
Tutorial on Smartphone Security

Wenliang (Kevin) Du

Professor

wedu@syr.edu

Smartphone Usage

Smartphone Applications

Overview

» Built-in Protections (iOS and Android)

» Jailbreaking and Rooting

» Security Risks

» Malware

» Suggestions

Protections: Apple versus Google

» Approval Processes

» Access Control

» Data Protection

Approval Process

[Diagram] Apps → Apple (code review, testing, etc.) → App Distribution → Installation. Apps → Other 3rd-party stores → Installation.

Apple’s App Development Process

[Diagram] App Developer → Registration → Certificate issued by Apple (provides accountability and code integrity) → App development.

Public Key Encryption and PKI

» Traditional Encryption: Secret Key Encryption

> The same key is used for encryption and decryption

> The key must be secret

> Algorithms: AES, DES

» Public Key Encryption

> Public Key: public, used for encryption

> Private key: secret, used for decryption

> Algorithms: RSA

Public Key Encryption

[Diagram] Public Key: KeyPub; Private Key: KeyPriv. Senders encrypt messages M1, M2, M3 with KeyPub (e.g. Enc(M2)); decryption uses KeyPriv, so only its holder can read them.

Algorithm: RSA, ElGamal

Digital Signature using Public Key

[Diagram] Public Key: KeyPub; Private Key: KeyPriv. Alice computes Signature from (M, KeyPriv). Anyone holding KeyPub can check (M, Signature) and verify that M was written by Alice; a modified message M’ presented with the same Signature fails the check, so M’ is NOT written by Alice.

Algorithm: RSA, ElGamal, DSA

Digital Signature using Public Key

[Diagram] Du signs his code with Du’s private key, producing digital signature S. With Du’s public key, everybody can verify whether the code is written by Du or not.

Question: How do you know the public key is Du’s?

Digital Certificate and PKI

[Diagram] Example: VeriSign. The message M = (Public Key, Name: Kevin Du, some other information) is signed with VeriSign’s private key, producing digital signature S. Verification, by everybody, uses VeriSign’s public key, which is usually preloaded in browsers and OSes.

Digital Certificate:

» Public Key

» Name: Kevin Du

» Some other information

» VeriSign’s Signature

The Whole Process

Weakness of PKI

» We trust CAs (Certificate Authorities)

» CAs can be compromised

> July 10 – July 20, 2011: DigiNotar’s system was hacked

> 500 rogue certificates were issued by the hackers

– Google, Skype, Mozilla, Microsoft

> Microsoft removed this CA from its OS

> Google and Mozilla blocked all of DigiNotar’s digital certificates

> DigiNotar filed for bankruptcy in September 2011.
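The signature and certificate chain sketched in the slides above, and the effect of removing a compromised CA from the trust store (the DigiNotar case), as an added example that is not part of the lecture notes: textbook RSA over SHA-256 digests, with a toy certificate that binds a name to a public key under a CA's signature. All key values are generated at run time; the names, the `|`-separated certificate encoding and the helper names (`issue_certificate`, `verify_signed_code`) are constructed for this example.

```python
import hashlib
import random
from math import gcd

# Added example, not from the lecture notes. Textbook RSA (no padding) keeps the
# whole sign / verify / certificate flow visible; real code signing uses a padded
# scheme such as RSA-PSS from a vetted library, with the same chain of checks.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(bits=512):
    """Return ((n, e), (n, d)): KeyPub and KeyPriv in the slides' notation."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))

def digest(message: bytes) -> int:
    # SHA-256 is 256 bits, so the digest is always below the 512-bit modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(digest(message), d, n)

def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest(message)

def cert_bytes(name: str, public_key) -> bytes:
    # Constructed encoding of the to-be-signed certificate fields.
    return f"{name}|{public_key[0]}|{public_key[1]}".encode()

def issue_certificate(ca_private_key, name: str, subject_public_key) -> dict:
    """The CA (VeriSign in the slides) binds a name to a public key."""
    return {
        "name": name,
        "public_key": subject_public_key,
        "ca_signature": sign(ca_private_key, cert_bytes(name, subject_public_key)),
    }

def verify_signed_code(trusted_cas, cert, expected_name, code: bytes, code_sig: int) -> bool:
    """Verifier side. trusted_cas plays the role of the CA keys preloaded in a
    browser or OS; dropping a CA from this list is what Microsoft, Google and
    Mozilla did to DigiNotar."""
    to_be_signed = cert_bytes(cert["name"], cert["public_key"])
    if not any(verify(ca_pub, to_be_signed, cert["ca_signature"]) for ca_pub in trusted_cas):
        return False  # no trusted CA vouches for this public key
    if cert["name"] != expected_name:
        return False  # valid certificate, but for somebody else
    return verify(cert["public_key"], code, code_sig)

if __name__ == "__main__":
    ca_pub, ca_priv = generate_keypair()
    du_pub, du_priv = generate_keypair()
    cert = issue_certificate(ca_priv, "Kevin Du", du_pub)
    code, sig = b"constructed app binary", sign(du_priv, b"constructed app binary")
    rogue_pub, rogue_priv = generate_keypair()  # a compromised CA issuing a rogue cert
    rogue_cert = issue_certificate(rogue_priv, "Kevin Du", du_pub)
    print("genuine:", verify_signed_code([ca_pub], cert, "Kevin Du", code, sig))
    print("tampered:", verify_signed_code([ca_pub], cert, "Kevin Du", code + b"!", sig))
    print("rogue CA distrusted:", verify_signed_code([ca_pub], rogue_cert, "Kevin Du", code, sig))
    print("rogue CA still trusted:", verify_signed_code([ca_pub, rogue_pub], rogue_cert, "Kevin Du", code, sig))
```

The last two lines of the demo are the point of the "Weakness of PKI" slide: a rogue certificate verifies perfectly as long as the compromised CA's key is still in the trust store, and the only defence the relying party has is to remove that key.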


Google’s App Development Process

[Diagram] App Developer → App development → Certificate. Two options: a certificate issued by a trusted party (accountability, code integrity), or an anonymous, self-signed certificate (no accountability, no code integrity).

Only for Android Market, not for 3rd-party markets.

Access Control

» We’ve learned: downloaded programs are dangerous

> Viruses, worms

> Trojans, backdoors

» Apps are downloaded programs.

» Need to control their access.

Unix Security Basics: Users

» Normal Users

> uid: user ID

> Users are separated from each other

» Root Users (Administrator, Superuser)

> uid = 0

> Root has all the privileges

> if (uid ==0) do privileged operations

Unix File Permission

-rwxr-x--- 2 richard staff 12040 Aug 20 1996 mydata.txt

rwx = owner (richard), r-x = group (staff), --- = others

Access Control

[Diagram] System Resources (e.g. GPS). Isolations: isolation among Apps; isolation between App and System.

Isolation among Apps

[Diagram] Uid = 6001, Uid = 6009, Uid = 7003

• Each App runs as a separate user (normal user)

• Access control is enforced by the underlying Linux

• File permission: rw-rw----
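How the Linux owner/group/others check produces the per-app isolation described above, as an added example that is not from the lecture notes: a model of the kernel's discretionary access-control decision, applied to the `-rwxr-x---` line from the Unix File Permission slide and to three apps with the uids shown on this slide (6001, 6009, 7003). The shared group, the file paths and the helper names (`check_access`, `android_isolation_demo`) are constructed; setuid/setgid/sticky mode characters are out of scope.

```python
# Added example, not from the lecture notes: a model of the Linux DAC check
# that gives Android its app isolation (each app = one Linux user).
ROOT_UID = 0

def parse_mode(mode_str: str) -> dict:
    """Split 'rw-rw----' or '-rwxr-x---' (leading type character optional)
    into the operations allowed for owner, group and others.
    Only r/w/x/- are handled; setuid/setgid/sticky characters are not."""
    bits = mode_str[-9:]
    if len(bits) != 9:
        raise ValueError("expected a 9-character rwx string")
    classes = {}
    for cls, chunk in zip(("owner", "group", "others"), (bits[0:3], bits[3:6], bits[6:9])):
        allowed = set()
        for ch, op in zip(chunk, "rwx"):
            if ch == op:
                allowed.add(op)
            elif ch != "-":
                raise ValueError(f"unexpected mode character {ch!r}")
        classes[cls] = allowed
    return classes

def check_access(file_info, process, op: str) -> bool:
    """file_info = (owner_uid, group_gid, mode_str); process = (uid, {gids});
    op is one of 'r', 'w', 'x'. Mirrors the kernel's order: root first, then
    owner, then group, then others; only the first matching class is consulted."""
    owner_uid, group_gid, mode_str = file_info
    uid, gids = process
    classes = parse_mode(mode_str)
    if uid == ROOT_UID:
        # root ignores the r/w bits; execute still needs an x bit somewhere
        return op != "x" or any("x" in allowed for allowed in classes.values())
    if uid == owner_uid:
        cls = "owner"
    elif group_gid in gids:
        cls = "group"
    else:
        cls = "others"
    return op in classes[cls]

def android_isolation_demo() -> dict:
    """Three apps with the uids from the slide. C is additionally placed in B's
    group (constructed) to show what rw-rw---- shares and what it does not."""
    app_a = (6001, {6001})
    app_b = (6009, {6009})
    app_c = (7003, {7003, 6009})
    root = (0, {0})
    a_private = (6001, 6001, "rw-------")  # A's database file (constructed)
    b_shared = (6009, 6009, "rw-rw----")   # B's file, readable by B's group
    return {
        "A reads its own data": check_access(a_private, app_a, "r"),
        "B reads A's data": check_access(a_private, app_b, "r"),
        "C reads B's shared data": check_access(b_shared, app_c, "r"),
        "A reads B's shared data": check_access(b_shared, app_a, "r"),
        "root reads A's data": check_access(a_private, root, "r"),
    }

if __name__ == "__main__":
    print(parse_mode("-rwxr-x---"))
    for case, allowed in android_isolation_demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

The last line of the demo is why rooting matters on the later slides: once code runs as uid 0, the per-app file permissions that keep B out of A's data no longer apply to it.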

Break The Isolation among Apps

[Diagram] Uid = 1020 ↔ Uid = 6009, with a Security Check between them

• Data sharing among apps

• Use the functionalities of other apps

Isolation Between App and System

[Diagram] System Resources (GPS), OS Kernel, Hardware

• Each app runs as a normal user

• Only root can directly access system resources

Allow Apps to Access System Resources

[Diagram] App → Security Check → Privileged Deputy (e.g. system services) → OS Kernel / Hardware → System Resources (GPS)

Access Control

[Diagram] System Resources (GPS); Permissions Controlled.

How to cross the isolation boundary?

- Between Apps

- Between App and System

Permission-Based Access Control

[Diagram] Installation and Execution; User; apps A, B, C.

Declare Permissions (Android defines 100+ permissions); apps can only use what they declare.

GPS, Internet: alert, ask once

SMS, Email, Call: ask every time

Many others: granted

Permission Examples in Android

ACCESS_FINE_LOCATION: Access GPS

BLUETOOTH: Connect to Bluetooth device

CALL_PHONE: Directly make phone calls

CAMERA: Use camera

INTERNET: Access to the Internet

READ_CONTACTS: Read user’s contacts data

WRITE_CONTACTS: Write contacts data

READ_CALENDAR: Read user’s calendar data

READ_SMS: Read SMS messages

SEND_SMS: Send SMS messages

Android’s Permission System

[Diagram] App: “I need: INTERNET, Device ID” → User: “Accept!” → Wireless fraud. This is where the problem is.
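A manifest check a user or reviewer could run before tapping "Accept", as an added example that is not from the lecture notes: it parses the `<uses-permission>` entries of an AndroidManifest.xml and flags the permissions from the table above that let a malicious app steal money or information, plus the combination of data access with INTERNET that lets collected data leave the phone. The two manifests are constructed; `audit_permissions` and its category tables are this example's own. READ_PHONE_STATE, used here for the slide's "Device ID" request, is a real Android permission that the table does not list.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Added example, not from the lecture notes. Categories are built from the
# permission table on the slides (descriptions are the slide's), plus
# READ_PHONE_STATE for the "Device ID" request on the diagram.
MONEY = {  # a money stealer needs one of these
    "SEND_SMS": "Send SMS messages",
    "CALL_PHONE": "Directly make phone calls",
}
DATA = {  # an information stealer needs one of these ...
    "READ_SMS": "Read SMS messages",
    "READ_CONTACTS": "Read user’s contacts data",
    "WRITE_CONTACTS": "Write contacts data",
    "READ_CALENDAR": "Read user’s calendar data",
    "ACCESS_FINE_LOCATION": "Access GPS",
    "READ_PHONE_STATE": "Read device ID (description constructed for this example)",
}
EXIT = "INTERNET"  # ... and this one to get the data off the phone

def declared_permissions(manifest_xml: str) -> list:
    """Short names of every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter("uses-permission"):
        full = el.get(f"{{{ANDROID_NS}}}name")
        if full:
            names.append(full.rsplit(".", 1)[-1])
    return names

def audit_permissions(manifest_xml: str) -> dict:
    """Return the declared permissions, a list of findings, and a verdict."""
    perms = set(declared_permissions(manifest_xml))
    findings = []
    for p in sorted(perms & set(MONEY)):
        findings.append(f"{p} ({MONEY[p]}): can cost the user money")
    stolen = sorted(perms & set(DATA))
    for p in stolen:
        findings.append(f"{p} ({DATA[p]}): reads personal information")
    if stolen and EXIT in perms:
        findings.append(f"{EXIT} together with {', '.join(stolen)}: personal data can leave the phone")
    return {
        "permissions": sorted(perms),
        "findings": findings,
        "verdict": "review before accepting" if findings else "nothing unusual",
    }

# Constructed manifests: a flashlight app asking for far more than it needs,
# and a weather app that only needs network access.
GREEDY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="Flashlight"/>
</manifest>"""

MODEST_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("flashlight", GREEDY_MANIFEST), ("weather", MODEST_MANIFEST)):
        report = audit_permissions(manifest)
        print(f"{label}: {report['verdict']}")
        for line in report["findings"]:
            print("  -", line)
```

CAMERA is deliberately not flagged: a flashlight app legitimately drives the LED through the camera permission, so the check looks for permissions that do not fit the app's purpose rather than for any sensitive-looking name.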

Malware: Malicious Software

» Malware: Malicious Software

> Information Stealer (spyware)

> Money Stealer (e.g. make phone calls)

> Control the phone (e.g. bot)

» How does malware attack?

How Malware Attacks Systems

[Diagram] Entry points: malicious web sites, malicious PDF files, malicious apps.

Privilege Escalation (Jailbreaking/Rooting)

Abusing the given privileges

• Stealing personal info.

• Making expensive phone calls

Suggestion: patch your system, read reviews, check the developer’s reputation.

Example: Attacks Through Browser

» The user visits a malicious or infected website

» Code in the page exploits a vulnerability in WebKit, the engine of the browser (CVE-2010-1807)

» The attack then exploits a Skype vulnerability (CVE-2011-1717)

> which allows local users to read sensitive files, including contacts, conversation transcripts, voicemail, and so on.

Jailbreaking and Rooting

[Diagram] Apple’s Control → Jailbreak → Unapproved Apps, More control, Custom OS. Google’s Control → Rooting → Apps with more power, Custom OS.

They are legal, but they bring more security risks.

Suggestion: don’t do it if you don’t have to.

A Typical Attack on Android

[Diagram] Legitimate Developer; Malicious Developer; Android Market or 3rd-Party Markets; Victim.

Cases: MYOURNET (21 apps); Droid Dream (>58 apps)

Suggestions: read reviews, check developers, check permissions, install virus scan

Example: Fake Angry Birds Space

» A fake version was available on various Android app marketplaces, not Google’s market

» Trojan Horse: Andr/KongFu-L

» Uses the GingerBreak exploit to gain root access

» Installs malicious code

Attack on Web: A Design Flaw

[Diagram] 3rd-party app (not by FB) with malicious app contents, accessing Facebook through a WebView.

Damage:

- Delete friends

- Steal info. in Facebook

- Post messages

Affects most systems

- iOS, Android, Windows Phone

Suggestion: use 1st-party or trusted 3rd-party apps to access Web accounts

Data Protection

Recent Studies (March 2012)

» Americans lost $30B worth of smartphones.

» Only 50% of lost phones are returned.

» Nearly all who found the lost phones tried to access the information on them.

» 22% of the respondents lost their phones.

» 70% didn’t use password protection.

Consequence of Device Loss

[Diagram] Data on the phone gives access to: Email, Facebook, Other Accounts, Online Banking, Company WiFi, Amazon, Cloud Services.

Locking the phone does not help much.

Remote wipe has limited power.

Data Encryption

iPhone 3GS: encryption is useless

iPhone 4: protected by password / PIN

PIN: easily crackable

4 digit PIN = 14 bits; strong encryption: 128 bits

Suggestion: don’t lose your phone

Apple vs. Google

» Tight Control: Apple

> Control on iOS code

> Code checking, accountability √

> Control on the app market √

» Loose Control: Google

> Open source: public scrutiny, contribution by others √

> No code checking, no accountability

> So far, Android has more malware than iOS

Summary of Suggestions

» Don’t root/jailbreak if not necessary

» Be more careful when downloading Android apps

» Avoid 3rd-party Android markets

» Paid apps turned free: check the developers

» PIN doesn’t protect your data much

Questions?