History of Android Security – From Linux to Jelly Bean
DESCRIPTION
Presentation for NHN Deview 2012 http://deview.kr/2012/xe/index.php?document_srl=442&dummy=1&mid=track
TRANSCRIPT
The Past and Future of Android Security - From Linux to Jelly Bean
Author | 최 정 필
Affiliation | SK Planet
About Me
2000 AT&T Wireless: OODB/CORBA
2001 Cellvic (JTEL): CellvicOS/JVM
2003 Samsung: JVM for DTV/SimpleJIT
2007 Aromasoft: JVM for Mobile/JIT Optimization/Dalvik
2011 GE Korea: Smart appliance/Linux
2012 SK Planet: Android/T-Store ARM/Security
1. Why? Linux/Java
2. Which Direction?
3. What to do?
CONTENTS
0. Quiz
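Personal information leaks out over the Internet
An app uses the Internet without having been granted permission
An app performs an action (?) it has not been permitted to do
An app roots the device by itself
An app modifies its own code
An app modifies the Dalvik VM's information
An Android app runs a VM other than the Dalvik VM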
1. Why? Linux/Java
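A device that has sold 500 million units, with 1.3 million activated per day?
A Java platform?
The first device in history with Java as its standard development language? RIM? NDK?
A forked Linux?
Why Linux?
Andy Rubin: was an Apple employee
Because there was no alternative?
The best-selling Linux device in history?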
What is Android?
Linux: Open Source
‘mkdir android ; cd android ; repo init -u git://android.git.kernel.org/platform/manifest.git ; repo sync ; make’
Java: easy to learn, many developers
but an easy language for reverse-engineering
dex2jar, APKTool, JD-GUI, APKInspector, Smali, Dedexer, ...
A perfect couple!!!
Linux + Java
Just a linux application
following Google guides
What is an Android App?
Linux Process
Dalvik VM
Bionic
JNI
Is that all???
Missing something…
PackageManager, ActivityManager, ...
Google Guides?
Java?
No more on Android!!!
Dalvik VM is not a security boundary!!!
But Linux Process
Sandbox
Linux UID/Group ID:
a unique id based on its signature assigned when it starts
Linux DAC: all or nothing
old style
root can do everything
RWX
Linux Process
Permission
Needs to be declared in
AndroidManifest.xml
Binder
Kernel Enforcement
group ID
Patch
Internet
With Some Salt
<permission name="android.permission.INTERNET" ><group gid="inet" /></permission>
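How the mapping in the line above turns a manifest permission into a group ID the kernel can check, as an added example that is not part of the original slides. The XML fragments are constructed samples, and the helper names and numeric GID values are assumptions of the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample in the format of the <permission> line above.
PLATFORM_XML = """<permissions>
  <permission name="android.permission.INTERNET"><group gid="inet" /></permission>
  <permission name="android.permission.BLUETOOTH"><group gid="net_bt" /></permission>
</permissions>"""

# Constructed manifest: this app requests network access and contacts.
MANIFEST_XML = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET" />
  <uses-permission android:name="android.permission.READ_CONTACTS" />
</manifest>"""

# Group name -> numeric GID; the values are assumptions of this example.
GROUP_IDS = {"inet": 3003, "net_bt": 3002}

def load_permission_groups(xml_text):
    """Return {permission name: [group names]} from a permission-to-group document."""
    mapping = {}
    for perm in ET.fromstring(xml_text).iter("permission"):
        groups = [g.get("gid") for g in perm.findall("group") if g.get("gid")]
        if perm.get("name") and groups:
            mapping[perm.get("name")] = groups
    return mapping

def requested_permissions(manifest_text):
    """Permission names listed in <uses-permission> elements of a manifest."""
    root = ET.fromstring(manifest_text)
    return [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]

def supplementary_gids(granted, mapping):
    """Supplementary GIDs the app's Linux process gets for its granted permissions."""
    gids = set()
    for perm in granted:
        # Permissions without a group mapping are checked in framework code, not by the kernel.
        for group in mapping.get(perm, []):
            gids.add(GROUP_IDS[group])
    return sorted(gids)

def may_open_inet_socket(process_gids):
    """Model of the kernel-side check: only members of the inet group may open network sockets."""
    return GROUP_IDS["inet"] in process_gids
```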
You can do everything in your process
You can use Reflection/JNI
To call hidden/private methods
To get/set private fields
• But High return, High risk!!!
ex) Unity3D: Using Mono VM
Do as you please
2. Which Direction?
Version                      Release date         API level   Distribution (September 4, 2012)
4.1.x Jelly Bean             July 9, 2012         16          1.2%
4.0.x Ice Cream Sandwich     October 19, 2011     14-15       20.9%
3.x.x Honeycomb              February 22, 2011    11-13       2.1%
2.3.x Gingerbread            December 6, 2010     9-10        57.5%
2.2 Froyo                    May 20, 2010         8           14%
2.0, 2.1 Eclair              October 26, 2009     7           3.7%
1.6 Donut                    September 15, 2009   4           0.4%
1.5 Cupcake                  April 30, 2009       3           0.2%
History of Android
NX bit (No eXecute):
to prevent code execution on heap and stack (2.3+)
Prelink: used to speed up boot process
removed to prevent return-to-libc attacks (4.0+)
Address Space Layout Randomization (4.0+)
randomize key locations in memory
PIE (Position Independent Executable)
support (4.1+)
Memory Protection
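A check a build or review pipeline could run for two of the protections listed above, as an added example that is not part of the original slides: it reads an ELF32 little-endian header (the format of 32-bit ARM native binaries) and reports whether the image is position independent and whether it requests a non-executable stack. The function names and the header-only sample images built by make_sample are constructed for illustration.

```python
import struct

ET_DYN = 3                    # e_type of PIE executables and shared objects
PT_GNU_STACK = 0x6474E551     # program header that carries the stack permissions
PF_X = 0x1                    # "executable" bit in p_flags
EHDR = struct.Struct("<16sHHIIIIIHHHHHH")  # ELF32 little-endian file header
PHDR = struct.Struct("<8I")                # ELF32 program header

def check_hardening(image):
    """Return {'pie': bool, 'nx_stack': bool} for an ELF32 little-endian image."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if image[4] != 1 or image[5] != 1:
        raise ValueError("only ELF32 little-endian is handled here")
    fields = EHDR.unpack_from(image)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    nx_stack = False          # no PT_GNU_STACK entry: conservatively report not protected
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR.size > len(image):
            raise ValueError("truncated program header table")
        p_type, *_, p_flags, _align = PHDR.unpack_from(image, off)
        if p_type == PT_GNU_STACK:
            nx_stack = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx_stack": nx_stack}

def make_sample(e_type, stack_flags):
    """Build a constructed header-only image; stack_flags=None omits PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    phnum = 0 if stack_flags is None else 1
    image = EHDR.pack(ident, e_type, 40, 1, 0, EHDR.size, 0, 0,
                      EHDR.size, PHDR.size, phnum, 0, 0, 0)
    if stack_flags is not None:
        image += PHDR.pack(PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0)
    return image
```

For a real file, pass the bytes read from the binary; ET_DYN alone does not distinguish a PIE executable from a shared library.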
FileSystem Encryption
3.0+ provides full filesystem encryption. 128-bit AES key derived from user password
Credential Storage
1.6+ restricted to the system only
4.0+ provides public API
Filesystem Encryption/Credential Storage
1st. Protected APK
/data/app: apk without code
/data/app-private: protected by filesystem
2nd. License Verification Library(LVL)
Google: 2010/7
Amazon: DRM, T-Store: ARM
3rd. Encrypted APK
Jelly Bean
Temporarily closed… but
Copy Protection(Forward Lock)
OMP & ARM Bypass-Attack
ODEX File: optimized dex file
4.0+ provides a raw dex loading API Without ODEX!!!
Dalvik Virtual Machine
(JIT Compiler)
dex file
Storage
odex file
(reuse)
decompile hijacking
ODEX & Classloading
Applying SELinux in Android by NSA
Linux Security Modules
Standard Linux Security (Hooking) Framework from v2.6
task management (creation, signaling, waiting), program loading (execve), file system management (superblock, inode, and file hooks), IPC (message queues, shared memory, and semaphore operations), module hooks (insertion and removal), and network hooks (covering sockets, netlink, network devices, and other protocol interfaces)
security.h
SE-Android Overview
2012/1 added to AOSP master branch (HAVE_SELINUX)
in external/libselinux and external/sepolicy
in core/java and core/jni
SELinux.java, AndroidRuntime.cpp, android_os_SELinux.cpp
Slow, incremental adoption expected
not enforcing mode but permissive mode
Android 5.0?
Need to consider it!
SE-Android State
ARM’s HW solution
Virtualized processors on an ARM chip
Secure World can read Normal World
But Normal World can’t read Secure World
Already on Galaxy S3!!!
TrustZone
3. What to do?
Use Obfuscator
Use Native Code
Keep data on your server
Sorry, Find your own solutions!
2011 Google I/O Evading Pirates and Stopping Vampires using
License Verification Library, In-App Billing, and App Engine
2012.4 Code Obfuscation for the Amazon In-App
How to Defend Your Code?
Conclusion
Even though Android has many security problems, it is now an open, de facto platform
It’s getting better, but you need to protect your data/code in your own way
Its openness and flexibility could give creative developers some opportunities
T-Store promises to help you soon!