Android security back to basics - ensiwiki.ensimag.fr (slide transcript)
• Description: brief introduction to basic android security mechanisms
• Speakers: Adrien Hamraoui, Fabien Duchene
Android security back to basics!
SecurIMAG
2011-12-15
WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.
¡¡_ (in)security we trust _!!!
Grenoble INP Ensimag
Summary
2 SecurIMAG - Android security-back to basics - A. Hamraoui - F. Duchene - 2011-12-15
• En-droeede?
• Android security mechanisms
• Droid, show your dark side!
• Practical demonstration: from trial to full version
1/ En-droeede?
• History • Android overview • Dalvik • Play with that robot?
1.1 History
• 2003: Android Inc.
• 2005: Google
• 2007: product release
• 2010: ROI
• Different OS versions on the Android market, in 2011:
Sécurité du système Android, Nicolas Ruff (EADS), SSTIC 2011
1.2 Android introduction
• Linux kernel 2.6.x, with some divergences
• Smartphones
• ARM
1.2. Android overview
1.3. Dalvik?
• Dalvik VM ~ Java VM … in a special flavor:
  • Class library: subset of the Apache Harmony specifications
    o No JME, Swing, AWT
  • Just-in-time compiler
  • Not a stack machine, but register-based
    o lower CPU frequency for similar performance
  • 16-bit instruction set
  • No swap
  • Executables: DEX format
http://source.android.com/tech/dalvik/dex-format.html
1.3 How to play with that robot?
• Phone:
  • Debug mode, then SDK
  • Root it
  • Obvious bugs in the stupid manufacturer-customized GUI.. WTF!!
• Virtualized:
  • Same stuff except the SIM card, thus no GSM network
    o “Android Emulator” from the Android SDK
    o VirtualBox-compatible VM
2/ Android security mechanisms
• Application: permissions, signature, updates
• Physical access
• Encryption
• DEP, ASLR
• Rooting
• Anti-rooting protections
OS architecture
Android application
• .apk: a JAR with the .apk extension
• MIME type: application/vnd.android.package-archive
• Content:
  • Manifest.MF (typical JAR)
  • CERT.RSA: certificate of the application
  • CERT.SF: list of SHA-1 hashes of resources
  • classes.dex
  • res: directory of the resources used
  • AndroidManifest.xml: application name, permissions, referenced libraries
Application Permissions
• The application declares the permissions it requests
• The user is prompted when installing or updating
Manifest.permission – android developers
Application Signature
• Application: self-signed certificate possible (difference with iOS)
• Firmware
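The per-file digest list mentioned in the APK content and signature slides is what lets a checker spot a package whose files were altered after signing. The Python below is an added example written for this page, not code from the talk: it recomputes SHA-1 digests over the archive entries and compares them with MANIFEST.MF (the JAR layout Android signing uses), and it builds its own toy APK (constructed, not a real app) to exercise the check.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Parse a JAR MANIFEST.MF into {entry: SHA1-Digest}; a line starting with a space continues the previous one (72-byte wrap)."""
    digests, name = {}, None
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if line.startswith("Name: "):
            name = line[len("Name: "):]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = line[len("SHA1-Digest: "):]
        elif line == "":
            name = None  # blank line ends the current section
    return digests

def check_apk_digests(apk_bytes):
    """Recompute SHA-1 of every non-META-INF entry and compare it with MANIFEST.MF."""
    findings = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        listed = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        names = [n for n in z.namelist() if not n.startswith("META-INF/") and not n.endswith("/")]
        for n in names:
            actual = base64.b64encode(hashlib.sha1(z.read(n)).digest()).decode()
            if n not in listed:
                findings["unlisted"].append(n)   # file added after signing
            elif listed[n] == actual:
                findings["ok"].append(n)
            else:
                findings["mismatch"].append(n)   # file changed after signing
        findings["missing"] = [n for n in listed if n not in names]
    return findings

def build_sample_apk(tamper_dex=False):
    """Constructed toy APK (not a real app): two entries plus a MANIFEST.MF listing their digests; tamper_dex changes the bytecode without regenerating the manifest."""
    files = {"classes.dex": b"dex\n035\x00toy-dex-bytes", "AndroidManifest.xml": b"<manifest/>"}
    sections = ["Manifest-Version: 1.0", ""]
    for n, data in files.items():
        sections += [f"Name: {n}", "SHA1-Digest: " + base64.b64encode(hashlib.sha1(data).digest()).decode(), ""]
    if tamper_dex:
        files["classes.dex"] = b"dex\n035\x00patched-dex-bytes"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(sections) + "\r\n")
        for n, data in files.items():
            z.writestr(n, data)
    return buf.getvalue()
```

A package that was modified and then fully re-signed with another key passes this check, so the signer certificate in CERT.RSA has to be compared with the expected one separately.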
Updates
• Automatic, if permissions do not change
• Over-the-air OS update (no crappy music/video/podcast/photo/updater/contact syncer/reader/wtf needed ;)
Isolation, Sandboxing
• Each application has:
  • its own GID:UID
  • its own storage directory (could be on the SD card)
  • DEX can only instantiate classes:
    o within the executable
    o from resources (in the APK)
    o defined in the Manifest
Physical access
• Authentication / screen unlock:
  • PIN, password
  • Pattern: contiguous path within a 9-node graph
  • After too many errors, possibility to reset with the Google ID security question
• Cold boot attacks
• SD card:
  • no permissions (FAT volume)
  • no encryption out of the box
Encryption
• Whole disk encryption (Android >= 3.0):
  • Password screen lock
  • /data:
    o AES128 CBC + ESSIV:SHA256, key derived from (pwd, salt, SHA-1); password change => re-encrypt
    o dm-crypt (Linux kernel)
  • No HW acceleration
  • Vuln: evil-maid, cold-boot
Deep Dive Android Security, Aleksandar Gargenta, AnDevConII, 2011
Memory security protection
Protection: against …
• DEP (Android >= 2.3): code execution on the stack and heap
• ProPolice: stack BOF
• safe_iop(): reduces probability of integer overflow
• dlmalloc() [OpenBSD]: double-free
• calloc() [OpenBSD]: integer overflow during allocation
• mmap_min_addr [Linux]: NULL pointer dereference privilege escalation
ASLR
• Today:
  • Prelinking (fixed addresses, for performance)
    o Shared libs compiled as Position Independent Code
    o Base executables PIC, but not linked as PIE
    o Dynamic linker at a fixed address (not able to relocate itself, unlike ld.so)
    o Return-to-libc possible
• Proposal: Address Space Randomization for Mobile Devices
  o State of the art of ASLR (PaX, Windows, Mac OS X)
  o Disable lib pre-linking: how does it affect compilation?
  o Randomization during update
  o Implemented in Android 4.0 (haven't checked how)
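The DEP and ASLR slides describe two properties of a native binary: a non-executable stack and whether the executable is linked as PIE. The Python below reads both from the ELF headers, so a binary copied off a device can be inspected; it is an added example, not code from the talk, assumes only the standard ELF32/ELF64 header layout (ELF64 handled in addition to the 32-bit ARM binaries of the period), and constructs its own toy ARM image (headers only, no code) to exercise the check.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                 # e_type: fixed-address executable vs. relocatable (PIE/shared)
PT_GNU_STACK, PF_X = 0x6474E551, 0x1   # stack-permission program header and its execute flag
EM_ARM = 40

def inspect_elf(data):
    """Return {"pie": bool, "nx": bool|None}: PIE when e_type is ET_DYN; NX when a
    PT_GNU_STACK header exists without PF_X (None: no such header, kernel default applies)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    fmt = "HHIQQQIHHH" if is64 else "HHIIIIIHHH"   # e_type .. e_phnum, right after e_ident
    fields = struct.unpack_from(end + fmt, data, 16)
    e_type, phoff, phentsize, phnum = fields[0], fields[4], fields[8], fields[9]
    nx = None
    for i in range(phnum):
        off = phoff + i * phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:  # ELF32 keeps p_flags at offset 24 inside the program header
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + 24)[0]
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx}

def build_sample_elf32(pie, exec_stack):
    """Constructed minimal little-endian ARM ELF32 image: header plus one PT_GNU_STACK
    program header and nothing else, only for exercising inspect_elf."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)          # 32-bit, LE, version 1
    hdr = struct.pack("<HHIIIIIHHHHHH", ET_DYN if pie else ET_EXEC, EM_ARM, 1, 0,
                      52, 0, 0, 52, 32, 1, 40, 0, 0)              # phoff=52, one 32-byte phdr
    flags = 0x6 | (PF_X if exec_stack else 0)                    # PF_R|PF_W, plus PF_X if executable
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)
    return ident + hdr + phdr
```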
3/ Droid, show your dark side!
• Big Brogle is watching you
• Rooting
• Attack surface
• Permissions … social engineering (SE)
• Malware
Big Brogle is watching you
• Remote kill switch (Google)
• Have you looked at the WHOLE kernel and firmware to check that no backdoor exists?
Device administrator
Rooting
• The good:
  • Total control
  • Remove system apps (or operators' apps, eg: “Orange contact backup”)
  • Remove rootkit? ;)
• Method:
  o Exploit a vuln. of the current firmware
  o Recovery partition -> alternate OS
  o .. Already-rooted firmware stored on /sdcard
  o Reboot in recovery, flash with rooted fw
  o Superuser.apk ; /system/bin/su
Bad rooting stuff..
• Save the previous image
• If you run a non-trusted app, the whole OS+data is ***ed up
• Sometimes disables protections
Attack surface
• WebKit rendering engine
  • http://www.exploit-db.com/exploits/15548/
  • http://www.exploit-db.com/exploits/16974/
  • …
• OS: libc, adb
• Native Flash player
• Communication interfaces:
  • Data, 3G, always connected
  • Wifi
• Data processing:
  • SMS (eg: Charlie Miller, iOS, SMS fuzzing, crashed the SMS rendering process every time a specially crafted SMS was received, BlueHat 2011)
  • Voicemail
Permissions
• Social engineering:
  • Would a n0ob standard user make the right decision?
  • Some “normal” permissions hidden
  • With a lot of permissions, do you really read them?
  • “App phishing”?
Android malwares
Funny attack: tap-jacking
• Malicious app:
  • Starts a sensitive activity (eg: application trust dialog)
  • Overlays part or the whole screen
  • Fools the user into clicking
  • Click not handled by the attacker's layer (it reaches the activity underneath)
Random remarks
• NO: • Firewall • HIDS • Anti-Malware
4/ practical demonstration: from trial to …
• Obtaining the .apk
• Extracting the DEX
• Visualizing the source code
• Modifying the bytecode
• Correct the signature
• Reinject the application
4.1/ Obtaining the application
• First step: get the app from your phone
• Use the adb shell to locate the package: check /data/app or /data/app-private
• Download it with the adb pull command
• Now let’s have fun!
4.2/ Coffee time
• Now let’s have a look at the source code!
• Use dex2jar to convert your .apk file into a .jar
• Use JDGUI to view the source code
• Nice! But you can’t edit the code
4.3/ give me bytecode please !
• Use apktool to reverse the apk into bytecode
• By the way, thanks Google for maintaining apktool!
• Apktool extracts all the resources of the apk: AndroidManifest, layouts, values, pictures…
• Use adb to download the preferences file of the application
4.4/ Let's see what you're made of, mister !
• Find the entry point in the AndroidManifest
• Read the code from JDGUI and edit it in the smali files
4.5/ practical demonstration
• Now it is time to recreate the apk!
• Use apktool again to build your package
• Now sign your package with jarsigner (any key will work)
• Use adb to install the new package!
4.6/ Some tools
• Useful software:
• Dex2Jar : https://code.google.com/p/dex2jar/
• JDGUI : http://java.decompiler.free.fr/?q=jdgui
• Apktool : https://code.google.com/p/android-apktool/
• Jarsigner : http://docs.oracle.com/javase/1.3/docs/tooldocs/win32/jarsigner.html
• Smali Wiki : https://code.google.com/p/smali/w/list
• Where it all began : https://www.youtube.com/watch?v=m8fdbfjc8OU
Conclusion
• A lot of people say “Android is to the mobile environment what Windows used to be in the 90’s”
• Good basis: various mitigation techniques (OpenBSD, Linux)
• BUT:
  o not all phones have NX/DEP in the OS
  o the most deployed versions lack ASLR
• Large attack surface
• Permissions: imperfect (vulnerable to social engineering)
• Dalvik VM (similarities to Java) facilitates the reverse engineering process of DEX applications