Droidcon it 2015: Android Lollipop for Enterprise

Android Lollipop
For Enterprise
DroidCon Italy
Torino 2015

Android Lollipop for Enterprise
● Senior Security Researcher - Mobile Security Lab
● Senior Security Analyst - Consulthink S.p.A.
DroidCon IT 2015 - Android Lollipop For Enterprise 2
Who are we
● r.piccirillo@mseclab.com
● @robpicone
● r.gassira@mseclab.com
● @robgas
@droidconit #droidconit

Android Lollipop For Enterprise
Enterprise Mobile Management
3

Enterprise Mobile Trends
Gartner Market Statistics Forecast:
PCs, Ultramobiles and Mobile Phones Worldwide, 2011-2018, 4Q14 Update

● Secure Environment
○ SELinux
● Device Protection
○ Smart Lock
○ "Kill Switch"
● Device Management
○ Device Administration API
○ Device Owner
● Security Container
○ Managed Profile
○ App Restrictions
● Data Encryption
Lollipop for Enteprise

SELinux
6

● Introduced in Android 4.3 to enforce the existing Discretionary
Access Control (DAC) for application sandboxing (UID,GID)
● Provides Mandatory Access Control (MAC) over all processes at kernel
level
● Allows to define fine-grained security policies
● Main security features:
○ Better system service restriction and protection
○ Improved access control to application data and system logs
○ Reduce effects of malicious software
○ User protection from potential flaws in mobile application
SELinux
Security-Enhanced Linux in Android
"This new layer provides additional protection against potential security vulnerabilities
by reducing exposure of system functionality to applications"
Google Report Android Security 2014 Year in Review

SELinux
● Three core elements:
○ Subject: Agent that perform actions on objects (processes or groups of processes
referred as domains)
○ Action: The operation to perform
○ Object: OS-level resources managed by the kernel (file, socket)
● Processes, Sockets and Files have a label or security context:
○ username:role:type:mls_level
■ username is always u
■ role is r for domains, object_r for objects
■ type refers to the domain or to the object logic type
■ mls_level is always s0
Concepts

SELinux
username:role:type:mls_level
○ username is always u
○ role is r for domains, object_r for objects
○ type refers to the domain or to the object logical type
○ mls_level is always s0
Concepts
SUBJECT
OBJECT

Lollipop Enhancements
SELinux
● SELinux mode:
○ Permissive: permission denials are logged but not enforced
○ Enforcing: permission denials are both logged and enforced
Android 4.3
Permissive
Android 4.4
Partial
Enforcing
Android 5.x
Full
Enforcing
... limited set of crucial domains
(installd, netd, vold and zygote)...
...to everything (more than
60 domains)...

Smart Lock
11

Smart Lock
● Disable device lockscreen in "trusted condition"
● Based on Trust Agent:
○ "A service that notifies the system about whether it
believes the environment of the device to be trusted"
○ Requires signatureOrSystem permission
○ Can be disabled by Device Administrator
[KEYGUARD_DISABLE_TRUST_AGENTS]
Trust Agent
http://nelenkov.
blogspot.
it/2014/12/dissecting
-lollipops-smart-
lock.html
lollipop/frameworks/base/core/res/AndroidManifest.xml

Smart Lock
● Trust Agent provided by Google Play Services
● Device Unlocked methods:
○ Trusted bluetooth connected devices
○ Trusted places
○ Trusted face
○ On Body Detection
● Temporary unlock is disabled:
○ After 4 hours of inactivity
○ Device Reboot/Shutdown
Some Details

Android Lollipop for Enterprise
Device Protection
Corso Poste
Sicurezza Android 14

Device Protection
● "You can set up your device to prevent other
people from using it if it's been reset to factory
settings without your permission"
● Introduced in Android 5.1
● Actually works only on Nexus 6 and Nexus 9
● Requires:
○ Screen Lock enabled
○ Default Google account
○ "OEM Unlocking" disabled in Settings ->
Developer Options
● Needs to wait 72 hours after changing
password to reset the device
"Kill Switch" Factory Reset

Device Protection
● PersistentDataBlockService write on the partition defined by ro.frp.pst:
○ The OEM Unlocking setting (bit)
○ Write Block Checksum (SHA-256)
OEM Unlocking
PersistentDataBlockService

Device Administration API
17

● Introduced in Android 2.2 Froyo (API 8)
● Allows to enforce security policy on
device
● Enterprise Oriented
● Vendor Customization
○ Samsung KNOX
○ LG Gate
● Used by Device Admin Application
Intro

● Must be explicitly enabled in
the device security settings
● Cannot be uninstalled if
active
● Could be controlled by a
remote server (agent)
● Several device admin
applications can be enabled
on a device (strictest policy
among all applications is
active)
Device Admin Application

Main Features
API 8 API 9 API 11 API 14 API 17 API 21 API 22
Enforce Password Policy
Watch User Login
Reset Password
Lock and Wipe Device
Set Max Failed Password For Wipe
Set Max Time To Lock Device
Wipe SDCard
Force Device
Encryption
Disable
Camera
Disable
Keyguard
Managed Profile
Global Settings
NFC Provisioning
Wipe Factory
Protection

How It Works...

● Main Admin Application component
DeviceAdminReceiver
Required to ensure that only the system can interact with the receiver
Primary ACTION that the receiver must handle
Policy
Declaration

Policy Declaration

● Callback functions triggered on particular ACTION
DeviceAdminReceiver
Method Action
onEnabled(Context context, Intent intent) ACTION_DEVICE_ADMIN_ENABLED
onDisabled(Context context, Intent intent) ACTION_DEVICE_ADMIN_DISABLED
onDisableRequested(Context context, Intent intent)
ACTION_DEVICE_ADMIN_DISABLE_R
EQUESTED
onPasswordSucceeded(Context context, Intent intent) ACTION_PASSWORD_SUCCEEDED
onPasswordFailed(Context context, Intent intent) ACTION_PASSWORD_FAILED
onPasswordChanged(Context context, Intent intent) ACTION_PASSWORD_CHANGED

● Public Interface for managing policies on device
● Requires Device Administration rights enabled
● Main methods:
○ isAdminActive(ComponentName who)
○ setPasswordQuality(ComponentName admin, int quality)
○ resetPassword(String password, int flags)
○ lockNow()
○ wipeData(int flags)
○ setCameraDisabled(ComponentName admin, boolean disabled)
○ setStorageEncryption(ComponentName admin, boolean encrypt)
DevicePolicyManager

Device Admin Activation
Implicit Intent for
the system Settings

● "Specialized type of device administrator" with
the additional ability to:
○ Add/Remove User
○ Modify Global settings
○ Set Application Restrictions
○ Wipe Factory Protection
● Typically used for company device
● Introduced in Android Lollipop (API 21)
● Only one device owner can be active at a time
● Cannot be disabled or removed
● Requires Device Encryption
● Deployed and activated via NFC
Device Owner

● Via NFC NDEF Record with MIME Type
MIME_TYPE_PROVISIONING_NFC and with properties:
Device Owner Deploy
REQUIRED
CHECKSUM
A String extra holding the SHA-1 checksum of the
file at download location specified in
EXTRA_PROVISIONING_DEVICE_ADMIN_PA
CKAGE_DOWNLOAD_LOCATION. If this
doesn't match the file at the download location an
error will be shown to the user and the user will
be asked to factory reset the device.
cat app-debug.apk | openssl dgst -binary -sha1 | openssl base64 | tr '+/' '-_' | tr -d '='

● Device should not be provisioned
Settings.Global.DEVICE_PROVISIONED = 0
● Encrypted phone required
● "If provisioning fails, the device is factory
reset"
Device Owner Activation

Managed Profile
30

Managed Profile
● New security feature for enterprise “managed profile”
● Available since Android Lollipop (API 21)
● Using managed profile the enterprise could define a controlled domain
on the user's device to run controlled application
● The application inside the new managed profile can be configured with
policy to interact or not with other apps on device
● Samsung KNOX functionality has been integrated into Android
Introduction

Managed Profile
● A Technology platform for:
○ Business protection, and
○ Personal Privacy
● Google and Samsung has
designed the new Enterprise API
around three major concepts:
○ Device and data security
○ Support for IT policies and
restrictions
○ Mobile application management
● It has been introduced into
Android Lollipop
KNOX Framework

Managed Profile
● A device administration component
○ A broadcast receiver that extends “DeviceAdminReceiver”
● AndroidManifest with a receiver:
○ The BIND_DEVICE_ADMIN permission
○ Respond, by intent-filetr, to the ACTION_DEVICE_ADMIN_ENABLED intent
○ A declaration of security policies used in metadata
● An intent to start the managed profile provisioning process:
○ ACTION_PROVISION_MANAGED_PROFILE action
○ An extra with the application package
● Override onProfileProvisioningComplete callback method to verify all is
OK
● Enable the new managed profile
Have to use...

Managed Profile
● BasicDeviceAdminReceiver component
Broadcast Receiver
BroadcastReceiver of our
provisioner application
Callback method will be
called when the system
send
ACTION_DEVICE_ADMI
N_ENABLED. The new
profile is installed but not
yet enabled

Managed Profile
● AndroidManifest.xml declaration
AndroidManifest
To avoid abuse by other
applications
Intercepted when the
Managed Profile has
successfully installed
Policy declaration

Managed Profile
Activation
Intent to start the setup
(Defined in the
DevicePolicyManager.java)
● Start the Managed Profile provisioning
The Application package
name as additional
information
Verify there is an activity that
resolves intent
(ManagedProvisonActivity)
Start activity by intent

● The new Managed profile has to be enabled
Managed Profile
Enable the new profile
Enable the managed
profile
Set name for new
profile

Managed Profile
Managed profile activated
● New Accounts associated to the new
managed profile (Settings->Accounts)
● The admin profile (Work) for the new
Managed Profile (Settings->Security-
>Device administrators)
● The applications into new Managed Profile
are badged

Managed Profile
WorkFlow of Provisioning

Managed Profile
Enable Application
● Add new application into Managed Profile
Add the application by
package name via
DevicePolicyManager
Get info
about app
Get reference at
packageManager and
DevicePolicyManager

Managed Profile
Hide Application
● During the life of Managed Profile the application could be hidden
specyfing the app package name
○ Only if the application is already installed
we can hide
application
true to hide and false to un-hide

Managed Profile
● Enable and disable Intent forwarding between private account and
managed profile
Cross Intent
Enable with and
disable intent
between profiles
Share some
content

Managed Profile
● Define Chrome restrictions
App Restriction
Define
restriction
Enable
restriction

Managed Profile
App restrictions
Configure some
bookmarks
Disable anonymous
navigation
Block www.example.
com
Configure search
engine

Managed Profile
● Application has to define a file restriction and declare it into Manifest file
Define App Restrictions
● Defines the restriction item into app_restriction.xml file
Declare external
resource for
restrictions
restriction
element with key
and type of value

Managed Profile
● Check current application’s restrictions
Check app restrictions
get current
restrictions
get reference to
RestrictionManager
search restriction
by key to take the
appropriate action

Managed Profile
● Set application restriction via DevicePolicyManager
Set app restrictions
Builds a bundle
with value for
restriction
Apply application restriction with
method setApplicationRestrictions

Data Encryption
48

Data Encryption
● Encryption is the process of encoding user data on an Android device
using an encrypted key
● New feature on Android 5.0:
○ Fast encryption (only used blocks are encrypted on data partition)
○ forceencrypt flag to encrypt on first boot (Mandatory encryption at first boot)
○ Support for encryption without password
○ Hardware-backed storage of encryption key using Trusted Execution Environment
● Android introduced Disk encryption in Android version 3.0 and it has
been available in all subsequent versions
● New key derivation function scrypt
Some info

Data Encryption
● Android disk encryption is based on dm-crypt (also
used in Linux)
● Use a randomly 128-bit key with AES in CBC mode
○ CBC requires an inizialization vector IV
○ Android uses the encrypted salt-sector initialization vector
(ESSIV) method with the SHA-256 hash algorithm (ESSIV:
SHA256)
○ SHA256 is used to derive a key s from disk encryption key
K called salt
○ Use the salt as encryption key to encrypt sector number
SN of each sector to produce a per-sector IV
○ IV(SN)=AES-s(SN) where s=SHA256(K)
How works

Data Encryption
● The master key is encrypted with 128-bit AES
● In Android 5.0 release, four encryption states:
○ default,PIN,Password,Pattern
● Upon first boot the device creates a randomly generated
128-bit master key and then hashes it with a default
password and stored salt (default_password)
● The hash is signed through a TEE, that uses hash to
encrypt the master key
● When the user sets the PIN/pass or password on the
device, only the 128-bit key is re-encrypted and stored
How works

Data Encryption
Securing disk encryption key
When user set
PIN/PASSWORD/P
ATTERN another
key K1 is choosen to
encrypt disk
encryption key K

Thanks! DroidCon Italy
Torino 2015www.mseclab.com
www.consulthink.it
research@mseclab.com

Droidcon it 2015: Android Lollipop for Enterprise

More Related Content

What's hot

Viewers also liked

Similar to Droidcon it 2015: Android Lollipop for Enterprise

More from Consulthinkspa

Recently uploaded

Droidcon it 2015: Android Lollipop for Enterprise