Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing a mobile platform from the ground up

Similar presentations


Presentation on theme: "Securing a mobile platform from the ground up"— Presentation transcript:

1 Securing a mobile platform from the ground up
Rich Cannings Alex Stamos

2 Overview Why care about mobile security? What is Android?
How do I develop on Android? Android Market What about Security? Cornerstones of Android security Prevention Minimization Detection Reaction richc speaks

3 Overview Why care about mobile security? What is Android?
How do I develop on Android? Android Market What about Security? Cornerstones of Android security Prevention Minimization Detection Reaction

4 Some Statistics 6.77 billion people[1]
1.48 billion Internet enabled PCs[2] 4.10 billion mobile phones[1] Mobile phone replacement rate 12-18 month average[3] 1.1 billion mobile phones are purchased per year[4] 13.5% of mobile phone sales are smartphones[5] The number of smartphones will soon compare with the number of Internet enabled PCs stamosa speaks [1] on The World Factbook) [2] [3]  [4] [5]

5 Mobile Security is Getting Interesting
Techniques for desktop analysis are more useful to smart phones Mobile networks can now be easily manipulated  From phones: Miller, Lackey, Miras at BlackHat 2009 From false base stations:  http://openbts.sourceforge.net/ [stamosa]

6 Mobile Security Matures
We are now seeing attacks against all layers of mobile infrastructure: Applications Platform OS Baseband Network

7 Mobile Security Matures
We are now seeing attacks against all layers of mobile infrastructure: Applications Platform OS Baseband Network Mobile devices must be treated as fully fledged computers. Do not assume they are "special".

8 Overview Why care about mobile security? What is Android?
How do I develop on Android? Android Market What about Security? Cornerstones of Android security Prevention Minimization Detection Reaction

9 The Android Platform Free, open source mobile platform
Source code at http://source.android.com Any handset manufacturer or hobbyist can install Any developer can use SDK at Empower users and developers richc speaks

10 The Android Technology Stack
Linux kernel Relies upon 90+ open source libraries Integrated WebKit based browser SQLite for structured data storage OpenSSL BouncyCastle libc based on OpenBSD Apache Harmony Apache HttpClient Supports common sound, video and image codecs API support for handset I/O Bluetooth, EDGE, 3G, wifi Camera, Video, GPS, compass, accelerometer,            sound, vibrator

11 Overview Why care about mobile security? What is Android?
How do I develop on Android? Android Market What about Security? Cornerstones of Android security Prevention Minimization Detection Reaction

12 Android Development Java applications are composed of: Activities
Visual user interface for one focused endeavor stamosa speaks

13 Android Development Java applications are composed of: Activities
Visual user interface for one focused endeavor Services Runs in the background for an indefinite period of time

14 Android Development Java applications are composed of: Activities
Visual user interface for one focused endeavor Services Runs in the background for an indefinite period of time Intents Asynchronous messaging URL dispatching on steroids Glues many Activities and Services together to make an application Provides interactivity between applications

15 Example Email Application

16 Application Lifecycle
Designed to protect battery life

17 Application Lifecycle
Designed to protect battery life Activities live on a stack

18 Application Lifecycle
Designed to protect battery life Activities live on a stack

19 Application Lifecycle
Designed to protect battery life Activities live on a stack Background activities can be killed at any moment

20 Application Lifecycle
Designed to protect battery life Activities live on a stack Background activities can be killed at any moment The platform makes it easy for developers to code applications that are killed at any moment without losing state Helps with DoS issues

21 Android Market Connects developers with users Darwinian environment
Good applications excel  Bad applications forgotten ~10,000 applications on Market Balance of openness and security Not the only way to install apps Not a walled garden Developers self-sign applications For updating Uses Java's keytool and jarsigner stamosa expand self-signing discussion

22 Application Signing Why self signing?
Market ties identity to developer account CAs have had major problems with fidelity in the past No applications are trusted.  No "magic key" What does signing determine? Shared UID for shared keys Self-updates

23 Overview Why care about mobile security? What is Android?
How do I develop on Android? Android Market What about Security? Cornerstones of Android security Prevention Minimization Detection Reaction

24 Security Philosophy Finite time and resources
Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy cornerstones Need to prevent security breaches from occurring Need to minimize the impact of a security breach Need to detect vulnerabilities and security breaches Need to react to vulnerabilities and security breaches swiftly richc

25 Prevent 5 million new lines of code
Uses almost 100 open source libraries Android is open source ⇒ can't rely on obscurity Teamed up with security experts from Google Security Team iSEC Partners n.runs Concentrated on high risk areas Remote attacks Media codecs New/custom security features Low-effort/high-benefit features ProPolice stack overflow protection Heap protection in dlmalloc stamosa

26 dlmalloc Heap consolidation attack
Allocation meta-data is stored in band Heap overflow can perform 2 arbitrary pointer overwrites To fix, check: b->fd->bk == b b->bk->fd == b

27 WebKit Heap Overflow

28 Minimize We cannot rely on prevention alone Vulnerabilities happen
Users will install malware Code will be buggy How can we minimize the impact of a security issue? My webmail cannot access my banking web app Same origin policy Why can malware access my browser? my banking info? Extend the web security model to the OS richc

29 Minimize Traditional operating system security Host based
User separation Mobile OSes are for single users User separation is like a "same user policy" Run each application in its own UID is like a "same application policy"  Privilege separation Make privilege separation relatively transparent to the developer richc

30 Application Sandbox Each application runs within its own UID and VM
Default privilege separation model Instant security features Resource sharing CPU, Memory Data protection FS permissions Authenticated IPC Unix domain sockets Place access controls close to the resource, not in the VM richc

31 Application Sandbox Place access controls close to the resource
Smaller perimeter ⇒ easier to protect Default Linux applications have too much power Lock down user access for a "default" application Fully locked down applications limit innovation Relying on users making correct security decisions is tricky richc

32 Permissions Whitelist model Allow minimal access by default
Allow for user accepted access to resources Ask users less questions Make questions more understandable 194 permissions More ⇒ granularity Less ⇒ understandability richc

33 More Privilege Separation
Media codecs are very complex ⇒ very insecure Won't find all the issues media libraries Banish OpenCore media library to a lesser privileged process mediaserver Immediately paid off Charlie Miller reported a vulnerability in our MP3 parsing oCERT richc

34 Detect A lesser-impact security issue is still a security issue
Internal detection processes Developer education Code audits Fuzzing Honeypot Everyone wants security ⇒ allow everyone to detect issues Users Developers Security Researchers stamosa

35 External Reports Patrick McDaniel, William Enck, Machigar Ongtang
Applied formal methods to access SMS and Dialer Charlie Miller, John Hering Outdated WebKit library with PCRE issue XDA Developers Safe mode lock screen bypass Charlie Miller, Collin Mulliner MP3, SMS fuzzing results Panasonic, Chris Palmer Permission regression bugs If you find a security issue, please stamosa

36 User Reporting stamosa

37 A User Report MemoryUp: mobile RAM optimizer
faster, more stable, more responsive, less waiting time not quite stamosa

38 React Autoupdaters are the best security tool since Diffie-Hellman
Every modern operating system should be responsible for: Automatically updating itself Providing a central update system for third-party applications Android's Over-The-Air update system (OTA) User interaction is optional No additional computer or cable is required Very high update rate richc

39 Shared UID Regression Shared UID feature
Malware does not hurt computers, malware authors do Two applications are signed ⇒ can share UIDs More interactivity Panasonic reported that shared UID was broken If the user installs malware, then the attacker could share UIDs with an existing installed app, like the browser Breaks Application Sandbox richc

40 Update Process 2009-05-14 Panasonic reported the issue
Patched the issue, wrote regression tests Kicked off internal audit Built and tested every flavour of Android Coordinated a public response with the reporter, carriers, PR and oCERT Received critical-mass approval OTAed users, rolled out patches to factories, SDK, and open source Released advisory (oCERT ) richc

41 Not over yet! 2009-07-06 Completed audit and tests
Coordinated a public response with, carriers, PR and oCERT Received critical-mass approval OTAed users, rolled out patches to factories, SDK, and open source Released advisory (oCERT ) richc

42 Conclusion Security an ongoing process not a checkbox Process Prevent
Minimize Detect React richc

43 Questions? Find a security issue? Email security@android.com
Want to contribute code? Visit http://source.android.com Add me as a code reviewer! Want to write an Android application? Visit Want to us? We are both hiring


Download ppt "Securing a mobile platform from the ground up"

Similar presentations


Ads by Google