History of Android Security – from linux to jelly bean
2. About Me
2000 AT&T Wireless: OODB/CORBA
2001Cellvic(JTEL): CellvicOS/JVM
2003 Samsung: JVM for DTV/SimpleJIT
2007 Aromasoft: JVM for Mobile/JIT Optimization/Dalvik
2011 GE korea: Smart appliance/Linux
2012 SK Planet: Android/T-Store ARM/Security
– jungpil.@sk.com or lifeisliving@naver.com
5. • Personal data leaks out over the Internet
• An app uses the Internet without having been granted permission
• An app performs actions (?) it was not granted permission for
• An app roots the device by itself
• An app modifies its own code
• An app modifies Dalvik VM internals
• An Android app runs a VM other than the Dalvik VM
7. • A device with 500 million units sold and 1.3 million activated per day?
• A Java platform?
– The first device in history whose standard development language is Java? RIM? NDK?
• A forked Linux?
– Why Linux?
• Andy Rubin: was an Apple employee
• Because there was no alternative?
– The best-selling Linux device in history?
8. • Linux: Open Source
– ‘mkdir android ; cd android ; repo init -u git://android.git.kernel.org/platform/manifest.git ; repo sync ; make’
• Java: easy to learn, many developers
– but also an easy language for reverse-engineering
• dex2jar, APKTool, JD-GUI, APKInspector, Smali, Dedexer, ...
• A dream couple!!!
9. • Just a linux application
– following Google guides
10. • Linux Process
• Dalvik VM
• Bionic
• JNI
• Is that all???
– Missing something…
– PackageManager, ActivityManager, ...
11. • Java?
• No more on Android!!!
• Dalvik VM is not a security boundary!!!
– But Linux Process
12. • Linux UID/Group ID:
– a unique id based on its signature assigned when it starts
• Linux DAC: all or nothing
– old style
– root can do everything
– RWX
13. • Permission
– needs to be declared in AndroidManifest.xml
• Binder
• Kernel enforcement
– group ID
<permission name="android.permission.INTERNET" >
<group gid="inet" />
</permission>
– Patch
• Internet
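The slide above describes the two enforcement points: Binder-level checks in the framework, and kernel-level checks via supplementary group IDs that platform.xml maps to permissions (android.permission.INTERNET → gid inet). The script below, added here as an illustration and not part of the original slides or of AOSP, parses a constructed platform.xml excerpt and a constructed manifest and works out which requested permissions the kernel can enforce through a GID and which are left to the framework only. The numeric GID table is an assumption (values as in AOSP's android_filesystem_config.h at the time); the manifest and platform.xml content is sample data.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the style of /system/etc/permissions/platform.xml (sample, not a device dump)
PLATFORM_XML = """<permissions>
    <permission name="android.permission.INTERNET">
        <group gid="inet" />
    </permission>
    <permission name="android.permission.WRITE_EXTERNAL_STORAGE">
        <group gid="sdcard_rw" />
    </permission>
    <permission name="android.permission.NET_ADMIN">
        <group gid="net_admin" />
    </permission>
</permissions>"""

# Assumption: symbolic group -> numeric GID, as in AOSP android_filesystem_config.h (AID_INET = 3003, ...)
GROUP_IDS = {"inet": 3003, "net_raw": 3004, "net_admin": 3005, "sdcard_rw": 1015}

# Constructed sample manifest requesting one kernel-enforced, one framework-only and one storage permission
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
</manifest>"""

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def load_permission_groups(platform_xml):
    """Map permission name -> list of symbolic groups, as platform.xml declares them."""
    mapping = {}
    for perm in ET.fromstring(platform_xml).iter("permission"):
        mapping[perm.get("name")] = [g.get("gid") for g in perm.findall("group")]
    return mapping


def requested_permissions(manifest_xml):
    """Collect <uses-permission android:name="..."/> entries from a manifest."""
    root = ET.fromstring(manifest_xml)
    return [u.get(ANDROID_NS + "name") for u in root.iter("uses-permission")]


def kernel_enforced_gids(perms, mapping, group_ids):
    """Split requested permissions into supplementary GIDs the process will get
    (kernel-enforced) and permissions with no group, which only Binder/framework
    checks can enforce."""
    gids, framework_only = set(), []
    for perm in perms:
        groups = mapping.get(perm, [])
        if not groups:
            framework_only.append(perm)
        for group in groups:
            if group not in group_ids:
                raise KeyError("no numeric GID known for group %r" % group)
            gids.add(group_ids[group])
    return sorted(gids), framework_only


def may_open_inet_socket(gids, group_ids=GROUP_IDS):
    """Model of the kernel's 'paranoid network' check: sockets need the inet group."""
    return group_ids["inet"] in gids


if __name__ == "__main__":
    perms = requested_permissions(MANIFEST_XML)
    gids, fw_only = kernel_enforced_gids(perms, load_permission_groups(PLATFORM_XML), GROUP_IDS)
    print("supplementary GIDs:", gids)
    print("framework-only permissions:", fw_only)
    print("socket() allowed:", may_open_inet_socket(gids))
```

The split matters for review: a permission with no group entry is only as strong as the framework code that checks it, while a GID-backed permission such as INTERNET is enforced even for native code reached through JNI, which is the point of the "Kernel enforcement" bullet.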
14. • You can do everything in your process
• You can use Reflection/JNI
– To call hidden/private methods
– To get/set private fields
• But High return, High risk!!!
ex) Unity3D: Using Mono VM
16. Distribution (September 4, 2012)
Version | Codename | Release date | API level | Distribution
4.1.x | Jelly Bean | July 9, 2012 | 16 | 1.2%
4.0.x | Ice Cream Sandwich | October 19, 2011 | 14-15 | 20.9%
3.x.x | Honeycomb | February 22, 2011 | 11-13 | 2.1%
2.3.x | Gingerbread | December 6, 2010 | 9-10 | 57.5%
2.2 | Froyo | May 20, 2010 | 8 | 14%
2.0, 2.1 | Eclair | October 26, 2009 | 7 | 3.7%
1.6 | Donut | September 15, 2009 | 4 | 0.4%
1.5 | Cupcake | April 30, 2009 | 3 | 0.2%
17. • NX bit (No eXecute):
– prevents code execution on the heap and stack (2.3+)
• Prelink: used to speed up the boot process
– removed to prevent return-to-libc attacks (4.0+)
• Address Space Layout Randomization (4.0+)
– randomizes key locations in memory
• PIE (Position Independent Executable)
– supported (4.1+)
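Two of the mitigations listed above are visible directly in an ELF binary: NX as the flags of the PT_GNU_STACK program header, and PIE as an executable of type ET_DYN rather than ET_EXEC (without PIE, ASLR cannot randomize the main executable's own image). The checker below is an added example, not from the slides or from any Android tool; it reads only the ELF and program headers, and build_elf() constructs minimal sample images (labelled as such, not loadable binaries) so the check can run offline. It also handles the edge case of a binary with no PT_GNU_STACK header at all, which it reports as not-NX because the loader then falls back to the architecture default.

```python
import struct

# ELF constants (ELF specification / elf.h)
ET_EXEC, ET_DYN = 2, 3
EM_ARM, EM_AARCH64 = 40, 183
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

EHDR32 = "<16sHHIIIIIHHHHHH"   # e_ident, e_type ... e_shstrndx (52 bytes)
EHDR64 = "<16sHHIQQQIHHHHHH"   # same fields, 64-bit offsets (64 bytes)
PHDR32 = "<IIIIIIII"           # p_type p_offset p_vaddr p_paddr p_filesz p_memsz p_flags p_align
PHDR64 = "<IIQQQQQQ"           # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align


def check_hardening(data):
    """Report PIE and NX-stack status of a little-endian ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class = data[4]
    if ei_class == 1:
        hdr, phdr_fmt, flags_idx, bits = struct.unpack_from(EHDR32, data, 0), PHDR32, 6, 32
    elif ei_class == 2:
        hdr, phdr_fmt, flags_idx, bits = struct.unpack_from(EHDR64, data, 0), PHDR64, 1, 64
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]

    gnu_stack_flags = None
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            gnu_stack_flags = ph[flags_idx]
    return {
        "bits": bits,
        "pie": e_type == ET_DYN,
        "gnu_stack_present": gnu_stack_flags is not None,
        # No PT_GNU_STACK: the loader uses the arch default, historically an
        # executable stack on ARM, so a missing header is treated as not-NX.
        "nx_stack": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
    }


def build_elf(bits, pie, nx_stack, with_gnu_stack=True):
    """Constructed minimal ELF header plus one PT_GNU_STACK segment (test data only)."""
    e_type = ET_DYN if pie else ET_EXEC
    flags = PF_R | PF_W | (0 if nx_stack else PF_X)
    phnum = 1 if with_gnu_stack else 0
    if bits == 32:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, little-endian
        ph = struct.pack(PHDR32, PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)
        hdr = struct.pack(EHDR32, ident, e_type, EM_ARM, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    else:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, little-endian
        ph = struct.pack(PHDR64, PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
        hdr = struct.pack(EHDR64, ident, e_type, EM_AARCH64, 1, 0, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    return hdr + (ph if with_gnu_stack else b"")


if __name__ == "__main__":
    import sys
    # Pass a path to check a real binary; otherwise check a constructed non-PIE, NX sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf(32, pie=False, nx_stack=True)
    print(check_hardening(data))
```

Running it over the native libraries inside an APK (the .so files under lib/) is a quick way to confirm that NDK output actually carries a non-executable stack, which the NX bullet assumes.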
18. • FileSystem Encryption
– 3.0+ provides full filesystem encryption with a 128-bit AES key derived from the user password
• Credential Storage
– 1.6+: restricted to system use only
– 4.0+: provides a public API
21. • ODEX file: optimized dex file
– dex file → Dalvik Virtual Machine (JIT compiler) → odex file → Storage (reuse)
– exposed to: decompile, hijacking
• 4.0+ provides a raw dex loading API
– Without ODEX!!!
22. • Applying SELinux in Android by NSA
• Linux Security Modules
– Standard Linux security (hooking) framework since v2.6
– Hooks (security.h) cover: task management (creation, signaling, waiting), program loading (execve), file system management (superblock, inode, and file hooks), IPC (message queues, shared memory, and semaphore operations), module hooks (insertion and removal), and network hooks (covering sockets, netlink, network devices, and other protocol interfaces)
23. • 2012/1: AOSP master branch added HAVE_SELINUX
– in external/libselinux and external/sepolicy
– in core/java and core/jni
• SELinux.java, AndroidRuntime.cpp, android_os_SELinux.cpp
• Expect slow and incremental adoption
– not enforcing mode but permissive mode
– Android 5.0?
• Need to consider it!
24. • ARM’s HW solution
• Virtualized processors on an ARM chip
• Secure World can read Normal World
– But Normal World can’t read Secure World
• Already on Galaxy S3!!!
26. • Use Obfuscator
• Use Native Code
• Keep data on your server
• Sorry, Find your own solutions!
– 2011 Google I/O Evading Pirates and Stopping Vampires using License
Verification Library, In-App Billing, and App Engine
– 2012.4 Code Obfuscation for the Amazon In-App
27. • Even though Android has many security problems, it is now an open, de facto standard platform
• It is getting better, but you still need to protect your data and code in your own way
• Its openness and flexibility could give creative developers some opportunities
• T-Store promises to help you soon!