View
2
Download
0
Category
Preview:
Citation preview
463.11.1Mobile OS Security
Computer Security IICS463/ECE424
University of IllinoisPresentation by: Soteris Demetriou
• 463.14– 14.1 Mobile OS Security Overview
• Today (Tuesday)
– 14.2 Attacks on Android• Next class (Thursday)
CS463 Mobile OS Security lecture series
4
• Basic Phone• Phone with SIM Application Toolkit (STK)– Tiny programs stored on GSM SIM cards – Typically enable value-added features
• Feature Phones– Extra features on the phone firmware itself– Typically provided by the phone manufacturer
• Smart Phones– API available that enables third-party apps
Mobile Phone Evolution
5
Growth of Mobile OS
6
Mobiles, Tablets, PC sales
7
• Why worry specifically about mobile OS security? – Smart phones are computing platforms similar to
desktop OS: why not use the same principles?
• PC versus Smart Phones– Users: Root privileges typically not given to user– Persistent Personal Data
• Input is cumbersome, so credentials are frequently stored
– Battery performance is an issue• Implementing some security features may drain battery
– Network usage can be expensive
PC versus Smart Phones
8
• Unique features in Smart Phones– Location Data
• GPS and Wifi-based tracking
– Premium SMS Messages (expensive)– Placing and recording phone calls– Different authentication mechanisms
• Fingerprint reader (available across platform)• Face Unlock (Android 5.0)• Trusted Places, Devices, Voice (Android 5.0)
– Specific markets for mobile apps
PC versus Smart Phones (contd)
9
10
Mobile OS Security Frameworks
• Covered– Apple iOS Security (Briefly)– Android Security Model
• Not Covered– Windows OS– Blackberry– KaiOS
11
iOS Platform
• Core OS Kernel and Core Services– Kernel: based on Mach kernel (like Mac OS X)– APIs: files, network, SQLite, POSIX threads, UNIX sockets ..
• Media layer: supports 2D and 3D drawing, audio, video
• Cocoa Touch: Foundation framework, OO support for collections, file management, network operations, UIKit
Implemented in C, Objective-C or Swift
13
iOS Security
• System security: Integrated and secure software and hardware that are platform for iPhone, iPad etc.
• Encryption and data protection: Architecture and design that protects user data at rest, even when a device is lost or stolen
• App security: Secure platform foundation• Device controls: Methods that prevent
unauthorized use of the device and enable remote device management
14
• Secure boot chain (application processor)– All startup process components are crypto-signed by Apple– Ensure integrity and proceed only after verifying the chain of trust– BootROM -> {Low-level bootloader ->} iBoot -> kernel
• Secure Enclave Coprocessor (Apple’s interpretation of TPM)– Secure crypto-processor (secure boot; encrypted memory)– Provides primitive cryptographic functions– Provides secure storage of cryptographic keys– Responsible of processing fingerprint/face data.
• Touch ID/Face ID (fingerprint sensing/ TrueDepth camera)– NOTE: a strong passcode forms the foundation of your iOS
device’s cryptographic protection
15
iOS System Security
iOS App Security
• Mandatory code signing– All apps must be signed using an Apple-issued certificate
• Runtime protection– App “sandbox” prevents access to other app’s data – System resources, kernel shielded from user apps
• All third-party apps as well as majority of iOS run under a non-privileged user-id: ‘mobile’
– Inter-app communication and background tasks only through iOS APIs – Access to user information (or iCloud) by third-party must be declared
under ‘entitlements. They are fixed in the app’s signature• System Extension Points can run app extensions
– App extensions run as their own processes (e.g. a filter extension for the Camera system app)
• Application data protection– Apps can take advantage of built-in hardware encryption
16
• Each app has own sandbox directory• Limit app’s access to files, preferences,
network, other resources• Same privileges for each app by default• Limits consequences of attacks
iOS Sandbox
17
• iOS apps all have common default permissions (e.g. Internet)
• However (iOS 6, Sep 2012 onwards) certain permissions need to be enabled dynamically (e.g. Location)
18
iOS Permissions
19
Android
20
Android
• Platform outline:– Linux kernel– Embedded Web Browser– SQL-lite database– Software for secure network communication
• Open SSL, Bouncy Castle crypto API and Java library
– Java platform for running applications– C language infrastructure– Also: video APIs, Bluetooth, vibrate phone, etc.
21
ART ( > v4.4)
Android Market
• Open market– Not rigorously reviewed by Google– Bad applications may show up on market– Malware writers can get code onto platform: Self-
signed applications are possible• shifts focus from remote exploit to privilege escalation
• App permissions granted on user installation Android < 6, at runtime for Android >= 6
23
Android Application Structure
• 4 components– Activity – one-user task
• E.g., scroll through your inbox
– Service – Java daemon that runs in background• E.g., application that streams an mp3
– Broadcast receiver• “mailboxes” for messages from other applications
– Content provider• Store and share data using a relational database interface
• Activating components– Via Intents
24
• Message between components in same or different app• Intent is a bundle of information, e.g.,
– action to be taken– data to act on– category of component to handle the intent– instructions on how to launch a target activity
• Routing can be– Explicit: delivered only to a specific receiver – Implicit: all components that have registered to
receive that action will get the message
Android Intents
25
• Declarations– Components– Component capabilities
• Intent filters• Permissions etc.
– App requirements• Permissions• Sensors etc.
Android Manifest File
26
• Example of permissions provided by Android– “android.permission.INTERNET”– “android.permission.READ_EXTERNAL_STORAGE”– “android.permission.SEND_SMS”
• Protection levels– Dangerous, normal, signature, SignatureOrSystem
• Also possible to define custom permissions– To enable or disable other apps to call their features
• Used to be granted at installation but…
Android Permissions
27
• Example of permissions provided by Android– “android.permission.INTERNET”– “android.permission.READ_EXTERNAL_STORAGE”– “android.permission.SEND_SMS”
• Protection levels– Dangerous, normal, signature, SignatureOrSystem
• Also possible to define custom permissions– To enable or disable other apps to call their features
• Used to be granted at installation but…
Android Permissions
28
• Runtime permissions– Dangerous permissions granted at
runtime– Normal and signature permissions
still granted at installation– Only valid for modern apps (API
>= 23), permissions are still install time for legacy app
– Permissions granted based on a permission group basis (changes in Oreo - version 8)
Android Runtime Permissions
29
Android Permission Groups
30
• All dangerous permissions in a group will be granted!
Isolation
• Multi-user Linux operating system • Each application normally runs as a different user
– Each app has its own VM– Traditional linux-based permissions apply (DAC or Discretionary
Access Control)
• Applications announce permission requirements– Create a whitelist model – user grants access– ICC reference monitor checks permissions (MAC, or Mandatory
Access Control )
31
Linux ProcessDalvik / ART
App 1
Linux ProcessDalvik / ART
App 2
Binder IPC & Permission Enforcement
33
App 1
Android Middleware
Binder IPC
Linux Kernel
App 2
A1C1 A2C1
DAC
MACICC Reference Monitor
Intent
File
Sys
tem
, Soc
kets
34
Comparison: iOS vs Android
Comparison: iOS vs Android• App approval process
– Android apps from “open” app store– iOS vendor-controlled store of vetted apps
• Application permissions– Android permission based on install-time manifest (< 6.0)
• ask-on-first-use (>= 6.0)– All iOS apps have same set of “sandbox” privileges
• Slightly modified from iOS6 onwards
• App programming language– Android apps written in Java; no buffer overflow…– iOS apps written in Objective-C (now Swift)
• TPM on smartphones!35
Android activation estimated at 1 billion by Nov. 2013
~85% of all mobile malware attacks since 2011 on Android
Android malware families quadruple from 2011 to 2012
Android malware
# of Android malware from Q3 2011 to Q2 2012
36
http://www.androidpolice.com
Skype Privacy Leak
37
http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html
Skype Privacy Leak
38
http://blogs.skype.com/security/2011/04/privacy_vulnerability_in_skype.html
Skype Privacy Leak
39
Free Games:
Not just private information but your money• Angry Birds, Assassin's
Creed, Cut the Rope• Repackaged version on
unofficial application stores• permissions - "sending
messages at premium rates"• send messages every time
app is started• intercept and consume
incoming credit card transaction alerts
40
Free Games: Really?
GingerBreak!• root exploit• install malicious code• communicate to remote
websites to compromise phone information
• download and install further malware
• your device - a part of botnet under the control of hackers
41
• App-store based model– Rely on manual audit (iOS) and accountability– Rely on automated analysis (Android)
• Google Bouncer
• Hardened Platform Security– Security Enhancements for Android (SEAndroid)
• SELinux equivalent for Android
Countermeasures
42
Google Bouncer
43
• Perform Static and Dynamic Analysis– Exact details not known
• Static Analysis (conjectured)– Look at information flow from sources to sinks– Impractical to do it for all possible cases
• Choose some sensitive sinks and sources
• Dynamic Analysis (reverse engineered)– Run app for 5 minutes (emulator)– Look for hidden behavior
• Unknown heuristics
• If flagged à manual analysis à suspension
Google Bouncer
44
• Should Apple allow the FBI to access phones? What security and practical implications would such a decision entail?
Discussion Questions
58
• Which permission model do you prefer: Installation-Time vs Ask-On-First-Use vs something else?
• We’ve seen that most of mobile malware target Android phones? Why do you think this is happening? Is iOS more secure?
• What could a malware do on a mobile device vs a desktop machine?
Discussion Questions
59
• https://www.apple.com/business/docs/iOS_Security_Guide.pdf• https://source.android.com/security/• [EnckIEEES&P09] Understanding Android Security. Enck, William,
Machigar Ongtang, and Patrick McDaniel. "Understanding android security." IEEE security & privacy. 2009
• [WijesekeraUsenix15]: Primal Wijesekera, University of British Columbia; Arjun Baokar, Ashkan Hosseini, Serge Egelman, and David Wagner, University of California, Berkeley; Konstantin Beznosov, University of British Columbia
• [SmalleyNDSS13]: Smalley, Stephen, and Robert Craig. "Security Enhanced (SE) Android: Bringing Flexible MAC to Android." NDSS. Vol. 310. 2013.
Reading
62
Recommended