Designing Security-Aware Android Applications for the Enterprise
Jean-Pierre Seifert
TU Berlin & Deutsche Telekom Laboratories, Berlin, Germany
jpseifert@sec.t-labs.tu-berlin.de
Agenda


1.   Introduction
2.   Some reasons for Access Control in Phones
        mTAN, Signalling based attacks, Premium Rate SMS
        Trojan, WAC Operator Billing
3.   Access Control in Android
4.   The MILS/Separation Kernel approach for Android
     phones
        SECT ad for L4Android (SiMKo3)
5.   Q&A


                       Deutsche Telekom Laboratories   17.06.2011   2
Introduction
Cell Phone Security


   A cellular phone is only one part of a much larger system
        Other parts of the system are even more complex
        Historically, both network and devices were closed (started to open)
        Provided some level of protection

   17.5% of American homes had only wireless telephones in
    year 2008.
        What about Europe?
        Myself I only have one single phone – a cell phone

   What happens to the network and devices when interfaces
    open?

   What happens when we start relying on cell phones for
    general computing needs?
Cellphone OS Security vs. OS Security


   Why is cellphone OS security different than ordinary OS security?

        Connected to critical infrastructure - warnings of phone botnets
        Connected to people - attacks can cross into the physical world

   Multiple Stakeholders - there is a lot of money at risk
   Network provider, OEM, enterprise, 3rd-party app developer, content
    owner, end user, etc.
   Who has control?
   Who is the adversary?

   Specific usage scenarios
      Always with you
      Only want to carry one
       (for business and personal)
Cellular Networks

   Cellular networks are complex systems made up of many components and
    defined by thousands of pages of standards documents
      3GPP aka GSM, and 3GPP2 aka CDMA ... leads to alphabet soup


   There are many non-security concerns (most of them are non-security)
      Interconnectivity with “landline” phone network
      Efficient radio spectrum deployment
      Maximizing number of active of subscribers
      Low latency call-setup and in-call
      Mobility and roaming (which tower?)
      Handset power consumption (sleep periods)
      Customer databases and billing mechanisms
      and many more ...




Stakeholders


   A cellphone stakeholder is an entity with valued interests in
    proper phone functioning and something to lose from
    malfeasance.
      Variety of stakeholders, and each has its own goals and
       concerns

   A stakeholder can be identified by its presence on a phone
     1. Provides a means of communication with the outside
       world
     2. Uses the handset to deliver information
       (e.g., news, music, etc.)
     3. Provides software or hardware to facilitate 1 and 2
     4. An end user of the phone

Basic Phone Architecture

   The hardware and software configuration dictates what sorts of
    policy are possible.
   Each phone has implementation specific details, but some general
    trends
   Application processor and Baseband processors (most often single
    chip)
       Separate firmwares and execution environments
   Example Chips (SoC) -- often bundle hardware features like GPS,
    bluetooth, etc.
       Qualcomm Mobile Station Modem (MSM 7x, e.g., MSM 7201a) -
        single chip
       TI Open Multimedia Application Platform (OMAP 1xxxx, OMAP
        3xxxx) - only app
       Broadcom baseband processors (e.g., ML2011)
       Marvell (PXA series)


Some reasons for Access Control in
Phones
Example: mTAN – mobile TAN


   TAN → Transaction Authentication Number
    – secure online banking

   mTAN generated individually for each transaction
     – mTAN sent via text SMS
    – Limited life time
    – Includes: destination account and amount
       (with these values customer can verify his transaction)

   Example:
       Die mobileTAN für Ihre Überweisung über 11123,45 Euro auf das Konto
       123456789 lautet: 73KXCM
       (English: The mobile TAN for your transfer of 11123.45 euros to account
       123456789 is: 73KXCM)



Example: mTAN – mobile TAN




Attacks against mTAN


   Prerequisite
    – Attacker has the credentials for the victim's online banking
    account

   Attacker's goal
    – Successfully complete online bank transfer from victim's
    account to attacker account

   Requirement
    – Attacker needs to get mTAN from the user's phone
      (remember the mTAN is sent via text SMS)

Man-in-the-Mobile Attack against mTAN


   Attacker installs malware on victim's phone
     – Malware reads and forwards mTAN SMS to attacker

   This is easy since:
    – All mobile OSes provide an API to read incoming SMS
        • Users always grant all capability requests!
     – Malware just registers for, reads and forwards SMS messages

   Already happening in the field!
    – ZITMO (Symbian & Windows Mobile)


Example: Eavesdropping on SMS Traffic


   Attacker needs to be close to victim
    – Unlikely but possible

   GSM can be easily recorded and decoded (A5/1 and A5/2)
    – Public research available including ready to use tools

   Femtocell based attacks can “sniff” 3G traffic
     – SecT lab setup → non public yet
     – Will be easy to reproduce once published




Example: Cellular Signaling



   Signaling traffic generated by the Mobile Equipment (ME) is sent to the
    MSC and HLR in case of voice calls, SMS, and updating account
    settings (such as call-forwarding).
   Packet-data related signaling is mainly directed towards the SGSN, the
    GGSN, and of course the HLR.

   Packet Data Protocol (PDP) connection setup is a complex process.
       When ME wishes to establish a PDP context it sends a GPRS-attach
        message to the SGSN.
       The SGSN authenticates the ME using the HLR.
       Next, the PDP context is established and stored at the SGSN and GGSN.
       This includes records and parameters for billing, quality of service
        information, and the IP address assigned to the specific PDP context.
       Maintenance and distribution of the PDP context information across the
        different network components is a costly process as it involves many
        components across the cellular network.
Example: Cellular Signaling Threats

   Fast PDP context activation and de-activation lead to high network load
    on the GGSN and SGSN infrastructure of cellular network operators.

   This is performed by either malicious applications or badly configured
    mobile phones.

   This is possible because on smartphone platforms such as Android any
    application has access to the network configuration and thus is able to
    change the packet-data and APN settings.

   On Android it is possible to force a PDP context change every 2
    seconds. This will result in roughly 43,200 PDP activations per day (24
    hours).
       If it is installed on enough devices, a rogue application can easily carry out
        a Denial-of-Service attack against an operator’s packet-data infrastructure.

    GSMA. Network Efficiency Threats v0.4a, May 2010.
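The 2-second activation cycle above is also a detection opportunity on the operator side. The following added example (not from the slides or the GSMA document) computes the slide's per-day figure and flags subscribers whose PDP activation rate over a sliding window is implausible for a normal device; the event line format and the subscriber ids are constructed, not a real SGSN log format.

```python
"""Rate-based detection of PDP context churn (added defender-side example).
The event line format and the subscriber ids are constructed; they are not a
real SGSN log format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def churn_per_day(period_seconds: float) -> int:
    """Activations per 24 h if a context is re-established every period."""
    return int(24 * 3600 / period_seconds)  # 2 s gives 43200, as on the slide


def parse_event(line: str) -> Tuple[datetime, str, str]:
    # constructed format: "<ISO timestamp> sub=<id> <PDP_ACTIVATE|PDP_DEACTIVATE>"
    ts, sub, event = line.split()[:3]
    return datetime.fromisoformat(ts), sub.split("=", 1)[1], event


def flag_churn(lines: List[str], window_s: int = 60,
               max_activations: int = 30) -> Dict[str, int]:
    """Sliding-window count of PDP activations per subscriber; returns the
    peak in-window count for every subscriber that exceeded max_activations."""
    windows: Dict[str, deque] = defaultdict(deque)
    peaks: Dict[str, int] = {}
    for line in sorted(lines):  # ISO timestamps of equal length sort lexically
        ts, sub, event = parse_event(line)
        if event != "PDP_ACTIVATE":
            continue  # de-activations are not counted, only re-establishment
        q = windows[sub]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop activations that fell out of the window
        if len(q) > max_activations:
            peaks[sub] = max(peaks.get(sub, 0), len(q))
    return peaks


def build_sample() -> List[str]:
    """Constructed events: subscriber A behaves normally, subscriber B
    re-creates its PDP context every 2 seconds for two minutes."""
    t0 = datetime(2011, 6, 17, 10, 0, 0)
    lines = []
    for offset in (0, 600, 3000):  # a normal device: three contexts in an hour
        lines.append(f"{(t0 + timedelta(seconds=offset)).isoformat()} sub=A PDP_ACTIVATE")
    for k in range(60):  # the churning device
        t = t0 + timedelta(seconds=2 * k)
        lines.append(f"{t.isoformat()} sub=B PDP_ACTIVATE")
        lines.append(f"{(t + timedelta(seconds=1)).isoformat()} sub=B PDP_DEACTIVATE")
    return lines


if __name__ == "__main__":
    print("activations/day at a 2 s cycle:", churn_per_day(2))
    print("flagged subscribers:", flag_churn(build_sample()))
```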
Example: Premium Rate SMS Trojans


   Fraud caused by SMS Trojans such as FakePlayer-A is a
    long standing problem in the mobile phone world
       Costing consumers a considerable amount of money every year.

   This kind of fraud is possible since on modern smartphones
    any application has access to the cellular API and is thus
    able to send SMS messages.
       Same problem applies to voice calls to premium numbers.

   Trojan-SMS.AndroidOS.FakePlayer-A.
        http://www.fortiguard.com/encyclopedia/virus/android_fakeplayer.a!tr.html, August 2010.



Example: WAC Operator Billing




   [Figure: Pay via Operator bill]

 •   WAC allows to bill consumers buying virtual and digital content
     quickly, easily and safely using their mobile phone number
 •   It is available for Websites, mobile Apps and Widgets running on
     Mobiles, Tablets, PCs or even TVs.
WAC is an alliance of some of the biggest
companies in the mobile industry.

WAC Board of Directors

Board Observers: Accenture, Ericsson, Huawei, Intel, Nokia, Qualcomm, Samsung
Operator Members: America Movil, Bell Mobility, China Unicom, Hutchison 3 group,
  KDDI, LG UPlus, MTS, Orascom, Rogers, SFR, Vimpelcom
Sponsor Members: Fujitsu, IBM, NEC
Associate Members: Aepona, Alcatel Lucent, ASPire-tech, Borqs, Cambertech Inc,
  Capgemini, Eyeline, GD, HP, HTC, IMImobile, Incross Co., Infraware, KT Innotz,
  LG Electronics, Limo Foundation, Neustar, NTT Data, Obigo, Opera, Oracle,
  Panasonic, RIM, Sandisk, SAP, Sharp, Sony Ericsson, WiPro, ZTE
WAC has two focus areas.
Network APIs and Operator Billing to be focus.

WAC Widget Runtime
•   Increase the overall market for mobile applications
•   Encourage open standardized technologies
•   Enable distribution of WAC widgets through multiple channels

Operator Network API Focus
•   Exposure of valuable operator network capabilities to the developer
•   Allowing developers to enhance their applications
•   Reducing technical and commercial complexity by offering APIs in a
    unified, technology agnostic way
•   Operator Billing is the first API
    Web: www.wacapps.net/payment-api
    YouTube: http://bit.ly/nObOd2
Using the WAC solution subscribers can pay for
content securely with just a few clicks on the
mobile.




Non-mobile devices can also be addressed with
convenient mobile TAN approach.




  Illustrative payment flow shown on mobile device – however this applies
  for other devices as well, e.g. Tablets or Desktops



Access Control in Android
Android

   One of the most anticipated smartphone operating
    systems -- led by Google
      Complete software stack
      Open source (Apache v2 license) ... mostly


   Open Handset Alliance
     ... 30+ industrial partners
      Google, T-Mobile, Sprint, HTC, LG, Motorola,
       Samsung, Broadcom, Intel, NVIDIA,
       Qualcomm, …

Android Phones

   An Android phone contains a number of
    “applications”
        Android comes installed with a
         number of basic systems tools, e.g.,
         dialer, address book, etc.
        Developers use the Android API to
         construct applications.

   All apps are written in Java and executed
    within a custom Java virtual machine.
        Each application package is contained
         in a jar file (.apk)

   Applications are installed by the user
       No “app store” required, just build
        and go.
       Open access to data and voice
        services
Security Enforcement

   Android protects applications at the system level and at the Inter-component
    communication (ICC) level.

   Each application runs as a unique user identity, which lets Android limit
    the potential damage of programming flaws.




Security Enforcement

•   Core idea of Android security enforcement
    • label assignment to applications and components


•   A reference monitor provides mandatory access control
    (MAC) enforcement of how applications access
    components.

•   Access to each component is restricted by assigning it an
    access permission label; applications are assigned
    collections of permission labels.

•   When a component initiates ICC, the reference monitor
    looks at the permission labels assigned to its containing
    application and
    •   if the target component’s access permission label is in that
        collection, allows ICC establishment to proceed.
Access permission logic




  The Android middleware implements a reference monitor
  providing mandatory access control (MAC) enforcement
  about how applications access components.
  The basic enforcement model is the same for all component
  types. Component A’s ability to access components B and C
  is determined by comparing the access permission labels on
  B and C to the collection of labels assigned to application 1.



Enforcement Conclusion

   Assigning permission labels to an application
    specifies its protection domain.
   Assigning permissions to the components in an
    application specifies an access policy to protect its
    resources.

   Android’s policy enforcement is mandatory, all
    permission labels are set at install time and can’t
    change until the application is reinstalled.
   Android’s permission label model only restricts
    access to components and doesn’t currently
    provide information flow guarantees.

Security Refinements --- Public vs. Private Components
   Applications often contain components that another
    application should never access.
      For example, a component related to password
       storage. The solution is to define a private component.

   This significantly reduces the attack surface for many
    applications.




Security Refinements --- Protected APIs


   Not all system resources (for example, network) are
    accessed through components — instead, Android
    provides direct API access.

   Android protects these sensitive APIs with additional
    permission label checks:
      an application must declare a corresponding
       permission label in its manifest file to use them.




Security Refinements --- Permission
Protection Levels

   The permission protection levels provide a means of
    controlling how developers assign permission labels.

   Signature permissions ensure that only the
    framework developer can use the specific
    functionality (only Google applications can directly
    interface the telephony API, for example).




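To make the label logic of the preceding slides (reference monitor, private components, protected APIs, protection levels) concrete, here is an added toy model; it is not Android's code. It resolves labels once at install time, never lets another application reach a private component, guards a protected API with a label check, and grants a signature-level label only to packages signed with the declarer's certificate (the one real Android detail it relies on). All package names, certificate ids and the com.example.* labels are constructed.

```python
"""Toy model of the label-based reference monitor described on the slides.
Not Android's implementation: package names, certificate ids and the
'com.example.*' labels are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

NORMAL, DANGEROUS, SIGNATURE = "normal", "dangerous", "signature"


@dataclass
class Permission:
    name: str
    level: str
    declarer_cert: str  # signing certificate of the package that declared it


@dataclass
class Component:
    name: str
    access_label: Optional[str] = None  # None: no label required
    exported: bool = True               # False: private component


@dataclass
class Application:
    name: str
    cert: str
    requested: Set[str] = field(default_factory=set)
    components: Dict[str, Component] = field(default_factory=dict)
    granted: Set[str] = field(default_factory=set)  # fixed at install time


class ReferenceMonitor:
    def __init__(self) -> None:
        self.permissions: Dict[str, Permission] = {}
        self.apps: Dict[str, Application] = {}

    def declare(self, perm: Permission) -> None:
        self.permissions[perm.name] = perm

    def install(self, app: Application) -> None:
        """Resolve requested labels once, at install time. The policy is
        mandatory: the granted set cannot change until the app is reinstalled."""
        for label in app.requested:
            perm = self.permissions.get(label)
            if perm is None:
                continue  # unknown label: not granted
            if perm.level == SIGNATURE and perm.declarer_cert != app.cert:
                continue  # signature level: declarer's certificate required
            # 'dangerous' labels are shown to the user at install time; the
            # slides note that users grant them, so they count as granted here.
            app.granted.add(label)
        self.apps[app.name] = app

    def check_icc(self, caller: str, target: str, component: str) -> bool:
        """May a component of `caller` start ICC with `component` of `target`?"""
        comp = self.apps[target].components[component]
        if caller == target:
            return True  # components inside one application may talk freely
        if not comp.exported:
            return False  # private component: never reachable from outside
        if comp.access_label is None:
            return True
        return comp.access_label in self.apps[caller].granted

    def check_api(self, caller: str, api_label: str) -> bool:
        """Protected API (network, SMS, ...) guarded by a label check."""
        return api_label in self.apps[caller].granted


def build_example() -> ReferenceMonitor:
    """Constructed scenario: framework labels, a banking app with a private
    mTAN component, and a media player that requests everything it can."""
    rm = ReferenceMonitor()
    rm.declare(Permission("android.permission.INTERNET", NORMAL, "FW-CERT"))
    rm.declare(Permission("android.permission.RECEIVE_SMS", DANGEROUS, "FW-CERT"))
    rm.declare(Permission("com.example.fw.TELEPHONY_INTERNAL", SIGNATURE, "FW-CERT"))
    rm.declare(Permission("com.example.bank.PAY", SIGNATURE, "BANK-CERT"))

    bank = Application("bank", "BANK-CERT", {"android.permission.INTERNET"})
    bank.components["TanDisplay"] = Component("TanDisplay", exported=False)
    bank.components["PaymentService"] = Component(
        "PaymentService", access_label="com.example.bank.PAY")
    rm.install(bank)
    # a second package from the bank, signed with the same certificate
    rm.install(Application("bankwidget", "BANK-CERT", {"com.example.bank.PAY"}))
    rm.install(Application("mediaplayer", "MEDIA-CERT", {
        "android.permission.INTERNET", "android.permission.RECEIVE_SMS",
        "com.example.fw.TELEPHONY_INTERNAL", "com.example.bank.PAY"}))
    return rm


if __name__ == "__main__":
    rm = build_example()
    print("mediaplayer labels:", sorted(rm.apps["mediaplayer"].granted))
    print("mediaplayer -> bank.PaymentService:",
          rm.check_icc("mediaplayer", "bank", "PaymentService"))
```

The media player ends up with the SMS label (the slides' "users always grant all capability requests" point) but cannot reach the bank's components or the signature-protected telephony API.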
Lessons in Defining Policy


   Android security policy begins with a relatively easy-
    to-understand MAC enforcement model,
      but the number and subtlety of refinements make
       it difficult to discover an application’s policy.

   The label itself is merely a text string,
      but its assignment to an application provides
       access to potentially limitless resources.




MILS/Separation Kernel approach for Android
phones
SiMKo 3

Simplified overall SiMKo3 system architecture – MILS approach

[Architecture diagram; the labels recovered from the slide are listed per layer]
Open Compartment: Android on L4Linux + Google patches; Applications: Office,
  Adobe, Citrix, VMWare, Customer-App-Store; L4-Drv-Stubs: Video, PM, Net,
  Storage, Touch, Crypt
Secure Compartment: Secure Android on L4Linux + Google patches;
  Secure-Applications: Privacy Store, S/MIME, Dialer; PM-Drv, Video-Drv;
  L4-Drv-Stubs: Video, PM, Net, Storage, Touch, Crypt
Network Compartment: L4OpenBSD; Genua VPN, Firewall, BackOffice Connector;
  Network-Drv, Modem-Drv; L4-Drv-Stubs: Network, PM
Crypto Compartment: En-/Decrypter for S/MIME, Voice, SNS; SmartCard
Secure Environment: GUI, Video-Drv, Touch-Drv, OTA, Storage-Drive,
  En-/Decryption, SmartCard-Drv, PowerMgmnt-Drv
L4Re: IO, Memory
Microkernel
Boot-Loader, Key Storage
Hardware
Network hardening of SiMKo3




Modem Virtualization




Modem Virtualization




SoC of Galaxy S II




Early Prototypes




SiMKo3 is based upon the L4 micro-kernel and the Samsung Galaxy S II, and …




L4Android – www.l4android.org

•   L4Android is derived from the L4Linux project,
    which is developed at the Technische Universität
    Dresden.
•   L4Linux is a modified Linux kernel, which runs on
    top of the Fiasco.OC microkernel.
     • It is binary compatible with the normal Linux
       kernel.
•   L4Android combines both the L4Linux and Google
    modifications of the Linux kernel and thus enables
    us to run Android on top of a microkernel.



Thank you for your attention!

Agenda
1.   Introduction
2.   Three reasons for Access Control in SmartPhones
        mTAN, Signalling based attacks, Android Trojan(s)
3.   So? Access Control in three Linux based
     SmartPhones!
        LiMo, MeeGo, Android
4.   Problems with MAC for “responsible devices“
5.   The MILS/Separation Kernel approach for Android
     phones
        SECT ad for L4Android
6.   Conclusion
Questions?





Froyo to kit kat two years developing & maintaining deliradio
Droidcon Berlin
 
Droidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicro
Droidcon Berlin
 
Droidcon2013 commercialsuccess rannenberg
Droidcon2013 commercialsuccess rannenbergDroidcon2013 commercialsuccess rannenberg
Droidcon2013 commercialsuccess rannenberg
Droidcon Berlin
 
Droidcon2013 bootstrap luedeke
Droidcon2013 bootstrap luedekeDroidcon2013 bootstrap luedeke
Droidcon2013 bootstrap luedeke
Droidcon Berlin
 
Droidcon2013 app analytics_huber_1und1
Droidcon2013  app analytics_huber_1und1Droidcon2013  app analytics_huber_1und1
Droidcon2013 app analytics_huber_1und1
Droidcon Berlin
 

Mais de Droidcon Berlin (20)

Raspberry Pi
Raspberry PiRaspberry Pi
Raspberry Pi
 
Android industrial mobility
Android industrial mobility Android industrial mobility
Android industrial mobility
 
Details matter in ux
Details matter in uxDetails matter in ux
Details matter in ux
 
From sensor data_to_android_and_back
From sensor data_to_android_and_backFrom sensor data_to_android_and_back
From sensor data_to_android_and_back
 
droidparts
droidpartsdroidparts
droidparts
 
new_age_graphics_android_x86
new_age_graphics_android_x86new_age_graphics_android_x86
new_age_graphics_android_x86
 
5 tips of monetization
5 tips of monetization5 tips of monetization
5 tips of monetization
 
Testing and Building Android
Testing and Building AndroidTesting and Building Android
Testing and Building Android
 
Matchinguu droidcon presentation
Matchinguu droidcon presentationMatchinguu droidcon presentation
Matchinguu droidcon presentation
 
Cgm life sdk_droidcon_2014_v3
Cgm life sdk_droidcon_2014_v3Cgm life sdk_droidcon_2014_v3
Cgm life sdk_droidcon_2014_v3
 
The artofcalabash peterkrauss
The artofcalabash peterkraussThe artofcalabash peterkrauss
The artofcalabash peterkrauss
 
Raesch, gries droidcon 2014
Raesch, gries   droidcon 2014Raesch, gries   droidcon 2014
Raesch, gries droidcon 2014
 
Android open gl2_droidcon_2014
Android open gl2_droidcon_2014Android open gl2_droidcon_2014
Android open gl2_droidcon_2014
 
20140508 quantified self droidcon
20140508 quantified self droidcon20140508 quantified self droidcon
20140508 quantified self droidcon
 
Tuning android for low ram devices
Tuning android for low ram devicesTuning android for low ram devices
Tuning android for low ram devices
 
Froyo to kit kat two years developing & maintaining deliradio
Froyo to kit kat   two years developing & maintaining deliradioFroyo to kit kat   two years developing & maintaining deliradio
Froyo to kit kat two years developing & maintaining deliradio
 
Droidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicroDroidcon2013 security genes_trendmicro
Droidcon2013 security genes_trendmicro
 
Droidcon2013 commercialsuccess rannenberg
Droidcon2013 commercialsuccess rannenbergDroidcon2013 commercialsuccess rannenberg
Droidcon2013 commercialsuccess rannenberg
 
Droidcon2013 bootstrap luedeke
Droidcon2013 bootstrap luedekeDroidcon2013 bootstrap luedeke
Droidcon2013 bootstrap luedeke
 
Droidcon2013 app analytics_huber_1und1
Droidcon2013  app analytics_huber_1und1Droidcon2013  app analytics_huber_1und1
Droidcon2013 app analytics_huber_1und1
 

Último

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Último (20)

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

J.-P. Seifert; Security-Aware Android Applications for the Enterprise

  • 1. Designing Security-Aware Android Applications for the Enterprise
    Jean-Pierre Seifert
    TU Berlin & Deutsche Telekom Laboratories, Berlin, Germany
    jpseifert@sec.t-labs.tu-berlin.de
  • 2. Agenda
    1. Introduction
    2. Some reasons for Access Control in Phones
       – mTAN, Signalling based attacks, Premium Rate SMS Trojan, WAC Operator Billing
    3. Access Control in Android
    4. The MILS/Separation Kernel approach for Android phones
       – SECT ad for L4Android (SiMKo3)
    5. Q&A
    Deutsche Telekom Laboratories, 17.06.2011
  • 4. Cell Phone Security
    • A cellular phone is only one part of a much larger system
      – Other parts of the system are even more complex
      – Historically, both network and devices were closed (started to open)
      – Provided some level of protection
    • 17.5% of American homes had only wireless telephones in year 2008.
      – What about Europe?
      – Myself I only have one single phone – a cell phone
    • What happens to the network and devices when interfaces open?
    • What happens when we start relying on cell phones for general computing needs?
  • 5. Cellphone OS Security vs. OS Security
    • Why is cellphone OS security different than ordinary OS security?
      – Connected to critical infrastructure - warnings of phone botnets
      – Connected to people - attacks can cross into the physical world
    • Multiple stakeholders - there is a lot of money at risk
      – Network provider, OEM, enterprise, 3rd-party app developer, content owner, end user, etc.
      – Who has control?
      – Who is the adversary?
    • Specific usage scenarios
      – Always with you
      – Only want to carry one (for business and personal)
  • 6. Cellular Networks
    • Cellular networks are complex systems made up of many components and defined by thousands of pages of standards documents
      – 3GPP aka GSM, and 3GPP2 aka CDMA ... leads to alphabet soup
    • There are many non-security concerns (most of them are non-security)
      – Interconnectivity with “landline” phone network
      – Efficient radio spectrum deployment
      – Maximizing number of active subscribers
      – Low latency call-setup and in-call
      – Mobility and roaming (which tower?)
      – Handset power consumption (sleep periods)
      – Customer databases and billing mechanisms
      – and many more ...
  • 7. Stakeholders
    • A cellphone stakeholder is an entity with valued interests in proper phone functioning and something to lose from malfeasance.
    • Variety of stakeholders, and each has its own goals and concerns
    • A stakeholder can be identified by its presence on a phone
      1. Provides a means of communication with the outside world
      2. Uses the handset to deliver information (e.g., news, music, etc.)
      3. Provides software or hardware to facilitate 1 and 2
      4. An end user of the phone
  • 8. Basic Phone Architecture
    • The hardware and software configuration dictates what sorts of policy are possible.
    • Each phone has implementation specific details, but some general trends
      – Application processor and baseband processor (most often a single chip)
      – Separate firmwares and execution environments
    • Example chips (SoC) -- often bundle hardware features like GPS, Bluetooth, etc.
      – Qualcomm Mobile Station Modem (MSM 7x, e.g., MSM 7201a) - single chip
      – TI Open Multimedia Application Platform (OMAP 1xxxx, OMAP 3xxxx) - only app
      – Broadcom baseband processors (e.g., ML2011)
      – Marvell (PXA series)
  • 9. Some reasons for Access Control in Phones
  • 10. Example: mTAN – mobile TAN
    • TAN → Transaction Authentication Number – secure online banking
    • mTAN generated individually for each transaction
      – mTAN sent via text SMS
      – Limited life time
      – Includes: destination account and amount (with these values the customer can verify his transaction)
    • Example: Die mobileTAN für Ihre Überweisung über 11123,45 Euro auf das Konto 123456789 lautet: 73KXCM
      (English: The mobileTAN for your transfer of 11123,45 Euro to account 123456789 is: 73KXCM)
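The slide's point is that the SMS binds the TAN to a destination account and an amount, so the recipient can confirm the bank is about to execute the transfer that was actually entered. The following added example (not part of the deck, and not the code of any bank) turns that check into a small parser and comparison; the message layout is assumed to be exactly the one shown on the slide, with German number formatting, and the sample message is a constructed one.

```python
import re
from decimal import Decimal

# Constructed sample in the layout shown on slide 10 (not a message from a real bank).
SAMPLE_MTAN_SMS = ("Die mobileTAN für Ihre Überweisung über 11123,45 Euro "
                   "auf das Konto 123456789 lautet: 73KXCM")

# Assumed layout: "... über <amount> Euro auf das Konto <account> lautet: <TAN>".
# German number format: "." as thousands separator, "," as decimal separator.
MTAN_PATTERN = re.compile(
    r"über\s+(?P<amount>[\d.]+,\d{2})\s+Euro\s+auf das Konto\s+"
    r"(?P<account>\d+)\s+lautet:\s*(?P<tan>[A-Z0-9]+)"
)


def parse_mtan_sms(text):
    """Extract amount (as Decimal), destination account and TAN from an mTAN SMS.

    Returns None when the text does not match the expected layout, so a caller
    never treats an unrelated or malformed message as carrying a valid TAN.
    """
    match = MTAN_PATTERN.search(text)
    if match is None:
        return None
    amount = Decimal(match.group("amount").replace(".", "").replace(",", "."))
    return {"amount": amount, "account": match.group("account"), "tan": match.group("tan")}


def verify_mtan(text, intended_account, intended_amount):
    """Check that the TAN is bound to the transfer the user actually entered.

    Returns (True, tan) when account and amount match, otherwise (False, reason).
    A mismatch means the bank is about to execute a different transaction than
    the one entered, so the TAN must not be typed into the banking session.
    """
    parsed = parse_mtan_sms(text)
    if parsed is None:
        return False, "unrecognised message layout"
    if parsed["account"] != intended_account:
        return False, f"destination account mismatch: SMS names {parsed['account']}"
    if parsed["amount"] != Decimal(intended_amount):
        return False, f"amount mismatch: SMS names {parsed['amount']} Euro"
    return True, parsed["tan"]


if __name__ == "__main__":
    print(verify_mtan(SAMPLE_MTAN_SMS, "123456789", "11123.45"))  # (True, '73KXCM')
    print(verify_mtan(SAMPLE_MTAN_SMS, "999999999", "11123.45"))
```

The amount is compared as a `Decimal` rather than a float so that "11123,45" and "11123.45" compare exactly; a parser that silently accepted a float rounding difference would defeat the purpose of the check.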
  • 11. Example: mTAN – mobile TAN
  • 12. Attacks against mTAN
    • Prerequisite
      – Attacker has the credentials for the victim's online banking account
    • Attacker's goal
      – Successfully complete online bank transfer from victim's account to attacker account
    • Requirement
      – Attacker needs to get mTAN from the user's phone (remember mTAN is sent via text SMS)
  • 13. Man-in-the-Mobile Attack against mTAN
    • Attacker installs malware on victim's phone
      – Malware reads and forwards mTAN SMS to attacker
    • This is easy since:
      – All mobile OSes provide an API to read incoming SMS
        • Users always grant all capability requests!
      – Malware just registers, reads and forwards SMS messages
    • Already happening in the field!
      – ZITMO (Symbian & Windows Mobile)
  • 14. Example: Eavesdropping on SMS Traffic
    • Attacker needs to be close to victim
      – Unlikely but possible
    • GSM can be easily recorded and decoded (A5/1 and A5/2)
      – Public research available including ready to use tools
    • Femtocell based attacks can “sniff” 3G traffic
      – SecT lab setup → non public yet
      – Will be easy to reproduce once published
  • 15. Example: Cellular Signaling
    • Signaling traffic generated by the Mobile Equipment (ME) is sent to the MSC and HLR in case of voice calls, SMS, and updating account settings (such as call-forwarding).
    • Packet data related signaling is mainly directed towards the SGSN, the GGSN, and of course the HLR.
    • Packet Data Protocol (PDP) connection setup is a complex process.
    • When the ME wishes to establish a PDP context it sends a GPRS-attach message to the SGSN.
    • The SGSN authenticates the ME using the HLR.
    • Next, the PDP context is established and stored at the SGSN and GGSN.
    • This includes records and parameters for billing, quality of service information, and the IP address assigned to the specific PDP context.
    • Maintenance and distribution of the PDP context information across the different network components is a costly process as it involves many components across the cellular network.
  • 16. Example: Cellular Signaling Threats
    • Fast PDP context activation and de-activation lead to high network load on the GGSN and SGSN infrastructure of cellular network operators.
    • This is performed by either malicious applications or badly configured mobile phones.
    • This is possible because on smartphone platforms such as Android any application has access to the network configuration and thus is able to change the packet-data and APN settings.
    • On Android it is possible to force a PDP context change every 2 seconds. This will result in roughly 43,200 PDP activations per day (24 hours).
    • If it is installed on enough devices, a rogue application can easily carry out a Denial-of-Service attack against an operator’s packet-data infrastructure.
    GSMA. Network Efficiency Threats v0.4a, May 2010.
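From the operator's side the signalling threat on slides 15 and 16 shows up as an abnormal rate of PDP context activations per subscriber. The added example below (my own illustration, not code from the deck, the GSMA document or any operator system) runs a sliding-window detector over a constructed SGSN-style event log in which one subscriber flips its PDP context every 2 seconds as the slide describes, and one behaves normally. The log format, the subscriber identifiers, the 60-second window and the threshold of 10 activations are all assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed detection window
THRESHOLD = 10                   # assumed: more activations than this per window per subscriber is a storm


def build_sample_log():
    """Constructed SGSN-style PDP event log (not real operator data).

    IMSI-A activates and deactivates its PDP context every 2 s for two minutes,
    as described on slide 16; IMSI-B attaches three times at a normal pace.
    Line layout: "<ISO timestamp> <subscriber id> <event>".
    """
    t0 = datetime(2011, 6, 17, 10, 0, 0)
    lines = []
    for i in range(60):
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} IMSI-A PDP_ACTIVATE")
        lines.append(f"{(t0 + timedelta(seconds=2 * i + 1)).isoformat()} IMSI-A PDP_DEACTIVATE")
    for i in range(3):
        lines.append(f"{(t0 + timedelta(seconds=40 * i)).isoformat()} IMSI-B PDP_ACTIVATE")
    lines.sort()  # timestamps share one format, so lexical order is chronological
    return lines


def parse_event(line):
    ts, subscriber, event = line.split()
    return datetime.fromisoformat(ts), subscriber, event


def detect_pdp_storms(lines, window=WINDOW, threshold=THRESHOLD):
    """Count PDP_ACTIVATE events per subscriber in a sliding time window.

    Returns {subscriber: peak_activations_in_window} for every subscriber whose
    activation count in some window exceeded the threshold; well-behaved devices
    do not appear in the result.
    """
    recent = defaultdict(deque)  # subscriber -> timestamps of activations still inside the window
    peak = {}
    for line in lines:
        ts, subscriber, event = parse_event(line)
        if event != "PDP_ACTIVATE":
            continue  # deactivations are not counted; only (re)activations load SGSN/GGSN
        q = recent[subscriber]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # drop activations that fell out of the window
        if len(q) > threshold:
            peak[subscriber] = max(peak.get(subscriber, 0), len(q))
    return peak


def projected_daily_activations(interval_seconds):
    """Slide 16's arithmetic: one activation every `interval_seconds` for 24 hours."""
    return 86400 // interval_seconds


if __name__ == "__main__":
    print(detect_pdp_storms(build_sample_log()))     # {'IMSI-A': 31}
    print(projected_daily_activations(2))            # 43200
```

With a 2-second cadence, 31 activations fall into any 60-second window, so IMSI-A is reported while IMSI-B (three activations 40 seconds apart) is not. In a real deployment the threshold would be calibrated against the operator's baseline and the subscriber identifier would come from the SGSN's own logging.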
  • 17. Example: Premium Rate SMS Trojans
    • Fraud caused by SMS Trojans such as FakePlayer-A is a long standing problem in the mobile phone world
    • Costing consumers a considerable amount of money every year.
    • This kind of fraud is possible since on modern smartphones any application has access to the cellular API and is thus able to send SMS messages.
    • Same problem applies to voice calls to premium numbers.
    Trojan-SMS.AndroidOS.FakePlayer-A. http://www.fortiguard.com/encyclopedia/virus/android_fakeplayer.a!tr.html, August 2010.
  • 18. Example: WAC Operator Billing
    Pay via Operator bill
    • WAC allows to bill consumers buying virtual and digital content quickly, easily and safely using their mobile phone number
    • It is available for Websites, mobile Apps and Widgets running on Mobiles, Tablets, PCs or even TVs.
  • 19. WAC is an alliance of some of the biggest companies in the mobile industry.
    The slide lists the WAC Board of Directors, Operator Board Members, Observers, Sponsor Members and Associate Members (the column layout is not recoverable from the extracted text): Accenture America Movil Fujitsu Aepona Limo Foundation Ericsson Bell Mobility IBM Alcatel Lucent Neustar Huawei China Unicom NEC ASPire-tech NTT Data Intel Hutchison 3 group Borqs Obigo Nokia KDDI Cambertech Inc Opera Qualcomm LG UPlus Capgemini Oracle Samsung MTS Eyeline Panasonic Orascom GD RIM Rogers HP Sandisk SFR HTC SAP Vimpelcom IMImobile Sharp Incross Co. Sony Ericsson Infraware WiPro KT Innotz ZTE LG Electronics
  • 20. WAC has two focus areas. Network APIs and Operator Billing to be focus.
    WAC Widget Runtime (Focus):
    • Increase the overall market for mobile applications
    • Encourage open standardized technologies
    • Enable distribution of WAC widgets through multiple channels
    Operator Network APIs (Focus):
    • Exposure of valuable operator network capabilities to the developer
    • Allowing developers to enhance their applications
    • Reducing technical and commercial complexity by offering APIs in a unified, technology agnostic way
    • Operator Billing is the first API
    Web: www.wacapps.net/payment-api  YouTube: http://bit.ly/nObOd2
  • 21. Using the WAC solution subscribers can pay for content securely with just a few clicks on the mobile.
  • 22. Non-mobile devices can also be addressed with the convenient mobile TAN approach.
    Illustrative payment flow shown on mobile device – however this applies for other devices as well, e.g. Tablets or Desktops
  • 23. Access Control in Android
  • 24. Android
    • One of the most anticipated smartphone operating systems -- led by Google
    • Complete software stack
    • Open source (Apache v2 license) ... mostly
    • Open Handset Alliance
      – ... 30+ industrial partners
      – Google, T-Mobile, Sprint, HTC, LG, Motorola, Samsung, Broadcom, Intel, NVIDIA, Qualcomm, ...
  • 25. Android Phones
    • An Android phone contains a number of “applications”
      – Android comes installed with a number of basic system tools, e.g., dialer, address book, etc.
    • Developers use the Android API to construct applications.
      – All apps are written in Java and executed within a custom Java virtual machine.
      – Each application package is contained in a jar file (.apk)
    • Applications are installed by the user
      – No “app store” required, just build and go.
    • Open access to data and voice services
  • 26. Security Enforcement
    • Android protects applications at the system level and at the inter-component communication (ICC) level.
    • Each application runs as a unique user identity, which lets Android limit the potential damage of programming flaws.
  • 27. Security Enforcement
    • Core idea of Android security enforcement
      – label assignment to applications and components
    • A reference monitor provides mandatory access control (MAC) enforcement of how applications access components.
    • Access to each component is restricted by assigning it an access permission label; applications are assigned collections of permission labels.
    • When a component initiates ICC, the reference monitor looks at the permission labels assigned to its containing application and, if the target component’s access permission label is in that collection, allows ICC establishment to proceed.
  • 28. Access permission logic
    The Android middleware implements a reference monitor providing mandatory access control (MAC) enforcement of how applications access components. The basic enforcement model is the same for all component types. Component A’s ability to access components B and C is determined by comparing the access permission labels on B and C to the collection of labels assigned to application 1.
  • 29. Enforcement Conclusion
    • Assigning permission labels to an application specifies its protection domain.
    • Assigning permissions to the components in an application specifies an access policy to protect its resources.
    • Android’s policy enforcement is mandatory: all permission labels are set at install time and can’t change until the application is reinstalled.
    • Android’s permission label model only restricts access to components and doesn’t currently provide information flow guarantees.
  • 30. Security Refinements --- Public vs. Private Components
    • Applications often contain components that another application should never access.
    • For example, a component related to password storing. The solution is to define a private component.
    • This significantly reduces the attack surface for many applications.
  • 31. Security Refinements --- Protected APIs
    • Not all system resources (for example, network) are accessed through components — instead, Android provides direct API access.
    • Android protects these sensitive APIs with additional permission label checks:
      – an application must declare a corresponding permission label in its manifest file to use them.
  • 32. Security Refinements --- Permission Protection Levels
    • The permission protection levels provide a means of controlling how developers assign permission labels.
    • Signature permissions ensure that only the framework developer can use the specific functionality (only Google applications can directly interface the telephony API, for example).
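Slides 27 to 32 describe one enforcement model with three refinements: labels granted at install time, private (non-exported) components, protected APIs, and signature protection levels. The added example below is my own executable model of that logic, not Android's implementation and not code from the deck. It builds a constructed scenario with a banking app and a third-party game; the permission names `INTERNET`, `SEND_SMS` and `MODIFY_PHONE_STATE` are real Android labels, but the protection levels assigned to them here, the custom `com.example.bank.TRANSFER` label, the signer ids and the API names are simplifying assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class Permission:
    name: str
    level: str        # "normal", "dangerous" or "signature" (simplified set of levels)
    declared_by: str  # signing key id of the package that declared the label


@dataclass(frozen=True)
class App:
    name: str
    signer: str
    granted: FrozenSet[str]  # label collection, fixed at install time (slide 29)


@dataclass(frozen=True)
class Component:
    name: str
    owner: str                        # application containing the component
    exported: bool = True             # False = private component (slide 30)
    permission: Optional[str] = None  # access permission label; None = unprotected


class ReferenceMonitor:
    """Toy model of the Android middleware reference monitor (slides 27-32)."""

    def __init__(self):
        self.permissions: Dict[str, Permission] = {}
        self.apps: Dict[str, App] = {}
        self.components: Dict[str, Component] = {}
        self.protected_apis: Dict[str, str] = {}  # API name -> required label (slide 31)

    def declare_permission(self, perm: Permission):
        self.permissions[perm.name] = perm

    def register_component(self, comp: Component):
        self.components[comp.name] = comp

    def protect_api(self, api: str, label: str):
        self.protected_apis[api] = label

    def install(self, name: str, signer: str, requested) -> App:
        """Install-time grant. normal/dangerous labels are granted (slide 13: users grant
        every request); a signature label is granted only when the installing package is
        signed with the same key as the package that declared it (slide 32)."""
        granted = set()
        for label in requested:
            perm = self.permissions.get(label)
            if perm is None:
                continue  # undeclared label: nothing to grant
            if perm.level == "signature" and perm.declared_by != signer:
                continue  # e.g. a third-party app asking for a framework-only label
            granted.add(label)
        app = App(name, signer, frozenset(granted))
        self.apps[name] = app
        return app

    def check_icc(self, caller: str, target: str) -> bool:
        """Slide 28 logic: compare the target's access permission label with the
        label collection of the calling component's application."""
        comp = self.components[target]
        if comp.owner == caller:
            return True       # same application: always allowed
        if not comp.exported:
            return False      # private component: unreachable from any other app
        if comp.permission is None:
            return True       # public and unprotected
        return comp.permission in self.apps[caller].granted

    def check_api(self, caller: str, api: str) -> bool:
        """Protected API check: the label must have been declared in the manifest
        and granted at install time."""
        return self.protected_apis[api] in self.apps[caller].granted


def build_demo_monitor() -> ReferenceMonitor:
    """Constructed scenario: framework labels plus a banking app and a third-party game.
    Protection levels are simplified assumptions, not Android's exact table."""
    rm = ReferenceMonitor()
    rm.declare_permission(Permission("android.permission.INTERNET", "normal", "framework-key"))
    rm.declare_permission(Permission("android.permission.SEND_SMS", "dangerous", "framework-key"))
    rm.declare_permission(Permission("android.permission.MODIFY_PHONE_STATE", "signature", "framework-key"))
    rm.declare_permission(Permission("com.example.bank.TRANSFER", "signature", "bankcorp-key"))
    rm.protect_api("telephony.sendTextMessage", "android.permission.SEND_SMS")
    rm.protect_api("telephony.modifyPhoneState", "android.permission.MODIFY_PHONE_STATE")

    rm.install("bank", "bankcorp-key", ["android.permission.INTERNET", "com.example.bank.TRANSFER"])
    rm.install("game", "indie-key", ["android.permission.INTERNET", "android.permission.SEND_SMS",
                                     "android.permission.MODIFY_PHONE_STATE", "com.example.bank.TRANSFER"])

    rm.register_component(Component("bank.PasswordStore", "bank", exported=False))
    rm.register_component(Component("bank.TransferService", "bank", permission="com.example.bank.TRANSFER"))
    rm.register_component(Component("bank.HelpActivity", "bank"))
    return rm
```

In a real manifest these three knobs are `android:exported` on the component, `android:permission` on the component, and `android:protectionLevel` on the `<permission>` declaration. The model shows why the slide calls the label "merely a text string": the game can request `com.example.bank.TRANSFER` by name, and only the signature check at install time keeps it out of the game's label collection.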
  • 33. Lessons in Defining Policy
    • Android security policy begins with a relatively easy-to-understand MAC enforcement model,
      – but the number and subtlety of refinements make it difficult to discover an application’s policy.
    • The label itself is merely a text string,
      – but its assignment to an application provides access to potentially limitless resources.
  • 34. MILS/Separation Kernel approach for Android phones
  • 36. SiMKo 3
  • 37. Simplified overall SiMKo3 system architecture – MILS approach
    [Architecture figure: four compartments on the L4Re microkernel above the boot-loader, key storage and hardware: Open Compartment (Android on L4Linux + Google patches), Secure Compartment (secure Android with S/MIME, dialer, privacy store and secure connector on L4Linux + Google patches), Network Compartment (VPN and firewall on L4OpenBSD) and Crypto Compartment (en-/decrypter and SmartCard). The figure also shows the L4 driver stubs for video, power management, network, storage, touch and crypto, the modem driver, a secure environment GUI and OTA components; the exact placement of each element is not recoverable from the extracted text.]
  • 38. Network hardening of SiMKo3
  • 39. Modem Virtualization
  • 40. Modem Virtualization
  • 41. SoC of Galaxy S II
  • 42. Early Prototypes
  • 43. SiMKo3 is based upon the L4 micro-kernel and the Samsung Galaxy S II, and …
  • 44. L4Android – www.l4android.org
    • L4Android is derived from the L4Linux project, which is developed at the Technische Universität Dresden.
    • L4Linux is a modified Linux kernel, which runs on top of the Fiasco.OC microkernel.
    • It is binary compatible with the normal Linux kernel.
    • L4Android combines both the L4Linux and Google modifications of the Linux kernel and thus enables us to run Android on top of a microkernel.
  • 45. Agenda – Thank you for your attention!
    1. Introduction
    2. Three reasons for Access Control in SmartPhones
       – mTAN, Signalling based attacks, Android Trojan(s)
    3. So? Access Control in three Linux based SmartPhones!
       – LiMo, MeeGo, Android
    4. Problems with MAC for “responsible devices“
    5. The MILS/Separation Kernel approach for Android phones
       – SECT ad for L4Android
    6. Conclusion
