Android System Security
C.K.Chen
2014/09/02
Outline
• Some news about Android threats
• Android Threat Model
– Attack from Computer
– Attack from Firmware
– NFC Security
– Bluetooth Security
• Malicious APP
• Summary
Vulnerability
Android Threat Model
Attack from Computer
• Gaining root access
– Official: simulate screen tap events to the OEM unlock menu on selected devices.
– Universal: Linux local root exploit (CVE-2009-1185, RLIMIT_NPROC exhaustion) sent via USB
• Insert malicious payload
– Kernel: disassemble the boot partition, replace the kernel zImage with a malicious one
• Optionally unroot back to avoid detection
Attack from Computer
• Kernel manipulation
• Native ARM ELF binary, bypassing Android framework permission checking.
• In sum, a complete phone provisioning process fully automated with an evil payload.
Attack from Firmware
• Customized firmware
– Distributed by network
– Pay manufacturers to include the malware
– Some manufacturers used firmware images from the internet
NFC Security
• Near field communication (NFC) is a set of standards
– for smartphones and similar devices to establish radio communication
– by touching them together or bringing them into proximity, usually no more than a few centimeters.
NFC Security
• No link-level security (wireless not encrypted)
– Eavesdropping (sniffing)
– Man-in-the-middle
– Data: modification, corruption, insertion
• Tamper with NFC/RFID tags
– Modify the original tag
– Replace with a malicious tag
Bluetooth Security
• Bluetooth is a wireless technology standard for exchanging data over short distances
Bluetooth Security
• General software vulnerabilities
• Eavesdropping
– older Bluetooth devices use versions of the Bluetooth protocol that have more security holes
• Denial of service
• Bluetooth range is greater than you think
– Bluetooth is designed to be a “personal area network.”
– Hackers have been known to use directional, high-gain antennae to successfully communicate over much greater distances.
– For example, security researcher Joshua Wright demonstrated the use of such an antenna to hack a Bluetooth device in a Starbucks from across the street.
Attack WebKit
• WebKit is a layout engine software component for rendering web pages in web browsers.
• It is the basis of web-based applications
Attack WebKit
[Diagram: 1. connect; 2. send malicious content; Malicious Website; Do something bad]
Attack WebKit
• https://www.youtube.com/watch?v=czx_AKdj8ug
MMS
• Multimedia Messaging Service
– A standard way to send messages that include multimedia content to and from mobile phones
– It extends the core SMS (Short Message Service) capability that allowed the exchange of text messages
MMS Flow (Intra-carrier)
MMS Attack Vectors
• MMS Attack Vectors
– Message headers
– MMS uses many types of messages: SMS, WAP, WSP
• Message contents
– SMIL: markup language to describe content
– Rich content: images, audio/video
MMS Security
• Mobile phone messaging is a unique attack surface
– Always on
• Functionality becoming more feature-rich
– Ringtones
– Videos
– Pictures
• Technical hurdles for attackers are dropping
– Easily modified phones
• Functionality at higher layers
Implementation Vulnerability
• Android flaw in parsing the UDH for concatenated messages
– Concatenated messages have a sequence number. Valid range is 01-FF.
• Setting the sequence number to 00 triggers an unhandled invalid array exception.
• Impact: crashed the com.android.phone process on the Android G1
– Disables all radio activity on the phone.
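As an added example (not part of the slides), a defensive parser for the concatenated-SMS User Data Header that validates the sequence number before it is ever used as an array index, so the 00 case described above is rejected instead of crashing the receiver. The UDH layout (length byte, then IEI/IEDL/data elements; IEI 0x00 carries reference, total parts and sequence) follows the 3GPP TS 23.040 format; the sample headers are constructed.

```python
from typing import Dict, List, Optional, Tuple

UDH_IEI_CONCAT_8BIT = 0x00  # IE data: reference, total parts, sequence number

def parse_udh(udh: bytes) -> List[Tuple[int, bytes]]:
    """Split a User Data Header into (IEI, data) pairs; byte 0 is the UDH length."""
    if not udh or udh[0] != len(udh) - 1:
        raise ValueError("UDH length byte does not match header size")
    ies, i = [], 1
    while i < len(udh):
        if i + 2 > len(udh):
            raise ValueError("truncated IE header")
        iei, iedl = udh[i], udh[i + 1]
        data = udh[i + 2:i + 2 + iedl]
        if len(data) != iedl:
            raise ValueError("truncated IE data")
        ies.append((iei, bytes(data)))
        i += 2 + iedl
    return ies

def concat_info(udh: bytes) -> Optional[Tuple[int, int, int]]:
    """Validated (ref, total, seq), or None for a single-part message. Sequence 00
    (the crash case on the slide) is rejected before any array is indexed with it."""
    for iei, data in parse_udh(udh):
        if iei == UDH_IEI_CONCAT_8BIT:
            if len(data) != 3:
                raise ValueError("concat IE must be 3 bytes")
            ref, total, seq = data
            if total < 1 or not 1 <= seq <= total:  # valid range is 01..total
                raise ValueError(f"invalid part {seq:02X} of {total:02X}")
            return ref, total, seq
    return None

def assemble(store: Dict[tuple, list], udh: bytes, body: bytes) -> Optional[bytes]:
    """Collect parts keyed by (ref, total); return the full body once all arrive."""
    info = concat_info(udh)
    if info is None:
        return body
    ref, total, seq = info
    slots = store.setdefault((ref, total), [None] * total)
    slots[seq - 1] = body  # safe: seq was range-checked in concat_info
    if all(s is not None for s in slots):
        del store[(ref, total)]
        return b"".join(slots)
    return None

# Constructed sample UDHs: a two-part message with reference 0x2A, plus the bad case.
PART1 = bytes([0x05, 0x00, 0x03, 0x2A, 0x02, 0x01])
PART2 = bytes([0x05, 0x00, 0x03, 0x2A, 0x02, 0x02])
BAD_SEQ_00 = bytes([0x05, 0x00, 0x03, 0x2A, 0x02, 0x00])
```

A real receiver would also bound the number of pending reassembly buffers per sender, since `store` grows until every part arrives.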
MMS Attack
Malicious APP
• Many attack methods must go through a malicious APP
APP Permission
• Malicious apps often declare more permissions, e.g.:
android.permission.SEND_SMS / RECEIVE_SMS
android.permission.SYSTEM_ALERT_WINDOW
android.permission.READ_CONTACTS / WRITE_CONTACTS
android.permission.READ_CALENDAR / WRITE_CALENDAR
android.permission.CALL_PHONE
android.permission.READ_LOGS
android.permission.ACCESS_FINE_LOCATION
android.permission.GET_TASKS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.CHANGE_WIFI_STATE
com.android.browser.permission.READ_HISTORY_BOOKMARKS / WRITE_HISTORY_BOOKMARKS
Confused Deputy Attack
Repackage APK
• Fake app that clones the code from the original one
– And adds some malicious code
– Changes the ad library
Repackage APK
Privilege Escalation
• Two or more malicious apps
– Each has fewer permissions and seems harmless
– By communicating through intents, these apps achieve malicious behaviors which require higher permissions
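As an added example (not from the slides), a manifest triage script that serves both the APP Permission slide and the confused-deputy / privilege-escalation slides: it flags the watchlisted permissions listed earlier and reports components that other apps can reach by intent without a permission guard, which is where an intent-based collusion path would start. The sample manifest is constructed, and the rule that a component with an intent filter is exported by default reflects pre-API-31 behavior (an assumption stated here, not from the slides).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace
MAIN = "android.intent.action.MAIN"

# Watchlist: the permissions the slide says malicious apps often declare.
WATCHLIST = {"android.permission." + p for p in (
    "SEND_SMS", "RECEIVE_SMS", "SYSTEM_ALERT_WINDOW", "READ_CONTACTS", "WRITE_CONTACTS",
    "READ_CALENDAR", "WRITE_CALENDAR", "CALL_PHONE", "READ_LOGS", "ACCESS_FINE_LOCATION",
    "GET_TASKS", "RECEIVE_BOOT_COMPLETED", "CHANGE_WIFI_STATE")} | {
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS",
    "com.android.browser.permission.WRITE_HISTORY_BOOKMARKS"}

def triage_manifest(xml_text: str) -> dict:
    """Flag watchlisted permissions and components reachable by other apps' intents
    without a permission guard (where a confused-deputy / collusion path would start)."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    open_components = []
    for tag in ("activity", "service", "receiver", "provider"):
        for comp in root.iter(tag):
            filters = comp.findall("intent-filter")
            actions = {a.get(ANDROID + "name") for f in filters for a in f.findall("action")}
            # Pre-API-31 default (assumption): a component with an intent-filter is exported.
            exported = comp.get(ANDROID + "exported") == "true" or bool(filters)
            if exported and MAIN not in actions and comp.get(ANDROID + "permission") is None:
                open_components.append(f"{tag}:{comp.get(ANDROID + 'name')}")
    return {"watchlisted": sorted(requested & WATCHLIST), "open_components": open_components}

# Constructed sample manifest (not from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SmsSender" android:exported="true"/>
    <receiver android:name=".Boot" android:permission="com.example.sample.INTERNAL">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
```

The launcher activity is skipped because it must be exported; the guarded receiver is not reported, while the unguarded exported service is.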
Mitigate the Threat
• For the user
– Update to the newest version
• Android
• APP
– Close unused services
– Install apps that you trust
Mitigate the Threat
• For the developer
– Basic security concepts
– Code review
– Penetration test
– Keep up with the newest attacks
Summary
• First, we shared some security news on Android
• With so many interfaces for communication, the attack vectors are becoming wider
• The threat model of Android was discussed
• Numerous attack methods were introduced
• Some easy guidelines were proposed for users and developers
Q&A
The New Attacks
• We have already talked about some general attacks
– But attackers’ methods change with time, becoming more specialized and more sophisticated
– Currently, numerous Android security flaws are presented at security conferences
UI State Inference Attack
• An attacker can guess which Activity is currently viewed by the user
– Try to hijack the Activity
– Do something bad
• Demo video
Recognizing Speech From Gyroscope Signals
• A gyroscope is a device for measuring or maintaining orientation
Recognizing Speech From Gyroscope Signals
• Gyroscope access is a low-level permission for an app
– Users may ignore it
• While speech recording is a dangerous permission
• Researchers show that it is possible to recover speech from gyroscope information
Exploit Update Mechanism
• A new OS version presumably fixes security loopholes and enhances the system’s security protection
• Apps automatically acquire significant capabilities without users’ consent once they upgrade to newer versions!
– automatically obtaining all new permissions added by the newer OS version
– replacing system-level apps with malicious ones
– injecting malicious scripts into arbitrary webpages
Exploit Update Mechanism
• It exploits the flaws in the updating mechanism of the “future” OS, which the current system will be upgraded to
• Demo video
Security Risks in Customizations
• For each new Android version, Google first releases it to mobile phone vendors, allowing them to add their apps, device drivers and other new features to their corresponding Android branches.
• Recent studies show that many pre-loaded apps on those images are vulnerable, leaking system capabilities or sensitive user information to unauthorized parties.
2014/5/19 42
Security Risks in Customizations
• The security risks here, however, go much deeper than those on the app layer.
• Particularly, vendors almost always need to modify a few device drivers (e.g., for camera, audio, etc.) and related system settings to support their hardware.
Security Risks in Customizations
• Device drivers work on the Linux layer and communicate with Android users through framework services.
• Therefore, any customization on an Android device needs to make sure that it remains well protected at both the Linux and framework layers.
• However, vendors usually don’t have the time to properly address such problems.
The Peril of Fragmentation
• Android devices contain a large piece which is customized by the vendor
– Kernel
– Firmware
• For ease of programming, some security policies are broken
• DEMO Video
