Android Security Device Management and Security by Stephan Linzner & Benjamin Reimold
Introducing
Stephan Linzner
- Consultant, Software Engineer
- Mobile Developer
- Founder of Stuttgart GTUG
- Contact: @onlythoughtwork, XING, Facebook, onlythoughtwork@gmail.com
Benjamin Reimold
- Bachelor-Thesis 2011 (DH Stuttgart)
- Mobile Developer
- Member of Stuttgart GTUG
- Contact: @elektrojunge, XING, benjamin.reimold@aformatik.de
Agenda
- Once upon a time...
- Attack vectors
- Security model
- Best practices
- 3rd party solutions
- and they lived happily ever after - a conclusion.
BACKGROUND INFORMATION
Consumerized IT
- Inversion of technology adoption
- Usage of private mobile devices to access corporate infrastructure
- Consumer market devices used as business devices
Once upon a time
- Until 2007: BlackBerry OS, Windows Mobile OS & Symbian OS
- In 2007: iPhone
- Today: Various mobile platforms for businesses
- Future!?
Why Android matters
- 300,000 activated devices per day (Google 12/2010)
- Strong growth in the last year and still growing
- Likely one of the future dominant mobile platforms (Gartner, Nielsen, Comscore)
- Lots of different devices with different form factors and in different price segments (smartphones, tablets, ruggedized devices)
- Open source (Apache 2.0) & free
Usage scenarios
- Mobile interface to enterprise communication backends
- PIM (Lotus Notes, MS Outlook)
- CRM (Salesforce, Google Apps)
- VPN
- Remote desktop on mobile devices (Parallels mobile for iPhone/Android)
- Custom B2B solutions
- Sales force applications
- Mobile assistance systems
ATTACK VECTORS
General threats
- Private/corporate data stored on the device
- Log files stored on the device
- Continuous data collection (e.g. geolocation tracking)
- Synchronization
  - Contacts
  - Calendar
- Data theft
- 3rd party code
Attack vectors: technical vectors
- Standard malicious software (viruses, trojans)
- Unpatched mobile browsers
- Usage of open Wi-Fi
- Rooting the device (jailbreak)
- Bluetooth, radio vulnerabilities
Attack vectors: social vectors
- Losing the device
- Apps (access to corporate/private data, location)
- (Your) kids!
Attack vectors: Android-specific vectors
- Logcat output
- Attack on application messaging framework
  - Sniffing, fuzzing, exploiting of Intents, Content Providers
- Steal certificate and roll out malicious update (in theory)
- NDK code can bypass Android security model!?
ANDROID'S SECURITY CONCEPT
Coarse-grained security model
- Process isolation enforced by the underlying Linux kernel
  - UID
  - Group ID
- Sandboxing
  - Resources can only be accessed by the owner application
  - Each application runs in its own VM
- Explicit sharing of resources to relax strict process boundaries
  - (Broadcast) Intents, Services, Content Providers, AIDL interfaces to exchange data
Fine-grained security model
- Permissions
  - "A permission is a mechanism that enforces restrictions on the specific operations that a particular process can perform"
- End-user model
System permissions
Declaring permissions
Enforce permissions
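
The content of the permission slides above did not survive extraction. As an added example (not code from the original talk), the sketch below shows a custom permission being declared and then enforced twice: on a Binder call into a service, and on an outgoing broadcast. The package, permission, action and class names are constructed for illustration.

```java
import android.app.Service;
import android.content.Context;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

// Declared in AndroidManifest.xml (names are constructed for this example):
//   <permission android:name="com.example.corp.permission.READ_REPORTS"
//               android:protectionLevel="signature" />
//   <service android:name=".ReportService"
//            android:permission="com.example.corp.permission.READ_REPORTS" />
public class ReportService extends Service {
    static final String READ_REPORTS = "com.example.corp.permission.READ_REPORTS";
    static final String ACTION_UPDATED = "com.example.corp.action.REPORT_UPDATED";
    static final int TXN_GET_REPORT = IBinder.FIRST_CALL_TRANSACTION;

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TXN_GET_REPORT) return super.onTransact(code, data, reply, flags);
            // Runtime check inside the IPC call: throws SecurityException,
            // which is marshalled back to a caller lacking the permission.
            enforceCallingPermission(READ_REPORTS, "READ_REPORTS required");
            reply.writeNoException();
            reply.writeString("constructed report body");
            return true;
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    /** Notifies listeners without exposing the event to every installed app. */
    static void announceUpdate(Context ctx, long reportId) {
        Intent i = new Intent(ACTION_UPDATED).putExtra("id", reportId);
        // Second argument: only receivers holding READ_REPORTS get the intent.
        ctx.sendBroadcast(i, READ_REPORTS);
    }
}
```

With `protectionLevel="signature"` the permission is granted only to apps signed with the same certificate as the declaring app, which keeps the decision out of the end user's install dialog.
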
Criticism of the security model
- Sandboxing & permissions are nice, but
  - Permissions not granular enough
  - No permission transparency
  - Partial permissions not possible
  - Granted permissions can't be changed (unless the app is re-installed)
  - No approval process in Android Market
  - Possibility to install apps without Android Market
  - App certification
BEST PRACTICES
Managing Android phones with Google Apps
- Restrict synchronization (with Google account)
- Password policies (strength, length, require password)
- Automatically lock the device
- Number of invalid passwords allowed before wipe
- Perform remote wipe
Microsoft Exchange? Very basic Full support with BES All (Windows Mobile) or fewer than iOS (Windows Phone 7) Fewer than iOS 14 policies
The device management API
- Introduced with Android 2.2 (Froyo)
- Enforce password policies
  - quality (alphabetic, numeric, alpha-numeric)
  - length
  - reset password
  - maximum failed passwords until wipe
- Lock screen (maximum time to lock device)
- Lock screen password
- Wipe phone
New policies in Android 3.0 (Honeycomb)
- New policies
  - DeviceAdminInfo.USES_ENCRYPTED_STORAGE
  - DeviceAdminInfo.USES_POLICY_FORCE_LOCK
  - DeviceAdminInfo.USES_POLICY_SETS_GLOBAL_PROXY
- Encrypted storage system
  - getStorageEncryptionStatus()
  - setStorageEncryption(ComponentName admin, boolean encrypt)
New policies in Android 3.0 (Honeycomb)
- Proxy support
  - setGlobalProxy(ComponentName admin, Proxy proxySpec, List<String> exclusionList)
- Immediately lock
  - lockNow()
- The password policies were also beefed up, e.g. setPasswordExpirationTimeout()
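
How the Froyo and Honeycomb policies listed above fit together in one device-admin client, as an added example (not code from the original talk). The class names and the policy values are constructed; the `DevicePolicyManager` calls are the ones named on the slides plus the checks needed to verify that a policy actually took effect.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;

public final class CorpPolicy {
    // Hypothetical admin component. It must be declared in the manifest with
    // android.permission.BIND_DEVICE_ADMIN and a device-admin XML whose
    // <uses-policies> lists every policy used below.
    public static class AdminReceiver extends DeviceAdminReceiver { }

    // Constructed policy values, not taken from the slides.
    static final int MIN_LENGTH = 8;
    static final int MAX_FAILED_BEFORE_WIPE = 10;
    static final long MAX_IDLE_MS = 5 * 60 * 1000L;
    static final long EXPIRY_MS = 90L * 24 * 60 * 60 * 1000;

    /** Applies the policy; returns true only if the device now complies. */
    public static boolean apply(Context ctx) {
        DevicePolicyManager dpm = (DevicePolicyManager)
                ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        ComponentName admin = new ComponentName(ctx, AdminReceiver.class);
        // Every setter throws SecurityException unless the user has
        // activated this admin, so check first and fail closed.
        if (!dpm.isAdminActive(admin)) return false;

        // Android 2.2 (Froyo) policies
        dpm.setPasswordQuality(admin, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(admin, MIN_LENGTH);
        dpm.setMaximumFailedPasswordsForWipe(admin, MAX_FAILED_BEFORE_WIPE);
        dpm.setMaximumTimeToLock(admin, MAX_IDLE_MS);

        // Devices that cannot report encryption are treated as non-compliant.
        boolean encrypted = false;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.HONEYCOMB) {
            dpm.setPasswordExpirationTimeout(admin, EXPIRY_MS);
            // Requesting encryption does not encrypt immediately, and some
            // devices cannot encrypt at all, so read the status back.
            dpm.setStorageEncryption(admin, true);
            encrypted = dpm.getStorageEncryptionStatus()
                    == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
        }
        // Setting a policy does not change the current password; verify it.
        boolean passwordOk = dpm.isActivePasswordSufficient();
        if (!passwordOk) dpm.lockNow();  // lock at once while non-compliant
        return passwordOk && encrypted;
    }
}
```

A backend that gates access to corporate data on the return value of `apply()` gets a fail-closed check: an inactive admin, a weak current password, or unencrypted storage all yield `false`.
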
Techniques
- Use a custom ROM
- Use alternative browsers from other vendors (Opera, Firefox, Dolphin), as the standard browser is patched only with OS updates
- Store your data in the cloud with HTTPS
- Prevent all logging output
- Educate your employees!
- Define policies for usage (application/permission whitelist agreements, usage agreements)
- Don't allow installation from unknown sources (non-Android Market sources)
Use encryption
- No encrypted preferences by default
- No encrypted application data on SD card
- Encrypt ALL data
  - Databases
  - Preferences
  - SD card
- Obfuscate
3rd party solutions
- Companies start to provide security solutions
and they lived happily ever after - a conclusion.
- Android will be one of the major mobile platforms in the future
- "Don't take kindness for weakness": Android's openness might be its biggest drawback but also its biggest strength
- Custom builds are very powerful; you can tailor the platform to your very own business needs
- Android already has security features, but they do not come out of the box; you have to use them in your implementation!
- Android 3.0 (Honeycomb) is a big improvement
- Administration and policy management have to be improved
- Google Apps and 3rd party products to secure the devices are already available
Q & A
Any questions?
THX!