Tutorial on Smartphone Security

Transcription

1 Tutorial on Smartphone Security Wenliang (Kevin) Du Professor

2 Smartphone Usage

3 Smartphone Applications

4 Overview» Built-in Protections (ios and Android)» Jailbreaking and Rooting» Security Risks» Malware» Suggestions

5 Protections: Apple versus Google» Approval Processes» Access Control» Data Protection

6 Approval Process Apps Code review, testing, etc. Apple App Distribution Installation Apps Other 3 rd Party stores

7 Apple s App Development Process App Developer Registration Issued by Apple Certificate Accountability, Code Integrity App development

8 Public Key Encryption and PKI» Traditional Encryption: Secret Key Encryption > The same key is used for encryption and decryption > The key must be secret > Algorithms: AES, DES» Public Key Encryption > Public Key: public, used for encryption > Private key: secret, used for decryption > Algorithms: RSA

9 Public Key Encryption M1 Public Key: KeyPub Private Key: KeyPriv KeyPub Enc(M2) M2 Decryption using KeyPriv M3 Algorithm: RSA, ElGamal

10 Digital Signature using Public Key Verify M is written by Alice. Public Key: KeyPub Private Key: KeyPriv KeyPub Alice M, Signature M, Signature Verify M is NOT written by Alice. (M, KeyPriv) Signature KeyPub Algorithm: RSA, ElGamal, DSA

11 Digital Signature using Public Key Du Du s Private Key Digital Signature S Du s Public Key Everybody can verify whether the code is written by Du or not. Question: How do you know the public key is Du s?

12 Digital Certificate and PKI M: Public Key Name: Kevin Du Example: VeriSign M, VeriSign s Private Key Digital Signature S M Verification By everybody VeriSign s Public Key Usually preloaded in browsers and OS Digital Ceritificate: Public Key Name: Kevin Du Some other information VeriSign s Signature

13 The Whole Process

14 Weakness of PKI» We trust CAs (Certificate Authority)» CAs can be compromised > July 10 July 20, 2011: DigiNotar s system was hacked > 500 rogue certificates were issued by hackers Google, Skype, Mozilla, Microsoft > Microsoft remove this CA from its OS > Google and Mozilla block all DigiNotar s digital certificate > DigiNotar filed for bankruptcy in September 2011.

15 Apple s App Development Process App Developer Registration Issued by Apple Certificate Accountability, Code Integrity App development

16 Google s App Development Process Issued by a trusted party Certificate Accountability, Code Integrity App Developer App development Anonymous Certificate (self-signed) No Accountability, No Code Integrity Only for Android Market, Not for 3 rd party market

17 Access Control» We ve Learned: Downloaded programs are dangerous > Virus, Worms > Trojan, Backdoors» Apps are downloaded programs.» Need to control their access.

18 Unix Security Basics: Users» Normal Users > uid: user ID > Users are separated from each other» Root Users (Administrator, Superuser) > uid = 0 > Root has all the privileges > if (uid ==0) do privileged operations

19 Unix File Permission -rwxr-x--- 2 richard staff Aug mydata.txt owner group others

20 Access Control GPS System Resources Isolations - Isolations among Apps - Isolation between App and System

21 Isolation among Apps Uid = 6001 Uid = 6009 Uid = 7003 File permission: rw-rw---- Each App runs as a separate user (normal user) Access control is enforced by the underlying Linux

22 Security Check Break The Isolation among Apps Uid = 1020 Uid = 6009 Data sharing among apps Use the functionalities of other apps

23 Isolation Between App and System GPS Hardware OS Kernel Each app runs as a normal user Only root can directly access system resources System Resources

24 Security Check Allow Apps to Access System Resources GPS Hardware OS Kernel System Resources Privileged Deputy (e.g. system services)

25 Access Control GPS System Resources How to cross the isolation boundary? - Between Apps - Between App and System Permissions Controlled

26 Permission-Based Access Control GPS, Internet Alert: Ask once SMS, , Call: Ask every time Many Others: Granted Installation Execution Can only use A B C User A B C Declare Permissions (Android defines 100+ permissions)

27 Permission Examples in Android ACCESS_FINE_LOCATION BLUETOOTH CALL_PHONE CAMERA INTERNET READ_CONTACTS WRITE_CONTACTS READ_CALENDAR READ_SMS SEND_SMS Access GPS Connect to Bluetooth device Directly make phone calls Use camera Access to the Internet Read user s contacts data Write contacts data Read user s calendar data Read SMS messages Send SMS messages

28 Android s Permission System This is where the problem is. I need: INTERNET Device ID Wireless fraud Accept!

29 Malware: Malicious Software» Malware: Malicious Software > Information Stealer (spyware) > Money Stealer (e.g. make phone calls) > Control the phone (e.g. bot)» How do malware attack?

30 How Malware Attacks Systems Privilege Escalation (Jailbreaking/Rooting) Malicious Apps Abusing the given privileges Stealing personal info. Making expensive phone call Malicious web sites Malicious PDF files Suggestion: patch your system, read reviews, check developer s reputation.

31 Example: Attacks Through Browser» The user visits a malicious or infected website» Code in the page exploit a vulnerability in WebKit, the engine of browsers (CVE )» The attack then exploits a Skype vulnerability (CVE ) > allows local users to read sensitive files including contacts, conversation transcripts, voic , and so on.

32 Unapproved Apps Apps with More power Jailbreaking and Rooting Custom OS More control Custom OS Jailbreak Rooting Apple s Control Google s Control They are legal, but they bring more security risks. Suggestion: don t do it if you don t have to.

33 A Typical Attack on Android Legitimate Developer Android Market, or 3 rd -Party Markets Cases: MYOURNET (21 apps) Droid Dream (>58 apps) Suggestions: Read reviews Check developers Check permissions Install virus scan Malicious Developer Victim

34 Example: Fake Angry Birds Space» Faked one available on various Android app marketplaces, not Google s market» Trojan Horse: Andr/KongFu-L» Use GingerBreak exploit to gain root access» Install malicious code

35 WebView Attack on Web: A Design Flaw 3 rd Party App: Not by FB Malicious App Contents Damage: - Delete Friends - Steal info. In Facebook - Post messages Affect most systems - ios, Android, Windows Phone Suggestion: Use 1 st party or trusted 3 rd party apps to access Web accounts

36 Data Protection

37 Recent Studies (March 2012)» American lost $30B worth of smartphones.» Only 50% lost phones are returned.» Nearly all who found the lost phones tried to access the information on the phone.» 22% of the respondents lost their phones.» 70% didn t use password protection.

38 Consequence of Device Loss Cloud Services Facebook Company WiFi Amazon Online Banking Data Other Accounts Lock the phone does not help much. Remote wipe has limited power.

39 Data Encryption iphone 3GS iphone 4 Password, PIN Encryption is useless PIN: easily crackable 4 digit PIN = 14 bits Strong encryption: 128 bits Suggestion: don t lose your phone

40 Apple v.s. Google» Tight Control: Apple > Control on ios code > Code checking, accountability > Control on the app market» Loose Control: Google > Open source: public scrutiny, contribution by others > No code checking, no accountability > So far, Android has more malwares than ios

41 Summary of Suggestions» Don t root/jailbreak if not necessary» Be more careful when downloading Android Apps» Avoid 3 rd -party Android market» Paid apps turned free: check the developers» PIN doesn t protect your data much

42 Questions?