4 Introduction to Android Security FeaturesProcess IsolationLinux user/group permissionApp requests permission to OS functionalitiesMost checked in remote end i.e. system servicesA few (Internet, Camera) checked in Kernel, as special user group
6 Malicious Android Apps Abuse permissions:Permissions are granted for as long as an App is installed on a deviceNo restrictions on how often resources and data are accessedAccess and transmit private dataAccess to malicious remote serversapplication-level privilege escalationConfused deputy attacksGain root privilege
7 Alternative Approaches App vetting: Google’s Bouncer40% decrease in malwareIneffective once App installed on the deviceAV products:ScanningHave no visibility into the runtime of an AppFine grain permissions checkingRequire modifications to the OSVirtualizationRequire modification to the OS
8 Related work Existing Work Limitations TaintDroid (OSDI 10) CRePE (ISC 10)AppFence (CCS 11)Quire (USENIX Security 2011)SELinux on AndroidTaming Privilege-Escalation (NDSS 2012)LimitationsModify OS – requires rooting and flashing firmware.
9 Related Approaches Android Middleware Linux kernel Hardware Quire Information flowAccess controlCall chain IPCAndroid MiddlewareQuireSELinuxTainDroidAppFenceCRePELinux kernelHardware
10 X X Solution: Aurasium Android Middleware Linux kernel Hardware Repackage Apps to intercept allInteractions with the OSInformation flowAccess controlCall chain IPCand many more!XAndroid MiddlewareXLinux kernelHardware
11 Aurasium Internals Two Problems to Solve Introducing alien code to arbitrary application packageReliably intercepting application interaction with the OS
12 Aurasium Internals How to add code to existing applications Android application building and packaging processjavacJava Source Code.class filesdxClasses.dexApplication ResourceZip & SignCompiled ResourcesApplication Package (.apk)aaptAndroidManifest.xmlOther Files
19 Aurasium Internals How to Intercept Look closer at library calls - dynamic linkinglibbinder.solibc.soControl flow transferIndirect memory reference
20 Aurasium Internals X How to Intercept Key: Dynamically linked shared object fileEssence: Redo dynamic linking with pointers to our detour code.Monitoring Codesomelib.solibc.soX
21 Aurasium Internals How to Intercept Implemented in native code Almost non-bypassableJava code cannot modify arbitrary memoryJava code cannot issue syscall directlyAttempts to load native code is monitoreddlopen()
22 What can you do with Aurasium? Total visibility into the interactions of an App with the OS and other AppsInternet connectionsconnect()IPC Binder communicationsioctl()File system manipulationswrite(), read()Access to resourcesIoctl(), read, write()Linux system callsfork(), execvp()
23 Aurasium Internals How to add code to existing applications Inevitably destroy original signatureIn Android, signature = authorshipIndividual app not a problem
30 Evaluation Tested on Real-world Apps 3491 apps from third-party application store.1260 malware corpus from Android Genome.ResultsRepackaging:3476/1258 succeed (99.6%/99.8%)Failure mode: apktool/baksmali assembly crashesDevice runsNexus S under Monkey – UI Exerciser in SDKIntercept calls from all of 3189 runnable application.
31 Limitations99.9% is not 100%Rely on robustness of apktoolManual edit of Apps as a workaroundNative code can potentially bypass Aurasium:Already seen examples of native code in the wild that is capable of doing soSome mitigation techniques exist
32 Conclusion New approach to Android security/privacy Per-app basis, no need to root phoneTested against many real world appsHave certain limitations