History of Android Security – from linux to jelly bean
About Me2000 AT&T Wireless: OODB/CORBA2001Cellvic(JTEL): CellvicOS/JVM2003 Samsung: JVM for DTV/SimpleJIT2007 Aromasoft: JVM for Mobile/JIT Optimization/Dalvik2011 GE korea: Smart appliance/Linux2012 SK플래닛: Android/T-Store ARM/Security – jungpil.@sk.com 또는 email@example.com
• 개인정보가 인터넷으로 빠져나간다• 앱이 허락받지 않은 인터넷을 사용한다• 앱이 허락받지 않은 동작(?)을 한다• 앱이 스스로 루팅을 한다• 앱이 코드를 스스로 변경한다• 앱이 Dalvik VM의 정보를 변경한다• 안드로이드앱이 Dalvik VM이 아닌 다른 VM을 실행시킨다
• 5억대 판매된, 하루에 130만대씩 개통되는 단말?• A Java platform? – 역사상 자바가 표준 개발언어인 첫 번째 디바이스? RIM? NDK?• A forked Linux? – Why linux? • Andy Rubin: was a Apple Employee • 대안이 없어서? – 역사상 가장 많이 팔린 linux device?
• Linux: Open Source – ‘mkdir android ; cd android ; repo init -u git://android.git.kernel.org/platform/manifest.git ; repo sync ; make’• Java: easy to learn, many developers – but an easy language for reverse-enigneering • dex2jar, APKTool, JD-GUI, APKInspector, Smali, Dedexer,,,• 환상의 커플!!!
• Just a linux application – following Google guides
• Linux Process• Dalvik VM• Bionic• JNI• Is that all??? – Missing something… – PackageManager, ActivityManager,,,
• Java?• No more on Android!!!• Dalvik VM is not a security boundary!!! – But Linux Process
• Linux UID/Group ID: – a unique id based on its signature assigned when it starts• Linux DAC: all or nothing – old style – root can do everything – RWX
• Permission – Need to be described on AndroidMeanifest.xml• Binder• Kernel Enforcement – group ID<permission name="android.permission.INTERNET" > •<group gid="inet" /></permission> – Patch • Internet
• You can do everything in your process• You can use Reflection/JNI – To call hidden/private methods – To get/set private fields• But High return, High risk!!! ex) Unity3D: Using Mono VM
Distribution (Se API leve Version Release date ptember 4, 201 l 2)4.1.x Jelly Bean July 9, 2012 16 1.2%4.0.x Ice Cream Sandwich October 19, 2011 14-15 20.9%3.x.x Honeycomb February 22, 2011 11-13 2.1%2.3.x Gingerbread December 6, 2010 9-10 57.5%2.2 Froyo May 20, 2010 8 14%2.0, 2.1 Eclair October 26, 2009 7 3.7%1.6 Donut September 15, 2009 4 0.4%1.5 Cupcake April 30, 2009 3 0.2%
• NX bit(No eXecute): – to prevent code execution on heap and stack(2.3+)• Prelink: Used to speed up boot process – removed to prevent return-to-libc attacks(4.0+)• Address Space Layout Randomization(4.0+) – randomize key locations in memory• PIE (Position Independent Executable) – supports (4.1+)
• FileSystem Encryption – 3.0+ provides full filesystem encryption. 128bit AES key derived from user password• Credential Storage – 1.6+ restricted for only system – 4.0+ provides public API
• ODEX File: optimized dex file dex file Dalvik Virtual odex file Machine Storage (JIT Compiler) (reuse) decompile hijacking• 4.0+ provides a raw dex loading API – Without ODEX!!!
• Applying SELinux in Android by NSA• Linux Security Modules – Standard Linux Security (Hooking) Framework from v2.6 task management (creation, signaling, waiting), program loading (execve), file system management (superblock, inode, and filehooks), IPC (message queues, shared memory, and semaphore operations), module hooks (insertion and removal), and network hooks (covering sockets, netlink, network devices, and other protocol interfaces) security.h
• 2012/1 AOSP master branch added(HAVE_SELINUX) – in external/libselinux and external/sepolicy – in core/java and core/jni • SELinux.java, AndroidRuntime.cpp, android_os_SELinux.cpp• Slow and incremental applying expected – not enforcing mode but permissive mode – Android 5.0?• Need to consider it!
• ARM’s HW solution• Virtualized processors on a ARM chip• Secure World can read Normal World – But Normal World can’t read Secure World• Already on Galaxy S3!!!
• Use Obfuscator• Use Native Code• Keep data on your server• Sorry, Find your own solutions! – 2011 Google I/O Evading Pirates and Stopping Vampires using License Verification Library, In-App Billing, and App Engine – 2012.4 Code Obfuscation for the Amazon In-App
• Even Android has many security problems, it is an open, de-facto platform now• It’s getting better but you need to keep your data/code by your own ways• Its openness and flexibility could give some chances to creative developers• T-Store promises to help you soon!