Securing a mobile platform from the ground up

Presentation on theme: "Securing a mobile platform from the ground up"— Presentation transcript:

1 Securing a mobile platform from the ground up
Rich Cannings and Alex Stamos

2 Overview
- Why care about mobile security?
- What is Android?
- How do I develop on Android?
- Android Market
- What about security?
- Cornerstones of Android security: Prevention, Minimization, Detection, Reaction

4 Some Statistics
- 6.77 billion people [1]
- 1.48 billion Internet enabled PCs [2]
- 4.10 billion mobile phones [1]
- Mobile phone replacement rate: 12-18 month average [3]
- 1.1 billion mobile phones are purchased per year [4]
- 13.5% of mobile phone sales are smartphones [5]
- The number of smartphones will soon compare with the number of Internet enabled PCs
Sources: [1] The World Factbook [2] [3] [4] [5]

5 Mobile Security is Getting Interesting
- Desktop analysis techniques are now more applicable to smartphones
- Mobile networks can now be easily manipulated
  - From phones: Miller, Lackey, Miras at BlackHat 2009
  - From false base stations:

7 Mobile Security Matures
- We are now seeing attacks against all layers of mobile infrastructure:
  - Applications
  - Platform
  - OS
  - Baseband
  - Network
- Mobile devices must be treated as fully fledged computers. Do not assume they are "special".

9 The Android Platform
- Free, open source mobile platform
- Source code at
- Any handset manufacturer or hobbyist can install
- Any developer can use the SDK at
- Empower users and developers

10 The Android Technology Stack
- Linux kernel
- Relies upon 90+ open source libraries
  - Integrated WebKit based browser
  - SQLite for structured data storage
  - OpenSSL
  - BouncyCastle
  - libc based on OpenBSD
  - Apache Harmony
  - Apache HttpClient
- Supports common sound, video and image codecs
- API support for handset I/O
  - Bluetooth, EDGE, 3G, wifi
  - Camera, video, GPS, compass, accelerometer, sound, vibrator

14 Android Development
Java applications are composed of:
- Activities: visual user interface for one focused endeavor
- Services: run in the background for an indefinite period of time
- Intents: asynchronous messaging
  - URL dispatching on steroids
  - Glues many Activities and Services together to make an application
  - Provides interactivity between applications

15 Example Email Application

20 Application Lifecycle
- Designed to protect battery life
- Activities live on a stack
- Background activities can be killed at any moment
- The platform makes it easy for developers to code applications that can be killed at any moment without losing state
- Helps with DoS issues

21 Android Market
- Connects developers with users
- Darwinian environment: good applications excel, bad applications are forgotten
- ~10,000 applications on Market
- Balance of openness and security
  - Not the only way to install apps
  - Not a walled garden
- Developers self-sign applications
  - For updating
  - Uses Java's keytool and jarsigner

22 Application Signing
- Why self signing?
  - Market ties identity to developer account
  - CAs have had major problems with fidelity in the past
  - No applications are trusted. No "magic key"
- What does signing determine?
  - Shared UID for shared keys
  - Self-updates

24 Security Philosophy
- Finite time and resources
- Humans have difficulty understanding risk
- Safer to assume that:
  - Most developers do not understand security
  - Most users do not understand security
- Security philosophy cornerstones:
  - Need to prevent security breaches from occurring
  - Need to minimize the impact of a security breach
  - Need to detect vulnerabilities and security breaches
  - Need to react to vulnerabilities and security breaches swiftly

25 Prevent
- 5 million new lines of code
- Uses almost 100 open source libraries
- Android is open source ⇒ can't rely on obscurity
- Teamed up with security experts from:
  - Google Security Team
  - iSEC Partners
  - n.runs
- Concentrated on high risk areas:
  - Remote attacks
  - Media codecs
  - New/custom security features
- Low-effort/high-benefit features:
  - ProPolice stack overflow protection
  - Heap protection in dlmalloc

26 dlmalloc
- Heap consolidation attack
  - Allocation metadata is stored in band
  - A heap overflow can perform 2 arbitrary pointer overwrites
- To fix, check:
  - b->fd->bk == b
  - b->bk->fd == b
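The two checks above, shown on a constructed toy free list (this is an added illustration, not dlmalloc's code and not from the presentation): a chunk is only unlinked if both of its neighbours still point back at it, so a free chunk whose in-band fd/bk links were overwritten is refused instead of turning the unlink into two attacker-chosen pointer writes.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a dlmalloc-style free chunk (not dlmalloc's real layout).
 * The fd/bk links are stored in band, inside the free chunk itself, so an
 * overflow from the neighbouring allocation can overwrite them. */
typedef struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk in the bin */
    struct chunk *bk;   /* previous free chunk in the bin */
} chunk;

/* Hardened unlink with the slide's consistency check. An unchecked unlink
 * would simply do f->bk = k; k->fd = f; and trust both pointers, which is the
 * "2 arbitrary pointer overwrites" of the consolidation attack. Here both
 * neighbours must still point back at b, otherwise the metadata was tampered
 * with. Returns 1 when b was unlinked, 0 when the check failed (abort then). */
static int unlink_checked(chunk *b) {
    chunk *f = b->fd, *k = b->bk;
    if (f->bk != b || k->fd != b)
        return 0;
    f->bk = k;
    k->fd = f;
    return 1;
}

/* Build a circular bin a <-> b <-> c, optionally corrupt b's forward link
 * (as an overflow from a's payload would), then try to unlink b. */
static int demo(int corrupt) {
    chunk a = {32, NULL, NULL}, b = {32, NULL, NULL}, c = {32, NULL, NULL};
    chunk bogus = {0, NULL, NULL};   /* stands in for an attacker-chosen address */
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b; c.fd = &a; a.bk = &c;
    if (corrupt)
        b.fd = &bogus;               /* overwritten in-band metadata */
    return unlink_checked(&b);
}

int main(void) {
    printf("intact bin: unlink %s\n", demo(0) ? "ok" : "refused");
    printf("corrupted bin: unlink %s\n", demo(1) ? "ok" : "refused");
    return 0;
}
```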

27 WebKit Heap Overflow

28 Minimize
- We cannot rely on prevention alone
  - Vulnerabilities happen
  - Users will install malware
  - Code will be buggy
- How can we minimize the impact of a security issue?
  - My webmail cannot access my banking web app: same origin policy
  - Why can malware access my browser? My banking info?
  - Extend the web security model to the OS

29 Minimize
- Traditional operating system security
  - Host based
  - User separation
- Mobile OSes are for single users
  - User separation is like a "same user policy"
  - Running each application in its own UID is like a "same application policy"
- Privilege separation
  - Make privilege separation relatively transparent to the developer

30 Application Sandbox
- Each application runs within its own UID and VM
- Default privilege separation model
- Instant security features:
  - Resource sharing: CPU, memory
  - Data protection: FS permissions
  - Authenticated IPC: Unix domain sockets
- Place access controls close to the resource, not in the VM

31 Application Sandbox
- Place access controls close to the resource
  - Smaller perimeter ⇒ easier to protect
- Default Linux applications have too much power
  - Lock down user access for a "default" application
- Fully locked down applications limit innovation
- Relying on users making correct security decisions is tricky

32 Permissions
- Whitelist model
  - Allow minimal access by default
  - Allow for user accepted access to resources
- Ask users fewer questions
- Make questions more understandable
- 194 permissions
  - More ⇒ granularity
  - Fewer ⇒ understandability

33 More Privilege Separation
- Media codecs are very complex ⇒ very insecure
- Won't find all the issues in media libraries
- Banish the OpenCore media library to a lesser privileged process: mediaserver
- Immediately paid off: Charlie Miller reported a vulnerability in our MP3 parsing (oCERT)

34 Detect
- A lesser-impact security issue is still a security issue
- Internal detection processes:
  - Developer education
  - Code audits
  - Fuzzing
  - Honeypot
- Everyone wants security ⇒ allow everyone to detect issues:
  - Users
  - Developers
  - Security researchers

35 External Reports
- Patrick McDaniel, William Enck, Machigar Ongtang: applied formal methods to access SMS and Dialer
- Charlie Miller, John Hering: outdated WebKit library with PCRE issue
- XDA Developers: safe mode lock screen bypass
- Charlie Miller, Collin Mulliner: MP3, SMS fuzzing results
- Panasonic, Chris Palmer: permission regression bugs
- If you find a security issue, please

36 User Reporting

37 A User Report
- MemoryUp: mobile RAM optimizer
- "faster, more stable, more responsive, less waiting time"
- Not quite

38 React
- Autoupdaters are the best security tool since Diffie-Hellman
- Every modern operating system should be responsible for:
  - Automatically updating itself
  - Providing a central update system for third-party applications
- Android's Over-The-Air update system (OTA)
  - User interaction is optional
  - No additional computer or cable is required
  - Very high update rate

39 Shared UID Regression
- Shared UID feature
  - Malware does not hurt computers, malware authors do
  - Two applications signed with the same key ⇒ can share UIDs
  - More interactivity
- Panasonic reported that shared UID was broken
  - If the user installs malware, then the attacker could share UIDs with an existing installed app, like the browser
  - Breaks the Application Sandbox

40 Update Process
2009-05-14: Panasonic reported the issue
- Patched the issue, wrote regression tests
- Kicked off internal audit
- Built and tested every flavour of Android
- Coordinated a public response with the reporter, carriers, PR and oCERT
- Received critical-mass approval
- OTAed users, rolled out patches to factories, SDK, and open source
- Released advisory (oCERT )

41 Not over yet!
2009-07-06: Completed audit and tests
- Coordinated a public response with carriers, PR and oCERT
- Received critical-mass approval
- OTAed users, rolled out patches to factories, SDK, and open source
- Released advisory (oCERT )

42 Conclusion
- Security is an ongoing process, not a checkbox
- Process: Prevent, Minimize, Detect, React

43 Questions?
- Find a security issue? Email security@android.com
- Want to contribute code? Visit  Add me as a code reviewer!
- Want to write an Android application? Visit
- Want to join us? We are both hiring
