Securing a mobile platform from the ground up
Rich Cannings <richc@google.com>
Alex Stamos <alex@isecpartners.com>

Overview
• Why care about mobile security?
• What is Android?
• How do I develop on Android?
• Android Market
• What about Security?
• Cornerstones of Android security
  • Prevention
  • Minimization
  • Detection
  • Reaction
Some Statistics
• 6.77 billion people[1]
• 1.48 billion Internet enabled PCs[2]
• 4.10 billion mobile phones[1]
• Mobile phone replacement rate
  • 12-18 month average[3]
• 1.1 billion mobile phones are purchased per year[4]
• 13.5% of mobile phone sales are smartphones[5]
• The number of smartphones will soon compare with the number of Internet enabled PCs

[1] http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use (based on The World Factbook)
[2] http://www.itu.int/ITU-D/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1
[3]
[4] http://www.infonetics.com/pr/2009/2h08-mobile-wifi-phones-market-research-highlights.asp
[5] http://www.gartner.com/it/page.jsp?id=985912

Mobile Security is Getting Interesting
• Techniques for desktop analysis are more useful to smart phones
• Mobile networks can now be easily manipulated
  • From phones:
    • Miller, Lackey, Miras at BlackHat 2009
  • From false base stations:
    • http://openbts.sourceforge.net/
Mobile Security Matures
We are now seeing attacks against all layers of mobile infrastructure:
• Applications
• Platform
• OS
• Baseband
• Network
Mobile devices must be treated as fully fledged computers. Do not assume they are "special".
The Android Platform
• Free, open source mobile platform
  • Source code at http://source.android.com
• Any handset manufacturer or hobbyist can install
• Any developer can use
  • SDK at http://developer.android.com
• Empower users and developers

The Android Technology Stack
• Linux kernel
• Relies upon 90+ open source libraries
  • Integrated WebKit based browser
  • SQLite for structured data storage
  • OpenSSL
  • BouncyCastle
  • libc based on OpenBSD
  • Apache Harmony
  • Apache HttpClient
• Supports common sound, video and image codecs
• API support for handset I/O
  • Bluetooth, EDGE, 3G, wifi
  • Camera, Video, GPS, compass, accelerometer, sound, vibrator
Android Development
• Java applications are composed of:
  • Activities
    • Visual user interface for one focused endeavor
  • Services
    • Runs in the background for an indefinite period of time
  • Intents
    • Asynchronous messaging
    • URL dispatching on steroids
    • Glues many Activities and Services together to make an application
    • Provides interactivity between applications
Application Lifecycle
• Designed to protect battery life
• Activities live on a stack
• Background activities can be killed at any moment
• The platform makes it easy for developers to code applications that are killed at any moment without losing state
  • Helps with DoS issues

Android Market
• Connects developers with users
• Darwinian environment
  • Good applications excel
  • Bad applications forgotten
• ~10,000 applications on Market
• Balance of openness and security
  • Not the only way to install apps
  • Not a walled garden
• Developers self-sign applications
  • For updating
  • Uses Java's keytool and jarsigner

Application Signing
Why self signing?
• Market ties identity to developer account
• CAs have had major problems with fidelity in the past
• No applications are trusted. No "magic key"
What does signing determine?
• Shared UID for shared keys
• Self-updates
Security Philosophy
• Finite time and resources
• Humans have difficulty understanding risk
• Safer to assume that
  • Most developers do not understand security
  • Most users do not understand security
• Security philosophy cornerstones
  • Need to prevent security breaches from occurring
  • Need to minimize the impact of a security breach
  • Need to detect vulnerabilities and security breaches
  • Need to react to vulnerabilities and security breaches swiftly

Prevent
• 5 million new lines of code
• Uses almost 100 open source libraries
• Android is open source ⇒ can't rely on obscurity
• Teamed up with security experts from
  • Google Security Team
  • iSEC Partners
  • n.runs
• Concentrated on high risk areas
  • Remote attacks
  • Media codecs
  • New/custom security features
• Low-effort/high-benefit features
  • ProPolice stack overflow protection
  • Heap protection in dlmalloc

dlmalloc
• Heap consolidation attack
  • Allocation meta-data is stored in band
  • Heap overflow can perform 2 arbitrary pointer overwrites
• To fix, check:
  • b->fd->bk == b
  • b->bk->fd == b
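To make the slide's two lines of checks concrete, here is an added illustration (not Android's dlmalloc source) that models one dlmalloc bin as a circular doubly linked list of free chunks whose fd/bk links sit in band next to user data. The `chunk` struct, the bin helpers and the `demo_*` functions are all assumptions of this model; what it shows is why the unchecked unlink turns overwritten links into two out-of-bounds pointer writes, and how the `b->fd->bk == b && b->bk->fd == b` check refuses to unlink a chunk whose neighbours no longer point back at it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a dlmalloc free chunk: the allocator's metadata (size,
 * fd, bk) lives in band, right next to user data, so a heap overflow from the
 * previous chunk can overwrite fd and bk. Added illustration; this is not
 * Android's dlmalloc source. */
typedef struct chunk {
    size_t size;
    struct chunk *fd;   /* next free chunk in the bin's circular list */
    struct chunk *bk;   /* previous free chunk in the bin's circular list */
} chunk;

/* A bin is a circular doubly linked list with a sentinel head. */
static void bin_init(chunk *head) { head->fd = head; head->bk = head; }

static void bin_insert(chunk *head, chunk *c) {
    c->fd = head->fd;
    c->bk = head;
    head->fd->bk = c;
    head->fd = c;
}

/* Unchecked unlink: trusts fd/bk as found in memory. With overwritten
 * fd and bk this performs the two pointer writes the slide refers to:
 *   fd->bk = bk   and   bk->fd = fd */
static void unlink_unchecked(chunk *b) {
    chunk *f = b->fd, *k = b->bk;
    f->bk = k;
    k->fd = f;
}

/* Hardened unlink with the slide's consistency check:
 *   b->fd->bk == b  and  b->bk->fd == b
 * A chunk whose neighbours do not point back at it is treated as corrupted
 * and nothing is written. Returns 0 on success, -1 on corruption (real
 * dlmalloc aborts instead of returning). */
static int unlink_checked(chunk *b) {
    chunk *f = b->fd, *k = b->bk;
    if (f->bk != b || k->fd != b)
        return -1;
    f->bk = k;
    k->fd = f;
    return 0;
}

/* Returns 1 when the checked unlink both accepts an intact chunk and rejects
 * one whose links were overwritten (simulating an overflow into its header). */
int demo_corruption_detected(void) {
    chunk head, a, b, c, victim;
    bin_init(&head);
    bin_insert(&head, &a);
    bin_insert(&head, &b);
    bin_insert(&head, &c);           /* list: head -> c -> b -> a -> head */

    if (unlink_checked(&a) != 0) return 0;           /* intact chunk: accepted */
    if (head.bk != &b || b.fd != &head) return 0;    /* list still consistent */

    memset(&victim, 0, sizeof victim);
    b.fd = &victim;                  /* what an overflow into b's header */
    b.bk = &victim;                  /* would leave behind (constructed) */
    return unlink_checked(&b) == -1 && victim.bk == NULL && victim.fd == NULL;
}

/* Returns 1 when the unchecked unlink, given the same overwritten links,
 * writes into memory it should never touch (v1 and v2). */
int demo_unchecked_writes(void) {
    chunk b, v1, v2;
    memset(&v1, 0, sizeof v1);
    memset(&v2, 0, sizeof v2);
    b.fd = &v1;
    b.bk = &v2;
    unlink_unchecked(&b);
    return v1.bk == &v2 && v2.fd == &v1;
}

int main(void) {
    printf("checked unlink catches corruption: %d\n", demo_corruption_detected());
    printf("unchecked unlink writes out of bounds: %d\n", demo_unchecked_writes());
    return 0;
}
```

The check is cheap (two loads and two compares per unlink) and only guards the unlink step itself; it is the "low-effort/high-benefit" kind of mitigation the Prevent slide lists, not a replacement for bounds checking in the code that overflowed.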
Minimize
• We cannot rely on prevention alone
  • Vulnerabilities happen
  • Users will install malware
  • Code will be buggy
• How can we minimize the impact of a security issue?
  • My webmail cannot access my banking web app
    • Same origin policy
  • Why can malware access my browser? my banking info?
• Extend the web security model to the OS
Minimize
• Traditional operating system security
  • Host based
  • User separation
• Mobile OSes are for single users
  • User separation is like a "same user policy"
  • Running each application in its own UID is like a "same application policy"
• Privilege separation
  • Make privilege separation relatively transparent to the developer
Application Sandbox
• Each application runs within its own UID and VM
• Default privilege separation model
• Instant security features
  • Resource sharing
    • CPU, Memory
  • Data protection
    • FS permissions
  • Authenticated IPC
    • Unix domain sockets
• Place access controls close to the resource, not in the VM

Application Sandbox
• Place access controls close to the resource
  • Smaller perimeter ⇒ easier to protect
• Default Linux applications have too much power
  • Lock down user access for a "default" application
• Fully locked down applications limit innovation
• Relying on users making correct security decisions is tricky
Permissions
• Whitelist model
  • Allow minimal access by default
  • Allow for user accepted access to resources
• Ask users fewer questions
  • Make questions more understandable
• 194 permissions
  • More ⇒ granularity
  • Less ⇒ understandability

More Privilege Separation
• Media codecs are very complex ⇒ very insecure
  • Won't find all the issues in media libraries
• Banish OpenCore media library to a lesser privileged process
  • mediaserver
• Immediately paid off
  • Charlie Miller reported a vulnerability in our MP3 parsing
    • oCERT-2009-002
Detect
• A lesser-impact security issue is still a security issue
• Internal detection processes
  • Developer education
  • Code audits
  • Fuzzing
  • Honeypot
• Everyone wants security ⇒ allow everyone to detect issues
  • Users
  • Developers
  • Security Researchers

External Reports
• Patrick McDaniel, William Enck, Machigar Ongtang
  • Applied formal methods to access SMS and Dialer
• Charlie Miller, John Hering
  • Outdated WebKit library with PCRE issue
• XDA Developers
  • Safe mode lock screen bypass
• Charlie Miller, Collin Mulliner
  • MP3, SMS fuzzing results
• Panasonic, Chris Palmer
  • Permission regression bugs
• If you find a security issue, please email security@android.com

A User Report
• MemoryUp: mobile RAM optimizer
  • faster, more stable, more responsive, less waiting time
  • not quite

React
• Autoupdaters are the best security tool since Diffie-Hellman
• Every modern operating system should be responsible for:
  • Automatically updating itself
  • Providing a central update system for third-party applications
• Android's Over-The-Air update system (OTA)
  • User interaction is optional
  • No additional computer or cable is required
  • Very high update rate

Shared UID Regression
• Shared UID feature
  • Malware does not hurt computers, malware authors do
  • Two applications are signed ⇒ can share UIDs
  • More interactivity
• Panasonic reported that shared UID was broken
  • If the user installs malware, then the attacker could share UIDs with an existing installed app, like the browser
  • Breaks Application Sandbox
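The two things the Application Signing slide says a signature determines (shared UIDs and self-updates) are exactly what the regression above broke, so here is one added, hypothetical model of those install-time checks. It is not Android's PackageManager code: the `device`/`package` structs, the `install` function, the error codes and every package name and certificate fingerprint (`FP:...`) are constructed for the example. It shows the invariant the sandbox depends on: a package is only replaced, and a UID is only shared, when the new APK is signed with the same key as the one already installed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the install-time checks the slides
 * describe. Not Android's PackageManager code. A signing identity is
 * modelled as a string holding the signer certificate's fingerprint; the
 * fingerprints and package names below are constructed sample values. */
#define MAX_PKGS 8
#define LABEL_LEN 64

typedef struct {
    char name[LABEL_LEN];        /* package name */
    char cert[LABEL_LEN];        /* fingerprint of the self-signed signing cert */
    char shared_uid[LABEL_LEN];  /* requested shared UID label, "" if none */
    int uid;                     /* Linux UID the app's processes run as */
} package;

typedef struct {
    package pkgs[MAX_PKGS];
    int count;
    int next_uid;
} device;

enum {
    INSTALL_OK = 0,
    ERR_UPDATE_CERT_MISMATCH,      /* update not signed by the original key */
    ERR_SHARED_UID_CERT_MISMATCH,  /* shared UID requested with a foreign key */
    ERR_FULL
};

static void device_init(device *d) {
    memset(d, 0, sizeof *d);
    d->next_uid = 10000;           /* first app UID; a constructed value */
}

static package *find_by_name(device *d, const char *name) {
    for (int i = 0; i < d->count; i++)
        if (strcmp(d->pkgs[i].name, name) == 0) return &d->pkgs[i];
    return NULL;
}

static package *find_by_shared_uid(device *d, const char *label) {
    for (int i = 0; i < d->count; i++)
        if (strcmp(d->pkgs[i].shared_uid, label) == 0) return &d->pkgs[i];
    return NULL;
}

/* Install or update a package; shared_uid is "" when none is requested. */
int install(device *d, const char *name, const char *cert, const char *shared_uid) {
    package *existing = find_by_name(d, name);
    if (existing) {
        /* Self-update: only the key that signed the installed version may replace it. */
        if (strcmp(existing->cert, cert) != 0) return ERR_UPDATE_CERT_MISMATCH;
        return INSTALL_OK;
    }
    if (d->count == MAX_PKGS) return ERR_FULL;

    int uid = -1;
    if (shared_uid[0] != '\0') {
        package *peer = find_by_shared_uid(d, shared_uid);
        if (peer) {
            /* A UID is shared only between apps signed with the same key; the
             * regression on the slide was this check not being enforced. */
            if (strcmp(peer->cert, cert) != 0) return ERR_SHARED_UID_CERT_MISMATCH;
            uid = peer->uid;
        }
    }
    if (uid < 0) uid = d->next_uid++;   /* fresh sandbox for an unrelated app */

    package *p = &d->pkgs[d->count++];
    snprintf(p->name, LABEL_LEN, "%s", name);
    snprintf(p->cert, LABEL_LEN, "%s", cert);
    snprintf(p->shared_uid, LABEL_LEN, "%s", shared_uid);
    p->uid = uid;
    return INSTALL_OK;
}

int uid_of(device *d, const char *name) {
    package *p = find_by_name(d, name);
    return p ? p->uid : -1;
}

/* The slide's scenario: an app signed with another key asks for the
 * browser's shared UID. Returns the installer's verdict. */
int scenario_shared_uid_by_other_key(void) {
    device d; device_init(&d);
    install(&d, "sample.browser", "FP:browser-key", "sample.browser.uid");
    return install(&d, "sample.other", "FP:other-key", "sample.browser.uid");
}

/* Two apps from one developer legitimately share a UID: returns 1 if they
 * end up in the same sandbox. */
int scenario_same_key_shares_uid(void) {
    device d; device_init(&d);
    install(&d, "sample.app1", "FP:dev-key", "sample.dev.shared");
    install(&d, "sample.app2", "FP:dev-key", "sample.dev.shared");
    return uid_of(&d, "sample.app1") == uid_of(&d, "sample.app2");
}

/* An update signed with a different key must be refused. */
int scenario_update_by_other_key(void) {
    device d; device_init(&d);
    install(&d, "sample.app1", "FP:dev-key", "");
    return install(&d, "sample.app1", "FP:other-key", "");
}
```

Because there is no CA behind a self-signed certificate, the certificate itself is the developer's identity: losing the key means losing the ability to ship updates, and any installer path that skips the `cert` comparison (as the regression did) lets a third party into an existing app's UID, which the sandbox cannot defend against afterwards.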
Update Process
• 2009-05-14
  • Panasonic reported the issue
  • Patched the issue, wrote regression tests
• 2009-05-15
  • Kicked off internal audit
  • Built and tested every flavour of Android
  • Coordinated a public response with the reporter, carriers, PR and oCERT
• 2009-05-21
  • Received critical-mass approval
• 2009-05-22
  • OTAed users, rolled out patches to factories, SDK, and open source
  • Released advisory (oCERT-2009-006)
Not over yet!
• 2009-07-06
  • Completed audit and tests
  • Coordinated a public response with carriers, PR and oCERT
• 2009-07-15
  • Received critical-mass approval
• 2009-07-16
  • OTAed users, rolled out patches to factories, SDK, and open source
• 2009-07-16
  • Released advisory (oCERT-2009-011)
Conclusion
• Security
  • an ongoing process
  • not a checkbox
• Process
  • Prevent
  • Minimize
  • Detect
  • React

Questions?
• Find a security issue?
  • Email security@android.com
• Want to contribute code?
  • Visit http://source.android.com
  • Add me as a code reviewer!
• Want to write an Android application?
  • Visit http://developer.android.com
• Want to email us?
  • Email richc@google.com or alex@isecpartners.com
  • We are both hiring