Android security overview and safe practices for web-based Android applications
Incalza Dario
@h4oxer
Contents 
• Introduction 
• Overview Android platform 
• Attack surfaces in Android 
• Security in web-based applications 
xda:devcon '14 - Manchester - Dario Incalza
Introduction
• XDA Recognized Developer
• Student M.Sc. Computer Science, majoring in Development of Secure Software @ KU Leuven
• Android enthusiast/developer
• Blogger (http://h4oxer.wordpress.com)
Introduction 
• Not technical 
• Call for action 
• Security is also your responsibility 
• No need to be a security expert 
The Android platform 
• Components in five main layers 
– Android applications 
– Android Framework 
– Dalvik Virtual Machine (since 4.4 ART) 
– User-space native code 
– The Linux kernel 
Android Applications
• Android Applications
– Allow third-party developers to add functionality
– Interaction through the Android Framework API
– Applications are signed with keys
• Creates a trusted relationship between updates
– Application components
• AndroidManifest.xml, Intents, Activities, Broadcast Receivers, Services and Content Providers
Android Framework
• Interface for Android applications
• Allows developers to perform common tasks
• Standard and third-party libraries
– e.g. Apache HTTP and SAX XML Parser
• Framework managers
– e.g. Activity Manager, View System, Package Manager, etc.
The Dalvik Virtual Machine
• Based on the Java Virtual Machine
• Register-based, whereas the JVM is stack-based
• Pretty close to Java but not quite the same
• DEX and ODEX (optimized DEX) files
• Zygote
– Shared core classes and libraries
– Loader for Dalvik processes
User-Space Native Code
• Native code in operating system user-space
• Consists of two primary groups
– Libraries:
• Shared libs, accessed through JNI
• Vendor-specific vs. non-vendor-specific
• Bionic
• Interesting for security researchers
– Core system services
• Init
• Radio Interface Layer (RIL)
• ADB
The Kernel
• Linux kernel, but an Android fork
• Binder
– IPC mechanism
– Client-server model
– PID and UID identification for access control
• Logger
– Four buffers: main, system, radio, event
– LogCat
The Android Platform: Conclusion
• Very complex system
• Principle of least privilege
• An exploit on Android is a collection of vulnerabilities
– e.g. ‘diaggetroot’ – HTC J Butterfly
Attack Surfaces in Android
• Terminology
– Attack Vector: methods used to carry out an attack
– Attack Surface: a target’s ‘open flanks’
• Classification of attack surfaces
– Physical Adjacency
– Local
– Physical
– Remote
Attack Surfaces in Android
• Surface properties
– Attack Vector
– Privileges Gained
– Memory Safety
– Complexity
• General rule: as much privilege as possible with as little investment as possible
Attack Surface – Physical Adjacency
• Attacker in range of the victim
• Wireless communication channels
– GPS
– Baseband
– Bluetooth
– Wi-Fi
– NFC
Attack Surface – Physical Adjacency
• Global Positioning System (GPS)
– One-way communications mechanism
– Accessible through android.location.* or Google Play Services
– End-user privacy not always respected
– Location spoofing attacks
Attack Surface – Physical Adjacency
• Baseband
– Communicates with mobile networks
– Baseband firmware
– Mostly Man-in-the-Middle (MITM) attacks
• Set up a base station with a strong signal
• Rogue Base Station Attack
– Based on protocols
• Every protocol is an attack surface
• Resource intensive to exploit!!
Attack Surface – Physical Adjacency
• Bluetooth
– Rich attack surface
– Based on profiles; 30+ profiles!
– Requires pairing
• Numeric code
• Hard-coded codes => interesting!
– Possible attacks: bluejacking, bluesnarfing, bluebugging
Attack Surface – Physical Adjacency
• Wi-Fi
– Rich attack surface
– Similar attack surface to Bluetooth
– Very extensive
Attack Surface – Physical Adjacency
• NFC (Near Field Communication)
– Built on RFID
– Three main use cases
• Tags
• ‘Beam’ data
• Contactless payments
– Successful attacks on NFC
• Charlie Miller – set up connections over BT or Wi-Fi
• Georg Wicherski and Joshua J. Drake – browser attack
• MWR Labs – exploit of file format parsing in Polaris Office
Attack Surface – Local
• Ultimate goal: privileged code execution
• Android security architecture based on least privilege
• Use code already running on the device to gain more privileges
• Interesting when rooting?
Attack Surface – Local
• The File System
– Unix-based
– Attack surfaces exposed via entries in the file system
– Exposed IPC functionality
– Determining the code behind an endpoint
Attack Surface – Local
• System Calls
– Kernel is responsible for handling system calls
– Kernel must cope with malicious data passed in system calls
– Search for “SYSCALL_DEFINE” in the kernel source code
Attack Surface – Local
• Binder
– Unique to Android
– Basis of Intents
– Driver in the kernel
– Services in native code on top of Binder
=> Deeper attack surfaces => privilege escalation?
Attack Surface – Local
• Other local attack surfaces
– Shared memory
– Baseband interface
– Sockets
Attack Surface – Physical
• Requires physical access to the device
• Most people consider physical attacks impossible to defend against
Attack Surface – Physical
• Dismantling devices
– Disassembling the device and attacking the hardware itself
– Hardware not adequately protected
– Attack surfaces:
• Exposed serial ports
• Exposed JTAG debug ports
– Check Adam Outler on XDA TV!!
Attack Surface – Physical
• Android Debug Bridge (ADB)
– USB debugging
– “Juice jacking”
– Now authenticated with an RSA keypair
Attack Surface – Remote
• Largest attack surface
• Can be devastating
• Holy grail for attackers
Attack Surface – Remote
• Browser Attacks
– Browsers are complex systems
– A lot of web technologies and protocols
• All attack surfaces!!
– Drive-by attack = trick the user into loading a URL
– MitM attacks
– Cross-site scripting (XSS) and Cross-site request forgery (CSRF)
– Same-Origin Policy (SOP)
Attack Surface – Remote
• Other Attacks
– Ad networks
– Media and document processing
– Google infrastructure
– Malicious apps – third-party app ecosystems
Security in web-based applications
• WebView component
• WebKit web browser engine
• Extensive use in hybrid applications
• Remote attack surface => security issues
Source: MWR Infosecurity
Security in web-based applications
• Disable support for plugins
– Additional attack surfaces -> needed?
– webview.getSettings().setPluginsEnabled(false)
• Disable file system access
– Access to local resources
– Enabled by default!
– webview.getSettings().setAllowFileAccess(false)
• Disable JavaScript
– webview.getSettings().setJavaScriptEnabled(false)
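The three settings above, collected into one helper as an added example that is not the talk's own code: a hypothetical class `WebViewHardening` (assumed name) that applies them to a `WebView` together with the related file-origin switches the slide does not list. It assumes the content the app renders needs neither plugins, local file access nor JavaScript.

```java
import android.os.Build;
import android.webkit.WebSettings;
import android.webkit.WebView;

/**
 * Hypothetical helper (added example, not the talk's code) that applies
 * the settings recommended on the slide to a WebView, plus the related
 * file-origin switches. Assumes the content shown needs no plugins,
 * no local file access and no JavaScript.
 */
public final class WebViewHardening {

    private WebViewHardening() {}

    public static void harden(WebView webView) {
        WebSettings settings = webView.getSettings();

        // Plugins: extra attack surface that most apps never need.
        // setPluginsEnabled(false) from the slide is deprecated since API 18;
        // setPluginState is its replacement, and the Chromium-based WebView
        // (API 19+) runs no plugins at all.
        settings.setPluginState(WebSettings.PluginState.OFF);

        // File system access is enabled by default, so a page could otherwise
        // load file:// URLs. Deny it, deny content:// providers too, and on
        // API 16+ deny cross-origin access from file:// origins.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN) {
            settings.setAllowFileAccessFromFileURLs(false);
            settings.setAllowUniversalAccessFromFileURLs(false);
        }

        // JavaScript is off by default; set it explicitly so nobody later
        // relies on a default that a refactor may change.
        settings.setJavaScriptEnabled(false);

        // API 21+: an https page must not pull http sub-resources, which is
        // the MitM point raised on the next slide.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.LOLLIPOP) {
            settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        }
    }
}
```

Call `WebViewHardening.harden(webView)` once, before the first `loadUrl`. If a later requirement really needs JavaScript, re-enable only that one switch and keep the file-origin settings off; the two `*FromFileURLs` settings are the ones that otherwise let a page served from `file://` read any local file.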
Security in web-based applications
• WebView issues
– Is JS necessary????
– Nothing against MitM => use crypto
– Origin checking!
– Only load trusted third-party content
– Java–JavaScript bridge is dangerous!!!!
• SOP not enforced over the bridge
Security in web-based applications
• WebView issues
Executing Java code in the context of your app!
Security in web-based applications
• Resource inspection
– Intercept page loads
– Check against a whitelist of trusted parties
– Override the callback methods in WebViewClient
Security in web-based applications
• Resource inspection
– What about IFrames, content between script tags, or XmlHttpRequests?
– Not intercepted by shouldOverrideUrlLoading
– Override shouldInterceptRequest
Security in web-based applications
A list of useful methods (example URI: http://xda-devcon.com/index.html)
• getHost – gets the encoded host from the authority of the URI
– xda-devcon.com
• getScheme – gets the scheme of the URI
– http
• getPath – gets the decoded path
– index.html
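How the whitelist and the two overrides from the preceding slides fit together, as an added example that is not the talk's code: a hypothetical `AllowListWebViewClient` that parses every requested URL with `android.net.Uri`, uses the `getScheme` and `getHost` methods listed above, and compares the host exactly against a constructed allow-list (`xda-devcon.com` and `www.xda-devcon.com`, assumed for the example). It implements both the top-level navigation hook (`shouldOverrideUrlLoading`) and the sub-resource hook (`shouldInterceptRequest`) that catches IFrames, scripts and XmlHttpRequests.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical WebViewClient (added example, not the talk's code) that
 * enforces an allow-list of hosts on every load: top-level navigations via
 * shouldOverrideUrlLoading and sub-resources (iframes, scripts, XHR) via
 * shouldInterceptRequest. The String-based overrides are the ones available
 * on API 11+ (the 2014 platform); on API 21+/24+ the WebResourceRequest
 * overloads exist as well and can delegate to the same isTrusted() check.
 */
public class AllowListWebViewClient extends WebViewClient {

    // Constructed allow-list for the example; a real app lists its own hosts.
    private static final Set<String> TRUSTED_HOSTS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("xda-devcon.com", "www.xda-devcon.com")));

    /** Exact host match over https only: no substring or prefix matching on the raw URL. */
    static boolean isTrusted(String url) {
        if (url == null) {
            return false;
        }
        Uri uri = Uri.parse(url);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false; // relative, javascript:, data: or malformed URLs are rejected
        }
        // https rather than http: "nothing against MitM => use crypto".
        return "https".equals(scheme.toLowerCase(Locale.ROOT))
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // true = "we handled it", which for an untrusted URL means: drop the navigation.
        return !isTrusted(url);
    }

    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isTrusted(url)) {
            return null; // null lets the WebView fetch the resource normally
        }
        // Anything else (iframe source, script, XHR, image) gets an empty body instead.
        return new WebResourceResponse("text/plain", "UTF-8",
                new ByteArrayInputStream(new byte[0]));
    }
}
```

Install it with `webView.setWebViewClient(new AllowListWebViewClient())` before loading the first page. The check matches the parsed host exactly and requires `https`; a `contains` or `startsWith` test on the raw URL string is the weak pattern matching the conclusion slide warns about, because the trusted name can appear inside an unrelated host or path. One detail the slide's example output glosses over: `Uri.getPath()` on `http://xda-devcon.com/index.html` returns `/index.html`, with the leading slash, which matters if a whitelist is ever extended to paths.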
Security in web-based applications
• addJavascriptInterface
– Dangerous
– SOP is not enforced for the bridge!
– IFrames => nightmare
– Hybrid software stacks use this!
• Apache Cordova
• Sencha Touch
– Fracking attacks => generic for all hybrid frameworks
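A deliberately narrow bridge object as an added example (not the talk's code, nor Cordova's or Sencha Touch's): a hypothetical class `NarrowBridge` published to the page as `AppBridge`, relying on the `@JavascriptInterface` annotation that Android 4.2 (API 17) introduced. Method names (`getAppVersion`, `showMessage`, `internalDebugInfo`) and the listener interface are assumed for the example, and the app's `targetSdkVersion` is assumed to be at least 17, since the annotation is only enforced under that condition.

```java
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

/**
 * Hypothetical Java-to-JavaScript bridge (added example, not the talk's code).
 * With targetSdkVersion >= 17 only methods carrying @JavascriptInterface are
 * reachable from page JavaScript; every other method of this object, and of
 * java.lang.Object, stays hidden.
 */
public final class NarrowBridge {

    /** Name under which the page sees the object: window.AppBridge (assumed). */
    public static final String BRIDGE_NAME = "AppBridge";

    /** Assumed callback so the bridge itself holds no Activity or Context. */
    public interface BridgeListener {
        void onShowMessage(String message);
    }

    private final BridgeListener listener;

    private NarrowBridge(BridgeListener listener) {
        this.listener = listener;
    }

    // Exposed on purpose. Bridge methods run on a WebView background thread,
    // and the caller is whatever page (or frame) the WebView was allowed to
    // load, so keep them few, argument-checked and free of sensitive data.
    @JavascriptInterface
    public String getAppVersion() {
        return "1.0"; // constructed value for the example
    }

    @JavascriptInterface
    public void showMessage(String message) {
        if (message == null || message.length() > 200) {
            return; // bound untrusted input before it reaches the UI
        }
        listener.onShowMessage(message); // listener must hop to the UI thread
    }

    // Intentionally NOT annotated: invisible to JavaScript under the API 17 rule.
    public String internalDebugInfo() {
        return "debug info stays inside the app";
    }

    /**
     * Attach the bridge only where the annotation rule is enforced. On devices
     * below API 17 every public method of the object is reachable by reflection
     * regardless of annotations, so refuse to attach and let the page run
     * without the bridge. Must be called before loadUrl().
     */
    public static boolean attach(WebView webView, BridgeListener listener) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) {
            return false;
        }
        webView.addJavascriptInterface(new NarrowBridge(listener), BRIDGE_NAME);
        return true;
    }

    /** Detach; takes effect for the next page load. */
    public static void detach(WebView webView) {
        webView.removeJavascriptInterface(BRIDGE_NAME);
    }
}
```

Two points the code encodes. Below API 17 the bridge is simply not attached, because every public method of the object would otherwise be callable from the page. And the bridge carries nothing that needs to stay private from the page: since SOP is not enforced over the bridge, any frame the WebView renders, including a third-party IFrame, can call it, which is the "IFrames => nightmare" point. Limiting which pages and frames load at all is the job of an allow-listing `WebViewClient`, not of the bridge.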
Security in web-based applications: Conclusion
– Difficult to get right
– Pattern matching for the whitelist is of extreme importance
– Watch out for hybrid mobile apps
– Consider the effort of developing native
Thanks!! 
Q & A ? 

Diamond Application Development Crafting Solutions with Precision
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 

Android Security Overview and Safe Practices for Web-Based Android Applications
xda:devcon '14 - Manchester - Dario Incalza

1. Android security overview and safe practices for web-based Android applications
Incalza Dario
@h4oxer

2. Contents
• Introduction
• Overview Android platform
• Attack surfaces in Android
• Security in web-based applications

3. Introduction
• XDA – recognized Developer
• Student M. Sc. Computer science, majoring in Development of Secure Software @ KU Leuven
• Android enthusiast/developer
• Blogger (http://h4oxer.wordpress.com)

4. Introduction
• Not technical
• Call for action
• Security is also your responsibility
• No need to be a security expert

5. The Android platform
• Components in five main layers
– Android applications
– Android Framework
– Dalvik Virtual Machine (since 4.4 ART)
– User-space native code
– The Linux kernel

6. The Android platform

7. Android Applications
• Android Applications
– Allow third-party developers to add functionality
– Interaction through the Android Framework API
– Applications are signed with keys
  • Creates a trusted relationship between updates
– Application components
  • AndroidManifest.xml, Intents, Activities, Broadcast Receivers, Services and Content Providers

8. Android Framework
• Interface for Android applications
• Allows developers to perform common tasks
• Standard and third-party libraries
– e.g. Apache HTTP and SAX XML Parser
• Framework managers
– e.g. Activity Manager, View System, Package Manager, etc.

9. The Dalvik Virtual Machine
• Based on the Java Virtual Machine
• Register-based <-> stack-based
• Pretty close to Java but not quite the same
• DEX and ODEX (Optimized DEX) files
• Zygote
– Shared core classes and libraries
– Loader for Dalvik processes

10. User-Space Native Code
• Native code in operating system user-space
• Comprised of two primary groups
– Libraries:
  • Shared libs, accessed through JNI
  • Vendor-specific <-> non-vendor-specific
  • Bionic
  • Interesting for security researchers
– Core system services
  • Init
  • Radio Interface Layer (RIL)
  • ADB

11. The Kernel
• Linux kernel, but an Android fork
• Binder
– IPC mechanism
– Client-server model
– PID and UID identification for access control
• Logger
– Four buffers: main, system, radio, event
– LogCat

12. The Android Platform: Conclusion
• Very complex system
• Principle of least privilege
• An exploit on Android is a collection of vulnerabilities
– e.g. ‘diaggetroot’ – HTC J Butterfly

13. Attack Surfaces in Android
• Terminology
– Attack Vector: methods used to carry out an attack
– Attack Surface: a target’s ‘open flanks’
• Classification of attack surfaces
– Physical Adjacency
– Local
– Physical
– Remote

14. Attack Surfaces in Android
• Surface properties
– Attack Vector
– Privileges Gained
– Memory Safety
– Complexity
• General rule: as much privilege as possible with as little investment as possible

15. Attack Surface – Physical Adjacency
• Attacker in range of the victim
• Wireless communication channels supported
– GPS
– Baseband
– Bluetooth
– Wi-Fi
– NFC

16. Attack Surface – Physical Adjacency
• Global Positioning System (GPS)
– One-way communication mechanism
– Accessible through android.location.* or Google Play Services
– End-user privacy not always respected
– Location spoofing attacks

17. Attack Surface – Physical Adjacency
• Baseband
– Communicates with mobile networks
– Baseband firmware
– Mostly Man-in-the-Middle (MITM) attacks
  • Set up a base station with a strong signal
  • Rogue Base Station Attack
– Based on protocols
  • Every protocol is an attack surface
  • Resource intensive to exploit!!

18. Attack Surface – Physical Adjacency
• Bluetooth
– Rich attack surface
– Based on profiles; 30+ profiles!
– Requires pairing
  • Numeric code
  • Hard-coded codes => interesting!
– Possible attacks: bluejacking, bluesnarfing, bluebugging

19. Attack Surface – Physical Adjacency
• Wi-Fi
– Rich attack surface
– Similar attack surface to Bluetooth
– Very extensive

20. Attack Surface – Physical Adjacency
• NFC (Near Field Communication)
– Built on RFID
– Three main use cases
  • Tags
  • ‘Beam’ data
  • Contactless payments
– Successful attacks on NFC
  • Charlie Miller – setting up BT or Wi-Fi connections
  • Georg Wicherski and Joshua J. Drake – browser attack
  • MWR Labs – exploiting file format parsing in Polaris Office

21. Attack Surface – Local
• Ultimate goal: privileged code execution
• Android security architecture is based on least privilege
• Use code already running on the device to gain more privileges
• Interesting when rooting?

22. Attack Surface – Local
• The File System
– Unix based
– Attack surfaces exposed via entries in the file system
– Exposed IPC functionality
– Determining the code behind an endpoint

23. Attack Surface – Local
• System Calls
– The kernel is responsible for handling system calls
– The kernel has to handle malicious data passed in a system call
– Search for “SYSCALL_DEFINE” in the kernel source code

24. Attack Surface – Local
• Binder
– Unique to Android
– Basis of Intents
– Driver in the kernel
– Services in native code on top of Binder => deeper attack surfaces => privilege escalation?

25. Attack Surface – Local
• Other local attack surfaces
– Shared memory
– Baseband interface
– Sockets

26. Attack Surface – Physical
• Requires physically touching the device
• Most people consider physical attacks impossible to defend against

27. Attack Surface – Physical
• Dismantling devices
– Disassembling the device and attacking the very hardware
– Hardware not adequately protected
– Attack surfaces:
  • Exposed serial ports
  • Exposed JTAG debug ports
– Check Adam Outler on XDA TV!!

28. Attack Surface – Physical
• Android Debug Bridge (ADB)
– USB debugging
– “Juice Jacking”
– Now authentication with an RSA keypair

29. Attack Surface – Remote
• Largest attack surface
• Can be devastating
• Holy grail for an attacker

30. Attack Surface – Remote
• Browser Attacks
– Browsers are complex systems
– A lot of web technologies and protocols
  • All attack surfaces!!
– Drive-by attack = trick the user into loading a URL
– MitM attacks
– Cross-site scripting (XSS) and Cross-site request forgery (CSRF)
– Same-Origin Policy (SOP)

31. Attack Surface – Remote
• Other Attacks
– Ad networks
– Media and document processing
– Google infrastructure
– Malicious apps – third-party app ecosystems

32. Security in web-based applications
• WebView component
• WebKit web browser engine
• Extensive use in hybrid applications
• Remote attack surface => security issues
Source: MWR InfoSecurity

33. Security in web-based applications
• Disable support for plugins
– Additional attack surface -> needed?
– webview.getSettings().setPluginsEnabled(false)
• Disable file system access
– Access to local resources
– Enabled by default!
– webview.getSettings().setAllowFileAccess(false)
• Disable JavaScript
– webview.getSettings().setJavaScriptEnabled(false)

34. Security in web-based applications
• WebView issues
– Is JS necessary????
– Nothing against MitM => use crypto
– Origin checking!
– Only load trusted 3rd-party content
– The Java-JavaScript bridge is dangerous!!!!
  • SOP is not enforced over the bridge

35. Security in web-based applications
• WebView issues
Executing Java code in the context of your app!

36. Security in web-based applications
• Resource inspection
– Intercept page loads
– Check against a whitelist of trusted parties
– Override native methods in WebViewClient

37. Security in web-based applications

38. Security in web-based applications
• Resource inspection
– What about IFrames, content between script tags or XmlHttpRequests?
– Not intercepted by shouldOverrideUrlLoading
– Override shouldInterceptRequest

39. Security in web-based applications
A list of useful methods (http://xda-devcon.com/index.html)
• getHost – Gets the encoded host from the authority for the URI
  • xda-devcon.com
• getScheme – Gets the scheme of the URI
  • http
• getPath – Gets the decoded path
  • index.html

40. Security in web-based applications
• addJavaScriptInterface
– Dangerous
– SOP is not enforced for the bridge!
– IFrames => nightmare
– Hybrid software stacks use this!
  • Apache Cordova
  • Sencha Touch
– Fracking attacks => generic for all hybrid frameworks

41. Security in web-based applications: Conclusion
– Difficult to get right
– Pattern matching for the whitelist is of extreme importance
– Watch out for hybrid mobile apps
– Consider the effort of developing native

42. Thanks!! Q & A ?
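As an added example that is not code from the talk, the following class combines the WebSettings hardening from slide 33 with the whitelisting of page loads (slide 36), sub-resources (slide 38) and the Uri accessors from slide 39 in one WebViewClient. The class name TrustedWebViewClient, the https-only rule and the two whitelisted hosts are assumptions made for the example.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Hypothetical helper, not from the talk: a WebViewClient that only lets
// whitelisted HTTPS origins load, for top-level pages and sub-resources alike.
public class TrustedWebViewClient extends WebViewClient {
    // Constructed whitelist; a real app lists its own backend hosts here.
    private static final Set<String> TRUSTED_HOSTS =
        new HashSet<String>(Arrays.asList("xda-devcon.com", "www.xda-devcon.com"));

    // Parse the URL and compare scheme and host exactly (slide 39's getScheme/
    // getHost). A substring test such as url.contains("xda-devcon.com") would
    // also accept "xda-devcon.com.example.org", which is the whitelist
    // pattern-matching mistake the conclusion warns about.
    static boolean isTrusted(String url) {
        if (url == null) return false;
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        return "https".equals(uri.getScheme()) && host != null
            && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Top-level navigations: link clicks and redirects. Returning true tells the
    // WebView the app handled the URL, so an untrusted page is never loaded.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isTrusted(url);
    }

    // Sub-resources (iframes, <script src>, XMLHttpRequest, images) never reach
    // shouldOverrideUrlLoading, so they are filtered here. Returning null lets
    // the WebView fetch normally; an untrusted URL gets an empty response.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        if (isTrusted(url)) return null;
        return new WebResourceResponse("text/plain", "utf-8",
            new ByteArrayInputStream(new byte[0]));
    }

    // Apply the slide 33 settings and attach this client; JS stays off unless needed.
    static void harden(WebView webview, boolean needsJavaScript) {
        webview.getSettings().setPluginsEnabled(false);
        webview.getSettings().setAllowFileAccess(false);
        webview.getSettings().setJavaScriptEnabled(needsJavaScript);
        webview.setWebViewClient(new TrustedWebViewClient());
    }
}
```

Call TrustedWebViewClient.harden(webview, false) before the first loadUrl so that no page is ever fetched with the default settings.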