Android system security
Android System Security
C.K.Chen 2014/09/02

Outline
• Some news about android threat
• Android Threat Model
  – Attack from Computer
  – Attack from Firmware
  – NFC Security
  – Bluetooth Security
• Malicious APP
• Summary
Vulnerability

Android Threat Model

Attack from Computer
• Gaining root access
  – Official: simulate a screen tap event on the OEM unlock menu on selected devices.
  – Universal: Linux local root exploit (CVE-2009-1185 RLIMIT_NPROC exhaustion) sent via USB
• Insert malicious payload
  – Kernel: disassemble the boot partition, replace the kernel zImage with a malicious one
• Optionally unroot back to avoid detection

Attack from Computer
• Kernel manipulation
• Native ARM ELF binary, bypassing Android framework permission checking.
• In sum, a complete phone provisioning process, fully automated, with an evil payload.

Attack from Firmware
• Customize firmware
  – Distributed by network
  – Pay manufacturers to include the malware
  – Some manufacturers used firmware images from the internet

NFC Security
• Near field communication (NFC) is a set of standards
  – For smartphones and similar devices to establish radio communication
  – By touching them together or bringing them into proximity, usually no more than a few centimeters.

NFC Security
• No link level security (wireless not encrypted)
  – Eavesdropping (sniffing)
  – Man-in-the-middle
  – Data: Modification, Corruption, Insertion
• Tamper with NFC/RFID tags
  – Modify original tag
  – Replace with malicious tag

Bluetooth Security
• Bluetooth is a wireless technology standard for exchanging data over short distances

Bluetooth Security
• General software vulnerabilities
• Eavesdropping
  – Older Bluetooth devices use versions of the Bluetooth protocol that have more security holes
• Denial of service
• Bluetooth range is greater than you think
  – Bluetooth is designed to be a “personal area network.”
  – Hackers have been known to use directional, high-gain antennae to successfully communicate over much greater distances.
  – For example, security researcher Joshua Wright demonstrated the use of such an antenna to hack a Bluetooth device in a Starbucks from across the street.

Attack Webkit
• WebKit is a layout engine software component for rendering web pages in web browsers.
• Basis of web-based applications

Attack Webkit
[Diagram: Malicious Website; 1. connect; 2. Send malicious content; Do something bad]

Attack Webkit
• https://www.youtube.com/watch?v=czx_AKdj8ug

MMS
• Multimedia Messaging Service
  – A standard way to send messages that include multimedia content to and from mobile phones
  – It extends the core SMS (Short Message Service) capability that allowed exchange of text messages

MMS Flow (Intra-carrier)

MMS Attack Vectors
• MMS Attack Vectors
  – Message Headers
  – MMS uses many types of messages: SMS, WAP, WSP
• Message contents
  – SMIL
    • Markup language to describe content
  – Rich content
  – Images
  – Audio/Video

MMS Security
• Mobile phone messaging is a unique attack surface
  – Always on
• Functionality becoming more feature rich
  – Ringtones
  – Videos
  – Pictures
• Technical hurdles for attackers are dropping
  – Easily modified phones
• Functionality at higher layers

Implementation Vulnerability
• Android flaw in parsing UDH for concatenated messages
  – Concatenated messages have a sequence number. Valid range is 01-FF.
    • Setting sequence to 00 triggers an unhandled invalid array exception.
• Impact: Crashed com.android.phone process on Android G1
  – Disables all radio activity on the phone.
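
A defensive parser for the concatenation element of the SMS User Data Header shows the check whose absence the slide above describes. This is an added example, not code from the slides or from Android; the function names and sample bytes are constructed, the user data is assumed to start at the UDH length byte, and the bound on the sequence number (1..total) is a stricter choice than the 01-FF range on the slide.

```python
IEI_CONCAT_8BIT = 0x00    # element data: ref, total, seq
IEI_CONCAT_16BIT = 0x08   # element data: ref (2 bytes), total, seq
# Constructed samples: UDHL=05 IEI=00 IEDL=03 ref=A7 total=02, then seq=01 / seq=00
GOOD, BAD = bytes.fromhex("050003A70201") + b"hi", bytes.fromhex("050003A70200") + b"hi"

class UDHError(ValueError):
    """Malformed header; the caller should drop the segment."""

def parse_concat_info(user_data: bytes):
    """Return (ref, total, seq) for a concatenated segment, None if the
    header has no concatenation element; raise UDHError on bad input."""
    if not user_data or user_data[0] > len(user_data) - 1:
        raise UDHError("missing or truncated header")
    udhl = user_data[0]                      # header length, excluding itself
    header, pos = user_data[1:1 + udhl], 0
    while pos < len(header):
        if pos + 2 > len(header):
            raise UDHError("truncated information element")
        iei, iedl = header[pos], header[pos + 1]
        data = header[pos + 2:pos + 2 + iedl]
        if len(data) != iedl:
            raise UDHError("element length exceeds header")
        pos += 2 + iedl
        if iei not in (IEI_CONCAT_8BIT, IEI_CONCAT_16BIT):
            continue                         # unrelated element: skip it
        if iedl != (3 if iei == IEI_CONCAT_8BIT else 4):
            raise UDHError("concatenation element has wrong length")
        ref, total, seq = int.from_bytes(data[:-2], "big"), data[-2], data[-1]
        # seq becomes the 1-based slot index during reassembly, so 00 and
        # anything above total is rejected here instead of being indexed.
        if total == 0 or not 1 <= seq <= total:
            raise UDHError(f"sequence {seq:#04x} outside 1..{total}")
        return ref, total, seq
    return None

def store_segment(slots: dict, user_data: bytes) -> bool:
    """Reassembly step: file the segment under its reference, or drop it."""
    try:
        info = parse_concat_info(user_data)
    except UDHError:
        return False                         # dropped; the process keeps running
    if info is not None:
        ref, total, seq = info
        parts = slots.setdefault(ref, [None] * total)
        if len(parts) != total:
            return False                     # total changed mid-message
        parts[seq - 1] = user_data[1 + user_data[0]:]
    return True
```

Rejecting the segment in the parser keeps the failure local: a malformed header costs one dropped message instead of an uncaught exception in the process that owns the radio.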

MMS Attack

Malicious APP
• Many attack methods must go through a malicious app

APP Permission
• Malicious apps often declare more permissions
  android.permission.SEND_SMS / RECEIVE_SMS
  android.permission.SYSTEM_ALERT_WINDOW
  android.permission.READ_CONTACTS / WRITE_CONTACTS
  android.permission.READ_CALENDAR / WRITE_CALENDAR
  android.permission.CALL_PHONE
  android.permission.READ_LOGS
  android.permission.ACCESS_FINE_LOCATION
  android.permission.GET_TASKS
  android.permission.RECEIVE_BOOT_COMPLETED
  android.permission.CHANGE_WIFI_STATE
  com.android.browser.permission.READ_HISTORY_BOOKMARKS / WRITE_HISTORY_BOOKMARKS

Confused Deputy Attack

Repackage APK
• A fake app that clones the code from the original one
  – And adds some malicious code
  – Changes the ad library

Privilege Escalation
• Two or more malicious apps
  – Each has few permissions and seems harmless
  – By communicating through intents, these apps achieve malicious behaviors that require higher permissions
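
A static check over a decoded AndroidManifest.xml can surface both patterns from the "APP Permission" and "Privilege Escalation" slides: requested permissions from the slide's list, and components another app can reach through an intent without holding any permission. This is an added example, not from the original slides; the sample manifest, package name and function name are constructed, and it assumes the pre-Android 12 default that a component with an intent filter is exported.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Permissions named on the "APP Permission" slide.
WATCHLIST = {"android.permission." + p for p in (
    "SEND_SMS RECEIVE_SMS SYSTEM_ALERT_WINDOW READ_CONTACTS WRITE_CONTACTS "
    "READ_CALENDAR WRITE_CALENDAR CALL_PHONE READ_LOGS ACCESS_FINE_LOCATION "
    "GET_TASKS RECEIVE_BOOT_COMPLETED CHANGE_WIFI_STATE").split()}
WATCHLIST |= {"com.android.browser.permission." + p
              for p in ("READ_HISTORY_BOOKMARKS", "WRITE_HISTORY_BOOKMARKS")}
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (decoded text form), not from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".Main" android:exported="false"/>
    <service android:name=".Relay">
      <intent-filter><action android:name="com.example.flashlight.SEND"/></intent-filter>
    </service>
    <receiver android:name=".Boot" android:exported="true"
        android:permission="com.example.flashlight.INTERNAL"/>
  </application>
</manifest>"""

def audit_manifest(xml_text: str) -> dict:
    """Report watchlisted permissions and components other apps can reach."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NS + "name") for e in root.iter("uses-permission")}
    app, unguarded = root.find("application"), []
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(NS + "exported")
        # Assumed default (before Android 12): an intent filter implies exported.
        reachable = exported == "true" or (
            exported is None and comp.find("intent-filter") is not None)
        guard = comp.get(NS + "permission") or app.get(NS + "permission")
        if reachable and not guard:
            unguarded.append(comp.get(NS + "name"))
    flagged = sorted(requested & WATCHLIST)
    # An app that holds sensitive permissions and exposes an unguarded entry
    # point can be driven by a caller that holds none of them.
    return {"package": root.get("package"), "watchlist": flagged,
            "unguarded": sorted(unguarded),
            "deputy_risk": bool(flagged and unguarded)}
```

A `deputy_risk` hit is a prompt for manual review of what the unguarded component does with incoming intents, not proof of malice.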

Mitigate the Threat
• For the user
  – Update to the newest version
    • Android
    • APP
  – Close unused services
  – Install apps that you trust

Mitigate the Threat
• For the Developer
  – Basic Security Concept
  – Code Review
  – Penetration Test
  – Keep up with the newest attacks

Summary
• First, we shared some security news about Android
• With so many interfaces for communication, the attack surface is becoming wider
• The threat model of Android was discussed
• Numerous attack methods were introduced
• Some easy guidelines were proposed for users and developers

Q&A

The New Attack
• While we have already talked about some general attacks
  – But attackers’ methods change with time, becoming more specialized and more sophisticated
  – Currently, numerous Android security flaws are presented at security conferences

UI State Inference Attack
• Attacker can guess which Activity is currently viewed by the user
  – Try to hijack the Activity
  – Do something bad
• Demo video

Recognizing Speech From Gyroscope Signals
• A gyroscope is a device for measuring or maintaining orientation

Recognizing Speech From Gyroscope Signals
• Gyroscope access is a low-level permission for an app
  – User may ignore it
• While speech recording is a dangerous permission
• Researchers show that it is possible to recover speech from gyroscope information

Exploit Update Mechanism
• New OS version presumably fixes security loopholes and enhances the system’s security protection
• Automatically acquire significant capabilities without users’ consent once they upgrade to newer versions!
  – automatically obtaining all new permissions added by the newer version OS
  – replacing system-level apps with malicious ones
  – injecting malicious scripts into arbitrary webpages

Exploit Update Mechanism
• It exploits the flaws in the updating mechanism of the “future” OS, which the current system will be upgraded to
• Demo video

Security Risks in Customizations
• For each new Android version, Google first releases it to mobile phone vendors, allowing them to add their apps, device drivers and other new features to their corresponding Android branches.
• Recent studies show that many pre-loaded apps on those images are vulnerable, leaking system capabilities or sensitive user information to unauthorized parties.
2014/5/19 42

Security Risks in Customizations
• The security risks here, however, go much deeper than those on the app layer.
• Particularly, they almost always need to modify a few device drivers (e.g., for camera, audio, etc.) and related system settings to support their hardware.

Security Risks in Customizations
• Device drivers work on the Linux layer and communicate with Android users through framework services.
• Therefore, any customization on an Android device needs to make sure that it remains well protected at both the Linux and framework layers.
• However, vendors usually don't have the time to properly address such problems.

The Peril of Fragmentation
• Android devices contain a large piece that is customized by the vendor
  – Kernel
  – Firmware
• For ease of programming, some security policies are broken
• DEMO Video