Android Security
Joshua Hodosh and Tim Leek
This work is sponsored under Air Force contract FA8721-05-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Government.
Android is Middleware
Layer diagram labels: Object-Oriented OS API; IOCTLs, fread, etc.
VK - 2
Android is Middleware
Layer diagram labels: Apache+Proprietary; User-Space Drivers; GPL
Android as a Linux System
Diagram labels: Dalvik Process; Native Process
Zygote forks into Dalvik apps; COW memory includes all Dalvik classes
How does it make calls?
In the Goldfish emulated device, RIL and rild communicate over a socket
Android Package
Zip File (.APK extension) containing:
  XML Manifest: security info, activities (windows), intent filters (event handler registration)
  Dalvik bytecode
  Native code
  Anything else
Android Package: IPC
Android apps are highly multithreaded and componentized
There is no main, just event listeners
Intent objects contain data and/or metadata: a URI, action text, and possibly other data
  Example URIs: http://foo.com, mailto://bar@example, vending://com.app
The intent resolver routes them to the app component(s) they need to be delivered to
Android Security Model
Capability based
Apps request permission to use a set of capabilities, which the user approves at install
  E.g. install apps, send text messages, make phone calls, read GPS, talk to the internet
Only dangerous permissions are even shown to the user; others are silently approved
Mix of coarse- and fine-grained permissions
  All network traffic is one permission
  GPS and cell-triangulation are different permissions
Mostly enforced at the Java API layer
  Each app runs as a separate user
  Some APIs check the user's permissions list
  Some enforcement is by UNIX file permissions
Android Security Model: Custom Permissions
Apps can define and export their own permissions/capabilities
  E.g. a PGP app can let any email client request that an email be signed
Permissions can be protected by the author's private key
  All apps signed with the same private key can use them
Apps by the same author can be merged
  Can load classes from each other (not scary)
  Can request to run as the same user (scary! union of perms)
    This also changes the installed app's permissions
    Since signature-level permissions are auto-granted, this just makes analysis more difficult
Diagram labels: Google Key 57:88; Gmail Access; Google Key A6:00
Android Security Model: Capability Leaks
Lots of implicit permissions for internal communications
App components can be fed arbitrary input
Intents can directly target a component (like Authenticator2 did), bypassing the resolver
Google has a warning on their developer portal
Woodpecker academic software detects issues (North Carolina State University)
  E.g. Samsung phones could be factory reset with a single broadcast message
  Diagram labels: Android Reset Button; Broadcast Intent: SELECTIVE_RESET; Samsung Confirmation Screen (NO AUTHENTICATION); Broadcast Intent: SELECTIVE_RESET_DONE; Android Reset Service
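The two preceding slides describe the manifest-level facts an analyst checks for: which custom permissions an app defines and at what protectionLevel, and which components are reachable by any other app without a permission gate (the capability-leak pattern Woodpecker looks for). The following Python script is an added example, not code from the slides, AndroGuard or Woodpecker; the manifest it parses is constructed for illustration (the com.example.pgpmail package, its permission and component names are all invented), and it applies the pre-Android-12 rule that a component with an intent-filter is exported unless android:exported says otherwise.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
A = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not a real app): one signature-level custom
# permission, one receiver gated by it, one receiver open to any app, and
# one service explicitly kept internal.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pgpmail">
  <permission android:name="com.example.pgpmail.SIGN"
      android:protectionLevel="signature"/>
  <application>
    <receiver android:name=".SignReceiver"
        android:permission="com.example.pgpmail.SIGN">
      <intent-filter><action android:name="com.example.pgpmail.SIGN_MAIL"/></intent-filter>
    </receiver>
    <receiver android:name=".ResetReceiver">
      <intent-filter><action android:name="com.example.pgpmail.SELECTIVE_RESET"/></intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

def defined_permissions(manifest_xml):
    """Map each <permission> the app defines to its protectionLevel
    (Android's default when the attribute is absent is 'normal')."""
    root = ET.fromstring(manifest_xml)
    return {p.get(A + "name"): p.get(A + "protectionLevel", "normal")
            for p in root.iter("permission")}

def is_exported(component):
    """Pre-Android-12 rule: an explicit android:exported wins; otherwise a
    component that declares an <intent-filter> is exported by default."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None

def find_capability_leaks(manifest_xml):
    """Names of components any app can target directly with no permission gate."""
    root = ET.fromstring(manifest_xml)
    return [comp.get(A + "name")
            for tag in COMPONENT_TAGS
            for comp in root.iter(tag)
            if is_exported(comp) and comp.get(A + "permission") is None]

if __name__ == "__main__":
    print(defined_permissions(SAMPLE_MANIFEST))
    print(find_capability_leaks(SAMPLE_MANIFEST))
```

Run against a manifest decoded from a real APK, the leak list is the set of entry points to fuzz or lock down with android:exported="false" or an android:permission attribute.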
Android Security Model: Dynamic Loading
Apps can load any readable Dalvik bytecode file or Linux shared library
.so files don't evade the sandbox
  Either they thunk back to Java through JNI and get checked, or
  they do all the work themselves, and file permission checks in /dev can stop them
Android Security Model: Permission Coverage of APIs
Paraphrasing of Google's advice to app developers: add permissions until the API call succeeds
Two academic efforts to map permissions to protected APIs:
  Android-permissions.org instruments the package manager's permission checker and runs through the Android API dynamically (Dawn Song, UC Berkeley)
  PScout analyzes the Android OS statically (University of Toronto)
Especially complex because of conjunctions and disjunctions
Android Security Model: Files
Files are either private to an application or world-readable, determined by their location
Private files can be shared or made available with IPC
Android Security Model: Google
Phones with Google apps like to talk to Google
  Constant Google Talk connection for notifications
  Play Store (web or app) pushes app install commands over Google Talk
    That's why the PackageManagerService dialog doesn't pop up for them, but does for all apps with the Install packages permission
Google has demonstrated an ability to push delete-app commands
  Used to exterminate any malware found spreading through the Play Store
  Used sparingly
  Not part of open-source Android
  Presumably able to delete any app, not just ones installed through Play
Android Malware
Mostly ask the user for permission to do stuff
  Most of it sends SMSs to premium numbers
  Some are sophisticated trojans with standard remote control
    These usually just ask for permission
  Users want their pr0n and pirated w@r3z and will click anything they have to
Very few use vulnerabilities in Android
  All known rooting malware used exploits previously used for jailbreaking
  0-days may be used by commercial law enforcement tools
    FinFisher/FinSpy (British/German?)
    Remote Control System (hackingteam.it, Milan)
Reverse Engineering Tools
AndroGuard
  Python, open source
  Fully scriptable/extensible; depends on understanding of internal code
  Focused on identifying variants and creating signatures
JEB
  Pair-wise analysis
  Commercial ($1000/seat)
IDA for Android
  With a decompiler
  Has some issues saving notes
  Scripting API v1 is limited
Questions?