Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to InfoSec – Smartphone Security (R13) Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net) Slide Credit: Eran.

Published byArchibald Beasley Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to InfoSec – Smartphone Security (R13) Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net) Slide Credit: Eran."— Presentation transcript:

1 Introduction to InfoSec – Smartphone Security (R13) Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net) Slide Credit: Eran Tromer/TAU, Dan Boneh/Stanford, Roei Schuster/TAU

2 Smartphone Motivation Attack vectors and examples from the wild Application Stores Updates regime Security models

3 Capabilities Sensors: o Microphone o Camera o Touch screen (capacitance sensor array) o Fingerprint sensor o GPS o Accelerometer o Digital compass o Power o Proximity sensor

4 Data Phone calls SMSs Contacts Pictures & videos taken E-mails Credentials (social networks, email accounts) More credentials (password reminders) Calendar (events, meetings…) Bank accounts, stock exchange... Browser history Location history Phone number, IMEI …

5 Attack vectors Physical o Lunchtime o Intrusive Connectivity o Cellular Data SMS Low-level GSM o Bluetooth o WiFi o Wired o NFC

6 iPhone Charger Exploit Blackhat ’13 Billy Lau, Yeongjin Jang, Chengyu Song / Georgia Tech They were able to uninstall Facebook, and then install a fake Facebook application instead asking for Facebook credentials Similar malware installation was shown on CSI Cyber S01E09

7 SMS Fuzzing By fuzzing various fields (including application ports, DCS, PID, etc…) researchers managed to: o Crash/DoS iPhone o Disconnect iPhone o Lock your SIM card on Android "Fuzzing the Phone in your Phone", BH USA '09, Mulliner

8 Bluetooth/OBEX Vulnerability (‘09, Alberto Moreno Talbado) Applies to HTC Smartphones running Windows Mobile 6/6.1 Bluetooth attack enables full file system access o directory traversal o download files (incl. contacts, mail…) o upload files (“trojan.exe” to \Windows\Startup)

9 Bluetooth Vulnerability (cont.) “Users worried about the vulnerability should avoid pairing their phones with an untrusted handset or computer. They may also want to delete any devices that are already paired with their phones” In July 2011, published again about OBEX vulnerability this time in HTC Android device.

10 301 Permanent Redirect ’13 Adi Sharabani / Skycure

11 301 Permanent Redirect

12 WifiGate + Permanent Redirection ’13 Adi Sharabani / Skycure Mobile phones automatically reconnect to Wifi networks they already know by SSID. Mobile Network Carriers include their own Wifi Configurations for offloading traffic from the cell towers to local wifi when possible. Applying the 301 Permanent Redirect. Now redirects users traffic even when not in close proximity.

13 Physical o Lunchtime o Intrusive Connectivity o Cellular Data SMS Low-level GSM o WiFi o Bluetooth o Wired o NFC More Attack vectors Content o Files o Applications o Software updates Cloud Storage

14 Who owns our information? Government’s powers o Any data transmitted over the mobile network exposes this data to the government via LI mechanisms. Phone provider’s powers o iOS updates delete data for jailbroken phones o iOS and Android’s location recording scandal o Legal issues, technical non-issues Carrier/phone store o Carrier IQ analytics software collected data from over 140 million devices.

15

16 Android Security Updates From the Android Security FAQ: o “The manufacturer of each device is responsible for distributing software upgrades for it, including security fixes. Many devices will update themselves automatically with software downloaded "over the air", while some devices require the user to upgrade them manually.” o De facto updates? o Long Term Support ?

17 “App Attack” Apps may need to have access to sensitive information (call history, bank account, etc..). Some apps don’t need it (e.g. Angry Birds). Calls for a special security mechanism – or does it? You needn’t be Microsoft/Adobe to build one that people will use o New, unexploited, easy-to-implement ideas. o App Stores – more equal exposure, easy to access. "App Attack", Mahhaffey & Herring

18 Advertisement SDKs 3 rd party (Actually, 4 th party) components piggy- backed on an application. Developers don’t know the code inside their own application. SDKs will always want to perform targeted marketing…

19 Application Security Models Sandboxing o Permissions o Isolation App stores verification o Open or disclosed source o Apps must prove themselves secure It’s no longer enough to just be secure o Vendors must prove themselves trustworthy o Sometimes signed (BB/Symbian/iOS/Android..) o Some automated review o Some manual review

20 Example: iOS App Store To use an application on your own iOS device you must have a special Developer Account o You yourself have to be approved Costs 99$ Takes time o Still does not mean you can get it on the App Store.

21 Apple developer program enrollment Dear Troy Hakala, We are currently in the process of reviewing your iPhone Developer Program enrollment information. Please fax one of the following forms of identity for your business based on your company form. To assist with this process, please ensure your business documents match your Enrollment information. … Please include your main company corporate telephone number with your faxed documents. … Articles of incorporation Business license Certificate of Formation DBA (Doing Business As…) Fictitious name statement Registration of trademark Charter documents Partnership papers Reseller or vendor license … Thank you, iPhone Developer Program

22 Example: iOS App Store (cont.) “Let us see for ourselves”. o Can’t get an app on App Store without verifying it. o Not 100% effective. Pulled back: Flashlight kid Aurora Faint – contact list, 20M downloads MogoRoad – Sent phone numbers, customers got commercial calls o “Polymorphic” apps (change at runtime) o 10K apps submitted per week, 10% of rejections related to malware "iPhone Privacy", Seriot

23 App Store review process (guessed) Static analysis looking for particular strings, API calls etc.. Dynamic analysis o Sniffing o Monitor I/O, API calls o “Fuzzing” Lots of innocent apps punished

24 Malware Survey [Felt Finifter Chin Hanna Wagner 2011] Analyzed 48 malware pieces (Android, iOS, Symbian), 4 root exploits 61% collect info 52% send premium SMS Credential theft, SEO, SMS spam, ransom mobilemalware.pdf

25 Android Application Security Model Applications run in a virtual machine called Dalvik o Java  Java Byte Code  Dalvik Byte Code Dalvik itself is no sandbox o Sandboxing at process level o Each app process has a distinct UID, GID, and belongs to some groups. “Permissions” declared statically

26 Android app permissions: example (Example by David William Wood) List of permissions in Android API: https://developer.android.com/reference/android/Manifest.permission.html https://developer.android.com/reference/android/Manifest.permission.html

27 Android Security User Experience First, obvious problem: users treat permission prompting similar to browser pop-up warnings. o They just don’t care. “Want to get hello kitty wallpapers now.”

28 Android Application Security Model (cont.) How does Android enforce permissions? Enforcement mechanisms: o OS kernel level (files, I/O…) Some behavior inherited from Linux The kernel is patched in some places so that process group list is checked in some system calls. This is similar to Linux capabilities (only for non-root processes, and with no one reference monitor). o Inter-Component Communication level Google’s own implementation o Recently: SELinux (Mandatory Access Controls) “Understanding Android Security” Enck, Ongtang & McDaniel

29 Security Expressiveness Microphone AND web access == permission to record you and send it home? User can’t add/remove permissions after install o Permissions are absolute upon granting. An app can’t request one-time permission for specific operations.

30 Analyzing Inter-process Communication in Android [Chin Felt Greenwood Wagner 2011 ] Characterize types of IPC vulnerabilities: o Unauthorized Intent Receipt: Broadcast Theft Activity Hijacking Service Hijacking o Intent Spoofing: Malicious Broadcast Injection Malicious Activity Launch Malicious Service Launch For each – specify how it can happen, how to avoid it. o Avoidance complexity varies. intents-mobisys11.pdf

31 Analyzing Inter-process Communication in Android [Chin Felt Greenwood Wagner 2011 ] ComDroid: Analyzed 100 applications to identify suspicious IPC implementation (e.g. not declaring permissions to use a broadcast receiver..). Outputted warnings. Manually examined 20 applications for: o Vulnerabilities (e.g. sensitive information exposure) o Spoofing Vulnerabilities (security depends on user’s choices in activity intent-resolution dialog) o Unintentional bugs (ignoring good code convention)

32 Results Results show that the Android permission system is confusing to developers, and they misuse it.

33 Jailbreaking / rooting Give application “root” permissions Method: o Flash firmware o Exploit vulnerability Needed for o Backups o Copying apps o Various advanced features Less effective with SELinux o E.g., Samsung Knox o … so users disable SELinux too Vendors detect and: o Void warranty o Prevent security updates

34 Android Application Security Model - Conclusions IPC and shared resources (logs, internet) are a major security issue. Protection of application and user is the developer’s responsibility o Any form of ICC/shared resources should be carefully examined. o In real life, this does not happen. Many apps expose their (and your) secret information through these mechanisms. This includes Android’s built-in applications (e.g. browser).

35 Android’s Application Security Model – Conclusions (cont.) Protection of user’s data is his own responsibility o Security vs. Usability o Users don’t understand security concerns What does CLEAR_APP_CACHE permission mean? Android’s permission model lacks important expressiveness Android’s Open-Market App Security Model is an extreme and unique choice.

36 iOS Application Security Model Permissions: o No pre-install user prompting o Only one type of exercise-time prompting – “app wants to use your location” Every app is completely isolated from others o If an IPC hack exists, it will probably not be “Apple- Approved” Hidden APIs exist.

37 Caught by App Genome Project (cont.) Lots of simple apps (wallpaper/flashllight etc.) Accessing IMEI, IMSI, Phone number… AND internet… Some don’t hide that they do.

38 Easier: Remote control (uninstall) Jail Finer-grained permissions Single user More uniform hardware Biometrics “Clean slate” Mobile vs. PC Harder: Input Output Patience Sensitivity

39 What can the platform can do about it? Encryption Virtualization Fine-grained permissions Fine-grain protection domains Information flow control o Inadvertant (logs) o Hard to analyze (app interaction) o Malicious o Runtime: TaintDroid o Static (PiOS)

40

Download ppt "Introduction to InfoSec – Smartphone Security (R13) Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net) Slide Credit: Eran."

Similar presentations

Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.

Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.
Introduction to Android Mohammad A. Gowayyed CS334-Spring 2014.

Introduction to Android Mohammad A. Gowayyed CS334-Spring 2014.
Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.

Chrome Extentions Vulnerabilities. Introduction Google Chrome Browser Chrome OS Platform Chrome Web Store Applications Open Source Platform.
6218 Mobile Devices- Are They Secure Enough for our Patient's Data? Presented By Aaron Hendriks, CISSP Other: Employee of University Health Network, Toronto,

6218 Mobile Devices- Are They Secure Enough for our Patient's Data? Presented By Aaron Hendriks, CISSP Other: Employee of University Health Network, Toronto,
Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.
1 MIS 2000 Class 22 System Security Update: Winter 2015.

1 MIS 2000 Class 22 System Security Update: Winter 2015.
1 Introduction to Information Security 0368-3065, Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.

1 Introduction to Information Security , Spring 2014 Lecture 10: Trusted computing architecture (cont.), Smartphone security Eran Tromer Slides.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Hidden Apps Carrier IQ and Privacy in Mobile Devices.

Hidden Apps Carrier IQ and Privacy in Mobile Devices.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.

MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
William Enck, Machigar Ongtang, and Patrick McDaniel.

William Enck, Machigar Ongtang, and Patrick McDaniel.
Mobile Malware in the Wild Acknowledgement: Hiromu Enoki.

Mobile Malware in the Wild Acknowledgement: Hiromu Enoki.
Android Security What is out there? Waqar Aziz. Android Market Share - I 2.

Android Security What is out there? Waqar Aziz. Android Market Share - I 2.
CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.

CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Similar presentations

Ads by Google