Android security back to basics - ensiwiki.ensimag.fr (38 slides)

Page 1:

•  Description: brief introduction to basic Android security mechanisms

•  Speakers:
   •  Adrien Hamraoui
   •  Fabien Duchene

Android security back to basics!

SecurIMAG

2011-12-15

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

¡¡_ (in)security we trust _!!!

Grenoble INP Ensimag

Page 2:

Summary

2 SecurIMAG - Android security-back to basics - A. Hamraoui - F. Duchene - 2011-12-15

•  En-droeede?
•  Android security mechanisms
•  Droid, show your dark side!
•  Practical demonstration: from trial to full version

Page 3:

1/ En-droeede?

•  History
•  Android overview
•  Dalvik
•  Play with that robot?

Page 4:

1.1 History

•  2003: Android Inc.
•  2005: Google
•  2007: product release
•  2010: ROI
•  Different OS versions on the Android Market, in 2011:

Sécurité du système Android, Nicolas Ruff (EADS), SSTIC 2011

Page 5:

Page 6:

1.2 Android introduction

•  Linux kernel 2.6.xxxxx
   •  Some divergences
•  Smartphones
•  ARM

Page 7:

1.2. Android overview

Page 8:

1.3. Dalvik?

•  Dalvik VM ~ Java VM … in a special flavor:
   •  Class library: subset of the Apache Harmony specifications
      o  No JME, Swing, AWT
   •  Just-in-time compiler
   •  Not a stack machine, but register-based
      o  lower CPU frequency needed for a similar performance
   •  16-bit instruction set
   •  No swap
   •  Executables: DEX format

http://source.android.com/tech/dalvik/dex-format.html

Page 9:

1.3 How to play with that robot?

•  Phone:
   •  Debug .. then SDK
   •  Root it
   •  Obvious bugs in stupid customized constructor GUI.. WTF!!
•  Virtualized:
   •  Same stuff except the SIM card, thus no GSM network
      o  “Android Emulator” .. from the Android SDK
      o  VirtualBox compatible VM

Page 10:

2/ Android security mechanisms

•  Application
   •  permissions
   •  Signature
   •  updates
•  Physical access
•  Encryption
•  DEP, ASLR
•  Rooting
•  Anti-rooting protections

Page 11:

OS architecture

Page 12:

Android application

•  .apk: a JAR with the .apk extension
•  MIME type: application/vnd.android.package-archive
•  Content:
   •  MANIFEST.MF (typical JAR manifest)
   •  CERT.RSA: certificate of the application
   •  CERT.SF: list of SHA-1 hashes of resources
   •  classes.dex
   •  res: directory of the resources used
   •  AndroidManifest.xml: application name, permissions, referenced libraries

Page 13:

Application Permissions

•  Exposes permissions
•  User is prompted when installing or updating

Manifest.permission – Android Developers

Page 14:

Application Signature

•  Application
   •  self-signed issuing certificate possible (difference with iOS)
•  Firmware

Page 15:

Updates

•  Automatic – if permissions do not change
•  Over-the-air OS update (no crappy music/video/podcast/photo/updater/contact syncer/reader/wtf needed ;)

Page 16:

Isolation, Sandboxing

•  Each application:
   •  own GID:UID
   •  own storage directory (could be on SD-card)
   •  DEX only able to instantiate classes:
      o  within the executable
      o  resources (in the APK)
      o  defined in the Manifest

Page 17:

Physical access

•  Authentication / Screen unlock
   •  PIN, Password
   •  Pattern: contiguous path within a 9-node graph
   •  If too many errors, possibility to reset with the Google ID security question
•  Cold boot attacks
•  SD-card:
   •  no permissions (FAT volume)
   •  Out of the box no encryption

Page 18:

Encryption

•  Whole disk encryption (Android >= 3.0)
   •  Password screen lock
   •  /data
      o  AES128 CBC + ESSIV:SHA256 (pwd, salt, SHA-1)
         –  Password change => re-encrypt
      o  dm-crypt (Linux kernel)
•  No HW acceleration
•  Vuln: evil-maid, cold-boot

Deep Dive Android Security, Aleksandar Gargenta, AnDevConII, 2011

Page 19:

Memory security protection

Protection                 | Against …
---------------------------|-----------------------------------------------
DEP (Android >= 2.3)       | Code execution on the stack and heap
ProPolice                  | Stack BOF
safe_iop()                 | Reduce probability of integer overflow
Dlmalloc() [OpenBSD]       | Double-free
Calloc() [OpenBSD]         | Integer overflow during allocation
mmap_min_addr() [Linux]    | Null pointer dereference privilege escalation

Page 20:

ASLR

•  Today:
   •  Prelinking (@ fixed address, for performance)
      o  Shared libs compiled as Position Independent Code
      o  Base executables PIC, but not linked as PIE
      o  Dynamic linker at a fixed address (not able to relocate itself, unlike ld.so)
      o  Return-to-libc possible
•  Proposal: Address Space Randomization for Mobile Devices
   o  State of the art of ASLR (PaX, Windows, Mac OS X)
   o  Disable lib pre-linking: how does it affect compilation?
   o  Randomization during update
   o  Implemented in Android 4.0 (haven’t checked how)

Page 21:

3/ Droid, show your dark side!

•  Big Brogle is watching you
•  Rooting
•  Attack surface
•  Permissions … SE
•  Malware

Page 22:

Big Brogle is watching you

•  Remote kill switch (Google)
•  Have you looked at the WHOLE kernel and firmware to check that no backdoor exists?

Page 23:

Device administrator

Page 24:

Rooting

•  the good:
   •  Total control
   •  Remove system apps (or operator apps, eg: “Orange contact backup”)
   •  Remove rootkit? ;)
•  method:
   o  Exploit vuln. of the current firmware
   o  Recovery partition -> alternate OS
   o  .. Store an already rooted firmware on /sdcard
   o  Reboot in recovery, flash with the rooted fw
   o  Superuser.apk ; /system/bin/su

Page 25:

Bad rooting stuff..

•  Save the previous image
•  If you run a non-trusted app, the whole OS+data is ***ed up
•  Sometimes disables protections

Page 26:

Attack surface

•  WebKit rendering engine
   •  http://www.exploit-db.com/exploits/15548/
   •  http://www.exploit-db.com/exploits/16974/
   •  …
•  OS: libc, adb
•  Native Flash player
•  Communication interfaces:
   •  Data, 3G, always connected
   •  Wifi
•  Data processing:
   •  SMS (eg: Charlie Miller, iOS, SMS fuzzing, crashed the SMS rendering process every time a specially crafted SMS was received, BlueHat 2011)
   •  Voicemail

Page 27:

Permissions

•  Social-Engineering:
   •  Would a n00b standard user make the right decision?
   •  Some “normal” permissions hidden
   •  When there are a lot of permissions, do you really read them?
   •  “App phishing”?

Page 28:

Android malware

Page 29:

Funny attack: tap-jacking

•  Malicious app:
   •  Starts a sensitive activity (eg: application trust)
   •  Overlays part of or the whole screen
   •  Fools the user into clicking
   •  Click not handled by the attacker layer

Page 30:

Random remarks

•  NO:
   •  Firewall
   •  HIDS
   •  Anti-Malware

Page 31:

4/ Practical demonstration: from trial to …

•  Obtaining the .apk
•  Extracting the DEX
•  Visualizing the source code
•  Modifying the bytecode
•  Correcting the signature
•  Reinjecting the application

Page 32:

4.1/ Obtaining the application

•  First step: get the app from your phone
•  Use the adb shell to locate the package:
   •  Check /data/app or /data/app-private
•  Download it with the adb pull command
•  Now let’s have fun!

Page 33:

4.2/ Coffee time

•  Now let’s have a look at the source code!
•  Use dex2jar to convert your .apk file into a .jar
•  Use JDGUI to view the source code
•  Nice! But you can’t edit the code

Page 34:

4.3/ Give me bytecode please!

•  Use apktool to reverse the apk into bytecode
•  By the way, thanks Google for maintaining apktool!
•  Apktool extracts all the resources of the apk: AndroidManifest, layouts, values, pictures…
•  Use adb to download the preferences file of the application

Page 35:

4.4/ Let's see what you're made of, mister!

•  Find the entrance door in the AndroidManifest
•  Read the code from JDGUI and edit it in the smali files

Page 36:

4.5/ Practical demonstration

•  Now it is time to recreate the apk!
•  Use apktool again to build your package
•  Now sign your package with jarsigner (any key will work)
•  Use adb to install the new package!
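Slide 12 lists MANIFEST.MF, CERT.SF and CERT.RSA, and the step above notes that any key will work for re-signing. The following Python script, added here as an example and not part of the original presentation, shows what the v1 (JAR) signing metadata binds together: it constructs a sample APK with consistent metadata, checks the MANIFEST.MF digests against the stored entries and the CERT.SF digests against MANIFEST.MF, and reports a patched classes.dex or an entry that was added without being listed. The function and file names (build_sample_apk, verify_v1_digests, the sample entries) are assumptions; the script deliberately does not parse CERT.RSA, so comparing the signer to an expected certificate, which is the only check a fresh key would fail, is left out.

```python
import base64
import hashlib
import io
import zipfile

META = {"META-INF/MANIFEST.MF", "META-INF/CERT.SF", "META-INF/CERT.RSA"}


def _b64sha1(data: bytes) -> str:
    return base64.b64encode(hashlib.sha1(data).digest()).decode()


def _sections(text: bytes):
    """Split a manifest on blank lines; yield (raw_bytes, {field: value}) per section.
    Simplification: assumes LF line endings and no 72-byte line wrapping."""
    for raw in text.split(b"\n\n"):
        if raw.strip():
            yield raw, dict(line.split(b": ", 1) for line in raw.split(b"\n"))


def verify_v1_digests(apk_bytes: bytes) -> list:
    """Return the list of inconsistencies (empty when the metadata is consistent)."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest, sf = z.read("META-INF/MANIFEST.MF"), z.read("META-INF/CERT.SF")
        mf_entries = {f[b"Name"].decode(): (raw, f) for raw, f in list(_sections(manifest))[1:]}
        # 1) each digest in MANIFEST.MF must match the bytes actually stored in the zip
        for name, (_, f) in mf_entries.items():
            if name not in z.namelist() or _b64sha1(z.read(name)) != f[b"SHA1-Digest"].decode():
                problems.append(f"{name}: missing or modified vs. MANIFEST.MF")
        # 2) every non-metadata file must be listed, otherwise it escaped signing entirely
        for name in z.namelist():
            if name not in META and name not in mf_entries:
                problems.append(f"{name}: not covered by MANIFEST.MF")
        # 3) CERT.SF digests the whole manifest and each individual manifest section
        sf_secs = list(_sections(sf))
        if sf_secs[0][1][b"SHA1-Digest-Manifest"].decode() != _b64sha1(manifest):
            problems.append("CERT.SF: SHA1-Digest-Manifest does not match MANIFEST.MF")
        for _, f in sf_secs[1:]:
            name = f[b"Name"].decode()
            raw = mf_entries.get(name, (b"", None))[0] + b"\n\n"
            if name not in mf_entries or _b64sha1(raw) != f[b"SHA1-Digest"].decode():
                problems.append(f"{name}: CERT.SF section digest mismatch")
    return problems


def build_sample_apk(entries: dict, stored: dict = None) -> bytes:
    """Constructed sample APK with consistent v1 metadata for `entries`. `stored` overrides
    the bytes written for a name (a patched or added file) while the metadata still
    describes `entries`. CERT.RSA is a placeholder: no real PKCS#7 signature is modelled."""
    mf, sf_body = b"Manifest-Version: 1.0\nCreated-By: sample\n\n", b""
    for name, data in entries.items():
        sec = b"Name: %s\nSHA1-Digest: %s\n\n" % (name.encode(), _b64sha1(data).encode())
        mf += sec
        sf_body += b"Name: %s\nSHA1-Digest: %s\n\n" % (name.encode(), _b64sha1(sec).encode())
    sf = b"Signature-Version: 1.0\nSHA1-Digest-Manifest: %s\n\n" % _b64sha1(mf).encode() + sf_body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in {**entries, **(stored or {})}.items():
            z.writestr(name, data)
        z.writestr("META-INF/MANIFEST.MF", mf)
        z.writestr("META-INF/CERT.SF", sf)
        z.writestr("META-INF/CERT.RSA", b"PLACEHOLDER-PKCS7-BLOB")
    return buf.getvalue()
```

Run against a real APK, the same checks pass for a repackaged and re-signed app too, which is the point: the digests only prove the metadata matches the content, so the signer identity must be pinned by whoever installs or updates.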

Page 37:

4.6/ Some tools

•  Useful software:
   •  Dex2Jar: https://code.google.com/p/dex2jar/
   •  JDGUI: http://java.decompiler.free.fr/?q=jdgui
   •  Apktool: https://code.google.com/p/android-apktool/
   •  Jarsigner: http://docs.oracle.com/javase/1.3/docs/tooldocs/win32/jarsigner.html
   •  Smali Wiki: https://code.google.com/p/smali/w/list
   •  Where it all began: https://www.youtube.com/watch?v=m8fdbfjc8OU

Page 38:

Conclusion

•  A lot of people say “Android is to the mobile environment what Windows used to be in the 90’s”
•  Good basis:
   •  Various mitigation techniques (OpenBSD, Linux)
   •  BUT:
      o  not all phones have NX/DEP in the OS
      o  the most deployed versions lack ASLR
•  Large attack surface
•  Permissions: imperfect (vulnerable to social engineering)
•  Dalvik VM (similarities to Java) facilitates the reverse engineering of DEX applications