This document summarizes security threats and attacks on the Android system. It outlines the Android threat model and discusses attacks from computers, firmware, NFC, Bluetooth, and malicious apps. Specific attack vectors are described, such as exploiting update mechanisms, customization vulnerabilities, and speech recognition from gyroscope data. Countermeasures like updating apps and closing unused services are recommended for users. Developers are advised to follow basic security practices like code reviews and penetration testing.

1. Android
System
Security
C.K.Chen
2014/09/02

2. Outline
• Some
news
about
android
threat
• Android
Threat
Model
– AAack
from
Computer
– AAack
from
Firmware
– NFC
Security
– Bluetooth
Security
• Malicious
APP
• Summary

8. Vulnerability

9. Android
Threat
Model

10. AAack
from
Computer
• Gaining
root
access
– Official:
simulate
screen
tap
event
to
the
oem
unlock
menu
on
selected
devices.
– Universal:
linux
local
root
exploit
(CVE-­‐2009-­‐1185
RLIMIT_NPROC
exhausZon)
send
via
USB
• Insert
malicious
payload
– Kernel:
disassemble
boot
parZZon,
replace
kernel
zimage
with
malicious
• OpZonally
unroot
back
to
avoid
detecZon

11. AAack
from
Computer
• Kernel
manipulaZon
• NaZve
ARM
ELF
binary,
bypassed
Android
framework
permission
checking.
• In
sum,
a
complete
phone
provisioning
process
fully
automated
with
evil
payload.

12. AAack
from
Firmware
•
Customize
firmware
– Distributed
by
Network
– Pay
to
manufacturers
for
including
the
malware
– Some
manufacturers
used
firmware
image
from
internet

13. NFC
Security
• Near
field
communicaZon
(NFC)
is
a
set
of
standards
– Smartphones
and
similar
devices
to
establish
radio
communicaZon
– By
touching
them
together
or
bringing
them
into
proximity,
usually
no
more
than
a
few
cenZmeters.

14. NFC
Security
• No
link
level
security
(wireless
not
encrypted)
– Eavesdropping
(sniffing)
– Man-­‐in-­‐the-­‐middle
– Data:
ModificaZon,
CorrupZon,
InserZon
• Tamper
with
NFC/RFID
tags
– Modify
original
tag
– Replace
with
malicious
tag

15. Bluetooth
Security
• Bluetooth
is
a
wireless
technology
standard
for
exchanging
data
over
short
distances

16. Bluetooth
Security
• General
so`ware
vulnerabiliZes
• Eavesdropping
– older
Bluetooth
devices
use
versions
of
the
Bluetooth
protocol
that
have
more
security
holes
• Denial
of
service
• Bluetooth
range
is
greater
than
you
think
– Bluetooth
is
designed
to
be
a
“personal
area
network.”
– Hackers
have
been
known
to
use
direcZonal,
high-­‐gain
antennae
to
successfully
communicate
over
much
greater
distances.
– For
example,
security
researcher
Joshua
Wright
demonstrated
the
use
of
such
an
antenna
to
hack
a
Bluetooth
device
in
a
Starbucks
from
across
the
street.

17. AAack
Webkit
• WebKit
is
a
layout
engine
so`ware
component
for
rendering
web
pages
in
web
browsers.
• Basic
of
web-­‐based
applicaZon

18. AAack
Webkit
•
1.
connect
2.
Send
malicious
content
Malicious
Website
Do
something
bad

19. AAack
Webkit
• hAps://www.youtube.com/watch?
v=czx_AKdj8ug

20. MMS
• MulZmedia
Messaging
Service
– A
standard
way
to
send
messages
that
include
mulZmedia
content
to
and
from
mobile
phones
– It
extends
the
core
SMS
(Short
Message
Service)
capability
that
allowed
exchange
of
text
messages

21. MMS
Flow
(Intra-­‐carrier)
•

22. MMS
AAack
Vectors
• MMS
AAack
Vectors
– Message
Headers
– MMS
uses
many
types
of
messages
SMS,
WAP,
WSP
• Message
contents
– SMIL
• Markup
language
to
describe
content
–
Rich
content
– Images
– Audio/Video

23. MMS
Security
• Mobile
phone
messaging
is
unique
aAack
surface
– Always
on
• FuncZonality
becoming
more
feature
rich
– Ringtones
– Videos
– Pictures
• Technical
hurdles
for
aAackers
are
dropping
– Easily
modified
phones
• FuncZonality
at
higher
layers

24. ImplementaZon
Vulnerability
• Android
flaw
in
parsing
UDH
for
concatenated
messages
– Concatenated
messages
have
a
sequence
number.
Valid
range
is
01-­‐FF.
• Selng
sequence
to
00
triggers
an
unhandled
invalid
array
excepZon.
• Impact:
Crashed
com.android.phone
process
on
Android
G1
– Disables
all
radio
acZvity
on
the
phone.

25. MMS
AAack
•

26. Malicious
APP
• Many
aAack
method
must
though
malicious
APP

27. APP
Permission
• Malicious
app
o`en
declare
more
permissions
android.permission.SEND_SMS
/
RECEIVE_SMS
android.permission.SYSTEM_ALERT_WINDOW
android.permission.READ_CONTACTS
/
WRITE_CONTACTS
android.
permission.READ_CALENDAR
/
WRITE_CALENDAR
android.permission.CALL_PHONE
android.permission.READ_LOGS
android.permission.ACCESS_FINE_LOCATION
android.permission.GET_TASKS
android.permission.RECEIVE_BOOT_COMPLETED
android.permission.CHANGE_WIFI_STATE
com.android.browser.permission.READ_HISTORY_BOOKMARKS
/
WRITE_HISTORY_BOOKMARKS

28. Confused
Deputy
AAack

29. Repackage
APK
• Fake
app
which
clone
the
code
from
the
original
one
– And
add
some
malicious
code
– Change
the
ad
library

30. Repackage
APK

31. Privilege
EscalaZon
•
Two
or
more
malicious
app
– Has
less
permission
and
seem
not
harmful
– With
communicate
though
intent,
these
apps
achieve
malicious
behaviors
which
require
higher
permission

32. MiZgate
the
Threat
• For
the
user
– Update
to
the
newest
version
• Android
• APP
– Close
unused
service
– Install
APP
that
you
trust

33. MiZgate
the
Threat
• For
the
Developer
– Basic
Security
Concept
– Code
Review
– PenetraZon
Test
– Keep
up
to
the
newest
aAack

34. Summary
• First,
we
share
some
security
new
in
android
• With
so
many
interface
for
communicaZon,
the
aAack
vector
is
become
more
wide
• The
threat
model
of
android
is
discuss
• Numerous
aAack
method
is
introduced
• Some
easy
guideline
is
proposed
for
user
and
developer

35. Q&A

36. The
New
AAack
• While
we
already
talk
about
some
general
aAack
– But
aAacker’s
methods
change
with
Zme,
more
special
and
more
sophisZcated
– Current,
numerous
android
security
flaws
are
proposed
in
security
conference

37. UI
State
Inference
AAack
• AAacker
can
guest
what
AcZvity
is
current
viewed
by
user
– Try
to
hijack
the
AcZvity
– Do
something
bad
• Demo
video

38. Recognizing
Speech
From
Gyroscope
Signals
• Gyroscope
is
the
device
is
a
device
for
measuring
or
maintaining
orientaZon

39. Recognizing
Speech
From
Gyroscope
Signals
• Gyroscope
is
low
level
permission
for
app
– User
may
ignore
it
• While
speech
record
is
dangerous
permission
• Researchers
show
that
it
is
possible
to
recover
the
speech
from
Gyroscope
informaZon

40. Exploit
Update
Mechanism
• New
OS
version
presumably
fixes
security
loopholes
and
enhances
the
system’s
security
protecZon
• AutomaZcally
acquire
significant
capabiliZes
without
users’
consent
once
they
upgrade
to
newer
versions!
– automaZcally
obtaining
all
new
permissions
added
by
the
newer
version
OS
– replacing
system-­‐level
apps
with
malicious
ones
– injecZng
malicious
scripts
into
arbitrary
webpages

41. Exploit
Update
Mechanism
• It
exploits
the
flaws
in
the
updaZng
mechanism
of
the
“future”
OS,
which
the
current
system
will
be
upgraded
to
• Demo
video

42. Security
Risks
in
CustomizaZons
• For
each
new
Android
version,
Google
first
releases
it
to
mobile
phone
vendors,
allowing
them
to
add
their
apps,
device
drivers
and
other
new
features
to
their
corresponding
Android
branches.
• Recent
studies
show
that
many
pre-­‐loaded
apps
on
those
images
are
vulnerable,
leaking
system
capabiliZes
or
sensiZve
user
informaZon
to
unauthorized
parZes.
2014/5/19
42

43. Security
Risks
in
CustomizaZons
• The
security
risks
here,
however,
go
much
deeper
than
those
on
the
app
layer.
• ParZcularly,
they
almost
always
need
to
modify
a
few
device
drivers
(e.g.,
for
camera,
audio,
etc.)
and
related
system
selngs
to
support
their
hardware.
2014/5/19
43

44. Security
Risks
in
CustomizaZons
• Device
drivers
work
on
the
Linux
layer
and
communicate
with
Android
users
through
framework
services.
• Therefore,
any
customizaZon
on
an
Android
device
needs
to
make
sure
that
it
remains
well
protected
at
both
the
Linux
and
framework
layers.
• However,
vendors
usually
doesn't
have
the
Zme
to
properly
address
such
problems.
2014/5/19
44

45. The
Peril
of
FragmentaZon
• Android
devices
contain
a
large
piece
which
is
customize
by
vender
– Kernel
– Firmware
• For
ease
of
programming,
some
security
policies
are
broken
• DEMO
Video