TBD Android Security and Privacy #2
Prabhaker Mateti
Android Security 2
TBD
• Mix of slides from various sources
• TBD: properly merge
Mateti
Android Security 3
Android Security Policy
• Android focuses on Inter Component Communication (ICC)
• AndroidManifest.xml can define an access control policy
  – Each component can be assigned an access permission label
  – Each application requests a list of permission labels (fixed at install)
Android Security 4
Public and Private Components
• Components can be public or private. The default depends on whether the component declares "intent-filter" rules.
• Components may unknowingly become accessible to other applications.
• <activity android:name="…" android:exported="false" />
Android Security 5
Manifest
• If the manifest file does not specify an access permission on a public component, any component in any application can access it.
• Components without access permissions should be exceptional cases, and inputs must be scrutinized (consider splitting components).
• <receiver … android:permission=…> … </receiver>
Android Security 6
Intent
• The code broadcasting an Intent can set an access permission restricting which Broadcast Receivers can access the Intent.
• Always specify an access permission on Intent broadcasts (unless explicit destination).
Android Security 7
• PendingIntent objects allow another application to "finish" an operation for you via RPC. Execution occurs in the originating application's "process" space.
  – Used in a number of system APIs (Alarm, Location, Notification)
• Implication: the remote application can fill in unspecified values, which may influence the destination and/or data integrity. This allows a form of delegation.
• Best practice: only use PendingIntents as "delayed callbacks" to private Broadcast Receivers/Activities, and always fully specify the Intent destination.
Android Security 8
• Content Providers have two additional security features
  – Separate "read" and "write" access permission labels
  – URI permissions allow record-level delegation
Android Security 9
• A component (e.g., a Service) may invoke the checkPermission() method at any point to enforce ICC policy, so you can add your own reference monitor hooks.
Android Security 10
• The system uses permission labels to mediate access to certain resource APIs.
  – android.permission.INTERNET label
Android Security 11
• Permission requests are not always granted.
  – normal - always granted
  – dangerous - requires user approval
  – signature - matching signature key
  – signature or system - same as signature, but also system apps
• Users may not understand the implications when explicitly granting permissions.
• Use signature permissions for application "suites" and dangerous permissions otherwise
  – Include informative descriptions
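The manifest policy from the preceding slides (permission labels on components, the public/private distinction, install-time grants by protection level, and the checkPermission() decision) can be written down as a small reference monitor. The following is an added example in plain C, not Android's own code and not from the slides: the apps, components, signing keys and the labels com.example.perm.FRIEND_NEAR, android.permission.INTERNET and android.permission.READ_SMS are constructed for illustration, and user approval of "dangerous" requests is a boolean parameter rather than a dialog.

```c
/* Added example: a simplified model of Android's manifest-driven ICC access
 * control. Not Android's code; all apps, keys and labels below are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABELS 8

/* Protection levels from the slide "Permission requests are not always granted". */
enum level { NORMAL, DANGEROUS, SIGNATURE, SIGNATURE_OR_SYSTEM };

struct perm_def { const char *label; enum level level; const char *definer_key; };

struct app {
    const char *name;
    const char *signing_key;             /* key the APK was self-signed with */
    bool is_system;
    const char *requested[MAX_LABELS];   /* labels listed in the manifest, fixed at install */
    const char *granted[MAX_LABELS];     /* labels the installer actually granted */
    int n_granted;
};

struct component {
    const char *owner;        /* app that declares the component */
    bool exported;            /* public (true) or private (false) */
    const char *permission;   /* required access permission label, or NULL for none */
};

static const struct perm_def *find_perm(const struct perm_def *table, int n, const char *label)
{
    for (int i = 0; i < n; i++)
        if (strcmp(table[i].label, label) == 0) return &table[i];
    return NULL;
}

/* Install-time grant decision for one requested label. user_approved stands in
 * for the user's confirmation of a "dangerous" request. */
static bool grant_at_install(const struct perm_def *def, const struct app *a, bool user_approved)
{
    if (!def) return false;                       /* unknown label: never granted */
    switch (def->level) {
    case NORMAL:    return true;
    case DANGEROUS: return user_approved;
    case SIGNATURE: return strcmp(def->definer_key, a->signing_key) == 0;
    case SIGNATURE_OR_SYSTEM:
        return a->is_system || strcmp(def->definer_key, a->signing_key) == 0;
    }
    return false;
}

void install(struct app *a, const struct perm_def *table, int n, bool user_approved)
{
    a->n_granted = 0;
    for (int i = 0; i < MAX_LABELS && a->requested[i]; i++)
        if (grant_at_install(find_perm(table, n, a->requested[i]), a, user_approved))
            a->granted[a->n_granted++] = a->requested[i];
}

bool holds_label(const struct app *a, const char *label)
{
    for (int i = 0; i < a->n_granted; i++)
        if (strcmp(a->granted[i], label) == 0) return true;
    return false;
}

/* Reference-monitor decision for one ICC call: may `caller` reach component `c`?
 * This is the question a checkPermission() hook or the system's ICC mediation asks. */
bool check_icc(const struct app *caller, const struct component *c)
{
    if (strcmp(caller->name, c->owner) == 0) return true;  /* same application */
    if (!c->exported) return false;                         /* private component */
    if (c->permission == NULL) return true;                 /* public and unlabelled: anyone */
    return holds_label(caller, c->permission);              /* public and labelled */
}

/* Constructed scenario: "tracker" defines a signature-level label and exports one
 * receiver protected by it; "suite" is signed with the same key, "other" is not. */
static const struct perm_def perm_table[] = {
    { "com.example.perm.FRIEND_NEAR", SIGNATURE, "key-dev-A" },
    { "android.permission.INTERNET",  NORMAL,    "key-platform" },
    { "android.permission.READ_SMS",  DANGEROUS, "key-platform" },
};
struct app tracker = { "tracker", "key-dev-A", false, { "android.permission.INTERNET" } };
struct app suite   = { "suite",   "key-dev-A", false, { "com.example.perm.FRIEND_NEAR" } };
struct app other   = { "other",   "key-dev-B", false,
                       { "com.example.perm.FRIEND_NEAR", "android.permission.READ_SMS" } };

const struct component friend_receiver  = { "tracker", true,  "com.example.perm.FRIEND_NEAR" };
const struct component open_receiver    = { "tracker", true,  NULL };
const struct component private_activity = { "tracker", false, NULL };

/* Install all three apps; the user approves every dangerous request. */
void setup(void)
{
    install(&tracker, perm_table, 3, true);
    install(&suite,   perm_table, 3, true);
    install(&other,   perm_table, 3, true);
}

int main(void)
{
    setup();
    printf("suite -> labelled receiver: %d\n", check_icc(&suite, &friend_receiver));  /* 1 */
    printf("other -> labelled receiver: %d\n", check_icc(&other, &friend_receiver));  /* 0 */
    printf("other -> open receiver:     %d\n", check_icc(&other, &open_receiver));    /* 1 */
    printf("other -> private activity:  %d\n", check_icc(&other, &private_activity)); /* 0 */
    return 0;
}
```

Note what the model makes visible: "other" requested FRIEND_NEAR but does not hold it after install, because the label is signature-level and the keys differ, so the labelled receiver is closed to it even though it is exported; the open receiver, having no label, is reachable by any caller, which is the "exceptional case" the Manifest slide warns about.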
Android Security 12
• Relatively straightforward model with policy defined in the manifest file ... but many exceptions
• Some thought is needed to avoid ...
  – "Spoofing" Intent messages (FriendReceiver)
  – Privacy leaks (e.g., FRIEND_NEAR broadcast)
• The policy expands into the code
  – Broadcast permissions, checkPermission(), etc.
• Keeping malicious applications from acquiring permissions is tricky
Android Security 13
Install-time Verification
• Android does not have a way to holistically evaluate system and application policy or to specify security goals, e.g. to evaluate whether the system and installed applications fulfill some security requirement.
  – Will granting a permission break the phone's security?
• Kirin - enhanced installer, http://siis.cse.psu.edu
  – Extracts policy from the manifest files of all applications
  – Uses Prolog to generate automated proofs of compliance with provided "policy invariants"
  – Evaluation is performed at install time, and therefore does not impact runtime performance
Vulnerability Study of the Android
Ryan Selley, Swapnil Shinde, Michael Tanner, Madhura Tipnis, Colin Vinson
(Group 8)
Android Security 15
Security Architecture - Overview
Android Security 16
Scope of Vulnerabilities
• Refinements to MAC Model
  – Delegation
  – Public and Private Components
  – Provision - No Security Access to Public Elements
  – Permission Granting Using User's Confirmation
• Solutions ???
• Precautions by Developers
• Special Tools for Users
Android Security 17
Known Vulnerabilities
– Image Vulnerabilities
  • GIF
  • PNG
  • BMP
– Web Browser
Android Security 18
GIF Image Vulnerability
– The decode function uses the logical screen width and height to allocate the heap buffer
– The data size is calculated using the actual width and height
– This can overflow the heap buffer, allowing a hacker to control the phone
Android Security 19
PNG Image Vulnerability
– Uses an old libpng file
– This file can allow hackers to cause a Denial of Service (crash)
Android Security 20
BMP Image Vulnerability
– Negative offset integer overflow
– The offset field in the image header is used to allocate a palette
– With a carefully chosen negative value, an attacker can overwrite an address in the process and redirect control flow
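Both the GIF and the BMP slides describe the same class of defect: a size or offset taken from an untrusted image header is used for an allocation or a copy without being checked against the buffer it will be used on. The following added example, written for this page and not taken from the slides or from any real decoder, shows the validation that closes each case: a GIF frame is accepted only if it lies inside the logical screen the canvas was allocated from, and a BMP pixel-data offset is read as unsigned and bounded before the palette size is derived from it. All header values are constructed.

```c
/* Added example, not the slides' or any real decoder's code: header checks
 * for the GIF and BMP defects described above. All header values are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* ---- GIF: the canvas is allocated from the logical screen descriptor, but frame
 * data is written using the image descriptor's own position and size. ---- */
struct gif_screen { uint16_t width, height; };
struct gif_frame  { uint16_t left, top, width, height; };

/* A frame may only be blitted if it lies entirely inside the logical screen.
 * Sums are formed in 32 bits so the 16-bit header fields cannot wrap. */
bool gif_frame_fits(const struct gif_screen *s, const struct gif_frame *f)
{
    uint32_t right  = (uint32_t)f->left + f->width;
    uint32_t bottom = (uint32_t)f->top  + f->height;
    return f->width > 0 && f->height > 0 && right <= s->width && bottom <= s->height;
}

/* Minimal decoder step: allocate the canvas from the logical screen (as the
 * vulnerable code did), but refuse the frame unless it fits. Returns NULL on
 * rejection; the caller owns the canvas. `pixels` holds width*height bytes. */
uint8_t *gif_blit(const struct gif_screen *s, const struct gif_frame *f, const uint8_t *pixels)
{
    if (s->width == 0 || s->height == 0 || !gif_frame_fits(s, f)) return NULL;
    uint8_t *canvas = calloc((size_t)s->width * s->height, 1);
    if (!canvas) return NULL;
    for (uint32_t y = 0; y < f->height; y++)
        memcpy(canvas + (size_t)(f->top + y) * s->width + f->left,
               pixels + (size_t)y * f->width, f->width);
    return canvas;
}

/* Constructed demo: a 20x10 frame at (10,5) on a 100x50 screen is accepted and
 * lands at the right place; a 200x300 frame is rejected. Returns 0 on success. */
int gif_demo(void)
{
    struct gif_screen screen = { 100, 50 };
    struct gif_frame  ok  = { 10, 5, 20, 10 };
    struct gif_frame  big = { 10, 5, 200, 300 };
    uint8_t pixels[20 * 10];
    memset(pixels, 7, sizeof pixels);

    uint8_t *canvas = gif_blit(&screen, &ok, pixels);
    if (!canvas) return 1;
    int rc = (canvas[5 * 100 + 10] == 7 && canvas[0] == 0) ? 0 : 2;
    free(canvas);
    if (gif_blit(&screen, &big, pixels) != NULL) rc = 3;
    return rc;
}

/* ---- BMP: the pixel-data offset is a 32-bit header field, and the palette is
 * the bytes between the headers and that offset. Read as a signed int, a
 * "negative" offset makes (offset - header_size) negative and the allocation
 * wraps. Treating it as unsigned and bounding it removes both problems. ---- */
bool bmp_offset_ok(uint32_t data_offset, uint32_t header_size, size_t file_len, size_t need)
{
    if (data_offset < header_size) return false;        /* points back into the headers */
    if ((size_t)data_offset > file_len) return false;   /* beyond the end of the file */
    return file_len - data_offset >= need;              /* enough pixel bytes after it */
}

/* Palette size implied by the offset, or -1 if the header is inconsistent.
 * An 8-bit BMP palette has at most 256 four-byte entries. */
long bmp_palette_bytes(uint32_t data_offset, uint32_t header_size, size_t file_len)
{
    if (!bmp_offset_ok(data_offset, header_size, file_len, 0)) return -1;
    uint32_t bytes = data_offset - header_size;   /* cannot underflow after the check */
    return bytes <= 256u * 4u ? (long)bytes : -1;
}

int main(void) { return gif_demo(); }
```

The same idea applies to the libpng and OpenCore cases on the neighbouring slides: every length that originates in the file is checked against the buffer it indexes before any allocation or copy, and the arithmetic is done in a type wide enough that the check itself cannot overflow.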
Android Security 21
Web Browser Vulnerability
– Vulnerability is in the multimedia subsystem made by PacketVideo
– Due to insufficient boundary checking when playing back an MP3 file, it is possible to corrupt the process's heap and execute arbitrary code on the device
– Can allow a hacker to see data saved on the phone by the web browser and to peek at ongoing traffic
– Confined to the "sandbox"
Android Security 22
General Mobile Phone Vulnerabilities
– GSM
  • SMS
  • MMS
– CDMA
– Bluetooth
– Wireless vulnerabilities
Android Security 23
GSM Vulnerabilities
– GSM
  • Largest mobile network in the world
  • 3.8 billion phones on the network
– David Hulton and Steve Muller
  • Developed a method to quickly crack GSM encryption
  • Can crack the encryption in under 30 seconds
  • Allows for undetectable eavesdropping
– Similar exploits are available for CDMA phones
Android Security 24
SMS Vulnerabilities
– SMS
  • Short Messaging System
  • Very commonly used protocol
  • Used to send "text messages"
– GSM uses 2 signal bands, 1 for "control", the other for "data".
– SMS operates entirely on the "control" band.
– High-volume text messaging can disable the "control" band, which also disables voice calls.
– Can render an entire city's 911 services unresponsive.
Android Security 25
MMS Vulnerabilities
– MMS
  • Insecure data protocol for GSM
  • Extends SMS, allows for WAP connectivity
– Exploit of MMS can drain the battery 22x faster
  • Multiple UDP requests are sent concurrently, draining the battery as the phone responds to each request
– Does not expose data
– Does make the phone useless
Android Security 26
Bluetooth Vulnerabilities
– Bluetooth
  • Short-range wireless communication protocol
  • Used in many personal electronic devices
  • Requires no authentication
– An attacker, if close enough, could take over the Bluetooth device.
– The attacker would have access to all data on the Bluetooth-enabled device
– Practice known as bluesnarfing
Android Security 27
Hackers for Android
– Hackers make Android stronger
– White hats want to plug holes
– Example
  • Browser threat reported by Independent Security Evaluators
  • Jailbreak hole fixed by Google over-the-air
Securing a mobile platform from the ground up
Rich Cannings <[email protected]>
Alex Stamos <[email protected]>
Android Security 29
Overview
• Why care about mobile security?
• What is Android?
• How do I develop on Android?
  o Android Market
• What about Security?
  o Cornerstones of Android security: Prevention, Minimization, Detection, Reaction
Android Security 31
Some Statistics
• 6.77 billion people [1]
• 1.48 billion Internet-enabled PCs [2]
• 4.10 billion mobile phones [1]
• Mobile phone replacement rate
  o 12-18 month average [3]
  o 1.1 billion mobile phones are purchased per year [4]
  o 13.5% of mobile phone sales are smartphones [5]
• The number of smartphones will soon compare with the number of Internet-enabled PCs
[1] http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use (based on The World Factbook)
[2] http://www.itu.int/ITU-D/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1
[3]
[4] http://www.infonetics.com/pr/2009/2h08-mobile-wifi-phones-market-research-highlights.asp
[5] http://www.gartner.com/it/page.jsp?id=985912
Android Security 32
Mobile Security is Getting Interesting
• Techniques from desktop analysis are becoming more useful for smart phones
• Mobile networks can now be easily manipulated
  o From phones: Miller, Lackey, Miras at BlackHat 2009
  o From false base stations: http://openbts.sourceforge.net/
Android Security 34
Mobile Security Matures
We are now seeing attacks against all layers of mobile infrastructure:
• Applications
• Platform
• OS
• Baseband
• Network
Mobile devices must be treated as fully fledged computers.
Do not assume they are "special".
Android Security 36
The Android Platform
• Free, open source mobile platform
  o Source code at http://source.android.com
• Any handset manufacturer or hobbyist can install
• Any developer can use
  o SDK at http://developer.android.com
• Empower users and developers
Android Security 37
The Android Technology Stack
• Linux kernel
• Relies upon 90+ open source libraries
  o Integrated WebKit-based browser
  o SQLite for structured data storage
  o OpenSSL
  o BouncyCastle
  o libc based on OpenBSD
  o Apache Harmony
  o Apache HttpClient
• Supports common sound, video and image codecs
• API support for handset I/O
  o Bluetooth, EDGE, 3G, wifi
  o Camera, video, GPS, compass, accelerometer, sound, vibrator
Android Security 41
Android Development
• Java applications are composed of:
  o Activities: visual user interface for one focused endeavor
  o Services: run in the background for an indefinite period of time
• Intents
  o Asynchronous messaging
  o URL dispatching on steroids
  o Glues many Activities and Services together to make an application
  o Provides interactivity between applications
Android Security 42
Example Email Application
Android Security 47
Application Lifecycle
• Designed to protect battery life
• Activities live on a stack
• Background activities can be killed at any moment
• The platform makes it easy for developers to code applications that can be killed at any moment without losing state
  o Helps with DoS issues
Android Security 48
Android Market
• Connects developers with users
• Darwinian environment
  o Good applications excel
  o Bad applications are forgotten
• ~10,000 applications on Market
• Balance of openness and security
  o Not the only way to install apps
  o Not a walled garden
• Developers self-sign applications
  o For updating
  o Uses Java's keytool and jarsigner
Android Security 49
Application Signing
Why self-signing?
• Market ties identity to developer account
• CAs have had major problems with fidelity in the past
• No applications are trusted. No "magic key"
What does signing determine?
• Shared UID for shared keys
• Self-updates
Android Security 51
Security Philosophy
• Finite time and resources
• Humans have difficulty understanding risk
• Safer to assume that
  o Most developers do not understand security
  o Most users do not understand security
• Security philosophy cornerstones
  o Need to prevent security breaches from occurring
  o Need to minimize the impact of a security breach
  o Need to detect vulnerabilities and security breaches
  o Need to react to vulnerabilities and security breaches swiftly
Android Security 52
Prevent
• 5 million new lines of code
• Uses almost 100 open source libraries
• Android is open source ⇒ can't rely on obscurity
• Teamed up with security experts from
  o Google Security Team
  o iSEC Partners
  o n.runs
• Concentrated on high risk areas
  o Remote attacks
  o Media codecs
  o New/custom security features
• Low-effort/high-benefit features
  o ProPolice stack overflow protection
  o Heap protection in dlmalloc
Android Security 53
dlmalloc
• Heap consolidation attack
• Allocation meta-data is stored in band
• Heap overflow can perform 2 arbitrary pointer overwrites
• To fix, check:
  o b->fd->bk == b
  o b->bk->fd == b
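The check on the slide is cheap because a chunk on a doubly linked free list already records its neighbours: if an overflow has overwritten b's fd or bk, the memory those pointers now reach will not point back at b, and refusing to unlink turns the two attacker-controlled writes into a rejected operation. The following added example is a toy free list written for this page, not dlmalloc's code; the chunks live in static memory, and a single fd overwrite is simulated in the demo to show the check firing.

```c
/* Added example, not dlmalloc's code: a toy doubly linked free list with the
 * slide's consistency check applied before a chunk is unlinked. Constructed data. */
#include <stdbool.h>
#include <stddef.h>

struct chunk { size_t size; struct chunk *fd, *bk; };

/* Circular list with a sentinel head, as a dlmalloc bin is. */
void list_init(struct chunk *head) { head->size = 0; head->fd = head->bk = head; }

void list_insert(struct chunk *head, struct chunk *c)
{
    c->fd = head->fd;
    c->bk = head;
    head->fd->bk = c;
    head->fd = c;
}

/* The unchecked unlink: if fd and bk were overwritten, the two assignments
 * below are the "2 arbitrary pointer overwrites" from the slide. */
static void unlink_unchecked(struct chunk *b)
{
    b->fd->bk = b->bk;
    b->bk->fd = b->fd;
}

/* Checked unlink: proceed only if both neighbours still point back at b.
 * Returns false, writing nothing, when the links are inconsistent. */
bool unlink_checked(struct chunk *b)
{
    if (b->fd->bk != b || b->bk->fd != b) return false;
    unlink_unchecked(b);
    b->fd = b->bk = NULL;
    return true;
}

size_t list_len(const struct chunk *head)
{
    size_t n = 0;
    for (const struct chunk *c = head->fd; c != head; c = c->fd) n++;
    return n;
}

/* Demo: a legitimate unlink succeeds; then b's fd is overwritten to simulate an
 * overflow into its metadata, the check refuses, and the neighbours stay intact.
 * Returns 0 on success. */
int dlmalloc_demo(void)
{
    static struct chunk head, a, b, c, stray;   /* stray is zero-filled: fd == bk == NULL */
    list_init(&head);
    list_insert(&head, &a);
    list_insert(&head, &b);
    list_insert(&head, &c);                      /* list order: head, c, b, a */

    if (!unlink_checked(&a) || list_len(&head) != 2) return 1;

    b.fd = &stray;                               /* simulated metadata corruption */
    if (unlink_checked(&b)) return 2;            /* must be rejected ... */
    if (head.bk != &b || c.bk != &head || head.fd != &c) return 3;  /* ... with no writes */
    return 0;
}

int main(void) { return dlmalloc_demo(); }
```

The check only closes the single-overwrite case: an attacker who can also place a fake neighbour that points back at b passes it, which is why later allocators added size and alignment checks on top. The slide's two comparisons are the minimum that turns the classic unlink write primitive into a hard failure.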
Android Security 54
WebKit Heap Overflow
Android Security 55
Minimize
• We cannot rely on prevention alone
  o Vulnerabilities happen
• Users will install malware
• Code will be buggy
• How can we minimize the impact of a security issue?
• My webmail cannot access my banking web app
  o Same origin policy
• Why can malware access my browser? my banking info?
• Extend the web security model to the OS
Android Security 56
Minimize
• Traditional operating system security
  o Host based
  o User separation
• Mobile OSes are for single users
• User separation is like a "same user policy"
• Running each application in its own UID is like a "same application policy"
  o Privilege separation
• Make privilege separation relatively transparent to the developer
Android Security 57
Application Sandbox
• Each application runs within its own UID and VM
• Default privilege separation model
• Instant security features
  o Resource sharing: CPU, memory
  o Data protection: FS permissions
  o Authenticated IPC: Unix domain sockets
• Place access controls close to the resource, not in the VM
Android Security 58
Application Sandbox
• Place access controls close to the resource
  o Smaller perimeter ⇒ easier to protect
• Default Linux applications have too much power
• Lock down user access for a "default" application
• Fully locked down applications limit innovation
• Relying on users making correct security decisions is tricky
Android Security 59
Permissions
• Whitelist model
  1. Allow minimal access by default
  2. Allow for user-accepted access to resources
• Ask users fewer questions
• Make questions more understandable
• 194 permissions
  o ⇒ More granularity
  o ⇒ Less understandability
Android Security 60
More Privilege Separation
• Media codecs are very complex ⇒ very insecure
• Won't find all the issues in media libraries
• Banish the OpenCore media library to a lesser-privileged process
  o mediaserver
• Immediately paid off
  o Charlie Miller reported a vulnerability in our MP3 parsing
  o oCERT-2009-002
Android Security 61
Detect
• A lesser-impact security issue is still a security issue
• Internal detection processes
  o Developer education
  o Code audits
  o Fuzzing
  o Honeypot
• Everyone wants security ⇒ allow everyone to detect issues
  o Users
  o Developers
  o Security researchers
Android Security 62
External Reports
• Patrick McDaniel, William Enck, Machigar Ongtang
  o Applied formal methods to access SMS and Dialer
• Charlie Miller, John Hering
  o Outdated WebKit library with PCRE issue
• XDA Developers
  o Safe mode lock screen bypass
• Charlie Miller, Collin Mulliner
  o MP3, SMS fuzzing results
• Panasonic, Chris Palmer
  o Permission regression bugs
• If you find a security issue, please email [email protected]
Android Security 63
User Reporting
Android Security 64
A User Report
• MemoryUp: mobile RAM optimizer
  o faster, more stable, more responsive, less waiting time
  o not quite
Android Security 65
React
• Autoupdaters are the best security tool since Diffie-Hellman
• Every modern operating system should be responsible for:
  o Automatically updating itself
  o Providing a central update system for third-party applications
• Android's Over-The-Air update system (OTA)
  o User interaction is optional
  o No additional computer or cable is required
  o Very high update rate
Android Security 66
Shared UID Regression
• Shared UID feature
  o Malware does not hurt computers, malware authors do
  o Two applications signed with the same key ⇒ can share UIDs
  o More interactivity
• Panasonic reported that shared UID was broken
  o If the user installs malware, then the attacker could share UIDs with an existing installed app, like the browser
  o Breaks the Application Sandbox
Android Security 67
Update Process
• 2009-05-14
  o Panasonic reported the issue
  o Patched the issue, wrote regression tests
• 2009-05-15
  o Kicked off internal audit
  o Built and tested every flavour of Android
  o Coordinated a public response with the reporter, carriers, PR and oCERT
• 2009-05-21
  o Received critical-mass approval
• 2009-05-22
  o OTAed users, rolled out patches to factories, SDK, and open source
  o Released advisory (oCERT-2009-006)
Android Security 68
Not over yet!
• 2009-07-06
  o Completed audit and tests
  o Coordinated a public response with carriers, PR and oCERT
• 2009-07-15
  o Received critical-mass approval
• 2009-07-16
  o OTAed users, rolled out patches to factories, SDK, and open source
  o Released advisory (oCERT-2009-011)
Android Security 69
Conclusion
• Security
  o an ongoing process
  o not a checkbox
• Process
  o Prevent
  o Minimize
  o Detect
  o React
Android Security 70
Questions?
• Want to contribute code?
  o Visit http://source.android.com
  o Add me as a code reviewer!
• Want to write an Android application?
  o Visit http://developer.android.com
• Want to email us?
  o Email [email protected] or [email protected]
  o We are both hiring
Android Security 71
References
• Found a security issue? Email [email protected]
• William Enck and Patrick McDaniel, Understanding Android's Security Framework, 2010, siis.cse.psu.edu/android-tutorial.html. Source code: android-sec-tutorial-src.tar.gz
• Ryan Selley, Swapnil Shinde, Michael Tanner, Madhura Tipnis, Colin Vinson, Vulnerability Study of the Android
• Jesse Burns, Mobile Application Security On Android, Black Hat 2009. www.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf
• Rich Cannings, Alex Stamos, Securing a mobile platform from the ground up