
Securing a mobile platform

from the ground up



Rich Cannings <richc@google.com>
Alex Stamos <alex@isecpartners.com>
Overview
Why care about mobile security?
What is Android?
How do I develop on Android?
o Android Market
What about Security?
o Cornerstones of Android security
Prevention
Minimization
Detection
Reaction
Some Statistics
6.77 billion people[1]
1.48 billion Internet enabled PCs[2]
4.10 billion mobile phones[1]
Mobile phone replacement rate
o 12-18 month average[3]
o 1.1 billion mobile phones are purchased per year[4]
o 13.5% of mobile phone sales are smartphones[5]
The number of smartphones will soon compare with the number of Internet enabled PCs
[1] http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use (based on The World Factbook)
[2] http://www.itu.int/ITU-D/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1
[3]
[4] http://www.infonetics.com/pr/2009/2h08-mobile-wifi-phones-market-research-highlights.asp
[5] http://www.gartner.com/it/page.jsp?id=985912

Mobile Security is Getting Interesting
Techniques for desktop analysis are more useful to smart phones

Mobile networks can now be easily manipulated
o From phones:
Miller, Lackey, Miras at BlackHat 2009
o From false base stations:
http://openbts.sourceforge.net/
Mobile Security Matures
We are now seeing attacks against all layers of mobile infrastructure:

Applications
Platform
OS
Baseband
Network

Mobile devices must be treated as fully fledged computers.

Do not assume they are "special".
The Android Platform
Free, open source mobile platform
o Source code at http://source.android.com
Any handset manufacturer or hobbyist can install
Any developer can use
o SDK at http://developer.android.com
Empower users and developers
The Android Technology Stack
Linux kernel
Relies upon 90+ open source libraries
o Integrated WebKit based browser
o SQLite for structured data storage
o OpenSSL
o BouncyCastle
o libc based on OpenBSD
o Apache Harmony
o Apache HttpClient
Supports common sound, video and image codecs
API support for handset I/O
o Bluetooth, EDGE, 3G, wifi
o Camera, Video, GPS, compass, accelerometer, sound, vibrator
Android Development
Java applications are composed of:
o Activities
Visual user interface for one focused endeavor
o Services
Runs in the background for an indefinite period of time
Intents
o Asynchronous messaging
o URL dispatching on steroids
o Glues many Activities and Services together to make an application
o Provides interactivity between applications
Example Email Application
Application Lifecycle
Designed to protect battery life
Activities live on a stack
Background activities can be
killed at any moment
The platform makes it easy for developers to code applications that are killed at any moment without losing state
o Helps with DoS issues
Android Market
Connects developers with users
Darwinian environment
o Good applications excel
o Bad applications forgotten
~10,000 applications on Market
Balance of openness and security
o Not the only way to install apps
o Not a walled garden
Developers self-sign applications
o For updating
o Uses Java's keytool and jarsigner

Application Signing
Why self signing?
Market ties identity to developer account
CAs have had major problems with fidelity in the past
No applications are trusted. No "magic key"

What does signing determine?
Shared UID for shared keys
Self-updates


Security Philosophy
Finite time and resources
Humans have difficulty understanding risk
Safer to assume that
o Most developers do not understand security
o Most users do not understand security

Security philosophy cornerstones
o Need to prevent security breaches from occurring
o Need to minimize the impact of a security breach
o Need to detect vulnerabilities and security breaches
o Need to react to vulnerabilities and security breaches
swiftly

Prevent
5 million new lines of code
Uses almost 100 open source libraries
Android is open source, so we can't rely on obscurity
Teamed up with security experts from
o Google Security Team
o iSEC Partners
o n.runs
Concentrated on high risk areas
o Remote attacks
o Media codecs
o New/custom security features
Low-effort/high-benefit features
o ProPolice stack overflow protection
o Heap protection in dlmalloc
dlmalloc

Heap consolidation attack
Allocation meta-data is stored in-band
Heap overflow can perform 2 arbitrary pointer overwrites
To fix, check:
o b->fd->bk == b
o b->bk->fd == b
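To make the check on the slide concrete, here is an added example (not code from the talk or from dlmalloc itself) in which a toy circular free list applies the same two conditions, b->fd->bk == b and b->bk->fd == b, before unlinking a chunk. The struct layout, function names and the "decoy" chunk that stands in for an overwritten header are all constructed for illustration; real dlmalloc headers carry more fields.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy free-list chunk. Real dlmalloc keeps size and the fd/bk links in a
 * header directly in front of the user data ("in-band"), which is why an
 * overflow from the neighbouring chunk can overwrite them. Layout is constructed. */
struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk */
    struct chunk *bk;   /* previous free chunk */
};

/* Circular list with a sentinel head; an empty list has head->fd == head. */
void list_init(struct chunk *head)
{
    head->size = 0;
    head->fd = head;
    head->bk = head;
}

void list_insert_front(struct chunk *head, struct chunk *c, size_t size)
{
    c->size = size;
    c->fd = head->fd;
    c->bk = head;
    head->fd->bk = c;
    head->fd = c;
}

size_t list_len(const struct chunk *head)
{
    size_t n = 0;
    for (const struct chunk *p = head->fd; p != head; p = p->fd)
        n++;
    return n;
}

/* The check from the slide: both neighbours must point back at c. */
int links_consistent(const struct chunk *c)
{
    return c->fd != NULL && c->bk != NULL &&
           c->fd->bk == c && c->bk->fd == c;
}

/* Hardened unlink. Without the check, the two assignments below are the
 * "2 arbitrary pointer overwrites": each stores one header field through
 * the other, so an overwritten header chooses both address and value.
 * Returns 0 on success, -1 when the header is inconsistent (no writes made). */
int unlink_checked(struct chunk *c)
{
    if (!links_consistent(c))
        return -1;
    c->fd->bk = c->bk;
    c->bk->fd = c->fd;
    c->fd = c->bk = NULL;
    return 0;
}

/* Scenario 1: intact metadata, unlink succeeds and the list shrinks to 2. */
int demo_intact_unlink(void)
{
    struct chunk head, a, b, c;
    list_init(&head);
    list_insert_front(&head, &a, 32);
    list_insert_front(&head, &b, 64);
    list_insert_front(&head, &c, 96);
    if (unlink_checked(&b) != 0)
        return -1;
    return (int)list_len(&head);
}

/* Scenario 2: constructed corruption, as an overflow into b's header would
 * leave it: b->fd now points at a chunk that does not point back to b. */
int demo_corrupted_unlink(void)
{
    struct chunk head, a, b, c, decoy;
    list_init(&head);
    list_insert_front(&head, &a, 32);
    list_insert_front(&head, &b, 64);
    list_insert_front(&head, &c, 96);
    decoy.size = 0;
    decoy.fd = &decoy;
    decoy.bk = &decoy;
    b.fd = &decoy;                 /* constructed corruption of in-band metadata */
    return unlink_checked(&b);     /* refused: -1 */
}

int main(void)
{
    printf("intact: list length after unlink = %d\n", demo_intact_unlink());
    printf("corrupted: unlink_checked returned %d\n", demo_corrupted_unlink());
    return 0;
}
```

The point of the check is that it costs two loads and two compares per unlink, yet it turns the classic "write-what-where" primitive into a detectable abort: a header that an overflow has rewritten almost never satisfies both back-pointer conditions at once.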
WebKit Heap Overflow
Minimize
We cannot rely on prevention alone
o Vulnerabilities happen
Users will install malware
Code will be buggy
How can we minimize the impact of a security issue?
My webmail cannot access my banking web app
o Same origin policy
Why can malware access my browser? my banking info?
Extend the web security model to the OS
Minimize
Traditional operating system security
o Host based
o User separation
Mobile OSes are for single users
User separation is like a "same user policy"
Running each application in its own UID is like a "same application policy"
o Privilege separation
Make privilege separation relatively transparent to the
developer
Application Sandbox
Each application runs within its own UID and VM
Default privilege separation model
Instant security features
o Resource sharing
CPU, Memory
o Data protection
FS permissions
o Authenticated IPC
Unix domain sockets
Place access controls close to the resource, not in the VM
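The "authenticated IPC over Unix domain sockets" bullet is the part of the sandbox that is easiest to show in code. The following is an added example, not code from the talk or from Android: a service asks the Linux kernel for the UID on the other end of a connected AF_UNIX socket with SO_PEERCRED and makes its access decision from that, so the check sits next to the resource rather than in the VM. The allow-list, the socketpair standing in for client and service, and the function names are all constructed for this example; SO_PEERCRED is Linux-specific.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Ask the kernel who is on the other end of a connected AF_UNIX socket.
 * SO_PEERCRED is filled in by the kernel at connect()/socketpair() time,
 * so the client cannot forge it. Returns 0 and stores the UID, or -1. */
int peer_uid(int fd, uid_t *out)
{
    struct ucred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0)
        return -1;
    *out = cred.uid;
    return 0;
}

/* Access control next to the resource: the decision depends only on the
 * kernel-reported peer UID, never on anything the client sends.
 * Returns 1 (allow), 0 (deny) or -1 (could not identify the peer). */
int peer_allowed(int fd, const uid_t *allowed, size_t n)
{
    uid_t uid;
    if (peer_uid(fd, &uid) != 0)
        return -1;
    for (size_t i = 0; i < n; i++)
        if (allowed[i] == uid)
            return 1;
    return 0;
}

/* Constructed scenario: a socketpair stands in for client and service, so the
 * authenticated peer is this process's own UID. With allow_self the allow-list
 * contains that UID; otherwise it contains an unrelated one (getuid() + 1). */
int demo_decision(int allow_self)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    uid_t allowed[1] = { allow_self ? getuid() : (uid_t)(getuid() + 1) };
    int rc = peer_allowed(sv[1], allowed, 1);   /* sv[1] is the "service" end */
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    printf("same UID on allow-list: %d\n", demo_decision(1));
    printf("other UID on allow-list: %d\n", demo_decision(0));
    return 0;
}
```

Because every application already has its own UID, a service written this way gets per-application authentication for free from the kernel, which is exactly what "instant security features" on the slide means.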

Application Sandbox
Place access controls close to the resource
o Smaller perimeter is easier to protect
Default Linux applications have too much power
Lock down user access for a "default" application
Fully locked down applications limit innovation
Relying on users making correct security decisions is tricky

Permissions
Whitelist model
1. Allow minimal access by default
2. Allow for user accepted access to resources
Ask users fewer questions
Make questions more understandable
194 permissions
o More granularity
o Less understandability

More Privilege Separation
Media codecs are very complex, and therefore very insecure
Won't find all the issues in media libraries
Banish OpenCore media library to a lesser privileged process
o mediaserver
Immediately paid off
o Charlie Miller reported a vulnerability in our MP3 parsing
o oCERT-2009-002
Detect
A lesser-impact security issue is still a security issue
Internal detection processes
o Developer education
o Code audits
o Fuzzing
o Honeypot
Everyone wants security, so allow everyone to detect issues
o Users
o Developers
o Security Researchers

External Reports
Patrick McDaniel, William Enck, Machigar Ongtang
o Applied formal methods to access SMS and Dialer
Charlie Miller, John Hering
o Outdated WebKit library with PCRE issue
XDA Developers
o Safe mode lock screen bypass
Charlie Miller, Collin Mulliner
o MP3, SMS fuzzing results
Panasonic, Chris Palmer
o Permission regression bugs

If you find a security issue, please email security@android.com
User Reporting
A User Report
MemoryUp: mobile RAM optimizer
o faster, more stable, more responsive, less waiting time
o not quite
React
Autoupdaters are the best security tool since Diffie-Hellman
Every modern operating system should be responsible for:
o Automatically updating itself
o Providing a central update system for third-party applications
Android's Over-The-Air update system (OTA)
o User interaction is optional
o No additional computer or cable is required
o Very high update rate
Shared UID Regression
Shared UID feature
o Malware does not hurt computers, malware authors do
o Two applications signed with the same key can share UIDs
o More interactivity
Panasonic reported that shared UID was broken
o If the user installs malware, then the attacker could share UIDs with an existing installed app, like the browser
o Breaks Application Sandbox
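The invariant the regression broke is simple to state: a package may join a shared UID only if every installed member of that UID is signed with the same certificate. The code below is an added example written for this page, not Android's package installer: it encodes that rule over a constructed table of installed packages (names, sharedUserId labels and certificate fingerprints are all made up) and shows the decision for a matching signer, a different signer, and a label nobody holds yet.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One installed package, as an installer might record it. Certificates are
 * represented by a fingerprint string; all values in this file are constructed. */
struct installed_pkg {
    const char *name;
    const char *shared_uid;   /* sharedUserId label, or NULL for a private UID */
    const char *signer_fp;    /* fingerprint of the signing certificate */
};

/* Grant a request to join requested_uid only when no installed member of that
 * shared UID is signed by a different certificate. Returns 1 grant, 0 deny.
 * Skipping the signer comparison is exactly the "shared UID regression":
 * any package could then join the browser's UID and leave the sandbox. */
int may_join_shared_uid(const struct installed_pkg *pkgs, size_t n,
                        const char *requested_uid, const char *signer_fp)
{
    if (requested_uid == NULL)
        return 1;   /* private UID requested: nothing to check */
    for (size_t i = 0; i < n; i++) {
        if (pkgs[i].shared_uid == NULL)
            continue;                              /* private UID, not a member */
        if (strcmp(pkgs[i].shared_uid, requested_uid) != 0)
            continue;                              /* member of some other UID */
        if (strcmp(pkgs[i].signer_fp, signer_fp) != 0)
            return 0;                              /* different signer: refuse */
    }
    return 1;   /* either no members yet, or every member has the same signer */
}

/* Constructed installed set: a browser sharing a UID with its helper, and an
 * unrelated app on a private UID. */
static const struct installed_pkg SAMPLE[] = {
    { "com.example.browser",       "com.example.uid.browser", "FP-VENDOR-A" },
    { "com.example.browserhelper", "com.example.uid.browser", "FP-VENDOR-A" },
    { "com.example.notes",         NULL,                      "FP-VENDOR-B" },
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Same signer as the existing members: granted (1). */
int demo_same_signer(void)
{
    return may_join_shared_uid(SAMPLE, SAMPLE_N, "com.example.uid.browser", "FP-VENDOR-A");
}

/* A package signed by someone else asks for the browser's UID: denied (0). */
int demo_other_signer(void)
{
    return may_join_shared_uid(SAMPLE, SAMPLE_N, "com.example.uid.browser", "FP-OTHER");
}

/* A label no installed package holds yet: granted (1); the first member
 * defines which certificate later members must carry. */
int demo_fresh_label(void)
{
    return may_join_shared_uid(SAMPLE, SAMPLE_N, "com.example.uid.newlabel", "FP-OTHER");
}

int main(void)
{
    printf("same signer: %d\n", demo_same_signer());
    printf("other signer: %d\n", demo_other_signer());
    printf("fresh label: %d\n", demo_fresh_label());
    return 0;
}
```

The deny case is the one a regression test has to pin down, since the grant cases keep working whether or not the signer comparison is present; that is why the slide pairs "patched the issue" with "wrote regression tests".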
Update Process
2009-05-14
o Panasonic reported the issue
o Patched the issue, wrote regression tests
2009-05-15
o Kicked off internal audit
o Built and tested every flavour of Android
o Coordinated a public response with the reporter, carriers, PR and oCERT
2009-05-21
o Received critical-mass approval
2009-05-22
o OTAed users, rolled out patches to factories, SDK, and open source
o Released advisory (oCERT-2009-006)
Not over yet!
2009-07-06
o Completed audit and tests
o Coordinated a public response with carriers, PR and oCERT
2009-07-15
o Received critical-mass approval
2009-07-16
o OTAed users, rolled out patches to factories, SDK, and open source
2009-07-16
o Released advisory (oCERT-2009-011)
Conclusion
Security
o an ongoing process
o not a checkbox
Process
o Prevent
o Minimize
o Detect
o React

Questions?
Find a security issue?
o Email security@android.com
Want to contribute code?
o Visit http://source.android.com
o Add me as a code reviewer!
Want to write an Android application?
o Visit http://developer.android.com
Want to email us?
o Email richc@google.com or alex@isecpartners.com
o We are both hiring
