Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Faux Disk Encryption - Realities of Secure Storage on Mobile Devices

Faux Disk Encryption - Realities of Secure Storage on Mobile Devices

The number of mobile users has recently surpassed the number of desktop users, emphasizing the importance of mobile device security. In traditional browser-server applications, data tends to be stored on the server side where tight controls can be enforced. In contrast, many mobile applications cache data locally on the device thus exposing it to a number of new attack vectors. Moreover, locally stored data often includes authentication tokens that are, compared to browser applications, typically long-lived. One main concern is the loss or theft of a device which grants an attacker physical access which may be used to bypass security controls in order to gain access to application data. Depending on the application's data, this can result in a loss of privacy (e.g., healthcare data, personal pictures and messages) or loss of intellectual property in the case of sensitive corporate data.

In this talk, we discuss the challenges mobile app developers face in securing data stored on devices including mobility, accessibility, and usability requirements. Given these challenges, we first debunk common misconceptions about full-disk encryption and show why it is not sufficient for most attack scenarios. We then systematically introduce the more sophisticated secure storage techniques that are available for iOS and Android respectively. For each platform, we discuss in-depth which mechanisms are available, how they technically operate, and whether they fulfill the practical security and usability requirements. We conclude the talk with an analysis of what still can go wrong even when current best-practices are followed and what the security and mobile device community can do to address these shortcomings.

At the end of our talk, attendees will understand the significant challenges involved in storing data on an always-on and portable device, how to securely store data for different use cases, and how to uncover secure storage flaws in real-world applications.

00c21d937f1f9c421d26c2c719b8fce0?s=128

Daniel A. Mayer

August 05, 2015
Tweet

Transcript

  1. Faux Disk Encryption Realities of Secure Storage on Mobile Devices

    Daniel A. Mayer @DanlAMayer Drew Suarez @utkan0s August 5, 2015
  2. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Who we are Daniel Mayer Principal Security Consultant with NCC Group Developer of idbtool.com, iOS pentesting tool Drew Suarez Senior Security Consultant with NCC Group CyanogenMod (OSS) Device bringup / Wiki NCC Group UK Headquarters, Worldwide Offices Softare Escrow, Testing, Domain Services 2
  3. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Outline 1. Introduction 2. Secure Storage on iOS 3. Secure Storage on Android 4. Where does this leave us? 3
  4. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Apps Dominate Mobile Traditional All data stored on server Tight controls Mobile Data stored on device Difficult to control 4
  5. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Challenge: Device Mobility Data is being carried around Devices prone to loss/theft [1] 1.4 million phones lost 3.1 million stolen (US, 2013) 5 [2]
  6. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Challenge: Data Accessibility Local Data Data cached and stored on the device Credentials Usernames / passwords Access tokens 6
  7. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Challenge: Usability Known security controls reduce usability 7
  8. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices There is no absolute security 8 Remote Attacker
  9. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices There is no absolute security 8 Coffee Shop Attacker
  10. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices There is no absolute security 8 Casual Thief
  11. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices There is no absolute security 8 Targeted Attacks
  12. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices There is no absolute security 8 Nation States
  13. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices There is no absolute security 8 Capabilities / Sophistication Security Effort
  14. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Mobile Data Security 9
  15. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices A Word on Full-Disk Encryption Encrypts files stored on the file-system Transparently decrypted when read Transparently encrypted when written Protection only when device is turned off In combination with strong passcode! Need more fine-grained control 10
  16. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Secure Data Storage …on iOS 11
  17. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices iOS Boot/App signing Apple Hardware + Apple Software Boot Chain Completely Signed Hardware root of trust (ROM) contains Apple CA iOS Updates Signed by Apple Downgrades not allowed App Signing All code running on iOS must be signed by Apple Jailbreak disables many of these controls 12 [3]
  18. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Bootstrapping Encryption Device Passcode Not stored on device Derive encryption key when entered Wipe key when device is locked Problems Users choose weak passcodes [1] Prone to offline brute-force attacks 13
  19. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Hardware Root of Trust Tie Encryption to a Device Unique encryption key per device Cannot be read by operating system Can “ask” Secure Enclave to decrypt Hardware Controls Enforce brute-force controls Enforce device-wipe 14
  20. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices iOS Encryption Hierarchy 15 File System Key File Meta Data File Key Hardware Key [3]
  21. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices iOS Encryption Hierarchy 15 File System Key Class Keys File Meta Data File Key Passcode Key Hardware Key PBKDF2 [3]
  22. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices iOS Encryption Hierarchy 15 File System Key Class Keys File Meta Data File Key Passcode Key Hardware Key PBKDF2 [3]
  23. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices iOS Encryption Hierarchy 15 Class Keys File Meta Data File Key Passcode Key Hardware Key PBKDF2 [3]
  24. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices iOS Encryption Hierarchy 16 Class Keys Passcode Key Hardware Key [3]
  25. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices iOS Encryption Hierarchy 16 Passcode Key Hardware Key NSFileProtectionComplete NSFileProtectionComplete UntilFirstUserAuthentication NSFileProtectionNone [3]
  26. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices iOS Encryption Hierarchy 16 Passcode Key Hardware Key NSFileProtectionComplete NSFileProtectionComplete UntilFirstUserAuthentication NSFileProtectionNone Passcode Key NSFileProtectionComplete UntilFirstUserAuthentication NSFileProtectionComplete [3]
  27. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices iOS Keychain Structured Data Store Lives in SQLite database Entries individually Encrypted Main Criticism Data not deleted when app is uninstalled! 17
  28. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Keychain 18 File Protection (NSFileProtection) Keychain Class (kSecAttrAccessible) Effect None Always No protection. UntilFirstUserAuthentication AfterFirstUnlock Protected from boot until user unlocks. Complete WhenUnlocked Protected when device is locked. N/A WhenPasscodeSet Only store if passcode is set. [4]
  29. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Usability vs. Security Data Accessibility Some data must be accessible when device is in use 19 AfterFirstUnlock WhenUnlocked Always Backup
  30. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Tackling Usability TouchID Usability feature Controlled by Secure Enclave Encourages users to set passcode Simply protects passcode-based key 20 https://www.youtube.com/watch?v=vI3OvT4b-sA
  31. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Advanced Controls User Presence for Keychain Requires users to enter Passcode (or TouchID) Local Authentication OS-level API Not tied-in with crypto Bypassable when jailbroken [5] Use Keychain User Presence instead 21
  32. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Security Threats Jailbreak Passcode may not protect you from this Access to all non-protected data Malicious Applications Asking for access to personal data Evil maid-style attacks Jailbreak device Backdoor OS / App 22 http://idbtool.com
  33. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Secure Data Storage …on Android 23
  34. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Evolution of Android Security 24 Feature 4.0 4.1 4.2 4.3 4.4 5.x ASLR X X X X X X DEP/PIE X X X X X Restricted logcat X X X X X Restricted adb X X X X Manifest Export Security X X X X Secure Random from OpenSSL X X X X Untrusted Application Malware Scanning X X X X SELinux (Permissive) X X X SELinux (Enforcing) X X KeyStore Hidden Keys* X X X No setuid/getuid, nosuid X X X Text Relocation Protection X X X dm-verity X X TEE signing of KEK X forceencrypt X*
  35. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Adoption of Android Security 25 Mixpanel [6]
  36. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Flash back to iOS Adoption.. 26 Mixpanel [7]
  37. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Impact on Application Devs 27 Developers face different platform versions and security APIs Code complexity and inconsistent behavior Access to more secure functionality is not available for all users Security improvements available via latest version Complicated problem of an OTA update process
  38. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices How Android Encryption Works 28 Disk Sectors AES CBC Mode ESSIV: SHA256 DEK [8,9]
  39. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices How Android Encryption Works 28 Disk Sectors AES CBC Mode ESSIV: SHA256 DEK KEK+IV AES CBC Mode Encrypted DEK Stored on Partition [8,9]
  40. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices How Android Encryption Works 28 PBKDF2 or scrypt Password Key Disk Sectors AES CBC Mode ESSIV: SHA256 DEK KEK+IV AES CBC Mode Encrypted DEK Stored on Partition [8,9]
  41. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Signed Password Key PBKDF2 or scrypt RSA 2048 Signature How Android Encryption Works 28 PBKDF2 or scrypt Password Key Disk Sectors AES CBC Mode ESSIV: SHA256 DEK KEK+IV AES CBC Mode Encrypted DEK Stored on Partition [8,9]
  42. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices How Android Encryption Works This protection only covers the userdata partition Crypto footer Carved out of end of userdata partition (-16kB) Sometimes there is a dedicated partition Master key stored here encrypted by the KEK LUKS-ish but not quite. Footer can only hold one decryption key 29 DEK AES CBC Mode KEK+IV Encrypted DEK Stored on Partition [8,9]
  43. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Android Credential Storage System Credential Store allows for storage of VPN Keys WiFi Asymmetric keys Encrypted by key derived from user's passcode Can be hardware backed Private keys non-extractable, even as root Requires use of device in attack Issues with KeyStore Inconsistent protections available to developers Unclear documentation and erratic behavior causes keys to be wiped (fixed in 5.0) Improving with M 30 [10]
  44. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Google & OEMs Wild inconsistencies among devices Boot loader security Hardware backed crypto storage TEE / TrustZone Boot image type Different OEMs offer different protection schemes eMMC write protection Boot image signature verification Locked, locked but unlockable, permissive by default Difficult problem to solve Challenging for Google to enforce consistent protections on the OEMs Apple has a distinct advantage in controlling the whole stack 31
  45. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Importance of Boot Security 32 A typical vulnerable boot chain of trust boot (kernel) /system /data bootloader Vulnerable! (without signing) Vulnerable! (without dm-verity)
  46. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Download Mode Samsung specific boot loader interface for their Android devices Internally, Samsung uses a tool called ODIN Interacts with the device and flash firmware images Check out heimdall if you want a cross-platform, open source version Overly permissive! Most devices allow direct write access Except for a few US carrier protected models (Boot image signature verification) 33 [11,12]
  47. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices lk (little kernel) Bootloader Issues with lk used on many devices “Fastboot boot command bypasses signature verification (CVE-2014-4325)” [13] “Incomplete signature parsing during boot image authentication leads to signature forgery (CVE-2014-0973)” [14] “Improper partitions bounds checking when flashing sparse images (CVE-2015-0567)” [15] 34
  48. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices laf Bootable partition named laf found on many LG devices Communication via Send_Command binary (Windows) Also available as python script for all platforms Drops into a root shell Flash new images from shell Fixed? Not quite. 35 [16]
  49. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Let’s revisit: “FDE protects data when device is turned off” 36
  50. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Mobile “Evil Maid” Attacks Exploit permissive bootloader Flash custom boot image Backdoor in kernel in image < 2 minutes (including reboots!) Give device back to user Profit! Get encryption key… …or data exfiltration …or shells 37 ROSIE!
  51. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Dev Step 1: Flash Recovery 38 ODIN [17] TWRP [18] For more info on recovery… [19]
  52. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Dev Step 2: Backdoor the Kernel 39
  53. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Dev Step 3: Test Exploit 1. Compile backdoored kernal 2. Create boot image 3. Flash boot image via recovery 4. Reboot and test 40
  54. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices The Attack: Flash and Reboot 41
  55. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices The Attack: Review Possible on a number of OEM devices This is not a new problem Google provides mechanisms to prevent this Similar attack possible in iOS, but requires jailbreak 42
  56. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices A penny for your thoughts…? 43 Secure configurations by default! Responsible bootloader unlock capabilities Clearly documented security guarantees Consistency among OEM partners
  57. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices “Alternatives” to Platform Security 44
  58. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices No Password? No Problem!? What if users may not have set passcodes? Custom App Containers Add passcode to app Derive encryption key Encrypt data Wipe key! Challenges Crypto is hard! [20] Not hardware backed, no brute-force protection 45
  59. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Online Apps No Offline Storage Does data need to be offline? Consider storing server-side Usability Login each time Long-lived token, back to storage problem 46
  60. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Where does this leave us? 47
  61. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Best Practices for Users General Set a (strong) passcode! Use the latest OS available for your hardware iOS Enable (remote) wipe Android Choose your phone wisely Encrypt your device 48
  62. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Best Practices for Developers General Determine if data has to be stored locally Android Relying on platform security is challenging Discussion: supporting old versions of Android iOS Use protection class that requires passcode Warn user when no passcode is set 49
  63. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices The Road Ahead 50
  64. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Usability For Users Beyond Passwords Biometrics For Developers Consistency in platform With sane, documented defaults 51
  65. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Black Hat Sound Bytes 1. Security controls should be balanced with data sensitivity and threat model. 2. Protect data until access is actually needed. 3. Secure storage relies on the entire stack being secured. 52
  66. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices References [1] Consumer Reports. Smart phone thefts rose to 3.1 million last year, Consumer Reports finds, May 2014 [2] http://www.engadget.com/2012/04/09/us-carriers-agree-to-build-stolen-phone-database-and-blacklist/ [3] Apple Inc. iOS Security - iOS 8.3 or later. https://www.apple.com/privacy/docs/iOS_Security_ Guide_Oct_2014.pdf, April 2015 [4] Apple Inc. Keychain Services Reference. https://developer.apple.com/library/ios/documentation/ Security/Reference/keychainservices/index.html, 2015 [5] SuccessID - TouchID override & simulation - https://hexplo.it/successid-touchid-override-simulation/ [6] https://mixpanel.com/trends/#report/android_frag [7] https://mixpanel.com/trends/#report/ios_frag [8] Android Security Internals: An In-Depth Guide to Android's Security Architecture, Elenkov, N., No Starch Press [9[ Android Explorations, Elenkov, N., http://nelenkov.blogspot.com/ [10] Google. Android Keystore Changes. https://developer.android.com/preview/behavior-changes. html#behavior-keystore. [11] http://wiki.cyanogenmod.org/w/Template:Samsung_install [12] http://forum.xda-developers.com/showthread.php?t=810130 [13] https://www.codeaurora.org/projects/security-advisories/fastboot-boot-command-bypasses-signature-verification-cve-2014-4325 [14] https://www.codeaurora.org/projects/security-advisories/incomplete-signature-parsing-during-boot-image-authentication-leads-to-signature-forgery- cve-2014-0973 [15] https://www.codeaurora.org/projects/security-advisories/lk-improper-partition-bounds-checking-when-flashing-sparse-images-cve [16] http://forum.xda-developers.com/android/development/guide-root-method-lg-devices-t3049772 [17] http://forum.xda-developers.com/galaxy-s3/themes-apps/27-08-2013-odin-3-09-odin-1-85-versions-t2189539 [18] https://twrp.me/ [19] https://youtu.be/5W_s--ISqyo - Making Androids Bootable Recovery Work For You, Drew Suarez [20] the matasano crypto challenges, http://cryptopals.com/ 53
  67. Daniel A. Mayer, Drew Suarez - Realities of Secure Storage

    on Mobile Devices Thank you! Questions? 54