Ofer Rivlin
Hamakor, Penguin, August 2015
Confidential
© 2014 SAP AG or an SAP affiliate company. All rights reserved.
About me & why I love security
Senior Development and Security Architect at SAP Labs Israel
Why I love security?
- Being at the leading edge of technology
- Knowing the internals of the technology – how things really work
- Analyzing the logic and behavior of a solution
- Rethinking assumptions, thinking like a hacker
Mobile apps threat model
Mobile App Threat Model Diagram
Mobile Security
Mobile Security Architecture – partial list of security measures
Access Control
Application Sandbox
Securing network connections
Permissions
Protecting data on the device
- Data at runtime, data while the app is in the background, etc.
Secure Storage
- Confidential data, SQLite databases
Protecting secrets (Keychain)
App code signing
Interprocess Communication (IPC)
Android Security
Agenda
Android Access Control
Android Application Sandbox
Android rooting
Android is a Linux-based OS!
Android Application Sandboxing
Application Sandbox structure – targets
Application Sandbox target
- Limit the app's access to the minimum it requires
- A jailed environment
Why the sandbox is necessary
- The app is compromised (due to a vulnerability in the app or in the frameworks/libraries it uses)
- The app is a Trojan
https://source.android.com/devices/tech/security/#the-application-sandbox
Application Sandbox structure – how
Android security model – based on Linux user-based protection
- Each app runs with its own UID, i.e. it is identified as a unique Linux user
- An app belongs to permission groups
- System processes run as the 'system' user
Android Package (apk)
- Apps are packaged as an archive file that contains all of the app's resources
App data and access
- Saved under the app's own folder
- Can be accessed only by its owner (the app) or by the system
https://source.android.com/devices/tech/security/#the-application-sandbox
Rooting
What is Android rooting?
What is rooting?
- Gaining system-level permissions
What is it good for?
- Performing operations that are inaccessible to a normal user
Like what?
- Full access to files under the applications' sandboxes
- Full access to system files
- Etc.
Example
- Deleting apps that were pre-installed by your mobile carrier
How is Android rooting done?
Exploiting a vulnerability in the Android OS!
What type of vulnerabilities?
Android code vulnerabilities
Android design vulnerabilities
Linux vulnerabilities
Etc.
Example of a Linux vulnerability exploited on Android
udev Netlink Message Validation Local Privilege Escalation Vulnerability (CVE-2009-1185)
Allows local users on Linux systems (2.6 kernels) to gain root privileges
This exploit was ported to Android and was used for rooting devices
* udev is the device manager for the Linux 2.6 kernel; it creates and removes device nodes in the /dev directory dynamically, and it listens for device state-change events over Netlink
http://www.securityfocus.com/bid/34536/info
Full Disclosure exploit: http://seclists.org/fulldisclosure/2009/Apr/att-198/udev.txt
The rooting industry!
Normally, security researchers cooperate with vendors to fix major security issues
What is different with rooting?
Vulnerabilities and their rooting exploits are not revealed to vendors
The rationale behind the legitimacy of rooting
It is your device – you should have full access to it and to its full power
Rooting example
Target and attack surface
Target: get superuser rights in a shell on the device
Attack surface carrier – adb (Android Debug Bridge)
- Daemon
  - background process that runs on the device
- Client
  - shell, runs on a connected PC
- Server
  - manages the communication between the client and the daemon
  - background process that runs on the connected PC
The adb daemon
The adb daemon (adbd)
- creates a shell instance on the device and redirects its output to the client
- when it starts, it has multiple tasks to accomplish as root
- then it lowers its privileges to AID_SHELL (a normal shell user)
The adbd code… Have an idea?
Some code
Perform tasks as root
Drop user to shell
Some more code, executed as the shell user
https://android.googlesource.com/platform/system/core/+/android-1.6_r2/adb/adb.c
adb setuid exhaustion attack (slide 1)
Each UID has an RLIMIT_NPROC – a limit on its number of running processes
The exploit forks off processes under the AID_SHELL UID until fork() fails
The max number of processes for this UID has been reached
Restart adbd
When adbd restarts, it runs as root
adb setuid exhaustion attack (slide 2)
adbd drops its privileges to the 'shell' user using setuid()
setuid() increments the shell user's process count
The shell user's process count is already at its maximum, so setuid() fails!
The process remains with its current user
The adbd code doesn't check whether setuid() succeeded
The drop to the shell user fails, and the process continues as root!
The vulnerability:
The adbd code doesn't check whether setuid() succeeded
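The two slides above describe one defect: a privilege drop whose result is never checked, so that when the kernel refuses setuid() (because the target UID is already at its RLIMIT_NPROC) the daemon silently keeps running as root. The following is an added example, not code from the original deck or from AOSP's adb.c, that puts the unchecked pattern next to a hardened one. Everything in it is this example's own: the function names drop_privileges_unchecked and drop_privileges_checked, the priv_setuid/priv_setgid indirection, and the setuid_nproc_exhausted test double that stands in for the kernel returning EAGAIN, so the effect can be shown without forking anything or needing root. Under the real syscalls the demo drops to the caller's own uid/gid, which succeeds for any user.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Indirection so the demo (and a test) can substitute a failing setuid(),
   modelling the process-limit exhaustion on the slides. Real adbd targets
   AID_SHELL (2000 in AOSP); here we target our own identity so the code can
   run unprivileged. Names are this example's own, not adbd's. */
int (*priv_setuid)(uid_t) = setuid;
int (*priv_setgid)(gid_t) = setgid;

/* Test double: the kernel refuses the identity change because the target UID
   already has RLIMIT_NPROC processes. It never touches the real identity. */
int setuid_nproc_exhausted(uid_t uid) {
    (void)uid;
    errno = EAGAIN;
    return -1;
}

/* The pattern the slides describe: return values are ignored, so a failed
   setuid() leaves the process running as root while the caller believes the
   drop happened. Returns 0 unconditionally to mirror that blindness. */
int drop_privileges_unchecked(uid_t uid, gid_t gid) {
    priv_setgid(gid);
    priv_setuid(uid);
    return 0; /* caller has no way of knowing the drop failed */
}

/* Hardened version: check every call, then verify the kernel really switched
   the real and effective IDs before any "as shell user" code runs. */
int drop_privileges_checked(uid_t uid, gid_t gid) {
    if (priv_setgid(gid) != 0) {
        return -1; /* errno from setgid() */
    }
    if (priv_setuid(uid) != 0) {
        return -1; /* errno from setuid(), e.g. EAGAIN when the UID is at its limit */
    }
    if (getuid() != uid || geteuid() != uid) {
        errno = EPERM; /* a "successful" call that left us privileged is still a failure */
        return -1;
    }
    return 0;
}

int main(void) {
    uid_t me = getuid();
    gid_t my_group = getgid();
    int rc;

    /* 1. Simulated exhaustion: setuid() now fails with EAGAIN. */
    priv_setuid = setuid_nproc_exhausted;
    rc = drop_privileges_unchecked(me, my_group);
    printf("unchecked drop returned %d: caller carries on with euid %u\n",
           rc, (unsigned)geteuid());
    rc = drop_privileges_checked(me, my_group);
    printf("checked drop returned %d (%s): caller must abort, not serve clients\n",
           rc, strerror(errno));

    /* 2. Real syscalls, dropping to our own identity (succeeds for any user). */
    priv_setuid = setuid;
    rc = drop_privileges_checked(me, my_group);
    printf("checked drop with the real setuid() returned %d\n", rc);
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The point a reviewer would make on the daemon's code is the one the slides make: a privilege drop is a security boundary, so its failure must be fatal (exit, or at least refuse to serve) rather than ignored, and re-reading getuid()/geteuid() afterwards catches cases where a wrapper reported success without actually switching identity.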
The adbd code vulnerability
The vulnerability
RageAgainstTheCage exploit run
- The adb shell client starts as a normal user. So far, a normal shell run.
- Execute the exploit binary
- The max number of processes for this user is limited to 3301
- adb PID is 77 – to be killed later
- Exploit done!
- The max number of processes has been reached, and adbd is killed
- Restarting adb starts adbd
- adbd fails to drop from root to the shell user
- The adb client connects to an adbd that has root access!
RageAgainstTheCage exploit
Released by Sebastian Krahmer
A binary called rageagainstthecage-arm5.bin, with no source code
The exploit was reverse-engineered by Google
The vulnerability was fixed
The Android version code after the fix
The version with the fixed code
https://android.googlesource.com/platform/system/core/+/froyo/adb/adb.c
From temporary root to permanent root
We run a shell as root. What's next?
How do we get permanent root?
How do we enable root permissions for apps?
Gaining permanent root
Usually: install the SU binary and the Superuser app under the system partition
Hackers develop tools that:
- Gain temporary root by exploiting a vulnerability in Android
- Use the temporary root permissions to install SU and Superuser under System
* More about the SU binary and the Superuser app – next
Summary of Android root exploits
1. Experienced hackers find vulnerabilities
2. They hide the vulnerabilities from the OS developer and the device manufacturers
3. They develop exploits and package them in easy-to-use tools
4. They publish those tools on the internet (in blogs or forums like XDA)
5. Users (and hackers) download those tools and root their (or others') devices
Rooting solution behavior
shell is requesting superuser access
Rooting of an encrypted and locked device
Background
“Industrial Espionage” Demo, revealing the Lock Pattern
What is Android Recovery?
A bootable partition that holds the recovery console
A set of tools to
- help repair (recover) the installation
- install OS updates
Android update mechanism
Installs updates locally through recovery
Offline – no OTA updates required
Secured with a signature
* In later devices the security of this mechanism has been strengthened
How to grant root when the screen is locked?
Gain root by exploiting the Android 'Update' mechanism
Copied my SU binary to the System partition
How can we grant root with a locked screen?
But how to access the Superuser prompt with a locked screen?
My solution – rewrite SU
I rewrote the SU binary
Re-launch any requesting process
No check for granted root access
No need for the Superuser app
- even stealthier!
Before the demo – why is my su so dangerous?
Malware requests root access: the user gets a prompt
With my su this malware gets root without the user’s consent!
The Trojan hides its malware as a rootkit
Then it downloads and installs other malware
* https://blog.lookout.com/blog/2011/10/20/security-alert-legacy-makes-a-another-appearance-on-android-market-meet-legacy-native-lena/
Demo – rooting an encrypted and locked device
* Adi Shamir: 'post-crypto world'
http://m.theregister.co.uk/2013/03/01/post_cryptography_security_shamir/
Thank you
Contact information:
Ofer Rivlin
SAP Labs Israel
ofer.rivlin@sap.com
Securing your Kubernetes cluster_ a step-by-step guide to success !
KatiaHIMEUR1
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
James Anderson
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...Building RAG with self-deployed Milvus vector database and Snowpark Container...
Building RAG with self-deployed Milvus vector database and Snowpark Container...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website20 Comprehensive Checklist of Designing and Developing a Website
20 Comprehensive Checklist of Designing and Developing a Website
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !Securing your Kubernetes cluster_ a step-by-step guide to success !
Securing your Kubernetes cluster_ a step-by-step guide to success !
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 

Android's security architecture

  • 1. Ofer Rivlin. Hamakor, Penguin, August 2015.
  • 2. © 2014 SAP AG or an SAP affiliate company. All rights reserved.
    About me & why I love security
    Senior Development and Security Architect at SAP Labs Israel
    Why I love security?
      - Be at the front edge of technology
      - Know the internals of the technology: how things really work
      - Analyze the logic & behavior of the solution
      - Rethink assumptions, think like a hacker
  • 4. Mobile App Threat Model Diagram
  • 6. Mobile Security Architecture – partial list of security measures
    Access Control
    Application Sandbox
    Securing network connections
    Permissions
    Protecting data on the device
      - Data in runtime, when the app is in the background, etc.
    Secure Storage
      - Confidential data, SQLite databases
    Protecting secrets (Keychain)
    App code signing
    Interprocess Communication (IPC)
  • 8. Agenda
    Android Access Control
    Android Application Sandbox
    Android rooting
  • 9. Android is a Linux based OS!
  • 11. Application Sandbox structure – targets
    Application Sandbox target
      - Limit the app's access to the minimum required
      - Jailed environment
    Why the sandbox is necessary
      - The app is compromised (due to a vulnerability in the app or in the frameworks/libraries it uses)
      - The app is a Trojan
    https://source.android.com/devices/tech/security/#the-application-sandbox
  • 12. Application Sandbox structure – HOW
    Android security model: based on Linux user-based protection
      - Each app runs with its own UID, i.e. it is identified as a unique Linux user
      - The app belongs to permission groups (Linux GIDs)
      - System processes run as the 'system' user
    Android Package (apk)
      - Apps are packaged as an archive file that contains all the app's resources
    App data and access
      - Saved under the app's own data folder
      - Can be accessed only by its owner (the app) or by system
    https://source.android.com/devices/tech/security/#the-application-sandbox
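The access rule the sandbox slide describes, as an added C example (not code from the talk and not Android's own): a minimal model of the kernel's discretionary access check, applied to a per-app data directory owned by one app UID. App UIDs start at AID_APP (10000) in Android's android_filesystem_config.h; the two app UIDs and the 0700 directory mode are constructed sample values, and all function names are this example's own. It shows why a second app's UID is refused, why the owning app is not, and why a process running as UID 0 (the goal of the rooting slides that follow) bypasses the check entirely.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Constructed sample UIDs: Android app UIDs start at AID_APP (10000). */
#define APP_A_UID 10050u
#define APP_B_UID 10051u
#define ROOT_UID  0u

/* Requested permission bits, same encoding as the mode's rwx triples. */
#define WANT_READ  4
#define WANT_WRITE 2
#define WANT_EXEC  1

/* Minimal model of the kernel's DAC decision for one inode:
 * UID 0 bypasses (CAP_DAC_OVERRIDE); otherwise pick the owner, group
 * or other triple and require every requested bit to be present. */
bool dac_allows(mode_t mode, uid_t owner, gid_t group,
                uid_t uid, const gid_t *gids, size_t ngids, int want)
{
    if (uid == ROOT_UID)
        return true;

    int bits;
    if (uid == owner) {
        bits = (int)((mode >> 6) & 7);
    } else {
        bool in_group = false;
        for (size_t i = 0; i < ngids; i++) {
            if (gids[i] == group) { in_group = true; break; }
        }
        bits = in_group ? (int)((mode >> 3) & 7) : (int)(mode & 7);
    }
    return (bits & want) == want;
}

/* The per-app data directory as the package installer creates it:
 * owned by the app's own UID/GID. Mode 0700 is assumed for this example. */
struct app_dir { uid_t owner; gid_t group; mode_t mode; };
static const struct app_dir app_a_data = { APP_A_UID, APP_A_UID, 0700 };

/* Can a process with this UID and one supplementary GID enter and
 * read app A's data directory? */
bool can_read_app_a_data(uid_t uid, gid_t gid)
{
    gid_t gids[1] = { gid };
    return dac_allows(app_a_data.mode, app_a_data.owner, app_a_data.group,
                      uid, gids, 1, WANT_READ | WANT_EXEC);
}

/* Same decision for a real path on this machine, taken from stat(2). */
bool can_access_path(const char *path, uid_t uid, gid_t gid, int want)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return false;
    gid_t gids[1] = { gid };
    return dac_allows(st.st_mode & 0777, st.st_uid, st.st_gid, uid, gids, 1, want);
}

int main(void)
{
    printf("app A reads its own data dir: %s\n",
           can_read_app_a_data(APP_A_UID, APP_A_UID) ? "allowed" : "denied");
    printf("app B reads app A's data dir: %s\n",
           can_read_app_a_data(APP_B_UID, APP_B_UID) ? "allowed" : "denied");
    printf("root reads app A's data dir:  %s\n",
           can_read_app_a_data(ROOT_UID, ROOT_UID) ? "allowed" : "denied");
    return 0;
}
```

The per-UID isolation the slide relies on is nothing more than this check applied by the kernel on every open(); that is also why the rest of the talk is about reaching UID 0, which the check never constrains.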
  • 14. What is Android rooting?
    What is rooting?
      - Gaining system-level (root) permissions
    What is it good for?
      - Performing operations that are inaccessible to a normal user
    Like what?
      - Full access to files under the applications' sandboxes
      - Full access to system files
      - Etc.
    Example
      - Deleting apps pre-installed by your carrier
  • 15. How is Android rooting done?
    By exploiting a vulnerability in the Android OS!
    What type of vulnerabilities?
      - Android code vulnerabilities
      - Android design vulnerabilities
      - Linux (kernel and userland) vulnerabilities
      - Etc.
  • 16. Example of a Linux vulnerability exploited on Android
    udev Netlink Message Validation Local Privilege Escalation Vulnerability (CVE-2009-1185)
      - udev did not verify that the Netlink device events it received came from the kernel, so a local user on a Linux system (2.6 kernels) could feed it crafted events and gain root privileges
      - This exploit was ported to Android and was used in rooting devices
    * udev is the device manager for the Linux 2.6 kernel; it creates/removes device nodes in the /dev directory dynamically and listens for device state-change events over Netlink
    http://www.securityfocus.com/bid/34536/info
    Full-disclosure exploit: http://seclists.org/fulldisclosure/2009/Apr/att-198/udev.txt
  • 17. The rooting industry!
    Normally, security researchers cooperate with the vendors to fix major security issues
    What is different with rooting?
      - Vulnerabilities and their rooting exploits are not revealed to vendors
    The rationale behind the legitimacy of rooting
      - It is your device: you should have full access to it and its full power
  • 19. Target and attack surface
    Target: get superuser rights in a shell on the device
    Attack surface carrier: adb (Android Debug Bridge)
      - Daemon (adbd): background process that runs on the device
      - Client: the shell, runs on a connected PC
      - Server: manages the communication between the client and the daemon; background process that runs on the connected PC
  • 20. The adb daemon
    The adb daemon (adbd)
      - Creates a shell instance on the device and redirects its output to the client
      - When it starts, it has multiple tasks to accomplish as root
      - Then it lowers its privileges to AID_SHELL (the normal shell user)
  • 21. The adbd code... Have an idea?
    (code listing: some code; perform tasks as root; drop user to shell; some more code executed as the shell user)
    https://android.googlesource.com/platform/system/core/+/android-1.6_r2/adb/adb.c
  • 22. adb setuid exhaustion attack (slide 1)
    Every UID is subject to RLIMIT_NPROC, the limit on the number of processes it may run
    The exploit forks off processes under the AID_SHELL UID until fork() fails
      - The maximum number of processes for this UID has been reached
    Restart adbd
      - When adbd restarts, it starts as root
  • 23. adb setuid exhaustion attack (slide 2)
    adbd drops its privileges to the shell user using setuid()
      - setuid() would add one more process to the shell user's count
      - The shell user's process count is already at its maximum, so setuid() fails (EAGAIN)
      - The process remains with its current user
    The adbd code doesn't check whether setuid() succeeded
      - The drop to the shell user fails and the process continues as root!
    The vulnerability: the adbd code doesn't check for setuid() success
  • 24. The adbd code vulnerability
    (code listing: the unchecked setuid() call)
  • 25. RageAgainstTheCage exploit run
      - The adb shell client starts as a normal user. So far, a normal shell run.
      - Execute the exploit binary
      - The maximum number of processes for this user is limited to 3301
      - adb PID is 77: to be killed later
      - Exploit done!
      - The maximum number of processes has been reached, and adbd is killed
      - Restarting adb starts adbd
      - adbd fails to drop from root to the shell user
      - The adb client connects to an adbd that has root access!
  • 32. RageAgainstTheCage exploit
    Released by Sebastian Krahmer
    A binary called rageagainstthecage-arm5.bin with no source code
    The exploit was reverse-engineered by Google
    The vulnerability was fixed
  • 33. The Android version code after the fix
    The version with the fixed code:
    https://android.googlesource.com/platform/system/core/+/froyo/adb/adb.c
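The attack sequence of slides 22 to 33, modelled in C as an added example (not code from the talk and not AOSP's adbd): a stand-in for setuid(2) that refuses with EAGAIN once the target UID already has RLIMIT_NPROC processes (the kernel rule the exploit relies on), the exhaustion step, the vulnerable drop-privileges shape beside a fail-closed one, and a helper that reads the real limit on the host. AID_SHELL is 2000 in Android's android_filesystem_config.h; 3301 is the limit shown in the slides' exploit run; the struct and function names are constructed for this example, and the model runs unprivileged because it never calls the real setuid().

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* AID_SHELL is 2000 in Android's android_filesystem_config.h. */
#define AID_SHELL 2000u

/* Tiny model of the kernel state the exploit manipulates. */
struct fake_kernel {
    uid_t euid;         /* effective UID of the "adbd" process */
    int   shell_procs;  /* processes currently owned by AID_SHELL */
    int   shell_nproc;  /* RLIMIT_NPROC for AID_SHELL (3301 in the slides) */
};

/* Simulated setuid(2): changing to a UID that is already at its process
 * limit fails with EAGAIN, exactly as the real call does. */
int fake_setuid(struct fake_kernel *k, uid_t uid)
{
    if (uid == k->euid)
        return 0;                           /* no UID change, nothing to count */
    if (uid == AID_SHELL && k->shell_procs >= k->shell_nproc) {
        errno = EAGAIN;                     /* would exceed RLIMIT_NPROC for uid 2000 */
        return -1;
    }
    if (uid == AID_SHELL)
        k->shell_procs++;                   /* this process now counts against shell */
    k->euid = uid;
    return 0;
}

/* Step 1 (slide 22): the exploit, running as AID_SHELL, forks until fork()
 * fails. Each iteration is one successful fork(); the loop ends where the
 * next fork() would fail with EAGAIN, leaving the UID pinned at its limit. */
void exhaust_shell_uid(struct fake_kernel *k)
{
    while (k->shell_procs < k->shell_nproc)
        k->shell_procs++;
}

/* Step 2, vulnerable adbd (slides 21-24): respawned as root by init, does
 * its root work, calls setuid() and carries on regardless of the result.
 * Returns the UID the daemon ends up serving clients as. */
uid_t adbd_start_unchecked(struct fake_kernel *k)
{
    k->euid = 0;
    fake_setuid(k, AID_SHELL);              /* return value ignored: the bug */
    return k->euid;
}

/* Step 2, fixed adbd (slide 33): fail closed. 0 = running as shell,
 * -1 = must exit rather than serve clients as root. */
int adbd_start_checked(struct fake_kernel *k)
{
    k->euid = 0;
    if (fake_setuid(k, AID_SHELL) != 0)
        return -1;                          /* exit(1) in the real daemon */
    return 0;
}

/* Whole sequence against the vulnerable daemon: which UID does adbd keep? */
uid_t vulnerable_adbd_euid(int shell_exhausted)
{
    struct fake_kernel k = { .euid = AID_SHELL, .shell_procs = 1, .shell_nproc = 3301 };
    if (shell_exhausted)
        exhaust_shell_uid(&k);
    return adbd_start_unchecked(&k);
}

/* Whole sequence against the fixed daemon: does it run, or refuse? */
int fixed_adbd_status(int shell_exhausted)
{
    struct fake_kernel k = { .euid = AID_SHELL, .shell_procs = 1, .shell_nproc = 3301 };
    if (shell_exhausted)
        exhaust_shell_uid(&k);
    return adbd_start_checked(&k);
}

/* The real limit on this host (RLIMIT_NPROC is counted per real UID). */
long current_nproc_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NPROC, &rl) != 0)
        return -1;
    return rl.rlim_cur == RLIM_INFINITY ? -1 : (long)rl.rlim_cur;
}

int main(void)
{
    printf("normal start, unchecked adbd euid: %u\n", (unsigned)vulnerable_adbd_euid(0));
    printf("after exhaustion, unchecked adbd euid: %u\n", (unsigned)vulnerable_adbd_euid(1));
    printf("after exhaustion, checked adbd status: %d\n", fixed_adbd_status(1));
    printf("this host's RLIMIT_NPROC: %ld\n", current_nproc_limit());
    return 0;
}
```

The general lesson is the one the fixed adb.c applies: a privilege drop is a security decision, so its return value must be checked and the process must exit on failure, because setuid() can legitimately fail for reasons the caller does not control.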
  • 35. From temporary root to permanent root
    We run a shell as root. What's next?
      - How to get permanent root?
      - How to enable root permissions for apps?
    Gaining permanent root
      - Usually: install the su binary and the Superuser app on the system partition
    Hackers develop tools that:
      - Gain temporary root by exploiting a vulnerability in Android
      - Use the temporary root permissions to install su & Superuser under /system
    * More about the su binary and the Superuser app: next
  • 36. Summary of Android root exploits
    1. Experienced hackers find vulnerabilities
    2. Hide the vulnerabilities from the OS developer & device manufacturers
    3. Develop exploits and package them in easy-to-use tools
    4. Publish those tools on the internet (in blogs or forums like XDA)
    5. Users (and hackers) download those tools & root their (or others') devices
  • 38. shell is requesting superuser access (Superuser app prompt)
  • 39. Rooting of an encrypted and locked device
  • 41. "Industrial Espionage" demo, revealing the lock pattern
  • 42. What is Android Recovery
    A bootable partition that holds the recovery console
    A set of tools to help repair (recover) the installation and install OS updates
  • 43. Android update mechanism
    Installs updates locally through the recovery
      - Offline: no OTA updates required
      - Secured with a signature
    * In later devices this mechanism's security has been strengthened
  • 44. How to grant root when the screen is locked?
    Gain root by exploiting the Android 'Update' mechanism
    Copied my su binary to the system partition
  • 45. How can we grant root with a locked screen?
    But how to access the Superuser prompt with a locked screen?
  • 46. My solution: rewrite su
    I rewrote the su binary
      - Re-launch any requesting process
      - No check for granted root access
      - No need for the Superuser app: even stealthier!
  • 47. Before the demo: why is my su so dangerous?
    Malware requests root access: the user gets a prompt
    With my su this malware gets root without the user's consent!
    The Trojan hides its malware as a rootkit
    Then it downloads and installs other malware
    * https://blog.lookout.com/blog/2011/10/20/security-alert-legacy-makes-a-another-appearance-on-android-market-meet-legacy-native-lena/
  • 48. Demo: rooting an encrypted and locked device
    * Adi Shamir: 'post-crypto world' http://m.theregister.co.uk/2013/03/01/post_cryptography_security_shamir/
  • 49. Thank you
    Contact information: Ofer Rivlin, SAP Labs Israel, ofer.rivlin@sap.com