Android Security Overview

prof. Carlo Bellettini

carlo.bellettini@unimi.it

Sondaggio

Quanti hanno un telefonino Android?

Mia esperienza su Android

ho iniziato a dare alcune tesi su Android quando c’era il G1
ho avuto come telefoni: HTC Hero, Sony Experia Play, Samsung Galaxy Nexus
ho un tablet: Samsung Galaxy Tab 10.1

Deve essere sicuro?

È un target appetitoso

contiene dati sensibili (nostre password, email, calendario, foto, ???)
è sempre connesso (risorsa preziosa per attacchi, per reperibilità..)
sono molto comuni
hw con significativa potenza di elaborazione
nella maggior parte dei casi, gli update (anche di sicurezza) non sono disponibili o installati

Cosa vogliamo?

Proteggere il sistema da applicazioni pericolose
Avere controllo su cosa può fare una applicazione
Avere garanzie su autore dell'applicazione
Avere garanzie che l'applicazione non sia stata manomessa
Bloccare accessi non autorizzati
Tenere sicuri i dati in caso di furto/perdita

Applicazioni scritte in Java?

Usiamo il sandboxing della JVM ?

in realtà non usiamo proprio la JavaVM ma una DalvikVM

non programmiamo solo in Java...

Dalvik VM non effettua sandboxing

Basato su Linux

Linux ci fornisce:

Modello dei permessi user-based
Isolamento dei processi
Meccanismi di IPC sicuri

Application Sandboxing

La sicurezza viene forzata a livello di OS

UID e GUID univoci (localmente) per ogni applicazione
- fissati al momento della installazione
  - si parte da uid = 10000
- permette chiara separazione tra le applicazioni (da parte di OS)
  - identifica le risorse accessibili dalle singole applicazioni

FileSystem Protection

Partizionamento del file system
- / e /system sono read-only
- /data e /cache sono read-write

I file sono assegnati agli Utenti/Applicazioni... quindi gli accessi sono protetti l’uno dall’altra

E’ possibile criptare l’intero file system a livello kernel con dmcrypt

Isolamento di default

Inizialmente una applicazione ad esempio non può:

Leggere o scrivere fuori dalla propria directory
(Dis)Installare/Modificare altre applicazioni
Usare componenti di altre applicazioni
Usare la rete
Accedere ai dati dell'utente (Contatti, SMS, email)
Usare API potenzialmente non gratuite (effettuare chiamate, mandare SMS,...)
Tenere attivo lo schermo, riavviarsi al boot

Permessi

Vengono richiesti per potere eseguire operazioni sensibili
Le applicazioni dichiarano le loro richieste prima della installazione

Sono caratterizzati da:

nome e descrizione
gruppo
livello (normal, dangerous, signature, signatureOrSystem)

lista permessi

Lista permessi da: Manifest.permission

ACCESS_CHECKIN_PROPERTIES: Allows read/write access to the "properties" table in the checkin database, to change values that get uploaded.
ACCESS_COARSE_LOCATION: Allows an application to access coarse (e.g., Cell-ID, WiFi) location
ACCESS_FINE_LOCATION: Allows an application to access fine (e.g., GPS) location
ACCESS_LOCATION_EXTRA_COMMANDS: Allows an application to access extra location provider commands
ACCESS_MOCK_LOCATION: Allows an application to create mock location providers for testing
ACCESS_NETWORK_STATE: Allows applications to access information about networks
ACCESS_SURFACE_FLINGER: Allows an application to use SurfaceFlinger's low level features
ACCESS_WIFI_STATE: Allows applications to access information about Wi-Fi networks
ACCOUNT_MANAGER: Allows applications to call into AccountAuthenticators.
ADD_VOICEMAIL: Allows an application to add voicemails into the system.
AUTHENTICATE_ACCOUNTS: Allows an application to act as an AccountAuthenticator for the AccountManager
BATTERY_STATS: Allows an application to collect battery statistics
BIND_APPWIDGET: Allows an application to tell the AppWidget service which application can access AppWidget's data.
BIND_DEVICE_ADMIN: Must be required by device administration receiver, to ensure that only the system can interact with it.
BIND_INPUT_METHOD: Must be required by an InputMethodService, to ensure that only the system can bind to it.
BIND_REMOTEVIEWS: Must be required by a RemoteViewsService, to ensure that only the system can bind to it.
BIND_TEXT_SERVICE: Must be required by a TextService (e.g.
BIND_VPN_SERVICE: Must be required by an VpnService, to ensure that only the system can bind to it.
BIND_WALLPAPER: Must be required by a WallpaperService, to ensure that only the system can bind to it.
BLUETOOTH: Allows applications to connect to paired bluetooth devices
BLUETOOTH_ADMIN: Allows applications to discover and pair bluetooth devices
BRICK: Required to be able to disable the device (very dangerous!).
BROADCAST_PACKAGE_REMOVED: Allows an application to broadcast a notification that an application package has been removed.
BROADCAST_SMS: Allows an application to broadcast an SMS receipt notification
BROADCAST_STICKY: Allows an application to broadcast sticky intents.
BROADCAST_WAP_PUSH: Allows an application to broadcast a WAP PUSH receipt notification
CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
CALL_PRIVILEGED: Allows an application to call any phone number, including emergency numbers, without going through the Dialer user interface for the user to confirm the call being placed.
CAMERA: Required to be able to access the camera device.
CHANGE_COMPONENT_ENABLED_STATE: Allows an application to change whether an application component (other than its own) is enabled or not.
CHANGE_CONFIGURATION: Allows an application to modify the current configuration, such as locale.
CHANGE_NETWORK_STATE: Allows applications to change network connectivity state
CHANGE_WIFI_MULTICAST_STATE: Allows applications to enter Wi-Fi Multicast mode
CHANGE_WIFI_STATE: Allows applications to change Wi-Fi connectivity state
CLEAR_APP_CACHE: Allows an application to clear the caches of all installed applications on the device.
CLEAR_APP_USER_DATA: Allows an application to clear user data
CONTROL_LOCATION_UPDATES: Allows enabling/disabling location update notifications from the radio.
DELETE_CACHE_FILES: Allows an application to delete cache files.
DELETE_PACKAGES: Allows an application to delete packages.
DEVICE_POWER: Allows low-level access to power management
DIAGNOSTIC: Allows applications to RW to diagnostic resources.
DISABLE_KEYGUARD: Allows applications to disable the keyguard
DUMP: Allows an application to retrieve state dump information from system services.
EXPAND_STATUS_BAR: Allows an application to expand or collapse the status bar.
FACTORY_TEST: Run as a manufacturer test application, running as the root user.
FLASHLIGHT: Allows access to the flashlight
FORCE_BACK: Allows an application to force a BACK operation on whatever is the top activity.
GET_ACCOUNTS: Allows access to the list of accounts in the Accounts Service
GET_PACKAGE_SIZE: Allows an application to find out the space used by any package.
GET_TASKS: Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.
GLOBAL_SEARCH: This permission can be used on content providers to allow the global search system to access their data.
HARDWARE_TEST: Allows access to hardware peripherals.
INJECT_EVENTS: Allows an application to inject user events (keys, touch, trackball) into the event stream and deliver them to ANY window.
INSTALL_LOCATION_PROVIDER: Allows an application to install a location provider into the Location Manager
INSTALL_PACKAGES: Allows an application to install packages.
INTERNAL_SYSTEM_WINDOW: Allows an application to open windows that are for use by parts of the system user interface.
INTERNET: Allows applications to open network sockets.
KILL_BACKGROUND_PROCESSES: Allows an application to call killBackgroundProcesses(String).
MANAGE_ACCOUNTS: Allows an application to manage the list of accounts in the AccountManager
MANAGE_APP_TOKENS: Allows an application to manage (create, destroy, Z-order) application tokens in the window manager.
MASTER_CLEAR
MODIFY_AUDIO_SETTINGS: Allows an application to modify global audio settings
MODIFY_PHONE_STATE: Allows modification of the telephony state - power on, mmi, etc.
MOUNT_FORMAT_FILESYSTEMS: Allows formatting file systems for removable storage.
MOUNT_UNMOUNT_FILESYSTEMS: Allows mounting and unmounting file systems for removable storage.
NFC: Allows applications to perform I/O operations over NFC
PERSISTENT_ACTIVITY: This constant is deprecated. This functionality will be removed in the future; please do not use. Allow an application to make its activities persistent.
PROCESS_OUTGOING_CALLS: Allows an application to monitor, modify, or abort outgoing calls.
READ_CALENDAR: Allows an application to read the user's calendar data.
READ_CONTACTS: Allows an application to read the user's contacts data.
READ_FRAME_BUFFER: Allows an application to take screen shots and more generally get access to the frame buffer data
READ_HISTORY_BOOKMARKS: Allows an application to read (but not write) the user's browsing history and bookmarks.
READ_INPUT_STATE: Allows an application to retrieve the current state of keys and switches.
READ_LOGS: Allows an application to read the low-level system log files.
READ_PHONE_STATE: Allows read only access to phone state.
READ_PROFILE: Allows an application to read the user's personal profile data.
READ_SMS: Allows an application to read SMS messages.
READ_SOCIAL_STREAM: Allows an application to read from the user's social stream.
READ_SYNC_SETTINGS: Allows applications to read the sync settings
READ_SYNC_STATS: Allows applications to read the sync stats
REBOOT: Required to be able to reboot the device.
RECEIVE_BOOT_COMPLETED: Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting.
RECEIVE_MMS: Allows an application to monitor incoming MMS messages, to record or perform processing on them.
RECEIVE_SMS: Allows an application to monitor incoming SMS messages, to record or perform processing on them.
RECEIVE_WAP_PUSH: Allows an application to monitor incoming WAP push messages.
RECORD_AUDIO: Allows an application to record audio
REORDER_TASKS: Allows an application to change the Z-order of tasks
RESTART_PACKAGES: This constant is deprecated. The restartPackage(String) API is no longer supported.
SEND_SMS: Allows an application to send SMS messages.
SET_ACTIVITY_WATCHER: Allows an application to watch and control how activities are started globally in the system.
SET_ALARM: Allows an application to broadcast an Intent to set an alarm for the user.
SET_ALWAYS_FINISH: Allows an application to control whether activities are immediately finished when put in the background.
SET_ANIMATION_SCALE: Modify the global animation scaling factor.
SET_DEBUG_APP: Configure an application for debugging.
SET_ORIENTATION: Allows low-level access to setting the orientation (actually rotation) of the screen.
SET_POINTER_SPEED: Allows low-level access to setting the pointer speed.
SET_PREFERRED_APPLICATIONS: This constant is deprecated. No longer useful, see addPackageToPreferred(String) for details.
SET_PROCESS_LIMIT: Allows an application to set the maximum number of (not needed) application processes that can be running.
SET_TIME: Allows applications to set the system time
SET_TIME_ZONE: Allows applications to set the system time zone
SET_WALLPAPER: Allows applications to set the wallpaper
SET_WALLPAPER_HINTS: Allows applications to set the wallpaper hints
SIGNAL_PERSISTENT_PROCESSES: Allow an application to request that a signal be sent to all persistent processes
STATUS_BAR: Allows an application to open, close, or disable the status bar and its icons.
SUBSCRIBED_FEEDS_READ: Allows an application to allow access the subscribed feeds ContentProvider.
SUBSCRIBED_FEEDS_WRITE
SYSTEM_ALERT_WINDOW: Allows an application to open windows using the type TYPE_SYSTEM_ALERT, shown on top of all other applications.
UPDATE_DEVICE_STATS: Allows an application to update device statistics.
USE_CREDENTIALS: Allows an application to request authtokens from the AccountManager
USE_SIP: Allows an application to use SIP service
VIBRATE: Allows access to the vibrator
WAKE_LOCK: Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming
WRITE_APN_SETTINGS: Allows applications to write the apn settings
WRITE_CALENDAR: Allows an application to write (but not read) the user's calendar data.
WRITE_CONTACTS: Allows an application to write (but not read) the user's contacts data.
WRITE_EXTERNAL_STORAGE: Allows an application to write to external storage
WRITE_GSERVICES: Allows an application to modify the Google service map.
WRITE_HISTORY_BOOKMARKS: Allows an application to write (but not read) the user's browsing history and bookmarks.
WRITE_PROFILE: Allows an application to write (but not read) the user's personal profile data.
WRITE_SECURE_SETTINGS: Allows an application to read or write the secure system settings.
WRITE_SETTINGS: Allows an application to read or write the system settings.
WRITE_SMS: Allows an application to write SMS messages.
WRITE_SOCIAL_STREAM: Allows an application to write (but not read) the user's social stream data.
WRITE_SYNC_SETTINGS: Allows applications to write the sync settings

Controllo dei permessi

All'interno del file Manifest.xml dichiaro i permessi di cui ho bisogno

    <uses-permission android:name="string" />

Controllo statico dei permessi

Dichiarazione permessi necessari

    <activity android:name=".GetPasswordActivity"
      android:permission="com.yourapp.GET_PASSWORD_FROM_USER" … >
    </activity>
    <service android:name=".UserAuthenticatorService"
      android:permission="com.yourapp.AUTHENTICATE_USER" … >
    </service>
    <provider android:name=".EnterpriseDataProvider"
      android:readPermission="com.yourapp.READ_ENTERPRISE_DATA"
      android:writePermission="com.yourapp.WRITE_ENTERPRISE_DATA" … >
    </provider>

Definizione nuovo permesso

    <permission android:name="com.yourapp.PERMISSION"
    android:protectionLevel="signature"
    android:label="@string/permission_label"
    android:description="@string/permission_desc">
    </permission>

Enforcing dinamico: esempio

Vogliamo scrivere una applicazione che fa vibrare il telefono quando un conoscente è a me vicino. Abbiamo bisogno dei permessi:

ACCESS_FINE_LOCATION: per accedere alla posizione GPS
INTERNET: per trovare e comunicare mia posizione
VIBRATE: per poter fare vibrare il telefono

    <uses-permission android:name="android.permission.VIBRATE" />

Classe Vibrator Doc e Src

Enforcing dinamico: esempio (cont)

Nel nostro programma useremo

mVibrator = (Vibrator)getSystemService(Context.VIBRATOR_SERVICE);
...
mVibrator.vibrate(new long[]{ 0, 200, 0 }, 0);

Nel codice del servizio

    public void vibrate(long milliseconds, IBinder token) {
      if (mContext.checkCallingOrSelfPermission(
                          android.Manifest.permission.VIBRATE)
          != PackageManager.PERMISSION_GRANTED)
            throw new SecurityException( "Requires VIBRATE permission");
    }

Controllo dinamico dei permessi

Permessi... file sul target

Dal file packages.xml (in /data/system/)

    <package name="com.readability" codePath="/data/app/com.readability-1.apk" nativeLibraryPath="/data/data/com.readability/lib" flags="0" ft="136de965d50">
    <sigs count="1">                                                                                                   
      <cert index="6" key="308201bd30820126a00302010202044ea974a6300d06092a864886f70d01010505003023310b300906035504061302555331143012060355040a130b5265616461626"/>
    </sigs>                                                                  
    <perms>                                                                                                                 
      <item name="android.permission.INTERNET" />                                                       
      <item name="android.permission.ACCESS_NETWORK_STATE" />                         
      <item name="android.permission.WRITE_EXTERNAL_STORAGE" />                                                                     
    </perms>                                                                                                 
    </package>

Permessi e GID

Guardiamo il file /etc/permissions/platform.xml

    <permission name="android.permission.INTERNET" >       
        <group gid="inet" />                                        
    </permission>

Sotto Android non ci sono file /etc/passwd o /etc/groups e quindi gli ID sono hardcoded src

    #define AID_INET          3003  /* can create AF_INET and AF_INET6 sockets */
 
    static const struct android_id_info android_ids[] = {
        { "root",      AID_ROOT, },
    ...
        { "inet",      AID_INET, },
    ...
    };

MultiUser

In Android 4.2 è stato aggiunto supporto per multiutenza.

Ad ogni utente viene assegnato un identificativo: 0,10,11,12

I processi assumono dei PID ottenuti per concatenazione:

u0_a3 → 10003
u0_a4 → 10004
…
u10_a3 → 1010003
u10_a4 → 1010004
…
u11_a3 → 1110003
u11_a4 → 1110004

Garantire l'origine di una applicazione

Le applicazioni devono essere firmate per potere essere installate

ma non viene richiesto l'uso di una CA: chiavi self signed

A cosa servono?

per garantire update

Attacchi

root exploit
social engineering
privilege escalation
combo privileges
- shared uid

Root exploit

Non è previsto che una applicazione (non di sistema) abbia diritti di root

bypasserebbe qualunque controllo permessi

Esistono diversi exploit

exploid
- baco in udev (init/ueventd)
rageagainstthecage
- race condition in adbd
softbreak/gingerbreak
- buffer overrun in vold

Privilege Escalation

Un componente riesce (indirettamente) a chiamare un componente protetto da un permesso che non ha

Shared UID

Non è vero che per forza ogni applicazione ha UID univoco

E' possibile condividerlo per applicazioni firmate con la stessa chiave

    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
      ...
      android:sharedUserId="string"
      android:sharedUserLabel="string resource" 
      ... >
    ...
    </manifest>

Possibile scenario: shared ID

Il developer CB sviluppa due applicazioni:

gestore BikeMi
- richiede tra gli altri permessi full internet

generatore di password (SuperGen?)
- NON richiede permessi di rete e quindi penso di potermi fidare

Singolarmente le due applicazioni mi sembrano ragionevoli, ma combinate insieme?

Altro?

sblocco del telefono (PIN?, PASSWORD?, Path?, Sorriso?)
se qualcuno compromette il vostro account google, può installare remotamente applicazioni
Side loading e google app verification service

Risorse

Google

Marko Gargenta, Android Security Underpinnings - Slide e video
Official pages on Security Overview and Security and Permissions
Privilege Escalation Attacks on Android PDF
Google Android: A Comprehensive Security Assessment PDF