Securing a mobile platform from the ground up
Rich Cannings <richc@google.com>
Alex Stamos <alex@isecpartners.com>
Overview
  - Why care about mobile security?
  - What is Android?
  - How do I develop on Android?
    - Android Market
  - What about Security?
    - Cornerstones of Android security
      - Prevention
      - Minimization
      - Detection
      - Reaction
Some Statistics
  - 6.77 billion people [1]
  - 1.48 billion Internet-enabled PCs [2]
  - 4.10 billion mobile phones [1]
  - Mobile phone replacement rate
    - 12-18 month average [3]
    - 1.1 billion mobile phones are purchased per year [4]
    - 13.5% of mobile phone sales are smartphones [5]
  - The number of smartphones will soon compare with the number of Internet-enabled PCs

  [1] http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use (based on The World Factbook)
  [2] http://www.itu.int/ITU-D/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1
  [3]
  [4] http://www.infonetics.com/pr/2009/2h08-mobile-wifi-phones-market-research-highlights.asp
  [5] http://www.gartner.com/it/page.jsp?id=985912
Mobile Security is Getting Interesting
  - Desktop analysis techniques are increasingly applicable to smartphones
  - Mobile networks can now be easily manipulated
    - From phones:
      - Miller, Lackey, Miras at BlackHat 2009
    - From false base stations:
      - http://openbts.sourceforge.net/
Mobile Security Matures
  - We are now seeing attacks against all layers of mobile infrastructure:
    - Applications
    - Platform
    - OS
    - Baseband
    - Network
  - Mobile devices must be treated as fully fledged computers.
  - Do not assume they are "special".
The Android Platform
  - Free, open source mobile platform
    - Source code at http://source.android.com
  - Any handset manufacturer or hobbyist can install
  - Any developer can use
    - SDK at http://developer.android.com
  - Empower users and developers
The Android Technology Stack
  - Linux kernel
  - Relies upon 90+ open source libraries
    - Integrated WebKit-based browser
    - SQLite for structured data storage
    - OpenSSL
    - BouncyCastle
    - libc based on OpenBSD
    - Apache Harmony
    - Apache HttpClient
  - Supports common sound, video and image codecs
  - API support for handset I/O
    - Bluetooth, EDGE, 3G, wifi
    - Camera, video, GPS, compass, accelerometer, sound, vibrator
Android Development
  - Java applications are composed of:
    - Activities
      - Visual user interface for one focused endeavor
    - Services
      - Run in the background for an indefinite period of time
    - Intents
      - Asynchronous messaging
      - URL dispatching on steroids
      - Glue many Activities and Services together to make an application
      - Provide interactivity between applications
Example Email Application
Application Lifecycle
  - Designed to protect battery life
  - Activities live on a stack
  - Background activities can be killed at any moment
  - The platform makes it easy for developers to write applications that can be killed at any moment without losing state
    - Helps with DoS issues
Android Market
  - Connects developers with users
  - Darwinian environment
    - Good applications excel
    - Bad applications are forgotten
  - ~10,000 applications on Market
  - Balance of openness and security
    - Not the only way to install apps
    - Not a walled garden
  - Developers self-sign applications
    - For updating
    - Uses Java's keytool and jarsigner
Application Signing
  - Why self-signing?
    - Market ties identity to developer account
    - CAs have had major problems with fidelity in the past
    - No applications are trusted. No "magic key"
  - What does signing determine?
    - Shared UID for shared keys
    - Self-updates
Security Philosophy
  - Finite time and resources
  - Humans have difficulty understanding risk
  - Safer to assume that
    - Most developers do not understand security
    - Most users do not understand security
  - Security philosophy cornerstones
    - Need to prevent security breaches from occurring
    - Need to minimize the impact of a security breach
    - Need to detect vulnerabilities and security breaches
    - Need to react to vulnerabilities and security breaches swiftly
Prevent
  - 5 million new lines of code
  - Uses almost 100 open source libraries
  - Android is open source ⇒ can't rely on obscurity
  - Teamed up with security experts from
    - Google Security Team
    - iSEC Partners
    - n.runs
  - Concentrated on high-risk areas
    - Remote attacks
    - Media codecs
    - New/custom security features
  - Low-effort/high-benefit features
    - ProPolice stack overflow protection
    - Heap protection in dlmalloc
dlmalloc
  - Heap consolidation attack
  - Allocation metadata is stored in band, next to user data
  - A heap overflow can perform 2 arbitrary pointer overwrites
  - To fix, check before unlinking a free chunk b:
    - b->fd->bk == b
    - b->bk->fd == b
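The check on this slide, worked through in code. This is an added example written for this page, not code from the slides or from dlmalloc itself: a minimal circular free list whose chunks carry their `fd`/`bk` links in band, an `unlink_chunk` that refuses to run when the two equalities fail, and two constructed scenarios (intact metadata, and a chunk whose `fd` was overwritten) to show that the check stops the two pointer stores from ever happening with a forged link. Names such as `links_consistent` and `stray` are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Free-list chunk with in-band metadata, as in dlmalloc: the size word and
 * the two list pointers sit directly in front of the user data, so an
 * overflow from the previous chunk can overwrite fd and bk. */
struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk */
    struct chunk *bk;   /* previous free chunk */
};

/* The consistency check from the slide: both neighbours must point back
 * at b. A link overwritten by an overflow fails at least one equality. */
int links_consistent(const struct chunk *b) {
    return b->fd != NULL && b->bk != NULL &&
           b->fd->bk == b && b->bk->fd == b;
}

/* Unlink b from its circular list. Returns 0 on success and -1, without
 * touching memory, if the check fails. The two stores below are the
 * "2 arbitrary pointer overwrites" of the slide when fd and bk are forged
 * and the check is missing; with the check they are never reached. */
int unlink_chunk(struct chunk *b) {
    if (!links_consistent(b))
        return -1;
    b->fd->bk = b->bk;
    b->bk->fd = b->fd;
    b->fd = b->bk = NULL;
    return 0;
}

/* Minimal circular list helpers around a sentinel head. */
void list_init(struct chunk *head) {
    head->size = 0;
    head->fd = head->bk = head;
}

void list_insert_after(struct chunk *pos, struct chunk *n) {
    n->fd = pos->fd;
    n->bk = pos;
    pos->fd->bk = n;
    pos->fd = n;
}

int list_length(const struct chunk *head) {
    int n = 0;
    for (const struct chunk *c = head->fd; c != head; c = c->fd)
        n++;
    return n;
}

/* Constructed scenario 1: intact metadata. Unlinking a from head<->a<->b
 * succeeds and leaves one chunk on the list. Returns the remaining length. */
int intact_unlink_remaining(void) {
    struct chunk head, a, b;
    list_init(&head);
    list_insert_after(&head, &a);
    list_insert_after(&a, &b);
    if (unlink_chunk(&a) != 0)
        return -1;
    return list_length(&head);
}

/* Constructed scenario 2: b's fd was overwritten (as an overflow from the
 * chunk before it would do) with a pointer to a stray chunk that does not
 * point back. Returns 1 if the unlink is refused and nothing was written. */
int corrupted_unlink_detected(void) {
    struct chunk head, a, b, stray = {0, NULL, NULL};
    list_init(&head);
    list_insert_after(&head, &a);
    list_insert_after(&a, &b);
    b.fd = &stray;                       /* the forged in-band pointer */
    int rc = unlink_chunk(&b);
    return rc == -1 && head.fd == &a && a.fd == &b && stray.bk == NULL;
}

int main(void) {
    printf("intact unlink leaves %d chunk(s)\n", intact_unlink_remaining());
    printf("corrupted unlink detected: %d\n", corrupted_unlink_detected());
    return 0;
}
```

In dlmalloc the failed check aborts the process rather than returning an error; the point is the same: the consolidation step only writes through `fd` and `bk` once the neighbours have vouched for them.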
WebKit Heap Overflow
Minimize
  - We cannot rely on prevention alone
    - Vulnerabilities happen
  - Users will install malware
  - Code will be buggy
  - How can we minimize the impact of a security issue?
  - My webmail cannot access my banking web app
    - Same origin policy
  - Why can malware access my browser? My banking info?
  - Extend the web security model to the OS
Minimize
  - Traditional operating system security
    - Host based
    - User separation
  - Mobile OSes are for single users
  - User separation is like a "same user policy"
  - Running each application in its own UID is like a "same application policy"
    - Privilege separation
  - Make privilege separation relatively transparent to the developer
Application Sandbox
  - Each application runs within its own UID and VM
  - Default privilege separation model
  - Instant security features
    - Resource sharing
      - CPU, memory
    - Data protection
      - FS permissions
    - Authenticated IPC
      - Unix domain sockets
  - Place access controls close to the resource, not in the VM
Application Sandbox
  - Place access controls close to the resource
    - Smaller perimeter ⇒ easier to protect
  - Default Linux applications have too much power
  - Lock down user access for a "default" application
  - Fully locked-down applications limit innovation
  - Relying on users making correct security decisions is tricky
Permissions
  - Whitelist model
    - Allow minimal access by default
    - Allow for user-accepted access to resources
  - Ask users fewer questions
  - Make questions more understandable
  - 194 permissions
    - More ⇒ granularity
    - Less ⇒ understandability
More Privilege Separation
  - Media codecs are very complex ⇒ very insecure
  - Won't find all the issues in media libraries
  - Banish the OpenCore media library to a lesser-privileged process
    - mediaserver
  - Immediately paid off
    - Charlie Miller reported a vulnerability in our MP3 parsing
    - oCERT-2009-002
Detect
  - A lesser-impact security issue is still a security issue
  - Internal detection processes
    - Developer education
    - Code audits
    - Fuzzing
    - Honeypot
  - Everyone wants security ⇒ allow everyone to detect issues
    - Users
    - Developers
    - Security researchers
External Reports
  - Patrick McDaniel, William Enck, Machigar Ongtang
    - Applied formal methods to access SMS and Dialer
  - Charlie Miller, John Hering
    - Outdated WebKit library with PCRE issue
  - XDA Developers
    - Safe mode lock screen bypass
  - Charlie Miller, Collin Mulliner
    - MP3, SMS fuzzing results
  - Panasonic, Chris Palmer
    - Permission regression bugs
  - If you find a security issue, please email [email_address]
User Reporting
A User Report
  - MemoryUp: mobile RAM optimizer
    - faster, more stable, more responsive, less waiting time
    - not quite
React
  - Autoupdaters are the best security tool since Diffie-Hellman
  - Every modern operating system should be responsible for:
    - Automatically updating itself
    - Providing a central update system for third-party applications
  - Android's Over-The-Air update system (OTA)
    - User interaction is optional
    - No additional computer or cable is required
    - Very high update rate
Shared UID Regression
  - Shared UID feature
    - Malware does not hurt computers, malware authors do
    - Two applications signed with the same key ⇒ can share UIDs
    - More interactivity
  - Panasonic reported that shared UID was broken
    - If the user installs malware, the attacker could share UIDs with an existing installed app, like the browser
    - Breaks the Application Sandbox
Update Process
  - 2009-05-14
    - Panasonic reported the issue
    - Patched the issue, wrote regression tests
  - 2009-05-15
    - Kicked off internal audit
    - Built and tested every flavour of Android
    - Coordinated a public response with the reporter, carriers, PR and oCERT
  - 2009-05-21
    - Received critical-mass approval
  - 2009-05-22
    - OTAed users, rolled out patches to factories, SDK, and open source
    - Released advisory (oCERT-2009-006)
Not over yet!
  - 2009-07-06
    - Completed audit and tests
    - Coordinated a public response with carriers, PR and oCERT
  - 2009-07-15
    - Received critical-mass approval
  - 2009-07-16
    - OTAed users, rolled out patches to factories, SDK, and open source
  - 2009-07-16
    - Released advisory (oCERT-2009-011)
Conclusion
  - Security
    - an ongoing process
    - not a checkbox
  - Process
    - Prevent
    - Minimize
    - Detect
    - React
Questions?
  - Find a security issue?
    - Email [email_address]
  - Want to contribute code?
    - Visit http://source.android.com
    - Add me as a code reviewer!
  - Want to write an Android application?
    - Visit http://developer.android.com
  - Want to email us?
    - Email [email_address] or [email_address]
    - We are both hiring
