Lecture 2 PLATFORM SECURITY IN ANDROID OS

PLATFORM SECURITY IN

ANDROID OS

You will be learning:



_{Android as a software platform}



_{Internals and surrounding ecosystem}



_{Security techniques in Android:}



_{Application signing}



_{Application isolation}



_{Permission-based access control}

Mobile Software platform security

System Updater _Policy Database

Platform Security Architecture

Application Boot Integrity Device Identification Application Database Developer Centralized Marketplace Operator Auxiliary Marketplace Operator Isolated Execution Device Authentication Platform Provider Application Loader Device Management Third-party library Third-party service H W Se cu rit y A PI Secure Storage Boot Verifier Secure Storage Provider Platform Security Component Third-Party Software Component Role

Legacy DAC Execution Protection Hardware-Security Functionality Legend Software Isolation System service System library IPC

Mobile software platforms



_{Which mobile platforms}

Smartphone

platforms

Android

iOS

Windows Phone

Other

81,2%

15,8%

2,2%

0,8%

Android in a nutshell

 _{Linux-based (ARM, x86, x86_64, MIPS)}  _{Widely used for phones and tablets}

 Wearables, smart TVs, cameras, (handheld) gaming consoles, etc.

 _{Open-source software stack +}

Security goals



_{Protect user data}



_{Protect system resources}



_{Provide application isolation}

On terminology



_{Linux = the kernel}



_{”Desktop Linux” ≈ GNU / Linux}



_{Linux DAC = (Unix) file permissions}



_{Linux MAC = SELinux}

Android Software Stack

Middlewa

re

Drivers Binder SELinux

Dalvik ART System Services & Managers Media Services Manager IPC Proxies System Applications Third-party Applications Content Providers HAL Modules Java Core Library Power Management

Android Software Stack

R

eference

monitors

Drivers Binder SELinux

Dalvik ART System Services & Managers Media Services Manager IPC Proxies System Applications Third-party Applications Content Providers HAL Modules Java Core Library Power Management

Android Software Stack

Drivers Binder SELinux

Dalvik ART System Services & Managers Media Services Manager IPC Proxies System Applications Third-party Applications Content Providers HAL Modules Java Core Library Power Management Hardware Trusted OS Kernel Trusted OS Services Trusted Applications

Google. Android for Work Security white paper. 2015

Android OS Trusted Execution Environment

12

Application components

Activity • Visible UI

Service • Background job

Content

Provider • Database

Enck, Ongtang, McDaniel. Enck, Ongtang, McDaniel: Understanding Android Security. 2009

Signature

Manifest Intent

Broadcast Receiver

Software distribution

 _{Apps from multiple sources}

 _{Google Play}  Auxiliary marketplaces  _Sideloading  Pre-installed software  Marketplace services  _Discovery

 Purchase & Installation

 User-submitted ratings / flagging

 Malware scans (Google Bouncer)

 Remote application installation & removal

App Installer

Developer

Application signing



_{Goal: same-origin policy for apps}

Developer signs with private key

Signature verified

with developer’s public key

Application signing (cont.)

 _{For application packages (APKs)}

 _{Self-signed X.509 certificates (no PKI!)}

 Individual signature for each file part of APK

 Package update requires same certificate

 _{For over-the-air updates (OTAs)}

 _{Signature over entire file stored in ZIP comment}  Verified by OS and Recovery Mode

 _{System images must be signed (since 6.0)}

Android application packages

Package Installation

 Code and resources (common)

 /data/app/com.example.app/

 lib/<arch>/libapp.so

 oat/<arch>/base.odex

 base.apk

 _{Data (per user)}

 /data/user/0/com.example.app/  files/  databases/  shared_prefs/  _{/data/user/1/com.example.app/}  ... Com.example.ap p .apk META_INF MANIFEST.MF CERT.RSA CERT.SF AndroidManifest.XML classes.dex lib res assets native code <arch>/libapp.so non-compiled resources application assets

Package management components

Elenkov. Android’s Security Architecture. 2015.

├packages.xml ├packages.list ├app/ ├data/ ├media/ └user/ /data ├ framework/ ├ app/ ├ priv-app/ └ vendor-app/ /system

Application isolation



_{Goal: Applications cannot}

Application isolation

Implementation on Android:



_Kernel:

_{Process & memory protection}



_{Kernel: Linux}

_DAC



_{Kernel: Linux}

_MAC

₍

_SELinux

₎



_Middleware:

_mediation

_of

_{Binder IPC}



_{Applications run in separate Dalvik / ART}

Application Sandbox

 _{Each application assigned a Unix UID}

 _{One UID per user per application (since 5.0)}  UID owns

 Filesystem resources in /data/user/<nr>/

 Processes

 Permissions (!)

 _{Applications from same developer}

(= signed with same developer key) may share UID sandbox

Application isolation

System Third-party applications

Services

Applications

Rooting

 _{Rooting applications exploit vulnerabilities in}

privileged system daemons to obtain shell

 _{Note: bootloader unlocking intentionally}

supported by many OEMs

SE for Android



_{Goal: System services and}

applications should not be able

to deviate from their intended

SE for Android (cont.)



_{Implementation on Android:}



_{Kernel-level MAC (SELinux) –}

Policies based on SELinux context



_{Middleware MAC (MMAC) –}

Policies based on package identity

Smalley, Craig. Smalley, Craig: Security Enhanced (SE) Android. 2013 Android Open Source Project. Security-Enhanced Linux in Android. 2015

SE for Android (cont.)

 _{Enforces MAC even for processes running}

with root/superuser privileges (since 4.4)

 _{Blocks many root exploits and}

misconfigurations

 _{Cannot protect against kernel exploits}

Smalley, Craig. Smalley, Craig: Security Enhanced (SE) Android.2013 Android Open Source Project. Security-Enhanced Linux in Android. 2015

SE for Android



_{Domain -}

_{Label for process(es)}



_Type

_{- Label for object(s)}



_Class

_{- Kind of object being accessed}

 _{(e.g. file, socket)}



_Permission

_{- Operation being performed}

Application isolation (cont)

System Third-party applications

Services

Applications

• Linux DAC domain (UID)

Protected APIs



_{Goal: Protect system resources}

Protected APIs

System Third-party applications

Services

Applications

• Linux DAC domain (UID)

Protected APIs (cont)



_{Implementation in Android:}



_{Protected APIs for ”risky” actions}



_{Permission-based (mandatory)}

Protected APIs(cont)

 _{What kinds of system calls on a smartphone}

Examples of Protected APIs



_{Changing device wallpaper, ringtone}



_{Making phone calls, sending SMS’s}



_{Using camera, microphone, GPS}



_{Internet, wireless, Bluetooth access}



_{Reading/writing contacts, SMS log}



_{Rebooting device}



_{Factory reset}

See also:http://developer.android.com/reference/android/Manifest.permission.html

”Risky

Sensitive user data



_{Subject to permissions checks:}



_{Personal information (e.g. contacts)}



_{Sensitive input devices (e.g.camera)}



Access control & permissions



_{Goal: Controls application}

access to protected APIs

(and each other)

 _{User agency vs. protecting system resources}  _{Usability of security features}

Android permissions



_{4 categories}



_Normal



_Dangerous



_System



_{Signature or System}

Examples of Protected APIs



_{Changing device wallpaper, ringtone}

_{Making phone calls, sending SMS’s}

_{Using camera, microphone, GPS}



_{Internet, wireless, Bluetooth access}

_{Reading/writing contacts, SMS log}

_{Rebooting device}

_{Factory reset}

Permission assignment

 _{Application declare all permissions in}

AndroidManifest.xml

 _{Permissions assigned to application UID}  _{Some permissions not user-grantable}

 Only available to pre-installed applications

My Messenger

INTERNET; READ CONTACTS

Permission assignment

 _{Normal permission granted automatically}

 _{Signature permissions granted if app}

signature matches the declarer of the signature

User approval (up to 5.1)

 _{Dangerous permissions}

require user approval at install time

 _{If not granted, application}

not installed at all!

 _{Granted for all users}

 Stored in

/data/system/packages.xml

User approval (since 6.0)

 _{Dangerous permissions}

require user approval at runtime

 _{If not granted, application}

continues to run with limited capabilities

 _{Permission managed per}

application, per user

 Stored in

/data/system/users/<id>/ runtime-permissions.xml

Permission revocation

 _{May be revoked later}

Alternatives to obtaining

permissions

 _{Delegate task to other application using}

Intent, e.g. invoke Camera app using

ACTION_IMAGE_CAPTURE Intent

 _{Caller does not need CAMERA permission}

 Caller cannot control the user experience, but does not have to provide UI for task

 If no default app available, user is prompted to designate the handler

Intents

 _{Messaging object used for Inter-Component}

Communication (ICC)

 _{Recall: activities, services, content providers,}

broadcast receivers

 _Addressing

 Explicit – fully qualified component name

 _{Implicit – Intent filter declared in manifest}

 Provides a mechanism for late binding

 _{Pending Intents}

Binder

 _{IPC system for object-orientated operating}

system services (comp. CORBA/COM)

 _{Most underlying IPC based on Binder}

 Intents & content providers abstractions on top of Binder

 Cf. local UNIX-domain sockets, signals, filesystem

 _{Bionic libc doesn’t support System V IPC}

 _{Does not provide mediation by itself}

Binder Service Discovery

Linux Kernel

Binder Driver (/dev/binder)

ServiceManager (servicemanager) System Server (system_server) Application(s) binder_ becom e_co nt ext_man ager( ) ioctl(BINDER_SET_CONTEXT_MGR) Services List (*svclist) do_add_ servi ce() do_find _serv ice( ) Other System Services & Managers Activity Manager Package Manager Framework library 1 2 3 Application Components e.g. Activity, Service

etc.

Starting an Activity

e.g. Activity, Service etc. Package Manager

Application Framework

Activity Manager

ICC Reference Monitor

RPC Stub Ma nifes t startActivity(intent) checkCallingPermission(…) PERMISSION_GRANTED Other System Services & Managers Activity onCreate(…) 1 ₃ 4 2 transact(…)

Starting an Activity

e.g. Activity, Service etc. Package Manager

Application Framework

Activity Manager

ICC Reference Monitor

RPC Stub Ma nifes t startActivity(intent) checkCallingPermission(…) PERMISSION_DENIED Other System Services & Managers 1 ₃ 4 2 transact(…) SecurityException

49

Authentication

 _Keyguard

 _Pattern

 PIN / Password

 _{Gatekeeper HAL (since 6.0)}

 _{Allows Keyguard to make use of native security}

features

 _{TrustAgentAPI (since 5.0)}

 _{Enables services that notify the system about}

whether they believe the environment of the device to be trusted

Android Open Source Project. Gatekeeper. Elenkov. Password storage in Android M. 2015. Elenkov. Dissecting Lollipop’s SmartLock. 2014.

Authentication (cont.)

 _{Smart Lock Trust Agent (since 5.0)}

 _{Trusted Bluetooth device}  Trusted NFC

 Trusted place ( via geofencing )

 Facial recognition

 _{On-body detection}

 _{Fingerprint HAL (since 6.0)}

 Access to vendor-specific fingerprint hardware

Elenkov. Dissecting Lollipop’s SmartLock. 2014.

Nexus Help: Set up your device for automatic unlock.

Hardware-based security

features



_Goals:



_{Platform integrity}

Hardware-based security

features



_{Implementation on Android:}



_{Verified boot}



_{Full-disk encryption}



_{Keychain / Keystore}

Keychain

 _{System credential store for private keys and}

certificate chains (since 4.0)

 _{KeyChain API is used for Wi-Fi and Virtual}

Private Network (VPN) certificates

 _{Hardware-backed keystore binds keys to}

device to make them non-exportable

 _{KeyInfo.isInsideSecureHardware() (since 6.0)}

indicates if key is stored in hardware keystore

54

Keystore

 _Keystore

 For application-bound keys

 Access via Java CE API

 _KeymasterHAL

 _{Access to hardware-backed keystore}  _{Assymmetric key generation,}

signing and verification (since 4.1)

 _{Binder IKeyStoreInterface (since 4.3)}

 _{Symmetric key support, access control, public key}

import and private / symmetric key import (since 6.0)

Android Open Source Project. Keymaster. Elenkov. Keystore redesign in Android M.2015.

Keystore (cont.)

Elenkov. Keystore redesign in Android M.2015.

Elenkov. Credential storage enhancements in Android 4.3. 2013.

Propri etory (de vi ce spec ific) Android OS Hardware libQSEEComAPI.so Keymaster HAL libkeymaster.so IKeyStoreService AndroidKeyStoreProvider

Java Cryptography Extensions (JCE)

Application Application

Qualcomm Secure Execution Environment (QSEE) KeyStore Trusted App

ARM TrustZone

Trusted Execution Environment (TEE)

QSEE Communication API

Full Disk Encryption

 _{Block-device encryption based on dm-crypt}  _{Encrypted on first boot (since 5.0)}

 _{AES 128 CBC and ESSIV:SHA256}

 _{DEK encrypted with AES 128}

 _{KEK derived from user PIN / password / pattern}

+ hardware-bound key stored in TEE (since 5.0)

 _{Crypto acceleration through hardware AES}

(e.g. dm-req-crypt)

Android Open Source Project. Full Disk Encryption.

Verified Boot

 _{Based on dm-verity kernel feature}

 _{Calculates SHA256 hash over every 4K block}

of the system partition block device

 Hash values stored in hash tree

 _{Tree collapsed into a single root hash}

 _{Signature of the root hash verified with public}

key included on the boot partition

 Must be verified externally by the OEM

Verified Boot Hash Tree

Mobile Software platform security

System Updater _Policy Database

Platform Security Architecture

Application Boot Integrity Device Identification Application Database Developer Centralized Marketplace Operator Auxiliary Marketplace Operator Isolated Execution Device Authentication Platform Provider Application Loader Device Management Third-party library Third-party service H W Se cu rit y A PI Secure Storage Boot Verifier Secure Storage Provider Platform Security Component Third-Party Software Component Role

Legacy DAC Execution Protection Hardware-Security Functionality Legend Software Isolation System service System library IPC

Did you learn:



_{Android as a software platform}



_{Internals and surrounding ecosystem}



_{Security techniques in Android:}



_{Application signing}



_{Application isolation}



_{Permission-based access control}



_{Hardware-based security features}

Plan for the course



_{Lecture 1: Platform security basics}



_{Lecture 2: Case study – Android}



_{Lecture 3: Mobile software platform}

security in general



_{Lecture 4: Hardware security enablers}



_{Lecture 5: Usability of platform security}



_{Invited lecture: SE Android policies}