0
Fourteenforty Research Institute, Inc.
1
Fourteenforty Research Institute, Inc.
PacSec 2011 Tokyo
How Security Broken?
And...
Fourteenforty Research Institute, Inc.
• Increasing Share + Increasing Malware
– 3x malware increases in 2010(1)
– 2010/08...
Fourteenforty Research Institute, Inc.
Agenda
• Security in Low Layer
– Protection in Kernel level
• Android Internals
– P...
Fourteenforty Research Institute, Inc.
SECURITY IN LOW LAYER
Kernel-level Memory Protection and Android
4
Fourteenforty Research Institute, Inc.
-2.2 2.3-,3.0- 4.0- iOS
DEP (Stack) - (1) ✔ (1) ✔
Supported: 2.0-
DEP (Others) - (2...
Fourteenforty Research Institute, Inc.
Kernel-level Protection : DEP
• Distinguish between “data” and “code” in hardware l...
Fourteenforty Research Institute, Inc.
Android Internals : Zygote
7
ModuleModule Module
• All applications are forked from...
Fourteenforty Research Institute, Inc.
Kernel-level Protection : ASLR
• Randomize Memory Layout to prevent exploits
– Many...
Fourteenforty Research Institute, Inc.
Security Concerns : Prelinking
• Prelinking (user-mode mechanism)
– Locates system ...
Fourteenforty Research Institute, Inc.
• 2011/10 : Still no real Android 4.0 device...
– Android 4.0 SDK emulator image is...
Fourteenforty Research Institute, Inc.
Conclusion
• Kernel-level Protections are not so effective
– Possibility: Native Co...
Fourteenforty Research Institute, Inc.
APPLICATION LAYER
MECHANISMS
How Android system works?
12
Fourteenforty Research Institute, Inc.
Android Applications
• Quite different than other platforms
– Intent-based communic...
Fourteenforty Research Institute, Inc.
Android : How application work
• Applications are contained in the Package
• Regist...
Fourteenforty Research Institute, Inc.
Android : Package
• Package itself is only a ZIP archive
• AndroidManifest.xml (Man...
Fourteenforty Research Institute, Inc.
Android : Package (Permission)
• Abstract “Capability” in Android system
– More tha...
Fourteenforty Research Institute, Inc.
Android : Intent
• Intent
– Send/Receive Message containing action, target, ...
• I...
Fourteenforty Research Institute, Inc.
Android : Intent (Activity)
• Activity = Unit of “Action” with User Interface
– Spe...
Fourteenforty Research Institute, Inc.
Android : Intent (Broadcast)
• Broadcast : Feature to Receive system/app-generated ...
Fourteenforty Research Institute, Inc.
Android : Intent (Ordered Broadcast)
• Broadcast can have “Order”
– Few broadcasts ...
Fourteenforty Research Institute, Inc.
MIME Type : text/html
Action : SEND
Action:
INSUFFICIENT BATTERY
Protocol : http
Ho...
Fourteenforty Research Institute, Inc.
P=0P=100P=999
Android : Intent Filter (Priority)
• Priority in Intent Filter (assoc...
Fourteenforty Research Institute, Inc.
Summary
• Android System
– Package / Manifest
– Permission System
• Intent-based Fe...
Fourteenforty Research Institute, Inc.
SECURITY AND THREATS
Android Malware and Countermeasure Issues
24
Fourteenforty Research Institute, Inc.
• Many malwares and Many anti-virus software
– Malware impacts
– Is Anti-virus soft...
Fourteenforty Research Institute, Inc.
• Found on 13 Jan (McAfee)
– CallAccepter, Radiocutter, SilentMutter
– Targeting ro...
Fourteenforty Research Institute, Inc.
• Found on 10 Aug (Symantec) : FakePlayer.A
– First “real” Android threat
– Distrib...
Fourteenforty Research Institute, Inc.
• January : Repackaged Android Apps
– Redistribute “tainted” Android applications
•...
Fourteenforty Research Institute, Inc.
• Classification
– Spyware
– Backdoor
– Dialer (utilizing premium services)
• China...
Fourteenforty Research Institute, Inc.
• Paid SMS/telephone services
– Japan : “Dial Q2”
– Paid numbers/services have no b...
Fourteenforty Research Institute, Inc.
Android Malware : Utilizing Intent Filter
• Receive Broadcasts to (steal informatio...
Fourteenforty Research Institute, Inc.
Android Malware : Evolution
• Still no “real” obfuscation
– Easy to analyze
• Evolv...
Fourteenforty Research Institute, Inc.
Anti-virus : How it works?
• Utilizing *many* of Intent Filters and Broadcasts
– Re...
Fourteenforty Research Institute, Inc.
• Anti-virus software is working as a normal Android app
– Normally implemented as ...
Fourteenforty Research Institute, Inc.
• Android as a Sandbox
– Prevent Access to Other Processes
– Blocks Anti-Virus soft...
Fourteenforty Research Institute, Inc.
• Collecting Samples
– Vary in Security Vendors
– Android Market : Automated Crawle...
Fourteenforty Research Institute, Inc.
• Same Privilege : Malware and Anti-virus Software
– Can Neutralize each other
• Dy...
Fourteenforty Research Institute, Inc.
• Gaining Administrator Privileges (not available by default)
– Specially, utilizin...
Fourteenforty Research Institute, Inc.
• Logic Error in suid program
– Some Android Tablet: OS command injection
rooting :...
Fourteenforty Research Institute, Inc.
• Improper User-supplied buffer access
– Some Android smartphone: Sensor Device
roo...
Fourteenforty Research Institute, Inc.
rooting : The Real Problem
• Malware can Exploit same Vulnerability
– Malware could...
Fourteenforty Research Institute, Inc.
• High priority Activity enables hooking
– Dangerous
– Reserved for System Applicat...
Fourteenforty Research Institute, Inc.
• If malicious package is installed in the System Partition,
malware can utilize hi...
Fourteenforty Research Institute, Inc.
Broken Security : Permission (1)
• Reserved Permissions
– Only available to Vendor ...
Fourteenforty Research Institute, Inc.
Broken Security : Permission (2)
• In root process, all Permissions are granted
– N...
Fourteenforty Research Institute, Inc.
rooting : Countermeasures and Issues (1)
• Remove found vulnerabilities
– Not so ea...
Fourteenforty Research Institute, Inc.
rooting : Countermeasures and Issues (2)
• Limiting root user is not enough
– Permi...
Fourteenforty Research Institute, Inc.
Conclusion
• Malware and Anti-virus software is evolving
– But, we cannot protect w...
Fourteenforty Research Institute, Inc.
BOTTOM LINE
Can Android be protected?
49
Fourteenforty Research Institute, Inc.
Is Android Protected? (1)
• Vulnerability Attacks
– Android depends on many of Nati...
Fourteenforty Research Institute, Inc.
Is Android Protected? (2)
• Malware vs. Anti-virus software
– Malware (as a Trojan ...
Fourteenforty Research Institute, Inc.
What to do (1)
• Technical Responsibility : Android Project (AOSP et al.)
– Make se...
Fourteenforty Research Institute, Inc.
What to do (2)
• Technical Responsibility : Device Vendor
– Fix existing vulnerabil...
Fourteenforty Research Institute, Inc.
Conclusion
• Protection for Android is not enough, but not impossible to solve
– Cu...
Fourteenforty Research Institute, Inc.
55
Thank you
Fourteenforty Research Institute, Inc.
http://www.fourteenforty.jp
Res...
Upcoming SlideShare
Loading in...5
×

How security broken? - Android internals and malware infection possibilities

660

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
660
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
22
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "How security broken? - Android internals and malware infection possibilities"

  1. 1. Fourteenforty Research Institute, Inc. 1 Fourteenforty Research Institute, Inc. PacSec 2011 Tokyo How Security Broken? Android Internals and Malware Infection Possibilities Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Research Engineer – Tsukasa OI
  2. 2. Fourteenforty Research Institute, Inc. • Increasing Share + Increasing Malware – 3x malware increases in 2010(1) – 2010/08 : SMS malware identified (FakePlayer.A) – 2011/03 : “Undeletable” malware found (DroidDream) • Vulnerabilities and Exploits – 2003- : Implementation to prevent exploits (DEP, ASLR...) – Mobile devices also can be exploited • 2007- : JailbreakMe (payload for iOS) • 2011/03 : DroidDream (utilizing two rooting exploits) • Countermeasure : Anti-virus Software for Android – Android should be protected like PC 2 Background: Android and Threats (1) http://www.adaptivemobile.com/
  3. 3. Fourteenforty Research Institute, Inc. Agenda • Security in Low Layer – Protection in Kernel level • Android Internals – Packages / Permissions – Intent / Activity / Broadcast • Threats and Countermeasures – Malware Infection and Impact – rooting issues – Anti-virus software issues 3
  4. 4. Fourteenforty Research Institute, Inc. SECURITY IN LOW LAYER Kernel-level Memory Protection and Android 4
  5. 5. Fourteenforty Research Institute, Inc. -2.2 2.3-,3.0- 4.0- iOS DEP (Stack) - (1) ✔ (1) ✔ Supported: 2.0- DEP (Others) - (2) ✔ ✔ ASLR (Stack) ✔ ✔ ✔ Supported: 4.3- ASLR (Heap) - - ? / - (3) ASLR (Modules) - - ✔ / - (3) Partially supported: 4.3-(4) Kernel-level Protection : Implementation 5 (1) May vary in compiler flags for native applications. (2) Allocation in portable way (3) According to the Release note / Result in Android 4.0 emulator image (4) Only if application supports ASLR
  6. 6. Fourteenforty Research Institute, Inc. Kernel-level Protection : DEP • Distinguish between “data” and “code” in hardware level and Prevent “data” to be executed • Need a Compiler Flag to enable DEP – Not enabled until Android 2.2 – Kernel *disables* DEP for compatibility • Solved in Android 2.3 6 Memory Code Data Code Data OK ExecuteExecute
  7. 7. Fourteenforty Research Institute, Inc. Android Internals : Zygote 7 ModuleModule Module • All applications are forked from Zygote – To reduce memory footprint – Security parameter in Zygote is *very* important – All applications had “weakness” until Android 2.2 (DEP is disabled)
  8. 8. Fourteenforty Research Institute, Inc. Kernel-level Protection : ASLR • Randomize Memory Layout to prevent exploits – Many of recent exploits utilize *specific* address • Kernel settings : Randomize everything except heap (OK) – But actually, modules (libraries) are not randomized (no good) – Because of Prelinking 8 Target Target Memory Target TargetTarget TargetTarget ? ? ? ?
  9. 9. Fourteenforty Research Institute, Inc. Security Concerns : Prelinking • Prelinking (user-mode mechanism) – Locates system libraries to fixed addresses – ASLR is effectively *neutralized* because of Prelinking • Makes exploitation very easy 9 Module Memory Module Module
  10. 10. Fourteenforty Research Institute, Inc. • 2011/10 : Still no real Android 4.0 device... – Android 4.0 SDK emulator image is available now • Google have announced ASLR is introduced in Android 4.0 (1) – Still no ASLR in the emulator image... – I expect “proper” ASLR is implemented! Kernel-level Protection : ASLR in Android 4.0? 10 (1) http://developer.android.com/sdk/android-4.0-highlights.html
  11. 11. Fourteenforty Research Institute, Inc. Conclusion • Kernel-level Protections are not so effective – Possibility: Native Code exploitation • Improper build settings can be fixed – Fixed by default in Android 2.3 • Prelinking can weaken kernel-level protection – CPU performance increasing – Could be fixed! (Android 4.0) 11
  12. 12. Fourteenforty Research Institute, Inc. APPLICATION LAYER MECHANISMS How Android system works? 12
  13. 13. Fourteenforty Research Institute, Inc. Android Applications • Quite different than other platforms – Intent-based communication • Android Internals – Package and Manifest – Permission system – Intent • Activity • Broadcast and BroadcastReceiver • ... 13
  14. 14. Fourteenforty Research Institute, Inc. Android : How application work • Applications are contained in the Package • Register how “classes” are invoked using Manifest – System calls application “classes” if requested – Activity, Broadcast, ... 14 Package.apk Activity Broadcast Receiver Invoke Application Callback on Event AndroidManifest.xml Android System Install
  15. 15. Fourteenforty Research Institute, Inc. Android : Package • Package itself is only a ZIP archive • AndroidManifest.xml (Manifest) – Application information, permissions – How classes can be called (Activity, BroadcastReceiver...) • Immutable on installation – Can be “updated” along with whole package 15 APK File (ZIP format) AndroidManifest.xml (Manifest) classes.dex (Program) lib/armeabi/* (Native code) ...
  16. 16. Fourteenforty Research Institute, Inc. Android : Package (Permission) • Abstract “Capability” in Android system – More than 100 (internet connection, retrieve phone number...) • No permission, No operation – Permission is the key of Capability 16 App1 App2 Permission: INTERNET The Internet
  17. 17. Fourteenforty Research Institute, Inc. Android : Intent • Intent – Send/Receive Message containing action, target, ... • Intent are used in many form – Inter-Application Communication – Event Notification 17 “Memo” App (Choose Apps) “Mail” App “Twitter” App Post to Twitter Intent and multiple applications (Activities) startActivity
  18. 18. Fourteenforty Research Institute, Inc. Android : Intent (Activity) • Activity = Unit of “Action” with User Interface – Specifying object type (target) and action, Activity is called by the system automatically 18 “Memo” App (Choose Apps) “Mail” App “Twitter” App Post to Twitter Intent and multiple applications (Activities) startActivity
  19. 19. Fourteenforty Research Institute, Inc. Android : Intent (Broadcast) • Broadcast : Feature to Receive system/app-generated Events – All associated (and registered) BroadcastReceiver classes are invoked 19 System Intent and Broadcast (Battery Event Notification) sendBroadcast Receiver ... Receiver ... Show Warning Receiver
  20. 20. Fourteenforty Research Institute, Inc. Android : Intent (Ordered Broadcast) • Broadcast can have “Order” – Few broadcasts are sent “Ordered” • Ordered Broadcast – BroadcastReceiver class is invoked in order of Priority (later) – Abort Processing Broadcast using “abortBroadcast” method 20 P=999 P=100 P=0 Normal: sendBroadcast P=0P=100P=999 Ordered: sendOrderedBroadcast Receiver Receiver Receiver O. ReceiverO. Receiver O. Receiver abortBroadcast High Priority Low
  21. 21. Fourteenforty Research Institute, Inc. MIME Type : text/html Action : SEND Action: INSUFFICIENT BATTERY Protocol : http Host : mypict.com Action : VIEW Android : Intent Filter • Similar to File/Protocol Association in Windows – Action (what to do), Category (how to do) – File Type (MIME), Location, Protocol... • Specify in the Manifest (AndroidManifest.xml) – Android System manages all Intent Filters 21 Activity A Broadcast Receiver Activity B e.g. Application to upload text e.g. Application for specific website e.g. Battery-related service
  22. 22. Fourteenforty Research Institute, Inc. P=0P=100P=999 Android : Intent Filter (Priority) • Priority in Intent Filter (associated with Activity / Broadcast) – Higher Value = Higher Priority – Ordered Broadcast – Activity 22 ActivityActivityActivity P=0P=100P=999 Ordered: sendOrderedBroadcast O. ReceiverO. Receiver O. Receiver abortBroadcast High Priority Low
  23. 23. Fourteenforty Research Institute, Inc. Summary • Android System – Package / Manifest – Permission System • Intent-based Features – Activity – Broadcast • Ordered or not • Intent Filter to help inter-application communication – Flexibleness – Priority 23
  24. 24. Fourteenforty Research Institute, Inc. SECURITY AND THREATS Android Malware and Countermeasure Issues 24
  25. 25. Fourteenforty Research Institute, Inc. • Many malwares and Many anti-virus software – Malware impacts – Is Anti-virus software effective? • Malware – Trends and Characteristics • How Anti-virus software work? – Issue: Insufficient Privileges • rooting issues – How security has broken? – Countermeasure, and problems still left Android Security and Threats 25
  26. 26. Fourteenforty Research Institute, Inc. • Found on 13 Jan (McAfee) – CallAccepter, Radiocutter, SilentMutter – Targeting rooted Android 1.0 devices – Denial of Service • Released on 26 Oct : Mobile Spy – Paid Spyware (Record SMS, GPS, incoming/outgoing calls) – Similar to “Karelog” (2011) in many ways • Different Type of Attack – Not so related to Cybercrime Android Malware : 2009 26
  27. 27. Fourteenforty Research Institute, Inc. • Found on 10 Aug (Symantec) : FakePlayer.A – First “real” Android threat – Distributed in Russian website masquerading as a harmless movie player – Making money utilizing Premium SMS • Checkpoint : Modern Cybercrime and Android – Thereafter, Android malware became more “malicious” Android Malware : 2010 27
  28. 28. Fourteenforty Research Institute, Inc. • January : Repackaged Android Apps – Redistribute “tainted” Android applications • March : Undeletable Malware – Install code to the System Partition • June : Self-updating Malware – Download and Execute the code dynamically (DexClassLoader) • July, October : Malware utilizing Application Updates – Updated application include malicious code Android Malware : 2011 28
  29. 29. Fourteenforty Research Institute, Inc. • Classification – Spyware – Backdoor – Dialer (utilizing premium services) • China, Russia... – APN/telephone number in specific country – String resources • Messaging Channel – HTTP – SMS Android Malware : Characteristics 29
  30. 30. Fourteenforty Research Institute, Inc. • Paid SMS/telephone services – Japan : “Dial Q2” – Paid numbers/services have no borders • Utilizing Premium Services : Dialer – Dial Premium Services and Make Money *directly* – Dialers Reborn – Android Smartphones Android Malware : Characteristics (Premium Services) 30
  31. 31. Fourteenforty Research Institute, Inc. Android Malware : Utilizing Intent Filter • Receive Broadcasts to (steal information | run automatically | ...) – 39/44 malware samples • “Receiving SMS” is a Ordered Broadcast event – BroadcastReceiver with higher priority can *hide* SMS message (hidden from preinstalled SMS application) – Can hide malicious commands – 14/44 malware samples 31
  32. 32. Fourteenforty Research Institute, Inc. Android Malware : Evolution • Still no “real” obfuscation – Easy to analyze • Evolving Rapidly – DroidDream Use exploits to gain root privilege and install malicious packages silently – Plankton Download DEX file (Dalvik byte code) and Execute it dynamically using class loader • Refined Android malwares will cause problems (specially, the one utilizing rooting techniques) 32
  33. 33. Fourteenforty Research Institute, Inc. Anti-virus : How it works? • Utilizing *many* of Intent Filters and Broadcasts – Real-time scan (partially) – Scan Downloaded Files / Applications – Scan SMS messages 33 Anti-Virus Mount SD card Receive SMS Boot the Device ... Install Package Open some Files
  34. 34. Fourteenforty Research Institute, Inc. • Anti-virus software is working as a normal Android app – Normally implemented as a driver (PC) Anti-virus : Issue by Android Security Design 34 System Anti-Virus Driver App1 App2 Anti-Virus
  35. 35. Fourteenforty Research Institute, Inc. • Android as a Sandbox – Prevent Access to Other Processes – Blocks Anti-Virus software access as well – No driver can be installed Anti-virus : Issue by Android Security Design 35 System Anti-Virus Driver App1 App2 Anti-Virus
  36. 36. Fourteenforty Research Institute, Inc. • Collecting Samples – Vary in Security Vendors – Android Market : Automated Crawler is Prohibited Anti-Virus : Issues 36
  37. 37. Fourteenforty Research Institute, Inc. • Same Privilege : Malware and Anti-virus Software – Can Neutralize each other • Dynamic Heuristics is not easy – No way to intercept system calls – Signature issues – Protect partially • Still, normal existing malware can be detected and warn to the user • If malware can gain higher privilege... – Gaining root privilege = rooting Anti-virus : Same Privilege 37
  38. 38. Fourteenforty Research Institute, Inc. • Gaining Administrator Privileges (not available by default) – Specially, utilizing local vulnerabilities • rooting vulnerabilities – CVE-2009-1185 (exploid) – [no CVE number] (rage against the cage) – CVE-2011-1149 (psneuter) – CVE-2011-1823 (Gingerbreak) – [no CVE number] (zergRush) • Chip/Vendor-specific vulnerabilities! rooting 38
  39. 39. Fourteenforty Research Institute, Inc. • Logic Error in suid program – Some Android Tablet: OS command injection rooting : Vulnerabilities (1) 39 Can invoke arbitrary command in root privileges. [not available in public slides]
  40. 40. Fourteenforty Research Institute, Inc. • Improper User-supplied buffer access – Some Android smartphone: Sensor Device rooting : Vulnerabilities (2) 40 Can write [not available] to arbitrary user memory, bypassing copy-on-write. Destroying setuid function can generate root-privilege process. [not available in public slides]
  41. 41. Fourteenforty Research Institute, Inc. rooting : The Real Problem • Malware can Exploit same Vulnerability – Malware could gain higher privileges – Avoid Anti-virus software • rooting breaks some security mechanisms – Intent Filter priority value (associated with Activity) – Permission System • Security software may be neutralized 41
  42. 42. Fourteenforty Research Institute, Inc. • High priority Activity enables hooking – Dangerous – Reserved for System Applications Broken Security : Activity Priority (1) 42 P=0P=100P=999 User ActivitySystem ActivityUser Activity P=0P=999 0P=100 User ActivityUser ActivitySystem Activity High Priority Low
  43. 43. Fourteenforty Research Institute, Inc. • If malicious package is installed in the System Partition, malware can utilize higher priority of Activity – Hook implicit Intents – e.g. Hook web browser-related Intents for phishing • Does not work since Android 3.0 (because of Browser application changes) Broken Security : Activity Priority (2) 43 P=0P=0P=999 User ActivitySystem ActivitySYSTEM Activity Browser Hooks Real Web Browser High Priority Low
  44. 44. Fourteenforty Research Institute, Inc. Broken Security : Permission (1) • Reserved Permissions – Only available to Vendor Packages or Preinstalled Packages – Bypassing : There’s a way other than modifying System Partition... 44 User App System App INSTALL_PACKAGES permission INSTALL_PACKAGES INSTALL_PACKAGES
  45. 45. Fourteenforty Research Institute, Inc. Broken Security : Permission (2) • In root process, all Permissions are granted – No additional security checks (not even manifest checks) – Enables silent installation for example • GingerMaster utilizes this behavior (indirectly) 45 User App System App INSTALL_PACKAGES permission UID=0 (root) INSTALL_PACKAGES
  46. 46. Fourteenforty Research Institute, Inc. rooting : Countermeasures and Issues (1) • Remove found vulnerabilities – Not so easy to patch... (http://www.ipa.go.jp/about/technicalwatch/pdf/110622report.pdf) • Limit root user : Linux Security Modules (LSM) – SHARP Corp. : Deckard / Miyabi • /system partition is prohibited (cannot be re-written) • ptrace (Debugging) is prohibited • Prevents DroidDream / DroidKungFu infection – Prevent root user to be utilized • Current LSMs are not enough though... • Black Hat Abu Dhabi 2011 46
  47. 47. Fourteenforty Research Institute, Inc. rooting : Countermeasures and Issues (2) • Limiting root user is not enough – Permission checks – Making secure OS policy is difficult – Anti-virus software privilege is left weak • Protection specific to Android • Enabling Privilege Escalation for Security is needed! 47
  48. 48. Fourteenforty Research Institute, Inc. Conclusion • Malware and Anti-virus software is evolving – But, we cannot protect whole system. • rooting breaks security and neutralize Anti-virus software – Even if malware could be found, it could be undeletable. – To encounter, we need privilege improvement and whole new protection system. 48
  49. 49. Fourteenforty Research Institute, Inc. BOTTOM LINE Can Android be protected? 49
  50. 50. Fourteenforty Research Institute, Inc. Is Android Protected? (1) • Vulnerability Attacks – Android depends on many of Native Code (e.g. WebKit) – Kernel-level protection is currently not so effective • Compiler Flag (DEP) • Prelinking (disabling ASLR) – If vulnerability is found in Android, it is not difficult to exploit. – It could possibly change in Android 4.0 50
  51. 51. Fourteenforty Research Institute, Inc. Is Android Protected? (2) • Malware vs. Anti-virus software – Malware (as a Trojan horse) works as a spyware, backdoor or dialer utilizing Android features – rooting can make Anti-virus software completely useless • Currently, it is Difficult to protect Android devices 51
  52. 52. Fourteenforty Research Institute, Inc. What to do (1) • Technical Responsibility : Android Project (AOSP et al.) – Make security mechanism Strict • System Call-Level Protection (LSM) • Secure Android Framework – Help making Security Software • e.g. Giving higher privileges for specific software – Make Kernel-level Protection Better • Removing Prelinking, ... • ... it seems to be done! 52
  53. 53. Fourteenforty Research Institute, Inc. What to do (2) • Technical Responsibility : Device Vendor – Fix existing vulnerabilities (prevent existing malware) – Verify vendor customization • Not to break Android security mechanisms (and not to prevent user rights) 53
  54. 54. Fourteenforty Research Institute, Inc. Conclusion • Protection for Android is not enough, but not impossible to solve – Currently, Users must be aware of threats – Possibly, need to take resolute steps • Work together to improve Android security whilst keeping platform open 54
  55. 55. Fourteenforty Research Institute, Inc. 55 Thank you Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp Research Engineer – Tsukasa OI <oi@fourteenforty.jp>
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×