TBD Android Security and Privacy
#2
Prabhaker Mateti
TBD
• Mix of slides from various sources
• TBD Properly merge
Mateti
Android Security
2
Android Security Policy
• Android focuses on Inter Component
Communication (ICC)
• AndroidManifest.xml can define an access
control policy
– Each component can be assigned an access
permission label
– Each application requests a list of permission
labels (fixed at install)
Public and Private Components
• Components can be public or private. Default
is dependent on “intent-filter” rules.
• Components may unknowingly become
accessible to other applications.
• <activity android:name="…" android:exported="false" />
Manifest
• If the manifest file does not specify an access
permission on a public component, any
component in any application can access it.
• Components without access permissions
should be exceptional cases, and inputs must
be scrutinized (consider splitting
components).
• <receiver … android:permission="…"> … </receiver>
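As an added illustration of the public/private and access-permission rules on these slides (example code, not from the deck): a small lint that applies the intent-filter default rule and reports every public component that carries no permission label. The manifest, package and component names are constructed, and applying the same default rule to all four component types is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"   # manifest attribute namespace
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (not from the slides; package and component names are
# invented): a private activity, an activity that is public only because it declares an
# intent-filter, an exported receiver with no permission label, a receiver guarded by a
# permission, and a provider guarded by a separate read-permission label.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.friendtracker">
  <application>
    <activity android:name=".MainActivity" android:exported="false" />
    <activity android:name=".ShareActivity">
      <intent-filter><action android:name="android.intent.action.SEND" /></intent-filter>
    </activity>
    <receiver android:name=".FriendReceiver" android:exported="true" />
    <receiver android:name=".AdminReceiver" android:exported="true"
              android:permission="com.example.friendtracker.permission.ADMIN" />
    <provider android:name=".FriendProvider" android:exported="true"
              android:authorities="com.example.friendtracker"
              android:readPermission="com.example.friendtracker.permission.READ_FRIENDS" />
  </application>
</manifest>
"""

def is_public(component):
    """Default rule from the slides: an explicit android:exported wins; otherwise a
    component is public iff it declares an intent-filter. (Assumption: the same rule
    is applied here to all four component types.)"""
    exported = component.get(ANDROID + "exported")
    if exported is not None:
        return exported.lower() == "true"
    return component.find("intent-filter") is not None

def find_unguarded_public_components(manifest_xml):
    """Return (tag, name, reason) for every public component that carries no
    access-permission label, i.e. one that any component in any application can reach."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            if not is_public(comp):
                continue
            labels = [comp.get(ANDROID + "permission")]
            if tag == "provider":   # providers may use separate read/write labels instead
                labels += [comp.get(ANDROID + "readPermission"),
                           comp.get(ANDROID + "writePermission")]
            if any(labels):
                continue
            reason = ("explicitly exported" if comp.get(ANDROID + "exported") is not None
                      else "public by default (declares an intent-filter)")
            findings.append((tag, comp.get(ANDROID + "name"), reason))
    return findings

if __name__ == "__main__":
    for tag, name, reason in find_unguarded_public_components(SAMPLE_MANIFEST):
        print(f"{tag} {name}: {reason} but has no android:permission")
```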
Intent
• The code broadcasting an Intent can set an
access permission restricting which Broadcast
Receivers can access the Intent.
• Always specify an access permission on Intent
broadcasts (unless explicit destination).
• PendingIntent objects allow another application to
“finish” an operation for you via RPC. Execution occurs
in the originating application’s “process” space.
– Used in a number of system APIs (Alarm, Location,
Notification)
• Implication: The remote application can fill in
unspecified values. May influence the destination
and/or data integrity. Allows a form of delegation
• Best Practice: Only use Pending Intents as “delayed
callbacks” to private Broadcast Receivers/Activities and
always fully specify the Intent destination.
• Content Providers have two additional
security features
– Separate “read” and “write” access permission
labels
– URI permissions allow record level delegation
• A component (e.g., Service) may arbitrarily
invoke the checkPermission() method to
enforce ICC. You can add reference monitor
hooks
• The system uses permission labels to mediate
access to certain resource APIs.
– android.permission.INTERNET label
• Permission requests are not always granted.
– normal - always granted
– dangerous - requires user approval
– signature - matching signature key
– signature or system - same as signature, but also system apps
• Users may not understand implications when
explicitly granting permissions.
• Use signature permissions for application “suites”
and dangerous permissions otherwise
– Include informative descriptions
• Relatively straightforward model with policy
defined in the manifest file ... but many
exceptions
• Some thought is needed to avoid ...
– “Spoofing” Intent messages (FriendReceiver)
– Privacy leaks (e.g., FRIEND_NEAR broadcast)
• The policy expands into the code
– Broadcast permissions, checkPermission(), etc
• Keeping malicious applications from acquiring
permissions is tricky
Install-time Verification
• Android does not have a way to holistically evaluate
system and application policy or specify security goals.
For example, to evaluate if the system and installed
applications fulfill some security requirement.
– Will granting a permission break the phone’s security?
• Kirin - enhanced installer http://siis.cse.psu.edu
– Extracts policy from the manifest files of all applications
– Uses Prolog to generate automated proofs of compliance
of provided “policy invariants”
– Evaluation performed at install-time, and therefore does
not impact runtime performance
Vulnerability Study
of the Android
Ryan Selley, Swapnil Shinde, Michael
Tanner, Madhura Tipnis, Colin Vinson
(Group 8)
Security Architecture - Overview
Scope of Vulnerabilities
• Refinements to MAC Model
– Delegation
– Public and Private Components
– Provision - No Security Access to Public Elements
– Permission Granting Using User's Confirmation
• Solutions ???
• Precautions by Developers
• Special Tools for Users
Known Vulnerabilities
– Image Vulnerabilities
• GIF
• PNG
• BMP
– Web Browser
GIF Image Vulnerability
– Decode function uses logical screen width and
height to allocate heap
– Data is calculated using actual screen width and
height
– Can overflow the heap buffer, allowing a hacker to
control the phone
PNG Image Vulnerability
– Uses an old libpng file
– This file can allow hackers to cause a Denial of
Service (crash)
BMP Image Vulnerability
– Negative offset integer overflow
– Offset field in the image header used to allocate a
palette
– With a negative value carefully chosen you can
overwrite the address of a process redirecting
flow
Web Browser Vulnerability
– Vulnerability is in the multimedia subsystem made
by PacketVideo
– Due to insufficient boundary checking when
playing back an MP3 file, it is possible to corrupt
the process's heap and execute arbitrary code on
the device
– Can allow a hacker to see data saved on the phone
by the web browser and to peek at ongoing traffic
– Confined to the "sandbox"
General Mobile Phone Vulnerabilities
– GSM
• SMS
• MMS
– CDMA
– Bluetooth
– Wireless vulnerabilities
GSM Vulnerabilities
– GSM
• Largest Mobile network in the world
• 3.8 billion phones on network
– David Hulton and Steve Muller
• Developed method to quickly crack GSM encryption
• Can crack encryption in under 30 seconds
• Allows for undetectable eavesdropping
– Similar exploits available for CDMA phones
SMS Vulnerabilities
– SMS
• Short Messaging System
• Very commonly used protocol
• Used to send "Text Messages"
– GSM uses 2 signal bands, 1 for "control", the other
for "data".
– SMS operates entirely on the "control" band.
– High volume text messaging can disable the
"control" band, which also disables voice calls.
– Can render entire city 911 services unresponsive.
MMS Vulnerabilities
– MMS
• Insecure data protocol for GSM
• Extends SMS, allows for WAP connectivity
– Exploit of MMS can drain battery 22x faster
• Multiple UDP requests are sent concurrently, draining
the battery as it responds to request
– Does not expose data
– Does make phone useless
Bluetooth Vulnerabilities
– Bluetooth
• Short range wireless communication protocol
• Used in many personal electronic devices
• Requires no authentication
– An attacker, if close enough, could take over the
Bluetooth device.
– Attack would have access to all data on the
Bluetooth enabled device
– Practice known as bluesnarfing
Hackers for Android
– Hackers make Android stronger
– White hats want to plug holes
– Example
• Browser Threat reported by Independent Security
Evaluators
• Jailbreak hole fixed by Google over-the-air
Securing a mobile platform from
the ground up
Rich Cannings <[email protected]>
Alex Stamos <[email protected]>
Overview
• Why care about mobile security?
• What is Android?
• How do I develop on Android?
o Android Market
• What about Security?
o Cornerstones of Android security
▪ Prevention
▪ Minimization
▪ Detection
▪ Reaction
Some Statistics
• 6.77 billion people [1]
• 1.48 billion Internet enabled PCs [2]
• 4.10 billion mobile phones [1]
• Mobile phone replacement rate
o 12-18 month average [3]
o 1.1 billion mobile phones are purchased per year [4]
o 13.5% of mobile phone sales are smartphones [5]
• The number of smartphones will soon compare with the
number of Internet enabled PCs
[1] http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use (based on The World Factbook)
[2] http://www.itu.int/ITUD/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1
[3]
[4] http://www.infonetics.com/pr/2009/2h08-mobile-wifi-phones-market-research-highlights.asp
[5] http://www.gartner.com/it/page.jsp?id=985912
Mobile Security is Getting Interesting
• Techniques for desktop analysis are more useful to smart
phones
• Mobile networks can now be easily manipulated
o From phones:
 Miller, Lackey, Miras at BlackHat 2009
o From false base stations:
 http://openbts.sourceforge.net/
Mobile Security Matures
We are now seeing attacks against all layers of mobile
infrastructure:
• Applications
• Platform
• OS
• Baseband
• Network
Mobile devices must be treated as fully fledged computers.
Do not assume they are "special".
The Android Platform
• Free, open source mobile platform
o Source code at http://source.android.com
• Any handset manufacturer or hobbyist can install
• Any developer can use
o SDK at http://developer.android.com
• Empower users and developers
The Android Technology Stack
• Linux kernel
• Relies upon 90+ open source libraries
o Integrated WebKit based browser
o SQLite for structured data storage
o OpenSSL
o BouncyCastle
o libc based on OpenBSD
o Apache Harmony
o Apache HttpClient
• Supports common sound, video and image codecs
• API support for handset I/O
o Bluetooth, EDGE, 3G, wifi
o Camera, Video, GPS, compass, accelerometer,
sound, vibrator
Android Development
• Java applications are composed of:
o Activities
▪ Visual user interface for one focused endeavor
o Services
▪ Runs in the background for an indefinite period of time
• Intents
o Asynchronous messaging
o URL dispatching on steroids
o Glues many Activities and Services together to make an
application
o Provides interactivity between applications
Example Email Application
Application Lifecycle
• Designed to protect battery life
• Activities live on a stack
• Background activities can be
killed at any moment
• The platform makes it easy for
developers to code
applications that are killed at
any moment without losing
state
o Helps with DoS issues
Android Market
• Connects developers with users
• Darwinian environment
o Good applications excel
o Bad applications forgotten
• ~10,000 applications on Market
• Balance of openness and security
o Not the only way to install apps
o Not a walled garden
• Developers self-sign applications
o For updating
o Uses Java's keytool and jarsigner
Application Signing
Why self signing?
• Market ties identity to developer account
• CAs have had major problems with fidelity in the past
• No applications are trusted. No "magic key"
What does signing determine?
• Shared UID for shared keys
• Self-updates
Security Philosophy
• Finite time and resources
• Humans have difficulty understanding risk
• Safer to assume that
o Most developers do not understand security
o Most users do not understand security
• Security philosophy cornerstones
o Need to prevent security breaches from occurring
o Need to minimize the impact of a security breach
o Need to detect vulnerabilities and security breaches
o Need to react to vulnerabilities and security breaches
swiftly
Prevent
• 5 million new lines of code
• Uses almost 100 open source libraries
• Android is open source ⇒ can't rely on obscurity
• Teamed up with security experts from
o Google Security Team
o iSEC Partners
o n.runs
• Concentrated on high risk areas
o Remote attacks
o Media codecs
o New/custom security features
• Low-effort/high-benefit features
o ProPolice stack overflow protection
o Heap protection in dlmalloc
dlmalloc
• Heap consolidation attack
• Allocation meta-data is stored in-band (next to the
user data, so an overflow can reach it)
• Heap overflow can perform 2
arbitrary pointer overwrites
• To fix, check:
o b->fd->bk == b
o b->bk->fd == b
WebKit Heap Overflow
Minimize
• We cannot rely on prevention alone
o Vulnerabilities happen
• Users will install malware
• Code will be buggy
• How can we minimize the impact of a security issue?
• My webmail cannot access my banking web app
o Same origin policy
• Why can malware access my browser? my banking info?
• Extend the web security model to the OS
Minimize
• Traditional operating system security
o Host based
o User separation
• Mobile OSes are for single users
• User separation is like a "same user policy"
• Running each application in its own UID is like a "same
application policy"
o Privilege separation
• Make privilege separation relatively transparent to the
developer
Application Sandbox
• Each application runs within
its own UID and VM
• Default privilege separation
model
• Instant security features
o Resource sharing
 CPU, Memory
o Data protection
 FS permissions
o Authenticated IPC
 Unix domain sockets
• Place access controls close to
the resource, not in the VM
Application Sandbox
• Place access controls close to the resource
o Smaller perimeter ⇒ easier to protect
• Default Linux applications have too much power
• Lock down user access for a "default" application
• Fully locked down applications limit innovation
• Relying on users making correct security decisions is
tricky
Permissions
• Whitelist model
1. Allow minimal access by default
2. Allow for user accepted access to resources
• Ask users fewer questions
• Make questions more understandable
• 194 permissions
o More ⇒ granularity
o Less ⇒ understandability
More Privilege Separation
• Media codecs are very complex ⇒ very insecure
• Won't find all the issues in media libraries
• Banish OpenCore media library to a lesser privileged
process
o mediaserver
• Immediately paid off
o Charlie Miller reported a vulnerability in our MP3 parsing
o oCERT-2009-002
Detect
• A lesser-impact security issue is still a security
issue
• Internal detection processes
o Developer education
o Code audits
o Fuzzing
o Honeypot
• Everyone wants security ⇒ allow everyone to
detect issues
o Users
o Developers
o Security Researchers
External Reports
• Patrick McDaniel, William Enck, Machigar Ongtang
o Applied formal methods to access SMS and Dialer
• Charlie Miller, John Hering
o Outdated WebKit library with PCRE issue
• XDA Developers
o Safe mode lock screen bypass
• Charlie Miller, Collin Mulliner
o MP3, SMS fuzzing results
• Panasonic, Chris Palmer
o Permission regression bugs
• If you find a security issue, please email [email protected]
A User Report
• MemoryUp: mobile RAM optimizer
o faster, more stable, more responsive, less waiting time
o not quite
React
• Autoupdaters are the best security tool since Diffie-Hellman
• Every modern operating system should be responsible for:
o Automatically updating itself
o Providing a central update system for third-party
applications
• Android's Over-The-Air update system (OTA)
o User interaction is optional
o No additional computer or cable is required
o Very high update rate
Shared UID Regression
• Shared UID feature
o Malware does not hurt computers, malware authors do
o Two applications are signed ⇒ can share UIDs
o More interactivity
• Panasonic reported that shared UID was broken
o If the user installs malware, then the attacker could share
UIDs with an existing installed app, like the browser
o Breaks Application Sandbox
Update Process
• 2009-05-14
o Panasonic reported the issue
o Patched the issue, wrote regression tests
• 2009-05-15
o Kicked off internal audit
o Built and tested every flavour of Android
o Coordinated a public response with the reporter, carriers,
PR and oCERT
• 2009-05-21
o Received critical-mass approval
• 2009-05-22
o OTAed users, rolled out patches to factories, SDK, and
open source
o Released advisory (oCERT-2009-006)
Not over yet!
• 2009-07-06
o Completed audit and tests
o Coordinated a public response with carriers, PR and
oCERT
• 2009-07-15
o Received critical-mass approval
• 2009-07-16
o OTAed users, rolled out patches to factories, SDK, and
open source
• 2009-07-16
o Released advisory (oCERT-2009-011)
Conclusion
• Security
o an ongoing process
o not a checkbox
• Process
o Prevent
o Minimize
o Detect
o React
Questions?
• Want to contribute code?
o Visit http://source.android.com
o Add me as a code reviewer!
• Want to write an Android application?
o Visit http://developer.android.com
• Want to email us?
o Email [email protected] or [email protected]
o We are both hiring
References
• Found a security issue? Email [email protected]
• William Enck and Patrick McDaniel, Understanding
Android's Security Framework, 2010,
siis.cse.psu.edu/android-tutorial.html. Source code:
android-sectutorial-src.tar.gz
• Ryan Selley, Swapnil Shinde, Michael Tanner, Madhura
Tipnis, Colin Vinson, Vulnerability Study of the Android
• Jesse Burns, Mobile Application Security On Android,
Black Hat 2009.
www.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf
• Rich Cannings, Alex Stamos, Securing a mobile platform
from the ground up