MobileDeviceandPlatformSecurity– PartII

JohnMitchell

CS155 Spring2017

GuestLectureTuesdayJune6

• Diogo Mónica,DirectorofsecurityatDocker• Topicsincludecontainersecurityandwhatitislikeworkingasasecurityengineer

• Diogo averygoodspeaker.Pleaseshowyourappreciatingandcometoclass.

• Wewillincludetopicsonthefinalexam

Twolecturesonmobilesecurity• Introduction:platformsandtrends• Threatcategories

– Physical,platformmalware,maliciousapps• Defenseagainstphysicaltheft• Malwarethreats• Systemarchitectureanddefenses

– AppleiOSsecurityfeaturesandappsecuritymodel– Androidsecurityfeaturesandappsecuritymodel

• Securityappdevelopment– WebView– secureappandwebinterfacedev– Devicefragmentation

Tues

Thurs

ANDROID

Historyandearlydecisions

Androidhistory

• Android,IncfoundedbyAndyRubinaround2005– WorkedwithHTC-builtdevicewithaphysicalkeyboard– ScrappedBlackberry-likephonewheniPhonecameout– FirstAndroidphoneHTCDream,Oct2008(T-MobileG1):touchscreenandkeyboard

• Open-sourcesoftwareproject• BackedandacquiredbyGoogle

HTCDream• Firstphonehad

– Android1.6(Donut)– 3.15megapixelrear

camerawithauto-focus– 3.2inchtouchscreen– Gmail, GoogleMaps,

Search,GoogleTalk, YouTube,calendar,contacts,alarm

Androidecosystem

• Open-sourcesoftwaredistributedbyGoogle– IncreasenumberofusersanddeviceslinkedtocoreGoogleproducts

• Multiplehardwarevendors– Cancustomizesoftwarefortheirproducts

• Openmarketplaceforapps

Appmarket

• Self-signedapps• Apppermissions

– grantedonuserinstallation

• Openmarket– Badappsmayshowuponmarket– Shiftsfocusfromremoteexploittoprivilegeescalation

ANDROIDPLATFORM

Devicelockingandpermissions

Devicelockandunlock

• SimilarPINandfingerprint• FingerprintAPIletsusers

– Unlockdevice– Securelysignintoapps– UseAndroidPay– PurchaseonPlayStore

Androidpermissions

• ExampleofpermissionsprovidedbyAndroid

– “android.permission.INTERNET”– “android.permission.READ_EXTERNAL_STORAGE– “android.permission.SEND_SMS”– “android.permission.BLUETOOTH”

• Alsopossibletodefinecustompermissions

Androidpermissionmodel

https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf

ANDROIDPLATFORM

Platformsecurityfeatures

Android

• Platformoutline:– Linuxkernel,browser,SQL-litedatabase– Softwareforsecurenetworkcommunication

• OpenSSL,BouncyCastlecryptoAPIandJavalibrary

– Clanguageinfrastructure– Javaplatformforrunningapplications

• Dalvik bytecode,virtualmachine

Exploitprevention• Opensource:publicreview,noobscurity• Goals

– Preventremoteattacks,privilegeescalation– Securedrivers,mediacodecs,newandcustomfeatures

• Overflowprevention– ProPolice stackprotection

• FirstontheARMarchitecture– Someheapoverflowprotections

• ChunkconsolidationinDLmalloc (fromOpenBSD)

• ASLR– Avoidedininitialrelease

• Manypre-linkedimagesforperformance– LaterdevelopedandcontributedbyBojinov,Boneh

dlmalloc (DougLea)

• Storesmetadatainband• Heapconsolidationattack

– Heapoverflowcanoverwritepointerstopreviousandnextunconsolidatedchunks

– Overwritingthesepointersallowsremotecodeexecution

• Changetoimprovesecurity– Checkintegrityofforwardandbackwardpointers

• Simplycheckthatback-forward-back=back,f-b-f=f– Increasesthedifficultyofheapoverflow

ANDROIDPLATFORM

Appexecutionenvironment

Applicationdevelopmentconcepts• Activity– one-usertask

– Example:scrollthroughyourinbox– Emailclientcomprisesmanyactivities

• Service– Javadaemonthatrunsinbackground– Example:applicationthatstreamsanmp3inbackground

• Intents– asynchronousmessagingsystem– Fireanintenttoswitchfromoneactivitytoanother– Example:emailapphasinbox,composeactivity,vieweractivity

• Userclickoninboxentryfiresanintenttothevieweractivity,whichthenallowsusertoviewthatemail

• Contentprovider– Storeandsharedatausingarelationaldatabaseinterface

• Broadcastreceiver– “mailboxes”formessagesfromotherapplications

SecurityFeatures• Isolation

– Multi-userLinuxoperatingsystem– Eachapplicationnormallyrunsasadifferentuser

• Communicationbetweenapplications– MaysharesameLinuxuserID

• Accessfilesfromeachother• MaysharesameLinuxprocessandDalvik VM

– Communicatethroughapplicationframework• “Intents,”basedonBinder,discussedinafewslides

• Batterylife– Developersmustconservepower– Applicationsstorestatesotheycanbestopped(tosavepower)andrestarted– helpswithDoS

Applicationdevelopmentprocess

Applicationsandbox

• Applicationsandbox– EachapplicationrunswithitsUIDinitsownDalvikvirtualmachine

• ProvidesCPUprotection,memoryprotection• AuthenticatedcommunicationprotectionusingUnixdomainsockets

• Onlyping,zygote(spawnanotherprocess)runasroot

– Applicationsannouncepermissionrequirement• Createawhitelist model– usergrantsaccess

– Don’tinterruptuser– allquestionsaskedasinstalltime

• Inter-componentcommunicationreferencemonitorcheckspermissions

Androidpermissionmodel

https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf

AndroidIntents

• Msg betweencomponentsinsameordifferentapp• Intentisabundleofinformation,e.g.,

– actiontobetaken– datatoacton– categoryofcomponenttohandletheintent– instructionsonhowtolaunchatargetactivity

• Routingcanbe– Explicit:deliveredonlytoaspecificreceiver– Implicit:allcomponentsthathaveregisteredtoreceivethatactionwillgetthemessage

• Layersofsecurity– Eachapplicationexecutesasitsownuseridentity– Androidmiddlewarehasreferencemonitorthatmediatestheestablishmentofinter-componentcommunication(ICC)

Source: Penn State group Android security paper

Source: Penn State group, Android security tutorial

Securityissueswithintents

• Senderofanintentcanverifythattherecipienthasapermissionbyspecifyingapermissionwiththemethodcall

• Senderscanuseexplicitintentstosendthemessagetoasinglecomponent(avoidingbroadcasting)

• Receivershavetohandlemaliciousintents

Attack:Permissionredelegation

• Definition:anapplicationwithoutapermissiongainsadditionalprivilegesthroughanotherapplication

• Exampleofthe“confuseddeputy”problem

Permissionredelegation

https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf

Permissionredelegation

https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf

Howcouldthishappen?

• Appw/permissionsexposesapublicinterface• Studyin2011

– Examine872apps– 320ofthese(37%)havepermissionsandatleastonetypeofpubliccomponent

– Constructattacksusing15vulnerabilitiesin5apps• Reference

– PermissionRe-Delegation:AttacksandDefenses,AdrienneFelt,HelenWang,AlexanderMoshchuk,StevenHanna,ErikaChin,Usenix 2011

Example:powercontrolwidget• DefaultwidgetsprovidedbyAndroid,presentonalldevices

• CanchangeWi-fi,BT,GPS,DataSync,ScreenBrightnesswithonlyoneclick

• UsesIntenttocommunicatetheeventofswitchingsettings• AmaliciousappwithoutpermissionscansendafakeIntentto

thePowerControlWidget,simulatingclicktoswitchsettings

https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf

Vulnerableversions(inred)

• Principleofleastprivilegehelpsbutisnotasolution• Appswithpermissionsneedtomanagesecurity

https://www.owasp.org/images/3/3e/Danelon_OWASP_EU_Tour_2013.pdf

JavaSandbox

• Fourcomplementarymechanisms– Classloader

• Separatenamespacesforseparateclassloaders• Associatesprotectiondomainwitheachclass

– VerifierandJVMrun-timetests• NOuncheckedcastsorothertypeerrors,NOarrayoverflow• Preservesprivate,protectedvisibilitylevels

– SecurityManager• Calledbylibraryfunctionstodecideifrequestisallowed• Usesprotectiondomainassociatedwithcode,userpolicy

StackInspection

• Permissiondependson– Permissionofcallingmethod

– Permissionofallmethodsaboveitonstack

• Uptomethodthatistrustedandassertsthistrust

Manydetailsomittedhere

java.io.FileInputStream

method f

method g

method h

Stories:Netscapefont/passwd bug;Shockwaveplug-in

ANDROIDMALWARE

.

Androidmalwareexample

Installmalicious“conferenceapp”

MalwarebehaviortriggeredbyC&Cserver(Chuli)

Chuli source-to-sink flows

ANDROIDWEBAPPS

.

A Large-Scale Study of Mobile Web App Security

Patrick Mutchler, Adam Doupe, John Mitchell, Chris Kruegel, Giovanni Vigna

MobileApps

MobileApps

MobileApps

• Mobile web app: embeds a fully functional web browser as a UI element

MobileWebApps

Obj foo = new Object();addJavascriptInterface(foo, ‘f’);

JavaScriptBridge

JavaJavaScript

JavaScriptBridge

JavaJavaScript

f.bar();

Why?

• Full-featuredmobilewebapps

• ExposephonefunctionalitytoJavaScript

SecurityConcerns

• Whocanaccessthebridge?

– Everyone

Isolated in Browser

NoorigindistinctioninWebView

Java

JavaScript

f.bar();

StaticAnalysis

• Howmanymobilewebapps?

• HowmanyuseJavaScriptBridge?

• Howmanyvulnerable?

ExperimentalResults

• 737,828freeappsfromGooglePlay(Oct’13)

• 563,109appsembedabrowser

• 219,404usetheJavaScriptBridge

• 107,974haveatleastonesecurityviolation

Mostsignificantvulnerabilities

1. Loading untrusted web content

2. Leaking URLs to foreign apps

3. Exposing state changing navigation to foreign apps

1. Loading untrusted web content

2. Leaking URLs to foreign apps

3. Exposing state changing navigation to foreign apps

“You should restrict the web-pages that can load inside your WebView with a whitelist.”

- Facebook

“…only loading content from trusted sources into WebView will help protect users.”

- Adrian Ludwig, Google

1. Navigate to untrusted content

// In app codemyWebView.loadUrl(“foo.com”);

<!-- In HTML --><a href=“foo.com”>click!</a>

<!-- More HTML --><iframe src=“foo.com”/>

// In JavaScriptwindow.location = “foo.com”;

public boolean shouldOverrideUrlLoading(WebView view, String url){

// False -> Load URL in WebView// True -> Prevent the URL load

}

public boolean shouldOverrideUrlLoading(WebView view, String url){

String host = new URL(url).getHost();if(host.equals(“stanford.edu”))

return false;log(“Overrode URL: ” + url); return true;

}

ReachUntrustedContent?

• 40,084appswithfullURLsanduseJavaScript

Bridge

• 13,683apps(34%)canreachuntrusted

content

UseHTTPS?

• 152,706appswithpartiallycomputedURLs• 87,968apps(57%)withHTTPURLs

HandlingSSLErrors

onReceivedSslError

1. handler.proceed()2. handler.cancel()3. view.loadUrl(...)

MishandlingSSLErrors

• 117,974appsimplementonReceivedSslError

• 29,652apps(25%)must ignoreerrors

Vulnerability % Relevant % Vulnerable

Unsafe Nav 15 34

HTTP 40 56

Unsafe HTTPS 27 29

Primaryresults

Popularity

Outdated Apps

29% unsafe nav

Libraries

51% HTTP

53% unsafe HTTPS

AdditionalsecurityissuesBasedon998,286freewebappsfromJune2014

Takeaways

• Apps must not load untrusted content into WebViews

• Able to identify violating apps using static analysis

• Vulnerabilities are present in the entire app ecosystem

ANDROIDVERSIONING

.

Target Fragmentation in Android Apps

Patrick MutchlerJohn Mitchell

Yeganeh SafaeiAdam Doupe

Android apps can run using outdated OS behavior- The large majority of Android apps do this- Including popular and well maintained apps

Takeaways

Outdated security code invisibly permeates the app ecosystem- “Patched” security vulnerabilities still exist in the wild- “Risky by default” behavior is widespread

What is target fragmentation?

Target fragmentation statistics

Security consequences

Roadmap

What is target fragmentation?

Target fragmentation statistics

Security consequences

Roadmap

“If the device is running Android 6.0 or higher… [the app] must request each dangerous permission that it needs while the app is running.

- Android Developer Reference

“If the device is running Android 6.0 or higher and your app's target SDK is 6.0 or higher [the app] must request each dangerous permission that it needs while the app is running.

- Android Developer Reference

“If the [operating system version of the device] is higher than the version declared by your app’s targetSdkVersion, the system may enable compatibility behaviors to ensure that your app continues to work the way you expect.”

- Android Developer Reference

What is target fragmentation?

Target fragmentation statistics

Security consequences

Roadmap

1,232,696 Android Apps

Popularity, Category, Update, and Developer metadata

Collected between May 2012 and Dec 2015

Broken into five datasets by collection date

Dataset

Android 5.0

Released

Android 5.1

Released

Android 6.0

Released

App Collected

Outdatedness

App Collected

Outdatedness

App Updated

Negligent Outdatedness

Android 5.0

Released

Android 5.1

Released

Android 6.0

Released

What is target fragmentation?

Target fragmentation statistics

Security consequences

Roadmap

Fragment InjectionVulnerable App

PreferenceActivity

AttackedFragment

Malicious Intent

Extra.SHOW_FRAGMENT “Attacked Fragment”

Extra.SHOW_FRAG_ARG

Data OtherExtras

A malicious application can invoke any exported PreferenceActivity class and supply it with

an :android:show_fragment Intent extra in order to make it load an arbitrary class.

securityintelligence.com/new-vulnerability-android-framework-fragment-injection/

Fragment Injection

Fixed in Android 4.4

Developers implement isValidFragment to authorize fragments

// Put this in your appprotected boolean isValidFragment(String fName){

return MyFrag.class.getName().equals(fName);}

Fragment Injection

Vulnerable if:- Targets 4.3 or lower (31%)- Some class inherits from PreferenceActivity (4.8%)- That class is exported (1.1%)- That class does not override isValidFragment (0.55%)

4.2% of apps vulnerable if no fix was ever implemented

Mixed Content in WebView

Mixed Content in WebView

Major web browsers block Mixed Content

In Android 5.0, WebViews block Mixed Content by default

Can override default with setMixedContentMode()

SOP for file:// URLs in WebView

Android 4.1 separate file:// URLs are treated as unique origins

Can override with setAllowFileAccessFromFileURLs()

Android apps can run using outdated OS behavior- The large majority of Android apps do this- Including popular and well maintained apps

Outdated security code invisibly permeates the app ecosystem- “Patched” security vulnerabilities still exist in the wild- “Risky by default” behavior is widespread

Summary of Target Fragmentation

Twolecturesonmobilesecurity• Introduction:platformsandtrends• Threatcategories

– Physical,platformmalware,maliciousapps• Defenseagainstphysicaltheft• Malwarethreats• Systemarchitectureanddefenses

– AppleiOSsecurityfeaturesandappsecuritymodel– Androidsecurityfeaturesandappsecuritymodel

• Securityappdevelopment– WebView– secureappandwebinterfacedev– Devicefragmentation

Tues

Thurs

Comparison:iOS vs Android

• Appapprovalprocess– Androidappsfromopenappstore– iOS vendor-controlledstoreofvettedapps

• Applicationpermissions– Androidpermissionbasedoninstall-timemanifest– AlliOS appshavesamesetof“sandbox”privileges

• Appprogramminglanguage– AndroidappswritteninJava;nobufferoverflow…– iOSappswritteninObjective-C

ComparisoniOS Android Windows

Unix x x

Windows

Open market x

Closedmarket x

Vendorsigned x

Self-signed x

Userapprovalofpermissions x

Managedcode x

Nativecode x

ComparisoniOS Android Windows

Unix x x

Windows x

Open market x

Closedmarket x x

Vendorsigned x

Self-signed x x

Userapprovalofpermissions x 7-> 8

Managedcode x x

Nativecode x

Twolecturesonmobilesecurity• Introduction:platformsandtrends• Threatcategories

– Physical,platformmalware,maliciousapps• Defenseagainstphysicaltheft• Malwarethreats• Systemarchitectureanddefenses

– AppleiOSsecurityfeaturesandappsecuritymodel– Androidsecurityfeaturesandappsecuritymodel

• Securityappdevelopment– WebView– secureappandwebinterfacedev– Devicefragmentation

Tues

Thurs