State of the Union: Android Security Overview
Matthias Lange, Steffen Liebergeld, April 9th, 2013, Droidcon 2013
Why should I care?
Mobile OS Market Share (2012)
• Android: 68 %
• iOS: 17 %
• Blackberry: 5 %
• Symbian: 4 %
• Windows: 4 %
• Linux: 2 %
http://www.idc.com/getdoc.jsp?containerId=prUS23638712#.UUL-GaVW6-U
Malware Distribution 2010
F-Secure Mobile Threat Report Q4/2012
Malware Distribution 2011
F-Secure Mobile Threat Report Q4/2012
Malware Distribution 2012
F-Secure Mobile Threat Report Q4/2012
No!
High Level Overview
Agenda
• Secure Boot
• Memory Management Security Enhancements
• Android Application Security
• Android Security Problems
• Future Improvements
Secure Boot
Boot Process
1. Initial Bootloader
2. Bootloader
3. Kernel
4. Android init
5. Android platform boot
Boot Architecture
[Diagram labels: SoC, DRAM, Boot Device, CPU, Security Subsystem, ROM, IBL, DRAM Controller, Controller, NAND, SD/MMC, eMMC, USB OTG, Bootloader + Signature, Kernel + Signature, OM Pin]
Signature Check
[Diagram: Image → SHA1 → Digest/Hash; Signature → Check with Public Key → Digest/Hash; Compare both digests]
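The signature check on this slide, applied to the bootloader and kernel stages of the boot process, as an added example that is not code from the talk. The demo key, the image contents and the PKCS#1 v1.5 encoding of the SHA1 digest are assumptions of the example; the slide only names SHA1, the public key and the compare step.

```python
import hashlib
import hmac

# Constructed demo key pair built from two Mersenne primes; not a real device key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                    # public key, stored where the verifying stage trusts it
D = pow(E, -1, (P - 1) * (Q - 1))      # private key, known to the signer only
K_LEN = (N.bit_length() + 7) // 8      # modulus length in bytes

# ASN.1 DigestInfo header for SHA-1 (PKCS#1 v1.5 encoding is an assumption of this example)
SHA1_INFO = bytes.fromhex("3021300906052b0e03021a05000414")

def encode(image: bytes) -> bytes:
    """SHA1 the image and wrap the digest in PKCS#1 v1.5 signature padding."""
    t = SHA1_INFO + hashlib.sha1(image).digest()
    return b"\x00\x01" + b"\xff" * (K_LEN - len(t) - 3) + b"\x00" + t

def sign(image: bytes) -> bytes:
    """Signer side, done offline when the image is built."""
    return pow(int.from_bytes(encode(image), "big"), D, N).to_bytes(K_LEN, "big")

def verify(image: bytes, signature: bytes) -> bool:
    """Boot-stage side: apply the public key to the signature, compare with our own hash."""
    s = int.from_bytes(signature, "big")
    if len(signature) != K_LEN or s >= N:
        return False
    recovered = pow(s, E, N).to_bytes(K_LEN, "big")
    # Compare the whole padded block, not only the trailing digest bytes.
    return hmac.compare_digest(recovered, encode(image))

def boot_chain(stages) -> list:
    """Verify (name, image, signature) stages in order; stop at the first bad one."""
    booted = []
    for name, image, signature in stages:
        if not verify(image, signature):
            break
        booted.append(name)
    return booted

if __name__ == "__main__":
    bootloader, kernel = b"constructed bootloader image", b"constructed kernel image"
    good = [("bootloader", bootloader, sign(bootloader)), ("kernel", kernel, sign(kernel))]
    bad = [good[0], ("kernel", kernel + b"patched", sign(kernel))]
    print(boot_chain(good))
    print(boot_chain(bad))
```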
Memory Protection
Protection Against Memory Corruption
• Since 2.3 Gingerbread
  • eXecute Never (XN)
  • mmap_min_addr
• Android >= 4.0
  • Address Space Layout Randomization (ASLR)
• Android >= 4.1
  • Position Independent Executable (PIE)
  • Read-only Relocations (RELRO)
ASLR
• Randomize mapping location of memory
• Stack, heap, libs, executable
• Primarily provided by Linux kernel
• Usually combined with NX
Randomization in Gingerbread
• cat /proc/PID/maps (vold)

```
00008000-00028000 r-xp 00000000 b3:09 450 /system/bin/vold
00028000-00029000 rw-p 00020000 b3:09 450 /system/bin/vold
afd00000-afd40000 r-xp 00000000 b3:09 743 /system/lib/libc.so
afd40000-afd43000 rw-p 00040000 b3:09 743 /system/lib/libc.so
b0001000-b0009000 r-xp 00001000 b3:09 375 /system/bin/linker
b0009000-b000a000 rw-p 00009000 b3:09 375 /system/bin/linker
bebcc000-bebed000 rw-p 00000000 00:00 0 [stack]
00029000-00032000 rw-p 00000000 00:00 0 [heap]

00008000-00028000 r-xp 00000000 b3:09 450 /system/bin/vold
00028000-00029000 rw-p 00020000 b3:09 450 /system/bin/vold
afd00000-afd40000 r-xp 00000000 b3:09 743 /system/lib/libc.so
afd40000-afd43000 rw-p 00040000 b3:09 743 /system/lib/libc.so
b0001000-b0009000 r-xp 00001000 b3:09 375 /system/bin/linker
b0009000-b000a000 rw-p 00009000 b3:09 375 /system/bin/linker
becf2000-bed13000 rw-p 00000000 00:00 0 [stack]
00029000-00032000 rw-p 00000000 00:00 0 [heap]
```
Randomization in ICS
• cat /proc/PID/maps (vold)

```
00008000-0001f000 r-xp 00000000 103:01 436 /system/bin/vold
0001f000-00020000 rw-p 00017000 103:01 436 /system/bin/vold
400b7000-400f9000 r-xp 00000000 103:01 891 /system/lib/libc.so
400f9000-400fc000 rw-p 00042000 103:01 891 /system/lib/libc.so
b0001000-b0009000 r-xp 00001000 103:01 357 /system/bin/linker
b0009000-b000a000 rw-p 00009000 103:01 357 /system/bin/linker
beabc000-beadd000 rw-p 00000000 00:00 0 [stack]
00020000-0002f000 rw-p 00000000 00:00 0 [heap]

00008000-0001f000 r-xp 00000000 103:01 436 /system/bin/vold
0001f000-00020000 rw-p 00017000 103:01 436 /system/bin/vold
400bc000-400fe000 r-xp 00000000 103:01 891 /system/lib/libc.so
400fe000-40101000 rw-p 00042000 103:01 891 /system/lib/libc.so
b0001000-b0009000 r-xp 00001000 103:01 357 /system/bin/linker
b0009000-b000a000 rw-p 00009000 103:01 357 /system/bin/linker
bee36000-bee57000 rw-p 00000000 00:00 0 [stack]
00020000-0002f000 rw-p 00000000 00:00 0 [heap]
```
Randomization in Jelly Bean
• cat /proc/PID/maps (sleep 1000)

```
400e8000-40100000 r-xp 00000000 103:01 429 /system/bin/toolbox
40101000-40102000 r--p 00018000 103:01 429 /system/bin/toolbox
40102000-40104000 rw-p 00019000 103:01 429 /system/bin/toolbox
40093000-400d6000 r-xp 00000000 103:01 86 /system/lib/libc.so
400d6000-400d9000 rw-p 00043000 103:01 86 /system/lib/libc.so
40195000-401a8000 r-xp 00000000 103:01 889 /system/bin/linker
401a8000-401a9000 r--p 00012000 103:01 889 /system/bin/linker
beb87000-beba8000 rw-p 00000000 00:00 0 [stack]

40046000-4005e000 r-xp 00000000 103:01 429 /system/bin/toolbox
4005f000-40060000 r--p 00018000 103:01 429 /system/bin/toolbox
40060000-40062000 rw-p 00019000 103:01 429 /system/bin/toolbox
40067000-400aa000 r-xp 00000000 103:01 86 /system/lib/libc.so
400aa000-400ad000 rw-p 00043000 103:01 86 /system/lib/libc.so
4011c000-4012f000 r-xp 00000000 103:01 889 /system/bin/linker
4012f000-40130000 r--p 00012000 103:01 889 /system/bin/linker
bef0d000-bef2e000 rw-p 00000000 00:00 0 [stack]
```
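The comparison these three slides make by eye can be automated: parse two /proc/PID/maps snapshots of the same binary and list the mappings whose base address did not move. This is an added example, not code from the talk; the function names are hypothetical, and the embedded input is an excerpt of the two ICS vold snapshots shown above.

```python
import re

# One /proc/PID/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"([0-9a-f]+)-[0-9a-f]+ (\S{4}) [0-9a-f]+ \S+ \d+\s*(.*)")

# Excerpt of the two ICS vold snapshots from the slide (code, stack and heap lines).
ICS_RUN_1 = """\
00008000-0001f000 r-xp 00000000 103:01 436 /system/bin/vold
400b7000-400f9000 r-xp 00000000 103:01 891 /system/lib/libc.so
b0001000-b0009000 r-xp 00001000 103:01 357 /system/bin/linker
beabc000-beadd000 rw-p 00000000 00:00 0 [stack]
00020000-0002f000 rw-p 00000000 00:00 0 [heap]
"""
ICS_RUN_2 = """\
00008000-0001f000 r-xp 00000000 103:01 436 /system/bin/vold
400bc000-400fe000 r-xp 00000000 103:01 891 /system/lib/libc.so
b0001000-b0009000 r-xp 00001000 103:01 357 /system/bin/linker
bee36000-bee57000 rw-p 00000000 00:00 0 [stack]
00020000-0002f000 rw-p 00000000 00:00 0 [heap]
"""

def parse_maps(text):
    """Return {(path, perms): lowest start address} for a maps dump."""
    regions = {}
    for line in text.splitlines():
        m = MAPS_LINE.fullmatch(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        start, perms, path = m.groups()
        key = (path or "[anon]", perms)
        regions[key] = min(int(start, 16), regions.get(key, 1 << 64))
    return regions

def fixed_regions(run_a, run_b):
    """Mappings present in both runs whose start address did not move."""
    a, b = parse_maps(run_a), parse_maps(run_b)
    return sorted(key for key in a.keys() & b.keys() if a[key] == b[key])

def fixed_executable_code(run_a, run_b):
    """Executable mappings at a predictable address, which full ASLR removes."""
    return [path for path, perms in fixed_regions(run_a, run_b) if "x" in perms]

if __name__ == "__main__":
    for path in fixed_executable_code(ICS_RUN_1, ICS_RUN_2):
        print("not randomized:", path)
```

On the ICS excerpt this reports the vold executable and the linker as fixed, while libc and the stack move; the Jelly Bean snapshots, run through the same functions, leave nothing fixed.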
Application Security
Bouncer
• Scans and detects malware while uploading App to Market
• App gets executed in emulator
• Detection of emulator is easy
• Since Jelly Bean 4.2: local version
  • Scans Apps from alternative app stores
App Encryption
• Introduced in Jelly Bean 4.1
• Encrypt paid Apps with device specific key
• Disabled after bugs were found
Android Security Problems
Missing Updates
• At least three parties involved
  • Google/OHA, OEM, Carrier
• Fast product cycle
• Carrier can block updates
• Millions of devices with well known vulnerabilities
Android Version Distribution
[Bar chart by Android version: Donut, Eclair, Froyo, Gingerbread, Honeycomb, Ice Cream Sandwich, Jelly Bean 4.1, Jelly Bean 4.2; axis from 0 to 50]
http://developer.android.com/about/dashboards/index.html, March, 4th 2013
OEM Extensions
• Modifications of the Android core
• Samsung (/dev/exynos-mem, USSD)
• Rootkits in OEM Apps
• Bad software quality
• Linux drivers
Android Security Improvements
New Features in Jelly Bean >= 4.2
• Secure USB debugging (whitelist for adb)
• Better random number generator based on OpenSSL
• SMS confirmation
SEAndroid
• Android combined with SELinux
• Rumor has it: maybe in Android 5.0
• Samsung Knox
Thank you! Q&A