Mobile Device Security - Reading Material. Adam C. Champion and Dong Xuan. CSE 4471: Information Security. Based on materials from Tom Eston (SecureState), Apple, Android Open Source Project, and William Enck (NCSU).
Organization • Quick Overview of Mobile Devices • iOS/Android Threats and Attacks • iOS/Android Security
Overview of Mobile Devices • Mobile computers: • Mainly smartphones, tablets • Sensors: GPS, camera, accelerometer, etc. • Computation: powerful CPUs (≥ 1 GHz, multi-core) • Communication: cellular/4G, Wi-Fi, near field communication (NFC), etc. • Many connect to cellular networks: billing system • Cisco: 7 billion mobile devices will have been sold by 2012 [1]
iOS/Android Malware • iOS malware: very little • Juniper Networks: Major increase in Android malware from 2010 to 2011 [18] • Android malware growth keeps increasing ($$$) • Main categories: [19] • Trojans • Monitoring apps/spyware • Adware • Botnets • We’ll look at notable malware examples
iOS Malware • Malware, “fake apps” have hit iOS too • iKee, first iPhone virus, “rickrolled” jailbroken iDevices [25] • Example “fake/similar” apps: • Temple Run: Temple Climb, Temple Rush, Cave Run • Angry Birds: Angry Zombie Birds, Shoot Angry Birds • Not to mention “walkthroughs,” “reference” apps, etc. • Google Play banned such apps… • iOS, Android hit with “Find and Call” app • SMS spammed contacts from central server • Removed from App Store, Google Play
Android: DroidDream Malware • Infected 58 apps on Android Market, March 2011 • 260,000 downloads in 4 days • How it worked: • Rooted phone via Android Debug Bridge (adb) vulnerability • Sent premium-rate SMS messages at night ($$$) • Google removed apps 4 days after release, banned 3 developers from Market • More malware found since
Android: Fake Angry Birds Space • Bot, Trojan • Masquerades as game • Roots Android 2.3 devices using “Gingerbreak” exploit • Device joins botnet Source: [20]
Android: SMS Worm • Students in previous information security classes wrote SMS worms, loggers on Android • Worm spreads to all contacts via social engineering, sideloading, etc. • Logger stored/forwarded all received SMS messages • Only needed SEND_SMS, RECEIVE_SMS, READ_SMS permissions • Can send 100 SMS messages/hour • One group put SMS logger on Google Play (removed it)
Android: Google Wallet Vulnerabilities (1) • Google Wallet enables smartphone payments • Uses NFC technology • Many new mobile devices have NFC • Some credit card info stored securely in secure element • Separate chip, SD card, SIM card • Unfortunately, other data are not stored as securely
Android: Google Wallet Vulnerabilities (2) • Some information can be recovered from databases on phone: [21] • Name on credit card • Expiration date • Recent transactions • etc. • Google Analytics tracking can reveal customer behavior from non-SSL HTTP GET requests • NFC alone does not guarantee security • Radio eavesdropping, data modification possible [22] • Relay attacks, spoofing possible with libnfc [23]
Android: Sophisticated NFC Hack • Charlie Miller’s Black Hat 2012 presentation: Nokia, Android phones can be hijacked via NFC [24] • NFC/Android Beam on by default on Android 2.3+, Android 4.0+ • Place phone 3–4 cm away from NFC tag, other NFC-enabled phone • Attacker-controlled phone sends data to tag/device, can crash NFC daemon, Android OS • For Android 4.0–4.0.1, can remotely open device browser to attacker-controlled webpage
iOS System Architecture (1) • Boot sequence: • Bootloader, kernel, extensions, baseband firmware all have cryptographic signatures • Root of trust: burnt into boot ROM at the factory • Each component’s signature is verified • If any signature doesn’t match, the “connect to iTunes” screen is shown Icons from Double-J Design, IconBlock
iOS System Architecture (2) • Software updates • Cannot install older version of iOS on an iDevice; e.g., if device runs iOS 5.1.1, cannot install iOS 4 • Device cryptographically “measures” components, sends to Apple install server with nonce, device ID • Nonce: value used only once • Prevents attacker from “replaying” the value • Server checks measurements; if allowed, server adds device ID to measurements, signs everything
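The update authorization exchange on this slide, as an added sketch that is not Apple's code or part of the original slides: it shows why a signature bound to the nonce and device ID cannot be replayed or reused, and why an old version is refused. The key, allow-list, component names and device IDs are constructed, and HMAC stands in for the server's real signature.

```python
import hashlib
import hmac
import secrets

# Stand-in for the install server's signature: a real design uses an asymmetric
# signature the device checks with a public key; HMAC keeps this stdlib-only.
SERVER_KEY = b"constructed-demo-key"
# Hypothetical allow-list of component measurements the server will authorize.
ALLOWED = {hashlib.sha256(b"kernel-5.1.1").hexdigest()}


def measure(component: bytes) -> str:
    """Device side: cryptographic measurement (digest) of one component."""
    return hashlib.sha256(component).hexdigest()


def _sign(measurements, nonce, device_id):
    # All fields are hex or fixed-format strings, so "|" cannot appear in them.
    msg = "|".join([*measurements, nonce, device_id]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def server_authorize(measurements, nonce, device_id):
    """Server side: refuse disallowed versions, else sign everything together."""
    if not all(m in ALLOWED for m in measurements):
        return None
    return _sign(measurements, nonce, device_id)


def device_accepts(signature, measurements, nonce, device_id):
    """Device side: accept only a signature covering this request's values."""
    if signature is None:
        return False
    expected = _sign(measurements, nonce, device_id)
    return hmac.compare_digest(signature, expected)


def demo():
    dev, current = "DEVICE-0001", [measure(b"kernel-5.1.1")]  # constructed values
    nonce1 = secrets.token_hex(16)
    sig1 = server_authorize(current, nonce1, dev)
    fresh = device_accepts(sig1, current, nonce1, dev)
    # Replay: the captured sig1 is returned in answer to a later request.
    replayed = device_accepts(sig1, current, secrets.token_hex(16), dev)
    # The same response presented to a different device fails on the device ID.
    other = device_accepts(sig1, current, nonce1, "DEVICE-0002")
    # Downgrade: the server will not sign measurements of an older version.
    old = server_authorize([measure(b"kernel-4.0")], secrets.token_hex(16), dev)
    return fresh, replayed, other, old
```

`demo()` returns the four outcomes in order: fresh response accepted, replay rejected, other device rejected, downgrade request unsigned.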
iOS Apps and App Store • All iOS apps signed by Apple (not developer) • Third-party apps signed only after: • Developer ID verification (individual, company) • Review: checked for bugs and correct operation (program analysis) • Each app sandboxed in its own directory • Cannot communicate with other apps • Apps need signed “entitlements” to access user data • Further app protection: • Address Space Layout Randomization (ASLR) for all apps • ARM eXecute Never (XN) bit set for all memory pages
iOS Data Protection Measures • Each iDevice has hardware-accelerated crypto operations (AES-256) • Effaceable Storage: securely removes crypto keys from flash memory • “Erase all content and settings” wipes user data using Effaceable Storage (locally or remotely) • Interact with mobile device management (MDM), Exchange ActiveSync servers • Developers can use APIs for secure file, database storage • Passcodes • Admins can require numeric, alphanumeric, etc. • Wipe device after 10 failed login attempts
Miscellaneous iOS Security • Built-in support for SSLv3, TLS, VPNs • Extensive administrative controls: • Password policies • Disable device features, e.g., camera • Disable Siri • Remote wipe • Apps can access contacts without permission (fixed in iOS 6) Source: [8]
iOS Jailbreaking • Circumvents Apple’s iOS security mechanisms • Violates iDevice’s terms of use • Allows installation of apps from alternative app stores, e.g., Cydia • Removes app sandbox • Usually replaces kernel with one accepting non-Apple signatures • Tools: redsn0w, Absinthe, etc. • Legal in U.S. under DMCA 2010 exemption
Google Android Platform • Android: Linux-based mobile handset platform • Developed by Google, Open Handset Alliance for handset manufacturers • Includes T-Mobile, Sprint Nextel, Google, Intel, Samsung, etc. [29] • Free, open mobile handset platform for industry [30] • Flagship: Google Nexus 4
Android Features and Software • Features • 3D: OpenGL ES 1.0 • SQLite: Database engine • WebKit: Web browser • Dalvik: Register-based VM similar to Java VM [32] • FreeType: Bitmap and vector font rendering • Connectivity: Bluetooth, 802.11, GPS • Core Applications • Email, SMS, calendar, Google apps, browser, etc. • Written in Java • App Framework • Full access to same framework APIs • Architecture designed for component reuse • Runtime • Core C++ library • Multiple Dalvik VMs run in a process, rely on Linux kernel for process isolation [32]
Android Security (1) • Android built on Linux kernel, which provides • User permissions model • Process isolation • Each app is assigned unique user/group IDs and runs as a separate process ⇒ app sandbox • System partition mounted read-only • Android 3.0+ enables filesystem encryption using Linux dm-crypt (AES-128) • Device admins can require passwords with specific criteria, remote wipe devices, etc.
Android Security (2) • Android device administration (3.0+): • Remote wipe • Require strong password • Full device encryption • Disable camera
Android Security (3) • Other protection mechanisms: • Android 1.5+: stack buffer, integer overflow protection; double free, chunk consolidation attack prevention • Android 2.3+: format string protection, NX, null pointer dereference mitigation • Android 4.0+: ASLR implemented • Android 4.1+: ASLR strengthened, kernel leaks plugged • Capability-based permissions mechanism: • Many APIs cannot be invoked without permission, e.g., camera, GPS, wireless, etc. • Every app must declare the permissions it needs • Users need to allow these permissions when installing app
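Because every app must declare its permissions, a reviewer can read them straight from the manifest. The following added example (not from the original slides) flags the SEND_SMS, RECEIVE_SMS, READ_SMS combination that the SMS worm slide says was all the class projects needed. It assumes a manifest already decoded to text XML; the sample manifest and package name are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
}

# Constructed sample: a decoded (text) manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application android:label="Flashlight"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return every permission named in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def sms_review(manifest_xml: str) -> dict:
    """Summarize SMS requests for review against the app's stated purpose."""
    root = ET.fromstring(manifest_xml)
    requested = declared_permissions(manifest_xml) & SMS_PERMS
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(requested),
        # All three together allow sending, intercepting and reading messages.
        "full_sms_access": requested == SMS_PERMS,
    }
```

For the constructed flashlight manifest, `sms_review(SAMPLE_MANIFEST)` reports full SMS access, which the app's purpose does not explain.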
Android Security (4) • All Android apps need to be signed: by the developer, not Google • Google Play app store less regulated • Apps available rapidly after publishing • Bouncer service scans for malware in store [11] • Figure: Google Play permissions interface
Android Device Diversity (1) • Android runs on various devices • Different devices run different OS versions • Device manufacturers often add their own custom UIs, software • Mobile operators add their own software • Not all devices are updated to latest Android version! • Security challenges… Android devices accessing Google Play, August 2012. Some devices are not always updated to the latest version. These devices tend to have security vulnerabilities targeted by attackers. Source: [12]
Android Device Diversity (2) • Notice many Android devices are “orphaned” without major updates [13] • Android developers need to secure their apps for many different devices…
Android Device Diversity (3) The OpenSignalMaps Android app sees almost 4,000 types of device clients. Source: [14]
Rooting Android Devices • Android device owners can often get root access to their devices • Process can be as simple as unlocking bootloader • Sometimes, exploit bugs to get root • Result: install OS of choice, bypass device/operator restrictions • Legal under 2010 DMCA exemption • Security problems: • Voids device warranty (usually) • Circumvents app sandbox: root can modify any app’s files • Malware can root and own your device!
References (1) • Cisco, “Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2011–2016”, 14 Feb. 2012, http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white_paper_c11-520862.html • Samsung, “Exynos 5 Dual,” 2012, http://www.samsung.com/global/business/semiconductor/product/application/detail?productId=7668&iaId=2341 • Nielsen Co., “Two Thirds of All New Mobile Buyers Now Opting for Smartphones,” 12 Jul. 2012, http://blog.nielsen.com/nielsenwire/online_mobile/two-thirds-of-new-mobile-buyers-now-opting-for-smartphones/ • K. De Vere, “iOS leapfrogs Android with 410 million devices sold and 650,000 apps,” 24 Jul. 2012, http://www.insidemobileapps.com/2012/07/24/ios-device-sales-leapfrog-android-with-410-million-devices-sold/ • K. Haslem, “Macworld Expo: Optimised OS X sits on ‘versatile’ Flash,” 12 Jan. 2007, Macworld, http://www.macworld.co.uk/ipod-itunes/news/index.cfm?newsid=16927 • Wikipedia, “iOS,” updated 2012, http://en.wikipedia.org/wiki/iOS • Apple Inc., “iPhone Developer University Program,” http://developer.apple.com/iphone/program/university.html • Apple Inc., “iOS Security,” http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf • Android Open Source Project, “Android Security Overview,” http://source.android.com/tech/security/index.html Presentation organization inspired by T. Eston, “Android vs. iOS Security Showdown,” 2012, http://www.slideshare.net/agent0x0/the-android-vs-apple-ios-security-showdown
References (2) • A. Rubin, 15 Feb. 2012, https://plus.google.com/u/0/112599748506977857728/posts/Btey7rJBaLF • H. Lockheimer, “Android and Security,” 2 Feb. 2012, http://googlemobile.blogspot.com/2012/02/android-and-security.html • Android Open Source Project, http://developer.android.com/about/dashboards/index.html • M. DeGusta, “Android Orphans: Visualizing a Sad History of Support,” 26 Oct. 2011, http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support • http://opensignalmaps.com/reports/fragmentation.php • http://www.micro-trax.com/statistics • Lookout, Inc., “Mobile Lost and Found,” 2012, https://www.mylookout.com/resources/reports/mobile-lost-and-found/ • K. Haley, “Introducing the Smartphone Honey Stick Project,” 9 Mar. 2012, http://www.symantec.com/connect/blogs/introducing-symantec-smartphone-honey-stick-project • Juniper Networks, Inc., “Global Research Shows Mobile Malware Accelerating,” 15 Feb. 2012, http://newsroom.juniper.net/press-releases/global-research-shows-mobile-malware-accelerating-nyse-jnpr-0851976
References (3) • F-Secure, “Mobile Threat Report Q2 2012,” 7 Aug. 2012, http://www.slideshare.net/fsecure/mobile-threat-report-q2-2012 • http://nakedsecurity.sophos.com/2012/04/12/android-malware-angry-birds-space-game/ • Via Forensics LLC, “Forensic Security Analysis of Google Wallet,” 12 Dec. 2011, https://viaforensics.com/mobile-security/forensics-security-analysis-google-wallet.html • Proxmark, http://www.proxmark.org/ • libnfc, http://www.libnfc.org • D. Goodin, “Android, Nokia smartphone security toppled by Near Field Communication hack,” 25 Jul. 2012, http://arstechnica.com/security/2012/07/android-nokia-smartphone-hack/ • B. Andersen, “Australian admits creating first iPhone virus,” 10 Nov. 2009, http://www.abc.net.au/news/2009-11-09/australian-admits-creating-first-iphone-virus/1135474 • R. Radia, “Why you should always encrypt your smartphone,” 16 Jan. 2011, http://arstechnica.com/gadgets/2011/01/why-you-should-always-encrypt-your-smartphone/ • Heritage Foundation, “Solutions for America: Overcriminalization,” 17 Aug. 2010, http://www.heritage.org/research/reports/2010/08/overcriminalization • Wikipedia, http://en.wikipedia.org/wiki/Mobile_device_forensics • C. Quentin, http://www.slideshare.net/cooperq/your-cell-phone-is-covered-in-spiders
References (4) • A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and A. M. Smith, “Smudge Attacks on Smartphone Touch Screens,” Proc. USENIX WOOT, 2010. • X. Ni, Z. Yang, X. Bai, A. C. Champion, and Dong Xuan, “DiffUser: Differentiated User Access Control on Smartphones,” Proc. IEEE Int’l. Workshop on Wireless and Sensor Networks Security (WSNS), 2009. • W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones,” Proc. USENIX OSDI, 2010, http://appanalysis.org • W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones,” http://static.usenix.org/event/osdi10/tech/slides/enck.pdf • B. Gu, X. Li, G. Li, A. C. Champion, Z. Chen, F. Qin, and D. Xuan, “D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources,” Technical Report, 2012.