Security metrics for the Android ecosystem · drt24/presentations/2015-SPSM... · 2015-10-23 · ...
TRANSCRIPT
Security metrics for the Android ecosystem
Daniel Thomas, Alastair Beresford, Andrew Rice
[email protected]
http://androidvulnerabilities.org
Daniel gpg: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9
Alastair gpg: 9217 482D D647 8641 44BA 10D8 83F4 9FBF 1144 D9B3
Andrew gpg: 43BF 45D1 1B36 F45C 3F07 DA49 BDB8 8932 5CAC F039
Smartphones contain many apps written by a spectrum of developers
How “secure” is a smartphone?
Root/kernel exploits are harmful
● Root exploits break the permission model
● Once rooted, a device cannot be recovered to a safe state
● 37% of Android malware uses root exploits (2012)
● We're interested in critical vulnerabilities exploitable by code running on the device
Hypothesis: devices vulnerable because they are not updated
● Anecdotal evidence is that updates rarely happen
● Android phones, sold on 1-2 year contracts
No central database of Android vulnerabilities: so we're building one
Device Analyzer gathers statistics on mobile phone usage
● Deployed May '11
● 23,300 contributors
● 2,000 phone years
● 100 billion records
● 10TB of data
● 600 7-day active contributors
https://deviceanalyzer.cl.cam.ac.uk
Device Analyzer gathers a wide variety of data
● Including system stats:
– OS version and build number
– Manufacturer and device model
Is the ecosystem getting updated?
Google data: device API levels
Are devices getting updated?
HTC updates by OS version
LG updates by OS version
Connecting the two data sets: assume OS version → vulnerability
● We have an OS version from Device Analyzer
● We have vulnerability data with OS versions
● Match on OS version and build number and assign each device one of:
– Insecure
– Maybe secure
– Secure
On average, 85% are vulnerable
[Pie chart: devices split 85% / 11% / 4% across the three categories]
The FUM metric measures the security of Android devices
● f: proportion of devices free from known vulnerabilities
● u: proportion of devices updated to the latest version
● m: mean number of unfixed vulnerabilities
$\text{FUM score} = 4f + 3u + 3 \cdot \frac{2}{1 + e^{m}}$ (scores range from 0 to 10)
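A worked example of the two previous steps together, added here and not code from the talk or from androidvulnerabilities.org: sample devices are classified as insecure, maybe secure or secure by matching OS version and build number against a vulnerability table, and a FUM score is then computed for the manufacturer. The vulnerability entries, build strings and devices are constructed. The classification rules (fixed when the version is at or past the fix version, predates the first affected version, or the build is known to carry the fix; "maybe" when a back-port exists for that version line but the build does not show whether it was applied) and the snapshot definition of m (vulnerabilities that no shipped device in the sample has a fix for, rather than the talk's mean over time) are this example's simplifications, not the paper's exact procedure.

```python
"""Classify devices against a vulnerability table and compute a FUM score.

Added worked example, not code from the talk or androidvulnerabilities.org.
All vulnerability entries, build strings and devices below are constructed.
"""
from dataclasses import dataclass, field
from math import exp


def parse_version(v: str) -> tuple:
    """'4.1' -> (4, 1, 0) so that 4.1 and 4.1.0 compare equal."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass
class Vulnerability:
    name: str
    first_affected: str                              # earliest affected Android version
    fixed_in: str                                    # upstream version at/after which it is fixed
    backported_to: set = field(default_factory=set)  # versions with a back-port available
    fixed_builds: set = field(default_factory=set)   # build numbers known to carry the fix


@dataclass
class Device:
    manufacturer: str
    version: str   # android.os.Build.VERSION.RELEASE as Device Analyzer records it
    build: str     # android.os.Build.ID


def classify_for(dev: Device, vuln: Vulnerability) -> str:
    """Per-vulnerability state of one device: 'fixed', 'maybe' or 'vulnerable'.
    These rules are this example's assumption, not the paper's exact procedure."""
    v = parse_version(dev.version)
    if v >= parse_version(vuln.fixed_in) or v < parse_version(vuln.first_affected):
        return "fixed"          # past the fix, or predates the bug
    if dev.build in vuln.fixed_builds:
        return "fixed"          # build-level patch shipped without a version bump
    if dev.version in vuln.backported_to:
        return "maybe"          # a back-port exists; the build does not tell us if it was applied
    return "vulnerable"


def classify(dev: Device, vulns) -> str:
    """Device-level label used in the talk: insecure / maybe secure / secure."""
    states = {classify_for(dev, v) for v in vulns}
    if "vulnerable" in states:
        return "insecure"
    if "maybe" in states:
        return "maybe secure"
    return "secure"


def fum(f: float, u: float, m: float) -> float:
    """FUM score = 4f + 3u + 3 * 2/(1+e^m); ranges from 0 (worst) to 10 (best)."""
    return 4 * f + 3 * u + 3 * (2 / (1 + exp(m)))


def fum_score(devices, vulns, latest_version: str):
    """Return (score, f, u, m) for one manufacturer's devices at one point in time."""
    n = len(devices)
    f = sum(classify(d, vulns) == "secure" for d in devices) / n
    u = sum(parse_version(d.version) == parse_version(latest_version) for d in devices) / n
    # Snapshot simplification of 'mean unfixed vulnerabilities': count the
    # vulnerabilities that no shipped device in the sample has a fix for.
    m = sum(all(classify_for(d, v) != "fixed" for d in devices) for v in vulns)
    return fum(f, u, m), f, u, m


# Constructed vulnerability table (hypothetical names, versions and builds).
VULNS = [
    Vulnerability("hyp-A", "2.2", "4.0", backported_to={"2.3.6"}, fixed_builds={"BLD-236-P"}),
    Vulnerability("hyp-B", "4.0", "4.4.3"),
    Vulnerability("hyp-C", "4.4", "5.0", fixed_builds={"BLD-444-P"}),
]

# Constructed sample of one manufacturer's devices.
DEVICES = [
    Device("ExampleCo", "4.4.4", "BLD-444-P"),  # secure
    Device("ExampleCo", "4.4.4", "BLD-444"),    # insecure: hyp-C, unpatched build
    Device("ExampleCo", "4.4.2", "BLD-442"),    # insecure: hyp-B and hyp-C
    Device("ExampleCo", "2.3.6", "BLD-236"),    # maybe secure: hyp-A back-port may be applied
    Device("ExampleCo", "2.3.6", "BLD-236-P"),  # secure: build carries the hyp-A fix
    Device("ExampleCo", "2.3.3", "BLD-233"),    # insecure: hyp-A
]

if __name__ == "__main__":
    for d in DEVICES:
        print(d.version, d.build, classify(d, VULNS))
    score, f, u, m = fum_score(DEVICES, VULNS, latest_version="4.4.4")
    print(f"f={f:.2f} u={u:.2f} m={m} FUM={score:.2f}")
```

Two things the sample makes visible. First, f and u move independently: two of the six devices run the latest version, but only the one with the patched build is secure, so a manufacturer can score well on u while most of its fleet stays vulnerable. Second, in a single snapshot m can only be non-zero when some vulnerability is unfixed on every device, which forces f to 0; the talk's m is a mean over the study period, so it records the time a manufacturer left a vulnerability unfixed even if a fix eventually shipped.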
[Figure: Galaxy Nexus, proportion of devices running each OS version and build over time; y axis "Proportion of devices", 0.0 to 1.0. Legend: 2.3.3 GRI40, 2.3.4 GRJ22, 2.3.6 GINGERBREAD, 2.3.7 GRJ22, 4.0.1 ITL41F, 4.0.2 ICL53F, 4.0.3 IML74K, 4.0.4 ICL53F, 4.0.4 IMM30B, 4.0.4 IMM30D, 4.0.4 IMM76D, 4.0.4 IMM76I, 4.0.4 IMM76K, 4.1 JRN84D, 4.1.1 JRO03C, 4.1.1 JRO03L, 4.1.1 JRO03O, 4.1.1 JRO03R, 4.1.1 JRO03U, 4.1.2 JZO54K, 4.2 JOP40C, 4.2.1 JOP40D, 4.2.1 JOP40G, 4.2.2 JDQ39, 4.2.2 JDQ39E, 4.3 JLS36G, 4.3 JSS15J, 4.3 JSS15Q, 4.3 JWR66V, 4.3 JWR66Y, 4.3 JWR67B, 4.3.1 JLS36I, 4.4.2 KOT49H, 4.4.2 KVT49L, 4.4.3 KTU84M, 4.4.4 KTU84P, 4.4.4 KTU84Q, other]
[Figure: proportion of devices running each OS version and build over time for two further devices, y axis "Proportion", 0.0 to 1.0: HTC Desire HD A9191 (2.3.3 GRI40, 2.3.5 GRJ90) and Symphony W68 (4.2.2 JDQ39)]
[Figure: f, proportion of devices free from known vulnerabilities (0 to 1), by manufacturer: Nexus devices, LG, Motorola, Samsung, Sony, HTC, Asus, Alps, Symphony, Walton]
[Figure: u, proportion of devices updated to the latest version (0 to 1), by manufacturer: Nexus devices, LG, Motorola, Samsung, Sony, HTC, Asus, Alps, Symphony, Walton]
[Figure: the 2/(1+e^m) term (0 to 1), by manufacturer: Nexus devices, LG, Motorola, Samsung, Sony, HTC, Asus, Alps, Symphony, Walton]
[Figure: FUM score (0 to 10), by manufacturer: Nexus devices, LG, Motorola, Samsung, Sony, HTC, Asus, Alps, Symphony, Walton]
Why is fixing vulnerabilities hard: the software ecosystem is complex
● Division of labour:
– Open source software
– Core OS production
– Driver writer
– Device manufacturer
– Retailer
– Customer
● Apple and Google have different models
– Hypothesis: Apple's model is more secure
Google to the rescue: Play Store and Verify apps provide security
Conclusions
● 85% of Android devices are vulnerable
● Ecosystem complex; lack of transparency
● FUM metric is a robust measure of security
– A step towards an economic incentive
Example: Android APK duplicate file
● OS does not check for duplicate file entries (same name) in an APK
● Not a traditional kernel vulnerability
● Affected all manufacturers and all versions > 1.5
● Timeline:
– February 2013: discovered
– February 2013: fixed
– July 2013: public announcement
● Is the responsible disclosure period sufficient to protect users?
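The parser disagreement behind this class of bug, as an added example that is not code from the talk: a constructed ZIP (an APK is a ZIP) carries two entries named classes.dex, and is read once through the central directory (how Python's zipfile resolves names) and once by walking the local file headers in order (how a streaming extractor reads). The two readers return different bytes for the same name. The last function is the duplicate-name check a hardened installer would apply before trusting either reading. Entry names, payloads and the archive itself are constructed in memory; nothing here is a real APK or a real Android component.

```python
"""Duplicate entry names in an APK (a ZIP file) let two parsers disagree.

Added example, not code from the talk. The archive, entry names and payloads
are constructed in memory; nothing here is a real APK.
"""
import io
import struct
import warnings
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
# flags, method, mod time, mod date, crc32, compressed size, uncompressed size,
# name length, extra length: the 24 bytes that follow version-needed at offset 6
LOCAL_HEADER_FMT = "<HHHHIIIHH"


def build_zip(entries) -> bytes:
    """Constructed archive; entries is a list of (name, bytes), duplicates allowed."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")   # zipfile warns on a duplicate name but still writes it
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            for name, payload in entries:
                zf.writestr(name, payload)
    return buf.getvalue()


def iter_local_entries(data: bytes):
    """Walk local file headers from offset 0, yielding (name, payload) in file order.
    Only ZIP_STORED entries are handled, which is all build_zip() produces."""
    off = 0
    while data[off:off + 4] == LOCAL_HEADER_SIG:
        flags, method, _t, _d, _crc, csize, _usize, name_len, extra_len = struct.unpack(
            LOCAL_HEADER_FMT, data[off + 6:off + 30])
        if method != 0:
            raise ValueError("compressed entries are not supported by this walker")
        name = data[off + 30:off + 30 + name_len].decode()
        start = off + 30 + name_len + extra_len
        yield name, data[start:start + csize]
        off = start + csize
        if flags & 0x08:   # data descriptor after the payload (zipfile omits it for seekable output)
            off += 16 if data[off:off + 4] == b"PK\x07\x08" else 12


def read_via_central_directory(data: bytes, name: str) -> bytes:
    """zipfile resolves a name through the central directory; with duplicates,
    the later record overwrites the earlier one in its name table."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def read_via_local_headers(data: bytes, name: str) -> bytes:
    """A streaming extractor takes the first local header whose name matches."""
    for entry_name, payload in iter_local_entries(data):
        if entry_name == name:
            return payload
    raise KeyError(name)


def duplicate_entry_names(data: bytes) -> set:
    """Installer-side check: names that appear more than once in the central
    directory or in the local headers. A hardened installer rejects the archive
    when this set is non-empty, so every reader sees the same file per name."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        central = [info.filename for info in zf.infolist()]
    local = [name for name, _ in iter_local_entries(data)]
    return {n for n in central + local if central.count(n) > 1 or local.count(n) > 1}


# Constructed samples: SAMPLE carries 'classes.dex' twice with different contents.
SAMPLE = build_zip([("AndroidManifest.xml", b"<manifest/>"),
                    ("classes.dex", b"benign bytecode"),
                    ("classes.dex", b"attacker bytecode")])
CLEAN = build_zip([("AndroidManifest.xml", b"<manifest/>"),
                   ("classes.dex", b"benign bytecode")])

if __name__ == "__main__":
    print("central directory:", read_via_central_directory(SAMPLE, "classes.dex"))
    print("local headers:    ", read_via_local_headers(SAMPLE, "classes.dex"))
    print("duplicates:       ", duplicate_entry_names(SAMPLE))
```

The point is not which reader is "right": a ZIP has two independent indexes (the central directory at the end and the chain of local headers from the start), and once the same name appears twice, whichever component checks a signature and whichever component extracts the code can legitimately pick different entries. Rejecting duplicates, and cross-checking the two indexes against each other, removes the ambiguity before any signature is evaluated.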
Device Analyzer is a good example of Privacy by Design principles
● Transparency, consent, notice and disclosure
● Purpose
● Security
● Access to data and withdrawal
● Proactive privacy design
● Privacy by default
Device Analyzer is representative
● Compared with Google Play API data: Device Analyzer is slightly better
● Compared with User-Agent headers from Rwanda: Device Analyzer is better
● Compared with MDM data from a FTSE 100 company: Device Analyzer is slightly worse
Nexus and non-Nexus devices
[Figure: FUM score (0 to 10) for Nexus versus non-Nexus devices]