Android System Security C.K.Chen 2014/09/02

DESCRIPTION

Discusses threats to the Android system


Outline

• Some news about Android threat
• Android Threat Model
  – Attack from Computer
  – Attack from Firmware
  – NFC Security
  – Bluetooth Security
• Malicious APP
• Summary


Vulnerability


Android Threat Model


Attack from Computer

• Gaining root access
  – Official: simulate a screen tap event on the OEM unlock menu on selected devices.
  – Universal: Linux local root exploit (CVE-2009-1185 RLIMIT_NPROC exhaustion) sent via USB
• Insert malicious payload
  – Kernel: disassemble the boot partition, replace the kernel zImage with a malicious one
• Optionally unroot back to avoid detection


Attack from Computer

• Kernel manipulation
• Native ARM ELF binary, bypassing Android framework permission checking.
• In sum, a complete phone provisioning process, fully automated, with an evil payload.


Attack from Firmware

• Customized firmware
  – Distributed over the network
  – Manufacturers are paid to include the malware
  – Some manufacturers used firmware images from the internet


NFC Security

• Near field communication (NFC) is a set of standards
  – For smartphones and similar devices to establish radio communication
  – By touching them together or bringing them into proximity, usually no more than a few centimeters.


NFC Security

• No link-level security (wireless not encrypted)
  – Eavesdropping (sniffing)
  – Man-in-the-middle
  – Data: modification, corruption, insertion
• Tamper with NFC/RFID tags
  – Modify original tag
  – Replace with malicious tag


Bluetooth Security

• Bluetooth is a wireless technology standard for exchanging data over short distances


Bluetooth Security

• General software vulnerabilities
• Eavesdropping
  – Older Bluetooth devices use versions of the Bluetooth protocol that have more security holes
• Denial of service
• Bluetooth range is greater than you think
  – Bluetooth is designed to be a “personal area network.”
  – Hackers have been known to use directional, high-gain antennae to successfully communicate over much greater distances.
  – For example, security researcher Joshua Wright demonstrated the use of such an antenna to hack a Bluetooth device in a Starbucks from across the street.


Attack WebKit

• WebKit is a layout engine software component for rendering web pages in web browsers.
• Basis of web-based applications


Attack WebKit

[Diagram labels: 1. connect; 2. Send malicious content; Malicious Website; Do something bad]


Attack WebKit

• https://www.youtube.com/watch?v=czx_AKdj8ug


MMS

• Multimedia Messaging Service
  – A standard way to send messages that include multimedia content to and from mobile phones
  – It extends the core SMS (Short Message Service) capability that allowed exchange of text messages


MMS Flow (Intra-carrier)


MMS Attack Vectors

• MMS Attack Vectors
  – Message headers
  – MMS uses many types of messages: SMS, WAP, WSP
• Message contents
  – SMIL
    • Markup language to describe content
  – Rich content
  – Images
  – Audio/Video


MMS Security

• Mobile phone messaging is a unique attack surface
  – Always on
• Functionality is becoming more feature rich
  – Ringtones
  – Videos
  – Pictures
• Technical hurdles for attackers are dropping
  – Easily modified phones
• Functionality at higher layers


Implementation Vulnerability

• Android flaw in parsing UDH for concatenated messages
  – Concatenated messages have a sequence number. Valid range is 01-FF.
• Setting sequence to 00 triggers an unhandled invalid array exception.
• Impact: Crashed com.android.phone process on Android G1
  – Disables all radio activity on the phone.
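
An added example (not from the original slides): a strict parser for the UDH concatenation element that rejects sequence 00, and any sequence above the part count, before the value is ever used as an array index. The field layout (IEI 0x00 or 0x08, reference, total, sequence) is the standard SMS concatenation element; the sample parts are constructed and assume 8-bit user data.

```python
class UDHError(ValueError):
    """Malformed or out-of-range User Data Header field."""

def parse_concat_udh(user_data: bytes):
    """(ref, total, seq) of a concatenated part, None if absent; raises UDHError."""
    if not user_data or user_data[0] > len(user_data) - 1:
        raise UDHError("missing or truncated header")
    header, pos = user_data[1:1 + user_data[0]], 0
    while pos < len(header):
        if pos + 2 > len(header):
            raise UDHError("truncated information element")
        iei, iedl = header[pos], header[pos + 1]
        data = header[pos + 2:pos + 2 + iedl]
        if len(data) != iedl:
            raise UDHError("element runs past end of header")
        pos += 2 + iedl
        if iei == 0x00 and iedl == 3:        # 8-bit reference number
            ref, total, seq = data
        elif iei == 0x08 and iedl == 4:      # 16-bit reference number
            ref, total, seq = (data[0] << 8) | data[1], data[2], data[3]
        elif iei in (0x00, 0x08):
            raise UDHError("wrong length for concatenation element")
        else:
            continue                         # unrelated element: skip it
        if not 1 <= seq <= total:            # 00 and seq > total both rejected
            raise UDHError(f"sequence {seq} outside 1..{total}")
        return ref, total, seq
    return None

def reassemble(pdus):
    """Join the parts of one message; seq is validated before it becomes an index."""
    slots = None
    for pdu in pdus:
        info = parse_concat_udh(pdu)
        if info is None:
            raise UDHError("part has no concatenation element")
        _, total, seq = info
        slots = slots if slots is not None else [None] * total
        if total != len(slots):
            raise UDHError("parts disagree on total")
        slots[seq - 1] = pdu[1 + pdu[0]:]
    if not slots or None in slots:
        raise UDHError("message incomplete")
    return b"".join(slots)

# Constructed sample parts: UDHL=05, IEI=00, IEDL=03, ref=2A, total=02, seq.
PART_1 = bytes.fromhex("0500032a0201") + b"Hel"
PART_2 = bytes.fromhex("0500032a0202") + b"lo"
SEQ_00 = bytes.fromhex("0500032a0200") + b"x"    # the invalid value from the slide
```

Catching `UDHError` at the message-handling boundary and dropping the part keeps one malformed SMS from taking down the process that owns the radio.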


MMS Attack


Malicious APP

• Many attack methods must go through a malicious APP


APP Permission

• Malicious apps often declare more permissions

android.permission.SEND_SMS / RECEIVE_SMS
android.permission.SYSTEM_ALERT_WINDOW
android.permission.READ_CONTACTS / WRITE_CONTACTS
android.permission.READ_CALENDAR / WRITE_CALENDAR
android.permission.CALL_PHONE
android.permission.READ_LOGS
android.permission.ACCESS_FINE_LOCATION
android.permission.GET_TASKS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.CHANGE_WIFI_STATE
com.android.browser.permission.READ_HISTORY_BOOKMARKS / WRITE_HISTORY_BOOKMARKS


Confused Deputy Attack


Repackage APK

• Fake app which clones the code from the original one
  – And adds some malicious code
  – Changes the ad library


Repackage APK


Privilege Escalation

• Two or more malicious apps
  – Each has fewer permissions and seems harmless
  – By communicating through intents, these apps achieve malicious behaviors which require higher permissions
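
An added audit example (not from the original slides) covering the APP Permission and Privilege Escalation slides: it reads decoded AndroidManifest.xml text, records which of the listed permissions each app requests, and reports exported components with no permission guard that a less-privileged app could reach by intent. The package names and manifests are constructed, and the implicit-export rule applied is the pre-API-31 default.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"   # android: namespace
# Permissions taken from the slide's list (android.permission.* entries).
WATCHED = {"android.permission." + p for p in (
    "SEND_SMS RECEIVE_SMS SYSTEM_ALERT_WINDOW READ_CONTACTS WRITE_CONTACTS "
    "READ_CALENDAR WRITE_CALENDAR CALL_PHONE READ_LOGS ACCESS_FINE_LOCATION "
    "GET_TASKS RECEIVE_BOOT_COMPLETED CHANGE_WIFI_STATE").split()}

def audit(manifest_xml):
    """Summarise one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    app = root.find("application")
    comps = list(app) if app is not None else []
    app_perm = app.get(A + "permission") if app is not None else None
    unguarded = []
    for c in comps:
        if c.tag not in ("activity", "service", "receiver"):
            continue
        exported = c.get(A + "exported")
        if exported is None:  # pre-API-31 default: an intent-filter implies exported
            exported = "true" if c.find("intent-filter") is not None else "false"
        if exported == "true" and not (c.get(A + "permission") or app_perm):
            unguarded.append(c.get(A + "name"))
    return {"package": root.get("package"),
            "watched": requested & WATCHED, "unguarded": sorted(unguarded)}

def escalation_paths(manifests):
    """(caller, deputy, component, permissions the caller lacks) for every
    unguarded exported component in an app that holds watched permissions."""
    reports = [audit(m) for m in manifests]
    return sorted(
        (c["package"], d["package"], comp, tuple(sorted(d["watched"] - c["watched"])))
        for d in reports for c in reports for comp in d["unguarded"]
        if c is not d and d["watched"] - c["watched"])

# Constructed sample manifests (hypothetical packages).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
NOTES = f"""<manifest {NS} package="com.example.notes">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <service android:name=".SendService" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.notes.SYNC"/>
  </application></manifest>"""
TORCH = f"""<manifest {NS} package="com.example.torch">
  <application><activity android:name=".Main"/></application></manifest>"""
```

Each reported path is a candidate for review, not a finding: the manifest does not show whether the component actually uses the permission, and launcher activities are exported by design.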


Mitigate the Threat

• For the user
  – Update to the newest version
    • Android
    • APP
  – Close unused services
  – Install APPs that you trust


Mitigate the Threat

• For the developer
  – Basic security concepts
  – Code review
  – Penetration test
  – Keep up with the newest attacks


Summary

• First, we shared some security news about Android
• With so many interfaces for communication, the attack vectors become wider
• The threat model of Android is discussed
• Numerous attack methods are introduced
• Some easy guidelines are proposed for users and developers


Q&A


The New Attack

• We have already talked about some general attacks
  – But attackers’ methods change with time, becoming more specialized and more sophisticated
  – Currently, numerous Android security flaws are presented at security conferences


UI State Inference Attack

• Attacker can guess which Activity is currently viewed by the user
  – Try to hijack the Activity
  – Do something bad
• Demo video


Recognizing Speech From Gyroscope Signals

• A gyroscope is a device for measuring or maintaining orientation


Recognizing Speech From Gyroscope Signals

• Gyroscope is a low-level permission for apps
  – User may ignore it
• While speech recording is a dangerous permission
• Researchers show that it is possible to recover speech from gyroscope information


Exploit Update Mechanism

• New OS version presumably fixes security loopholes and enhances the system’s security protection
• Automatically acquire significant capabilities without users’ consent once they upgrade to newer versions!
  – automatically obtaining all new permissions added by the newer version OS
  – replacing system-level apps with malicious ones
  – injecting malicious scripts into arbitrary webpages


Exploit Update Mechanism

• It exploits the flaws in the updating mechanism of the “future” OS, which the current system will be upgraded to
• Demo video


Security Risks in Customizations

• For each new Android version, Google first releases it to mobile phone vendors, allowing them to add their apps, device drivers and other new features to their corresponding Android branches.
• Recent studies show that many pre-loaded apps on those images are vulnerable, leaking system capabilities or sensitive user information to unauthorized parties.

2014/5/19   42  


Security Risks in Customizations

• The security risks here, however, go much deeper than those on the app layer.
• Particularly, they almost always need to modify a few device drivers (e.g., for camera, audio, etc.) and related system settings to support their hardware.


Security Risks in Customizations

• Device drivers work on the Linux layer and communicate with Android users through framework services.
• Therefore, any customization on an Android device needs to make sure that it remains well protected at both the Linux and framework layers.
• However, vendors usually don't have the time to properly address such problems.


The Peril of Fragmentation

• Android devices contain a large part which is customized by the vendor
  – Kernel
  – Firmware
• For ease of programming, some security policies are broken
• DEMO Video