Android security in depth - extended

Embed Size (px)

Citation preview

ICT Nieuw

Sander Alberink

Healthcare

Automotive

Industrial Automation

Machine & Systems

Energy

Logistics

Android Security in depth

Agenda

Android overview

System-level security

Application-level security

Enterprise-level security

Show of hands...

Who has...An Android device?

Loaded a custom ROM?

Rooted his device?

Developed for that device?

15 januari 2014

Android Security in depth

Android Security System level

Android system architecture

System level execution

NX-bit

Stack-overflow prevention

Address Space Layout Randomization

dlmalloc/calloc + extensions

mmap_min_addr

Avoid leaking kernel pointer addresses

NX-Bit: stack and heap marked to prevent code execution from NX-marked memory pagesMmap_min_addr prevents MMAPing the lowest pages of virtual memory. A null pointer dereference from the kernel could access that memory and execute code that you prepared beforehand.Leaking point addresses prevented by disallowing unpriviledged app from accessing /proc/kmsg54

Linux security measures

Sandboxing in kernel

Permissions enforced through linux groups

Each app separate UID

Dalvik VM

Not a security boundaryNo security manager

Permissions are enforced in OS, not VM

Bytecode verification optimized for speed, not security

Every app can execute native code!

Zygote process preloads typical classes and dynamic link libraries

Copy-on-writeOnly when new process writes page, new page is allocated.

All pages not be written are shared among all zygote children.

Exec system call is not used in zygote.wipes the page mapping table of process.

It means exec discards zygote cache.

Runs as UID=0 (root). After forking child process, its UID is changed by setuid system call.

Zygote processes

Binder IPC

IPC via kernel interface

Used under water for all IPC in AndroidService to application

Service to system

But also Intent-based communication...

Is security-aware and passes calling UID & GID

15 januari 2014

Powerpoint ICT Automatisering

Additional measures in Android 4.2

Application verificationAdditional scan for malicious sw

Always-on VPN

Improvements to installd/init handling, etc

Bouncer

Checks every app submitted to store (before publication)

Runs app for 5 minutes in emulator, exercising UI

If flagged: manual analysis

Combination of dynamic/static analysis

Submit flagged apps too many times blocked account

Additional measures in Android 4.3

Android sandbox reinforced with SELinux.

No setuid/setgid programs.

ADB Authentication.

Restrict Setuid from Android Apps.

Capability bounding.

AndroidKeyStore Provider.

No setuid

Additional measures in Android 4.3 cont'd

KeyChain isBoundKeyAlgorithm.

NO_NEW_PRIVS. (This requires Linux kernel version 3.5 or greater)

FORTIFY_SOURCE enhancements.

Relocation protections.

Improved EntropyMixer.

Security Fixes.

Additional measures in Android 4.4

Android sandbox reinforced with SELinux in enforcing mode.

Per-user VPN

ECDSA Provider support in AndroidKeyStore.

Device Monitoring Warnings

FORTIFY_SOURCE level 2

Certificate Pinning

Verified boot

Security Fixes

Device monitoring: addition of certificates that may allow monitoring of encryped trafficFortify Source v2: more stricter checking of copies. May cause correct code to failECDSA: Elliptic curves support

Verified boot

Used to verify underlying boot image is not corrupted

Optional feature

No SHA256 hash of entire block device.Works at the block layerHash tree prepared by vendor, signatures of hash-table stored in non-volatile memory on device.

SE Linux/Android

Mandatory Access Control (MAC) for Linux

Enforces a system-wide security policy

Over all processes, objects, and operations

Based on security labels

Can confine flawed and malicious applications

Even ones that run as root / uid 0.

Can prevent privilege escalation

Difference between DAC and MAC

DAC: owner of object (f.i. files) determines access level

MAC: system determines access level

system_appradiotrusted_appnfckernel

Android Security Application level

Intent system

Communication between OS and applications via Intents

OS resolves requested action (e.g. 'edit contact') with all registered Intent receivers

Highly versatile and modular

Allows changing out default functionality for alternatives

Permissions

Permissions determine if an app can perform an action

4 levels:Normal

Dangerous

Signature

System

Permissions cont'd

Permissions checked when:Starting activities

Starting/binding to services

Sending to BroadcastReceivers

Accessings ContentProviders (separate for read and write

and at any given moment using Context.checkCallingPermission()

App signing

All Android applications must be signed by the author (developer) Signing: process of digitally signing a given application using a private key to: Identify author

Detect changes

Establish trust between applications

On Android, certificate (X.509) can be self-signed, no need for a certificate authorityAndroid applications can be built in debug and release-mode:In debug mode the app is automatically signed with debug key and cannot be distributed (e.g. via Google Play)

In release-mode app is signed with private key of developer.

Android Security Enterprise level

Encryption

Full-disk encryption using dm-cryptActually: /data partition

Done using 128 bit AES/SHA256

Master key encrypted with another key based off device PIN/passwdProblem: since PIN is usually 4 digits long, cracking master key is matter of little time...

Start by mounting temporary data fs in RAM and ask for device PIN. Test decrypt using key, if succesful rotate mountpoint.When you have device access to device, everything goes

Device Policies

Determine user-level security

Locate lost devices

Enable remote wipe

Can disable functionality (such as camera)

VPN

Support for VPN connections based onIPSec

PPTP

Own VPN implementation (3rd party, 4.0+)

Requires use of device lock mechanism

As of Android 4.2, always-on VPN is possible too

Manufacturer solutions

Samsung KNOXBased on SE Android with additional policies

Separate USER and Work partitions

Verified boot

Per-app VPN

More comprehensive mobile device management

Work partitions contains apps wrapped by samsung in additional security layer

Questions?

ICT Colors

15 januari 2014

Powerpoint ICT Automatisering

15 januari 2014

Android Security in depth

15 januari 2014

Powerpoint ICT Automatisering

15 januari 2014

Powerpoint ICT Automatisering

15 januari 2014

Powerpoint ICT Automatisering

15 januari 2014

Powerpoint ICT Automatisering

15 januari 2014

Powerpoint ICT Automatisering

15 januari 2014

Powerpoint ICT Automatisering

15 januari 2014

Powerpoint ICT Automatisering

15 januari 2014

Powerpoint ICT Automatisering

Click to edit the title text formatTitelmasterformat durch Klicken bearbeiten

Click to edit the outline text formatSecond Outline LevelThird Outline LevelFourth Outline LevelFifth Outline LevelSixth Outline Level

Seventh Outline LevelTextmasterformate durch Klicken bearbeiten

Zweite Ebene

Dritte Ebene

Vierte Ebene

Fnfte Ebene

Click to edit the outline text formatSecond Outline LevelThird Outline LevelFourth Outline LevelFifth Outline LevelSixth Outline Level

Seventh Outline LevelTextmasterformate durch Klicken bearbeiten

Zweite Ebene

Dritte Ebene

Vierte Ebene

Fnfte Ebene

15-01-14

Powerpoint ICT Software Engineering