SMARTPHONES AND RELATED TECHNOLOGIES Roberto Beraldi


Smartphone = Computer+
• A smartphone is indeed a sophisticated computer
• Application CPU, Baseband CPU, GPU, Encryption CPU
• RAM, ROM, Flash
• Rich set of sensors and communication technologies (GSM, Wi-Fi, BT, NFC, ...)
• Custom OS and application management
• Android (Linux), iOS (BSD)
• Special care is taken to ensure security
• Sensitive data are stored
• Contacts, messages sent/received, bank info, etc.
• Mobile Payment
• Unwanted actions
• ...

Main stakeholders (diagram)
• Mobile Device
• Device Manufacturer (Apple vs many)
• OS/Platform Provider (AOSP vs iOS; Google vs Apple vs ...)
• User
• Developer (Android Studio vs Xcode)
• Official Marketplace

Why is security so important?

OS installation
• Secure boot (chain)
• Only a signed OS from a known origin can be loaded: integrity, authenticity
• dm-verity (Android, against rootkits)
• iOS update
• Downgrade not possible (unless...)
• Hash of the update code, device unique ID (ECID) and a nonce from the device (Apple)
• No copy to other devices, no old versions

Verified boot (iOS) (figure)

Booting (Android) (figure)

Digital signature (figure)

Recovery mode
• 'Magic' combination of keys allowing:
• Reboot system
• Apply update from...: firmware installation (from internal storage, SD card or PC (adb))
• Wipe...: e.g., factory data reset
• Connect to iTunes for a new download (iOS)

Application installation
• iOS:
• Official marketplace (Apple)
• Undergoes approval (application vetting)
• PC (debug only)
• Android:
• Official marketplace (Google Play, >1.5M apps)
• Amazon Appstore, GetJar, Samsung Apps, Mobogenie, SlideMe, Phoload, Insyde Market, Camangi, F-Droid, etc.
• PC (debug)
• Server (setting: unknown origin)
• Tools:
• Verify Apps (warns about installed malicious apps)

Application installation
• Developer registers with the marketplace
• Developer signs the app and uploads it to the MP
• MP owner can in turn sign the app
• (For debug purposes the app can be uploaded via USB)
• (For Android, it can be downloaded from any server)
• Users download the app and grant permissions
• App installer verifies the app signature (origin and integrity)
• Policy manager stores the granted permissions for future checks (at run-time) to implement sandboxing

Main security techniques in mobile phones
• Application isolation
• Sandboxing
• Permission-based access control
• Users grant/revoke permissions to perform sensitive operations
• Application signing
• Only signed apps can be installed (e.g., from Apple)
• Updates must come from the same developer
• Data encryption
• Application vetting (Apple)
• Memory randomization (Apple)

Some words about sandboxing
• Sandbox: a security mechanism for separating running programs, usually in an effort to mitigate system failures or software vulnerabilities from spreading [Wikipedia].

Sandbox (figure): a Process/User inside its sandbox and a Resource/Object inside its sandbox, connected through a 'secure' communication facility.

Sandboxing in Android (at kernel level)
• Exploits the multiuser facility
• During installation, each package gets a user identifier (UID) and a group identifier (GID)
• Each application has a corresponding Linux user
• app_x → 10000 + x
• Ex.apk → 10001 (first installed app)
• Recall the DAC policy: (owner, group, other) × (r, w, x)
• As different apps receive different UIDs (unless... see later), they cannot share resources; in particular, a file created by an app cannot be accessed by other apps
• To access system resources (like the camera, /dev/camera) an app is assigned the same GID as the resource
• At app level this is mapped to the notion of permission (see later)

Sandboxing in iOS (figure)

Permissions in Android (main idea) (figure)

UID-GID (figure)

Sandboxing in Android (Binder)
• As apps run with different process IDs, an Inter-Process Communication (IPC) framework is required
• In Android, a special framework called Binder is used for inter-process communication
• Binder mediates any communication
• When a process makes a call, Binder checks whether the caller has been assigned the required permission
• If the calling process has the required permission then the service invocation is allowed
• Otherwise, a security check exception is thrown (usually, SecurityException)

https://crypto.stanford.edu/cs155/lectures/
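As an added example (not part of the slides and not AOSP code), a small Python model of the mechanisms on the Android sandbox slides above: install-time UID allocation (app_x → 10000 + x), the DAC check on the per-app data directory and on /dev/camera through a permission-to-GID mapping, and the Binder-side permission check that raises SecurityException. The group name, the permission-to-GID mapping and the paths are assumed values.

```python
# Constructed model of Android's per-app UID sandbox, the install-time permission
# grant and the run-time Binder check; it is an illustration, not AOSP code.
FIRST_APP_UID = 10000
PERM_TO_GID = {"android.permission.CAMERA": "camera"}   # assumed permission -> group

class SecurityException(Exception):
    """Raised by the Binder-side check when the caller lacks a permission."""

class PolicyManager:
    def __init__(self):
        self.uids, self.granted = {}, {}
        # path -> (owner, group, mode); the camera node is root:camera rw-rw----
        self.files = {"/dev/camera": ("root", "camera", 0o660)}

    def install(self, package, granted_perms):
        """Allocate app_x -> 10000 + x (first app gets 10001) and store the grants."""
        x = len(self.uids) + 1
        uid = FIRST_APP_UID + x
        self.uids[package] = uid
        self.granted[uid] = set(granted_perms)
        # private data directory owned by the app's own Linux user, mode rwx------
        self.files[f"/data/data/{package}"] = (package, package, 0o700)
        return uid

    def groups(self, package):
        """The app's own group plus the system GIDs mapped from granted permissions."""
        gids = {package}
        for perm in self.granted[self.uids[package]]:
            if perm in PERM_TO_GID:
                gids.add(PERM_TO_GID[perm])
        return gids

    def can_access(self, package, path, want):
        """DAC check: (owner, group, other) x (r, w, x) against the object's mode bits."""
        owner, group, mode = self.files[path]
        bit = {"r": 4, "w": 2, "x": 1}[want]
        if owner == package:
            return bool((mode >> 6) & bit)
        if group in self.groups(package):
            return bool((mode >> 3) & bit)
        return bool(mode & bit)

    def check_calling_permission(self, calling_uid, permission):
        """What a Binder service does before serving a call from calling_uid."""
        if permission not in self.granted.get(calling_uid, set()):
            raise SecurityException(f"uid {calling_uid} lacks {permission}")
        return True
```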

SELinux in Android
• The Android sandbox also uses Security Enhanced Linux (SELinux) to enforce Mandatory Access Control (MAC) over all processes, even processes running with root and superuser privileges (Android 5+)
• SELinux provides a centralized, analyzable policy and strongly separates processes from one another
• Drawbacks: many policy rules (complexity)

• https://static.googleusercontent.com/media/enterprise.google.com/en//android/static/files/android-for-work-security-white-paper.pdf

SEAndroid Access Control (figure)
• Subjects (domains): Application, ...
• Operations: R, W, X, bind, ...
• Objects: File, Socket, ...
• Rule form: allow [domain] [type] : [class] [allowed permissions], where the domain is the subject and the type is the object

https://source.android.com/security/selinux/
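As an added example (not from the slides or from the AOSP policy), a Python parser and evaluator for rules in the allow [domain] [type]:[class] { permissions } form shown above, with the default-deny behaviour of MAC. The rules and the type names are constructed for this example.

```python
import re

# Constructed illustrative rules in the form  allow domain type:class { perms };
# written for this example, not copied from the AOSP policy.
POLICY = """
allow untrusted_app app_data_file:file { read write open getattr };
allow untrusted_app app_data_file:dir { search read open };
allow untrusted_app camera_device:chr_file { read write ioctl open };
allow untrusted_app untrusted_app:unix_stream_socket connect;
"""

RULE = re.compile(
    r"^allow\s+(?P<domain>\S+)\s+(?P<type>\S+):(?P<cls>\S+)\s+"
    r"(?:\{(?P<perms>[^}]*)\}|(?P<perm>\S+))\s*;$"
)

def parse_policy(text):
    """Return {(domain, type, class): set(perms)}; a malformed line raises ValueError."""
    rules = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"bad rule: {line}")
        perms = (m["perms"] or m["perm"]).split()
        rules.setdefault((m["domain"], m["type"], m["cls"]), set()).update(perms)
    return rules

def is_allowed(rules, domain, obj_type, cls, perm):
    """MAC decision: denied unless an allow rule grants exactly this permission."""
    return perm in rules.get((domain, obj_type, cls), set())
```

Real policy also uses type attributes and neverallow rules; this evaluator handles plain allow rules only.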

Trusted Execution Environment (TEE) - Android

• A TEE processor is typically a separate microprocessor in the system or a virtualized instance of the main processor.

• The TEE processor is isolated from the rest of the system using memory and I/O protection mechanisms supported by the hardware. It runs its own OS

Data encryption (Android)
• Cryptography is used throughout Android to provide confidentiality and integrity
• Google supports most of the industry-standard algorithms
• All user-created data is automatically encrypted before committing it to disk, and all reads automatically decrypt data before returning it to the calling process
• The encryption algorithm is 128-bit AES with cipher-block chaining (CBC) and ESSIV:SHA256

Source:https://static.googleusercontent.com/media/enterprise.google.com/en//android/static/files/android-for-work-security-white-paper.pdf

Data encryption (apple)

Source:https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Secure Enclave - Apple
• The Secure Enclave is a coprocessor fabricated in the Apple S2, Apple A7, and later A-series processors
• It uses encrypted memory and includes a hardware random number generator
• The Secure Enclave provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised
• Used in Mobile Payment with Touch ID
• Apple has not released its design specifications

Android versions
• Cupcake (1.5)
• Donut (1.6)
• Éclair (2.0/2.1)
• Froyo (2.2)
• Gingerbread (2.3)
• Honeycomb (3.0/3.1/3.2)
• Ice Cream Sandwich (4.0)
• Jelly Bean (4.1/4.2/4.3)
• KitKat (4.4)
• Lollipop (5.0/5.0.2)

HW: Sensors
• Most devices have built-in sensors that measure motion, orientation, and various environmental conditions
• Three broad categories of sensors:
• Motion sensors. These sensors measure acceleration forces and rotational forces along three axes. This category includes accelerometers, gravity sensors and gyroscopes
• Position sensors. These sensors measure the physical position of a device. This category includes magnetometers and proximity sensors
• Environmental sensors. These sensors measure various environmental parameters, such as ambient air temperature and pressure, illumination, and humidity. This category includes barometers, photometers, and thermometers

Example of list of available sensors (iPhone 6S+)
• Proximity sensor
• Ambient light sensor
• 12MP Camera with OIS
• Accelerometer
• Gyroscope
• Compass
• Barometer
• NFC for Apple Pay
• Touch ID fingerprint scanner
• Pressure sensitive display

Example: Accelerometer
• They are Micro-ElectroMechanical Systems (MEMS) or micromachines

http://www5.epsondevice.com/en/information/technical_info/gyro/

GPS
• Based on triangulation
• Principle: the position of a device can be determined from its distances from 3 known positions and their coordinates

All details: http://geomatica.como.polimi.it/corsi/misure_geodetiche/seminario20040519.pdf

Triangulation (2D) (figure): three known points $(x_1,y_1)$, $(x_2,y_2)$, $(x_3,y_3)$ at distances $d_1$, $d_2$, $d_3$ from the unknown point $(x,y)$

$(x_1-x)^2+(y_1-y)^2=d_1^2$

$(x_2-x)^2+(y_2-y)^2=d_2^2$

$(x_3-x)^2+(y_3-y)^2=d_3^2$

GPS
• Based on triangulation
• 24+3 satellites
• Circular orbits on 6 orbital planes at about 20 Km from the ground
• The receiver computes the distance from the satellites using synchronized clocks
• Computing the distance requires knowing the delay (about 0.007 s) and the start time of the received signal
• Satellite clocks are atomic clocks, while GPS receiver clocks are not, but their values are adjusted when the intersection of the spheres is not unique
• Relativistic effects have to be managed

All details: http://geomatica.como.polimi.it/corsi/misure_geodetiche/seminario20040519.pdf

GPS (figure): satellite at $(x_s,y_s,z_s)$, receiver at $(x,y,z)$, distance $d$

$d^2=(x_s-x)^2+(y_s-y)^2+(z_s-z)^2$

$d=\lambda(t-\delta t)$

4 equations → 4 satellites
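As an added example (not from the slides), a Python Gauss-Newton solver for the 4-satellite system above: unknowns are the receiver position $(x,y,z)$ and the receiver clock offset $\delta t$, which enters each distance as a range bias $b = c\,\delta t$; the 2D triangulation figure is the same system without the clock term. The satellite coordinates, receiver position and clock error are constructed values, not a real almanac.

```python
import math

C = 299_792_458.0  # speed of light, m/s

def gauss_solve(a, b):
    """Solve the square system a*x = b by Gauss-Jordan elimination with pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for k in range(col, n + 1):
                    m[r][k] -= f * m[col][k]
    return [m[i][n] / m[i][i] for i in range(n)]

def pseudoranges(sats, true_pos, clock_bias_s):
    """Constructed measurements: true distance plus the receiver clock error c*delta_t."""
    return [math.dist(s, true_pos) + C * clock_bias_s for s in sats]

def fix(sats, rho, iters=20, tol=1e-6):
    """Gauss-Newton solution of rho_i = ||s_i - p|| + b for p (dim unknowns) and b.
    Needs exactly dim + 1 satellites (4 in 3D); starts from the Earth's centre."""
    dim = len(sats[0])
    p, b = [0.0] * dim, 0.0
    for _ in range(iters):
        jac, res = [], []
        for s, r_meas in zip(sats, rho):
            r = math.dist(s, p)
            jac.append([(p[k] - s[k]) / r for k in range(dim)] + [1.0])
            res.append(r + b - r_meas)
        step = gauss_solve(jac, [-v for v in res])   # linearised correction
        p = [p[k] + step[k] for k in range(dim)]
        b += step[dim]
        if max(abs(v) for v in step) < tol:
            break
    return p, b / C   # position (m) and clock offset delta_t (s)

# Constructed satellite positions (m) at the GPS orbital radius; not a real almanac.
SATS = [(26_571_000.0, 0.0, 0.0), (18_789_000.0, 18_789_000.0, 0.0),
        (18_789_000.0, 0.0, 18_789_000.0), (18_789_000.0, -13_285_000.0, -13_285_000.0)]
TRUE_POS, TRUE_DT = (6_371_000.0, 0.0, 0.0), 1e-3   # receiver on the surface, 1 ms clock error

if __name__ == "__main__":
    pos, dt = fix(SATS, pseudoranges(SATS, TRUE_POS, TRUE_DT))
    print([round(v, 3) for v in pos], dt)
```

With only four measurements the clock error of 1 ms (about 300 km of range) is absorbed entirely by the fourth unknown, which is why the slide needs a fourth satellite.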

HW: location
• Other location providers are based on cell-ID and Wi-Fi
• Android uses these methods together (GPS, cell tower, Wi-Fi) to get an idea of where the device is, and makes that available to apps via a "Location Services" API

Touch screen technologies
• Resistive touch screen
• Capacitive touch screen (→ used in modern smartphones)
• Single touch / multi-touch (pointers)

Touch screen: gesture, icons, LCD (figures)

Pixel density (dots per inch, dpi)
Figure: a screen of width $w$ and height $h$ pixels (here 480/320, aspect ratio AR = 3:2), whose sides $1.5x$ and $x$ (in inches) span the diagonal $d$.

Worked example: $(1.5x)^2 + x^2 = d^2$ → $x = 1.77$ → dpi $= 320/1.77 = 180$ dpi

General case: $(AR^2 + 1)\,x^2 = d^2$ → $x = d/\sqrt{1 + AR^2}$ → dpi $= w/x$

Other «magic integers»: 4:3, 5:3, 16:9, 16:10

Human eye resolution: about 600 dpi at 30 cm

Example: density and screen size(android)

See also: https://design.google.com/devices/