Android Security

This is a presentation given for a course on Cryptography at the KU Leuven on May 8 with Lars Jacobs.


Android Security

  1. ANDROID SECURITY
     Robin De Croon, Lars Jacobs
     H05D9a Cryptography and Network Security: lecture, prof. dr. ir. Bart Preneel
  2. Content
     • Introduction
     • System and Kernel Level Security
     • User Security Features
     • Android Application Security
     • Recent Security Problems
     • Demo
     May 8, 2013
     (image: http://blog.thoughtpick.com/wp-content/uploads/2011/01/web_design_services.11-18.web_content.jpg)
  3. INTRODUCTION (section divider; repeats the agenda of slide 2)
  4. Introduction
     • All your data is located on your smartphone
       • Passwords
       • Photos
       • (Text) messages
       • Medical records
       • …
     • A smartphone cannot trust anyone
     • Is Android secure?
     • Open source → safer (Hoepman et al.)
  5. Distribution of mobile malware by platform in 2012
  6. Mobile threats motivated by profit, by year
  7. Android Versions
  8. Android Software Stack
  9. SYSTEM AND KERNEL LEVEL SECURITY (section divider)
  10. Apps & Processes
      • Own Linux process + user ID → sandbox!
        • Data is protected from other apps
        • Secure IPC
      • API calls are authorized according to permissions
      • Hardware access is authorized by group membership
      • Java, native, WebKit
  11. Bootloader
      • Bootloader is locked by default
      • Boot process
      • Signature check
  12. Memory management
      • A lot of memory corruption bugs → attacker can control the program
      • Improvements
        • No eXecute (NX) (since Android 2.3)
        • Address Space Layout Randomization (since Android 4.0)
        • Position Independent Executables (since Android 4.1)
        • FORTIFY_SOURCE (since Android 4.2)
  13. Randomization in Android 2.3
  14. Randomization in Android 4.0
  15. Randomization in Android 4.1
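Slide 12 lists NX, ASLR, PIE and FORTIFY_SOURCE as the mitigations that make memory corruption bugs harder to turn into control of the program. Two of them can be verified from a binary's ELF headers: a PIE binary has type ET_DYN (so ASLR can relocate it), and the PT_GNU_STACK program header tells the loader whether the stack may be executable. The checker below is an added example written for this page, not code from the slides or from Android; it is the same check tools such as checksec perform. Assumptions: it handles little-endian ELF64 (AArch64) only, whereas most 2013 Android devices ran 32-bit ARM ELF32 binaries, and the two ELF images it inspects are constructed in-line rather than real Android binaries. ASLR itself is a kernel setting and FORTIFY_SOURCE shows up as `__*_chk` imports in the dynamic symbol table; neither is checked here.

```python
import struct

# ELF constants from the ELF specification (not from the slides).
ET_EXEC, ET_DYN = 2, 3           # fixed-address executable vs. position independent
EM_AARCH64 = 0xB7
PT_GNU_STACK = 0x6474E551        # program header carrying the requested stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def build_elf64(e_type, stack_flags):
    """Constructed test input: a minimal little-endian ELF64 image whose only
    program header is PT_GNU_STACK. It is not a real Android binary."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LE, version 1
    header = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, EM_AARCH64, 1,   # e_type, e_machine, e_version
        0x1000,                  # e_entry (dummy)
        64, 0,                   # e_phoff (right after the header), e_shoff (none)
        0,                       # e_flags
        64, 56, 1,               # e_ehsize, e_phentsize, e_phnum
        0, 0, 0)                 # e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return header + phdr


def check_hardening(data):
    """Return {'pie': bool, 'nx_stack': bool|None} for an ELF64 image.
    nx_stack is None when no PT_GNU_STACK header is present."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this checker only handles little-endian ELF64")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    nx_stack = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)   # NX holds only if the stack is not marked executable
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}


def findings(data):
    """Human-readable list of missing mitigations; empty means PIE + non-executable stack."""
    result = check_hardening(data)
    out = []
    if not result["pie"]:
        out.append("not PIE: loaded at a fixed address, so ASLR cannot move its code and data")
    if result["nx_stack"] is False:
        out.append("executable stack requested: NX does not protect the stack")
    elif result["nx_stack"] is None:
        out.append("no PT_GNU_STACK header: stack permissions fall back to the loader default")
    return out


if __name__ == "__main__":
    samples = {
        "Android 4.1+ style (PIE, NX stack)": build_elf64(ET_DYN, PF_R | PF_W),
        "legacy (fixed address, exec stack)": build_elf64(ET_EXEC, PF_R | PF_W | PF_X),
    }
    for label, image in samples.items():
        print(label, check_hardening(image), findings(image))
```

On a real device the same logic applies to files pulled from /system/bin or extracted from an APK's lib/ directory, with the ELF32 variant of the header layout added for 32-bit ARM.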
  16. Rooting
      • No root access by default
      • Possible through the ‘su’ binary
      • Bootloader unsafe
      • Root apps can do ANYTHING
      • Latest versions of Android
      (image: http://1.bp.blogspot.com/-_DBO12vjaWM/Tu-bRCULR-I/AAAAAAAAA74/fZc-hszZarE/s1600/thumbs-up.jpg)
  17. USER SECURITY FEATURES (section divider)
  18. Device protection
      • Screen lock
        • Face unlock, pattern, PIN, passcode, …
      • File encryption
        • AES-128 in CBC mode with ESSIV:SHA256
        • Master key encrypted with 128-bit AES via the OpenSSL library
  19. Passwords are hashed
      • Salt saved on the device
        • /data/data/com.android.providers.settings.databases
        • /data/system/locksettings.db
      • ‘Easily’ brute forced with salt
      • Keys are stored in software!
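Slide 19's point is that salting alone does not stop an attacker who already holds the database: the salt only defeats precomputed tables, and a fast hash still lets every guess be verified in microseconds. The Python below is an added example written for this page, not code from the slides or from Android. `android4_style_hash` follows my recollection of the Android 4.x lock-screen construction (SHA-1 and MD5 of password+salt, concatenated as upper-case hex, with the salt being the hex form of a 64-bit value from locksettings.db); treat those details as an assumption. The salt values are constructed. `stretched_hash` is the defender-side alternative, a deliberately slow KDF, and the two helper functions turn the measured per-guess cost into the time needed to exhaust a PIN or password space.

```python
import hashlib
import time


def android4_style_hash(password: str, salt: int) -> str:
    """Salted but unstretched digest. Assumption: Android 4.x stored
    SHA-1(pw+salt) || MD5(pw+salt) as upper-case hex, with the salt written
    as the hex string of a 64-bit value (as Java's Long.toHexString would)."""
    salted = (password + format(salt & 0xFFFFFFFFFFFFFFFF, "x")).encode()
    return hashlib.sha1(salted).hexdigest().upper() + hashlib.md5(salted).hexdigest().upper()


def stretched_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """What a defender wants instead: PBKDF2-HMAC-SHA256, so that each guess
    costs real CPU time and the iteration count can be raised over the years."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def seconds_per_guess(fn, *args, rounds: int = 200) -> float:
    """Wall-clock cost of verifying one guess with fn on this machine
    (single core, pure CPython/OpenSSL, no GPU)."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(*args)
    return (time.perf_counter() - start) / rounds


def exhaustive_search_seconds(secs_per_guess: float, alphabet_size: int, length: int) -> float:
    """Time to try every candidate of the given length at that per-guess cost.
    An attacker would parallelise, so this is a lower bound on effort, not a promise."""
    return secs_per_guess * alphabet_size ** length


if __name__ == "__main__":
    SALT_INT = 0x1234ABCD5678EF90          # constructed, not a real device value
    SALT_BYTES = b"constructed-16B!"       # constructed
    fast = seconds_per_guess(android4_style_hash, "1234", SALT_INT)
    slow = seconds_per_guess(stretched_hash, "1234", SALT_BYTES, 100_000, rounds=5)
    for label, cost in (("SHA-1+MD5, salted", fast), ("PBKDF2 100k iter", slow)):
        pin_space = exhaustive_search_seconds(cost, 10, 4)          # 4-digit PIN
        alpha_space = exhaustive_search_seconds(cost, 26, 6) / 3600  # 6 lowercase letters
        print(f"{label:>18}: {cost * 1e6:9.1f} us/guess, "
              f"4-digit PIN space {pin_space:9.2f} s, 6 lowercase letters {alpha_space:9.2f} h")
```

The numbers printed are machine-specific; the relationship between them is the lesson: a salted SHA-1/MD5 pair lets a single core exhaust a 4-digit PIN in well under a second, whereas a KDF with a large iteration count pushes the same search to hours and longer passphrases to years. The slide's last bullet ("keys are stored in software!") is the other half of the problem: without hardware-backed key storage a stronger KDF is the main lever the platform has.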
  20. Android source code
  21. ANDROID APPLICATION SECURITY (section divider)
  22. Android Permissions
      • Accessing protected APIs
        • Location (GPS), camera, Bluetooth, telephony, SMS/MMS, network/data
      • Defined in AndroidManifest.xml
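Because the permissions an app needs are declared statically in AndroidManifest.xml, a reviewer can audit them before installing or publishing the app. The script below is an added example written for this page, not code from the slides or from Android: it parses a constructed manifest with the standard library, lists every `uses-permission`, and flags the ones guarding the APIs slide 22 names (location, camera, Bluetooth, telephony, SMS/MMS, network). The `SENSITIVE` table is my own grouping of those permissions, not Android's protection-level table, and the check on `android:debuggable` goes slightly beyond the slide, since a debuggable release build weakens the per-app sandbox described on slide 10.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
DEBUGGABLE = "{%s}debuggable" % ANDROID_NS

# My grouping of the protected APIs listed on slide 22; not Android's own table.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "location (network)",
    "android.permission.CAMERA": "camera",
    "android.permission.BLUETOOTH": "Bluetooth",
    "android.permission.READ_PHONE_STATE": "telephony",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.SEND_SMS": "SMS/MMS (can send to premium numbers)",
    "android.permission.RECEIVE_SMS": "SMS/MMS",
    "android.permission.READ_SMS": "SMS/MMS",
    "android.permission.INTERNET": "network/data",
}

# Constructed manifest for a fictional flashlight app; not from any real APK.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Flashlight" android:debuggable="true">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Every permission the app asks for, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)]


def audit(manifest_xml):
    """Findings a reviewer would want to see before trusting the app."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in requested_permissions(manifest_xml):
        if perm in SENSITIVE:
            findings.append("requests %s: %s" % (perm, SENSITIVE[perm]))
    app = root.find("application")
    if app is not None and app.get(DEBUGGABLE) == "true":
        findings.append("android:debuggable=true: a debugger can attach to the app's sandboxed process")
    return findings


if __name__ == "__main__":
    pkg = ET.fromstring(SAMPLE_MANIFEST).get("package")
    print("package:", pkg)
    for line in audit(SAMPLE_MANIFEST):
        print(" -", line)
```

In the constructed sample, CAMERA is plausible for a flashlight (the LED is driven through the camera API), INTERNET is common for ads, but SEND_SMS has no legitimate use in such an app; it is exactly the combination behind the premium-SMS abuse the Recent Security Problems section covers, and a manifest review catches it before the user ever sees the permission dialog.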
  23. Play Store security
      • App is self-signed
      • Bouncer
        • Online version
        • Local version (since Android 4.2)
      • App encryption
        • Introduced in Android 4.1
        • Shut down due to bugs
  24. Cryptographic APIs
      • Primitives
        • AES, DSA, RSA, SHA
      • Higher level
        • SSL, HTTPS
      • Virtual Private Network
        • IPsec
  25. RECENT SECURITY PROBLEMS (section divider)
  26. SMS problems
      • Smishing
        • http://www.youtube.com/watch?v=baWeMbGatfs
      • SMS to premium services
        • F-Secure Mobile Threat Report Q4 2012
        • Kaspersky Security Bulletin 2012
  27. Exynos Exploit
      • Exynos 4210 and 4412 processors
        • Sprint Galaxy S II, Galaxy S II, Galaxy S3, Galaxy Note, Galaxy Note 2, Galaxy Tab 2, Galaxy Note 10.1, Galaxy Camera
        • Kernel: /dev/exynos-mem R/W by all users → access to all physical memory
      • ExynosAbuse.apk
  28. DEMO (section divider)
  29. References (I)
      • F-Secure, Mobile Threat Report Q4 2012, http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q4%202012.pdf
      • Google, “Android Platform Versions”, http://developer.android.com/about/dashboards/index.html#Platform
      • Google, “Android Security Overview”, http://source.android.com/tech/security/#android-application-security
      • S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgärtner, and B. Freisleben, “Why Eve and Mallory love Android”, in Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS ’12), New York, NY, USA, p. 50, ACM Press, 2012.
  30. References (II)
      • J.-H. Hoepman and B. Jacobs, “Increased security through open source”, Communications of the ACM, vol. 50, pp. 79–83, Jan. 2007.
      • Matthias Lange, “State of the Union: Android security overview – Is Android the new XP?”, http://de.droidcon.com/2013/sessnio/state-union-android-security-overview-android-new-xp
      • Xuxian Jiang, “Smishing Vulnerability in Multiple Android Platforms”, http://www.cs.ncsu.edu/faculty/jiang/smishing.html
      • A. Shabtai, “Google Android: A Comprehensive Security Assessment”, IEEE Security & Privacy, vol. 8, pp. 35–44, March–April 2010.
  31. References (III)
      • A. Barresi and P. Somogyvari, “Android Security – An Introduction”, www.youtube.com/watch?v=OOFzu2J3EBY
      • Kaspersky Security Bulletin 2012, https://www.securelist.com/en/analysis/204792255/Kaspersky_Security_Bulletin_2012_The_overall_statistics_for_2012
  32. (image: http://2.bp.blogspot.com/-gZjNR3XVULs/T_ZOVgE-5lI/AAAAAAAAAg8/6YVmd5Q064o/s1600/questions11.jpg)
