Android Security

Transcript

1. Android Security XKE201707 Qian Jin

2. Agenda • Mobile Security in a Nutshell • Android Security

   Overview • Secure Network communication • Reverse engineering • Obfuscation • Tampering Detection • More Security Tips • Conclusion

3. Mobile Security in a Nutshell

4. A Smartphone contains an MNO (Mobile Network Operator) smartcard with

   a connection to a mobile network. Moreover, it has an operating system that can be extended with third-party software.

5. Specifics of Mobile Devices • Creation of cost: billing event,

   Payment system • Network environment: strong connection, OTA firmware update process, remote device • Limited device resources: RAM, battery • Expensive computation cost: security algorithm

6. Mobile Device Attack Vectors • Hardware-centric attacks • Device-independent attacks

   • Software-centric attacks • User-layer attacks

7. Mobile Device Attack Models • Eavesdropping • Availability attacks •

   Privacy attacks • Impersonation Attacks

8. SMS Vulnerabilities An implementation bug in the SMS parser of

   the Siemens S55: receiving a short message with Chinese characters lead to a Denial of Service (DoS)

9. MMS Vulnerabilities Commwarrior is a Symbian Bluetooth worm that was

   the first to spread via Multimedia Messaging Service (MMS) and Bluetooth. The worm affects only the Nokia Series 60 software platform.

10. Image Credit: https://www.cyber.nj.gov/threat-profiles/mobile-malware/

11. Number of detected malicious installation packages (Q2 2015 - Q1

    2016)

12. Distribution of new mobile malware by type, Q1 2016 vs.

    Q4 2015
13. None

14. Mobile Malware: Infection Methods • Browser-based vulnerabilities • WiFi Man

    In The Middle • Distribution via application markets • Mail attachement • Physical compromise

15. Safari JavaScript pop-up scareware (March 2017)

16. iOS malware XcodeGhost (September 2015)

17. Android Malware “Judy”

18. Android Malware “Ghost Push” • encrypt its APK and shell

    code, • run a malicious DEX file without notification, • add a “guard code” to monitor its own processes, • rename .APK (Android application package) files used to install the malicious apps, • and launch the new activity as the payload.

19. iOS Malware WireLurker

20. HummingBad: A Persistent Mobile Chain Attack (Feb 2016) The first

    attack vector, called Right_core, is a silent operation triggered by one of three common events on the device. • BOOT_COMPLETED – occurs after booting the device. • TIME_TICK – occurs every time a minute passes. • SCREEN_ON – occurs when the screen is turned on. The second attack vector, called qs, is initiated only if the first vector failed to gain root. This attack vector uses social engineering in order to achieve its purspose. The component “qs” is also XOR encrypted and needs to be decrypted by the parent malware. The malware’s authors Yingmob racked up around US $300,000 per month at its peak.

21. HummingBad returns as HummingWhale (Jan 2017)

22. Malware: detection • Signature based detection • Static function call

    analysis • Anomaly detection • Rootkit detection • Software-based attestation: verify the memory contents of embedded devices and establish the absence of malicious changes to the memory contents.

23. Software-based Attestation Figure 1: Generic external memory verification. The verifier

    has a copy of the device’s presumed memory, and sends a request to the embedded device. The device can prove its memory contents by returning the correct response.

24. Software-based Attestation Figure 2: Memory verification attack. The attacker replaces

    the verification code with malicious verification code and copies the old verification code into empty memory.

25. Operation System Protection • Limited privileges and process isolation •

    File permissions • Hardened Kernels ◦ Address Space Layout Randomization ◦ Stack protection ◦ Non-executable writable memory • Sane Default Settings (e.g. bluetooth connectivity) • OTA Updates

26. CopperheadOS ➔ Hardened C standard library and compiler toolchain ➔

    Hardened kernel ➔ Stronger sandboxing and isolation for apps & services ➔ Backported security features and quicker patching ➔ Firewall & network hardening ➔ Open-source and free of proprietary services ➔ Security-centric user experience changes

27. Android Security Overview

28. None

29. System and kernel security • Linux security ◦ A user-based

    permissions model ◦ Process isolation ◦ Extensible mechanism for secure IPC (Inter-Process Communication) ◦ The ability to remove unnecessary and potentially insecure parts of the kernel • Application sandbox: UID, separate process, native code
30. None
31. None

32. System and kernel security • System Partition and Safe Mode

    • Filesystem Permissions • SELinux: Security-Enhanced Linux • Verified boot (Android 6.0+) • Cryptographic APIs ◦ KeyChain Class, from API 14 • Rooting of Devices

33. System and kernel security • Filesystem Encryption ◦ Android 3.0+:

    full filesystem encryption ◦ Android 5.0+: supports full-disk encryption ◦ Android 7.0+: file-based encryption • Password Protection

34. Root with Caution!

35. App Security: Elements of Applications • AndroidManifest.xml: the control file

    that tells the system what to do with all the top-level components • Activities: the code for a single, user-focused task • Services: a body of code that runs in the background, in its own process or in the context of another application. Bind to use • Broadcast Receiver: an object that is instantiated when an IPC mechanism known as an Intent is issued by the operating system or another application

36. App Security: Permission Model Android 6.0+: Requesting Permissions at Run

    Time Accessing Protected APIs: • Camera functions • Location data (GPS) • Bluetooth functions • Telephony functions • SMS/MMS functions • Network/data connections

37. App Security: IPC Inter-Process Communication • Binder • Services •

    Intents • ContentProviders: a data storehouse that provides access to data on the device, e.g. for contact list access.

38. Mediaserver ... Medie Player Linux Kernel /dev/binder Servicemanager System_server ...

    App3 App2 App1 Context Manager Camera Audio Flinger Package Manager Location Manager

39. Application System Server Manager Service Binder IPC Binder.getCallingUid() Binder.getCallingPid() Proxy

    Stub AIDL

40. App Security: CA & Application Signing • Certificate authorities ◦

    Prior to Android 7.0: device manufacturers could modify the set of CAs shipped on their devices ◦ Android 7.0+: uniform set of system CAs, modification by device manufacturers is no longer permitted • Application Signing ◦ Shared UID feature: declare security permissions at the Signature protection level, restricting access only to applications signed with the same key

41. Secure Network communication

42. None
43. None

44. Security with HTTPS and SSL Possible SSH handshake exception while

    verifying server certificates: • Unknown certificate authority • Self-signed server certificate • Missing intermediate certificate authority
45. None

46. Security with HTTPS and SSL OkHttp attempts to balance two

    competing concerns: • Connectivity to as many hosts as possible. That includes advanced hosts that run the latest versions of boringssl and less out of date hosts running older versions of OpenSSL. • Security of the connection. This includes verification of the remote webserver with certificates and the privacy of data exchanged with strong ciphers.

47. SSL Pinning Pinning is the process of associating a host

    with their expected X509 certificate or public key. • Which certificate to pin against in the chain? • Certificate or public key pinning? • Handling compromise: Fail hard or fail soft? • Where should we store the certificate/public key? ◦ Preloading ◦ Trust on first use ◦ Over the air

48. Do not do SSL pinning without the blessing of your

    server’s TLS administrator!

49. Network Security Configuration <?xml version="1.0" encoding="utf-8"?> <manifest ... > <application

    android:networkSecurityConfig="@xml/network_security_config"...> ... </application> </manifest>

50. Reverse engineering

51. Figure 1. The build process of a typical Android app

    module.
52. None

53. Free tools • Apktool: https://ibotpeaches.github.io/Apktool/ • dex2jar: https://github.com/pxb1988/dex2jar • smali/baksmali:

    an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation: https://github.com/JesusFreke/smali • jd-gui: https://github.com/java-decompiler/jd-gui
54. None

55. Pro Tools • JEB Decompiler: https://www.pnfsoftware.com/ • Hex Rays decompiler:

    https://www.hex-rays.com/products/decompiler/

56. Pull APK from device $ adb shell pm list packages

    $ adb shell pm path your-package-name $ adb pull /full/directory/of/apk
57. None
58. None

59. Convert .dex to .class $ sh d2j-dex2jar.sh -f /your/apk/file

60. very readable if no obfuscation is in place

61. Demo Time Let’s dig some .apk dirt

62. Obfuscation

63. ProGuard

64. ProGuard: Shrinking Java source code (.java files) is typically compiled

    to bytecode (.class files). Bytecode is more compact than Java source code, but it may still contain a lot of unused code, especially if it includes program libraries. Shrinking programs such as ProGuard can analyze bytecode and remove unused classes, fields, and methods. The program remains functionally equivalent, including the information given in exception stack traces.

65. ProGuard: Obfuscation Compiled bytecode still contains a lot of debugging

    information: source file names, line numbers, field names, method names, argument names, variable names, etc. This information makes it straightforward to decompile the bytecode and reverse-engineer entire programs. Sometimes, this is not desirable. Obfuscators such as ProGuard can remove the debugging information and replace all names by meaningless character sequences, making it much harder to reverse-engineer the code. It further compacts the code as a bonus.

66. ProGuard: Preverification When loading class files, the class loader performs

    some sophisticated verification of the byte code. This analysis makes sure the code can't accidentally or intentionally break out of the sandbox of the virtual machine.

67. ProGuard: Options • Input/Output Options • Keep Options • Shrinking

    Options • Optimization Options • Obfuscation Options • Preverification Options

68. ProGuard: example -injars bin/classes -outjars bin/classes-processed.jar -libraryjars /usr/local/java/android-sdk/platforms/android-9/android.jar -dontpreverify -repackageclasses

    '' -allowaccessmodification -optimizations !code/simplification/arithmetic -keep public class mypackage.MyActivity

69. android { buildTypes { release { minifyEnabled true // Library

    specific proguard files proguardFile 'proguard-google-play-services.pro' proguardFile 'proguard-gson.pro' ... // Default proguard files & project app specific rules, proguardFile 'proguard-project-app.pro' proguardFile getDefaultProguardFile('proguard-android.txt') // As of Gradle Android plugin 1.1.0, the test APK has a separate config testProguardFile 'proguard-project-test.pro' } } }
70. None

71. DexGuard • By GuardSqaure, CTO Eric Lafortune • DexGuard is

    the commercial sibling of ProGuard for Android. • ProGuard provides name obfuscation: it can replace the original names of classes, methods, and fields by short, meaningless names. DexGuard additionally provides string encryption and class encryption.

72. Ref: https://www.pnfsoftware.com/blog/a-look-inside-dexguard/

73. Tampering Detection

74. Tampering Detection • Check in run time if application has

    been modified in anyway or if the signature is changed • Verify the installer • It can be done with PackageManager • Multiple check point & use obfuscation in case it’s bypassed • Fail policy: what happens if modification is detected?

75. Tampering Detection Example public boolean isHacked(Context context, String myPackageName, String

    google, String amazon){ // Renamed? if (context.getPackageName().compareTo(myPackageName) != 0) { return true; // BOOM! } // Relocated? String installer = context.getPackageManager().getInstallerPackageName(myPackageName); if (installer == null){ return true; // BOOM! } if (installer.compareTo(google) != 0 && installer.compareTo(amazon) != 0){ return true; // BOOM! } return false; }

76. Tampering Detection • Obfuscation is fundamental! • Avoid client-side checks

    • You may want to check out SafetyNet API: https://developer.android.com/training/safetynet/index.html

77. More Security Tips

78. Security Tips • Remove logcat logging from your production builds

    • Avoid storing your data in the shared storage • Encrypt your preferences / files => the private folder can be found on the device at path /data/data/yourpackage • Encrypt your SQLite database: https://github.com/sqlcipher/sqlcipher

79. Conclusion

80. I probably need another XKE to continue...

81. Thanks! :)