Android Security - Black Hat

Android Security
Stuart O. Anderson
June 23, 2011

Stuart O. Anderson
- Background in robotics and applied math
- Fellow at the Institute for Disruptive Studies
- Co-founded Whisper Systems with Moxie Marlinspike

What this talk covers
The Android System
Android's security model
Malware and exploit examples
Best practices for improving security

The Android System: Overview
Android is
– A system architecture
– A business and legal framework
Security is affected by both aspects

Android: Embedded and Consumer
Android's design is driven by
– Resource constraints
    Memory
    Battery
– Consumer market
    iPhone competition

Android System Architecture

Android Kernel
Modified for resource constrained environments
– Binder
– Ashmem and Pmem
– Logger
– Wakelocks
– Out-Of-Memory Handler

Android Userspace
Driven by resource and legal constraints
– Bionic (Non-POSIX libc)
– Prelinked system libraries
– Dalvik VM
– Native Libraries

Bionic: Android libc
BSD License
– No GPL in userspace
Small
– About 200K
Fast
– Especially pthreads

Apriori: Android Prelinker
System libraries are internally pre-linked
Must be loaded at specific vaddr
Look in /build/core/prelink*.map

Dalvik
Virtual Machine runs most apps
DEX byte code compiles from Java
Register and not stack based
– i.e. trying real hard not to be a JVM

Native Libraries
Webkit
Media
SQLite
SurfaceManager
...

Android Framework
Components
– Activities
– Services
– Receivers
– ContentProviders

Android Framework
Intents connect components through Binder
– Action
– Data
– Categories
– Extras
– Flags – can grant permissions.

Android: Business Relationships
Google – Develops platform
Chipset vendors – Broad market
OEMs – Shorter time to market
Carriers – Easier to customize
Developers – Easy to publish, free SDK

OEMs
Chipset vendors are limited
– Qualcomm, TI (OMAP3), Ericsson, Broadcom
– Faster development cycle (9-12 months) for OEMs
– Budget goes to differentiation

Carriers
Slow updates
– Known webkit bugs linger
    M.J. Keith at Alert Logic

Google's Points of Control
Access to latest source code
Control of review process
Proprietary apps (Market, Maps, ...)
Trademark
AFA, CTS/CDD

Orphaned Devices
Last Google I/O
– 18 months support for new devices
– Verizon, HTC, Samsung, Sprint, Sony Ericsson, LG, T-Mobile, Vodafone, Motorola, and AT&T

Android: Future Directions
New Devices
– Tablets
– Readers
– PCs / Dockables

Android's Security Model
Linux Kernel
– Process separation
– Access to resources by UID/GID
Android Framework
– Signed packages
– Per-package Permissions

Android UID and GID
Most packages have their own UID
Some share a UID
GID is used for Kernel level resources
– Camera, bluetooth, display, ...

Android UID and GID
[Figure: per-app user names app_49, app_37, app_10, app_8, app_27, app_48, app_26, app_36, app_41, app_18, app_12, ... and the package com.whispersys.monitor]

Android Framework Security
Code Signing
– Links a package to a developer
Permissions
– Grants a package a capability

Code Signing
Packages are signed when published
– You trust the publisher with the security of their private key
– If the keys don't match, app must be manually removed and reinstalled
– Packages that share keys can share UIDs

Remote Pull and Push
Google can add and remove packages
– GtalkService
– Malware may attempt to disable these features

Permissions
Every UID has an associated set of permissions it has been granted
    android.permission.SEND_SMS
    android.permission.WRITE_CALENDAR
    android.permission.READ_PHONE_STATE

Permissions
Packages request permissions in their manifest
User is prompted to approve these permissions as a single block
– Only once, at install time
– Permissions not marked 'dangerous' are not displayed

Permissions
Most permissions declared in
– /core/res/AndroidManifest.xml
Not all permissions require user approval
– Signature
– SignatureOrSystem

Permissions: Granularity
Granularity in the permissions themselves
– Internet is a single permission
Granularity in user control
– Can't approve a subset of the requested permissions

Permissions: Granularity
Too fine granularity overloads users
Overloaded users stop paying attention

Permissions: Enforcement
Permission checks are performed in PackageManagerService

    public int checkUidPermission(String permName, int uid) {
        synchronized (mPackages) {
            Object obj = mSettings.getUserIdLP(uid);
            if (obj != null) {
                GrantedPermissions gp = (GrantedPermissions) obj;
                if (gp.grantedPermissions.contains(permName)) {
                    return PackageManager.PERMISSION_GRANTED;
                }
            } else {
                HashSet<String> perms = mSystemPermissions.get(uid);
                if (perms != null && perms.contains(permName)) {
                    return PackageManager.PERMISSION_GRANTED;
                }
            }
        }
        return PackageManager.PERMISSION_DENIED;
    }

Permissions: Services
Services must explicitly check permissions at IPC entry points

    public void call(String number) {
        // This is just a wrapper around the ACTION_CALL intent, but we still
        // need to do a permission check since we're calling startActivity()
        // from the context of the phone app.
        enforceCallPermission();
        String url = createTelUrl(number);
        if (url == null) {
            return;
        }
        Intent intent = new Intent(Intent.ACTION_CALL, Uri.parse(url));
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        intent.setClassName(mApp, ity(intent);
    }

Permissions: ContentProviders
Read and Write permissions handled by system
Must implement per-URI permission granting

Malware and Exploit Examples
Getting root
Remote exploits
Protocol weaknesses
Making money

Leaky Apps
Content Providers, SD/Card
Network communication
– Spoofed http responses
– Authtokens
Unreliable deputies

GSM Weaknesses
Well publicized attacks on GSM
– See Karsten Nohl
The cost of intercept equipment is marginal

Privilege Elevation
Send an Intent or Binder data to another app that causes unexpected behavior
– Some critical services have very complicated interfaces
Change your own uid or gid
– Kernel, zygote, etc

Android Exploit Examples
Sebastian Krahmer (stealth)
– Zimperlich
    Forkbomb to process limit
    Zygote will fail to change uid from root on fork
– Gingerbreak
    Unchecked array index in vold
    Rewrite GOT entry for strcmp()

Android Remote Exploit Examples
Collin Mulliner
– NFC remote application crash
– NFC remote NFC service crash
Charlie Miller
– PacketVideo media library

Malware Threats
Jon Oberheide
– Rootstrap
– Download and execute exploits as they become available

Malware Threats
Untargeted Monetization
– Premium SMS
– 1-900 Numbers
Persistence
– Remount /system r/w
– Turn off AV tools

Solutions and Best Practices
System Level Changes
Security Applications
Auditing Applications

System Level Changes
Full disk encryption
Dynamic egress filtering
Selective permissions
Extended code signing

Disk Encryption
Honeycomb
– MTD devices only
– Tied to screen lock
WhisperCore
– yaffs variant supports MTD and block devices
– Enhanced screenlock

Dynamic Information Flow Tracking
DIFT inside the Dalvik VM
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
– William Enck, Peter Gilbert, Byung-gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. In Proc. of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), October 2010 in Vancouver

Dynamic Information Flow Tracking
Variable tracking in Dalvik
Message tracking in Binder
Method tracking in system libraries
File tracking via file-system extension

Dynamic Egress Filtering
Monitor outgoing network connections.
Filter connections by:
– Initiating app.
– Destination.
– Network type and location.
Prompts when connections are initiated
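
Added example (not from the talk and not WhisperMonitor's code): because each package runs under its own UID, the uid column of /proc/net/tcp is enough to attribute a connection to its initiating app and apply a per-app destination rule. The sample lines, the POLICY table and all function names are constructed for illustration; the mapping of user app_N to UID 10000+N is assumed as the platform convention.

```python
import ipaddress
import struct

FIRST_APP_UID = 10000  # assumed platform convention: user app_49 is UID 10049

# Constructed /proc/net/tcp content (header plus three sockets), not from a device.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0F02000A:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000 10049        0 3310
   2: 0F02000A:C351 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10037        0 3311
"""

# Hypothetical policy: uid -> list of (allowed network, allowed port).
POLICY = {10049: [(ipaddress.ip_network("192.0.2.0/24"), 80)]}

def decode(endpoint):
    """'0A0200C0:0050' -> (192.0.2.10, 80); address hex as printed on little-endian hosts."""
    addr, port = endpoint.split(":")
    return ipaddress.IPv4Address(struct.pack("<I", int(addr, 16))), int(port, 16)

def app_connections(proc_net_tcp):
    """Yield (uid, remote_ip, remote_port) for established sockets owned by app UIDs."""
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 8 or fields[3] != "01":    # state 01 = ESTABLISHED
            continue
        uid = int(fields[7])
        if uid >= FIRST_APP_UID:                    # ignore root and system UIDs
            ip, port = decode(fields[2])
            yield uid, ip, port

def verdicts(proc_net_tcp, policy=POLICY):
    """Allow what the policy lists for that app; everything else prompts the user."""
    out = []
    for uid, ip, port in app_connections(proc_net_tcp):
        ok = any(ip in net and port == p for net, p in policy.get(uid, []))
        out.append((f"app_{uid - FIRST_APP_UID}", str(ip), port,
                    "allow" if ok else "prompt"))
    return out

if __name__ == "__main__":
    for verdict in verdicts(SAMPLE):
        print(verdict)
```

Polling this table only observes sockets after the fact; blocking or prompting before the connection completes needs a hook in the kernel or framework, which this sketch does not attempt.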

Selective Permissions
Remove specific permissions
Create temporary and isolated copies of requested resources

Exploit Mitigation
Address Space Randomization for Mobile Devices
– Hristo Bojinov, Dan Boneh, Rich Cannings, Iliyan Malchev – WiSec 2011
– Randomizes addresses
    Even with prelinked libraries
– Android moving to ld.so
– Still forking zygote?

Extended Code Signing
Management of which apps can run
– Whitelist or blacklist
– Installed apps can be blocked
Lets administrators sign, update, install, and remove apps remotely

Security Applications
Secure backup
Secure communications
Secure storage

Secure Backup
Secure incremental backup
Cloud or backend storage
Remote image management
Remote wipe

Secure Communication
Voice calls
– VoIP solutions: RedPhone, PrivateWave, Cellcrypt
Messaging
– SMS/MMS/IM
Email
– Good, MobileIron, TouchDown

Malware Detection
Google
– Can remove malware from Market
– Can remotely disable and update
Lookout
– At the endpoint, limited access
– Can be disabled by malware

Auditing an Application
Examine the Manifest
Decompilers
Other Tools

Auditing an Application
ISEC's Manifest Explorer
Author: Jesse Burns
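
Added example (not Manifest Explorer and not code from the talk): a minimal manifest review that lists the permissions a package requests and flags exported components with no permission guarding them, the "unreliable deputy" case from the Leaky Apps slide. It assumes the manifest has already been decoded from the APK's binary XML to text; the sample manifest, its package name and the function names are constructed, and the exported defaults coded here are those of the platform versions current at the time of the talk.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Constructed manifest for illustration; package and component names are made up.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.notes.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".Boot" android:exported="false"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"
        android:readPermission="com.example.notes.READ"/>
  </application>
</manifest>"""

def is_exported(elem):
    """Effective android:exported value when the attribute may be absent."""
    explicit = elem.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    if elem.tag == "provider":
        return True  # assumption: providers exported by default in this era
    return elem.find("intent-filter") is not None  # a filter implies exported

def audit(manifest_xml):
    """Return requested permissions and exported components lacking a guard."""
    root = ET.fromstring(manifest_xml)
    requested = sorted(p.get(A + "name") for p in root.iter("uses-permission"))
    unguarded = []
    for elem in root.findall("application/*"):
        if elem.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if not is_exported(elem):
            continue
        name, perm = elem.get(A + "name"), elem.get(A + "permission")
        if elem.tag == "provider":  # read and write access are guarded separately
            unguarded += [("provider", name, rw) for rw in ("read", "write")
                          if not (perm or elem.get(A + rw + "Permission"))]
        elif not perm:
            unguarded.append((elem.tag, name, "ipc"))
    return {"package": root.get("package"), "requested": requested,
            "unguarded": unguarded}

if __name__ == "__main__":
    for finding in audit(SAMPLE)["unguarded"]:
        print(finding)
```

A launcher activity is expected to show up as unguarded; the findings that deserve a closer look are services, receivers and providers reachable by any other package, which then have to check the caller's permission themselves at the IPC entry point.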

Auditing an Application
Use adb to pull the apk from the phone
    adb pull /data/app/packagename.apk
    adb pull /system/app/packagename.apk

Auditing an Application
Use dedex (Nathan Keynes) and jd-gui to inspect DEX code
    unzip package.apk
    dedex classes.dex
    jd-gui classes.jar

JD-GUI

Other Audit Tools
– Dynamic Information Flow Tracking
    TaintDroid
– Mandatory Access Control
    TOMOYO Linux
– Emulator
    Scott Dunlop's JDWP- JDP method
– Network Monitoring
    WhisperMonitor
    Wireshark

Summary: Android Security
Embedded and consumer
Tradeoffs made against security
Divided responsibility for security
System and application layer solutions
