Android Security and Privacy #2


1 Android Security and Privacy #2
Prabhaker Mateti

2 Android Security Policy
- Android focuses on Inter Component Communication (ICC)
- AndroidManifest.xml can define an access control policy
- Each component can be assigned an access permission label
- Each application requests a list of permission labels (fixed at install)
Mateti Android Security 2 2

3 Public and Private Components
- Components can be public or private.
- Default is dependent on "intent-filter" rules.
- Components may unknowingly become accessible to other applications.
- <activity android:name="..." android:exported="false" />

4 Manifest
- If the manifest file does not specify an access permission on a public component, any component in any application can access it.
- Components without access permissions should be exceptional cases, and inputs must be scrutinized (consider splitting components).
- <receiver … android:permission=…> … </receiver>
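Added example (not from the slides): a small audit script that applies the rule from slides 3 and 4 to an AndroidManifest.xml, reporting every component that is public (explicit android:exported="true", or an intent-filter with no explicit exported attribute) yet carries no access permission label. The package and component names in the embedded manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_public(component):
    """Rule from the slides: an explicit android:exported wins; otherwise a
    component that declares an <intent-filter> is public by default."""
    exported = android_attr(component, "exported")
    if exported is not None:
        return exported.strip().lower() == "true"
    return component.find("intent-filter") is not None


def has_access_permission(component):
    """Providers may carry separate read/write labels instead of android:permission."""
    labels = ("permission", "readPermission", "writePermission")
    return any(android_attr(component, label) for label in labels)


def audit_manifest(manifest_xml):
    """Return (tag, name) for each public component with no permission label,
    i.e. one that any component in any application may invoke."""
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    findings = []
    for component in (application if application is not None else []):
        if component.tag not in COMPONENT_TAGS:
            continue
        if is_public(component) and not has_access_permission(component):
            findings.append((component.tag, android_attr(component, "name")))
    return findings


# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.friendtracker">
  <application>
    <activity android:name=".FriendTracker">
      <intent-filter><action android:name="android.intent.action.MAIN" /></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="false" />
    <receiver android:name=".FriendReceiver">
      <intent-filter><action android:name="com.example.friendtracker.FRIEND_NEAR" /></intent-filter>
    </receiver>
    <receiver android:name=".ProtectedReceiver"
              android:permission="com.example.friendtracker.FRIEND_NEAR">
      <intent-filter><action android:name="com.example.friendtracker.FRIEND_NEAR" /></intent-filter>
    </receiver>
    <provider android:name=".FriendProvider" android:authorities="com.example.friendtracker"
              android:exported="true" android:readPermission="com.example.friendtracker.READ_FRIENDS" />
  </application>
</manifest>"""
```

Running audit_manifest(SAMPLE_MANIFEST) flags the launcher activity and the unprotected FriendReceiver; the private service, the permission-guarded receiver and the provider with a read label pass.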

5 Intent
- The code broadcasting an Intent can set an access permission restricting which Broadcast Receivers can access the Intent.
- Always specify an access permission on Intent broadcasts (unless explicit destination).

6 PendingIntent
- PendingIntent objects allow another application to "finish" an operation for you via RPC.
  - Execution occurs in the originating application's "process" space.
  - Used in a number of system APIs (Alarm, Location, Notification)
- Implication: The remote application can fill in unspecified values.
  - May influence the destination and/or data integrity.
  - Allows a form of delegation
- Best Practice: Only use Pending Intents as "delayed callbacks" to private Broadcast Receivers/Activities and always fully specify the Intent destination.

7 Content Providers have two additional security features
- Separate "read" and "write" access permission labels
- URI permissions allow record level delegation

8 A component (e.g., Service) may arbitrarily invoke the checkPermission() method to enforce ICC.
- You can add reference monitor hooks

9 The system uses permission labels to mediate access to certain resource APIs.
- android.permission.INTERNET label

10 Permission requests are not always granted.
- normal - always granted
- dangerous - requires user approval
- signature - matching signature key
- signature or system - same as signature, but also system apps
- Users may not understand implications when explicitly granting permissions.
- Use signature permissions for application "suites" and dangerous permissions otherwise
- Include informative descriptions

11 Some thought is needed to avoid ...
- Relatively straightforward model with policy defined in the manifest file ... but many exceptions
- Some thought is needed to avoid ...
  - "Spoofing" Intent messages (FriendReceiver)
  - Privacy leaks (e.g., FRIEND_NEAR broadcast)
- The policy expands into the code
  - Broadcast permissions, checkPermission(), etc.
- Keeping malicious applications from acquiring permissions is tricky

12 Install-time Verification
- Android does not have a way to holistically evaluate system and application policy or specify security goals.
  - For example, to evaluate if the system and installed applications fulfill some security requirement.
  - Will granting a permission break the phone's security?
- Kirin - enhanced installer
  - Extracts policy from the manifest files of all applications
  - Uses Prolog to generate automated proofs of compliance of provided "policy invariants"
  - Evaluation performed at install-time, and therefore does not impact runtime performance

13 Vulnerability Study of the Android
Ryan Selley, Swapnil Shinde, Michael Tanner, Madhura Tipnis, Colin Vinson (Group 8)

14 Security Architecture - Overview
- Question - Have you ever thought of how security is implemented in OS?
- 2 levels
- Figure: MAC model

15 Scope of Vulnerabilities
- Refinements to MAC Model
  - Delegation
  - Public and Private Components
- Provision - No Security Access to Public Elements
- Permission Granting Using User's Confirmation
- Solutions ???
  - Precautions by Developers
  - Special Tools for Users

16 Known Vulnerabilities
- Image Vulnerabilities
  - GIF
  - PNG
  - BMP
- Web Browser

17 GIF Image Vulnerability
- Decode function uses logical screen width and height to allocate heap
- Data is calculated using actual screen width and height
- Can overflow the heap buffer, allowing an attacker to control the phone

18 PNG Image Vulnerability
- Uses an old libpng file
- This file can allow hackers to cause a Denial of Service (crash)

19 BMP Image Vulnerability
- Negative offset integer overflow
- Offset field in the image header is used to allocate a palette
- With a carefully chosen negative value you can overwrite the address of a process, redirecting flow
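Added example (not from the slides) showing the two header checks a decoder needs against the GIF bug of slide 17 and the BMP bug of slide 19: every GIF image descriptor must fit inside the logical screen the canvas was allocated for, and the BMP pixel-data offset must be read as unsigned and bounded by the file. The sample headers are constructed inline and carry no pixel data.

```python
import struct

# Constructed sample images: just the headers a decoder consults before
# allocating. GIF: 6-byte signature, logical screen (w, h, packed, bg, aspect),
# then an image descriptor 0x2C (left, top, w, h, packed).
GIF_OK = b"GIF89a" + struct.pack("<HHBBB", 4, 4, 0, 0, 0) \
    + b"\x2C" + struct.pack("<HHHHB", 0, 0, 4, 4, 0)
GIF_OVERSIZED = b"GIF89a" + struct.pack("<HHBBB", 4, 4, 0, 0, 0) \
    + b"\x2C" + struct.pack("<HHHHB", 0, 0, 8, 8, 0)
# BMP: "BM", file size, two reserved shorts, pixel-data offset, then padding.
BMP_OK = b"BM" + struct.pack("<IHHI", 70, 0, 0, 54) + bytes(56)
BMP_NEGATIVE_OFFSET = b"BM" + struct.pack("<IHHI", 70, 0, 0, 0xFFFFFFF0) + bytes(56)


def check_gif(data):
    """Reject a GIF whose image descriptor does not fit the logical screen.
    A decoder that sizes its canvas from the logical screen (bytes 6-9) but
    copies pixels using the descriptor's own width/height overflows the heap."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "not a GIF header"
    screen_w, screen_h, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:  # a global color table follows the header
        pos += 3 * (2 << (packed & 0x07))
    while pos < len(data) and data[pos] == 0x21:  # skip extension sub-blocks
        pos += 2
        while pos < len(data) and data[pos] != 0:
            pos += 1 + data[pos]
        pos += 1
    if pos + 10 > len(data) or data[pos] != 0x2C:
        return False, "no image descriptor"
    left, top, width, height = struct.unpack_from("<HHHH", data, pos + 1)
    if left + width > screen_w or top + height > screen_h:
        return False, "image %dx%d at (%d,%d) exceeds %dx%d logical screen" % (
            width, height, left, top, screen_w, screen_h)
    return True, "ok"


def check_bmp(data):
    """Read the pixel-data offset (bytes 10-13) as unsigned and bound it by the
    file. A decoder that reads it as a signed int sees 0xFFFFFFF0 as -16, and
    arithmetic on that value wraps when it sizes or indexes the palette."""
    if len(data) < 14 or data[:2] != b"BM":
        return False, "not a BMP header"
    file_size, offset = struct.unpack_from("<I4xI", data, 2)
    if offset < 14 or offset > file_size or offset > len(data):
        return False, "pixel offset %d outside the file" % offset
    return True, "ok"
```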

20 Web Browser Vulnerability
- Vulnerability is in the multimedia subsystem made by PacketVideo
- Due to insufficient boundary checking when playing back an MP3 file, it is possible to corrupt the process's heap and execute arbitrary code on the device
- Can allow a hacker to see data saved on the phone by the web browser and to peek at ongoing traffic
- Confined to the "sandbox"

21 General Mobile Phone Vulnerabilities
- GSM
- SMS
- MMS
- CDMA
- Bluetooth
- Wireless vulnerabilities

22 GSM Vulnerabilities
- Largest mobile network in the world
  - 3.8 billion phones on network
- David Hulton and Steve Muller
  - Developed method to quickly crack GSM encryption
  - Can crack encryption in under 30 seconds
  - Allows for undetectable eavesdropping
- Similar exploits available for CDMA phones

23 SMS Vulnerabilities
- Short Messaging System
- Very commonly used protocol
- Used to send "Text Messages"
- GSM uses 2 signal bands, 1 for "control", the other for "data". SMS operates entirely on the "control" band.
- High volume text messaging can disable the "control" band, which also disables voice calls.
- Can render entire city 911 services unresponsive.

24 MMS Vulnerabilities
- Insecure data protocol for GSM
- Extends SMS, allows for WAP connectivity
- Exploit of MMS can drain battery 22x faster
  - Multiple UDP requests are sent concurrently, draining the battery as it responds to requests
  - Does not expose data
  - Does make phone useless

25 Bluetooth Vulnerabilities
- Short range wireless communication protocol
- Used in many personal electronic devices
- Requires no authentication
- An attacker, if close enough, could take over a Bluetooth device.
- Attacker would have access to all data on the Bluetooth enabled device
- Practice known as bluesnarfing

26 Hackers for Android
- Hackers make Android stronger
- White hats want to plug holes
- Example: Browser threat reported by Independent Security Evaluators
- Jailbreak hole fixed by Google over-the-air

27 Securing a mobile platform from the ground up
Rich Cannings, Alex Stamos

28 Overview
- Why care about mobile security?
- What is Android?
- How do I develop on Android?
- Android Market
- What about Security?
- Cornerstones of Android security
  - Prevention
  - Minimization
  - Detection
  - Reaction

30 Some Statistics
- 6.77 billion people [1]
- 1.48 billion Internet enabled PCs [2]
- 4.10 billion mobile phones [1]
- Mobile phone replacement rate 12-18 month average [3]
- 1.1 billion mobile phones are purchased per year [4]
- 13.5% of mobile phone sales are smartphones [5]
- The number of smartphones will soon compare with the number of Internet enabled PCs
- [1] The World Factbook [2] [3] [4] [5]

31 Mobile Security is Getting Interesting
- Techniques for desktop analysis are more useful to smart phones
- Mobile networks can now be easily manipulated
  - From phones: Miller, Lackey, Miras at BlackHat 2009
  - From false base stations:

32-33 Mobile Security Matures
- We are now seeing attacks against all layers of mobile infrastructure:
  - Applications
  - Platform
  - OS
  - Baseband
  - Network
- Mobile devices must be treated as fully fledged computers. Do not assume they are "special".

35 The Android Platform
- Free, open source mobile platform
- Source code at
- Any handset manufacturer or hobbyist can install
- Any developer can use SDK at
- Empower users and developers

36 The Android Technology Stack
- Linux kernel
- Relies upon 90+ open source libraries
  - Integrated WebKit based browser
  - SQLite for structured data storage
  - OpenSSL
  - BouncyCastle
  - libc based on OpenBSD
  - Apache Harmony
  - Apache HttpClient
- Supports common sound, video and image codecs
- API support for handset I/O
  - Bluetooth, EDGE, 3G, wifi
  - Camera, Video, GPS, compass, accelerometer, sound, vibrator

38-40 Android Development
- Java applications are composed of:
  - Activities: Visual user interface for one focused endeavor
  - Services: Runs in the background for an indefinite period of time
  - Intents: Asynchronous messaging
    - URL dispatching on steroids
    - Glues many Activities and Services together to make an application
    - Provides interactivity between applications

41 Example Email Application

42-46 Application Lifecycle
- Designed to protect battery life
- Activities live on a stack
- Background activities can be killed at any moment
- The platform makes it easy for developers to code applications that are killed at any moment without losing state
- Helps with DoS issues

47 Android Market
- Connects developers with users
- Darwinian environment
  - Good applications excel
  - Bad applications forgotten
- ~10,000 applications on Market
- Balance of openness and security
  - Not the only way to install apps
  - Not a walled garden
- Developers self-sign applications
  - For updating
  - Uses Java's keytool and jarsigner

48 Application Signing
- Why self signing?
  - Market ties identity to developer account
  - CAs have had major problems with fidelity in the past
  - No applications are trusted. No "magic key"
- What does signing determine?
  - Shared UID for shared keys
  - Self-updates

50 Security Philosophy
- Finite time and resources
- Humans have difficulty understanding risk
- Safer to assume that
  - Most developers do not understand security
  - Most users do not understand security
- Security philosophy cornerstones
  - Need to prevent security breaches from occurring
  - Need to minimize the impact of a security breach
  - Need to detect vulnerabilities and security breaches
  - Need to react to vulnerabilities and security breaches swiftly

51 Prevent
- 5 million new lines of code
- Uses almost 100 open source libraries
- Android is open source ⇒ can't rely on obscurity
- Teamed up with security experts from
  - Google Security Team
  - iSEC Partners
  - n.runs
- Concentrated on high risk areas
  - Remote attacks
  - Media codecs
  - New/custom security features
- Low-effort/high-benefit features
  - ProPolice stack overflow protection
  - Heap protection in dlmalloc

52 dlmalloc
- Heap consolidation attack
  - Allocation meta-data is stored in band
  - Heap overflow can perform 2 arbitrary pointer overwrites
- To fix, check:
  - b->fd->bk == b
  - b->bk->fd == b

53 WebKit Heap Overflow

54 Minimize
- We cannot rely on prevention alone
  - Vulnerabilities happen
  - Users will install malware
  - Code will be buggy
- How can we minimize the impact of a security issue?
- My webmail cannot access my banking web app
  - Same origin policy
- Why can malware access my browser? my banking info?
- Extend the web security model to the OS

55 Minimize
- Traditional operating system security
  - Host based
  - User separation
- Mobile OSes are for single users
  - User separation is like a "same user policy"
  - Running each application in its own UID is like a "same application policy"
- Privilege separation
  - Make privilege separation relatively transparent to the developer

56 Application Sandbox
- Each application runs within its own UID and VM
  - Default privilege separation model
- Instant security features
  - Resource sharing: CPU, Memory
  - Data protection: FS permissions
  - Authenticated IPC: Unix domain sockets
- Place access controls close to the resource, not in the VM

57 Application Sandbox
- Place access controls close to the resource
  - Smaller perimeter ⇒ easier to protect
- Default Linux applications have too much power
  - Lock down user access for a "default" application
- Fully locked down applications limit innovation
- Relying on users making correct security decisions is tricky

58 Permissions
- Whitelist model
  - Allow minimal access by default
  - Allow for user accepted access to resources
- Ask users fewer questions
- Make questions more understandable
- 194 permissions
  - More ⇒ granularity
  - Less ⇒ understandability

59 More Privilege Separation
- Media codecs are very complex ⇒ very insecure
- Won't find all the issues in media libraries
- Banish OpenCore media library to a lesser privileged process: mediaserver
- Immediately paid off
  - Charlie Miller reported a vulnerability in our MP3 parsing
  - oCERT

60 Detect
- A lesser-impact security issue is still a security issue
- Internal detection processes
  - Developer education
  - Code audits
  - Fuzzing
  - Honeypot
- Everyone wants security ⇒ allow everyone to detect issues
  - Users
  - Developers
  - Security Researchers

61 External Reports
- Patrick McDaniel, William Enck, Machigar Ongtang: Applied formal methods to access SMS and Dialer
- Charlie Miller, John Hering: Outdated WebKit library with PCRE issue
- XDA Developers: Safe mode lock screen bypass
- Charlie Miller, Collin Mulliner: MP3, SMS fuzzing results
- Panasonic, Chris Palmer: Permission regression bugs
- If you find a security issue, please

62 User Reporting

63 A User Report
- MemoryUp: mobile RAM optimizer
  - faster, more stable, more responsive, less waiting time
  - not quite

64 React
- Autoupdaters are the best security tool since Diffie-Hellman
- Every modern operating system should be responsible for:
  - Automatically updating itself
  - Providing a central update system for third-party applications
- Android's Over-The-Air update system (OTA)
  - User interaction is optional
  - No additional computer or cable is required
  - Very high update rate

65 Shared UID Regression
- Malware does not hurt computers, malware authors do
- Shared UID feature
  - Two applications are signed ⇒ can share UIDs
  - More interactivity
- Panasonic reported that shared UID was broken
  - If the user installs malware, then the attacker could share UIDs with an existing installed app, like the browser
  - Breaks Application Sandbox

66 Update Process
- 2009-05-14 Panasonic reported the issue
- Patched the issue, wrote regression tests
- Kicked off internal audit
- Built and tested every flavour of Android
- Coordinated a public response with the reporter, carriers, PR and oCERT
- Received critical-mass approval
- OTAed users, rolled out patches to factories, SDK, and open source
- Released advisory (oCERT )

67 Not over yet!
- 2009-07-06 Completed audit and tests
- Coordinated a public response with carriers, PR and oCERT
- Received critical-mass approval
- OTAed users, rolled out patches to factories, SDK, and open source
- Released advisory (oCERT )

68 Conclusion
- Security is an ongoing process, not a checkbox
- Process
  - Prevent
  - Minimize
  - Detect
  - React

69 Questions?
- Want to contribute code? Visit http://source.android.com
  - Add me as a code reviewer!
- Want to write an Android application? Visit
- Want to us? We are both hiring

70 References
- Found a security issue? Email security@android.com
- William Enck and Patrick McDaniel, Understanding Android's Security Framework, 2010, siis.cse.psu.edu/android-tutorial.html (source code: android-sec-tutorial-src.tar.gz)
- Ryan Selley, Swapnil Shinde, Michael Tanner, Madhura Tipnis, Colin Vinson, Vulnerability Study of the Android
- Jesse Burns, Mobile Application Security On Android, Black Hat, files/iSEC_Securing_Android_Apps.pdf
- Rich Cannings, Alex Stamos, Securing a mobile platform from the ground up

