4. Introduction
• All data located on your smartphone
• Passwords
• Photos
• (Text) messages
• Medical records
• …
• Smartphone cannot trust anyone
• Android secure?
• Open Source Safer (Hoepman et al.)
May 8, 2013 4
10. Apps & Processes
• Own Linux Process + user ID Sandbox!
•Data is protected from other apps
•Secure IPC
• API calls are authorized according to permissions
• Hardware access is authorized by Group Membership
• Java, Native,WebKit
May 8, 2013 10
12. Memory management
• A lot of memory corruption bugs
Attacker can control the program
• Improvements
•No eXecute (NX) (since Android 2.3)
•Address Space Layout Randomization (since Android
4.0)
•Position Independent Executables
(since Android 4.1)
•FORTIFY_SOURCE (since Android 4.2)
May 8, 2013 12
16. Rooting
•Default no root access
•Possible through ‘su’ binary
Bootloader unsafe
Root apps can do ANYTHING
Latest versions of Android
May 8, 2013 16
http://1.bp.blogspot.com/-_DBO12vjaWM/Tu-bRCULR-I/AAAAAAAAA74/fZc-hszZarE/s1600/thumbs-up.jpg
18. Device protection
• Screen lock
•Face unlock, Pattern, PIN, Passcode, …
• File Encryption
• 128AES with CBC and ESSIV:SHA256
• Master key encrypted with 128 bit AES via openssl library
May 8, 2013 18
19. Passwords are hashed
•Salt saved on device
•/data/data/com.android.providers.settings.databases
•/data/system/locksettings.db
•‘Easily’ brute forced with salt
•Keys are stored in software!
May 8, 2013 20
22. Android Permissions
• Accessing protected APIs
•Location (GPS), Camera, Bluetooth,Telephony,
SMS/MMS, Network/data
• Defined in AndroidManifest.xml
May 8, 2013 23
23. Play Store security
• App is self signed
• Bouncer
•Online version
•Local version (since Android 4.2)
• App encryption
•Introduced in Android 4.1
•Shutdown due to bugs
May 8, 2013 24
27. Exynos Exploit
• Exynos 4210 and 4412 processor
•Sprint Galaxy S II, Galaxy S II, Galaxy S3, Galaxy Note, Galaxy
Note 2, GalaxyTab 2, Galaxy Note 10.1, Galaxy Camera
•Kernel: /dev/exynos-mem
R/W by all users access to all physical memory
• ExynosAbuse.apk
May 8, 2013 28
28. DEMO
Introduction
System and Kernel Level Security
User Security Features
Android Application Security
Recent Security Problems
Demo
May 8, 2013 29
29. References (I)
• F-secure MobileThreat Report Q4 2012, http://www.f-
secure.com/static/doc/labs_global/Research/Mobile%20Thre
at%20Report%20Q4%202012.pdf
• Google, “Android PlatformVersions.”,
http://developer.android.com/about/dashboards/index.html
#Platform
• Google, “Android Security Overview”,
http://source.android.com/tech/security/#android-
application-security
• S. Fahl, M. Harbach,T. Muders, M. Smith, L. Baumgärtner,
and B. Freisleben, “Why eve and mallory love android,” in
Proceedings of the 2012 ACM conference on Computer and
communications security - CCS ’12, (NewYork, NewYork,
USA), p. 50, ACM Press, 2012.
May 8, 2013 30
30. References (II)
• J.-H. Hoepman and B. Jacobs, “Increased security through
open source”, Communications of the ACM, vol. 50, pp. 79–
83, Jan. 2007.
• Matthias Lange, “State of the Union: Android security
overview – Is Android the new XP?,
http://de.droidcon.com/2013/sessnio/state-union-android-
security-overview-android-new-xp
• Xuxian Jiang, “SmishingVulnerability in Multiple Android
Platforms”,
http://www.cs.ncsu.edu/faculty/jiang/smishing.html
• A. Shabtai, “Google Android: A Comprehensive Security
Assessment”, Security & Privacy, IEEE, vol. 8, pp. 35-44,
March-April 2010
May 8, 2013 31
31. References (III)
• A. Barresi and P. Somogyvari, “Android Security – An
Introduction”,
www.youtube.com/watch?v=OOFzu2J3EBY
•Kaspersky Security Bulletin 2012,
https://www.securelist.com/en/analysis/204792255/Kas
persky_Security_Bulletin_2012_The_overall_statistics_f
or_2012
May 8, 2013 32