Abstract image of a woman sitting on books and studying on a laptop

The Ultimate Android Security Checklist (Mdevcon 2014)

R
Ron Munitz

This document presents an extensive overview of Android security, focusing on various aspects such as the security architecture, application sandboxing, and the importance of properly managing permissions. Key features include user data protection, application isolation, and measures against memory corruption vulnerabilities, all aimed at making attacks on Android applications less rewarding. It also highlights the challenges of reverse engineering and offers insights into code protection strategies, including code obfuscation and native code security considerations.

Technology
Related topics:
Reverse Engineering
1 of 64
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
PSCG The Ultimate Android Security Checklist Ron Munitz Founder & CEO - The PSCG Founder & CTO - Nubo ron@nubosoftware.com ron@android-x86.org https://github.com/ronubo/ @ronubo mdevcon Amsterdam March 2014
This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by- sa/4.0/ © Copyright Ron Munitz 2014 PSCG
about://Ron Munitz ● Founder and CEO of the PSCG ○ The Premium Embedded/Android consulting and Training firm ● Founder and CTO of Nubo ○ The first Remote Android Workspace ● Lecturer at Afeka College of Engineering ● Always up for something new ● Building up on diverse engineering experience: ○ Distributed Fault Tolerant Avionic Systems ○ Highly distributed video routers ○ Real Time, Embedded, Server bringups ○ Operating Systems, very esoteric libraries, 0’s, 1’s and lots of them. ■ Linux, Android ,VxWorks, Windows, iOS, devices, BSPs, DSPs,... ● Always willing to learn. Always willing to Teach PSCG
about://Information_Security You just can’t win But you can make attacking unworthy. PSCG
The Android Security Program ● Design Review ○ Each major feature of the platform is reviewed by engineering and security resources. ○ Only within Google and immediate partners ● Penetration Testing and Code Review ○ Performed by the Android Security Team, Google’s Information Security Engineering team, and independent security consultants. ○ Identify weaknesses and possible vulnerabilities well before the platform is open-sourced. PSCG
Android Security Program ● Open Source and Community Review ○ The Android Open Source Project enables broad security review by any interested party. ○ Android uses open source technologies that have undergone significant external security review ● Incident Response ○ A full-time Android security team constantly monitors Android-specific and the general security community for discussion of potential vulnerabilities. ○ They do a fantastic job but they are still only engineers. Not security gods PSCG
Android Security Architecture ● Security Objectives ○ Protect user data ○ Protect system resources (e.g. network, timeslice) ○ Provide application isolation ● More Security Objectives ○ Protect another type of user - the developer ○ Intellectual Property cannot be underestimated ○ And that will be our focus in this talk PSCG
Android Security Architecture ● Key Features ○ Robust security at the OS level through the Linux kernel ○ Mandatory application sandbox for all applications ○ Secure interprocess communication ○ Application signing ○ Application-defined and user-granted permissions ○ Last but not least: the latest and greatest: ■ Enforcing @ SE Linux ■ Multi-user sdcard @ LXC ■ Trusted boot support @ HW ○ ... PSCG
Linux Security basics ● A user-based permissions model ● Process isolation ● Hardware isolation (OS 101) ● Extensible mechanism for secure IPC ● Configurable, hence allows to remove unnecessary and potentially insecure parts of the kernel ● Does not DPI userspace ○ Beware the untrusted device PSCG
Security basics: Process isolation Suppose a multiuser operating system with users A and B. The OS: ● Prevents user A from reading user B's files ● Ensures that user A does not exhaust user B's memory ● Ensures that user A does not exhaust user B's CPU resources ● Ensures that user A does not exhaust user B's devices PSCG
The Android Application Sandbox The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. PSCG
The Android Application Sandbox ● The Android operating system is a multi-user Linux system in which each app is a different user. ● By default, the system assigns each app a unique Linux user ID (the ID is used only by the system and is unknown to the app). The system sets permissions for all the files in an app so that only the user ID assigned to that app can access them. ● Multi user support allows the same applications to run on several users ○ App’s “User name” := uX_aY // user X, app Y ○ UID := CONST * X + Y PSCG
The Android Application Sandbox ● Each process has its own virtual machine (VM), so an app's code runs in isolation from other apps. ● By default, every app runs in its own Linux process. ○ This can be changed with shared signatures ● A process starts when any of the app's components needs to be executed ● A process shuts down when it's no longer needed ● Or when the system must recover memory for other apps. ○ This is almost ALWAYS overlooked ○ Indirect attacks are still attacks, and they are harmful (@see Meetup.com’s DDOS incident) PSCG
The Android Application Sandbox Sandbox Isolation Example ● Suppose A tries to do something malicious like ○ read application B's data ○ dial the phone (application P ) without permission ● Then the operating system protects against this because application A does not have the appropriate user privileges. ● Some sort of principle of least privileged ○ Some sort: @see SE Linux PSCG
The Android Application Sandbox Android applications can allow access to their resources to other applications by: ● Declaring the appropriate manifest- permissions ● Running in the same process with other trusted applications, thus sharing access to their data and code ● A classic point for vulnerabilities ○ Abuse of permission mechanism kindness (Or: [I agree]) ○ Automatic exposure on intent filter Use: android:exported=”false” PSCG
The Android Application Sandbox Memory Corruption Exploits ● A memory corruption error does not lead to compromising the security of the device, due to all applications and their resources being sandboxed at the OS level. ● A memory corruption error will only allow arbitrary code execution in the context of that particular application, with the permissions established by the operating system. ● Suspect to data inspection, code injections/tampering... PSCG
The Application Sandbox Rational ● Application Sandbox is enforced by the kernel ● Hence its security reduces to the kernel’s security ● Which means that in a “properly configured” (read: trusted) device one must compromise the security of the the Linux kernel. ● Trust NO ONE ● Or restrict everyone. PSCG
System Permissions Summary of application isolation No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. ● reading or writing the user's private data (such as contacts or emails), ● reading or writing another application's files, ● performing network access, ● keeping the device awake, so on. PSCG
System Permissions Reaching out of the basic sandbox Applications must explicitly share resources and data ● They do this by declaring the permissions they need for additional capabilities not provided by the basic sandbox, including access to device features such as the camera. ● Exception: the intent-filter case PSCG
System Permissions The Manifest File - Using Permissions ● To make use of protected features of the device, developers must include in application’s AndroidManifest.xml one or more <uses-permission> tags declaring the permissions that your application needs. PSCG
System Permissions Example of some permissions ACCESS_NETWORK_STATE ● Allows applications to access information about networks CHANGE_NETWORK_STATE ● Allows applications to change network connectivity state DUMP ● Allows an application to retrieve state dump information from system services. DEVICE_ADMIN_POLICY ● Allows an application to apply administrative activities such as wiping a device PSCG
System Permissions Applications statically declare the permissions they require, and the Android system prompts the user for consent at the time the application is installed. ● Android has no mechanism for granting permissions dynamically (at run-time) ● Any attempts to use non explicitly permitted functions will fail ● Applications can also share files by using sharedUserId attribute in the AndroidManifest.xml PSCG
Application Signing All Android applications must be signed. Application or code signing is the process of digitally signing a given application using a private key to: ● Identify the code's author ● Detect if the application has changed ● Establish trust between applications PSCG
Android Application Build Process ● The Android Asset Packaging Tool (aapt) takes your application resource files, such as the AndroidManifest.xml file and the XML files for your Activities, and compiles them. An R.java is also produced so you can reference your resources from your Java code. ● The aidl tool converts any .aidl interfaces that you have into Java interfaces. ● All of your Java code, including the R.java and .aidl files, are compiled by the Java compiler and .class files are output. ● The dex tool converts the .class files to Dalvik byte code. Any 3rd party libraries and .class files that you have included in your project are also converted into .dex files so that they can be packaged into the final .apk file. PSCG
Android Application Build Process ● All non-compiled resources (such as images), compiled resources, and the .dex files are sent to the apkbuilder tool to be packaged into an .apk file. ● Once the .apk is built, it must be signed with either a debug or release key before it can be installed to a device. ● Finally, if the application is being signed in release mode, you must align the .apk with the zipalign tool. Aligning the final .apk decreases memory usage when the application is running on a device. PSCG
Reverse Engineering an App ● In life, it is hard to build and easy to destroy ● In Software it can be the same ● But it doesn’t have to. ● Reverse Engineering is the process of unbuilding. Decompiling. Extracting information out compiled programs ● It is a fascinating domain ● That can have disastrous outcomes
Android rev-eng Tools ● apktool ○ Decodes resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. ● dex2jar ○ dex2jar is a tool for converting Android's .dex format to Java's .class format. just one binary format to another binary format, not to source. ● JD-Project - jd-gui/jd-plugin ○ The “Java Decompiler project” aims to develop tools in order to decompile and analyze Java 5 “byte code” and the later versions. PSCG
Android rev-eng tools ● smali ○ Assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. Supports the full functionality of the dex format (annotations, debug info, line info, etc.) ● androguard ○ Androguard is mainly a tool written in python to play with : ■ Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation), ■ APK (Android application) (.apk) ● There are more. Commercial and non commercial ● When there is a will there is a way ● There is a will. Code, data, behavioral attacks, IP. PSCG
Reverse Engineering an App ● apktool takes your signed or unsigned application apk and retrieves ○ readable AndroidMenifest.xml ○ All it’s resources. ○ .dex/.odex files as .smali files which are dex disassembly. ● dex2jar tool creates jars that contain . class files of the application by converting .dex files. ● A Java Decompiler (*jd*) can then be applied. ○ The source code can be retrieved automatically by installing jd- plugin on Eclipse and opening . class files. Signed Apk Resources apktool .dex files Manifest .class files Java files dex2jar jd-plugin PSCG
Reversing Showcase ● For resources we will use apktool ○ Which are usually available in the . apk without charge ○ But in a binary forms (i.e. XML’s) PSCG
Reversing Showcase PSCG
Reversing Showcase ● After using apktool, we get the resources in the expected folder PSCG
Reversing Showcase ● This tool will serve us to get the .class files PSCG
Reversing Showcase ● After running dex2jar, we get jar file containing the . class files. PSCG
Reversing Showcase ● This tool will help us open .class files without source code ● In this case we install JD-Project as plugin to eclipse ● There is also a standalone version PSCG
Reversing Showcase ● In order for JD- Project to work, we need to have the jar in .classpath ● For that we will add jar file as external PSCG
Reversing Showcase ● There we have it. Snake app reverse engineered. PSCG
Reversing Showcase ● But what if I don’t have Eclipse? ○ Use jd-gui (my current choice) ○ Use JEB ○ Use other commercials or non commercials tools PSCG
Protecting Your Code with Proguard ● Proguard ○ Shrinks, optimizes, and obfuscates your code ■ by removing unused code and renaming classes, fields, and methods with semantically obscure names. ○ The result ■ smaller sized .apk file that is more difficult to reverse engineer. ○ Available through the Android SDK. PSCG
Protecting Your Code with Proguard ● To enable Proguard: ○ set the proguard.config property in the<project_root>/project. properties file. ○ The path can be an absolute path or a path relative to the project's root. ○ usually there is a commented line that should be uncomment in the project.properties ex: # proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt ■ Find examples for proguard-project.txt in Proguard’s webpage. PSCG
Protecting Your Code ● Obfuscate your code ○ Obfuscation Tools ■ DexGuard ○ Same as ProGuard but more and specifically for Android. ■ String Encryption ■ Class Encryption ■ Asset Encryption ■ Tamper Detection ■ …. ○ Not free or open sourced. PSCG
Protecting Your Code ● Obfuscate your code ○ Obfuscation Tools ■ There are more obfuscation companies for java protection ● yGuard ● JODE ● JavaGuard ● jarg ● ... PSCG
Protecting Your Code ● Perform signature verification tasks on a trusted server ● Protect your unlocked content ○ Use a real-time service to deliver your content, such as a content feed. ○ Use a remote server to deliver your content. PSCG
Protecting Your Code ● Know the basics of crypto ○ Nonces must not be predictable or reused. ○ Always use a cryptographically secure random number generator ○ If performing nonce verification on a server, generate the nonces on the server. ● And the non basics ● Know who to trust ● And do not assume your device is a “saint”. PSCG
Protecting Native Code ● While most Android applications developers use pure Android/Java language, it is wrong to assume a pure Java world: ○ Exhibit #1: Anything that uses HTML/JS. ■ Yes. That means all of your hybrid apps. ○ Exhibit #2: Anything that uses native code ■ Most likely games, TIFF/PDF readers, highly optimized code, portable code, high performance code and a lot more. ● Let’s talk about exhibit #2. PSCG
Protecting Native Code ● Briefly: JNI is to Java what __asm is to C ● You can load dynamic libraries “.so” to “extend” your Java code ○ That is not the case for (standard) iOS ● The bad news: Another level to protect. And you HAVE to do it yourself. (Woohoo, DIY!) ● The good news: If you do it right you can make attacker’s life even harder. PSCG
Native Code Protection Techniques ● Similar principles from Java ● Toolchain aid: ○ Optimize ( e.g. gcc -o<X> …) ○ Use different compilers/linkers ○ “Confuse” disassembler with call conventions ○ Strip everything not needed for object relocation (e. g. strip --strip-unneeded) ○ Compilation flags - see the AOSP platform build/core and the NDK prebuilt toolchains. ● User aid - Know your stuff - trust no one. PSCG
Code Protection Techniques ● Encrypt data. ● If you can: implement your own crypto. ○ You should not, cannot, and absolutely must not trust anyone. Or anything. ○ On the other hand: Testing, manpower… Easier to use symmetric crypto for it. ● Common issues: Where do you store the keys? Computation costs. ● Remember Kerckhoffs’s Principles.(Partially) ○ Do not disclose the keys. ○ Do (not) disclose the algorithms (if you can) PSCG
Monitoring countermeasures ● If you don’t need something - release it ○ The longer an object lives - the more suspect to attacking it is ● Cleanup on initialization ● Handle Errors - And cleanup. ○ Program crashes → Memory Dumps → Easier attacks ● Decide whether you protect (X)OR debug. You can’t win it all. ○ Prevent tracing /debugging ○ Remove Logs. PSCG
More things to consider ● Protecting your own native code is relatively easy. ● Protecting 3rd party libraries code is not. ● These techniques are applicable to Windows Phones as well ● And only partially to iOS devices ○ Unless you have the time and knowledge to manipulate the O-Mach structure. ○ Or you use a jailbroken device... ● You can’t win. ● But you can break the attacker’s spirit. PSCG
Using the sdcard ● If you store data on the SD card - you are storing it on a vfat/FAT32 file system ● Which means that everything there is exposed to everyone ● There are some ways to override it ○ See KitKat new external Storage ○ Override fuse implementations ○ SEL inux ○ ...
Secure Containers ● Android allows to protect your APKs ● By mounting them in a secure containers ○ @see /mnt/asec ● It also allows you to add secure data to them ● And protecting it is up to you ○ @see /mnt/obb ○ This is a serious weakness for the wider public ○ As obb’s tend to be shared between processes ○ So encrypt them as well
Rooting Android Rooting describes the acquisition of complete administrator rights on the device, allowing third-party programs to perform operations that were not originally available to them, such as controlling CPU clock speed or overwriting system files. PSCG
Rooting Android Application that has obtained administrative rights comes out of the application “sandbox,” so its declared features and granted permissions are no longer relevant. ● Can read and send files associated with other applications, watch the device’s owner, using the microphone without the owner’s knowledge, etc. PSCG
Rooting Android ● By default, on Android only the kernel and a small subset of the core applications run with root permissions. ● Android does not prevent a user or application with root permissions from modifying the operating system, kernel, and any other application. PSCG
Rooting Android ● In general, root has full access to all applications and all application data. ● Users that change the permissions on an Android device to grant root access to applications increase the security exposure to malicious applications and potential application flaws. PSCG
Rooting Android Relatively easy. Almost too easy (@see XDA) There is a protection To protect any existing user data from compromise the bootloader unlock mechanism requires that the bootloader erase any existing user data as part of the unlock step. *Root access gained via exploiting a kernel bug or security hole can bypass this protection. PSCG
So where is the Checklist?! ● Let’s pay a visit to the Oracle ○ Not the Complexity/Computability one. ○ Not the San Francisco based one either. ○ And not the Spartan one (@see yesterday’s movie) Boy: Do not try and bend the spoon. That's impossible. Instead only try to realize the truth. Neo: What truth? Boy: There is no spoon. Neo: There is no spoon? Boy: Then you'll see that it is not the spoon that bends, it is only yourself. *Quote taken from a movie which requires no introduction. PSCG
So where is the Checklist?! ● The truth is there is no (single) checklist. ● And the reason for that is that the checklist changes according to your reality. ● It is unreal to protect against everything. ● You need to work hard enough to make your attacker make much harder ● If you work too hard - you’ll lose focus. ● So before thinking of a list - think what you really want to protect PSCG
Building your own checklist ● Ask questions. Doubt everything. But be pragmatic. ○ What is my product “secrets”? In particular ■ Do I protect data? ● My data? ● My customer’s data? ■ Do I protect my algorithms? ■ Do I protect my servers against DOS? ■ Do I protect my license? ■ Do I protect my data? ○ Who are my attackers? ○ What can they benefit from attacking my product PSCG
Building your own checklist ● Ask questions. Doubt everything. But be pragmatic. ○ How hard am I willing to work? What is my team’s skillset? ○ How hard will my attacker be willing to work? ○ What happens if an attacker succeeds? ○ What is considered an attacker’s success? ○ What hardware will they possess ○ Will it run a trusted OS? ■ This is actually not trivial - see my ROM cooking bootcamps ● So many questions... PSCG
Building your own checklist ● Never stop asking. ● But prioritize. ● There is NEVER a general solution for all problems. ○ Saying otherwise is great for marketing ○ But that’s a brutal lie ● There are however 10 commandments which are always to be considered. PSCG
The ultimate Security Checklist ● These 10 commandments would be ○ Obfuscate and Shrink ○ Optimize and Strip ○ Encrypt your strings, assets, and data ○ Encrypt database values ○ And keep the keys away if you can ○ Beware your client’s operating system ○ Know what you want protect. Then know how ○ Move your critical algorithms to native code - they will be harder to rev-eng ○ Remove any debugging/tracing/logging remainders ○ Question, doubt and never stop thinking. ● And a bonus advice: ○ Make your own commandments. ○ You know yourself better than the others. PSCG
Thank You PSCG

More Related Content

PDF
The Ultimate Android Security Checklist (AnDevCon Boston 2014)
Ron Munitz
 
PDF
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Codemotion
 
PDF
The Ultimate Android Security Checklist (Codemotion Tel-Aviv, 2014)
Ron Munitz
 
PDF
CodeMotion tel aviv 2015 - burning marshmallows
Ron Munitz
 
PPTX
Fast-paced Introduction to Android Internals
Hamilton Turner
 
PDF
Embedded linux build systems
Mender.io
 
PDF
IoT: Contrasting Yocto/Buildroot to binary OSes
Mender.io
 
PPTX
Android Framework
CodeAndroid
 
The Ultimate Android Security Checklist (AnDevCon Boston 2014)
Ron Munitz
 
Ron Munitz - The Ultimate Android Security Checklist - Codemotion Rome 2015
Codemotion
 
The Ultimate Android Security Checklist (Codemotion Tel-Aviv, 2014)
Ron Munitz
 
CodeMotion tel aviv 2015 - burning marshmallows
Ron Munitz
 
Fast-paced Introduction to Android Internals
Hamilton Turner
 
Embedded linux build systems
Mender.io
 
IoT: Contrasting Yocto/Buildroot to binary OSes
Mender.io
 
Android Framework
CodeAndroid
 

What's hot (16)

PDF
A Taste of Monitoring and Post Mortem Debugging with Node
ibmwebspheresoftware
 
PDF
ElasTest presentation in MadridJUG (Madrid December 2017)
ElasTest Project
 
PDF
Node.js post-mortem debugging with mdb and SmartOS
juliengilli
 
PDF
Mitigating Java Deserialization attacks from within the JVM
Apostolos Giannakidis
 
PDF
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Priyanka Aash
 
PPT
DSDP Mobile Tools for Java New and Noteworthy
diegomadruga
 
PPT
DSDP Mobile Tools for Java New and Noteworthy
gustavoeliano
 
PPTX
Android Overview
Raju Kadam
 
PPTX
Android
BVP GTUG
 
PDF
Android workshop material
Reza Yogaswara
 
PDF
Android dev o_auth
lzongren
 
PPTX
From java to android a security analysis
Pragati Rai
 
PPTX
Metasploit & Windows Kernel Exploitation
zeroSteiner
 
PDF
Docker en kernel security
smart_bit
 
PDF
A million ways to provision embedded linux devices
Mender.io
 
PDF
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
Mender.io
 
A Taste of Monitoring and Post Mortem Debugging with Node
ibmwebspheresoftware
 
ElasTest presentation in MadridJUG (Madrid December 2017)
ElasTest Project
 
Node.js post-mortem debugging with mdb and SmartOS
juliengilli
 
Mitigating Java Deserialization attacks from within the JVM
Apostolos Giannakidis
 
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities
Priyanka Aash
 
DSDP Mobile Tools for Java New and Noteworthy
diegomadruga
 
DSDP Mobile Tools for Java New and Noteworthy
gustavoeliano
 
Android Overview
Raju Kadam
 
Android
BVP GTUG
 
Android workshop material
Reza Yogaswara
 
Android dev o_auth
lzongren
 
From java to android a security analysis
Pragati Rai
 
Metasploit & Windows Kernel Exploitation
zeroSteiner
 
Docker en kernel security
smart_bit
 
A million ways to provision embedded linux devices
Mender.io
 
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
Mender.io
 
Ad

Similar to The Ultimate Android Security Checklist (Mdevcon 2014) (20)

PDF
Unit 1 Kali Nethunter Android: OS, Debub Bridge
ChatanBawankar
 
PDF
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
Ron Munitz
 
PDF
Unit Kali NetHunter is the official Kali Linux penetration testing platform f...
ChatanBawankar
 
ODP
Android security in depth - extended
Sander Alberink
 
PPTX
Androidoverview 100405150711-phpapp01
Santosh Sh
 
ODP
Android security in depth
Sander Alberink
 
PDF
MobSecCon 2015 - Burning Marshmallows
Ron Munitz
 
PDF
Voxxed Days Villnius 2015 - Burning Marshmallows
Ron Munitz
 
PPT
Introduction to android sessions new
Joe Jacob
 
ODP
Android App Development - 01 Introduction
Diego Grancini
 
PPTX
3. Android Architecture.pptx
HarshiniB11
 
PPTX
Android Application Development
Ramesh Prasad
 
PDF
Android Internals at Linaro Connect Asia 2013
Opersys inc.
 
PDF
CodeMotion tel aviv 2015 - android reverse engineering lab
Ron Munitz
 
PDF
Running Code in the Android Stack at ELCE 2013
Opersys inc.
 
PPTX
Mobile Application Development powerpoint
JohnLagman3
 
PPT
Android Security
Suminda Gunawardhana
 
PDF
Leveraging Android's Linux Heritage at AnDevCon IV
Opersys inc.
 
PDF
CNIT 128 Ch 4: Android
Sam Bowne
 
PPTX
Session 2 beccse
vin123456gangal
 
Unit 1 Kali Nethunter Android: OS, Debub Bridge
ChatanBawankar
 
Voxxed days Vilnius 2015 - Android Reverse Engineering Lab
Ron Munitz
 
Unit Kali NetHunter is the official Kali Linux penetration testing platform f...
ChatanBawankar
 
Android security in depth - extended
Sander Alberink
 
Androidoverview 100405150711-phpapp01
Santosh Sh
 
Android security in depth
Sander Alberink
 
MobSecCon 2015 - Burning Marshmallows
Ron Munitz
 
Voxxed Days Villnius 2015 - Burning Marshmallows
Ron Munitz
 
Introduction to android sessions new
Joe Jacob
 
Android App Development - 01 Introduction
Diego Grancini
 
3. Android Architecture.pptx
HarshiniB11
 
Android Application Development
Ramesh Prasad
 
Android Internals at Linaro Connect Asia 2013
Opersys inc.
 
CodeMotion tel aviv 2015 - android reverse engineering lab
Ron Munitz
 
Running Code in the Android Stack at ELCE 2013
Opersys inc.
 
Mobile Application Development powerpoint
JohnLagman3
 
Android Security
Suminda Gunawardhana
 
Leveraging Android's Linux Heritage at AnDevCon IV
Opersys inc.
 
CNIT 128 Ch 4: Android
Sam Bowne
 
Session 2 beccse
vin123456gangal
 
Ad

Recently uploaded (20)

PPTX
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PPT
Geologic Time for studying geology for geologist
ssuser738f5a
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PPTX
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
PDF
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
PDF
Five Habits of High-Impact Board Members
OnBoard
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PPT
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
PDF
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
PPTX
Chapter 5: Probability Theory and Statistics
RandyFin
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
Unlock new opportunities with location data.pdf
Precisely
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
PDF
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
PDF
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 
O2C Customer Invoices to Receipt V15A.pptx
ssuserbfa915
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Geologic Time for studying geology for geologist
ssuser738f5a
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Benefits of Physical activity for teenagers.pptx
Nokwanda Thabethe
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
STKI Israel Market Study 2025 version august
Dr. Jimmy Schwarzkopf
 
Taming the Chaos: How to Turn Unstructured Data into Decisions
Safe Software
 
Five Habits of High-Impact Board Members
OnBoard
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
Module 1.ppt Iot fundamentals and Architecture
nanditha7766
 
Architecture types and enterprise applications.pdf
ChristopherTHyatt
 
Chapter 5: Probability Theory and Statistics
RandyFin
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Unlock new opportunities with location data.pdf
Precisely
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
Hybrid horned lizard optimization algorithm-aquila optimizer for DC motor
IAESIJAI
 
Microsoft Solutions Partner Drive Digital Transformation with D365.pdf
Microsoft Dynamics
 

The Ultimate Android Security Checklist (Mdevcon 2014)

  • 1. PSCG The Ultimate Android Security Checklist Ron Munitz Founder & CEO - The PSCG Founder & CTO - Nubo ron@nubosoftware.com ron@android-x86.org https://github.com/ronubo/ @ronubo mdevcon Amsterdam March 2014
  • 2. This work is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by- sa/4.0/ © Copyright Ron Munitz 2014 PSCG
  • 3. about://Ron Munitz ● Founder and CEO of the PSCG ○ The Premium Embedded/Android consulting and Training firm ● Founder and CTO of Nubo ○ The first Remote Android Workspace ● Lecturer at Afeka College of Engineering ● Always up for something new ● Building up on diverse engineering experience: ○ Distributed Fault Tolerant Avionic Systems ○ Highly distributed video routers ○ Real Time, Embedded, Server bringups ○ Operating Systems, very esoteric libraries, 0’s, 1’s and lots of them. ■ Linux, Android ,VxWorks, Windows, iOS, devices, BSPs, DSPs,... ● Always willing to learn. Always willing to Teach PSCG
  • 4. about://Information_Security You just can’t win But you can make attacking unworthy. PSCG
  • 5. The Android Security Program ● Design Review ○ Each major feature of the platform is reviewed by engineering and security resources. ○ Only within Google and immediate partners ● Penetration Testing and Code Review ○ Performed by the Android Security Team, Google’s Information Security Engineering team, and independent security consultants. ○ Identify weaknesses and possible vulnerabilities well before the platform is open-sourced. PSCG
  • 6. Android Security Program ● Open Source and Community Review ○ The Android Open Source Project enables broad security review by any interested party. ○ Android uses open source technologies that have undergone significant external security review ● Incident Response ○ A full-time Android security team constantly monitors Android-specific and the general security community for discussion of potential vulnerabilities. ○ They do a fantastic job but they are still only engineers. Not security gods PSCG
  • 7. Android Security Architecture ● Security Objectives ○ Protect user data ○ Protect system resources (e.g. network, timeslice) ○ Provide application isolation ● More Security Objectives ○ Protect another type of user - the developer ○ Intellectual Property cannot be underestimated ○ And that will be our focus in this talk PSCG
  • 8. Android Security Architecture ● Key Features ○ Robust security at the OS level through the Linux kernel ○ Mandatory application sandbox for all applications ○ Secure interprocess communication ○ Application signing ○ Application-defined and user-granted permissions ○ Last but not least: the latest and greatest: ■ Enforcing @ SE Linux ■ Multi-user sdcard @ LXC ■ Trusted boot support @ HW ○ ... PSCG
  • 9. Linux Security basics ● A user-based permissions model ● Process isolation ● Hardware isolation (OS 101) ● Extensible mechanism for secure IPC ● Configurable, hence allows to remove unnecessary and potentially insecure parts of the kernel ● Does not DPI userspace ○ Beware the untrusted device PSCG
  • 10. Security basics: Process isolation Suppose a multiuser operating system with users A and B. The OS: ● Prevents user A from reading user B's files ● Ensures that user A does not exhaust user B's memory ● Ensures that user A does not exhaust user B's CPU resources ● Ensures that user A does not exhaust user B's devices PSCG
  • 11. The Android Application Sandbox The Android system assigns a unique user ID (UID) to each Android application and runs it as that user in a separate process. PSCG
  • 12. The Android Application Sandbox ● The Android operating system is a multi-user Linux system in which each app is a different user. ● By default, the system assigns each app a unique Linux user ID (the ID is used only by the system and is unknown to the app). The system sets permissions for all the files in an app so that only the user ID assigned to that app can access them. ● Multi user support allows the same applications to run on several users ○ App’s “User name” := uX_aY // user X, app Y ○ UID := CONST * X + Y PSCG
  • 13. The Android Application Sandbox ● Each process has its own virtual machine (VM), so an app's code runs in isolation from other apps. ● By default, every app runs in its own Linux process. ○ This can be changed with shared signatures ● A process starts when any of the app's components needs to be executed ● A process shuts down when it's no longer needed ● Or when the system must recover memory for other apps. ○ This is almost ALWAYS overlooked ○ Indirect attacks are still attacks, and they are harmful (@see Meetup.com’s DDOS incident) PSCG
  • 14. The Android Application Sandbox Sandbox Isolation Example ● Suppose A tries to do something malicious like ○ read application B's data ○ dial the phone (application P ) without permission ● Then the operating system protects against this because application A does not have the appropriate user privileges. ● Some sort of principle of least privileged ○ Some sort: @see SE Linux PSCG
  • 15. The Android Application Sandbox Android applications can allow access to their resources to other applications by: ● Declaring the appropriate manifest- permissions ● Running in the same process with other trusted applications, thus sharing access to their data and code ● A classic point for vulnerabilities ○ Abuse of permission mechanism kindness (Or: [I agree]) ○ Automatic exposure on intent filter Use: android:exported=”false” PSCG
  • 16. The Android Application Sandbox Memory Corruption Exploits ● A memory corruption error does not lead to compromising the security of the device, due to all applications and their resources being sandboxed at the OS level. ● A memory corruption error will only allow arbitrary code execution in the context of that particular application, with the permissions established by the operating system. ● Suspect to data inspection, code injections/tampering... PSCG
  • 17. The Application Sandbox Rational ● Application Sandbox is enforced by the kernel ● Hence its security reduces to the kernel’s security ● Which means that in a “properly configured” (read: trusted) device one must compromise the security of the the Linux kernel. ● Trust NO ONE ● Or restrict everyone. PSCG
  • 18. System Permissions Summary of application isolation No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. ● reading or writing the user's private data (such as contacts or emails), ● reading or writing another application's files, ● performing network access, ● keeping the device awake, so on. PSCG
  • 19. System Permissions Reaching out of the basic sandbox Applications must explicitly share resources and data ● They do this by declaring the permissions they need for additional capabilities not provided by the basic sandbox, including access to device features such as the camera. ● Exception: the intent-filter case PSCG
  • 20. System Permissions The Manifest File - Using Permissions ● To make use of protected features of the device, developers must include in application’s AndroidManifest.xml one or more <uses-permission> tags declaring the permissions that your application needs. PSCG
  • 21. System Permissions Example of some permissions ACCESS_NETWORK_STATE ● Allows applications to access information about networks CHANGE_NETWORK_STATE ● Allows applications to change network connectivity state DUMP ● Allows an application to retrieve state dump information from system services. DEVICE_ADMIN_POLICY ● Allows an application to apply administrative activities such as wiping a device PSCG
  • 22. System Permissions Applications statically declare the permissions they require, and the Android system prompts the user for consent at the time the application is installed. ● Android has no mechanism for granting permissions dynamically (at run-time) ● Any attempts to use non explicitly permitted functions will fail ● Applications can also share files by using sharedUserId attribute in the AndroidManifest.xml PSCG
  • 23. Application Signing All Android applications must be signed. Application or code signing is the process of digitally signing a given application using a private key to: ● Identify the code's author ● Detect if the application has changed ● Establish trust between applications PSCG
  • 24. Android Application Build Process ● The Android Asset Packaging Tool (aapt) takes your application resource files, such as the AndroidManifest.xml file and the XML files for your Activities, and compiles them. An R.java is also produced so you can reference your resources from your Java code. ● The aidl tool converts any .aidl interfaces that you have into Java interfaces. ● All of your Java code, including the R.java and .aidl files, are compiled by the Java compiler and .class files are output. ● The dex tool converts the .class files to Dalvik byte code. Any 3rd party libraries and .class files that you have included in your project are also converted into .dex files so that they can be packaged into the final .apk file. PSCG
  • 25. Android Application Build Process ● All non-compiled resources (such as images), compiled resources, and the .dex files are sent to the apkbuilder tool to be packaged into an .apk file. ● Once the .apk is built, it must be signed with either a debug or release key before it can be installed to a device. ● Finally, if the application is being signed in release mode, you must align the .apk with the zipalign tool. Aligning the final .apk decreases memory usage when the application is running on a device. PSCG
  • 26. Reverse Engineering an App ● In life, it is hard to build and easy to destroy ● In Software it can be the same ● But it doesn’t have to. ● Reverse Engineering is the process of unbuilding. Decompiling. Extracting information out compiled programs ● It is a fascinating domain ● That can have disastrous outcomes
  • 27. Android rev-eng Tools ● apktool ○ Decodes resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. ● dex2jar ○ dex2jar is a tool for converting Android's .dex format to Java's .class format. just one binary format to another binary format, not to source. ● JD-Project - jd-gui/jd-plugin ○ The “Java Decompiler project” aims to develop tools in order to decompile and analyze Java 5 “byte code” and the later versions. PSCG
  • 28. Android rev-eng tools ● smali ○ Assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. Supports the full functionality of the dex format (annotations, debug info, line info, etc.) ● androguard ○ Androguard is mainly a tool written in python to play with : ■ Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation), ■ APK (Android application) (.apk) ● There are more. Commercial and non commercial ● When there is a will there is a way ● There is a will. Code, data, behavioral attacks, IP. PSCG
  • 29. Reverse Engineering an App ● apktool takes your signed or unsigned application apk and retrieves ○ readable AndroidMenifest.xml ○ All it’s resources. ○ .dex/.odex files as .smali files which are dex disassembly. ● dex2jar tool creates jars that contain . class files of the application by converting .dex files. ● A Java Decompiler (*jd*) can then be applied. ○ The source code can be retrieved automatically by installing jd- plugin on Eclipse and opening . class files. Signed Apk Resources apktool .dex files Manifest .class files Java files dex2jar jd-plugin PSCG
  • 30. Reversing Showcase ● For resources we will use apktool ○ Which are usually available in the . apk without charge ○ But in a binary forms (i.e. XML’s) PSCG
  • 32. Reversing Showcase ● After using apktool, we get the resources in the expected folder PSCG
  • 33. Reversing Showcase ● This tool will serve us to get the .class files PSCG
  • 34. Reversing Showcase ● After running dex2jar, we get jar file containing the . class files. PSCG
  • 35. Reversing Showcase ● This tool will help us open .class files without source code ● In this case we install JD-Project as plugin to eclipse ● There is also a standalone version PSCG
  • 36. Reversing Showcase ● In order for JD- Project to work, we need to have the jar in .classpath ● For that we will add jar file as external PSCG
  • 37. Reversing Showcase ● There we have it. Snake app reverse engineered. PSCG
  • 38. Reversing Showcase ● But what if I don’t have Eclipse? ○ Use jd-gui (my current choice) ○ Use JEB ○ Use other commercials or non commercials tools PSCG
  • 39. Protecting Your Code with Proguard ● Proguard ○ Shrinks, optimizes, and obfuscates your code ■ by removing unused code and renaming classes, fields, and methods with semantically obscure names. ○ The result ■ smaller sized .apk file that is more difficult to reverse engineer. ○ Available through the Android SDK. PSCG
  • 40. Protecting Your Code with Proguard ● To enable Proguard: ○ set the proguard.config property in the<project_root>/project. properties file. ○ The path can be an absolute path or a path relative to the project's root. ○ usually there is a commented line that should be uncomment in the project.properties ex: # proguard.config=${sdk.dir}/tools/proguard/proguard-android.txt:proguard-project.txt ■ Find examples for proguard-project.txt in Proguard’s webpage. PSCG
  • 41. Protecting Your Code ● Obfuscate your code ○ Obfuscation Tools ■ DexGuard ○ Same as ProGuard but more and specifically for Android. ■ String Encryption ■ Class Encryption ■ Asset Encryption ■ Tamper Detection ■ …. ○ Not free or open sourced. PSCG
  • 42. Protecting Your Code ● Obfuscate your code ○ Obfuscation Tools ■ There are more obfuscation companies for java protection ● yGuard ● JODE ● JavaGuard ● jarg ● ... PSCG
  • 43. Protecting Your Code ● Perform signature verification tasks on a trusted server ● Protect your unlocked content ○ Use a real-time service to deliver your content, such as a content feed. ○ Use a remote server to deliver your content. PSCG
  • 44. Protecting Your Code ● Know the basics of crypto ○ Nonces must not be predictable or reused. ○ Always use a cryptographically secure random number generator ○ If performing nonce verification on a server, generate the nonces on the server. ● And the non basics ● Know who to trust ● And do not assume your device is a “saint”. PSCG
  • 45. Protecting Native Code ● While most Android applications developers use pure Android/Java language, it is wrong to assume a pure Java world: ○ Exhibit #1: Anything that uses HTML/JS. ■ Yes. That means all of your hybrid apps. ○ Exhibit #2: Anything that uses native code ■ Most likely games, TIFF/PDF readers, highly optimized code, portable code, high performance code and a lot more. ● Let’s talk about exhibit #2. PSCG
  • 46. Protecting Native Code ● Briefly: JNI is to Java what __asm is to C ● You can load dynamic libraries “.so” to “extend” your Java code ○ That is not the case for (standard) iOS ● The bad news: Another level to protect. And you HAVE to do it yourself. (Woohoo, DIY!) ● The good news: If you do it right you can make attacker’s life even harder. PSCG
  • 47. Native Code Protection Techniques ● Similar principles from Java ● Toolchain aid: ○ Optimize ( e.g. gcc -o<X> …) ○ Use different compilers/linkers ○ “Confuse” disassembler with call conventions ○ Strip everything not needed for object relocation (e. g. strip --strip-unneeded) ○ Compilation flags - see the AOSP platform build/core and the NDK prebuilt toolchains. ● User aid - Know your stuff - trust no one. PSCG
  • 48. Code Protection Techniques ● Encrypt data. ● If you can: implement your own crypto. ○ You should not, cannot, and absolutely must not trust anyone. Or anything. ○ On the other hand: Testing, manpower… Easier to use symmetric crypto for it. ● Common issues: Where do you store the keys? Computation costs. ● Remember Kerckhoffs’s Principles.(Partially) ○ Do not disclose the keys. ○ Do (not) disclose the algorithms (if you can) PSCG
  • 49. Monitoring countermeasures ● If you don’t need something - release it ○ The longer an object lives - the more suspect to attacking it is ● Cleanup on initialization ● Handle Errors - And cleanup. ○ Program crashes → Memory Dumps → Easier attacks ● Decide whether you protect (X)OR debug. You can’t win it all. ○ Prevent tracing /debugging ○ Remove Logs. PSCG
  • 50. More things to consider ● Protecting your own native code is relatively easy. ● Protecting 3rd party libraries code is not. ● These techniques are applicable to Windows Phones as well ● And only partially to iOS devices ○ Unless you have the time and knowledge to manipulate the O-Mach structure. ○ Or you use a jailbroken device... ● You can’t win. ● But you can break the attacker’s spirit. PSCG
  • 51. Using the sdcard ● If you store data on the SD card - you are storing it on a vfat/FAT32 file system ● Which means that everything there is exposed to everyone ● There are some ways to override it ○ See KitKat new external Storage ○ Override fuse implementations ○ SEL inux ○ ...
  • 52. Secure Containers ● Android allows to protect your APKs ● By mounting them in a secure containers ○ @see /mnt/asec ● It also allows you to add secure data to them ● And protecting it is up to you ○ @see /mnt/obb ○ This is a serious weakness for the wider public ○ As obb’s tend to be shared between processes ○ So encrypt them as well
  • 53. Rooting Android Rooting describes the acquisition of complete administrator rights on the device, allowing third-party programs to perform operations that were not originally available to them, such as controlling CPU clock speed or overwriting system files. PSCG
  • 54. Rooting Android Application that has obtained administrative rights comes out of the application “sandbox,” so its declared features and granted permissions are no longer relevant. ● Can read and send files associated with other applications, watch the device’s owner, using the microphone without the owner’s knowledge, etc. PSCG
  • 55. Rooting Android ● By default, on Android only the kernel and a small subset of the core applications run with root permissions. ● Android does not prevent a user or application with root permissions from modifying the operating system, kernel, and any other application. PSCG
  • 56. Rooting Android ● In general, root has full access to all applications and all application data. ● Users that change the permissions on an Android device to grant root access to applications increase the security exposure to malicious applications and potential application flaws. PSCG
  • 57. Rooting Android Relatively easy. Almost too easy (@see XDA) There is a protection To protect any existing user data from compromise the bootloader unlock mechanism requires that the bootloader erase any existing user data as part of the unlock step. *Root access gained via exploiting a kernel bug or security hole can bypass this protection. PSCG
  • 58. So where is the Checklist?! ● Let’s pay a visit to the Oracle ○ Not the Complexity/Computability one. ○ Not the San Francisco based one either. ○ And not the Spartan one (@see yesterday’s movie) Boy: Do not try and bend the spoon. That's impossible. Instead only try to realize the truth. Neo: What truth? Boy: There is no spoon. Neo: There is no spoon? Boy: Then you'll see that it is not the spoon that bends, it is only yourself. *Quote taken from a movie which requires no introduction. PSCG
  • 59. So where is the Checklist?! ● The truth is there is no (single) checklist. ● And the reason for that is that the checklist changes according to your reality. ● It is unreal to protect against everything. ● You need to work hard enough to make your attacker make much harder ● If you work too hard - you’ll lose focus. ● So before thinking of a list - think what you really want to protect PSCG
  • 60. Building your own checklist ● Ask questions. Doubt everything. But be pragmatic. ○ What is my product “secrets”? In particular ■ Do I protect data? ● My data? ● My customer’s data? ■ Do I protect my algorithms? ■ Do I protect my servers against DOS? ■ Do I protect my license? ■ Do I protect my data? ○ Who are my attackers? ○ What can they benefit from attacking my product PSCG
  • 61. Building your own checklist ● Ask questions. Doubt everything. But be pragmatic. ○ How hard am I willing to work? What is my team’s skillset? ○ How hard will my attacker be willing to work? ○ What happens if an attacker succeeds? ○ What is considered an attacker’s success? ○ What hardware will they possess ○ Will it run a trusted OS? ■ This is actually not trivial - see my ROM cooking bootcamps ● So many questions... PSCG
  • 62. Building your own checklist ● Never stop asking. ● But prioritize. ● There is NEVER a general solution for all problems. ○ Saying otherwise is great for marketing ○ But that’s a brutal lie ● There are however 10 commandments which are always to be considered. PSCG
  • 63. The ultimate Security Checklist ● These 10 commandments would be ○ Obfuscate and Shrink ○ Optimize and Strip ○ Encrypt your strings, assets, and data ○ Encrypt database values ○ And keep the keys away if you can ○ Beware your client’s operating system ○ Know what you want protect. Then know how ○ Move your critical algorithms to native code - they will be harder to rev-eng ○ Remove any debugging/tracing/logging remainders ○ Question, doubt and never stop thinking. ● And a bonus advice: ○ Make your own commandments. ○ You know yourself better than the others. PSCG