Android Security
Stuart O. Anderson
June 23, 2011

Stuart O. Anderson
- Background in robotics and applied math
- Fellow at the Institute for Disruptive Studies
- Co-founded Whisper Systems with Moxie Marlinspike

What this talk covers
The Android System
Android's security model
Malware and exploit examples
Best practices for improving security

The Android System: Overview
Android is
– A system architecture
– A business and legal framework
Security is affected by both aspects

Android: Embedded and Consumer
Android's design is driven by
– Resource constraints
    Memory
    Battery
– Consumer market
    iPhone competition

Android System Architecture

Android Kernel
Modified for resource constrained environments
– Binder
– Ashmem and Pmem
– Logger
– Wakelocks
– Out-Of-Memory Handler

Android Userspace
Driven by resource and legal constraints
– Bionic (Non-POSIX libc)
– Prelinked system libraries
– Dalvik VM
– Native Libraries

Bionic: Android libc
BSD License
– No GPL in userspace
Small
– About 200K
Fast
– Especially pthreads

Apriori: Android Prelinker
System libraries are internally pre-linked
Must be loaded at specific vaddr
Look in /build/core/prelink*.map

Dalvik
Virtual Machine runs most apps
DEX byte code compiles from Java
Register and not stack based
– i.e. trying real hard not to be a JVM

Native Libraries
Webkit
Media
SQLite
SurfaceManager.

Android Framework
Components
– Activities
– Services
– Receivers
– ContentProviders

Android Framework
Intents connect components through Binder
– Action
– Data
– Categories
– Extras
– Flags – can grant permissions.

Android: Business Relationships
Google – Develops platform
Chipset vendors – Broad market
OEMs – Shorter time to market
Carriers – Easier to customize
Developers – Easy to publish, free SDK

OEMs
Chipset vendors are limited
– Qualcomm, TI (OMAP3), Ericsson, Broadcom
– Faster development cycle (9-12 months) for OEMs
– Budget goes to differentiation

Carriers
Slow updates
– Known webkit bugs linger
    M.J. Keith at Alert Logic

Google's Points of Control
Access to latest source code
Control of review process
Proprietary apps (Market, Maps, )
Trademark
AFA, CTS/CDD

Orphaned Devices
Last Google I/O
– 18 months support for new devices
– Verizon, HTC, Samsung, Sprint, Sony Ericsson, LG, T-Mobile, Vodafone, Motorola, and AT&T

Android: Future Directions
New Devices
– Tablets
– Readers
– PCs / Dockables

Android's Security Model
Linux Kernel
– Process separation
– Access to resources by UID/GID
Android Framework
– Signed packages
– Per-package Permissions

Android UID and GID
Most packages have their own UID
Some share a UID
GID is used for Kernel level resources
– Camera, bluetooth, display, .

Android UID and GID
[Figure: process listing showing per-app user names (app 49, app 37, app 10, app 8, ...) and com.whispersys.monitor]

Android Framework Security
Code Signing
– Links a package to a developer
Permissions
– Grants a package a capability

Code Signing
Packages are signed when published
– You trust the publisher with the security of their private key
– If the keys don't match, app must be manually removed and reinstalled
– Packages that share keys can share UIDs

Remote Pull and Push
Google can add and remove packages
– GtalkService
– Malware may attempt to disable these features

Permissions
Every UID has an associated set of permissions it has been granted
    android.permission.SEND_SMS
    android.permission.WRITE_CALENDAR
    android.permission.READ_PHONE_STATE

Permissions
Packages request permissions in their manifest
User is prompted to approve these permissions as a single block
– Only once, at install time
– Permissions not marked 'dangerous' are not displayed

Permissions
Most permissions declared in
– /core/res/AndroidManifest.xml
Not all permissions require user approval
– Signature
– SignatureOrSystem
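
The install-time rules on the permission slides above, as an added example that is not from the talk or from Android's source: a simplified Python model of which requested permissions are granted silently, which are shown to the user as one block, and which are refused. The protection levels in LEVELS, the com.example permission names and the certificate labels are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Protection levels are assumptions for this example; the platform's real
# values live in /core/res/AndroidManifest.xml as the slide says.
LEVELS = {
    "android.permission.VIBRATE": "normal",
    "android.permission.SEND_SMS": "dangerous",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "com.example.vendor.permission.SYNC": "signature",              # hypothetical
    "com.example.platform.permission.UPDATE": "signatureOrSystem",  # hypothetical
}
# Certificate (a label here) that signed the package declaring each permission.
DECLARING_CERT = {
    "com.example.vendor.permission.SYNC": "vendor-cert",
    "com.example.platform.permission.UPDATE": "platform-cert",
}

@dataclass
class Package:
    name: str
    cert: str
    on_system_image: bool
    requested: tuple

def resolve(pkg):
    """Split requested permissions into (silent, prompted, refused)."""
    silent, prompted, refused = [], [], []
    for perm in pkg.requested:
        level = LEVELS.get(perm)
        same_cert = DECLARING_CERT.get(perm) == pkg.cert
        if level == "normal":
            silent.append(perm)        # granted, never displayed
        elif level == "dangerous":
            prompted.append(perm)      # displayed at install time
        elif level == "signature" and same_cert:
            silent.append(perm)
        elif level == "signatureOrSystem" and (same_cert or pkg.on_system_image):
            silent.append(perm)
        else:
            refused.append(perm)       # unknown name or certificate mismatch
    return silent, prompted, refused

def install(pkg, user_accepts):
    """The prompted block is all-or-nothing: decline it and nothing installs."""
    silent, prompted, _ = resolve(pkg)
    if prompted and not user_accepts:
        return None
    return set(silent) | set(prompted)
```
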

Permissions: Granularity
Granularity in the permissions themselves
– Internet is a single permission
Granularity in user control
– Can't approve a subset of the requested permissions

Permissions: Granularity
Too fine granularity overloads users
Overloaded users stop paying attention

Permissions: Enforcement
Permission checks are performed in PackageManagerService

    public int checkUidPermission(String permName, int uid) {
        synchronized (mPackages) {
            Object obj = mSettings.getUserIdLP(uid);
            if (obj != null) {
                GrantedPermissions gp = (GrantedPermissions)obj;
                if (gp.grantedPermissions.contains(permName)) {
                    return PackageManager.PERMISSION_GRANTED;
                }
            } else {
                HashSet<String> perms = mSystemPermissions.get(uid);
                if (perms != null && perms.contains(permName)) {
                    return PackageManager.PERMISSION_GRANTED;
                }
            }
        }
        return PackageManager.PERMISSION_DENIED;
    }

Permissions: Services
Services must explicitly check permissions at IPC entry points

    public void call(String number) {
        // This is just a wrapper around the ACTION_CALL intent, but we still
        // need to do a permission check since we're calling startActivity()
        // from the context of the phone app.
        enforceCallPermission();
        String url = createTelUrl(number);
        if (url == null) {
            return;
        }
        Intent intent = new Intent(Intent.ACTION_CALL, Uri.parse(url));
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        intent.setClassName(mApp, ity(intent);
    }

Permissions: ContentProviders
Read and Write permissions handled by system
Must implement per-URI permission granting

Malware and Exploit Examples
Getting root
Remote exploits
Protocol weaknesses
Making money

Leaky Apps
Content Providers, SD/Card
Network communication
– Spoofed http responses
– Authtokens
Unreliable deputies

GSM Weaknesses
Well publicized attacks on GSM
– See Karsten Nohl
The cost of intercept equipment is marginal

Privilege Elevation
Send an Intent or Binder data to another app that causes unexpected behavior
– Some critical services have very complicated interfaces
Change your own uid or gid
– Kernel, zygote, etc

Android Exploit Examples
Sebastian Krahmer (stealth)
– Zimperlich
    Forkbomb to process limit
    Zygote will fail to change uid from root on fork
– Gingerbreak
    Unchecked array index in vold
    Rewrite GOT entry for strcmp()

Android Remote Exploit Examples
Colin Mulliner
– NFC remote application crash
– NFC remote NFC service crash
Charlie Miller
– PacketVideo media library

Malware Threats
Jon Oberheide
– Rootstrap
– Download and execute exploits as they become available

Malware Threats
Untargeted Monetization
– Premium SMS
– 1-900 Numbers
Persistence
– Remount /system r/w
– Turn off AV tools

Solutions and Best Practices
System Level Changes
Security Applications
Auditing Applications

System Level Changes
Full disk encryption
Dynamic egress filtering
Selective permissions
Extended code signing

Disk Encryption
Honeycomb
– MTD devices only
– Tied to screen lock
WhisperCore
– yaffs variant supports MTD and block devices
– Enhanced screenlock

Dynamic Information Flow Tracking
DIFT inside the Dalvik VM
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
– William Enck, Peter Gilbert, Byung-gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. In Proc. of the USENIX Symposium on Operating Systems Design and Implementation (OSDI), October 2010 in Vancouver

Dynamic Information Flow Tracking
Variable tracking in Dalvik
Message tracking in Binder
Method tracking in system libraries
File tracking via file-system extension

Dynamic Egress Filtering
Monitor outgoing network connections.
Filter connections by:
– Initiating app.
– Destination.
– Network type and location.
Prompts when connections are initiated

Selective Permissions
Remove specific permissions
Create temporary and isolated copies of requested resources

Exploit Mitigation
Address Space Randomization for Mobile Devices
– Hristo Bojinov, Dan Boneh, Rich Cannings, Iliyan Malchev – WiSec 2011
– Randomizes addresses
    Even with prelinked libraries
– Android moving to ld.so
– Still forking zygote?

Extended Code Signing
Management of which apps can run
– Whitelist or blacklist
– Installed apps can be blocked
Lets administrators sign, update, install, and remove apps remotely

Security Applications
Secure backup
Secure communications
Secure storage

Secure Backup
Secure incremental backup
Cloud or backend storage
Remote image management
Remote wipe

Secure Communication
Voice calls
– VoIP solutions: RedPhone, PrivateWave, Cellcrypt
Messaging
– SMS/MMS/IM
Email
– Good, MobileIron, TouchDown

Malware Detection
Google
– Can remove malware from Market
– Can remotely disable and update
Lookout
– At the endpoint, limited access
– Can be disabled by malware

Auditing an Application
Examine the Manifest
Decompilers
Other Tools

Auditing an Application
ISEC's Manifest Explorer
Author: Jesse Burns

Auditing an Application
Use adb to pull the apk from the phone
    adb pull /data/app/packagename.apk
    adb pull /system/app/packagename.apk

Auditing an Application
Use dedex (Nathan Keynes) and jd-gui to inspect DEX code
    unzip package.apk
    dedex classes.dex
    jd-gui classes.jar

JD-GUI

Other Audit Tools
– Dynamic Information Flow Tracking
    TaintDroid
– Mandatory Access Control
    TOMOYO Linux
– Emulator
    Scott Dunlop's JDWP- JDP method
– Network Monitoring
    WhisperMonitor
    Wireshark
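
The "Examine the Manifest" audit step, as an added example that is not part of the talk or of any tool it names: a Python check that lists an app's requested permissions and flags components reachable by other apps without any permission guard, the kind of leaky provider or unreliable deputy mentioned earlier. It assumes the manifest has already been decoded from the APK's binary form to text XML; the sample manifest and the com.example.notes names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (decoded text form), not from a real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".Sync" android:exported="true"/>
    <service android:name=".Upload" android:exported="true" android:permission="com.example.notes.UPLOAD"/>
    <receiver android:name=".Boot" android:exported="false">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"/>
  </application>
</manifest>"""

def is_exported(el):
    """Apply the platform defaults when android:exported is not written out."""
    explicit = el.get(ANDROID + "exported")
    if explicit is not None:
        return explicit == "true"
    if el.tag == "provider":
        return True  # providers were exported by default before API 17
    return el.find("intent-filter") is not None

def is_guarded(el):
    """True if the component declares any permission attribute of its own."""
    keys = ("permission", "readPermission", "writePermission")
    return any(el.get(ANDROID + k) for k in keys)

def audit(manifest_xml):
    """Return (requested permissions, exported components with no guard)."""
    root = ET.fromstring(manifest_xml)
    requested = [p.get(ANDROID + "name") for p in root.iter("uses-permission")]
    unguarded = []
    for kind in COMPONENTS:
        for el in root.iter(kind):
            if is_exported(el) and not is_guarded(el):
                unguarded.append((kind, el.get(ANDROID + "name")))
    return requested, unguarded
```

A launcher activity such as .Main is expected in the flagged list; the entries worth reading in the decompiled code are the services, receivers and providers.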

Summary: Android Security
Embedded and consumer
Tradeoffs made against security
Divided responsibility for security
System and application layer solutions