
Android Security

COSIC Summer Course 2013. Dr. Ir. Stefaan Seys, KU Leuven, ESAT/COSIC.


Presentation Transcript


  1. Android Security COSIC Summer Course 2013 Dr. Ir. Stefaan Seys, KU Leuven, ESAT/COSIC

  2. Outline
     Introduction
     Android Security Mechanisms
       … for the End User
       … for the Developer
       … for the Enterprise
     Looking to the future
     Mobcom Annual Workshop February 5th, 2014

  3. Android: When? What? How Many and Why?

  4. Android History (timeline)
     • October 2003: Android Inc founded by Andy Rubin, Rich Miner, Nick Sears and Chris White
     • August 2005: Google acquires Android Inc
     • November 2007: Open Handset Alliance formed, Android unveiled to public
     • September 2008: First Android handset: HTC Dream, Android 1.0
     • October 2009: Android 2.0 Eclair
     • May 2010: Android 2.2 Froyo
     • December 2010: Android 2.3 Gingerbread
     • February 2011: Android 3.0 Honeycomb
     • October 2011: Android 4.0 Ice Cream Sandwich
     • July 2012: Android 4.1 Jelly Bean
     • October 2012: Android 4.2 Jelly Bean

  5. Android version distribution evolution: v2.3 still 25% [http://www.appbrain.com/stats/top-android-sdk-versions]

  6. Android version distribution (Feb 2014) [developer.android.com]

  7. Android Software Stack
     In the heart of Android lives a Linux kernel
       • 2.6.x until Ice Cream Sandwich, 3.0.x afterwards
       • Hardware abstraction layer, memory management, network stack, IPC, file system, etc.
     On top of the kernel runs a set of open source libraries
       • Graphics, Media, FreeType, WebKit, System C libs, SQLite, etc.
       • Android runtime: Java core libraries and Dalvik VM
     Android Apps interact with the Application Framework
       • Activity Mgr, Notification Mgr, Resource Mgr, Package Mgr, Content Providers, etc.

  8. Android Software Stack [Wikipedia]

  9. Dalvik Virtual Machine
     Google has chosen to use neither the standard Java libraries nor the standard JVM
     Instead Google opted for the Dalvik VM
     Reason
       • Hardware constraints: ARM processor with 128MB RAM and 256MB Flash
       • Hardware diversity
       • Support for sandboxed application runtimes
       • Avoid licensing fees to Oracle for J2ME
     Every App runs in its own VM (as opposed to a single VM in J2ME)
     New VMs are forked from the Zygote
     Dalvik VMs run DEX code

  10. App Installation
      Complete application packaged in a single .APK file
      Content is signed using the developer's private key
        • It is only used to link apps of the same developer (updates)
        • Says nothing about the trustworthiness of the app/developer
      Signature only verified at installation
        • So changes afterwards are not detected
      Every App gets its own unique Linux user id
      Every App gets its own data folder
        • /data/data/com.example.my_app

  11. Android’s Security Reputation

  12. Android’s Security Reputation
      Market share and “openness” make Android the favored target:
      Android 72% market share vs iOS 14% [Gartner, Q4/2012, 1]
        • 2012 – new threats: Android 103, iOS 1
        • 2012 – new vulnerabilities: Android 13, iOS 387
      [Symantec, Q1/2013, 2]

  13. Malware Incentives
      Attackers are interested in [F-Secure, Q1/2013, 3]
        • Making money
        • Stealing your personal data
          • to make money, or
          • to set up a targeted attack
      Examples:
        • Send SMS to premium numbers
        • Set up calls to premium numbers (while user is sleeping)
        • Forward all mails, SMS, twitter, etc. to attacker’s server
        • Send location of user to attacker’s server

  14. Software Attack Paths
      Publish Malware
      Malware with “additional” permissions
      Malware that elevates its permissions by exploiting some bug in OS/App (browser)

  15. Malware as a Service
      Malware kits are also sold.... Currently in high demand: “Perkele” (Finnish curse; “damn”)
      Diagram labels: Internet, Cellular; 1. Username/password; 2. mTAN
      PC Malware
        • Inject code in web page, ask user to install Perkele on phone
        • Steal credentials
      Perkele
        • Looks genuine (tailored to bank)
        • Keeps running in background
        • Intercepts SMS

  16. Android security updates/patches
      Android installs depend on three parties
        • Google (developer)
        • OEM (personalization phase 1)
        • Carrier (personalization phase 2)
      Short shelf-life of devices (e.g., new Galaxy S every year)
      Meaning short support/no updates by OEM/Carrier
      Resulting in millions of devices with known vulnerabilities
        • Gingerbread still largest 25% install base

  17. Android Security Essentials

  18. Locked BootLoader
      Diagram labels: ARM SoC: Hash(root PK); INIT IMAGE: Signature, Cert. chain; SYSTEM IMAGE: Signature, Cert. chain
      Actual implementation depends on OEM
      “Unlocking capabilities” also depend on OEM
        • Samsung ships mostly unlockable
        • HTC supports official unlocking (voids warranty)
        • LG ships unlocked, but no default flashing support
        • Motorola tends to be locked tight (requires exploit)

  19. Android Application Sandboxing
      Diagram labels: Zygote (Core Libs); App 1 and App 2, each with its own Dalvik VM and (Core Libs); each a separate process with a unique UID
      Every Android App
        • Runs in its own process
        • Has its own Dalvik VM instance
        • Is assigned a unique Linux user ID
        • Uses Linux file permissions linked to that user ID

  20. Android UID’s

  21. Root user not available
      Android does not allow the use of “sudo” to gain root privileges
        • No root shell user over ADB
        • Apps cannot ask for root privileges
      Sandboxing Apps relies on this!
      “Rooting” your phone means enabling the use of root privileges

  22. Android Permissions
      Access to low-level resources (network, phone calls, SMS, etc.) is enforced through user and group permissions at kernel level
      Higher level permissions restricted by the Android Runtime
      App developers need to specify the required permissions

  23. Bouncer
      Scans apps for “malicious activities” while uploading to Google Play
        • Apps are executed on emulator
        • Easy to detect this….
      Since Jelly Bean 4.2: local version of Bouncer
        • Will also scan Apps from other stores

  24. Android Security for the User

  25. People are Curious Creatures
      From a 2011 study [McAfee, Ponemon Inst., 4]
        • 140,000 out of 3.3M (4.1%) of smart phones were lost or stolen in 1 year
        • 10,000 were recovered
        • 47% lost at home or hotel room, 29% while in transit
      Smartphone Honey Stick Project [Symantec, 2012, 5]
        • 50 ‘prepped’ smartphones intentionally ‘lost’ in various cities in the US
        • 96% were accessed by the finders, about 85% checked data on phone
        • 43% opened the ‘online banking’ app
        • 53% opened the ‘salaries’ file
        • 60% checked personal mail
        • 72% opened photos

  26. Prevent Data Theft
      Your data is only protected against trivial methods when
        • screen lock is enabled (properly), and
        • ADB debugging is disabled, and
        • the bootloader is locked
      Unfortunately
        • Some phones come with an unlocked bootloader (e.g., Sprint Galaxy S4)
        • Screen lock used < 50% [4]
        • Screen lock has its limits

  27. Screen lock has its limits
        • Some Apps need to bypass the screen lock, bugs…
          • Phone App
          • Viber
          • Skype
      “Smudge attack”
      Some sensors can be used as a “side channel” to capture PINs
        • The accelerometer
        • The front-facing camera
      FUTURE OF MOBILE PAYMENTS 2013

  28. But the Attacker has Physical Access…
      “Given physical access, your data is only as secure as your attacker is lazy or ignorant”
      “Not motivated”:
        • You are lucky, your data is safe.
      “Motivated but not very skilled”:
        • RIFF Box and others (pre-programmed JTAG debuggers)
      “Motivated and skilled”:
        • Nothing to prevent data theft…

  29. Android Disk Encryption
      Diagram: Password or PIN + Salt → PBKDF2 → KEK → AES → DEK → AES → /data
      > Android 4.0 (end 2011) supports disk encryption
      Based on dm-crypt
        • Only /data partition (not full disk)
        • aes-cbc-essiv:sha256 with 128-bit keys
        • Salt and E(DEK) stored on disk
      Weaknesses
        • Brute force short PINs [6]
        • “Frost” tool [7]
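In the key hierarchy on slide 29, the salt and E(DEK) sit on disk, so the PIN or password is the only secret and offline guessing is limited only by the cost of PBKDF2. The Python sketch below is an added example, not part of the presentation: it derives a KEK as in the diagram and computes how long a secret must be to resist exhaustive guessing. The PBKDF2-HMAC-SHA1, 2000-iteration and 16-byte parameters are assumptions chosen for illustration; the slide does not state them.

```python
import hashlib
import os
import time

# Assumed parameters (not given on the slide): PBKDF2-HMAC-SHA1, 2000 iterations,
# 32 bytes of output split into a 16-byte KEK and a 16-byte IV.
ITERATIONS = 2000
SALT_LEN, KEK_LEN, IV_LEN = 16, 16, 16

def derive_kek(secret: str, salt: bytes, iterations: int = ITERATIONS):
    """Stretch the PIN/password into (KEK, IV); the KEK is what unwraps E(DEK)."""
    out = hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, iterations, KEK_LEN + IV_LEN)
    return out[:KEK_LEN], out[KEK_LEN:]

def derivations_per_second(iterations: int = ITERATIONS, samples: int = 50) -> float:
    """Measure how many KEK derivations one core of this machine performs per second."""
    salt = os.urandom(SALT_LEN)
    start = time.perf_counter()
    for i in range(samples):
        derive_kek(str(i), salt, iterations)
    return samples / (time.perf_counter() - start)

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate secrets of exactly `length` symbols."""
    return alphabet_size ** length

def worst_case_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Time to cover the whole keyspace when only the KDF limits the guess rate."""
    return keyspace(alphabet_size, length) / rate

def min_length(alphabet_size: int, rate: float, target_seconds: float) -> int:
    """Shortest secret length whose keyspace takes at least `target_seconds` to cover."""
    length = 1
    while keyspace(alphabet_size, length) < rate * target_seconds:
        length += 1
    return length

if __name__ == "__main__":
    rate = derivations_per_second()
    year = 365 * 24 * 3600
    for label, size in (("numeric PIN", 10), ("lowercase+digits", 36), ("printable ASCII", 95)):
        secs = worst_case_seconds(size, 4, rate)
        need = min_length(size, rate, year)
        print(f"{label:17s} 4 symbols: {secs:10.1f} s; length for 1 year at {rate:.0f}/s: {need}")
```

The measured rate is for one CPU core in Python; treat the resulting lengths as a lower bound when setting a device password policy.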

  30. FROST Can only be used with an unlocked bootloader!

  31. Physical Access Attack Tree (diagram flattened; node labels in reading order)
      Screenlock? No / Yes
      Unlocked bootloader? No / Yes
      ADB enabled
      “Root” the phone and dump flash using ADB, or install recovery image to dump flash
      No / Yes
      No trivial attack vector
      Use tool like odin3 to unlock the bootloader
      File system encryption?
      Use JTAG or other means to dump flash
      No / Yes
      Brute force password

  32. Android 4.2 improvements
      Can be circumvented when using an unlocked bootloader!
      ADB white list
        • Upon installation, your Android SDK will generate a random RSA key
      Premium SMS confirmation

  33. Android Security for the Developer

  34. File Storage
      App’s files are private by default
        • Owned by their own UID
      Unless developer chooses otherwise
        • MODE_WORLD_WRITEABLE or MODE_WORLD_READABLE
      Apps signed with same key can run with same UID and access each other’s files
      /mnt/sdcard is world readable/writeable
        • Meaning your pictures...

  35. Avoid Leaking Permission-Protected Data
      Diagram labels: Sandbox; Weak App holding ACCESS_FINE_LOCATION; Inter Process Call that does not require any permissions, e.g., ContentProvider

  36. Crypto Support
      Android uses custom version of Bouncy Castle
        • Prevents inclusion of official release in apps
        • Use Spongy Castle as workaround
      Android includes OpenSSL libs
      Android ICS 4.0
        • Adds VPN API
        • Adds Key Chain API

  37. Code Obfuscation
      Android build system includes support for ProGuard
        • removes unused code
        • renaming classes, fields, and methods
      Makes reverse engineering more difficult
      Smaller .apk files
      Why use it? Because .apk -> source is trivial....

          // Package, class, fields and method all carry short, meaningless names
          package a;

          public class a {
              static String a = "Hello";
              static String b = "Wwlhkd16uqE3UT941ut57Xw8OP4";

              static void a() {
                  System.out.println(a);
              }

              public static void main(String[] args) {
                  a();
              }
          }

  38. Android App Reverse Engineering
      Tool chain to obtain code from any app in Android
      Get apk from phone (“root”)
        • apk → dex (unzip): Extract dex from apk package
        • dex → jar (dex2jar): Translate dex to jar
        • jar → source (JD-GUI): Decompile bytecode to source

  39. DRM [Android documentation]
      Android platform provides an extensible DRM framework
      Actual DRM mechanisms provided by third parties
      Hides details of DRM from app developers

  40. Android Security for the Enterprise

  41. Device Policy Admin
      > Android 2.2 Froyo: Android Device Admin API
      “Administrators” capabilities:
        • (Remotely) wipe the data
        • Request to change or set password (disable pattern lock)
        • Set password rules and expiration
        • Set max failed login attempts
        • Lock or erase the device
        • Lock the screen
        • Enable storage encryption
        • Disable the camera

  42. Better VPN support
      Pre Android ICS 4.0
        • L2TP, L2TP/IPSec PSK, L2TP RSA and PPTP
        • Not useful for majority of enterprise VPNs
      ICS 4.0 adds support for pure IPSec VPNs for better compatibility
      New VPN API that allows SSL VPN clients to be deployed as Apps
        • E.g., Cisco Anyconnect requires a “rooted” device prior to ICS 4.0

  43. Hopefully in the near future.... [GlobalPlatform]
      TEE (Trusted Execution Environment)
      Hardware-enforced isolation from OS
      Runs on the main device chipset
      Has privileged access to device resources
      (Mostly) implemented using ARM TrustZone
      Example: Samsung KNOX

  44. TEE Positioning [GlobalPlatform]

  45. TEE functionality
      TEE has direct access to screen without OS involvement
        • Allows secure entry and verification of PINs, passwords, etc.
      Allows secure storage of cryptographic keys and their use in an isolated environment
        • Prevents exploits (remote or local) from stealing these keys
      Allows secure storage of server certificates
        • Prevents Man-in-the-Middle attacks

  46. Remaining Issues [Trusted Foundations]
      Further TEE standardisation
      Who can install Trusted Applications (TA)?
      Downloadable TA’s?
      TA certification?
      Users do not understand “security indicators”

  47. Questions? Thank you!

  48. References
      International Course on Computer Security and Cryptography - 14th edition - 2013
      [1] http://www.gartner.com/it/page.jsp?id=2237315
      [2] Symantec Internet Security Threat Report 2013
      [3] F-Secure Mobile Threat Report January-March 2013
      [4] McAfee and the Ponemon Institute, The Lost Smartphone Problem: Benchmark study of U.S. organizations, Oct. 2011
      [5] The Symantec Smartphone Honey Stick Project, Mar. 2012
      [6] Cannon, T., and Bradford, S. Into the Droid: Gaining Access to Android User Data. In DefCon '12 (July 2012), VIA Forensics
      [7] Tilo Müller, Michael Spreitzenbarth, and Felix C. Freiling, Frost: Forensic Recovery of Scrambled Telephones
