Ofer Rivlin
Hamakor, Penguin, August, 2015
Confidential
© 2014 SAP AG or an SAP affiliate company. All rights reserved. Confidential
About me & why I love security
Senior Development and Security Architect at SAP Labs Israel
Why I love security?
• Be at the front edge of technology
• Know the internals of the technology – how things really work
• Analyze the logic & behavior of the solution
• Rethink assumptions, think like a hacker
Mobile Apps Threat Model
Mobile App Threat Model Diagram
Mobile Security
Mobile Security Architecture – partial list of security measures
Access Control
Application Sandbox
Securing network connections
Permissions
Protecting data on the device
• Data in runtime, when app in background, etc.
Secure Storage
• Confidential data, SQLite databases
Protecting secrets (Keychain)
App code signing
Interprocess Communication (IPC)
Android Security
Agenda
Android Access Control
Android Application Sandbox
Android rooting
Android is a Linux based OS!
Android Application Sandboxing
Application Sandbox structure – targets
Application Sandbox target
• Limit app’s access to the minimum required
• Jailed environment
Why Sandbox is necessary
• App is compromised (due to a vulnerability in the app or frameworks/libraries it uses)
• App is a Trojan
https://source.android.com/devices/tech/security/#the-application-sandbox
Application Sandbox structure - HOW
Android security model - based on Linux user-based protection
• App runs with its own UID - it is identified as a unique Linux user
• App belongs to permission groups
• System processes run as the ‘system’ user
Android Package (apk)
• Apps are packaged - an archive file that contains all the app’s resources
App data and access
• Saved under the app’s own folder
• Can be accessed only by its owner (the app) or by system
https://source.android.com/devices/tech/security/#the-application-sandbox
Rooting
What is Android rooting?
What is Rooting?
• Gain system-level permissions
What is it good for?
• Perform operations that are inaccessible to a normal user
Like what?
• Full access to files under applications’ sandbox
• Full access to System files
• Etc.
Example
• Deleting apps that are installed by your telephony company
How is Android rooting done?
Exploiting a vulnerability in the Android OS!
What type of vulnerabilities?
Android code vulnerabilities
Android design vulnerabilities
Linux vulnerabilities
Etc.
Example of Linux vulnerabilities exploited on Android
udev Netlink Message Validation Local Privilege Escalation Vulnerability (CVE-2009-1185)
Allows local users on Linux systems (2.6 kernels) to gain root privileges
This exploit was ported to Android and was used in rooting devices
* Udev is the device manager for the Linux 2.6 kernel that creates/removes device nodes in the /dev directory dynamically. It listens to events about device state changes through Netlink.
http://www.securityfocus.com/bid/34536/info
full disclosure exploit: http://seclists.org/fulldisclosure/2009/Apr/att-198/udev.txt
The Rooting industry!
Normal cooperation of security researchers with vendors to fix major security issues
What is different with rooting?
Vulnerabilities and their rooting exploits are not revealed to vendors
The rationale behind the legitimacy of rooting
It is your device - you should have full access to it and its full power
Rooting example
Target and attack surface
Target: get super user rights on a device shell
Attack surface carrier – adb (Android Debug Bridge)
• Daemon
  ◦ Background process that runs on the device
• Client
  ◦ Shell, runs on a connected PC
• Server
  ◦ Manages the communication between the client and the daemon
  ◦ Background process that runs on the connected PC
The adb daemon
The adb daemon (adbd)
• Creates a shell instance on the device and redirects its output to the client
• When it starts, it has multiple tasks to accomplish as root
• Then it lowers its privileges to AID_SHELL (a normal shell user)
The adbd code… Have an idea?
Some code
Perform tasks as root
Drop user to shell
Some more code
executed as shell-user
https://android.googlesource.com/platform/system/core/+/android-1.6_r2/adb/adb.c
adb setuid exhaustion attack (slide 1)
Each UID has an RLIMIT_NPROC – a limit on the number of running processes
The exploit forks off processes on the AID_SHELL UID until fork() fails
Max number of processes for this UID is reached
Restart adbd
When adbd restarts, it runs as root
adb setuid exhaustion attack (slide 2)
adbd drops its privileges to ‘shell user’ using setuid()
setuid() increments the number of shell user processes
shell’s process count is at its max and setuid() fails!
the process remains with its current user
The adbd code doesn’t check for setuid() success
Drop to shell-user fails, the process continues as root!
The vulnerability:
The adbd code doesn’t check for setuid() success
The adbd code vulnerability
The vulnerability
RageAgainstTheCage exploit run
• adb shell client starts as normal user. So far, a normal shell run.
• Execute the exploit binary
• Max number of processes for this user is limited to 3301
• adb PID is 77 – to be killed later
• Exploit done!
• Max number of processes has been reached, and adbd is killed
• Restarting adb starts adbd
• adbd fails to drop from root to user
• adb client connects with adbd that has root access!
RageAgainstTheCage exploit
Released by Sebastian Krahmer
A binary called rageagainstthecage-arm5.bin with no source code
The exploit was reverse-engineered by Google
The vulnerability was fixed
The Android version code after the fix
The version with the fixed code
https://android.googlesource.com/platform/system/core/+/froyo/adb/adb.c
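The unchecked privilege drop described in the setuid exhaustion slides, next to a hardened version, as an added example (not the adbd source and not code from the talk). Credentials are simulated so it runs without root: `cred_ops`, the `sim_*` helpers and both `drop_*` functions are hypothetical names, and the simulation assumes the pre-3.1 Linux behaviour in which setuid() returns EAGAIN when the target UID is at RLIMIT_NPROC.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

#define AID_SHELL 2000u   /* Android's "shell" UID/GID */

/* Credential calls are injected so the drop logic can run against the
 * simulation below; production code would pass setgid, setuid, getuid and
 * getgid (and set supplementary groups with setgroups() first). */
struct cred_ops {
    int   (*set_gid)(gid_t);
    int   (*set_uid)(uid_t);
    uid_t (*get_uid)(void);
    gid_t (*get_gid)(void);
};

/* Constructed simulation: a root process whose target UID may already be at
 * its process limit. On failure the credentials are left unchanged. */
static uid_t sim_uid;
static gid_t sim_gid;
static int   sim_at_limit;

static int sim_setgid(gid_t g) {
    if (sim_uid != 0 && g != sim_gid) { errno = EPERM; return -1; }
    sim_gid = g;
    return 0;
}
static int sim_setuid(uid_t u) {
    if (sim_uid != 0 && u != sim_uid) { errno = EPERM;  return -1; }
    if (u != sim_uid && sim_at_limit) { errno = EAGAIN; return -1; }
    sim_uid = u;
    return 0;
}
static uid_t sim_getuid(void) { return sim_uid; }
static gid_t sim_getgid(void) { return sim_gid; }

static const struct cred_ops sim_ops = {
    sim_setgid, sim_setuid, sim_getuid, sim_getgid
};

static void sim_reset(int at_limit) {
    sim_uid = 0; sim_gid = 0; sim_at_limit = at_limit;
}

/* Pattern the slides describe: return values ignored, execution continues. */
static void drop_unchecked(const struct cred_ops *ops) {
    ops->set_gid(AID_SHELL);
    ops->set_uid(AID_SHELL);
}

/* Hardened drop: group first (not possible once the UID has changed), check
 * every call, then confirm the identity and that root cannot be regained.
 * Returns 0 on success; on -1 the caller must exit, never continue. */
static int drop_checked(const struct cred_ops *ops) {
    if (ops->set_gid(AID_SHELL) != 0) return -1;
    if (ops->set_uid(AID_SHELL) != 0) return -1;
    if (ops->get_uid() != AID_SHELL || ops->get_gid() != AID_SHELL) return -1;
    if (ops->set_uid(0) == 0) return -1;
    return 0;
}

/* UID the simulated daemon keeps running as after the unchecked drop. */
uid_t uid_after_unchecked_drop(int at_limit) {
    sim_reset(at_limit);
    drop_unchecked(&sim_ops);
    return sim_getuid();
}

/* Result of the hardened drop under the same conditions. */
int checked_drop_result(int at_limit) {
    sim_reset(at_limit);
    return drop_checked(&sim_ops);
}

int main(void) {
    printf("unchecked, normal:   uid=%u\n", (unsigned)uid_after_unchecked_drop(0));
    printf("unchecked, at limit: uid=%u\n", (unsigned)uid_after_unchecked_drop(1));
    printf("checked,   normal:   rc=%d\n", checked_drop_result(0));
    printf("checked,   at limit: rc=%d\n", checked_drop_result(1));
    return 0;
}
```

With the limit reached, the unchecked path stays at UID 0, while the checked path reports failure so the daemon can exit instead of serving a shell as root.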
From temporary root to permanent root
We run shell as root. What’s next?
How to get permanent root?
How to enable apps root permissions?
Gaining a permanent root
Usually: install the SU binary and the Superuser app under the system partition
Hackers develop tools that:
• Gain a temporary root by exploiting a vulnerability in Android
• Use the temporary root permissions to install SU & Superuser under System
* More about the SU binary and the Superuser app - next
Summary of Android root exploits
1. Experienced hackers find vulnerabilities
2. Hide the vulnerabilities from the OS developer & device manufacturers
3. Develop exploits and package them in easy to use tools
4. Publish those tools on the internet (in blogs or forums like XDA)
5. Users (and hackers) download those tools & root their (or others’) devices
Rooting solution behavior
shell is requesting superuser access
Rooting of an encrypted and locked device
Background
“Industrial Espionage” Demo, revealing the Lock Pattern
What is Android Recovery
Bootable partition that has the recovery console
Set of tools to:
• help repair (recover) the installation
• install OS updates
Android Update mechanism
To install updates locally through the recovery
Offline – no OTA-updates required
Secured with a signature
* In later devices this mechanism’s security has been strengthened
How to grant root when the screen is locked?
Gain root by exploiting the Android ‘Update’ mechanism
Copied my SU binary to the System partition
How can we grant root with a locked screen?
But how to access the Superuser prompt with a locked screen?
My solution – rewrite SU
I rewrote the SU binary
Re-launch any requesting processes
No check for granted root access
No need for the Superuser app
• even stealthier!
Before the demo – why is my su so dangerous?
Malware requests root access: the user gets a prompt
With my su this malware gets root without the user’s consent!
The Trojan hides its malware as a rootkit
Then it downloads and installs other malware
* https://blog.lookout.com/blog/2011/10/20/security-alert-legacy-makes-a-another-appearance-on-android-market-meet-legacy-native-lena/
Demo – rooting an encrypted and locked device
* Adi Shamir: ‘post-crypto world’
http://m.theregister.co.uk/2013/03/01/post_cryptography_security_shamir/
Thank you
Contact information:
Ofer Rivlin
SAP Labs Israel
ofer.rivlin@sap.com

Android's security architecture
