• Charlie Miller, John Hering
o Outdated WebKit library with PCRE issue
• XDA Developers
o Safe mode lock screen bypass
• Charlie Miller, Collin Mulliner
o MP3, SMS fuzzing results
• Panasonic, Chris Palmer
o Permission regression bugs
• If you find a security issue, please email [email protected]

Page 63:

User Reporting

Page 64:

A User Report

• MemoryUp: mobile RAM optimizer
o faster, more stable, more responsive, less waiting time
o not quite

Page 65:

React

• Autoupdaters are the best security tool since Diffie-Hellman
• Every modern operating system should be responsible for:
o Automatically updating itself
o Providing a central update system for third-party applications
• Android's Over-The-Air update system (OTA)
o User interaction is optional
o No additional computer or cable is required
o Very high update rate

Page 66:

Shared UID Regression

• Shared UID feature
o Malware does not hurt computers, malware authors do
o Two applications signed with the same key ⇒ can share UIDs
o More interactivity
• Panasonic reported that shared UID was broken
o If the user installs malware, then the attacker could share UIDs with an existing installed app, like the browser
o Breaks Application Sandbox

Page 67:

Update Process

• 2009-05-14
o Panasonic reported the issue
o Patched the issue, wrote regression tests
• 2009-05-15
o Kicked off internal audit
o Built and tested every flavour of Android
o Coordinated a public response with the reporter, carriers, PR and oCERT
• 2009-05-21
o Received critical-mass approval
• 2009-05-22
o OTAed users, rolled out patches to factories, SDK, and open source
o Released advisory (oCERT-2009-006)

Page 68:

Not over yet!

• 2009-07-06
o Completed audit and tests
o Coordinated a public response with carriers, PR and oCERT
• 2009-07-15
o Received critical-mass approval
• 2009-07-16
o OTAed users, rolled out patches to factories, SDK, and open source
o Released advisory (oCERT-2009-011)

Page 69:

Conclusion

• Security
o an ongoing process
o not a checkbox
• Process
o Prevent
o Minimize
o Detect
o React

Page 70:

Questions?

• Want to contribute code?
o Visit http://source.android.com
o Add me as a code reviewer!
• Want to write an Android application?
o Visit http://developer.android.com
• Want to email us?
o Email [email protected] or [email protected]
o We are both hiring

Page 71:

References

• Found a security issue? Email [email protected]
• William Enck and Patrick McDaniel, Understanding Android's Security Framework, 2010, siis.cse.psu.edu/android-tutorial.html. Source code: android-sec-tutorial-src.tar.gz
• Ryan Selley, Swapnil Shinde, Michael Tanner, Madhura Tipnis, Colin Vinson, Vulnerability Study of the Android
• Jesse Burns, Mobile Application Security On Android, Black Hat 2009. www.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf
• Rich Cannings, Alex Stamos, Securing a mobile platform from the ground up