Cellrox's Oren Laadan's talk on MobSecCon, September 3rd, 2015. A PDF is available in: http://thepscg.com/events/MobSecCon

1. Oren Laadan, CTO
orenl@cellrox.com
www.cellrox.com
Containerization Spells
Security Threats for Mobile
aprilzosia

2. MobSecCon 20152
Vulnerabilities Quiz

3. MobSecCon 20153
Common denominator?
• Vulnerabilities affect core Android
• Allow taking over powerful services
• Rely on malicious/untrusted payload

4. MobSecCon 20154
Mitigations?
• Fix vulnerabilities
• Detect attacks and take action
• Contain successful intrusions

5. MobSecCon 20155
Mitigations?
• Fix vulnerabilities  Yeah, right.
• Detect attacks and take action
• Contain successful intrusions

6. MobSecCon 20156
Android Containerization
• Protect some work-related assets (data
and network) in a separate “container”
• Examples: App wrappers and SDKs
Android’s user profiles
Samsung’s Knox
• Makes business apps “safe” because
they run inside a “container”

7. MobSecCon 20157
Kernel
Device
hardware
Personal Business
applications applications
Android environment:
framework, services
Data Data
Android Containerization

8. MobSecCon 20158
Android Containerization
• Protect work-related assets (data and
network) in a separate “container”
• Examples: App wrappers and SDKs
Android’s user profiles
Samsung’s Knox
• Makes business apps “safe” because
they run inside a “container”  does it?

9. MobSecCon 20159
Android Containerization Achilles Heel
• Separates data storage, - and -
• Separates network connections, - but -
• Share service and logic to decide on
each such access per (app) context
• Share single runtime environment
• Share one set of Android services

10. MobSecCon 201510
Case #1: Stagefright, Matroska
• Bunch of flaws in media library
• Malformed input can lead to arbitrary
code execution
• Attack vector via MMS, app, or payload
• Can take over MediaService

11. MobSecCon 201511
Case #1: Stagefright, Matroska
• Bunch of flaws in media library
• Malformed input can lead to arbitrary
code execution
• Attack vector via MMS, app, or payload
• Can take over MediaService
• Containerization helps? NO
• Virtualization helps? YES

12. MobSecCon 201512
Case #2: Fingerprint
• Careless handling of fingerprint images
• Stores unencrypted and world-readable
in a shared-directory
• Attack vector via an app, file browser, or
naughty user

13. MobSecCon 201513
Case #2: Fingerprint
• Careless handling of fingerprint images
• Stores unencrypted and world-readable
in a shared-directory
• Attack vector via an app, file browser, or
naughty user
• Containerization helps? NO
• Virtualization helps? YES

14. MobSecCon 201514
Case #3: De-serialize
• Inspired by de-serialization vulnerability in
ObjectInputStream class (fixed)
• Tricky use of serializable objects with a
sensitive member controlled by attacker
• Can take over system_server

15. MobSecCon 201515
Case #3: De-serialize
• Inspired by de-serialization vulnerability in
ObjectInputStream class (fixed)
• Tricky use of serializable objects with a
sensitive member controlled by attacker
• Can take over system_server
• Containerization helps? NO
• Virtualization helps? YES

16. MobSecCon 201516
Case #4: Hardware channels
• Use covert (side) hardware channels to
steal information of other apps
• Calibrate and then use accelerometer or
gyroscope in background to infer input

17. MobSecCon 201517
Case #4: Hardware channels
• Use covert (side) hardware channels to
steal information of other apps
• Calibrate and then use accelerometer or
gyroscope in background to infer input
• Containerization helps? NO
• Virtualization helps? YES

18. MobSecCon 201518
Case #5: Hardware Abstractions
• Exploit a flaw related to shared hardware
resource, e.g. network interface
• Intercept I/O of other contexts with that
resource, e.g. in-Android MITM attack

19. MobSecCon 201519
Case #5: Hardware Abstractions
• Exploit a flaw related to shared hardware
resource, e.g. network interface
• Intercept I/O of other contexts with that
resource, e.g. in-Android MITM attack
• Containerization helps? NO
• Virtualization helps? YES

20. MobSecCon 201520
Solution: Mobile Virtualization
• Protect all work-related assets in a
separate instance of Android
• Replicate entire Android stack for each
instance, do not share framework
• Makes business apps safe because they
run in a separate runtime environment

21. MobSecCon 201521
Android InstanceAndroid Instance
Android
applications
Android environment:
framework, services
Data
Linux
kernel
Device
hardware
Mobile Virtualization
Android
applications
Android environment:
framework, services
Data
Thinvisor

22. MobSecCon 201522
How Does Virtualization Work?
• Block primary attack vectors in the
business instance
• Securely isolate the business instance
from the personal one
• Multiplex hardware resources between
instances in “foreground” usage model

23. MobSecCon 201523
Mobile Virtualization
“Server virtualization is all about cost saving
Mobile virtualization is all about usability …
while protecting your privacy, securing your
information, increasing your performance,
and catering to your needs.”

24. MobSecCon 201524
Case #1-#5: Recap
• Stagefright, Matroska 
• Fingerprint 
• De-serialize 
• Hardware channels 
• Hardware abstractions 

25. MobSecCon 201525
Case #1-#5: Recap
• Stagefright, Matroska 
• Fingerprint 
• De-serialize 
• Hardware channels 
• Hardware abstractions 
• Next exploit …. 

26. MobSecCon 201526
Mobile Virtualization