Android security overview and safe practices for web-based Android applications 
Incalza Dario (@h4oxer) 
Contents 
• Introduction 
• Overview Android platform 
• Attack surfaces in Android 
• Security in web-based applications 
xda:devcon '14 - Manchester - Dario Incalza 
Introduction 
• XDA Recognized Developer 
• M.Sc. student in Computer Science, majoring in Development of Secure Software @ KU Leuven 
• Android enthusiast/developer 
• Blogger (http://h4oxer.wordpress.com) 
Introduction 
• Not a technical talk 
• A call to action 
• Security is also your responsibility 
• No need to be a security expert 
The Android platform 
• Components in five main layers 
– Android applications 
– Android Framework 
– Dalvik Virtual Machine (ART since Android 4.4) 
– User-space native code 
– The Linux kernel 
The Android platform (image-only slide) 
Android Applications 
• Allow third-party developers to add functionality 
• Interact with the system through the Android Framework API 
• Applications are signed with keys 
– Creates a trusted relationship between an app and its updates 
• Application components 
– AndroidManifest.xml, Intents, Activities, Broadcast Receivers, Services and Content Providers 
Android Framework 
• Interface for Android applications 
• Allows developers to perform common tasks 
• Standard and third-party libraries 
– e.g. Apache HTTP and the SAX XML parser 
• Framework managers 
– e.g. Activity Manager, View System, Package Manager, etc. 
The Dalvik Virtual Machine 
• Based on the Java Virtual Machine 
• Register-based, whereas the JVM is stack-based 
• Pretty close to Java, but not quite the same 
• DEX and ODEX (optimized DEX) files 
• Zygote 
– Shared core classes and libraries 
– Loader (parent process) for Dalvik processes 
User-Space Native Code 
• Native code in operating-system user space 
• Consists of two primary groups 
– Libraries: 
• Shared libs, accessed through JNI 
• Vendor-specific vs. non-vendor-specific 
• Bionic (the C library) 
• Interesting for security researchers 
– Core system services 
• Init 
• Radio Interface Layer (RIL) 
• ADB 
The Kernel 
• Linux kernel, but an Android-specific fork 
• Binder 
– IPC mechanism 
– Client-server model 
– PID and UID identification for access control 
• Logger 
– Four buffers: main, system, radio, event 
– Read with LogCat 
The Android Platform: Conclusion 
• Very complex system 
• Principle of least privilege 
• An exploit on Android is usually a chain of several vulnerabilities 
– e.g. ‘diaggetroot’ for the HTC J Butterfly 
Attack Surfaces in Android 
• Terminology 
– Attack Vector: the method used to carry out an attack 
– Attack Surface: a target’s ‘open flanks’ 
• Classification of attack surfaces 
– Physical Adjacency 
– Local 
– Physical 
– Remote 
Attack Surfaces in Android 
• Surface properties 
– Attack Vector 
– Privileges Gained 
– Memory Safety 
– Complexity 
• General rule: an attacker wants as much privilege as possible for as little investment as possible 
Attack Surface – Physical Adjacency 
• Attacker is within range of the victim 
• Wireless communication channels 
– GPS 
– Baseband 
– Bluetooth 
– Wi-Fi 
– NFC 
Attack Surface – Physical Adjacency 
• Global Positioning System (GPS) 
– One-way communication mechanism 
– Accessible through android.location.* or Google Play Services 
– End-user privacy not always respected 
– Location spoofing attacks 
Attack Surface – Physical Adjacency 
• Baseband 
– Communicates with mobile networks 
– Runs its own baseband firmware 
– Mostly Man-in-the-Middle (MITM) attacks 
• Set up a base station with a strong signal 
• Rogue Base Station Attack 
– Based on protocols 
• Every protocol is an attack surface 
• Resource-intensive to exploit! 
Attack Surface – Physical Adjacency 
• Bluetooth 
– Rich attack surface 
– Based on profiles; more than 30 profiles! 
– Requires pairing 
• Numeric code 
• Hard-coded codes => interesting! 
– Possible attacks: bluejacking, bluesnarfing, bluebugging 
Attack Surface – Physical Adjacency 
• Wi-Fi 
– Rich attack surface 
– Attack surface similar to Bluetooth 
– Very extensive 
Attack Surface – Physical Adjacency 
• NFC (Near Field Communication) 
– Built on RFID 
– Three main use cases 
• Tags 
• ‘Beaming’ data 
• Contactless payments 
– Successful attacks on NFC 
• Charlie Miller – set up connections over BT or Wi-Fi 
• Georg Wicherski and Joshua J. Drake – browser attack 
• MWR Labs – exploited file format parsing in Polaris Office 
Attack Surface – Local 
• Ultimate goal: privileged code execution 
• Android security architecture is based on least privilege 
• Use code already running on the device to gain more privileges 
• Interesting when rooting? 
Attack Surface – Local 
• The File System 
– Unix-based 
– Attack surfaces exposed via file system entries 
– Exposed IPC functionality 
– Determine which code sits behind an endpoint 
Attack Surface – Local 
• System Calls 
– The kernel is responsible for handling system calls 
– The kernel must handle malicious data passed in system calls 
– Search for “SYSCALL_DEFINE” in the kernel source code 
Attack Surface – Local 
• Binder 
– Unique to Android 
– Basis of Intents 
– Driver in the kernel 
– Services in native code on top of Binder 
=> Deeper attack surfaces => privilege escalation? 
Attack Surface – Local 
• Other local attack surfaces 
– Shared memory 
– Baseband interface 
– Sockets 
Attack Surface – Physical 
• Requires physical contact with the device 
• Most people consider physical attacks impossible to defend against 
Attack Surface – Physical 
• Dismantling devices 
– Disassembling the device and attacking the hardware itself 
– Hardware is not adequately protected 
– Attack surfaces: 
• Exposed serial ports 
• Exposed JTAG debug ports 
– Check Adam Outler on XDA TV! 
Attack Surface – Physical 
• Android Debug Bridge (ADB) 
– USB debugging 
– “Juice jacking” 
– Now requires authentication with an RSA key pair 
Attack Surface – Remote 
• Largest attack surface 
• Can be devastating 
• Holy grail for an attacker 
Attack Surface – Remote 
• Browser Attacks 
– Browsers are complex systems 
– A lot of web technologies and protocols 
• All of them are attack surfaces! 
– Drive-by attack = trick the user into loading a URL 
– MitM attacks 
– Cross-site scripting (XSS) and Cross-site request forgery (CSRF) 
– Same-Origin Policy (SOP) 
Attack Surface – Remote 
• Other Attacks 
– Ad networks 
– Media and document processing 
– Google infrastructure 
– Malicious apps – third-party app ecosystems 
Security in web-based applications 
• WebView component 
• WebKit web browser engine 
• Extensively used in hybrid applications 
• Remote attack surface => security issues 
Source: MWR Infosecurity 
Security in web-based applications 
• Disable Support for Plugins 
– Additional attack surface: are plugins really needed? 
– webview.getSettings().setPluginsEnabled(false) 
• Disable File System Access 
– Gives the page access to local resources 
– Enabled by default! 
– webview.getSettings().setAllowFileAccess(false) 
• Disable JavaScript 
– webview.getSettings().setJavaScriptEnabled(false) 
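The three settings from this slide, applied together with the related file- and content-URL settings, as an added example (not code from the deck or from any framework it mentions). The class name, the method names and the `pageNeedsJavaScript` flag are chosen here; all `WebSettings` calls are real Android APIs.

```java
import android.annotation.SuppressLint;
import android.webkit.WebSettings;
import android.webkit.WebView;

/** Added example: a hardened WebSettings baseline. Names chosen for this example. */
public final class WebViewHardening {

    private WebViewHardening() {}

    /**
     * The typical hybrid-app setup (the weak configuration): JavaScript switched on
     * and every other setting left at its default, which means file system access
     * and content:// access stay enabled.
     */
    @SuppressLint("SetJavaScriptEnabled")
    public static void weakDefaults(WebView webview) {
        webview.getSettings().setJavaScriptEnabled(true);
    }

    /**
     * The hardened configuration. JavaScript is enabled only when the caller
     * states that the page really needs it, which is the first question to ask.
     */
    @SuppressLint("SetJavaScriptEnabled")
    public static void harden(WebView webview, boolean pageNeedsJavaScript) {
        WebSettings settings = webview.getSettings();

        // Plugins: extra attack surface the page almost never needs.
        // (Deprecated since API 18; later WebView releases dropped plugin support.)
        settings.setPluginsEnabled(false);

        // Local file system access is enabled by default, so switch it off explicitly.
        settings.setAllowFileAccess(false);
        // The two file://-origin relaxations (API 16+): keep both off so that a
        // file:// document, if one ever loads, cannot read other files or reach
        // arbitrary origins.
        settings.setAllowFileAccessFromFileURLs(false);
        settings.setAllowUniversalAccessFromFileURLs(false);
        // content:// URIs (ContentProviders) are also reachable by default.
        settings.setAllowContentAccess(false);

        // JavaScript only when there is a concrete need for it.
        settings.setJavaScriptEnabled(pageNeedsJavaScript);

        // Do not let the WebView persist passwords typed into forms
        // (deprecated since API 18, no-op on newer releases, harmless to keep).
        settings.setSavePassword(false);
    }
}
```

Call `harden(webview, false)` before the first `loadUrl`; settings changed afterwards only apply to subsequent loads. Disabling file access also closes the door that the slide's "access local resources" point refers to.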
Security in web-based applications 
• WebView issues 
– Is JavaScript really necessary? 
– Nothing protects against MitM by itself => use crypto 
– Origin checking! 
– Only load trusted third-party content 
– The Java-JavaScript bridge is dangerous! 
• SOP is not enforced over the bridge 
Security in web-based applications 
• WebView issues 
– The bridge means executing Java code in the context of your app! 
Security in web-based applications 
• Resource inspection 
– Intercept page loads 
– Check them against a whitelist of trusted parties 
– Override the callback methods of WebViewClient 
Security in web-based applications (image-only slide) 
Security in web-based applications 
• Resource inspection 
– What about IFrames, content loaded by script tags, or XMLHttpRequests? 
– Not intercepted by shouldOverrideUrlLoading 
– Override shouldInterceptRequest as well 
Security in web-based applications 
A list of useful methods (android.net.Uri), shown for http://xda-devcon.com/index.html: 
• getHost – Gets the encoded host from the authority for the URI: xda-devcon.com 
• getScheme – Gets the scheme of the URI: http 
• getPath – Gets the decoded path: index.html 
Security in web-based applications 
• addJavaScriptInterface 
– Dangerous 
– SOP is not enforced for the bridge! 
– IFrames => nightmare 
– Hybrid software stacks use this! 
• Apache Cordova 
• Sencha Touch 
– Fracking attacks => generic for all hybrid frameworks 
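One way to put the resource-inspection slides, the Uri method list and the addJavaScriptInterface warnings together, as an added example (not the deck's own code and not taken from Cordova, Sencha Touch or any other framework): a `WebViewClient` that whitelists origins for both top-level navigations and sub-resources using `Uri.getScheme()` and `Uri.getHost()`, plus a bridge object that is registered only alongside that client. The class and method names, the whitelist contents and the https-only rule are choices made here (the deck's own sample URL uses http); the `WebViewClient`, `WebResourceResponse`, `Uri` and `@JavascriptInterface` APIs are real.

```java
import android.annotation.SuppressLint;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Added example: origin whitelisting for a WebView plus a minimal JS bridge. */
public final class TrustedWebView {

    /** Hosts the app is willing to load from (constructed whitelist for this example). */
    private static final Set<String> TRUSTED_HOSTS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("xda-devcon.com")));

    /**
     * Parses the URL with android.net.Uri and checks scheme and host.
     * The pattern matching is the important part: exact host compare or a real
     * subdomain compare, never String.contains(), which would also accept a host
     * such as "xda-devcon.com.attacker.example" (constructed hostname).
     */
    static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();   // e.g. "https"
        String host = uri.getHost();       // e.g. "xda-devcon.com"
        if (scheme == null || host == null) return false;       // relative or malformed
        if (!"https".equalsIgnoreCase(scheme)) return false;    // rejects http:, file:, javascript:
        host = host.toLowerCase(Locale.ROOT);
        for (String trusted : TRUSTED_HOSTS) {
            if (host.equals(trusted) || host.endsWith("." + trusted)) return true;
        }
        return false;
    }

    /** Blocks navigations and sub-resources that are not on the whitelist. */
    static final class WhitelistClient extends WebViewClient {
        // Top-level navigations: link clicks and page-driven redirects.
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            return !isTrusted(url);   // true = "handled", so the WebView does not load it
        }

        // Everything shouldOverrideUrlLoading misses: iframes, <script src>,
        // XMLHttpRequest, images, CSS. Runs on a background thread.
        @Override
        public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
            if (isTrusted(url)) return null;   // null lets the WebView fetch it normally
            return new WebResourceResponse("text/plain", "utf-8",
                    new ByteArrayInputStream(new byte[0]));   // empty body instead of the resource
        }
    }

    /** The object handed to JavaScript: one final class, one annotated method. */
    public static final class AppBridge {
        // With targetSdkVersion 17 or higher only @JavascriptInterface methods are
        // reachable from the page; below that every public method of the object was,
        // which is what "executing Java code in the context of your app" refers to.
        @JavascriptInterface
        public String appVersion() {
            return "1.0";   // constructed value
        }
    }

    /** Wires the client and the bridge before the first load. */
    @SuppressLint("SetJavaScriptEnabled")
    public static void attach(WebView webview) {
        webview.getSettings().setJavaScriptEnabled(true);   // the bridge needs JS
        webview.setWebViewClient(new WhitelistClient());
        // SOP does not apply to the bridge: any frame that gets into the page can
        // call it. The WhitelistClient is what keeps third-party frames and scripts
        // out, so the bridge is only ever registered together with it.
        webview.addJavascriptInterface(new AppBridge(), "AppBridge");
    }

    private TrustedWebView() {}
}
```

The `String` overloads used here are the ones the deck refers to; from API 21 (`shouldInterceptRequest`) and API 24 (`shouldOverrideUrlLoading`) the `WebResourceRequest` overloads exist and, by default, delegate to these, so the checks keep running on newer releases. The whitelist check is deliberately a static method so it can be unit-tested on its own with URLs such as `https://xda-devcon.com/index.html` (accepted) and `https://xda-devcon.com.attacker.example/` (rejected).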
Security in web-based applications: Conclusion 
– Difficult to get right 
– Pattern matching for the whitelist is of extreme importance 
– Watch out for hybrid mobile apps 
– Consider the effort of developing natively 
Thanks! 
Q & A? 
