Securing a mobile platform from the ground up
Rich Cannings <[email protected]>
Alex Stamos <[email protected]>
Overview
• Why care about mobile security?
• What is Android?
• How do I develop on Android?
  o Android Market
• What about Security?
  o Cornerstones of Android security: Prevention, Minimization, Detection, Reaction
Some Statistics
• 6.77 billion people [1]
• 1.48 billion Internet enabled PCs [2]
• 4.10 billion mobile phones [1]
• Mobile phone replacement rate
  o 12-18 month average [3]
  o 1.1 billion mobile phones are purchased per year [4]
  o 13.5% of mobile phone sales are smartphones [5]
• The number of smartphones will soon compare with the number of Internet enabled PCs

[1] http://en.wikipedia.org/wiki/List_of_countries_by_number_of_mobile_phones_in_use (based on The World Factbook)
[2] http://www.itu.int/ITU-D/icteye/Reporting/ShowReportFrame.aspx?ReportName=/WTI/InformationTechnologyPublic&RP_intYear=2008&RP_intLanguageID=1
[3]
[4] http://www.infonetics.com/pr/2009/2h08-mobile-wifi-phones-market-research-highlights.asp
[5] http://www.gartner.com/it/page.jsp?id=985912
Mobile Security is Getting Interesting
• Desktop analysis techniques are increasingly applicable to smartphones
• Mobile networks can now be easily manipulated
  o From phones: Miller, Lackey, Miras at BlackHat 2009
  o From false base stations: http://openbts.sourceforge.net/
Mobile Security Matures
We are now seeing attacks against all layers of mobile infrastructure:
• Applications
• Platform
• OS
• Baseband
• Network
Mobile devices must be treated as fully fledged computers.
Do not assume they are "special".
The Android Platform
• Free, open source mobile platform
  o Source code at http://source.android.com
• Any handset manufacturer or hobbyist can install
• Any developer can use
  o SDK at http://developer.android.com
• Empower users and developers
The Android Technology Stack
• Linux kernel
• Relies upon 90+ open source libraries
  o Integrated WebKit based browser
  o SQLite for structured data storage
  o OpenSSL
  o BouncyCastle
  o libc based on OpenBSD
  o Apache Harmony
  o Apache HttpClient
• Supports common sound, video and image codecs
• API support for handset I/O
  o Bluetooth, EDGE, 3G, wifi
  o Camera, Video, GPS, compass, accelerometer, sound, vibrator
Android Development
• Java applications are composed of:
  o Activities: visual user interface for one focused endeavor
  o Services: run in the background for an indefinite period of time
• Intents
  o Asynchronous messaging
  o URL dispatching on steroids
  o Glue many Activities and Services together to make an application
  o Provide interactivity between applications
Example Email Application
Application Lifecycle
• Designed to protect battery life
• Activities live on a stack
• Background activities can be killed at any moment
• The platform makes it easy for developers to code applications that are killed at any moment without losing state
  o Helps with DoS issues
Android Market
• Connects developers with users
• Darwinian environment
  o Good applications excel
  o Bad applications forgotten
• ~10,000 applications on Market
• Balance of openness and security
  o Not the only way to install apps
  o Not a walled garden
• Developers self-sign applications
  o For updating
  o Uses Java's keytool and jarsigner
Application Signing
Why self signing?
• Market ties identity to developer account
• CAs have had major problems with fidelity in the past
• No applications are trusted. No "magic key"
What does signing determine?
• Shared UID for shared keys
• Self-updates
Security Philosophy
• Finite time and resources
• Humans have difficulty understanding risk
• Safer to assume that
  o Most developers do not understand security
  o Most users do not understand security
• Security philosophy cornerstones
  o Need to prevent security breaches from occurring
  o Need to minimize the impact of a security breach
  o Need to detect vulnerabilities and security breaches
  o Need to react to vulnerabilities and security breaches swiftly
Prevent
• 5 million new lines of code
• Uses almost 100 open source libraries
• Android is open source ⇒ can't rely on obscurity
• Teamed up with security experts from
  o Google Security Team
  o iSEC Partners
  o n.runs
• Concentrated on high risk areas
  o Remote attacks
  o Media codecs
  o New/custom security features
• Low-effort/high-benefit features
  o ProPolice stack overflow protection
  o Heap protection in dlmalloc
dlmalloc
• Heap consolidation attack
• Allocation meta-data is stored in band
• Heap overflow can perform 2 arbitrary pointer overwrites
• To fix, check:
  o b->fd->bk == b
  o b->bk->fd == b
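The two checks on the slide are easiest to see on a toy free list. The C below is an added illustration written for this page; it is not Android's dlmalloc source and not code from the talk. It keeps in-band metadata (`size`, `fd`, `bk`) next to each chunk, shows the unchecked unlink whose two stores become the "2 arbitrary pointer overwrites" once `fd`/`bk` are attacker-controlled, and the checked unlink that refuses to write unless both neighbours still point back at `b`. The `chunk` type, `demo_safe_unlink` and the simulated header corruption are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example, not Android's dlmalloc: a minimal free list whose
 * allocation metadata (size, fd, bk) lives in band, next to the data,
 * exactly the layout that makes a heap overflow dangerous. */
typedef struct chunk {
    size_t size;        /* in-band metadata: chunk size */
    struct chunk *fd;   /* forward link in the free list */
    struct chunk *bk;   /* backward link in the free list */
} chunk;

/* Circular list with a sentinel head, so every member has valid fd/bk. */
void list_init(chunk *head) { head->fd = head; head->bk = head; }

void list_insert(chunk *head, chunk *c) {
    c->fd = head->fd;
    c->bk = head;
    head->fd->bk = c;
    head->fd = c;
}

/* Unchecked unlink: with attacker-controlled fd and bk these two statements
 * are the "2 arbitrary pointer overwrites" of the consolidation attack. */
void unlink_unchecked(chunk *b) {
    b->fd->bk = b->bk;
    b->bk->fd = b->fd;
}

/* Checked unlink, the mitigation named on the slide: refuse unless both
 * neighbours still point back at b. Returns false and writes nothing if the
 * in-band metadata is inconsistent. */
bool unlink_checked(chunk *b) {
    if (b->fd->bk != b || b->bk->fd != b)
        return false;       /* corrupted header: abort instead of writing */
    b->fd->bk = b->bk;
    b->bk->fd = b->fd;
    return true;
}

/* Number of members in the list, excluding the sentinel. */
int list_length(const chunk *head) {
    int n = 0;
    for (const chunk *c = head->fd; c != head; c = c->fd) n++;
    return n;
}

/* Constructed scenario: three free chunks, then an overflow from the chunk
 * below c2 clobbers c2's bk pointer. Returns 1 when the checked unlink
 * rejects the corrupted chunk while still unlinking the intact chunk c1
 * and leaving the remaining list consistent, 0 otherwise. */
int demo_safe_unlink(void) {
    chunk head, c1, c2, c3, bogus = { 0, NULL, NULL };
    list_init(&head);
    list_insert(&head, &c1);
    list_insert(&head, &c2);
    list_insert(&head, &c3);
    /* list is now head -> c3 -> c2 -> c1 -> head */

    c2.bk = &bogus;                        /* simulated overflow of c2's header */
    bool rejected = !unlink_checked(&c2);  /* bogus.fd != &c2, so refused */
    bool removed  = unlink_checked(&c1);   /* c1's neighbours are intact */

    /* c2 must now sit between c3 and the head on both paths */
    bool consistent = head.bk == &c2 && c2.fd == &head && c3.fd == &c2
                      && list_length(&head) == 2;
    return (rejected && removed && consistent) ? 1 : 0;
}
```

The check costs two loads and two compares per unlink, which is why the slide files it under "low-effort/high-benefit": an overflow that rewrites `fd` or `bk` can no longer turn the unlink into a write primitive, and the corrupted chunk is simply left in place (a real allocator would abort at that point).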
WebKit Heap Overflow
Minimize
• We cannot rely on prevention alone
  o Vulnerabilities happen
• Users will install malware
• Code will be buggy
• How can we minimize the impact of a security issue?
• My webmail cannot access my banking web app
  o Same origin policy
• Why can malware access my browser? My banking info?
• Extend the web security model to the OS
Minimize
• Traditional operating system security
  o Host based
  o User separation
• Mobile OSes are for single users
• User separation is like a "same user policy"
• Running each application in its own UID is like a "same application policy"
  o Privilege separation
• Make privilege separation relatively transparent to the developer
Application Sandbox
• Each application runs within its own UID and VM
• Default privilege separation model
• Instant security features
  o Resource sharing: CPU, Memory
  o Data protection: FS permissions
  o Authenticated IPC: Unix domain sockets
• Place access controls close to the resource, not in the VM
Application Sandbox
• Place access controls close to the resource
  o Smaller perimeter ⇒ easier to protect
• Default Linux applications have too much power
• Lock down user access for a "default" application
• Fully locked down applications limit innovation
• Relying on users making correct security decisions is tricky
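"Authenticated IPC over Unix domain sockets" and "access controls close to the resource" come together in the following C, an added example for this page rather than Android platform code. A service asks the kernel for the peer's credentials with `SO_PEERCRED` (Linux-specific) and enforces a constructed UID allowlist before answering; because the kernel fills in the UID, a caller in another sandbox cannot claim to be someone else. A `socketpair` stands in for a real `accept()`ed connection, so both ends belong to this process and the authenticated peer UID is `getuid()`; `struct peer_cred` is declared locally with the same layout as Linux's `struct ucred`, and `uid_allowed`, `handle_request` and `demo_authenticated_ipc` are hypothetical names.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Same layout as Linux's struct ucred, declared locally so the example does
 * not depend on feature-test macros. Filled in by the kernel, not the peer. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Hypothetical service policy: a constructed allowlist of caller UIDs. */
bool uid_allowed(uid_t uid, const uid_t *allow, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (allow[i] == uid) return true;
    return false;
}

/* Ask the kernel who is on the other end of a connected AF_UNIX socket.
 * Returns 0 on success and stores the peer's UID, -1 on error. */
int peer_uid(int fd, uid_t *out) {
    struct peer_cred cred;
    socklen_t len = sizeof cred;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0) return -1;
    *out = cred.uid;
    return 0;
}

/* Service side: authenticate at the resource, then answer on the socket.
 * Returns 1 if served, 0 if refused by policy, -1 on error. */
int handle_request(int fd, const uid_t *allow, size_t n) {
    uid_t uid;
    if (peer_uid(fd, &uid) != 0) return -1;
    const char *reply = uid_allowed(uid, allow, n) ? "OK" : "DENY";
    size_t len = strlen(reply);
    if (write(fd, reply, len) != (ssize_t)len) return -1;
    return reply[0] == 'O' ? 1 : 0;
}

/* Self-contained run over a socketpair: both ends belong to this process, so
 * the kernel reports getuid() as the peer. With allow_self the policy lists
 * our own UID; otherwise it lists a constructed UID that is not ours.
 * Returns the verdict the client observed (1 served, 0 refused, -1 error). */
int demo_authenticated_ipc(bool allow_self) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    uid_t self = getuid();
    uid_t allow[1] = { allow_self ? self : (uid_t)(self + 1) };

    int verdict = handle_request(sv[0], allow, 1);   /* service end */

    char buf[8] = {0};                                /* client end */
    ssize_t r = read(sv[1], buf, sizeof buf - 1);
    close(sv[0]);
    close(sv[1]);
    if (verdict < 0 || r <= 0) return -1;
    /* the reply on the wire must agree with the policy decision */
    int seen = strcmp(buf, "OK") == 0 ? 1 : strcmp(buf, "DENY") == 0 ? 0 : -1;
    return seen == verdict ? verdict : -1;
}
```

The point of the design is that the decision lives in the process that owns the resource, with a UID the kernel vouches for, rather than in the calling app's VM: the perimeter to defend is the one `getsockopt` call, and a compromised or malicious client in another UID simply gets `DENY`.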
Permissions
• Whitelist model
  1. Allow minimal access by default
  2. Allow for user accepted access to resources
• Ask users fewer questions
• Make questions more understandable
• 194 permissions
  o ⇒ More granularity
  o ⇒ Less understandability
More Privilege Separation
• Media codecs are very complex ⇒ very insecure
• Won't find all the issues in media libraries
• Banish OpenCore media library to a lesser privileged process
  o mediaserver
• Immediately paid off
  o Charlie Miller reported a vulnerability in our MP3 parsing
  o oCERT-2009-002
Detect
• A lesser-impact security issue is still a security issue
• Internal detection processes
  o Developer education
  o Code audits
  o Fuzzing
  o Honeypot
• Everyone wants security ⇒ allow everyone to detect issues
  o Users
  o Developers
  o Security Researchers
External Reports
• Patrick McDaniel, William Enck, Machigar Ongtang
  o Applied formal methods to access SMS and Dialer
• Charlie Miller, John Hering
  o Outdated WebKit library with PCRE issue
• XDA Developers
  o Safe mode lock screen bypass
• Charlie Miller, Collin Mulliner
  o MP3, SMS fuzzing results
• Panasonic, Chris Palmer
  o Permission regression bugs
• If you find a security issue, please email [email protected]
User Reporting
A User Report
• MemoryUp: mobile RAM optimizer
  o faster, more stable, more responsive, less waiting time
  o not quite
React
• Autoupdaters are the best security tool since Diffie-Hellman
• Every modern operating system should be responsible for:
  o Automatically updating itself
  o Providing a central update system for third-party applications
• Android's Over-The-Air update system (OTA)
  o User interaction is optional
  o No additional computer or cable is required
  o Very high update rate
Shared UID Regression
• Shared UID feature
  o Malware does not hurt computers, malware authors do
  o Two applications are signed ⇒ can share UIDs
  o More interactivity
• Panasonic reported that shared UID was broken
  o If the user installs malware, then the attacker could share UIDs with an existing installed app, like the browser
  o Breaks Application Sandbox
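The "Shared UID for shared keys" rule from the Application Signing slide and the regression described here are two outcomes of one installer decision. The C below is an added example for this page, not the Android package manager: it models the check an installer must make when a new package declares a shared UID, with a flag that turns the signer comparison off to reproduce the regressed behaviour the slide describes (modelled here as "any package naming an existing shared UID joins it"). Package names, the `installed` table and the certificate fingerprint strings are constructed; `decide_shared_uid`, `same_signer` and `find_uid_owner` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not the Android package manager. Certificates are
 * represented by constructed fingerprint strings. */
typedef struct {
    const char *package;     /* package name */
    const char *shared_uid;  /* declared shared UID, or NULL for a private UID */
    const char *cert;        /* fingerprint of the developer's self-signing certificate */
} pkg;

typedef enum {
    UID_PRIVATE = 0,  /* no sharing requested: the app gets its own UID */
    UID_SHARED  = 1,  /* joins the requested shared UID */
    UID_DENIED  = 2   /* request refused: installation must fail */
} uid_verdict;

/* Constructed table of installed applications. */
static const pkg installed[] = {
    { "com.example.browser", "android.uid.browser", "fp:BROWSER-SIGNER" },
    { "com.example.mail",    NULL,                  "fp:MAIL-SIGNER"    },
};
#define N_INSTALLED (sizeof installed / sizeof installed[0])

/* Find the installed package that currently owns a shared UID, if any. */
const pkg *find_uid_owner(const char *shared_uid) {
    for (size_t i = 0; i < N_INSTALLED; i++)
        if (installed[i].shared_uid && strcmp(installed[i].shared_uid, shared_uid) == 0)
            return &installed[i];
    return NULL;
}

/* Both packages were signed by the same developer key. A real installer
 * compares the full certificate sets; a fingerprint string stands in here. */
bool same_signer(const pkg *a, const pkg *b) {
    return strcmp(a->cert, b->cert) == 0;
}

/* Decide which UID a candidate package gets. With require_same_signer false
 * this models the regression: any package naming an existing shared UID joins
 * it, so installed malware lands inside another app's sandbox. With it true,
 * only a package from the same signer as the current owner may join. */
uid_verdict decide_shared_uid(const pkg *candidate, bool require_same_signer) {
    if (candidate->shared_uid == NULL)
        return UID_PRIVATE;
    const pkg *owner = find_uid_owner(candidate->shared_uid);
    if (owner == NULL)
        return UID_SHARED;           /* first member of a new shared UID */
    if (!require_same_signer)
        return UID_SHARED;           /* the regression: no signer check */
    return same_signer(owner, candidate) ? UID_SHARED : UID_DENIED;
}
```

The regression test the slide mentions for this fix is exactly the `UID_DENIED` case: a package signed with a different key that names the browser's shared UID must be refused, while a package from the browser's own signer (a plugin or an update) still joins.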
Update Process
• 2009-05-14
  o Panasonic reported the issue
  o Patched the issue, wrote regression tests
• 2009-05-15
  o Kicked off internal audit
  o Built and tested every flavour of Android
  o Coordinated a public response with the reporter, carriers, PR and oCERT
• 2009-05-21
  o Received critical-mass approval
• 2009-05-22
  o OTAed users, rolled out patches to factories, SDK, and open source
  o Released advisory (oCERT-2009-006)
Not over yet!
• 2009-07-06
  o Completed audit and tests
  o Coordinated a public response with carriers, PR and oCERT
• 2009-07-15
  o Received critical-mass approval
• 2009-07-16
  o OTAed users, rolled out patches to factories, SDK, and open source
  o Released advisory (oCERT-2009-011)
Conclusion
• Security
  o an ongoing process
  o not a checkbox
• Process
  o Prevent
  o Minimize
  o Detect
  o React
Questions?
• Find a security issue?
  o Email [email protected]
• Want to contribute code?
  o Visit http://source.android.com
  o Add me as a code reviewer!
• Want to write an Android application?
  o Visit http://developer.android.com
• Want to email us?
  o Email [email protected] or [email protected]
  o We are both hiring