back to basics

redlemonbalm, Mobile – Wireless Technologies

10 Dec 2013 (3 years and 8 months ago)

107 views

Description:
brief introduction to basic android security mechanisms

Speakers:
Adrien Hamraoui
Fabien Duchene

Android security: back to basics!
SecurIMAG
2011-12-15

WARNING: SecurIMAG is a security club at Ensimag. Thoughts, ideas and opinions are not related to Ensimag. The authors assume no liability including for errors and omissions.

¡¡_ (in)security we trust _!!!
Grenoble INP Ensimag

Summary
SecurIMAG - Android security-back to basics - A. Hamraoui - F. Duchene - 2011-12-15

- En-droeede?
- Android security mechanisms
- Droid, show your dark side!
- Practical demonstration: from trial to full version

1/ En-droeede?

- History
- Android overview
- Dalvik
- Play with that robot?

1.1 History

- 2003: Android Inc.
- 2005: Google
- 2007: product release
- 2010: ROI

Different OS versions of Android market, in 2011:
Source: Sécurité du système Android, Nicolas Ruff (EADS), SSTIC 2011

1.2 Android introduction

- Linux kernel 2.6.xxxxx
- Some divergences
- Smartphones
- ARM

1.2. Android overview

1.3. Dalvik?

- Dalvik VM ~ Java VM … in a special flavor:
- Class: subset of the Apache_Harmony specifications
  o No JME, Swing, AWT
- Just-in-time compiler
- No stack machine, but register-based
  o lower CPU frequency => for a similar performance
- 16 bit instruction set
- No swap
- Executables: DEX format
  http://source.android.com/tech/dalvik/dex-format.html
1.3 How to play with that robot?

- Phone:
  o Debug .. then SDK
  o Root it
  o Obvious bugs in stupid customized constructor GUI.. WTF!!
- Virtualized:
  o Same stuff except SIM card, thus GSM network
  o “Android Emulator” .. from Android SDK
  o VirtualBox compatible VM

2/ Android security mechanisms

- Application permissions
- Signature, updates
- Physical access
- Encryption
- DEP, ASLR
- Rooting
- Anti-rooting protections

OS architecture

Android application

- .apk: JAR with .apk extension
- Mime: application/vnd.android.package-archive
- Content:
  o MANIFEST.MF (JAR typical)
  o CERT.RSA: certificate of the application
  o CERT.SF (list of SHA-1 hashes of resources)
  o classes.dex
  o res: dir. of resources used
  o AndroidManifest.xml: application name, permissions, referenced libraries
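The per-entry SHA-1 digests are what make an APK whose classes.dex was edited without re-signing detectable, which is why part 4 of this deck needs a "Correct the signature" step. Added Python example, not code from the slides: it checks every zip entry against the SHA1-Digest recorded in MANIFEST.MF, using a constructed sample APK; it does not parse CERT.SF or CERT.RSA, so it cannot tell whether the signer is the original developer (a package re-signed by jarsigner with any key satisfies these digests).

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text):
    """Map entry name -> SHA1-Digest (raw bytes) from MANIFEST.MF.
    Assumes no 72-byte line continuations (jarsigner only wraps long names)."""
    digests, name = {}, None
    for line in text.splitlines():
        if line.startswith("Name: "):
            name = line[6:]
        elif line.startswith("SHA1-Digest: ") and name:
            digests[name] = base64.b64decode(line[13:])
    return digests

def verify_apk_digests(apk_bytes):
    """Return entries whose content does not match MANIFEST.MF (modified files)
    plus entries absent from it (added files). Empty list = consistent."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        manifest = parse_manifest(z.read("META-INF/MANIFEST.MF").decode())
        for info in z.infolist():
            if info.filename.startswith("META-INF/") or info.is_dir():
                continue
            expected = manifest.get(info.filename)
            if expected is None or hashlib.sha1(z.read(info)).digest() != expected:
                bad.append(info.filename)
    return bad

def build_sample_apk(files):
    """Constructed sample: zip {name: bytes} with a MANIFEST.MF carrying one
    SHA1-Digest per entry, as jarsigner writes it (CERT.SF/CERT.RSA omitted)."""
    lines = ["Manifest-Version: 1.0", ""]
    for name, data in files.items():
        digest = base64.b64encode(hashlib.sha1(data).digest()).decode()
        lines += ["Name: " + name, "SHA1-Digest: " + digest, ""]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "\r\n".join(lines))
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def repack(apk_bytes, name, data):
    """Rebuild the zip with one entry replaced or added and META-INF left
    untouched: what an edited-but-not-re-signed APK looks like."""
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as src, zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            if info.filename != name:
                dst.writestr(info.filename, src.read(info))
        dst.writestr(name, data)
    return buf.getvalue()
```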
Application Permissions

- Exposes permissions
- User is prompted when installing or updating
  Manifest.permission – android developers

Application Signature

- Application
- self-signed issuing certificate possible (difference with iOS)

Firmware Updates

- Automatic – if permissions do not change
- Over-the-air OS update (no crappy music/video/podcast/photo/updater/contact syncer/reader/wtf needed ;)

Isolation, Sandboxing

Each application:
- own GID:UID
- own storage directory (could be on SD-card)
- DEX only able to instantiate classes:
  o Within exec
  o Resources (in APK)
  o Defined in Manifest

Physical access

- Authentication / Screen unlock
  o PIN, Password
  o Pattern: contiguous path within a 9-node graph
  o If too many errors, possibility to reinitiate with Google ID security question
- Cold boot attacks
- SD-card:
  o no permission (FAT volume)
  o Out of the box no encryption
Encryption

- Whole disk encryption (Android >= 3.0)
- Password screen lock
- /data
  o AES128 CBC + ESSIV:SHA256 (pwd, salt, SHA-1)
- Password change => re-encrypt
  o dm-crypt (linux kernel)
- No HW acceleration
- Vuln: evil-maid, cold-boot

Deep Dive Android Security, Aleksandar Gargenta, AnDevConII, 2011

Memory security protection

Protection               | Against ...
-------------------------|-----------------------------------------------
DEP (android >= 2.3)     | Code execution on the stack and heap
ProPolice                | Stack BOF
safe_iop()               | Reduce probability of Int OF
Dlmalloc() [OpenBSD]     | Double-free
Calloc() [OpenBSD]       | Integer OF during allocation
mmap_min_addr() [Linux]  | Null pointer dereference privilege escalation

ASLR

- Today:
  o Prelinking (@ fixed, for performance)
  o Shared libs compiled as Position Independent Code
  o Base executables PIC, but not linked as PIE
  o Dynamic linker at a fixed address (not able to relocate itself, diff. ld.so)
  o Return-to-libc possible
- proposal: Address Space Randomization for Mobile Devices
  o State of the art of ASLR (PAX, Windows, Mac OS X)
  o Disable lib pre-linking: how does it affect compilation?
  o Randomization during update
  o Implemented in android 4.0 (haven’t checked how)

3/ Droid, show your dark side!

- Big Brogle is watching you
- Rooting
- Attack surface
- Permissions … SE
- Malwares

Big Brogle is watching you

- Remote kill switch (Google)
- Have you looked at the WHOLE kernel and firmware to check if a stolen gate does not exist?

Device administrator

Rooting

- the good:
  o Total control
  o Remove system apps (or operators’ apps, eg: “Orange contact backup”)
  o Remove rootkit? ;)
- method:
  o Exploit vuln. of the current firmware
  o Recovery partition -> alternate OS
  o .. Stored on /sdcard: already rooted firmware
  o Reboot in recovery, flash with rooted fw
  o Superuser.apk; /system/bin/su

Bad rooting stuff..

- Save the previous image
- If a non-trusted app is run, the whole OS+data is ***ed up
- Sometimes disables protections

Attack surface

- Webkit rendering engine
  o http://www.exploit-db.com/exploits/15548/
  o http://www.exploit-db.com/exploits/16974/
- OS: libc, adb
- Native flash player
- Communication interfaces:
  o Data, 3G, always connected
  o Wifi
- Data processing:
  o SMS (eg: Charlie Miller, iOS, SMS fuzzing, crashed the SMS rendering process every time a specially crafted SMS was received, BlueHat 2011)
  o Voicemail

Permissions

- Social-Engineering:
  o Would a n0ob standard user make the right decision?
  o Some “normal” permissions hidden
  o When there are a lot of permissions, do you really read them?
  o “App phishing”?

Android malwares

Funny attack: tap-jacking

- Malicious app:
  o Starts a sensitive activity (eg: Application trust)
  o Overlays part of or the whole screen
  o Fools the user into clicking
  o Click not handled by the attacker layer

Random remarks

- NO:
  o Firewall
  o HIDS
  o Anti-Malware

4/ practical demonstration: from trial to …

- Obtaining the .apk
- Extracting the DEX
- Visualizing the source code
- Modifying the bytecode
- Correct the signature
- Reinject the application

4.1/ Obtaining the application

- First step: get the app from your phone
- Use the adb shell to locate the package:
  o Check at /data/app or /data/app-private
- Download it with the adb pull command
- Now let’s have fun!

4.2/ Coffee time

- Now let’s have a look at the source code!
- Use dex2jar to convert your .apk file into a .jar
- Use JDGUI to view the source code
- Nice! But can’t edit the code

4.3/ give me bytecode please!

- Use apktool to reverse the apk into bytecode
- By the way, thanks google for maintaining apktool!
- Apktool extracts all the resources of the apk: AndroidManifest, layouts, values, pictures
- Use adb to download the preferences file of the application

4.4/ Let's see what you're made of, mister!

- Find the entrance door in the AndroidManifest
- Read the code from JDGUI and edit it in the smali files
4.5/ practical demonstration

- Now it is time to recreate the apk!
- Use apktool again to build your package
- Now sign your package with jarsigner (any key will work)
- Use adb to install the new package!

4.6/ Some tools

- Useful software:
  o Dex2Jar: https://code.google.com/p/dex2jar/
  o JDGUI: http://java.decompiler.free.fr/?q=jdgui
  o Apktool: https://code.google.com/p/android-apktool/
  o Jarsigner: http://docs.oracle.com/javase/1.3/docs/tooldocs/win32/jarsigner.html
  o Smali Wiki: https://code.google.com/p/smali/w/list
- Where it all began: https://www.youtube.com/watch?v=m8fdbfjc8OU

Conclusion

- A lot of people say “Android is to the mobile environment what Windows used to be in the 90’s”
- Good basis:
  o Various mitigation techniques (OpenBSD, Linux)
- BUT:
  o not all phones have NX/DEP in the OS
  o most deployed versions lack ASLR
- Large attack surface
- Permissions: imperfect (SE vulnerable)
- Dalvik VM (similarities to Java) facilitates the reverse engineering process of DEX applications