Android Security What is out there?

Android Security What is out there? Waqar Aziz

Transcript of Android Security What is out there?

Page 1: Android Security What is out there?

Android Security What is out there?

Waqar Aziz

Page 2: Android Security What is out there?

Android Market Share - I

Page 3: Android Security What is out there?

Android Market Share - II

Page 4: Android Security What is out there?

Android Market Share - III

Page 5: Android Security What is out there?

Android App Market Security Model

• No formal application screening process.
• Any developer can upload an application.
• Android Market relies on community to identify and flag:
  • Malfunctioning applications
  • Malicious applications

• Inherently, early adopters suffer if the application is malicious.

• Note: Unlike iPhone, Android applications can be directly downloaded and installed from a third party as well.

Page 6: Android Security What is out there?

Phishing App Example

• Bank phishing application:
  • Advertised to do banking activities from phone.
  • User to give account information and credentials for the app to facilitate banking activities.
  • In reality the app did only the following:
    • Open the banking website in phone’s browser. That’s it!!
• A number of users were scammed before the application was taken out from Android Market.

Page 7: Android Security What is out there?

Android Market Statistics

• About 20% of 48,000 apps in Android Marketplace allow a third-party application access to sensitive or private information.

• 5% of apps can place calls to any number without user interaction.

• 2% of apps can send text messages without user interaction.

• 29 apps require the exact same permissions as applications that are known to be spyware.

• 383 apps have the ability to read and use the authentication credentials from another app or service.

Page 8: Android Security What is out there?

Android Security Apps - I

• Both apps are developed by a Pittsburgh-based security researcher and hacker who goes by Moxie Marlinspike.
• RedPhone
  • Uses ZRTP, an Internet voice cryptography scheme.
  • It uses the two users’ keys to create a passphrase, which is later displayed at both ends for users to verify.
• SecureText
  • Encrypted text messages.
• Both apps generate a new key for every communication session.

Page 9: Android Security What is out there?

Android Security Apps – II

• OI Safe
  • It saves passwords and other private data with AES encryption.
  • No information is kept online.
  • It works with OI Notepad to encrypt notes, and with Obscura to encrypt pictures.
• Other apps for content encryption:
  • B-folder + sync
  • Secrets-for-android

Page 10: Android Security What is out there?

Android Manifest - I

• Android Manifest does the following:
  • Declares application’s components
  • Identifies any permissions that the application expects to be granted:
    • Access the Internet, read phone contacts, access sensors, etc.
• Thus, what an application can and cannot do is constrained by the total set of permissions that can be granted in a Manifest file.
  • Currently, almost all user content and private data can be accessed from phone’s internal storage and SD card.
  • However, no permission can be granted to do anything on system level except for accessing some small number of settings.

Page 11: Android Security What is out there?

Android Manifest - II

Page 12: Android Security What is out there?

Anti-malware Apps - I

• Smobile Security Shield
  • It does permission-based malware detection.
  • Scans manifest files of apps installed on phone, and flags them based on suspicious manifest permissions.
  • Maintains a database of manifest files of all apps on Android Market & other 3rd party sources.
  • Scans application signatures.
  • Maintains a database of application signatures.
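The permission-based detection described on this slide, applied to the manifest permissions from the Android Manifest slide, as an added example that is not part of the original presentation and not Smobile's code. The rule set, the sample manifest and the "known spyware" profile are constructed assumptions; the rules mirror the capabilities counted on the Android Market Statistics slide.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Constructed sample: decoded (plain-text) manifest of a hypothetical app.
# Manifests inside an APK are binary XML and must be decoded first.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Flashlight"/>
</manifest>
"""

# Assumed rule set: a rule fires when ALL of its permissions are requested.
RULES = [
    ("can place calls without user interaction", {"CALL_PHONE"}),
    ("can send text messages without user interaction", {"SEND_SMS"}),
    ("can use another service's authentication credentials", {"USE_CREDENTIALS"}),
    ("can read contacts and reach the network", {"READ_CONTACTS", "INTERNET"}),
]

def requested_permissions(manifest_xml):
    """Return the short names of all android.permission.* entries requested."""
    root = ET.fromstring(manifest_xml.strip())
    names = (n.get(ANDROID_NS + "name", "") for n in root.iter("uses-permission"))
    return {name[len(PREFIX):] for name in names if name.startswith(PREFIX)}

def flag_manifest(manifest_xml):
    """Return the reasons this manifest looks suspicious, in rule order."""
    perms = requested_permissions(manifest_xml)
    return [reason for reason, needed in RULES if needed <= perms]

def matching_profiles(manifest_xml, known_profiles):
    """Names of known-bad profiles whose permission set equals this app's exactly."""
    perms = requested_permissions(manifest_xml)
    return sorted(n for n, profile in known_profiles.items() if set(profile) == perms)

if __name__ == "__main__":
    # Constructed "known spyware" profile for the exact-match check.
    known = {"sample-spyware": {"INTERNET", "READ_CONTACTS", "SEND_SMS", "CALL_PHONE"}}
    for reason in flag_manifest(SAMPLE_MANIFEST):
        print("FLAG:", reason)
    print("exact profile matches:", matching_profiles(SAMPLE_MANIFEST, known))
```

A flag here means only that the manifest requests the capability, not that the app abuses it, so such a scanner produces leads for review rather than verdicts.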

Page 13: Android Security What is out there?

Anti-malware Apps - II

• WaveSecure
  • Remotely wipes out all user data.
  • Tracks and locates the phone.
  • Locks the phone as soon as a SIM change is detected.
  • Protection against application uninstallation.
  • Backs up and restores private data – SMS, contacts, etc.
• Other similar apps
  • Mobile Defense

Page 14: Android Security What is out there?

What you see is what they get - I

• “Google’s Android OS grants access to sensors such as cameras and audio inputs only if their use is disclosed at installation time. At installation time, a user may not understand an application well enough to determine why it would need sensor data or gauge its trustworthiness…”

• “…iPhone instead uses standardized OS interface to prompt the user to approve access…”

Page 15: Android Security What is out there?

What you see is what they get - II

• Sensor-access widget:
  • When an application requests access to a sensor, runtime environment overlays a GUI widget on a portion of the screen, such as status bar, to notify user of a sensor access.

Page 16: Android Security What is out there?

What you see is what they get - III

• SWAAID (Show Widget and Allow After Input & Delay):
  • Turn sensors from passive into active input devices.
    • User intervention is required before sensor access.
    • User can also enable access without any intervention for a while.
  • Then the waiting period (or delay) is intended to give the user sufficient time to notice and respond to the sensor access.

Page 17: Android Security What is out there?

I am allowing what?

• A paper on Application Authority Disclosure by Microsoft Research

• “…the great majority of participants preferred designs that used images or icons to represent resources. This great majority also disliked designs that used paragraphs, the central design element of Facebook’s disclosures, and outlines, the central design element of Android’s disclosures.”

Page 18: Android Security What is out there?

Rooting Android

• Rooting Android: Gaining root access to Android operating system.
• It can be deemed as similar to iPhone jailbreaking.
• Why root Android?
  • To gain full control over the system.
  • Modify system files: themes, core apps, boot images, Linux binaries, etc.
  • Run applications that require system level access
  • …

Page 19: Android Security What is out there?

Other Findings…

• Not a single application currently does user authentication using accelerometer.
• No application attempts to do anything on a system level, such as access network packets.
• Two main reasons for the above findings:
  • Android Manifest does not permit anything on system level, such as, replacement of factory default user authentication mechanism or access to other applications’ traffic.
  • An application written for rooted Android will not work on non-rooted Android phones.
    • Apps for rooted Android: Internet tethering, ad-hoc network, …

Page 20: Android Security What is out there?

Questions?

Page 21: Android Security What is out there?

Sources

1. http://developer.android.com/reference/android/Manifest.permission.html
2. http://threatcenter.smobilesystems.com/wp-content/plugins/download-monitor/download.php?id=8
3. http://research.microsoft.com/pubs/131132/devices-camera-ready.pdf
4. http://blogs.forbes.com/firewall/2010/05/25/android-app-aims-to-allow-wiretap-proof-cell-phone-calls/
5. http://research.microsoft.com/pubs/131517/AppAuth.pdf
6. http://www.openintents.org/en/node/205/
7. http://www.openintents.org/en/node/231
8. http://threatcenter.smobilesystems.com/?category_name=news
9. http://portal.acm.org/citation.cfm?id=1613858.1613878
10. http://smarterware.org/3189/why-and-how-to-root-your-android-phone
11. http://android-dls.com/wiki/index.php?title=Why_Root
12. http://metrics.admob.com/
