Bringing Government and Enterprise Security Controls to the Android Endpoint

Optio is a subsidiary of Allied Minds, an innovative U.S. science and technology development and commercialization company. Operating since 2006, Allied Minds forms, funds, manages and builds products and businesses based on innovative technologies developed at leading U.S. universities and federal research institutions. Allied Minds serves as a diversified holding company that supports its businesses and product development with capital, central management and shared services. More information about the Boston-based company can be found at www.alliedminds.com.

Bringing Enterprise and Government Security Controls to the Android Endpoint

March 2016
Dr. Hamilton Turner
Senior Director of Engineering & Research

CONFIDENTIAL. ALL RIGHTS RESERVED.

About Me
• Working with Android for ~7 years
• Doctorate from Virginia Polytechnic with specialization in optimizing and securing mobile cloud computing systems
• Senior Director of Engineering and Research
– Responsible for all research initiatives
– Advisor on engineering initiatives from a planning and software quality control standpoint
– Lead software developer on multiple projects


Presentation Overview
• How should a smartphone be secured?
• How are smartphones being secured?
• Why are security controls on smartphones lagging behind security controls on laptops?
• Our approach to improving Android security


How should a smartphone be secured?

Android is a huge, complex codebase
– Changing code adds bugs
– Changing code is costly
– Too many code modifications will eventually cause project failure

Automation helps, but…
– Often it just helps you break more in less time


Common Enterprise Smartphone Controls
• App wrapping
– Proxy all app communication through a ‘security’ layer
• Containerization
– Create one ‘secure sandbox’ shared by all enterprise apps
• Device administration APIs
– Ask system to enforce security for you
• Mobile Device Management
– A collection of these technologies (not actually a security technology)


Application Wrapping
• Goal: Intercept every method call the application could use to interact with the system
– Add a ‘decision’ to each
– Choose to block/allow/modify each interaction
• No system modifications

Figure: Non-wrapped Android Apps

Figure: Wrapped Android Apps

Application Wrapping
• Large maintenance burden
– Every single version – of every single app – must be wrapped
• “Escaping” is fairly easy
– Exec / Java Reflection
– Unprotected NDK interfaces
– Symbolic links in filesystem
– Internal components, e.g. web views
• ‘Security feature’ is inside the sandbox – app can modify!
• Offers no protection inside the OS
– Once data leaves sandbox, it’s gone


Containerization
• Natural extension of app wrapping
– Most solutions today operate in app sandbox
– Notable exceptions are Android For Work-based implementations
• Adds some shared information into the wrapping logic
– Security keys for data de/encryption
– Policy decision-making across entire phone
– User accounts, single-sign on, etc


Containerization
• Natural extension of app wrapping
– Inherits concerns about:
  • Large maintenance overhead
  • Escaping security is fairly easy
  • Security is not independent from apps being secured
• Increased maintenance overhead
– Every version of every app must be wrapped with the correct container version
• Improvement: Does offer some protection from leaky OS


Device Administration APIs
• Too simple to cover many use cases
– password length
– screen lock
– require encrypted filesystem
• No app-specific protections
– Once app is installed to ‘managed’ phone, it has full access to managed data
• No protection from misbehaving system


How are smartphones being secured?

Figure labels: Device Admin API, App Wrapping, Containerization


Existing Smartphone Controls
• Large market opportunity and multiple competing solutions, but existing solutions are all limited
– Not as reliable as traditional laptop controls
– Not as powerful
– Not as user-friendly
• Why?
– Android systems are designed from the bottom-up to have excellent inter-application communication, and it is widely used


Data Flows: Android versus Laptop
• Data flow on a laptop is strongly tied to the original application
– E.g. very few apps on the system understand “powerpoint” files
• Data passing between apps goes through the system in a well-understood format
– E.g. files
• Very few applications “cross-talk”
– E.g. the browser can download files for you, but it cannot specifically pass Spotify a message to “favorite this file I am downloading”


Data Flows: Android versus Laptop
• Data on a mobile tends to ‘disperse’
– Android is designed to pass information and commands app-to-app
– Multiple 3rd-party apps have built entire command/data pathways
  • E.g. http://www.openintents.org/, custom URL schemes (whatsapp://), standard filesystem on shared external storage
• Data passing between apps goes through the system in many formats
– “Standardized” Intents, non-standard intents, filesystem, network sockets, parent process sharing, broadcasts, content providers, tunneled data inside other formats
• Most applications “cross-talk”
– Almost every application can “share” to a large number of other apps
– With a few lines of code, apps can send data via Bluetooth, email, sms, clipboard, QR code, and multiple well-known network apps


Data flows inside Android
• Even inside the OS
• Protecting app-to-app communication is not enough!
– Must protect against leaks inside the system


How should Android be secured?
• Intersection points of ‘few code changes’ and ‘big impact’
– Network access
– Disk access
– Inter-process communication
• The first two are already addressed
• The underlying IPC system on Android is pervasively used
– By app-to-app communication
– By app-to-system communication
– By system-to-system communication
• Adding security to this mechanism is a win!


Benefits of securing Android IPC
• Extremely powerful modification
– Almost all inter-application communication
– Huge portion of communication between Android and apps
• Completely invisible to existing code
• Very small impact on existing codebase
– No new bugs being introduced
• Resistant to future changes

OptioCore


Example: Stagefright via MMS
• Vector originates in system
• Some MMS apps were vulnerable, some were not
– Auto-download MMS settings
• By blocking the dangerous IPC to vulnerable apps, we
– Prevent the immediate threat
– Buy reaction time for an OTA
– Protect users from a bug in the system itself

Figure labels: SMS, RIL, MediaServer, OMX
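The IPC-blocking idea on the Stagefright slide, modelled as an added example (it is not OptioCore code and does not come from the presentation): an ordered rule table sits between sender and receiver and decides each transaction. The `Transaction`, `Rule` and `IpcPolicy` names, the default-allow choice and both package names are assumptions for illustration; the intent actions and MIME type are the standard Android ones for SMS/MMS delivery.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Transaction:
    """One IPC message as seen by a mediator below the apps (constructed model)."""
    sender: str      # component that sent the message
    receiver: str    # package it is addressed to
    action: str      # intent action or interface name
    mime: str = ""   # payload type, if any

@dataclass(frozen=True)
class Rule:
    decision: str        # "allow" or "block"
    sender: str = "*"    # shell-style patterns; "*" matches anything
    receiver: str = "*"
    action: str = "*"
    mime: str = "*"
    reason: str = ""

    def matches(self, t: Transaction) -> bool:
        pairs = ((t.sender, self.sender), (t.receiver, self.receiver),
                 (t.action, self.action), (t.mime, self.mime))
        return all(fnmatchcase(value, pattern) for value, pattern in pairs)

class IpcPolicy:
    """First matching rule wins; unmatched traffic is allowed (assumed default)."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.audit = []  # (decision, transaction, reason) for reporting

    def decide(self, t: Transaction) -> str:
        for rule in self.rules:
            if rule.matches(t):
                self.audit.append((rule.decision, t, rule.reason))
                return rule.decision
        self.audit.append(("allow", t, "default"))
        return "allow"

# Constructed scenario; both package names are hypothetical.
WAP_PUSH = "android.provider.Telephony.WAP_PUSH_DELIVER"
MMS_MIME = "application/vnd.wap.mms-message"
POLICY = IpcPolicy([
    Rule("block", sender="system", receiver="com.example.mms.autofetch",
         action=WAP_PUSH, mime=MMS_MIME, reason="auto-download MMS, awaiting OTA"),
])

def deliver(receiver, action=WAP_PUSH, mime=MMS_MIME, sender="system"):
    return POLICY.decide(Transaction(sender, receiver, action, mime))
```

Only the MMS delivery to the app that auto-downloads media is stopped; the same app still receives plain SMS, and an app that does not auto-download is untouched, which is the "buy reaction time for an OTA" trade-off the slide describes.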


OptioCore


OptioInsight
o Deep visibility into security threats
o Cross-platform security analytics
o Rapid, actionable threat response
o Agile security policy management
o Enterprise user management
o Security reporting


Thanks!
Come visit OptioLabs in Booth #5145


OptioLabs

Company
OptioLabs is a security insight platform for the mobile enterprise.

Mission
Secure the mobile enterprise with solutions that adapt to threats in real time.