Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security of Mobile Applications Vitaly Shmatikov CS 6431.

Published byIsabella Dickerson Modified over 8 years ago

Similar presentations

Presentation on theme: "Security of Mobile Applications Vitaly Shmatikov CS 6431."— Presentation transcript:

1 Security of Mobile Applications Vitaly Shmatikov CS 6431

2 Structure of Android Applications  This is a very brief and incomplete summary See Enck et al. “Understanding Android Security”  Applications include multiple components Activities: user interface Services: background processing Content providers: data storage Broadcast receivers for messages from other apps  Intent: primary messaging mechanism for interaction between components slide 2

3 Explicit Intents slide 3 Yelp Map App Name: MapActivity To: MapActivity Only the specified destination receives this message

4 Implicit Intents slide 4 Yelp Map App Handles Action: VIEW Implicit Intent Action: VIEW Browser App Handles Action: VIEW

5 Android Security Model  Based on permission labels assigned to applications and components  Every app runs as a separate user Underlying Unix OS provides system-level isolation  Reference monitor in Android middleware mediates inter-component communication slide 5 Access permitted if labels assigned to the invoked component are in the collection of invoking component

6 Mandatory Access Control  Permission labels are set (via manifest) when app is installed and cannot be changed  Permission labels only restrict access to components, they do not control information flow – means what?  Apps may contain “private” components that should never be accessed by another app (example?)  If a public component doesn’t have explicit permissions listed, it can be accessed by any app slide 6

7 System API Access  System functionality (eg, camera, networking) is accessed via Android API, not system components  App must declare the corresponding permission label in its manifest + user must approve at the time of app installation  Signature permissions are used to restrict access only to certain developers Ex: Only Google apps can directly use telephony API slide 7

8 Refinements  Permission labels on broadcast intents Prevents unauthorized apps from receiving these intents – why is this important?  Pending intents Instead of directly performing an action via intent, create an object that can be passed to another app, thus enabling it to execute the action Invocation involves RPC to the original app Introduces delegation into Android’s MAC system slide 8

9 Unique Action Strings slide 9 Common developer pattern Showtime Search Results UI IMDb App Handles Actions: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes

10 Eavesdropping slide 10 [Felt et al. “Analyzing Inter-Application Communication in Android”. Mobisys 2011] Showtime Search Malicious Receiver IMDb App Handles Action: willUpdateShowtimes, showtimesNoLocationError Implicit Intent Action: willUpdateShowtimes Eavesdropping App

11 Intent Spoofing slide 11 [Felt et al.] Malicious Component Results UI IMDb App Handles Action: willUpdateShowtimes, showtimesNoLocationError Action: showtimesNoLocationError Malicious Injection App Also man-in-the-middle

12 System Broadcast slide 12 [Felt et al.] Component App 1 Handles Action: BootCompleted Component App 2 Handles Action: BootCompleted Component App 3 System Notifier Action: BootCompleted Event notifications broadcast by the system (can’t be spoofed) Broadcast receivers make components publicly accessible

13 Exploiting Broadcast Receivers slide 13 [Felt et al.] Handles Action: BootCompleted Malicious Component Malicious App Component App 1 To: App1.Component

14 Real World Example: ICE slide 14 [Felt et al.] Allows doctors access to medical information on phones Contains a component that listens for the BootCompleted system broadcast On receipt of this intent, exits the app and locks the screen

15 Permissions: Not Just Android slide 15 All mobile OSes, HTML5 apps, browser extensions…

16 Permission Re-Delegation  An application with a permission performs a privileged task on behalf of an application without permission slide 16 [Felt et al. “Permission Re-Delegation: Attacks and Defenses”. USENIX Security 2011] API Malware Settings app TurnOnWifi() Permission System turnOnWifi() API Permission System Public service for receiving UI messages pressButton(0) Malware Settings app turnOnWifi() User pressed button

17 Examples of Re-Delegation  Permission re-delegation is an example of a “confused deputy” problem  The “deputy” app may accidentally expose privileged functionality…  … or intentionally expose it, but the attacker invokes it in a surprising context Example: broadcast receivers in Android  … or intentionally expose it and attempt to reduce the invoker’s authority, but do it incorrectly Remember postMessage origin checks? slide 17 [Felt et al.]

18 Mobile Apps in Web Languages slide 18

19 Hybrid App Development slide 19

20 WebView  Embedded browser in smartphone apps  Basic same origin policy inside the browser + holes in the browser sandbox allowing Web code to invoke native functionality Camera, contacts, file system, etc.  Multiple “bridges” between Web and local code JavaScript interfaces to local objects Interception of browser events (eg, special URLs) Other custom and ad-hoc schemes slide 20 [Luo et al. “Attacks on WebView in the Android System”. ACSAC 2011]

21 Invoking Java from JavaScript slide 21 [Luo et al.]

22 Invoking JavaScript from Java slide 22 [Luo et al.]

23 The Hybrid Security Model slide 23

24 Attacks from Malicious App slide 24 [Luo et al.] JavaScript injection Event sniffing and hijacking

25 Attack from Malicious Web Content slide 25 [Luo et al.]

26 Frame Confusion slide 26 [Luo et al.] What is the origin of this JavaScript object?

27 Android Java code It Gets Worse slide 27 [Luo et al.] Java Reflection API… accessible from Web side

28 Showing this content is Ok, only native access should be blocked Simple Fixes Don’t Work  Most hybrid frameworks don’t even attempt to verify whether access request comes from an authorized Web origin  PhoneGap attempts to filter based on developer-provided whitelist Mediation either incomplete (does not catch iframe loads) or too strict (prohibits even loading of content from other origins, breaks look-and-feel) Incorrect origin checks –Broken regexes bite again – anchoring bugs, etc. slide 28 [Georgiev et al. “Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks”. NDSS 2014]

29 State of the Union  Convergence of Web and mobile programming  Complex, poorly understood software stacks with badly fitting security policies  New classes of vulnerabilities Worst case: Web advertiser gets to inject arbitrary code into mobile apps running on your phone!%#$!  Evolving defenses Our capability-based NoFrak defense is being integrated into PhoneGap, but that’s just the first step… slide 29

Download ppt "Security of Mobile Applications Vitaly Shmatikov CS 6431."

Similar presentations

Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.

Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.

Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.
Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Software Security Goes Mobile Jacob.

©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Software Security Goes Mobile Jacob.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.

The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
Android 101 Application Fundamentals January 29, 2010.

Android 101 Application Fundamentals January 29, 2010.
Mobile Application Development

Mobile Application Development
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Android Overview Android (Google) is a widely anticipated open source operating system for mobile devices, Supporting Bluetooth ( wireless for short distance)

Android Overview Android (Google) is a widely anticipated open source operating system for mobile devices, Supporting Bluetooth ( wireless for short distance)
Emerging Platform#4: Android Bina Ramamurthy.  Android is an Operating system.  Android is an emerging platform for mobile devices.  Initially developed.

Emerging Platform#4: Android Bina Ramamurthy.  Android is an Operating system.  Android is an emerging platform for mobile devices.  Initially developed.
Android Middleware Bo Pang Bpang@cc.hut.fi.

Android Middleware Bo Pang
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.
2015. 4. 28 박 종 혁 컴퓨터 보안 및 운영체제 연구실 MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications,

박 종 혁 컴퓨터 보안 및 운영체제 연구실 MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications,
Detecting and Preventing Privilege- Escalation on Android Jiaojiao Fu 1.

Detecting and Preventing Privilege- Escalation on Android Jiaojiao Fu 1.
Lecture 4 Page 1 CS 236 Online Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 4 Page 1 CS 236 Online Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Authors: William Enck The Pennsylvania State University Peter Gilbert Duke University Byung-Gon Chun Intel Labs Landon P. Cox Duke University Jaeyeon Jung.

Authors: William Enck The Pennsylvania State University Peter Gilbert Duke University Byung-Gon Chun Intel Labs Landon P. Cox Duke University Jaeyeon Jung.

Similar presentations

Ads by Google