Tutorial on Smartphone Security Wenliang (Kevin) Du Professor [email protected]

Professor - Syracuse Universitywedu/Teaching/cis643/LectureNotes/PhoneSecurity2012.pdf> 500 rogue certificates were issued by hackers –Google, Skype, Mozilla, Microsoft ... Android,


Page 1

Tutorial on Smartphone Security

Wenliang (Kevin) Du

Professor

[email protected]

Page 2

Smartphone Usage

Page 3

Smartphone Applications

Page 4

Overview

» Built-in Protections (iOS and Android)

» Jailbreaking and Rooting

» Security Risks

» Malware

» Suggestions

Page 5

Protections: Apple versus Google

» Approval Processes

» Access Control

» Data Protection

Page 6

Approval Process

Apple: Apps -> Apple (code review, testing, etc.) -> App Distribution -> Installation

Other 3rd-party stores: Apps -> Store -> Installation (no comparable review step)

Page 7

Apple's App Development Process

App Developer -> Registration -> Certificate (issued by Apple) -> App development

The certificate gives accountability (the developer is registered with Apple) and code integrity (the app is signed under that certificate).

Page 8

Public Key Encryption and PKI

» Traditional Encryption: Secret Key Encryption

> The same key is used for encryption and decryption

> The key must be secret

> Algorithms: AES, DES

» Public Key Encryption

> Public Key: public, used for encryption

> Private key: secret, used for decryption

> Algorithms: RSA

Page 9

Public Key Encryption

Public Key: KeyPub (published to everyone)

Private Key: KeyPriv (kept secret by the owner)

Senders encrypt their messages M1, M2, M3 with KeyPub; only the holder of KeyPriv can decrypt, e.g. Enc(M2) -> M2.

Algorithm: RSA, ElGamal

Page 10

Digital Signature using Public Key

Public Key: KeyPub

Private Key: KeyPriv

Alice computes Signature = Sign(M, KeyPriv) and sends (M, Signature).

Anyone holding KeyPub:

  (M, Signature)  -> verification succeeds: M is written by Alice.

  (M', Signature) -> verification fails: M' is NOT written by Alice.

Algorithm: RSA, ElGamal, DSA

Page 11

Digital Signature using Public Key

Du signs the code with Du's private key, producing digital signature S. Everybody can use Du's public key to verify whether the code is written by Du or not.

Question: How do you know the public key is Du's?

Page 12

Digital Certificate and PKI

Example: VeriSign

M = (Public Key, Name: Kevin Du, some other information)

Digital Signature S = Sign(M, VeriSign's Private Key)

Digital Certificate:

  Public Key

  Name: Kevin Du

  Some other information

  VeriSign's Signature

Verification by everybody, using VeriSign's Public Key (usually preloaded in browsers and OS).

Page 13

The Whole Process

Page 14

Weakness of PKI

» We trust CAs (Certificate Authorities)

» CAs can be compromised

> July 10 – July 20, 2011: DigiNotar's system was hacked

> 500 rogue certificates were issued by the hackers

– Google, Skype, Mozilla, Microsoft

> Microsoft removed this CA from its OS

> Google and Mozilla blocked all DigiNotar digital certificates

> DigiNotar filed for bankruptcy in September 2011.
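The chain described on pages 10 through 14, worked end to end as an added example (this is not code from the slides, and it is not how Apple's or any real CA's signing works). It uses textbook RSA on fixed Mersenne primes with no padding, purely so the arithmetic is visible and deterministic; the developer name, app bytes and the "attacker" key are constructed. The last scenario is the page-14 point: once the CA's private key is stolen, a certificate minted for any name verifies exactly like a genuine one.

```python
# Toy PKI walk-through for pages 10-14: a developer signs an app, a CA vouches for
# the developer's public key, and the phone verifies the chain. Textbook RSA on
# fixed Mersenne primes with no padding: constructed for illustration, NOT for real use.
import hashlib
import json

E = 65537  # standard RSA public exponent


def make_keypair(p, q):
    """Textbook RSA: returns ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python >= 3.8)
    return (n, E), (n, d)


def _digest(data, n):
    # Hash the message, then reduce into the RSA group (toy encoding, no padding).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data):
    n, d = private
    return pow(_digest(data, n), d, n)


def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == _digest(data, n)


def issue_certificate(ca_private, subject, subject_public):
    """The CA binds a name to a public key by signing (name, key): the 'M' on page 12."""
    body = json.dumps({"name": subject, "n": subject_public[0], "e": subject_public[1]},
                      sort_keys=True).encode()
    return {"body": body, "ca_signature": sign(ca_private, body)}


def verify_app(ca_public, certificate, app, app_signature):
    """What the phone does: trust the preloaded CA key, check the cert, then the app."""
    if not verify(ca_public, certificate["body"], certificate["ca_signature"]):
        return False  # certificate was not issued by the trusted CA
    fields = json.loads(certificate["body"])
    return verify((fields["n"], fields["e"]), app, app_signature)


# Deterministic toy keys (Mersenne primes); a real CA key is 2048+ bits and random.
CA_PUBLIC, CA_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
DEV_PUBLIC, DEV_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)
ATTACKER_PUBLIC, ATTACKER_PRIVATE = make_keypair(2**521 - 1, 2**607 - 1)

APP = b"com.example.app v1.0 (constructed app bytes)"


def scenario_results():
    dev_cert = issue_certificate(CA_PRIVATE, "Kevin Du", DEV_PUBLIC)
    good_sig = sign(DEV_PRIVATE, APP)
    trojan = APP + b" + injected payload"
    # Attacker without the CA: self-issued certificate for the same name, own key.
    self_cert = issue_certificate(ATTACKER_PRIVATE, "Kevin Du", ATTACKER_PUBLIC)
    trojan_sig = sign(ATTACKER_PRIVATE, trojan)
    # Weakness of PKI (page 14): with the CA's private key the attacker mints a
    # certificate for any name, and the phone cannot tell it from a genuine one.
    minted_cert = issue_certificate(CA_PRIVATE, "Kevin Du", ATTACKER_PUBLIC)
    return {
        "genuine": verify_app(CA_PUBLIC, dev_cert, APP, good_sig),
        "tampered": verify_app(CA_PUBLIC, dev_cert, trojan, good_sig),
        "self_signed": verify_app(CA_PUBLIC, self_cert, trojan, trojan_sig),
        "rogue_ca": verify_app(CA_PUBLIC, minted_cert, trojan, trojan_sig),
    }


if __name__ == "__main__":
    for case, ok in scenario_results().items():
        print(f"{case:12s} verifies: {ok}")
```

The phone's only anchor is the preloaded CA public key, which is why revoking DigiNotar meant removing that key from the OS and browsers: nothing in the verification step itself can distinguish a minted certificate from a legitimate one.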

Page 15

Apple's App Development Process

App Developer -> Registration -> Certificate (issued by Apple) -> App development

The certificate gives accountability and code integrity.

Page 16

Google's App Development Process

App Developer -> Certificate -> App development

Certificate issued by a trusted party: accountability, code integrity. Only for Android Market, not for 3rd-party markets.

Anonymous certificate (self-signed): no accountability, no code integrity.

Page 17

Access Control

» We've learned: downloaded programs are dangerous

> Viruses, worms

> Trojans, backdoors

» Apps are downloaded programs.

» Need to control their access.

Page 18

Unix Security Basics: Users

» Normal Users

> uid: user ID

> Users are separated from each other

» Root Users (Administrator, Superuser)

> uid = 0

> Root has all the privileges

> if (uid ==0) do privileged operations

Page 19

Unix File Permission

-rwxr-x--- 2 richard staff 12040 Aug 20 1996 mydata.txt

Mode string, left to right: file type (-), owner permissions (rwx), group permissions (r-x), others (---). richard is the owner, staff is the group.

Page 20

Access Control

Two isolations stand between apps and system resources (e.g. GPS):

- Isolation among Apps

- Isolation between App and System

Page 21

Isolation among Apps

Uid = 6001, Uid = 6009, Uid = 7003

• Each App runs as a separate user (normal user)

• Access control is enforced by the underlying Linux

File permission: rw-rw---- (owner and group only; other app uids get nothing)
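The Linux check that pages 19 and 21 rely on, as an added example (not from the slides or from Android's own source): a parser for the nine-character mode string and the discretionary access rule that decides whether one app uid may touch another's file. The uids, paths and the "leaky" world-readable database are constructed; the leaky case only illustrates how a single permissive mode lets any local app read another app's data, the general shape of the local-file-exposure problem mentioned on page 31.

```python
# Simulates the Linux discretionary access check behind Android app isolation:
# each app has its own uid, a file has an owner uid, a group gid and a mode
# string such as "rw-rw----". Added example; uids and files are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class File:
    path: str
    owner_uid: int
    group_gid: int
    mode: str  # 9 chars: owner, group, others; each position "r"/"w"/"x" or "-"


@dataclass(frozen=True)
class Subject:
    uid: int
    gids: frozenset  # groups the process belongs to


def parse_mode(mode):
    """'rw-rw----' -> {'owner': {'r','w'}, 'group': {'r','w'}, 'others': set()}"""
    if len(mode) != 9:
        raise ValueError("mode must be 9 characters, e.g. rw-rw----")
    classes = {}
    for name, chunk in zip(("owner", "group", "others"), (mode[0:3], mode[3:6], mode[6:9])):
        perms = set()
        for want, got in zip("rwx", chunk):
            if got == want:
                perms.add(want)
            elif got != "-":
                raise ValueError(f"bad permission char {got!r} in {mode!r}")
        classes[name] = perms
    return classes


def may_access(subject, f, op):
    """Linux DAC rule: uid 0 bypasses; otherwise the FIRST matching class decides,
    so an owner without 'r' is refused even if the group class would allow it."""
    if subject.uid == 0:  # root has all the privileges (page 18)
        return True
    classes = parse_mode(f.mode)
    if subject.uid == f.owner_uid:
        return op in classes["owner"]
    if f.group_gid in subject.gids:
        return op in classes["group"]
    return op in classes["others"]


# Constructed sandbox: app uids from page 21, each with a private data directory.
APP_A = Subject(uid=6001, gids=frozenset({6001}))
APP_B = Subject(uid=6009, gids=frozenset({6009}))
ROOT = Subject(uid=0, gids=frozenset({0}))

APP_A_DB = File("/data/data/com.example.a/databases/app.db", 6001, 6001, "rw-rw----")
# A file some app B wrote with a careless mode: every local uid can read it.
LEAKY_DB = File("/data/data/com.example.b/files/contacts.db", 6009, 6009, "rw-rw-rw-")


def isolation_report():
    return {
        "a_reads_own": may_access(APP_A, APP_A_DB, "r"),
        "b_reads_a": may_access(APP_B, APP_A_DB, "r"),
        "a_reads_leaky_b": may_access(APP_A, LEAKY_DB, "r"),
        "root_writes_a": may_access(ROOT, APP_A_DB, "w"),
    }


if __name__ == "__main__":
    for check, allowed in isolation_report().items():
        print(f"{check:16s} -> {'allowed' if allowed else 'denied'}")
```

The isolation holds only as long as every app keeps its files at rw-rw---- or tighter; the kernel enforces the bits, but it is the app that chooses them.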

Page 22

Break The Isolation among Apps

Uid = 1020 -> Security Check -> Uid = 6009

• Data sharing among apps

• Use the functionalities of other apps

Page 23

Isolation Between App and System

System Resources (e.g. GPS) sit behind the OS Kernel and the Hardware.

• Each app runs as a normal user

• Only root can directly access system resources

Page 24

Allow Apps to Access System Resources

App -> Security Check -> Privileged Deputy (e.g. system services) -> OS Kernel -> Hardware -> System Resources (e.g. GPS)

Page 25

Access Control

System Resources (e.g. GPS): Permissions Controlled

How to cross the isolation boundary?

- Between Apps

- Between App and System

Page 26

Permission-Based Access Control

At Installation (Android): the app declares the permissions it needs (Android defines 100+ permissions); the user is asked once, at install time, and the app can only use what it declared.

At Execution (iOS):

  GPS, Internet: alert, ask once

  SMS, Email, Call: ask every time

  Many others: granted

Page 27

Permission Examples in Android

ACCESS_FINE_LOCATION Access GPS

BLUETOOTH Connect to Bluetooth device

CALL_PHONE Directly make phone calls

CAMERA Use camera

INTERNET Access to the Internet

READ_CONTACTS Read user’s contacts data

WRITE_CONTACTS Write contacts data

READ_CALENDAR Read user’s calendar data

READ_SMS Read SMS messages

SEND_SMS Send SMS messages
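The model from pages 24 through 27 in working form, as an added example (this is not Android's implementation; only the permission names come from page 27, while the package manager, the deputies, the package names and uids are constructed). It shows the install-time, all-or-nothing grant and the security check a privileged deputy makes before handing out a resource; the game that declares SEND_SMS and is accepted anyway is the page-28 situation.

```python
# Models Android-style install-time permissions plus the check a privileged
# deputy (system service) performs at the isolation boundary. Added example;
# package names, uids and the services are constructed, not real Android code.

KNOWN_PERMISSIONS = {  # the subset listed on page 27
    "ACCESS_FINE_LOCATION", "BLUETOOTH", "CALL_PHONE", "CAMERA", "INTERNET",
    "READ_CONTACTS", "WRITE_CONTACTS", "READ_CALENDAR", "READ_SMS", "SEND_SMS",
}


class PermissionDenied(Exception):
    pass


class PackageManager:
    """Installer: assigns a fresh uid and records what the user accepted."""

    def __init__(self):
        self._next_uid = 10001
        self.granted = {}  # uid -> frozenset of permissions

    def install(self, package, declared, user_accepts):
        unknown = set(declared) - KNOWN_PERMISSIONS
        if unknown:
            raise ValueError(f"{package} declares unknown permissions {sorted(unknown)}")
        if not user_accepts:
            raise PermissionDenied(f"user declined to install {package}")
        uid = self._next_uid
        self._next_uid += 1
        self.granted[uid] = frozenset(declared)  # all or nothing, fixed after install
        return uid

    def check(self, uid, permission):
        return permission in self.granted.get(uid, frozenset())


class Deputy:
    """Privileged system service: owns the resource, checks the caller's permission."""

    def __init__(self, pm, resource, required):
        self.pm, self.resource, self.required = pm, resource, required
        self.audit = []  # (uid, permission, decision)

    def request(self, calling_uid):
        # The security check of page 24: decided on the caller's uid, never on
        # anything the caller claims about itself.
        if not self.pm.check(calling_uid, self.required):
            self.audit.append((calling_uid, self.required, "DENIED"))
            raise PermissionDenied(f"uid {calling_uid} lacks {self.required} for {self.resource}")
        self.audit.append((calling_uid, self.required, "OK"))
        return f"{self.resource} granted to uid {calling_uid}"


def demo():
    pm = PackageManager()
    gps = Deputy(pm, "GPS", "ACCESS_FINE_LOCATION")
    sms = Deputy(pm, "SMS", "SEND_SMS")
    maps_uid = pm.install("com.example.maps", {"INTERNET", "ACCESS_FINE_LOCATION"}, user_accepts=True)
    # A game that asks for SEND_SMS; the user clicks Accept without reading (page 28).
    game_uid = pm.install("com.example.game", {"INTERNET", "SEND_SMS"}, user_accepts=True)

    def attempt(deputy, uid):
        try:
            deputy.request(uid)
            return True
        except PermissionDenied:
            return False

    return {
        "maps_gps": attempt(gps, maps_uid),
        "game_gps": attempt(gps, game_uid),      # never declared -> the deputy refuses
        "game_sms": attempt(sms, game_uid),      # declared and accepted -> allowed, fraud possible
        "unknown_uid_gps": attempt(gps, 9999),   # no package behind this uid
        "audit": gps.audit + sms.audit,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The deputy never asks the app which permissions it has; it asks the package manager, keyed by the calling uid, which is why the per-app uid from page 21 is what makes the permission system enforceable.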

Page 28

Android's Permission System

App: "I need: INTERNET, Device ID" -> User: "Accept!" -> Wireless fraud

This is where the problem is: the user is asked, and accepts.

Page 29

Malware: Malicious Software

» Malware: Malicious Software

> Information Stealer (spyware)

> Money Stealer (e.g. make phone calls)

> Control the phone (e.g. bot)

» How does malware attack?

Page 30

How Malware Attacks Systems

Malicious web sites, malicious PDF files -> Privilege Escalation (Jailbreaking/Rooting exploits)

Malicious Apps -> Abusing the given privileges

• Stealing personal info.

• Making expensive phone calls

Suggestion: patch your system, read reviews, check the developer's reputation.

Page 31

Example: Attacks Through Browser

» The user visits a malicious or infected website

» Code in the page exploits a vulnerability in WebKit, the rendering engine of the browser (CVE-2010-1807)

» The attack then exploits a Skype vulnerability (CVE-2011-1717)

> which allows local users to read sensitive files including contacts, conversation transcripts, voicemail, and so on.

Page 32

Jailbreaking and Rooting

Apple's Control -> Jailbreak -> Unapproved Apps, Custom OS

Google's Control -> Rooting -> Apps with more power, more control, Custom OS

They are legal, but they bring more security risks.

Suggestion: don't do it if you don't have to.

Page 33

A Typical Attack on Android

Legitimate Developer -> app -> Malicious Developer (re-publishes a trojanized copy) -> Android Market, or 3rd-Party Markets -> Victim

Cases:

  MYOURNET (21 apps)

  Droid Dream (>58 apps)

Suggestions:

  Read reviews

  Check developers

  Check permissions

  Install virus scan

Page 34

Example: Fake Angry Birds Space

» Fake copies were available on various Android app marketplaces, not on Google's market

» Trojan Horse: Andr/KongFu-L

» Uses the GingerBreak exploit to gain root access

» Installs malicious code

Page 35

Attack on Web: A Design Flaw

A 3rd-party app (not by FB) loads Facebook inside a WebView; malicious app contents can then act on the Facebook pages shown in that WebView.

Damage:

- Delete friends

- Steal info. in Facebook

- Post messages

Affects most systems: iOS, Android, Windows Phone

Suggestion: use 1st-party or trusted 3rd-party apps to access Web accounts

Page 36

Data Protection

Page 37

Recent Studies (March 2012)

» Americans lost $30B worth of smartphones.

» Only 50% of lost phones are returned.

» Nearly all who found a lost phone tried to access the information on it.

» 22% of the respondents had lost their phones.

» 70% didn't use password protection.

Page 38

Consequence of Device Loss

The phone carries logged-in access to: Email, Facebook, other accounts, Online Banking, Company WiFi, Amazon, Cloud Services, and the Data stored on the device.

Locking the phone does not help much.

Remote wipe has limited power.

Page 39

Data Encryption

iPhone 3GS: encryption is useless

iPhone 4: protected by Password / PIN

PIN: easily crackable

  4-digit PIN = 14 bits (10^4 possibilities, about 2^13.3)

  Strong encryption: 128 bits

Suggestion: don't lose your phone

Page 40

Apple v.s. Google

» Tight Control: Apple

> Control on iOS code

> Code checking, accountability √

> Control on the app market √

» Loose Control: Google

> Open source: public scrutiny, contribution by others √

> No code checking, no accountability

> So far, Android has more malware than iOS

Page 41

Summary of Suggestions

» Don't root/jailbreak if not necessary

» Be more careful when downloading Android apps

» Avoid 3rd-party Android markets

» Paid apps turned free: check the developers

» A PIN doesn't protect your data much

Page 42

Questions?