Android Security Extensions

Transcription

1 Android Security Extensions

2 Android Security Model Main objective is simplicity Users should not be bothered Does the user care? Most do not care until its too late But We do It needs a more advanced security mechanism

3 Who is in charge of Security? It depends on the device use Personal use: then the user is in charge Work use: the security admin of the company BYOD: both The user for the private/personal part The security admin for the work part Google: they are in charge They control the platform The App developers Not as much as you think

4 Able to change your mind? The authority that is in charge should be allowed to change security policies/settings This should be done By using the device Remotely No side effects on the apps installed With the current model it is not possible Most apps crash when operations are denied

5 Defining Malware Any software that can disrupt normal activities Any software that does not behave as declared Any software that compromises some properties Privacy Confidentiality Reliability

6 Poorly Designed Apps If not designed properly, apps can (unintentionally): Deplete your resources (battery, data, etc.) Expose resources (internet, location, etc.)

7 Over Privileged Apps Apps (developers) can ask for any combination of permissions Users can either install the apps (granting permissions) or not install at all Combinations of permissions such as Internet and Locations SMS Local Storage Can result in information leakage

8 Privilege Escalation Attacks An adversary tries to escalate privileges to get unauthorised access to protected resources Confused deputy attack Leverage the vulnerability of a benign application Colluding attacks More applications collaborate to get an objectionable set of permissions Android does not deal with transitive privilege usage Allows applications to bypass restrictions imposed by their sandboxes An application with less permissions (a non privileged caller) is not restricted to access components of a more privileged application (a privileged callee) by default.

9 Privilege Escalation Attacks Data from component CA1 can reach component CC1 indirectly, via the CB1 component CB1 is able to access CC1 component since the application B and consequently all its components are granted p1 permission

10 Privilege Escalation Attacks Application B must enforce additional checks on permissions to ensure that the application calling CB1 component is granted a permission p1 Reference monitor hooks included in the code of the component The task to perform these checks is delegated to application developers instead of being enforced by the system in a centralized way

11 Android Security Extensions

12 Fine grained Security Policy Saint (ACSAC 09) Allows app developers to protect their applications from being misused APEX (ASIACCS 10) Circumvent the All or Nothing approach of Android permission granting Porscha (ACSAC 10) Support for DRM like policies for phone data CRePE (ISC 10) Enforcement of context related policies

13 Data Filtering and Tainting MockDroid (HotMobile 11) Limiting the access to the data TISSA (Trust 11) Substituting the reply from content providers TaintDroid (OSDI 10) Labelling of data for preventing data leakage

14 Protection against Privilege Escalation QUIRE (USENIX Security Symposium 11) Effective against confused deputy attacks Tracing of IPC chain to check if all apps have the right to access a resource However It requires that apps have to use modified API It does not solve the problem of colluding apps

15 Protection against Privilege Escalation AppFence (TR 11 Uni Washington and MS Research) Based on TaintDroid for taint capability It supports data shadowing and protects from data exfiltration However Effective only against confused deputy attack

16 Protection against Privilege Escalation XManDroid (TR 11) Real time IPC monitoring System state of the app communications for potential spread of privileges However No control outside the IPC channels (i.e. Internet access)

17 What is missing? No modifications to Android API No trust on apps Control over IPC and system level calls (internet) Data filtering capabilities Tuneable

18 That is why they came up with Yet Another Android Security Extension

19 Readings Davi, Lucas, et al. "Privilege escalation attacks on android." Information Security. Springer Berlin Heidelberg,

20 Questions?