1. Android e mobile security (for developers) - ifalcomata@enforcer.it – CTO, Enforcer - Slide 1/43
Igor Falcomatà
Android and mobile security
(for developers)
ifalcomata@enforcer.it – CTO, Enforcer
Slide 2/43
• professional activity:
  • vulnerability assessment and penetration testing (~15 years)
  • security consulting
  • training
• other:
  • sikurezza.org
  • (F|Er|bz)lug
free advertising >
Slide 3/43
http://en.wikipedia.org/w/index.php?title=File:Android-System-Architecture.svg
Slide 4/43
• Architectures: ARM, (MIPS, x86, ..)
• Kernel
  • Linux kernel 2.6.x (Android 1, 2 and 3.x)
  • Linux kernel 3.0.x (Android 4.x)
  • standard components and drivers
  • FS, processes, permissions
  • standard vulnerabilities ;)
• Custom components
  • binder, ashmem, pmem, logger, wakelocks, OOM, alarm timers, paranoid network security, gpio, ..
  • Android and vendor custom hw drivers
  • new vulnerabilities waiting to be found ;)
Slide 5/43
• Sandbox (OS level)
  • sandboxing with Linux uid/gid + kernel patches (protected API)
  • 1 process = 1 application = 1 VM (+ OS components)
  • protected API for hardware access: camera, GPS, Bluetooth, telephony, SMS/MMS, network connections
  • root = root (full access)
• Libraries
  • bionic libc (!= GNU libc, !POSIX)
  • udev, WebKit, OpenGL, SQLite, crypto, .. (& bugs)
• Dalvik VM (!= JVM)
  • Java code -> dex bytecode
  • custom Java libraries
  • can run native code (syscalls, ioctls, ..) -> kernel
Slide 6/43
“Like all security features, the Application Sandbox is not unbreakable. However, to break out of the Application Sandbox in a properly configured device, one must compromise the security of the Linux kernel.”
Slide 7/43
[Network diagram: hot-spot user, wifi user, 3G user and BY0D user; access point, firewall, ext. router; web server, app backend, db server, file server, dep. server, desktops; cloud services]
Slide 8/43
[Network diagram as on slide 7, with Mr. MobileMalicious and a 3rd-party app backend added]
Slide 9/43
[Network diagram as on slide 8]
• vectors:
  • chat
  • e-mail
  • links on social networks
  • MiTM / DNS spoofing / ..
• exploit:
  • malicious site ->
  • app (pwned) ->
  • kernel (pwned) ->
  • r00t!!
Slide 10/43
[Network diagram as on slide 8]
• classic “client side attack”:
  • exploit an app/library (webkit, ..)
  • arbitrary code execution
  • -> kernel (syscalls, ioctls, ..)
• no-win situation
  • “we don't care”
  • but...:
    • root -> full control
    • access to every app's data
Slide 13/43
[Network diagram as on slide 8]
• root -> full control
  • personal data: mail, documents, contacts, calendar, ..
  • interception: audio, video, messaging, network, ..
  • geolocation: photos, social networks, ..
  • credentials: sites, mail, VPN, .. → cloud storage
Slide 15/43
[Network diagram: BY0D user and wifi user behind the access point, firewall and ext. router; web server, app backend, db server, file server, dep. server, desktops; Mr. MobileMalicious reached through an OOB covert channel (UMTS/GPRS/SMS/..)]
Bring Your 0wned Device
Slide 18/43
[Network diagram as on slide 7, without the 3G user and with Mr. WifiMiTM added]
Slide 19/43
[Network diagram as on slide 18]
no HTTPS (ouch ouch ouch)
MiTM
Hot Spot
Rogue APs
Slide 22/43
[Network diagram as on slide 18]
• MiTM (browser)
  • no SSL?
    • traffic mangling
  • SSL?
    • user taps “continue”?
      • game over
Slide 23/43
[Network diagram as on slide 18]
• MiTM (app)
  • no SSL?
    • traffic mangling
  • SSL?
    • app verifies cert?
      • OK!
    • app does not verify cert?
      • game over
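The two certificate-handling patterns behind the “app verifies cert?” branch, as an added Java example for Android's HttpsURLConnection (not code from the slides): the trust-everything TrustManager and HostnameVerifier that turn the SSL case into the no-SSL case, beside a connection that keeps the platform's default validation and pins the server key on top. The pin value is a placeholder; the pinned host is whatever URL the caller passes.

```java
import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsPatterns {
    // BROKEN ("app does not verify cert"): every chain and every hostname is
    // accepted, so a MiTM certificate is trusted and HTTPS protects nothing.
    static final TrustManager[] TRUST_ALL = new TrustManager[] {
        new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String auth) {}
            public void checkServerTrusted(X509Certificate[] chain, String auth) {}
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        }
    };
    static final HostnameVerifier ALLOW_ALL = (hostname, session) -> true;

    // CORRECT ("app verifies cert"): leave the default SSLSocketFactory and
    // HostnameVerifier in place (chain checked against the system trust store,
    // hostname checked), then pin the leaf public key: SHA-256 over the DER
    // SubjectPublicKeyInfo, base64. The pin below is a placeholder (assumption);
    // compute it from your own server key and ship a backup pin for rotation.
    static final String PIN_SHA256_B64 = "<base64 sha256 of the server SPKI>";

    static HttpsURLConnection openPinned(String urlString) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        conn.connect();  // handshake runs here with the default validation
        try {
            X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
            byte[] spki = leaf.getPublicKey().getEncoded();
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            // java.util.Base64 is API 26+; use android.util.Base64 on older releases
            String seen = Base64.getEncoder().encodeToString(digest);
            if (!seen.equals(PIN_SHA256_B64)) {
                conn.disconnect();
                throw new IOException("certificate pin mismatch for " + conn.getURL().getHost());
            }
        } catch (NoSuchAlgorithmException e) {
            throw new IOException(e);
        }
        return conn;
    }
}
```

Grep your own .apk sources for `checkServerTrusted` bodies that are empty and for `ALLOW_ALL_HOSTNAME_VERIFIER`: either one is the “game over” branch of this slide.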
Slide 24/43
[Network diagram as on slide 18]
• game over = traffic mangling
  • sniffing
    • credentials
    • data
  • reverse engineering
    • traffic/protocols
    • business logic
    • API/URL analysis
  • rogue/fake app
  • HTML-like client-side attacks
    • JS injection & co.
    • client-side injection
Slide 25/43
https://threatpost.com/en_us/blogs/research-shows-serious-problems-android-app-ssl-implementations-101912
Slide 26/43
https://threatpost.com/en_us/blogs/research-shows-serious-problems-android-app-ssl-implementations-101912
Yeah, sure, that was 2012..
but now..
Slide 27/43
[Network diagram as on slide 8]
download .apk
(install app)
Slide 28/43
[Network diagram as on slide 8]
• .apk
  • download
    • market install
    • adb pull
  • extraction
    • dex2jar, apk-extractor, ..
  • analysis
    • resources, manifest, ..
  • decompilation
    • jd-gui, ypjd, ..
Slide 32/43
[Network diagram as on slide 8]
• .apk
  • business logic analysis
    • broken/no auth
    • broken/no session management
    • credentials/certificates
    • “private” URLs/APIs
  • HTTP/JSON/XMLRPC/WS/..
    • SQL injections
    • path traversal
    • broken/no auth/session mgmt
    • ...
  • custom/other protocols
    • reverse engineering
    • see above
Slide 34/43
[Network diagram as on slide 8]
http://www.example.com/app/privateapi?user=paperino
http://www.example.com/app/privateapi?user=pluto
Slide 35/43
[Network diagram as on slide 8]
http://www.example.com/app/privateapi?user=paperino&pass=moo
http://www.example.com/app/privateapi?user=pluto'--&pass=boh
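The back-end behind a “private” login API like the URLs above, as an added Java/JDBC example (not the author's code): the string-built query that `pluto'--` comments out, beside the parameterized replacement that also stops comparing passwords in clear. The `users` table with `username`, `salt` and `password_hash` (base64) columns is an assumed schema.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PrivateApiAuth {
    // BROKEN: request parameters are spliced into the SQL text. With user = "pluto'--"
    // the WHERE clause becomes  username = 'pluto'--' AND password = '...'  and
    // everything after -- is a comment, so the password is never checked.
    static boolean loginVulnerable(Connection db, String user, String pass) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = '" + user
                   + "' AND password = '" + pass + "'";
        try (Statement st = db.createStatement(); ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // FIXED: the placeholder keeps the SQL structure constant and the driver sends
    // the value separately, so quotes and -- in `user` are just data. The password
    // is never stored or compared in clear: the row (assumed schema) holds a random
    // salt and a PBKDF2 hash, compared in constant time.
    static boolean loginSafe(Connection db, String user, String pass) throws SQLException {
        String sql = "SELECT salt, password_hash FROM users WHERE username = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false;
                byte[] salt = Base64.getDecoder().decode(rs.getString(1));
                byte[] stored = Base64.getDecoder().decode(rs.getString(2));
                return MessageDigest.isEqual(pbkdf2(pass, salt), stored);
            }
        }
    }

    // PBKDF2-HMAC-SHA256, 100k iterations, 256-bit output.
    static byte[] pbkdf2(String pass, byte[] salt) {
        try {
            PBEKeySpec spec = new PBEKeySpec(pass.toCharArray(), salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

Credentials in a GET query string, as in the URLs above, also land in proxy, server and browser logs; send them in a POST body over TLS.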
Slide 36/43
https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab=Top_Ten_Mobile_Risks
Slide 37/43
bonus track :)
Slide 39/43
http://www.guardian.co.uk/technology/2012/jan/30/android-malware-row
Slide 40/43
• adoption and “geopardizzazione” (AUGH!)
• sources (AOSP), docs, SDK, NDK, emulator, ..
• .apk → decompilation, reversing, debugging
• OS updates, apps and alternative markets
• application permissions “delegated” to users
• Linux kernel, ~ Linux userspace and libraries (and bugs)
• exploit mitigation techniques (fail) (< 2.3, < 4.0.3)
• OOB “covert” channel (UMTS/GPRS, SMS, ..)
• little-explored territory: custom OS/libs, hw drivers
http://www.enforcer.it/dl/android_security_smau2012.pdf
Slide 41/43
• personal data (mail, documents, contacts, calendar, ..)
• interception (audio, video, messaging, network, ..)
• geolocation (photos, social networks, ..)
• credentials (sites, mail, VPN, ..) → cloud storage
• HTML-like client-side attacks
• EvilApp wants to eat your soul.. Install? YES!!!
• BY0D (Bring Your 0wned Device)
• banking OTP ($$)
• NFC ($$)
Slide 42/43
• “private” URLs and web services
• business logic exposed (client-side)
  • -> device -> credentials -> back-end
  • -> device -> storage -> back-end
• hard-coded credentials and certificates (.apk)
• no/lazy input validation
• no/broken authentication & session management
• the good ole web security vulns
Slide 43/43
Webography: http://www.enforcer.it/dl/android_security_smau2012.pdf
Igor Falcomatà
ifalcomata@enforcer.it – CTO, Enforcer
Android and mobile security
(for developers)
Questions?