Android Security
Transcript of Android Security
Android Security
Robin De Croon
Lars Jacobs
[H05D9a] Cryptography and Network Security: lecture
prof. dr. ir. Bart Preneel
Content
• Introduction
• System and Kernel Level Security
• User Security Features
• Android Application Security
• Recent Security Problems
• Demo
May 8, 2013 2
Introduction
• All data located on your smartphone
  • Passwords
  • Photos
  • (Text) messages
  • Medical records
  • …
• Smartphone cannot trust anyone
• Android secure?
  • Open source is safer (Hoepman et al.)
Distribution of mobile malware by platform in 2012 (chart)
Mobile threats motivated by profit, by year (chart)
Android Versions (chart)
Android Software Stack (figure)
System and Kernel Level Security
Apps & Processes
• Own Linux process + user ID → sandbox!
  • Data is protected from other apps
  • Secure IPC
• API calls are authorized according to permissions
• Hardware access is authorized by group membership
• Java, native, WebKit
Bootloader
• Bootloader is locked by default
• Boot process
• Signature check
Memory management
• A lot of memory corruption bugs → attacker can control the program
• Improvements
  • No eXecute (NX) (since Android 2.3)
  • Address Space Layout Randomization (ASLR) (since Android 4.0)
  • Position Independent Executables (PIE) (since Android 4.1)
  • FORTIFY_SOURCE (since Android 4.2)
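A check that goes with this slide: does a native binary actually carry the PIE linkage and the non-executable stack marking the platform relies on? This is an added example of mine, not code from the slides: it reads the ELF header and the PT_GNU_STACK program header directly, and `build_test_elf` fabricates a minimal (non-loadable) ELF64 image so it runs offline without a real binary.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that records the requested stack permissions
PF_X = 0x1                 # executable bit in p_flags
ET_DYN = 3                 # PIE executables are linked as ET_DYN, like shared objects


def check_elf_mitigations(data: bytes) -> dict:
    """Report whether an in-memory ELF image is PIE and asks for a non-executable stack."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    nx = False  # no PT_GNU_STACK at all: treat as executable stack (conservative reading)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            # p_flags sits at +4 in a 64-bit program header and at +24 in a 32-bit one
            p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx}


def build_test_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed minimal ELF64 little-endian image with one PT_GNU_STACK header.
    It is not loadable; it exists only to exercise the parser offline."""
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 0xB7, 1, 0, 64, 0, 0,
                       64, 56, 1, 0, 0, 0)  # e_phoff=64, e_phentsize=56, e_phnum=1
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # With a path argument, inspect a real binary; otherwise run on the constructed images.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(check_elf_mitigations(f.read()))
    else:
        print("PIE, RW stack:", check_elf_mitigations(build_test_elf(ET_DYN, 0x6)))
        print("non-PIE, RWX stack:", check_elf_mitigations(build_test_elf(2, 0x7)))
```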
Randomization in Android 2.3 (screenshot)
Randomization in Android 4.0 (screenshot)
Randomization in Android 4.1 (screenshot)
Rooting
• Default: no root access
• Possible through ‘su’ binary
• Bootloader unsafe
• Root apps can do ANYTHING
Latest versions of Android
User Security Features
Device protection
• Screen lock
  • Face unlock, pattern, PIN, passcode, …
• File encryption
  • 128-bit AES in CBC mode with ESSIV:SHA256
  • Master key encrypted with 128-bit AES via the openssl library
Passwords are hashed
• Salt saved on device
  • /data/data/com.android.providers.settings.databases
  • /data/system/locksettings.db
• ‘Easily’ brute forced, even with the salt
• Keys are stored in software!
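To make the ‘easily brute forced’ point measurable, here is an added example of mine, not code from the slides. `android4_password_hash` reproduces the lock-screen construction as I know it from the AOSP `LockPatternUtils.passwordToHash` code of that era (an assumption, since the slide does not state the scheme): one SHA-1 and one MD5 over password + salt, no iteration. `seconds_to_exhaust` extrapolates how long one core needs to sweep the 4-digit PIN space with that scheme versus a deliberately slow PBKDF2; the salt value is constructed.

```python
import hashlib
import hmac
import os
import time


def android4_password_hash(password: str, salt_hex: str) -> str:
    """Android 4.x lock-screen scheme (assumption: AOSP LockPatternUtils.passwordToHash):
    uppercase hex SHA-1(password + salt) followed by uppercase hex MD5(password + salt),
    where salt is the hex form of a random 64-bit value kept in the settings database."""
    salted = (password + salt_hex).encode()
    return (hashlib.sha1(salted).hexdigest() + hashlib.md5(salted).hexdigest()).upper()


def verify_android4(candidate: str, salt_hex: str, stored: str) -> bool:
    """Constant-time comparison of a candidate against the stored 72-character hash."""
    return hmac.compare_digest(android4_password_hash(candidate, salt_hex), stored)


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Defensive alternative: a deliberately slow KDF raises the cost of every offline guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def seconds_to_exhaust(hash_fn, keyspace: int, trials: int) -> float:
    """Time `trials` evaluations of hash_fn and extrapolate to sweeping the whole keyspace."""
    t0 = time.perf_counter()
    for i in range(trials):
        hash_fn(str(i).zfill(4))
    return (time.perf_counter() - t0) / trials * keyspace


if __name__ == "__main__":
    salt_hex = "%x" % int.from_bytes(os.urandom(8), "big")   # constructed salt
    pin_space = 10 ** 4                                      # 4-digit numeric PIN
    fast = seconds_to_exhaust(lambda p: android4_password_hash(p, salt_hex), pin_space, 1000)
    slow = seconds_to_exhaust(lambda p: slow_hash(p, salt_hex.encode()), pin_space, 5)
    print(f"SHA-1||MD5 scheme: ~{fast:.2f} s to try every 4-digit PIN on one core")
    print(f"PBKDF2-HMAC-SHA256, 100k iterations: ~{slow:.0f} s for the same sweep")
```

The salt only defeats precomputed tables; it does nothing for per-guess cost, which is why a short PIN under a fast hash falls quickly once the database is copied off the device.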
Android source code
Android Application Security
Android Permissions
• Accessing protected APIs
  • Location (GPS), camera, Bluetooth, telephony, SMS/MMS, network/data
• Defined in AndroidManifest.xml
Play Store security
• App is self-signed
• Bouncer
  • Online version
  • Local version (since Android 4.2)
• App encryption
  • Introduced in Android 4.1
  • Shut down due to bugs
Cryptographic APIs
• Primitives
  • AES, DSA, RSA, SHA
• Higher level
  • SSL, HTTPS
• Virtual Private Network
  • IPsec
Recent Security Problems
SMS problems
• Smishing
  • http://www.youtube.com/watch?v=baWeMbGatfs
• SMS to premium services
  • F-Secure Mobile Threat Report Q4 2012
  • Kaspersky Security Bulletin 2012
Exynos Exploit
• Exynos 4210 and 4412 processors
  • Sprint Galaxy S II, Galaxy S II, Galaxy S3, Galaxy Note, Galaxy Note 2, Galaxy Tab 2, Galaxy Note 10.1, Galaxy Camera
• Kernel: /dev/exynos-mem readable and writable by all users → access to all physical memory
• ExynosAbuse.apk
Demo
References
• F-Secure, “Mobile Threat Report Q4 2012”, http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q4%202012.pdf
• Google, “Android Platform Versions”, http://developer.android.com/about/dashboards/index.html#Platform
• Google, “Android Security Overview”, http://source.android.com/tech/security/#android-application-security
• S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgärtner, and B. Freisleben, “Why Eve and Mallory Love Android”, in Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS ’12), New York, NY, USA, p. 50, ACM Press, 2012.
• J.-H. Hoepman and B. Jacobs, “Increased Security Through Open Source”, Communications of the ACM, vol. 50, pp. 79–83, Jan. 2007.
• Matthias Lange, “State of the Union: Android Security Overview – Is Android the New XP?”, http://de.droidcon.com/2013/sessnio/state-union-android-security-overview-android-new-xp
• Xuxian Jiang, “Smishing Vulnerability in Multiple Android Platforms”, http://www.cs.ncsu.edu/faculty/jiang/smishing.html
• A. Shabtai, “Google Android: A Comprehensive Security Assessment”, IEEE Security & Privacy, vol. 8, pp. 35–44, March–April 2010.
• A. Barresi and P. Somogyvari, “Android Security – An Introduction”, www.youtube.com/watch?v=OOFzu2J3EBY
• Kaspersky, “Kaspersky Security Bulletin 2012”, https://www.securelist.com/en/analysis/204792255/Kaspersky_Security_Bulletin_2012_The_overall_statistics_for_2012