Download Architectural Issue in Practice

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
Document related concepts
no text concepts found
Transcript 
Architectural Issues in Practice:
Android Security
Sam Malek
Software Architecture
INF 221
Fall 2016
Android Security Model
• Based on Linux OS: stable and secure kernel trusted by many corporations
and security professionals.
• Linux kernel supports:
•
•
•
•
A user-based permissions model
Process isolation
Extensible mechanism for secure IPC
The ability to remove unnecessary and potentially insecure parts of the kernel
• The Application Sandbox
• Each App runs in a separate Linux process with a unique user ID (UID)
• Application Signing
• Every app must be signed by its developer
• Developer can specify in the manifest file that an App will share a UID with other
similarly-signed APKs – in this case, apps share a process
2
Android Security Model
• By default, applications cannot interact with each other and have
limited access to system resources
• Android provides
• Inter-Component Communication (ICC) mechanism
• Permission System
•
•
•
•
System permission
Custom permission
Permission guards in the code
Broadcast Intent permission
• Each permission has its own protection level
•
•
•
•
Normal: just ask
Dangerous: user must grant it to the app
Signature: granted only to apps with the same certificate
SignatureOrSystem: granted to the apps with the same certificate or the system apps
3
Android Permission System
• An app must request the permissions it needs to access the protected
features in the device (resources or protected components)
• For example, if an app needs to monitor incoming SMS messages, it
should specify that in the AndroidManifest.xml file as follows:
<uses-permission android:name="android.permission.RECEIVE_SMS"/>
• In Android 5 (API 22) or lower, the system asks the user to grant all
permissions at install time
• Starting from Android 6 (API 23) an app requests the permissions at
runtime, and the user can grant/revoke the permission at any time
4
Android Permission System
Install time permission system
Runtime permission system
5
Security implications of Android’s
architectural design
• Android grants permission at the app level
• Developers tend to ask for more permissions than required
• Previous study shows that 33% of the studied apps are over-privileged with 1 to 4 extra
permissions [3]
• Android advocates component-based development
• However, the current Android system is incapable of granting/revoking permission(s) at the
component level
• Thereby, almost all components are over-privileged
6
Security Attacks
• ICC Attacks
• Permission Re-Delegation Attack
• Attacks through Hidden Code
7
Security Attacks
• ICC Attacks
• Permission Re-Delegation Attack
• Attacks through Hidden Code
8
ICC Attacks
• ICC is a powerful mechanism that promotes collaboration and code
reuse among apps
• ICC is also an application attack surface
Intent-Based Attack
Unauthorized Intent Receipt
Broadcast
Theft
Activity
Hijacking
Service
Hijacking
Intent Spoofing
Pending
Intents
Malicious
Broadcast
Injection
Malicious
Activity
Launch
Malicious
Service
Launch
9
Vulnerable Android System
• We will use this vulnerable Android system to explain various ICC
attacks
Texting
MyWeather
MainActivity
LocUpdater
MsgComposer
SendMsg
Attacker
MainActivity
LocLeaker
Implicit Message-Based
Broadcast
Receiver
Content
Provider
Service
Activity
Android
App
Connector
Provided
Port
Required
Port
10
Vulnerable Android System
• The system is available on GitHub (https://github.com/mhammad2)
• You can “git” the apps and learn more about the various ICC attacks
11
Unauthorized Intent ICC Attack
• There are no guarantees that an implicit Intent will be received by the
intended recipient
• A malicious component can intercept the Intent by declaring an Intent filter
• The malicious component can then gain access to all the data in the
intercepted Intent
Intent-Based Attack
Unauthorized Intent Receipt
Broadcast
Theft
Activity
Hijacking
Service
Hijacking
Intent Spoofing
Pending
Intents
Malicious
Broadcast
Injection
Malicious
Activity
Launch
Malicious
Service
Launch
12
Unauthorized Intent Receipt
Broadcast Theft
• Broadcasts are vulnerable to passive eavesdropping and active denial
of service attack
• A malicious broadcast receiver intercepts an Intent or prevents it from
reaching other broadcast receivers
• 12% of apps are vulnerable to this attack [1]
13
Unauthorized Intent Receipt
Broadcast Theft – Passive Eavesdropping
• When a component, firstActivity in this example, sends an
unprotected broadcast Intent, the system sends the Intent to all
registered receivers
• An eavesdropper, receiver2 in this example, silently receives the
broadcast Intent
receiver1
firstActivity
sendBroadcast
<receiver
android:name=".receiver1"
android:enabled="true"
android:exported="true">
<intent-filter>
<action android:name="some_action"/>
</intent-filter>
</receiver>
System
receiver2
<receiver
android:name=".receiver2"
android:enabled="true"
android:exported="true">
<intent-filter>
<action android:name="some_action"/>
</intent-filter>
</receiver>
14
Unauthorized Intent Receipt
Broadcast Theft – DOS Attack
• An active attacker could launch a denial of service attack or data injection
attacks on a broadcast receiver
• Non-ordered broadcast Intents are sent to all registered receivers at the
same time
• One receiver cannot prevent others from receiving it, e.g., BATTERY_LOW
• Ordered broadcast Intents are delivered serially to broadcast receivers in
order of descending priority
• One receiver can prevent another receiver from receiving the Intent, e.g.,
ACTION_NEW_OUTGOING_CALL
15
Unauthorized Intent Receipt
Broadcast Theft – DOS Attack Example
callerActivity
sendOrderedBroadcast
<receiver
android:name=".receiver1"
android:enabled="true"
android:exported="true">
<intent-filter android:priority="100" >
<action android:name="some_action"/>
</intent-filter>
<receiver
android:name=”.parentingControl"
android:enabled="true"
android:exported="true">
<intent-filter android:priority=”1" >
<action android:name="some_action"/>
</intent-filter>
</receiver>
</receiver>
System
parenting
Control
receiver1
setResultData(null);
• setResultData is an API in the BroadcastReceiver class that allows the receiver to change the result data in the Intent before
forwarding it to the next receiver.
• Passing a null value to this API stops the Intent from being forwarded to the next receiver
16
Unauthorized Intent Receipt
Activity Hijacking
• Malicious Activity registers to receive another component’s implicit
Intent
• Malicious Activity is launched in place of the intended Activity
• The malicious Activity could:
• Read the data sent to another Activity
• The hijacker could spoof the expected Activity’s user interface to steal usersupplied data (i.e., phishing attack)
• 57% of apps are vulnerable to this attack [1]
17
Unauthorized Intent Receipt
Activity Hijacking - Example
• maliciousActivity listens to the same action that secondActivity listens to
• The system prompts the user to choose an app that can handle the
Intent
• If firstActivity is expecting a result, then maliciousActivity can return a
malicious response value (i.e., false response attack)
secondActivity
firstActivity
malicious
Activity
18
Unauthorized Intent Receipt
Service Hijacking
• Service hijacking occurs when a malicious Service receives an implicit
Intent intended for a legitimate Service
• When multiple Services can handle an Intent, Android selects one at
random
• Unlike Activity hijacking, Service hijacking is not apparent to the user
because no user interface is involved
• If the calling app binds to a malicious Service, then it can return
malicious data (i.e., false response attack)
• 3 % of apps are vulnerable to this attack [1]
19
Unauthorized Intent Receipt
Service Hijacking - Example
Attacker
MyWeather
Android System
Location
Service
MainActivity
LocUpdater
Service
Explicit
Intent
Implicit
Intent
Callback
LocLeaker
Activity
Transaction
20
Unauthorized Intent Receipt
Service Hijacking - Code
public class MainActivity extends AppCompatActivity implements LocationListener {
@Override
protected void onCreate(Bundle savedInstanceState) {
//register a callback
LocationManager locationManager = (LocationManager) getSystemService(Context.LOCATION_SERVICE);
locationManager.requestLocationUpdates(LocationManager.GPS_PROVIDER, 4000, 0, this);
}
@Override
public void onLocationChanged(Location location) {
Log.i("MyWeather", "start service with "+location.getLongitude());
Intent intent = new Intent();
intent.setAction(“UPDATE_LOCATION");
intent.putExtra("LONG", location.getLongitude());
intent.putExtra("LAT", location.getLatitude());
startService(intent);
}
…
public class LocationUpdater extends Service {
public int onStartCommand(Intent intent, int flags, int startId){
double longitude = intent.getDoubleExtra("LONG", 0);
double latitude = intent.getDoubleExtra("LAT", 0);
//fetch the weather forecast for this location
//update the database and/or the widget with the new location
Log.i("MyWEATHER", "location "+longitude+" "+latitude);
return START_STICKY;
}
public class LocationLeaker extends Service {
@Override
public int onStartCommand(Intent intent, int flags, int startId) {
//get the location from the intent
double longitude = intent.getDoubleExtra("LONG", 0);
double latitude = intent.getDoubleExtra("LAT", 0);
Log.i("Attacker", "received the location "+longitude+" "
+latitude+" Thank you!");
…
21
Unauthorized Intent Receipt
Pending Intent Delegation Attack
• PendingIntent is a type of Intent with a target action that can be
performed at a later time by the holder of that Intent
• One App can send a PendingIntent to another app to perform the
action on behalf of the sender at a later time
• By giving a PendingIntent to another application, you are granting it
the right to perform the operation you have specified as if the other
application was yourself (with the same permissions and identity)
• CVE-2014-8609: in Android 4, addAccount method in the Settings app
does not properly create a PendingIntent, which allows an attacker to
use the System UID for broadcasting sensitive intents
22
Unauthorized Intent Receipt
Pending Intent Delegation Attack - Example
• firstActivity sends a PendingIntent
• maliciousService receives the
implicit Intent
• maliciousService uses the
PendingIntent to interact with the
SecondActivity, a protected
component with a custom
permission
Malicious App
Benign App
first
Activity
Explicit
Intent
malicious
Service
second
Activity
Pending
Intent
Transaction
Protected
Component
23
Insecure PendingIntent in the Settings app
private void addAccount(String accountType) {
Bundle addAccountOptions = new Bundle();
mPendingIntent = PendingIntent.getBroadcast(this, 0, new Intent(), 0);
addAccountOptions.putParcelable(KEY_CALLER_IDENTITY, mPendingIntent);
addAccountOptions.putBoolean(EXTRA_HAS_MULTIPLE_USERS,
Utils.hasMultipleUsers(this));
AccountManager.get(this).addAccount(
accountType,
null, /* authTokenType */
null, /* requiredFeatures */
addAccountOptions,
null,
mCallback,
null /* handler */);
mAddAccountCalled = true;
}
//AccountManager sends the PendingIntent to another app
Any app can register as account authenticator using this Intent filter. No
permission is required.
<intent-filter>
<action android:name="android.accounts.AccountAuthenticator" />
</intent-filter>
Malicious app can use the PendingIntent to send a phishing SMS message
public Bundle addAccount(…,Bundle options){
PendingIntent pendingIntent = (PendingIntent)options.getParcelable("pendingIntent");
Intent newIntent = new Intent();
newIntent.setAction("android.provider.Telephony.SMS_RECEIVED");
//filling phishing sms data
pendingIntent.send(mContext, 0, newIntent, null, null);
24
Intent Spoofing
Intent Spoofing ICC Attack
• A malicious attacker can launch an Intent spoofing attack by sending
an Intent to an exported component that is not expecting the Intent
from the sender component
• If the receiver takes an action with the received Intent, the attacker
can trigger a malicious action
Intent-Based Attack
Unauthorized Intent Receipt
Broadcast
Theft
Activity
Hijacking
Service
Hijacking
Intent Spoofing
Pending
Intents
Malicious
Broadcast
Injection
Malicious
Activity
Launch
Malicious
Service
25
Launch
Intent Spoofing
Malicious Broadcast Injection
• Malicious component sends an Intent, either explicit or implicit, to an
exported Broadcast Receiver
• The Broadcast Receiver blindly trusts an incoming broadcast Intent,
without checking the authenticity of the sender
• Broadcast Receivers that listen to system broadcast Intents are
particularly at risk
• These broadcast receivers operate in response to system actions without
checking to see if the system has sent the Intent
• 14% of apps are vulnerable to this attack [1]
26
Intent Spoofing
Malicious Broadcast Injection - Example
• packageInstalledReceiver receives a broadcast Intent from the system
whenever a new app installed
• Once packageInstalledReceiver receives the Intent, it starts
newPackageService to scan that app from viruses
• maliciousActivity can start packageInstalledReceiver using an explicit
Intent and provide a fake app’s name
malicious
Activity
packageInstalled
Receiver
newPackageServ
ice
27
Intent Spoofing
Malicious Activity Launch
• This attack is analogous to cross-site request forgeries (CSRF)
• Android App comprises many entry points. Any component can start
any exported Activity using explicit or implicit Intent
• The system loads the launched Activity’s user interface
• In addition to disrupting/annoying the user, the launched Activity
might:
• Update a stored data and change the app’s state
• Return sensitive data to the called component
• 12% of apps are vulnerable to this attack [1]
Malicious
Service
firstActivity
28
Intent Spoofing
Malicious Service Launch
• Similar to the previous attack, a malicious component can start or
bind to any exported Service and not protected with a permission
• The started/bound Service might leak sensitive information or corrupt
the app’s state
• 1% of apps are vulnerable to this attack [1]
29
Security Attacks
• ICC Attacks
• Permission Re-Delegation Attack
• Attacks through Hidden Code
30
Permission Re-Delegation Attack
(aka, confused deputy, privilege escalation)
• Application with permission(s) performs a privileged task for an application without
permission(s)
• SendMsg component (deputy) executes a privileged task (sends an SMS message) on behalf
of an unprivileged component, LocLeaker
• This attack allows the LocLeaker to leak location information to a premium number
Attacker
LocLeaker
Texting
SendMsg
Service
Explicit
Intent
Implicit
Intent
Callback
Transaction
Activity
31
Permission Re-Delegation Attack - Example
Intent i = new Intent();
i.setAction(“SEND_SMS");
i.putExtra("PHONE_NUMBER", premiumNumber);
i.putExtra("TEXT_MSG", "longitude:"+longitude+", latitude:"+latitude);
startService(i);
public class SendMsg extends Service {
@Override
public int onStartCommand(Intent intent, int flags, int startId){
//if (checkCallingPermission("edu.uci.seal.action.SEND_SMS")== //
PackageManager.PERMISSION_GRANTED) {
String phoneNumber = intent.getStringExtra("PHONE_NUMBER");
String areaCode = phoneNumber.substring(0,3);
String msg = intent.getStringExtra("TEXT_MSG");
Log.i("TEXTING", "Send a message to "+phoneNumber+" text: "+msg);
SmsManager smsManager = SmsManager.getDefault();
smsManager.sendTextMessage(phoneNumber, null, msg, null, null);
//}
return START_STICKY;
}
}
32
Security Attacks
• ICC Attacks
• Permission Re-Delegation Attack
• Attacks through Hidden Code
33
Attacks through Hidden Code
• Malware authors tend to hide their malicious code to:
• Prevent automated analysis tools from properly vetting apps
• Bypass the antivirus products
• There are many ways to hide the code
• Code encryption
• Reflection
• Dynamic class loading
34
Dynamic class loading
• Android framework allows apps to load code from external sources at
runtime
• Developers of benign apps use this feature for legitimate reasons
• Instrumentation to collect data during beta testing from users
• Common library: multiple apps use the same library which can be installed on the
device as a separate APK file to reduce storage space
• Library update: many apps bundle various libraries for additional functionality, e.g.
ad libraries. Libraries use this feature for self-updating.
• Loading add-ons in the app: SMS apps that load design themes or game apps that
install additional levels
35
Attacks using dynamic class loading
1. Code injection attacks against benign apps
•
•
•
•
Android system does not check the integrity of the downloaded class files
Oftentimes developers don’t check the integrity of the installed codes
Attackers can inject a malicious code and replace the expected legitimate code
16% of the top apps are using this feature in an insecure way [1]
2. Executing another app’s code
• createPackageContext(pkg, flags) API is an Android API that returns a lightweight
context object for a given app’s package name
• Apps built from the same developer use this feature
• Malicious app can use the class loader from the returned Context object to execute
another app’s code
• For this attack to work you need to disable the security checking by passing
CONTEXT_INCLUDE_CODE and CONTEXT_IGNORE_SECURITY flags
3. Hiding malicious behavior
36
Hiding malicious behavior
• Malware authors use this feature to bypass Google Bouncer, an
internal Google testing tool for vetting apps
• DexClassLoader API is an Android API that loads classes from JAR or
APK file
• The JAR or APK files should contain a classes.dex file
• The JAR or APK files can be downloaded from any source including SD card
and internet
• A malicious app can use this API to dynamically load code at runtime
37
Dynamic class loading - Example
Android System
System
Service
Explicit
Intent
Implicit
Intent
ClassLoader classLoader = context.getClassLoader();
DexClassLoader dcl = new DexClassLoader(dexPath,
libraryPath, classLoader);
Class c = dcl.loadClass("className");
Method m = c.getMethod("methodName", params);
FunGame
LevelUp
Transaction
Loaded
Service
Dynamically
Loaded
Dynamic
Broadcast
Receiver
Dynamic
Receiver
Service
optimizedDir,
m.invoke(object, args);
BroadcastReceiver dynamicReceiver(){
BroadcastReceiver receiver = new BroadcastReceiver() {
@Override
public void onReceive(Context context, Intent intent) {
//forward the action and the intent's payload
}
};
IntentFilter iFilter = new IntentFilter();
iFilter.addAction("android.intent.action.BATTERY_LOW");
iFilter.addAction("android.intent.action.ACTION_POWER_CONNECTED");
iFilter.addAction("android.intent.action.PACKAGE_ADDED");
iFilter.addAction("android.intent.action.PACKAGE_REMOVED");
iFilter.addAction("android.intent.action.NEW_OUTGOING_CALL");
iFilter.addAction("android.intent.action.SCREEN_OFF");
iFilter.addAction("android.intent.action.SCREEN_ON");
iFilter.addAction("android.provider.Telephony.SMS_RECEIVED");
iFilter.addAction("android.net.wifi.WIFI_STATE_CHANGED");
registerReceiver(receiver, iFilter);
return receiver;
}
38
Security Guidelines
• Use explicit Intents when possible
• Protect any sensitive component with a permission
• Limit the exposure of the component
• Use LocalBroadcastManager API to send broadcast Intents within an app
• Use broadcast Intent permission, sendBroadcast(intent, receiverPermission)
• Validate the received Intent before using it
• Check the permission/identity of the caller’s component
39
References
• [1] Chin, et al. Analyzing Inter-Application Communication in
Android (Links to an external site.). International Conference on
Mobile Systems, Applications, and Services, Washington DC, June
2011
• [2] Hardy, Norm. "The Confused Deputy:(or why capabilities might
have been invented)." ACM SIGOPS Operating Systems Review 22.4
(1988): 36-38
• [3] Felt, Adrienne Porter, et al. "Android permissions
demystified." Proceedings of the 18th ACM conference on Computer
and communications security. ACM, 2011.
40
Related documents
Role of Development Marketing Intent in Corporate Social Responsibility:An Exploratory Investigation in the Indian Context
Role of Development Marketing Intent in Corporate Social Responsibility:An Exploratory Investigation in the Indian Context
When Intent Does Not Match Outcome - Esi
When Intent Does Not Match Outcome - Esi
INTENTS
INTENTS
Slides - NUS Security Research
Slides - NUS Security Research
powerpoint
powerpoint
[intro.pptx]
[intro.pptx]
CS378 - Mobile Computing
CS378 - Mobile Computing
I - E
I - E
Activities, Intents, and User Interface
Activities, Intents, and User Interface
notifications and broadcast receiver
notifications and broadcast receiver
Android Development Tutorial
Android Development Tutorial
Artis Mobility and GIS
Artis Mobility and GIS
Mobile Apps
Mobile Apps
Building a Simple User Interface Android App - Dei-Isep
Building a Simple User Interface Android App - Dei-Isep
Communication and its barriers
Communication and its barriers
Android Intents - Cleveland State University
Android Intents - Cleveland State University
Topic 13 - Personal Web Pages
Topic 13 - Personal Web Pages
4.GUI
4.GUI
mc-android-storage - Homepages | The University of Aberdeen
mc-android-storage - Homepages | The University of Aberdeen