
Tutorial on Smartphone Security


Academic year: 2021


(1)

Tutorial on Smartphone Security

Wenliang (Kevin) Du

Professor

[email protected]

(2)

Smartphone Usage

(3)

Smartphone Applications

(4)

Overview

» Built-in Protections (iOS and Android)

» Jailbreaking and Rooting

» Security Risks

» Malware

» Suggestions

(5)

Protections: Apple versus Google

» Approval Processes

» Access Control

» Data Protection

(6)

Approval Process

Apps

Apple

Code review, testing, etc.

Installation App Distribution

Apps

Other 3rd Party stores

(7)

Apple’s App Development Process

Registration Certificate

Accountability, Code Integrity Issued by Apple

App development App Developer

(8)

Public Key Encryption and PKI

» Traditional Encryption: Secret Key Encryption

> The same key is used for encryption and decryption

> The key must be secret

> Algorithms: AES, DES

» Public Key Encryption

> Public Key: public, used for encryption

> Private key: secret, used for decryption

> Algorithms: RSA

(9)

Public Key Encryption

Public Key: KeyPub Private Key: KeyPriv

KeyPub

M1

M2

M3

Decryption using KeyPriv

Enc(M2)

Algorithm: RSA, ElGamal

(10)

Digital Signature using Public Key

Public Key: KeyPub

Private Key: KeyPriv

Alice: (M, KeyPriv) → Signature

Using KeyPub on (M, Signature): verify M is written by Alice.

Using KeyPub on (M’, Signature): verify M’ is NOT written by Alice.

Algorithm: RSA, ElGamal, DSA

(11)

Digital Signature using Public Key

Du’s Private Key Digital Signature S

Du’s Public Key Du

Question: How do you know the public key is Du’s?

Everybody can verify whether the code is written by Du or not.

(12)

Digital Certificate and PKI

Public Key

Name: Kevin Du M:

M, VeriSign’s Private Key Example: VeriSign

Digital Signature S

VeriSign’s Public Key

Verification By everybody

Digital Certificate:

Public Key

Name: Kevin Du

Some other information VeriSign’s Signature

Usually preloaded in browsers and OS M
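The chain of trust on slides 10 to 12, as an added example that is not part of the original slides: a preloaded CA key vouches for Du's public key, and that key in turn vouches for the code. It uses textbook RSA without padding on small constructed keys, so it shows the logic only; the impostor "Eve" and the sample app bytes are hypothetical.

```python
import hashlib
E = 65537  # common RSA public exponent

def make_key(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))      # modular inverse, Python 3.8+
    return (n, E), (n, d)                  # (public, private)

def digest(data, n):
    # Toy encoding: SHA-256 reduced into the modulus (real RSA uses padding).
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, priv):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def cert_body(name, pub):
    return f"{name}|{pub[0]}|{pub[1]}".encode()

def issue_cert(name, subject_pub, issuer_priv):
    """The issuer binds a name to a public key by signing both together."""
    return {"name": name, "pub": subject_pub,
            "sig": sign(cert_body(name, subject_pub), issuer_priv)}

def verify_code(code, code_sig, cert, ca_pub):
    """Trust the code only if the CA vouches for the key and the key signed it."""
    if not verify(cert_body(cert["name"], cert["pub"]), cert["sig"], ca_pub):
        return "reject: certificate not signed by the trusted CA"
    if not verify(code, code_sig, cert["pub"]):
        return "reject: code does not match the signature"
    return "accept: signed by " + cert["name"]

# Constructed keys built from Mersenne primes; far too small for real use.
CA_PUB, CA_PRIV = make_key(2**107 - 1, 2**127 - 1)   # preloaded trust anchor
DU_PUB, DU_PRIV = make_key(2**61 - 1, 2**89 - 1)
EVE_PUB, EVE_PRIV = make_key(2**31 - 1, 2**61 - 1)   # hypothetical impostor
APP = b"app binary v1.0"                              # constructed sample
APP_SIG = sign(APP, DU_PRIV)
DU_CERT = issue_cert("Kevin Du", DU_PUB, CA_PRIV)
FAKE_CERT = issue_cert("Kevin Du", EVE_PUB, EVE_PRIV)  # not signed by the CA

if __name__ == "__main__":
    print(verify_code(APP, APP_SIG, DU_CERT, CA_PUB))
    print(verify_code(APP + b"!", APP_SIG, DU_CERT, CA_PUB))
    print(verify_code(APP, sign(APP, EVE_PRIV), FAKE_CERT, CA_PUB))
```

The third case is the answer to the slide's question: a certificate that names "Kevin Du" but was not signed by the CA is rejected before the code signature is even checked.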

(13)

The Whole Process

(14)

Weakness of PKI

» We trust CAs (Certificate Authority)

» CAs can be compromised

> July 10 – July 20, 2011: DigiNotar’s system was hacked

> 500 rogue certificates were issued by hackers

– Google, Skype, Mozilla, Microsoft

> Microsoft removed this CA from its OS

> Google and Mozilla blocked all of DigiNotar’s digital certificates

> DigiNotar filed for bankruptcy in September 2011.

(15)

Apple’s App Development Process

Registration Certificate

Accountability, Code Integrity Issued by Apple

App development App Developer

(16)

Google’s App Development Process

Certificate

Accountability, Code Integrity

Issued by a trusted party

App development

Anonymous Certificate (self-signed)

No Accountability, No Code Integrity

Only for Android Market, Not for 3rd party market App Developer

(17)

Access Control

» We’ve Learned: Downloaded programs are dangerous

> Virus, Worms

> Trojan, Backdoors

» Apps are downloaded programs.

» Need to control their access.

(18)

Unix Security Basics: Users

» Normal Users

> uid: user ID

> Users are separated from each other

» Root Users (Administrator, Superuser)

> uid = 0

> Root has all the privileges

> if (uid == 0) do privileged operations

(19)

Unix File Permission

-rwxr-x--- 2 richard staff 12040 Aug 20 1996 mydata.txt

owner group others

(20)

Access Control

System Resources

Isolations

- Isolations among Apps

- Isolation between App and System

GPS

(21)

Isolation among Apps

Uid = 6001 Uid = 6009 Uid = 7003

• Each App runs as a separate user (normal user)

• Access control is enforced by the underlying Linux File permission: rw-rw----
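A model of the check behind slides 18 to 21, as an added example that is not part of the original slides: the Unix owner/group/others decision applied to app files. The uids and the `rw-rw----` mode come from the slide; the file records, the `rw-rw-r--` counter-example and the rule that each app's gid equals its uid are assumptions.

```python
PERM_OFFSET = {"r": 0, "w": 1, "x": 2}    # position inside each rwx triple

def can_access(uid, gids, owner_uid, group_gid, mode, want):
    """Unix DAC check: may a process do `want` ('r', 'w' or 'x') to a file?

    `mode` is the nine permission characters from `ls -l`, e.g. 'rwxr-x---'.
    """
    if uid == 0:                  # "if (uid == 0) do privileged operations"
        return True               # simplified: root bypasses the mode bits
    if uid == owner_uid:
        triple = mode[0:3]        # owner class, and only that class, applies
    elif group_gid in gids:
        triple = mode[3:6]        # group class
    else:
        triple = mode[6:9]        # everyone else
    return triple[PERM_OFFSET[want]] == want

def visible_to_other_apps(mode):
    """Flag a private app file whose 'others' bits grant any access."""
    return mode[6:9] != "---"

# Constructed scenario with the slide's uids; each app's gid is assumed to
# equal its uid, so no two apps share a group.
PRIVATE = {"owner_uid": 6001, "group_gid": 6001, "mode": "rw-rw----"}
LEAKY = {"owner_uid": 6001, "group_gid": 6001, "mode": "rw-rw-r--"}

def app_can(app_uid, want, f):
    return can_access(app_uid, {app_uid}, f["owner_uid"], f["group_gid"],
                      f["mode"], want)

if __name__ == "__main__":
    for uid in (6001, 6009, 7003, 0):
        print(uid, "read private:", app_can(uid, "r", PRIVATE),
              "read leaky:", app_can(uid, "r", LEAKY))
```

With `rw-rw----` only uid 6001 and root can read the file; a single stray `r` in the last triple is enough for every other app to read it.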

(22)

Break The Isolation among Apps

Uid = 1020 Uid = 6009

Security Check

• Data sharing among apps

• Use the functionalities of other apps

(23)

Isolation Between App and System

System Resources

• Each app runs as a normal user

• Only root can directly access system resources

GPS

OS Kernel Hardware

(24)

Allow Apps to Access System Resources

System Resources GPS

OS Kernel

Hardware

Privileged Deputy (e.g. system services)

Security Check

(25)

Access Control

System Resources

Permissions Controlled

How to cross the isolation boundary?

- Between Apps

- Between App and System

GPS

(26)

Permission-Based Access Control

Execution Installation

User

A B C A B C

Declare Permissions

(Android defines 100+ permissions)

Can only use

GPS, Internet Alert: Ask once

SMS, Email, Call: Ask every time

Many Others: Granted

(27)

Permission Examples in Android

ACCESS_FINE_LOCATION: Access GPS

BLUETOOTH: Connect to Bluetooth device

CALL_PHONE: Directly make phone calls

CAMERA: Use camera

INTERNET: Access to the Internet

READ_CONTACTS: Read user’s contacts data

WRITE_CONTACTS: Write contacts data

READ_CALENDAR: Read user’s calendar data

READ_SMS: Read SMS messages

SEND_SMS: Send SMS messages

(28)

Android’s Permission System

I need: INTERNET Device ID

Accept ! Wireless fraud

This is where the problem is.
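A reviewer's check for the problem on slides 26 to 28, as an added example that is not part of the original slides: list the permissions an app declares and flag the combinations that let data leave the phone or cost money. It assumes the manifest has already been decoded to text XML; the sample manifest, the package name and the two groupings are constructed, and READ_PHONE_STATE stands in for the slide's "Device ID".

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Groupings chosen for this example, using the permission names from slide 27
# plus READ_PHONE_STATE (the permission that exposes the device ID).
SENSITIVE_DATA = {"READ_CONTACTS", "READ_CALENDAR", "READ_SMS",
                  "ACCESS_FINE_LOCATION", "CAMERA", "READ_PHONE_STATE"}
COSTS_MONEY = {"SEND_SMS", "CALL_PHONE"}

def requested_permissions(manifest_xml):
    """Return the short names of every <uses-permission> in the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        perms.add(name.rsplit(".", 1)[-1])    # android.permission.X -> X
    return perms

def review(manifest_xml):
    """Findings a user or reviewer should see before pressing Accept."""
    perms = requested_permissions(manifest_xml)
    findings = []
    readable = sorted(perms & SENSITIVE_DATA)
    if "INTERNET" in perms and readable:
        findings.append("can send off-device: " + ", ".join(readable))
    for perm in sorted(perms & COSTS_MONEY):
        findings.append("can incur charges: " + perm)
    return findings

# Constructed sample: a flashlight app that asks for far more than it needs.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>"""

if __name__ == "__main__":
    for finding in review(SAMPLE_MANIFEST):
        print(finding)
```

Neither INTERNET nor the device ID looks alarming alone; the check reports the pair because together they allow exactly the leak the slide describes.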

(29)

Malware: Malicious Software

» Malware: Malicious Software

> Information Stealer (spyware)

> Money Stealer (e.g. make phone calls)

> Control the phone (e.g. bot)

» How does malware attack?

(30)

Malicious web sites

How Malware Attacks Systems

Privilege Escalation (Jailbreaking/Rooting)

Malicious Apps

Abusing the given privileges

• Stealing personal info.

• Making expensive phone calls

Suggestion: patch your system, read reviews, check developer’s reputation.

Malicious PDF files

(31)

Example: Attacks Through Browser

» The user visits a malicious or infected website

» Code in the page exploits a vulnerability in WebKit, the engine of browsers (CVE-2010-1807)

» The attack then exploits a Skype vulnerability (CVE-2011-1717)

> allows local users to read sensitive files including contacts, conversation transcripts, voicemail, and so on.

(32)

Jailbreaking and Rooting

Apple’s Control

Jailbreak

Unapproved Apps

Google’s Control

Rooting

Apps with More power

More control Custom OS

They are legal, but they bring more security risks.

Custom OS

Suggestion: don’t do it if you don’t have to.

(33)

A Typical Attack on Android

Legitimate Developer

Malicious Developer

Android Market, or 3rd-Party Markets

Cases:

• MYOURNET (21 apps)

• Droid Dream (>58 apps)

Suggestions:

• Read reviews

• Check developers

• Check permissions

• Install virus scan

Victim

(34)

Example: Fake Angry Birds Space

» A fake version is available on various Android app marketplaces, not Google’s market

» Trojan Horse: Andr/KongFu-L

» Uses the GingerBreak exploit to gain root access

» Installs malicious code

(35)

Attack on Web: A Design Flaw

3rd Party App: Not by FB

Malicious App Contents

Damage:

- Delete Friends

- Steal info. in Facebook

- Post messages

Affect most systems

- iOS, Android, Windows Phone

Suggestion:

Use 1st party or trusted 3rd party apps to access Web accounts

WebView

(36)

Data Protection

(37)

Recent Studies (March 2012)

» Americans lost $30B worth of smartphones.

» Only 50% of lost phones are returned.

» Nearly all who found the lost phones tried to access the information on the phone.

» 22% of the respondents lost their phones.

» 70% didn’t use password protection.

(38)

Consequence of Device Loss

Email Facebook

Other Accounts Online

Banking Company

WiFi Amazon

Data

Locking the phone does not help much.

Cloud Services

Remote wipe has limited power.

(39)

Data Encryption

iPhone 3GS

Encryption is useless

iPhone 4

Password, PIN

PIN: easily crackable

4 digit PIN = 14 bits

Strong encryption: 128 bits

Suggestion: don’t lose your phone

(40)

Apple vs. Google

» Tight Control: Apple

> Control on iOS code

> Code checking, accountability √

> Control on the app market √

» Loose Control: Google

> Open source: public scrutiny, contribution by others √

> No code checking, no accountability

> So far, Android has more malware than iOS

(41)

Summary of Suggestions

» Don’t root/jailbreak if not necessary

» Be more careful when downloading Android Apps

» Avoid 3rd-party Android markets

» Paid apps turned free: check the developers

» PIN doesn’t protect your data much

(42)

Questions?
