J.-P. Seifert; Security-Aware Android Applications for the Enterprise

1. Designing Security-Aware Android Applications for the Enterprise
Jean-Pierre Seifert
TU Berlin & Deutsche Telekom Laboratories, Berlin, Germany
jpseifert@sec.t-labs.tu-berlin.de

2. Agenda
1. Introduction
2. Some reasons for Access Control in Phones
   – mTAN, signalling-based attacks, Premium Rate SMS Trojan, WAC Operator Billing
3. Access Control in Android
4. The MILS/Separation Kernel approach for Android phones
   – SecT ad for L4Android (SiMKo3)
5. Q&A
Deutsche Telekom Laboratories, 17.06.2011

3. Introduction

4. Cell Phone Security
• A cellular phone is only one part of a much larger system
   – Other parts of the system are even more complex
   – Historically, both network and devices were closed (they have started to open)
   – This provided some level of protection
• 17.5% of American homes had only wireless telephones in 2008
   – What about Europe?
   – Myself, I only have one single phone – a cell phone
• What happens to the network and devices when interfaces open?
• What happens when we start relying on cell phones for general computing needs?

5. Cellphone OS Security vs. OS Security
• Why is cellphone OS security different from ordinary OS security?
   – Connected to critical infrastructure – warnings of phone botnets
   – Connected to people – attacks can cross into the physical world
• Multiple stakeholders – there is a lot of money at risk
   – Network provider, OEM, enterprise, 3rd-party app developer, content owner, end user, etc.
   – Who has control? Who is the adversary?
• Specific usage scenarios
   – Always with you
   – Only want to carry one (for business and personal)

6. Cellular Networks
• Cellular networks are complex systems made up of many components and defined by thousands of pages of standards documents
   – 3GPP aka GSM, and 3GPP2 aka CDMA ... leads to alphabet soup
• There are many concerns, and most of them are not about security
   – Interconnectivity with the “landline” phone network
   – Efficient radio spectrum deployment
   – Maximizing the number of active subscribers
   – Low latency at call setup and in-call
   – Mobility and roaming (which tower?)
   – Handset power consumption (sleep periods)
   – Customer databases and billing mechanisms
   – and many more ...

7. Stakeholders
• A cellphone stakeholder is an entity with valued interests in proper phone functioning and something to lose from malfeasance
   – Variety of stakeholders, and each has its own goals and concerns
• A stakeholder can be identified by its presence on a phone:
   1. Provides a means of communication with the outside world
   2. Uses the handset to deliver information (e.g., news, music, etc.)
   3. Provides software or hardware to facilitate 1 and 2
   4. An end user of the phone

8. Basic Phone Architecture
• The hardware and software configuration dictates what sorts of policy are possible
• Each phone has implementation-specific details, but there are some general trends
• Application processor and baseband processor (most often a single chip)
   – Separate firmwares and execution environments
• Example chips (SoC) – often bundle hardware features like GPS, Bluetooth, etc.
   – Qualcomm Mobile Station Modem (MSM 7x, e.g., MSM 7201a) – single chip
   – TI Open Multimedia Application Platform (OMAP 1xxxx, OMAP 3xxxx) – application processor only
   – Broadcom baseband processors (e.g., ML2011)
   – Marvell (PXA series)

9. Some reasons for Access Control in Phones

10. Example: mTAN – mobile TAN
• TAN → Transaction Authentication Number – secure online banking
• mTAN generated individually for each transaction
   – mTAN sent via text message (SMS)
   – Limited lifetime
   – Includes destination account and amount (with these values the customer can verify his transaction)
• Example SMS (German): “Die mobileTAN für Ihre Überweisung über 11123,45 Euro auf das Konto 123456789 lautet: 73KXCM” (“The mobileTAN for your transfer of 11123.45 euros to account 123456789 is: 73KXCM”)

11. Example: mTAN – mobile TAN (continued)

12. Attacks against mTAN
• Prerequisite
   – Attacker has the credentials for the victim’s online banking account
• Attacker’s goal
   – Successfully complete an online bank transfer from the victim’s account to the attacker’s account
• Requirement
   – Attacker needs to get the mTAN from the user’s phone (remember: the mTAN is sent via SMS)

13. Man-in-the-Mobile Attack against mTAN
• Attacker installs malware on the victim’s phone
   – Malware reads and forwards mTAN SMS to the attacker
• This is easy since:
   – All mobile OSes provide an API to read incoming SMS
      • Users always grant all capability requests!
   – Malware just registers for, reads and forwards SMS messages
• Already happening in the field!
   – ZITMO (Symbian & Windows Mobile)

14. Example: Eavesdropping on SMS Traffic
• Attacker needs to be close to the victim
   – Unlikely but possible
• GSM can be easily recorded and decoded (A5/1 and A5/2)
   – Public research available, including ready-to-use tools
• Femtocell-based attacks can “sniff” 3G traffic
   – SecT lab setup → not public yet
   – Will be easy to reproduce once published

    15. 15. Example: Cellular Signaling Signaling traffic generated by theMobile Equipment (ME) is sent to the MSC and HLR in case of voice calls, SMS, and updating account settings (such as call-forwarding). Packetdata related signaling is mainly directed towards the SGSN, the GGSN, and of course the HLR. Packet Data Protocol (PDP) connection setup is a complex process.  When ME wishes to establish a PDP context it sends a GPRS-attach message to the SGSN.  The SGSN authenticates the ME using the HLR.  Next, the PDP context is established and stored at the SGSN and GGSN.  This includes records and parameters for billing, quality of service information, and the IP address assigned to the specific PDP context.  Maintenance and distribution of the PDP context information across the different network components is a costly process as it involves many components across the cellular network. Deutsche Telekom Laboratories 17.06.2011 15
16. Example: Cellular Signaling Threats
• Fast PDP context activation and de-activation leads to high network load on the GGSN and SGSN infrastructure of cellular network operators.
• This is caused by either malicious applications or badly configured mobile phones.
• It is possible because on smartphone platforms such as Android any application has access to the network configuration and is thus able to change the packet-data and APN settings.
• On Android it is possible to force a PDP context change every 2 seconds. This results in roughly 43,200 PDP activations per day (24 hours).
   – If it is installed on enough devices, a rogue application can easily carry out a Denial-of-Service attack against an operator’s packet-data infrastructure.
• GSMA. Network Efficiency Threats v0.4a, May 2010.

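As an added example (not from the slides or the cited GSMA document), the following defender-side Python check shows how an operator could spot the 2-second activation pattern described above in SGSN signaling records: it parses constructed PDP activate/deactivate events, finds each subscriber's peak activation count per sliding window and projects that pace to a daily rate. The record format, the IMSIs (test network code 001/01) and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed SGSN-style record layout (an assumption, not a real operator log):
# "<ISO timestamp> imsi=<IMSI> event=PDP_ACTIVATE|PDP_DEACTIVATE apn=<APN>"
LINE_RE = re.compile(r"^(?P<ts>\S+) imsi=(?P<imsi>\d+) event=(?P<event>PDP_(?:DE)?ACTIVATE)\b")


def build_sample_log() -> List[str]:
    """Constructed events. IMSI ...001 behaves like the rogue application on
    slide 16: one PDP context activation every 2 seconds for two minutes.
    IMSI ...002 is a normal handset with three activations in the same span."""
    t0 = datetime(2011, 6, 17, 10, 0, 0)
    lines = []
    for i in range(60):
        up = t0 + timedelta(seconds=2 * i)
        down = up + timedelta(seconds=1)
        lines.append(f"{up.isoformat()} imsi=001010000000001 event=PDP_ACTIVATE apn=internet")
        lines.append(f"{down.isoformat()} imsi=001010000000001 event=PDP_DEACTIVATE apn=internet")
    for offset in (5, 50, 95):
        t = t0 + timedelta(seconds=offset)
        lines.append(f"{t.isoformat()} imsi=001010000000002 event=PDP_ACTIVATE apn=internet")
    return sorted(lines)  # fixed-width ISO timestamps sort chronologically as text


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    m = LINE_RE.match(line)
    if not m:
        return None  # unrelated record: ignored
    return datetime.fromisoformat(m["ts"]), m["imsi"], m["event"]


def peak_activations(lines: List[str], window_seconds: int = 60) -> Dict[str, int]:
    """Per IMSI, the largest number of PDP_ACTIVATE events in any sliding window."""
    per_imsi: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == "PDP_ACTIVATE":
            per_imsi[parsed[1]].append(parsed[0])
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for imsi, times in per_imsi.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] >= window:  # drop events that fell out of the window
                start += 1
            best = max(best, end - start + 1)
        peaks[imsi] = best
    return peaks


def flag_signaling_storms(lines: List[str], window_seconds: int = 60,
                          threshold: int = 10) -> Dict[str, int]:
    """IMSIs whose peak exceeds the threshold, mapped to the activations-per-day
    rate that pace would produce (slide 16's 2-second cycle gives 43,200)."""
    return {imsi: peak * 86400 // window_seconds
            for imsi, peak in peak_activations(lines, window_seconds).items()
            if peak > threshold}
```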
17. Example: Premium Rate SMS Trojans
• Fraud caused by SMS Trojans such as FakePlayer-A is a long-standing problem in the mobile phone world
   – Costing consumers a considerable amount of money every year.
• This kind of fraud is possible since on modern smartphones any application has access to the cellular API and is thus able to send SMS messages.
   – The same problem applies to voice calls to premium numbers.
• Trojan-SMS.AndroidOS.FakePlayer-A. http://www.fortiguard.com/encyclopedia/virus/android_fakeplayer.a!tr.html, August 2010.

18. Example: WAC Operator Billing
• Pay via operator bill
• WAC allows to bill consumers buying virtual and digital content quickly, easily and safely using their mobile phone number
• It is available for websites, mobile apps and widgets running on mobiles, tablets, PCs or even TVs.

19. WAC is an alliance of some of the biggest companies in the mobile industry.
• Membership categories: WAC Board of Directors, Operator Board Observers, Sponsor Members, Associate Members, Members
• Companies listed on the slide (all categories): Accenture, America Movil, Fujitsu, Aepona, Limo Foundation, Ericsson, Bell Mobility, IBM, Alcatel Lucent, Neustar, Huawei, China Unicom, NEC, ASPire-tech, NTT Data, Intel, Hutchison 3 group, Borqs, Obigo, Nokia, KDDI, Cambertech Inc, Opera, Qualcomm, LG UPlus, Capgemini, Oracle, Samsung, MTS, Eyeline, Panasonic, Orascom, GD, RIM, Rogers, HP, Sandisk, SFR, HTC, SAP, Vimpelcom, IMImobile, Sharp, Incross Co., Sony Ericsson, Infraware, WiPro, KT, Innotz, ZTE, LG Electronics

20. WAC has two focus areas: Network APIs and Operator Billing.
• WAC Widget Runtime
   – Increase the overall market for mobile applications
   – Encourage open standardized technologies
   – Enable distribution of WAC widgets through multiple channels
• Operator Network APIs
   – Exposure of valuable operator network capabilities to the developer
   – Allowing developers to enhance their applications
   – Reducing technical and commercial complexity by offering APIs in a unified, technology-agnostic way
   – Operator Billing is the first API
• Web: www.wacapps.net/payment-api
• YouTube: http://bit.ly/nObOd2

21. Using the WAC solution subscribers can pay for content securely with just a few clicks on the mobile.

22. Non-mobile devices can also be addressed with the convenient mobile TAN approach.
• Illustrative payment flow shown on a mobile device – however this applies to other devices as well, e.g. tablets or desktops

23. Access Control in Android

24. Android
• One of the most anticipated smartphone operating systems – led by Google
   – Complete software stack
   – Open source (Apache v2 license) ... mostly
• Open Handset Alliance
   – ... 30+ industrial partners
   – Google, T-Mobile, Sprint, HTC, LG, Motorola, Samsung, Broadcom, Intent, NVIDIA, Qualcomm, …

25. Android Phones
• An Android phone contains a number of “applications”
   – Android comes installed with a number of basic system tools, e.g., dialer, address book, etc.
   – Developers use the Android API to construct applications.
• All apps are written in Java and executed within a custom Java virtual machine.
   – Each application package is contained in a jar file (.apk)
• Applications are installed by the user
   – No “app store” required, just build and go.
   – Open access to data and voice services

    26. 26. Security Enforcement Android protects application at system level and at the Inter-component communication (ICC) level. Each application runs as a unique user identity, which lets Android limit the potential damage of programming flaws. Deutsche Telekom Laboratories 17.06.2011 26
27. Security Enforcement
• Core idea of Android security enforcement
   – label assignment to applications and components
• A reference monitor provides mandatory access control (MAC) enforcement of how applications access components.
• Access to each component is restricted by assigning it an access permission label; applications are assigned collections of permission labels.
• When a component initiates ICC, the reference monitor looks at the permission labels assigned to its containing application and
   – if the target component’s access permission label is in that collection, allows ICC establishment to proceed.

28. Access permission logic
• The Android middleware implements a reference monitor providing mandatory access control (MAC) enforcement of how applications access components.
• The basic enforcement model is the same for all component types.
• Component A’s ability to access components B and C is determined by comparing the access permission labels on B and C to the collection of labels assigned to application 1.

29. Enforcement Conclusion
• Assigning permission labels to an application specifies its protection domain.
• Assigning permissions to the components in an application specifies an access policy to protect its resources.
• Android’s policy enforcement is mandatory: all permission labels are set at install time and can’t change until the application is reinstalled.
• Android’s permission label model only restricts access to components and doesn’t currently provide information flow guarantees.

30. Security Refinements – Public vs. Private Components
• Applications often contain components that another application should never access.
   – For example, a component related to password storage.
• The solution is to define private components.
• This significantly reduces the attack surface for many applications.

31. Security Refinements – Protected APIs
• Not all system resources (for example, the network) are accessed through components; instead, Android provides direct API access.
• Android protects these sensitive APIs with additional permission label checks:
   – an application must declare a corresponding permission label in its manifest file to use them.

32. Security Refinements – Permission Protection Levels
• The permission protection levels provide a means of controlling how developers assign permission labels.
• Signature permissions ensure that only the framework developer can use the specific functionality (only Google applications can directly interface with the telephony API, for example).

33. Lessons in Defining Policy
• Android security policy begins with a relatively easy-to-understand MAC enforcement model,
   – but the number and subtlety of refinements make it difficult to discover an application’s policy.
• The label itself is merely a text string,
   – but its assignment to an application provides access to potentially limitless resources.

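As an added example (not from the slides, and not Android's own code), the following Python model of the label-based reference monitor from slides 27 to 33 shows why the three refinements matter: a private component is unreachable regardless of labels, a protected API is gated on the caller's protection domain, and a signature-level label is denied to a package signed with a different certificate. The certificates, package names and the com.example.bank.READ_TAN label are constructed; the android.permission.* names are real Android identifiers used here only as labels.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed model of the install-time permission-label checks from slides 27-33.
# It simplifies the reference-monitor logic the slides describe (no URI permissions,
# no signatureOrSystem level, no later runtime permissions).


@dataclass(frozen=True)
class PermissionDef:
    protection_level: str  # "normal", "dangerous" or "signature"
    declarer_cert: str     # signing certificate of the package that declared the label


@dataclass(frozen=True)
class Component:
    owner: str                         # package containing the component
    exported: bool                     # False = private component (slide 30)
    permission: Optional[str] = None   # label required for ICC, if any


@dataclass(frozen=True)
class Application:
    name: str
    cert: str                          # certificate the .apk is signed with
    requested: FrozenSet[str]          # <uses-permission> labels in the manifest
    granted: FrozenSet[str] = frozenset()


def install(app: Application, defs: Dict[str, PermissionDef]) -> Application:
    """Fix the protection domain at install time (slide 29): normal and dangerous
    labels are granted as requested (the user accepts every request, slide 13);
    a signature label needs the same certificate as its declaring package."""
    granted = set()
    for label in app.requested:
        pdef = defs.get(label)
        if pdef is None:
            continue  # undefined label: never granted
        if pdef.protection_level == "signature" and pdef.declarer_cert != app.cert:
            continue  # certificate mismatch: denied (slide 32)
        granted.add(label)
    return Application(app.name, app.cert, app.requested, frozenset(granted))


def icc_allowed(caller: Application, target: Component) -> bool:
    """Reference-monitor decision for inter-component communication (slides 27/28)."""
    if not target.exported:           # private: only its own package may reach it
        return caller.name == target.owner
    if target.permission is None:     # public, unprotected component
        return True
    return target.permission in caller.granted


def api_allowed(caller: Application, label: str) -> bool:
    """Protected API check (slide 31): the label must be in the caller's domain."""
    return label in caller.granted


# Constructed policy: framework-declared labels plus one bank-declared signature label.
DEFS = {
    "android.permission.INTERNET": PermissionDef("normal", "framework-cert"),
    "android.permission.SEND_SMS": PermissionDef("dangerous", "framework-cert"),
    "android.permission.CALL_PRIVILEGED": PermissionDef("signature", "framework-cert"),
    "com.example.bank.READ_TAN": PermissionDef("signature", "bank-cert"),
}
BANK = install(Application("com.example.bank", "bank-cert",
                           frozenset({"android.permission.INTERNET",
                                      "com.example.bank.READ_TAN"})), DEFS)
# A media player that requests every label it can name, including the bank's own.
PLAYER = install(Application("com.example.player", "player-cert", frozenset(DEFS)), DEFS)
TAN_STORE = Component("com.example.bank", exported=False)
TRANSFER = Component("com.example.bank", exported=True, permission="com.example.bank.READ_TAN")
BRANCH_FINDER = Component("com.example.bank", exported=True)
```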
34. MILS/Separation Kernel approach for Android phones

35. (figure only)

36. SiMKo 3

37. Simplified overall SiMKo3 system architecture – MILS approach
Four compartments side by side on top of the L4Re microkernel (labels as they appear in the diagram):
• Open Compartment: Applications (Office, Adobe, Citrix, VMWare, Dialer, Customer-App-Store) on Android / L4Linux + Google patches, with L4-Drv-Stubs: Video, PM, Net, Storage, Touch, Crypt
• Secure Compartment: Secure-Applications (Privacy Store, S/MIME, BackOffice, Secure Android Connector) on Android / L4Linux + Google patches, with L4-Drv-Stubs: Video, PM, Net, Storage, Touch, Crypt
• Network Compartment: Genua VPN and Firewall on L4OpenBSD, with L4-Drv-Stubs: Network, PM
• Crypto Compartment: En-/Decrypter, S/MIME, SmartCard, Secure Environment, Key Storage
• Further labels: Voice, SNS, GUI; drivers PM-Drv, Video-Drv, Network-Drv, Modem-Drv, Touch-Drv, OTA, Storage-Drive, En-/Decryption, SmartCard-Drv, PowerMgmnt-Drv, IO, Memory; L4Re Microkernel; Boot-Loader; Hardware

38. Network hardening of SiMKo3

39. Modem Virtualization

40. Modem Virtualization (continued)

41. SoC of Galaxy S II

42. Early Prototypes

43. SiMKo3 is based upon the L4 micro-kernel and the Samsung Galaxy S II, and …

44. L4Android – www.l4android.org
• L4Android is derived from the L4Linux project, which is developed at the Technische Universität Dresden.
• L4Linux is a modified Linux kernel, which runs on top of the Fiasco.OC microkernel.
   – It is binary compatible with the normal Linux kernel.
• L4Android combines both the L4Linux and Google modifications of the Linux kernel and thus enables us to run Android on top of a microkernel.

45. Agenda – Thank you for your attention!
1. Introduction
2. Three reasons for Access Control in SmartPhones
   – mTAN, signalling-based attacks, Android Trojan(s)
3. So? Access Control in three Linux based SmartPhones!
   – LiMo, MeeGo, Android
4. Problems with MAC for “responsible devices“
5. The MILS/Separation Kernel approach for Android phones
   – SECT ad for L4Android
6. Conclusion

46. Questions?
