This document summarizes a presentation on Android security given by Jon Oberheide. The presentation covers an overview of the Android architecture and security model, vulnerabilities in the Android Market app distribution process and Google's use of GTalkService for app installation, a tool called RootStrap that allows remote execution of native ARM code payloads on Android devices, and potential ways this could enable large-scale rooting of Android devices through a popular trojan app. The presentation concludes with questions and a call for further Android security research.
1. Android Hax
Jon Oberheide
jon@oberheide.org
Jon Oberheide - Android Hax - SummerCon 2010 Slide # 1
2. Agenda
Android Security Overview
Market and the Mystical GTalkService
The RootStrap PDP
Wrap-Up / Q&A
3. Android Overview
Base platform
ARM core
Linux 2.6.3x kernel
Native Libraries
libc, WebKit, etc
Dalvik VM
Register-based VM
Runs dex bytecode
Applications
Developed in Java
Runs on Dalvik VM
Linux process 1-1
7. App Sandboxing
Sandboxed by standard UNIX uid/gid
generated unique per app at install
High-level permissions restricted by
Android runtime framework
8. App Distribution
Application signing
No CAs
Self-signed by developers
Android Market
$25 signup, anyone can publish
Anonymous sign-up possible
9. App Piracy
Trivial copy protection provided by market
Copy protection off: apps stored in /data/app/, accessible to users
Copy protection on: apps stored in /data/app-private/, only accessible if rooted phone
10. Agenda
Android Security Overview
Market and the Mystical GTalkService
The RootStrap PDP
Wrap-Up / Q&A
12. ACTUAL Market Flow
Google is a sneaky panda!
You don't actually download / install the app
through the market application
When you click install in market app
Google servers push an out-of-band message
down to you via persistent data connection
Triggers INSTALL_ASSET intent to start install
Intent handler fetches APK and installs
13. Dex Bytecode RE
14. GTalkService Connection
Persistent data connection
Speaks XMPP
Same connection now used for
C2DM push service
It's SSL, but...
If you MITM or C2DM spoof
Remote intent / app install
If you pop GTalkService servers
Push down code to all Android phones in the world?
19. Disclaimer
Useful though if you want to fetch a
large number of apps and do some
fuzzing, analysis, whatever
I've got a repo of ~10k apps
20. Agenda
Android Security Overview
Market and the Mystical GTalkService
The RootStrap PDP
Wrap-Up / Q&A
21. Android Native Code
Dalvik VM != sandbox
Not limited to executing dex bytecode
Can pop out of the VM to execute native code
Linux kernel = swiss cheese
Wonderful attack surface
Any 3rd party app can root your phone by exploiting a
kernel vulnerability via native code
Native code packaged within APKs
But why limit execution of native code to build-time
packaged modules?
22. RootStrap
Enter, RootStrap
Silent runtime fetching and execution of remote
ARM payloads
Not really a bot... more of a general purpose
distributed computing platform ;-)
Currently available
in Android market
23. RootStrap Example
24. Native ARM Code Delivery
Fetch index file
Lists available exploits and module names
http://jon.oberheide.org/rootstrap/index
Yank down ARM modules
Dumped to Android app private storage
e.g. /data/data/org.rootstrap/files, not ./libs
Load via JNI and execute each payload
System.load(.../files/root1.so);
result = root1();
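The delivery pattern on this slide (fetch an index over HTTP, drop .so modules into the app's private files directory, load each with System.load(path) rather than shipping it under lib/ and using System.loadLibrary(name)) leaves a static fingerprint that a defender can triage for. The Python script below is an added example written for this page; it is not code from the talk or from RootStrap. It greps dex string data for the "Ljava/lang/System;" class descriptor together with the method-name strings "load" and "loadLibrary", collects embedded URLs, and treats System.load plus a URL as a runtime native-loader indicator. The two APKs it scans are constructed in-memory stand-ins built by build_sample_apk, and the byte patterns are a heuristic over dex string_data_item encoding (uleb128 length, MUTF-8 text, NUL), not a full dex parser.

```python
"""Static triage heuristic for APKs that load native code at runtime.

Added example, not from the talk. Flags apps that reference System.load
(path-based loading) together with embedded URLs, the shape of a
fetch-then-load native payload loader.
"""
import io
import re
import zipfile

# dex string_data_item: uleb128 utf16 length, MUTF-8 bytes, NUL terminator.
# For short ASCII strings the uleb128 length is a single byte, so the
# method names below appear in the string table as length-prefixed, NUL-terminated runs.
DEX_SYSTEM_CLASS = b"Ljava/lang/System;"
DEX_LOAD = b"\x04load\x00"                 # System.load(String absolutePath)
DEX_LOADLIBRARY = b"\x0bloadLibrary\x00"   # System.loadLibrary(String libName)
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")   # stops at the NUL terminator


def scan_apk(apk_bytes):
    """Return a findings dict for one APK (a zip container) given as bytes."""
    findings = {
        "bundled_libs": [],          # .so files shipped under lib/ (the normal NDK path)
        "system_load": False,        # references System.load(path)
        "system_loadlibrary": False, # references System.loadLibrary(name)
        "urls": [],                  # URL literals found in dex string data
        "runtime_native_loader": False,
    }
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        findings["bundled_libs"] = sorted(
            n for n in names if n.startswith("lib/") and n.endswith(".so"))
        dex_names = [n for n in names if re.fullmatch(r"classes\d*\.dex", n)]
        dex = b"".join(zf.read(n) for n in dex_names)
    refs_system = DEX_SYSTEM_CLASS in dex
    findings["system_load"] = refs_system and DEX_LOAD in dex
    findings["system_loadlibrary"] = refs_system and DEX_LOADLIBRARY in dex
    findings["urls"] = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(dex)})
    # Heuristic: path-based native loading plus a network endpoint to fetch from.
    findings["runtime_native_loader"] = bool(findings["system_load"] and findings["urls"])
    return findings


def build_sample_apk(dex_strings, lib_names=()):
    """Construct a minimal zip that mimics an APK (constructed test data, not a real app).

    The fake classes.dex is just a magic header followed by length-prefixed,
    NUL-terminated strings, enough to exercise the string-table heuristic.
    """
    dex = b"dex\n035\x00" + b"".join(bytes([len(s)]) + s + b"\x00" for s in dex_strings)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("classes.dex", dex)
        for lib in lib_names:
            zf.writestr(lib, b"\x7fELF constructed stub")
    return buf.getvalue()


# Constructed samples: an ordinary NDK app and a fetch-then-load style app.
BENIGN_APK = build_sample_apk(
    [b"Ljava/lang/System;", b"loadLibrary", b"hello"],
    lib_names=["lib/armeabi/libhello.so"])
SUSPICIOUS_APK = build_sample_apk(
    [b"Ljava/lang/System;", b"load", b"http://example.invalid/rootstrap/index", b"/files/"])


if __name__ == "__main__":
    for label, apk in (("benign", BENIGN_APK), ("suspicious", SUSPICIOUS_APK)):
        print(label, scan_apk(apk))
```

The heuristic is intentionally one-sided: an app can reference System.load for legitimate reasons, so a hit is a triage signal to follow with dex disassembly, not a verdict. Real dex files store the method name and the class descriptor as separate string_ids, which is why both patterns are required before system_load is set.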
25. How to Build a Mobile Botnet
Build some fun legit-looking games / apps
Include RootStrap functionality
Periodically phone home to check for new payloads
As soon as new kernel vuln discovered, push
out exploit payload
Before providers push out OTA patch
Trivial to win that race, slow OTA updates
Rootkit a bunch of phones!
26. A Wolf in Vampire's Clothing?
RootStrap app is boring and not sneaky
No one would intentionally download it
Need something legit looking to get a
significant install base
How about a RootStrap-enabled app
claiming to be a preview for the upcoming
Twilight Eclipse movie?!?
28. Andy and Jaime Don't Like It :-(
Still, 200+ downloads
in under 24 hours
With a legit-looking
app/game, you could
collect quite an install
base for RootStrap
29. RootStrap Payloads
sock_sendpage NULL deref
Old, but still works on some phones
fork/execve from JNI is a bit wacky
Supervisor App vulns?
su without approval
jailbroken phone is less safe
Meterpretux?
30. Agenda
Android Security Overview
Market and the Mystical GTalkService
The RootStrap PDP
Wrap-Up / Q&A
31. Wrap-Up
Native code support sucks.
Not so easy to take away
Build-time signing / loader verification?
Android homework
Poke at the GTalkService code paths
Write some RootStrap payloads
Port to other platforms?
Fuzz the new Android Acrobat app!
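One concrete shape for the "build-time signing / loader verification" idea raised above: before the runtime hands a file to the native loader, require that it live in the app's read-only install lib directory (not the writable files/ directory RootStrap writes to) and that its SHA-256 appear in an allowlist fixed when the APK was built. The Python below is an added illustration of that policy, not code from the talk, from Android, or from any loader; the lib_dir path, the stub library bytes and the allowlist are all constructed for the example.

```python
"""Allowlisted native-library load policy (added example, not from the talk)."""
import hashlib
import posixpath


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed at "build time": the only .so the app is allowed to load.
# The bytes are a stand-in, not a real ELF object.
STUB_LIBS = {"libhello.so": b"\x7fELF constructed stub: hello"}
ALLOWED_HASHES = frozenset(sha256_hex(b) for b in STUB_LIBS.values())

# Constructed install location; on a real device this is owned by system and
# not writable by the app's own uid, unlike /data/data/<pkg>/files.
APP_LIB_DIR = "/data/app/org.example-1/lib/arm"


class LoadPolicyError(Exception):
    pass


def check_native_library(path, data, lib_dir=APP_LIB_DIR, allowed=ALLOWED_HASHES):
    """Return True when `data` (the contents of `path`) may be loaded; raise otherwise.

    Check 1: the normalized path must sit inside the install lib directory, so
             '..' tricks and app-private storage are both rejected.
    Check 2: the content hash must be in the build-time allowlist, so a module
             fetched or rewritten after install is rejected even if it lands
             in the right directory.
    """
    norm = posixpath.normpath(path)
    root = posixpath.normpath(lib_dir) + "/"
    if not norm.startswith(root):
        raise LoadPolicyError(f"refusing native code outside {lib_dir}: {path}")
    digest = sha256_hex(data)
    if digest not in allowed:
        raise LoadPolicyError(f"hash {digest[:16]}... not in build-time allowlist: {path}")
    return True


def try_load(path, data):
    """Policy decision as a bool, for callers that just need allow/deny."""
    try:
        return check_native_library(path, data)
    except LoadPolicyError:
        return False


if __name__ == "__main__":
    good = APP_LIB_DIR + "/libhello.so"
    print("bundled lib:", try_load(good, STUB_LIBS["libhello.so"]))
    print("files/ dir:", try_load("/data/data/org.rootstrap/files/root1.so", STUB_LIBS["libhello.so"]))
    print("tampered:", try_load(good, b"tampered"))
```

The hash allowlist is the part that does the work: directory checks alone fail if the lib directory is ever writable, and a hash list alone fails if the loader trusts whatever path the app passes. Signing the allowlist at build time, as the slide suggests, is what lets the platform rather than the app enforce it.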
32. Q&A
QUESTIONS?
Jon Oberheide
@jonoberheide
jon@oberheide.org
http://jon.oberheide.org