This document provides a brief overview of Android security. It discusses how Android uses a combination of mandatory application sandboxing, secure inter-process communication, application signing, and permission models to isolate applications and protect the operating system and user data. It also describes some key aspects of the Android security architecture including protections built into the Linux kernel, techniques for preventing and minimizing the impact of security breaches, and mechanisms for automatically updating applications. Finally, it discusses some common Android security threats and how projects like TaintDroid aim to track and prevent privacy leaks on Android devices.
6. Mobile Devices
• Mobile computers:
– Mainly smartphones, tablets
– Sensors: GPS, camera,
accelerometer, etc.
– Computation: powerful
CPUs (≥ 1 GHz, multi-core)
– Communication: cellular/4G,
Wi-Fi, near field
communication (NFC), etc.
• Many connect to cellular networks: billing system
7. Mobile Threats and Attacks
• Mobile devices make attractive targets:
– People store much personal info on them: email, calendars,
contacts, pictures, etc.
– Sensitive organizational info too…
– Can fit in pockets, easily lost/stolen
– Built-in billing system: SMS/MMS (mobile operator), in-app
purchases (credit card), etc.
• Many new devices have near field communications
(NFC), used for contactless payments, etc.
• Your device becomes your credit card
• Much Android malware, much less for iOS
• NFC-based billing system vulnerabilities
8. Android: DroidDream Malware
• Infected 58 apps on Android
Market, March 2011
• 260,000 downloads in 4 days
• How it worked:
– Rooted phone via Android
Debug Bridge (adb) vulnerability
– Sent premium-rate SMS
messages at night ($$$)
• Google removed apps 4 days
after release, banned 3
developers from Market
• More malware found since
9. Android: Fake Angry Birds Space
• Bot, Trojan
• Masquerades as game
• Roots Android 2.3 devices
using “Gingerbreak” exploit
• Device joins botnet
10. Security Philosophy
• Finite time and resources
• Humans have difficulty understanding risk
• Safer to assume that
– Most developers do not understand security
– Most users do not understand security
• Security philosophy cornerstones need to...
– prevent security breaches from occurring
– minimize the impact of a security breach
– detect vulnerabilities and security breaches
– react to vulnerabilities and security breaches swiftly
11. Prevent
• 5 million new lines of code
• Uses almost 100 open source libraries
• Android is open source ⇒ can't rely on obscurity
• Concentrated on high risk areas
– Remote attacks
– Media codecs
– New/custom security features
• Low-effort/high-benefit features
– ProPolice stack overflow protection
– Heap protection in dlmalloc
12. Minimize
• We cannot rely on prevention alone
– Vulnerabilities happen
• Users will install malware
• Code will be buggy
• How can we minimize the impact of a security issue?
• My webmail cannot access my banking web app
– Same origin policy
• Why can malware access my browser? my banking
info?
• Extend the web security model to the OS
13. Detect
• A lesser-impact security issue is still a security issue
• Internal detection processes
– Developer education
– Code audits
– Fuzzing
– Honeypot
• Everyone wants security ⇒ allow everyone to detect
issues
– Users
– Developers
– Security Researchers
14. React
• Autoupdaters are the best security tool since
Diffie-Hellman
• Every modern operating system should be responsible
for:
– Automatically updating itself
– Providing a central update system for third-party
applications
• Android's Over-The-Air update system (OTA)
– User interaction is optional
– No additional computer or cable is required
– Very high update rate
16. Android Platform Security Architecture
• Android re-purposes traditional operating system
security controls to
– Protect data
– Protect system resources (including network)
– Provide Application isolation
• Mandatory application sandbox
• Secure interprocess communication
• Application signing
• Application-defined and user-granted permissions
17. Linux Security
• Linux is used in millions of security-sensitive
environments.
– constantly being researched, attacked, and fixed by
thousands of developers,
– Linux has become trusted by many
• A user-ID-based permissions model
• Process isolation
• Extensible mechanism for secure IPC
• The ability to remove unnecessary and potentially
insecure parts of the kernel
18. Android Security Basics
• Applications, by default, have no permissions
• Permissions list: Manifest.permission
• Applications statically declare the permissions they
require
– Android system prompts the user for consent at the time the
application is installed
– no mechanism for granting permissions dynamically (at
run-time)
– in AndroidManifest.xml, add one or more <uses-permission>
tags
<uses-permission android:name=
"android.permission.RECEIVE_SMS" />
19. Security Enforcement
• Android protects applications at the system level and at the
Inter-component communication (ICC) level. This
article focuses on ICC-level enforcement.
• Each application runs as a unique user identity, which
lets Android limit the potential damage of programming
flaws.
20. Security Enforcement
• Core idea: assignment of labels to applications and
components
• A reference monitor provides mandatory access
control (MAC) enforcement of how applications access
components.
• Access to each component is restricted by assigning it
an access permission label; applications are assigned
collections of permission labels.
21. Android Security Extra
• Hardware-based No eXecute (NX) to prevent code
execution on the stack and heap
• ProPolice canaries to prevent stack buffer overruns
• safe-iop safe integer op lib for C
• Extensions to dlmalloc to prevent double free()
vulnerabilities and to prevent heap exploits
• OpenBSD calloc to prevent integer overflows during
memory allocation
• Linux mmap_min_addr to mitigate null pointer
dereference privilege escalation
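The integer-overflow check behind the "OpenBSD calloc" bullet, as an added example (not code from the slides or from Android's source). It shows how an unchecked `nmemb * size` wraps to a tiny allocation and how a checked allocator refuses it; `checked_calloc`, `naive_request` and the hostile element count are names and values constructed for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* sqrt(SIZE_MAX + 1): if both factors are below this, the product cannot
 * overflow, so the division in the slow path is skipped in the common case. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

/* Returns 1 when nmemb * size does not fit in size_t. */
int mul_overflows(size_t nmemb, size_t size) {
    return (nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
           nmemb > 0 && SIZE_MAX / nmemb < size;
}

/* What a naive malloc(nmemb * size) would actually ask the allocator for.
 * Unsigned arithmetic wraps silently, so the result can be far too small. */
size_t naive_request(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* Hypothetical wrapper illustrating the hardened behaviour: refuse the
 * request instead of returning a buffer smaller than the caller expects. */
void *checked_calloc(size_t nmemb, size_t size) {
    if (mul_overflows(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    size_t total = nmemb * size;
    void *p = malloc(total ? total : 1);
    if (p != NULL)
        memset(p, 0, total);
    return p;
}

/* A legitimate request still succeeds and comes back zero-filled. */
int demo_benign(void) {
    unsigned char *p = checked_calloc(1000, 16);
    if (p == NULL)
        return 0;
    int zeroed = (p[0] == 0 && p[15999] == 0);
    free(p);
    return zeroed;
}

int main(void) {
    /* Constructed input: an element count as it might arrive in an
     * untrusted file header, chosen so that count * 16 wraps around. */
    size_t hostile = SIZE_MAX / 16 + 2;

    printf("naive request : %zu bytes\n", naive_request(hostile, 16));
    printf("checked_calloc: %s\n",
           checked_calloc(hostile, 16) ? "allocated" : "refused");
    printf("benign 1000x16: %s\n", demo_benign() ? "ok" : "failed");
    return 0;
}
```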
22. dlmalloc
(written by Doug Lea)
• Heap consolidation attack
• Allocation meta-data is stored in-band
• Heap overflow can perform 2
arbitrary pointer overwrites
• To fix, check:
– b->fd->bk == b
– b->bk->fd == b
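The two checks listed above, shown on a simplified free list as an added example (not dlmalloc's or Android's actual code). The `struct chunk` layout, the function names and the corrupted links are constructed for illustration; the point is that the hardened unlink refuses to write through links that no longer point back at the chunk.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified free-chunk header. As in dlmalloc, the list links are stored
 * in-band, inside the heap memory itself, so an overflow can rewrite them. */
struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk */
    struct chunk *bk;   /* previous free chunk */
};

/* Classic unlink: two pointer writes whose targets come from b->fd, b->bk. */
static void unlink_unchecked(struct chunk *b) {
    b->fd->bk = b->bk;
    b->bk->fd = b->fd;
}

/* Hardened unlink: verify both neighbours still point back at b before
 * writing anything. Returns 0 on success, -1 if the list is corrupted. */
static int unlink_checked(struct chunk *b) {
    if (b->fd == NULL || b->bk == NULL)
        return -1;
    if (b->fd->bk != b || b->bk->fd != b)
        return -1;
    unlink_unchecked(b);
    return 0;
}

/* Link n chunks into a circular doubly-linked list. */
static void link_ring(struct chunk *v[], size_t n) {
    for (size_t i = 0; i < n; i++) {
        v[i]->fd = v[(i + 1) % n];
        v[i]->bk = v[(i + n - 1) % n];
    }
}

/* Intact list: the checked unlink succeeds and the neighbours are joined. */
int demo_normal(void) {
    struct chunk head = {0}, a = {32}, b = {48}, c = {64};
    struct chunk *ring[] = { &head, &a, &b, &c };
    link_ring(ring, 4);
    if (unlink_checked(&b) != 0)
        return 0;
    return a.fd == &c && c.bk == &a;
}

/* Corrupted list: b's links were redirected at memory outside the list.
 * Returns how many bystander pointers were overwritten (0 or 2). */
int demo_corrupted(int use_check) {
    struct chunk head = {0}, a = {32}, b = {48};
    struct chunk x = {0}, y = {0};   /* bystander memory, not in the list */
    struct chunk *ring[] = { &head, &a, &b };
    link_ring(ring, 3);

    /* Constructed corruption standing in for a heap overflow that
     * rewrote the in-band links of free chunk b. */
    b.fd = &x;
    b.bk = &y;

    if (use_check)
        (void)unlink_checked(&b);    /* rejected: x.bk != &b */
    else
        unlink_unchecked(&b);        /* writes x.bk and y.fd */

    return (x.bk != NULL) + (y.fd != NULL);
}

int main(void) {
    printf("intact list, checked unlink ok : %d\n", demo_normal());
    printf("corrupted, unchecked overwrites: %d\n", demo_corrupted(0));
    printf("corrupted, checked overwrites  : %d\n", demo_corrupted(1));
    return 0;
}
```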
23. System Files
• The system partition
– Android's kernel as well as the OS libraries,
application runtime, application framework, and
applications.
– set to read-only
• When a user boots the device into Safe Mode
– only core Android applications are available.
– free of third-party software.
24. OS Protected APIs
• Cost-Sensitive APIs
– Telephony
– SMS/MMS
– Network/Data connections
– In-App Billing
– NFC Access
• Sensitive Data Input Devices
– Location data (GPS)
– Camera functions
– microphone
• Bluetooth functions
• Personal Information
25. IPC
• Standard IPC
– file system, local sockets, or signals.
– Linux permissions still apply.
• new IPC mechanisms:
• Binder: RPC mechanism for in-process and
cross-process calls. Via a custom Linux driver.
• Services: interfaces directly accessible using binder.
• Intents: A message object that represents an
"intention" to do something.
• ContentProviders: A data storehouse
26. Application Signing
• Why self signing?
– Market ties identity to developer account
– CAs have had major problems with fidelity in the past
– No applications are trusted. No "magic key"
• What does signing determine?
– Shared UID for shared keys
– Self-updates
27. Application Signing
• All .apk files must be signed with a certificate
– identifies the author of the application.
– does not need to be signed by a certificate authority
• allows the system to grant or deny applications
– access to signature-level permissions
– request to be given the same Linux identity as another
application.
• If the public key matches the key used to sign any
other APK, the new APK may request to share a UID
with the other APK.
28. Device Administration
• Since Android 3.0
• Remote wipe
• Require strong password
• Full device encryption
• Disable camera
29. Permissions
• Whitelist model
– Allow minimal access by default
– User accepted access
• Ask users fewer questions
• Make questions more understandable
• 194 permissions
• PERMISSION_GRANTED or PERMISSION_DENIED
– Context.checkCallingPermission()
• Arbitrarily fine-grained permissions
– Context.checkPermission(String, pid, uid)
30. Android Sandbox
• The sandbox is based on separation of
– Processes
– file permissions
– Authenticated IPC
• Each application
– is a different “user”; its own UID
– runs in its own Linux process
– its own Dalvik VM
• Sandboxes native code and sys applications
31. Android Sandbox
• Place access controls close to the resource, not in the
VM
– Smaller perimeter ⇒ easier to protect
• Default Linux applications have too much power
• Lock down user access for a "default" application
• Fully locked down applications limit innovation
• Relying on users making correct security decisions is
tricky
32. File-system Encryption
• full file system encryption
• Android 3.0 and later
• AES128
• Password + random salt
34. Rooting of Android Devices
• root
– uid == 0 as in Linux
– has full access to all applications and all application data
– System
– the kernel and a few core applications
• Boot Loaders
– embedded system boot techniques
– “Locked”: Check a signature of the OS files being booted, or
installed.
35. SIM Card Access
• Low level access to the SIM card is not available to
third-party apps.
• The OS handles all communications with the SIM card
including access to personal information (contacts) on
the SIM card memory.
• Applications also cannot access AT commands, as
these are managed exclusively by the Radio Interface
Layer (RIL). The RIL provides no high level APIs for
these commands.
36. GSM Vulnerabilities
• GSM
– Largest Mobile network in the world
– 3.8 billion phones on network
• David Hulton and Steve Muller developed method to
quickly crack GSM encryption
– Can crack encryption in under 30 seconds
– Allows for undetectable eavesdropping
• Similar exploits available for CDMA phones
37. SMS Vulnerabilities
• Short Messaging System
– Very commonly used protocol
– Used to send "Text Messages"
• GSM uses 2 signal bands, 1 for "control", the other for
"data".
– SMS operates entirely on the "control" band.
• High volume text messaging can disable the "control"
band, which also disables voice calls.
• Can render entire city 911 services unresponsive.
38. MMS Vulnerabilities
• Unsecure data protocol for GSM
• Extends SMS, allows for WAP connectivity
• Exploit of MMS can drain battery 22x faster
• Multiple UDP requests are sent concurrently, draining
the battery as it responds to the requests
• Does not expose data
• Does make phone useless
39. Case Study: Android SMS worm
• Worm spreads to all contacts via social engineering,
sideloading, etc.
• Logger stored/forwarded all received SMS messages
• Only needed SEND_SMS, RECEIVE_SMS,
READ_SMS permissions
• Can send 100 SMS messages/hour
• One group put SMS logger on Google Play
40. Bluetooth Vulnerabilities
• Short range wireless communication protocol
• Used in many personal electronic devices
• Requires no authentication
• An attacker, if close enough, could take over a Bluetooth
device.
• The attacker would have access to all data on the
Bluetooth-enabled device
• Practice known as bluesnarfing
41. Case Study: Google Wallet
• Google Wallet enables smartphone payments
– Uses NFC technology
• Credit card info stored securely in secure element
– Separate chip, SD card, SIM card
– Unfortunately, other data are not stored as securely
42. Case Study: Google Wallet
• Some information can be recovered from databases
on phone:
– Name on credit card
– Expiration date
– Recent transactions
• Google Analytics tracking can reveal customer
behavior from non-SSL HTTP GET requests
• NFC alone does not guarantee security
– Radio eavesdropping, data modification possible
– Relay attacks, spoofing possible with libnfc
43. Sophisticated NFC Attack in Android
• Charlie Miller’s Black Hat 2012 presentation: Android
phones can be hijacked via NFC
– NFC/Android Beam on by default on Android 2.3+, Android
4.0+
– Place phone 3–4 cm away from NFC tag, other
NFC-enabled phone
– Attacker-controlled phone sends data to tag/device, can
crash NFC daemon, Android OS
– For Android 4.0–4.0.1, can remotely open device browser to
attacker-controlled webpage
44. Information Misuse by Apps
• Phone identifiers: phone number, IMEI (device
identifier), IMSI (subscriber identifier), and ICC-ID
(SIM card serial number).
• Phone identifiers are frequently leaked through
plaintext requests.
• Phone identifiers are used as device fingerprints.
• Phone identifiers, specifically the IMEI, are used to
track individual users.
• Not all phone identifier use leads to exfiltration.
• Phone identifiers are sent to advertisement and
analytics servers.
46. Information Leaking in Mobile Device
• Types of mobile device information sources:
– Internal to device (e.g., GPS location, IMEI, etc.)
– External sources (e.g., CNN, Chase Bank, etc.)
• Third-party mobile apps can leak info to external
sources
– Send out device ID (IMEI/EID), contacts, location, etc.
– Apps ask permissions to access such info; users can ignore!
– Apps can intercept info sent to a source, send to different
destination!
• Motives:
– Monitor employees’ activity using accelerometers
– Ads, market research (user location, behavior, etc.)
47. Information Flow Tracking (IFT)
• IFT tracks each information flow among internal,
external sources
– Each flow is tagged, e.g., “untrusted”
– Tag propagated as information flows among internal,
external sources
– Sound alarm if data sent to third party
• Challenges
– Reasonable runtime, space overhead
– Many information sources
48. TaintDroid
• IFT system on Android 2.1
• System firmware (not app)
• Modifies Android’s Dalvik VM, tracks info flows across
methods, classes, files
• Tracks the following info:
– Sensors: GPS, camera, accelerometer, microphone
– Internal info: contacts, phone #, IMEI, IMSI, Google acct
– External info: network, SMS
• Notifies user of info leakage
TaintDroid
• TaintDroid is a system-wide integration of taint
tracking into the Android platform
‣ Variable tracking throughout Dalvik VM environment
‣ Patches state after native method invocation
‣ Extends tracking between applications and to storage
[Figure: TaintDroid architecture. Labels: Application Code, Msg, Virtual Machine, Native System Libraries, Network Interface, Secondary Storage; message-level, variable-level, method-level and file-level tracking.]
49. TaintDroid
• Use a 32-bit tag structure
• Set bit indicates an information flow (or sensor in use)
• Tested 30 popular Android apps (Internet permission)
• 37/105 flagged network connections were legitimate
• 15/30 apps leaked data to ad/market research firms
(admob.com, flurry.com, etc.); not obvious to user

Bit #    TaintDroid tracks
31–16    Unused
15       History sent out
14       Google account sent out
13       Device serial # sent out
12       ICCID (SIM card ID) sent out
11       IMSI (subscriber ID) sent out
10       IMEI (device ID) sent out
9        SMS sent out
8        Accelerometer in use
7        Camera in use
6        “Last” location sent out
5        Data sent out over network
4        GPS location sent out
3        Phone # sent out
2        Microphone in use
1        Contacts sent out
0        Location sent out

Application Study
• Selected 30 applications with bias on popularity and
access to Internet, location, microphone, and camera

Applications | # | Permissions
The Weather Channel, Cetos, Solitaire, Movies, Babble, Manga Browser | 6 |
Bump, Wertago, Antivirus, ABC --- Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Datelefonbuch, Astrid, BBC News Live Stream, Ringtones | 14 |
Layer, Knocking, Coupons, Trapster, Spongebot Slide, ProBasketBall | 6 |
MySpace, Barcode Scanner, ixMAT | 3 |
Evernote | 1 |
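The tag table above, worked as an added example (not code from TaintDroid or from the slides): a 32-bit tag travels with each value, combining values ORs their tags, and a network sink decodes the set bits. The `Tainted` class, `network_sink`, the short label names and the sample values are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Bit positions follow the slide's tag table; bits 16-31 are unused.
TAINT_BITS = {
    0: "location", 1: "contacts", 2: "microphone", 3: "phone number",
    4: "GPS location", 5: "network data", 6: "last location", 7: "camera",
    8: "accelerometer", 9: "SMS", 10: "IMEI", 11: "IMSI", 12: "ICCID",
    13: "device serial", 14: "Google account", 15: "history",
}
TAG = {name: 1 << bit for bit, name in TAINT_BITS.items()}


@dataclass(frozen=True)
class Tainted:
    """A string plus its 32-bit taint tag (0 means untainted). Hypothetical type."""
    value: str
    tag: int = 0

    def __add__(self, other):
        # Propagation rule: the result carries the union of both operands' tags.
        other = other if isinstance(other, Tainted) else Tainted(str(other))
        return Tainted(self.value + other.value, (self.tag | other.tag) & 0xFFFFFFFF)

    def __radd__(self, other):
        # Untainted left operand (a plain str) concatenated with a tainted value.
        return Tainted(str(other)) + self


def decode_tag(tag):
    """Return the labels of all set bits, lowest bit first."""
    return [TAINT_BITS.get(b, f"unused bit {b}") for b in range(32) if (tag >> b) & 1]


def network_sink(payload, host):
    """Taint sink: report what would leave the device instead of sending it."""
    leaked = decode_tag(payload.tag)
    return {"host": host, "tag": payload.tag, "leaked": leaked, "alert": bool(leaked)}


def demo():
    imei = Tainted("000000000000000", TAG["IMEI"])        # constructed sample value
    gps = Tainted("0.0000,0.0000", TAG["GPS location"])   # constructed sample value
    url = "http://ads.example/track?id=" + imei + "&loc=" + gps
    return network_sink(url, "ads.example")
```

The alert fires on the concatenated URL even though neither source value reaches the sink on its own, which is what propagating the tag with the data buys over checking permissions alone.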
50. Realtime Protection
• Apps developed to monitor other applications
– Lookout Security & Antivirus
– Also monitors for privacy leaks
• Have the ability to monitor inter-process
communication
• Monitor for malicious activity
51. Pre-installation Detection
• Kirin security tool
• Analyze security configuration from the package
manifest before app installation
• Every application has a security configuration which
tells the OS what inter-process communication (IPC)
is going to be used
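A pre-installation check of the kind described here, applied to the permission set from the SMS worm case study (slide 39), as an added example that is not Kirin's code: it reads the requested permissions from a decoded manifest and refuses installation when a dangerous combination is present. The rule names, the rule set and the sample manifests are constructed for the illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Illustrative rules (an assumption, not Kirin's own rule set): an app is
# refused when it requests every permission in any one combination.
RULES = {
    "sms-logger": {P + "SEND_SMS", P + "RECEIVE_SMS", P + "READ_SMS"},
    "boot-time-location-tracker": {
        P + "ACCESS_FINE_LOCATION", P + "INTERNET", P + "RECEIVE_BOOT_COMPLETED"},
}


def sample_manifest(package, *perms):
    """Build a constructed manifest in decoded text XML (APKs ship it in binary form)."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{uses}<application/></manifest>')


def check_manifest(manifest_xml, rules=RULES):
    """Return an install decision based only on the requested permissions."""
    root = ET.fromstring(manifest_xml)
    if root.tag != "manifest":
        raise ValueError("not an Android manifest")
    perms = {n.get(ANDROID_NS + "name", "").strip()
             for n in root.iter("uses-permission")} - {""}
    # A rule matches only when the whole combination is requested together.
    violations = sorted(name for name, combo in rules.items() if combo <= perms)
    return {"package": root.get("package"), "allow": not violations,
            "violations": violations, "permissions": sorted(perms)}


# Constructed samples: one requests the worm's three SMS permissions, one does not.
SMS_LOGGER = sample_manifest("com.example.wallpaper",
                             "SEND_SMS", "RECEIVE_SMS", "READ_SMS", "INTERNET")
SMS_CLIENT = sample_manifest("com.example.messenger", "SEND_SMS", "INTERNET")
```

`check_manifest(SMS_LOGGER)` is refused under the `sms-logger` rule, while `check_manifest(SMS_CLIENT)` is allowed because a single SMS permission does not complete any combination.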