Security of Mobile Applications
Vitaly Shmatikov
CS 6431
Structure of Android Applications
This is a very brief and incomplete summary
• See Enck et al. “Understanding Android Security”
Applications include multiple components
• Activities: user interface
• Services: background processing
• Content providers: data storage
• Broadcast receivers for messages from other apps
Intent: primary messaging mechanism for interaction between components
Explicit Intents
[Diagram: Yelp sends an intent addressed “To: MapActivity” to the Map App, whose component is named MapActivity.]
Only the specified destination receives this message
Implicit Intents
[Diagram: Yelp sends an implicit intent with Action: VIEW; both the Map App and the Browser App handle Action: VIEW.]
Android Security Model
Based on permission labels assigned to applications and components
Every app runs as a separate user
• Underlying Unix OS provides system-level isolation
Reference monitor in Android middleware mediates inter-component communication
Access permitted if labels assigned to the invoked component are in the collection of the invoking component
Mandatory Access Control
Permission labels are set (via manifest) when app is installed and cannot be changed
Permission labels only restrict access to components, they do not control information flow – means what?
Apps may contain “private” components that should never be accessed by another app (example?)
If a public component doesn’t have explicit permissions listed, it can be accessed by any app
System API Access
System functionality (e.g., camera, networking) is accessed via Android API, not system components
App must declare the corresponding permission label in its manifest + user must approve at the time of app installation
Signature permissions are used to restrict access only to certain developers
• Ex: Only Google apps can directly use telephony API
Refinements
Permission labels on broadcast intents
• Prevents unauthorized apps from receiving these intents – why is this important?
Pending intents
• Instead of directly performing an action via intent, create an object that can be passed to another app, thus enabling it to execute the action
• Invocation involves RPC to the original app
• Introduces delegation into Android’s MAC system
Unique Action Strings
Common developer pattern
[Diagram: the IMDb App, containing Showtime Search and Results UI, handles the actions willUpdateShowtimes and showtimesNoLocationError; an implicit intent with Action: willUpdateShowtimes is shown.]
Eavesdropping
[Felt et al. “Analyzing Inter-Application Communication in Android”. Mobisys 2011]
[Diagram: Showtime Search in the IMDb App (which handles the actions willUpdateShowtimes and showtimesNoLocationError) sends an implicit intent with Action: willUpdateShowtimes; a Malicious Receiver in an Eavesdropping App is also shown.]
Intent Spoofing
[Felt et al.]
[Diagram: a Malicious Component in a Malicious Injection App sends an intent with Action: showtimesNoLocationError; Results UI is in the IMDb App, which handles the actions willUpdateShowtimes and showtimesNoLocationError.]
Also man-in-the-middle
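The label check and the broadcast-permission refinement from the slides above, applied to the IMDb scenario as a small runnable model. This is an added example, not code from the lecture, the cited papers or Android; the `snooper` app, the label `imdb.permission.SHOWTIMES` and all function names are assumptions.

```javascript
// Toy model of the reference monitor in the Android middleware.
// Everything here is constructed for illustration; it is not Android code.
const apps = {
  imdb:    new Set(["imdb.permission.SHOWTIMES"]), // labels the app holds
  snooper: new Set([]),                             // third-party app, no labels
};

// A component belongs to an app, may be exported, and may require one label.
function component(app, name, actions, { exported = true, permission = null } = {}) {
  return { app, name, actions, exported, permission };
}

// Slide rule: access is permitted if the label assigned to the invoked
// component is in the collection held by the invoking app.
function mayInvoke(callerApp, target) {
  if (callerApp === target.app) return true;   // same app: always allowed
  if (!target.exported) return false;          // "private" component
  if (target.permission === null) return true; // public, no label: any app
  return apps[callerApp].has(target.permission);
}

// Implicit broadcast: delivered to every receiver that handles the action,
// that the sender may invoke, and whose app holds `receiverPermission`
// (the permission label the sender put on the broadcast, or null).
function broadcast(senderApp, action, receivers, receiverPermission = null) {
  return receivers
    .filter(r => r.actions.includes(action))
    .filter(r => mayInvoke(senderApp, r))
    .filter(r => receiverPermission === null || apps[r.app].has(receiverPermission))
    .map(r => `${r.app}.${r.name}`);
}

const ACTIONS = ["willUpdateShowtimes", "showtimesNoLocationError"];
const LABEL = "imdb.permission.SHOWTIMES";
const listener = component("snooper", "Listener", ["willUpdateShowtimes"]);
const openUI = component("imdb", "ResultsUI", ACTIONS);
const guardedUI = component("imdb", "ResultsUI", ACTIONS, { permission: LABEL });
const privateUI = component("imdb", "ResultsUI", ACTIONS, { exported: false });

// Eavesdropping: an unprotected implicit broadcast reaches the third party...
console.log(broadcast("imdb", "willUpdateShowtimes", [openUI, listener]));
// ...a permission label on the broadcast keeps it inside apps holding the label.
console.log(broadcast("imdb", "willUpdateShowtimes", [openUI, listener], LABEL));
// Spoofing: a public, unlabeled receiver accepts the third party's intent;
// a label on the component, or making it private, rejects it.
console.log(broadcast("snooper", "showtimesNoLocationError", [openUI]));
console.log(broadcast("snooper", "showtimesNoLocationError", [guardedUI]));
console.log(broadcast("snooper", "showtimesNoLocationError", [privateUI]));
```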
System Broadcast
[Felt et al.]
[Diagram: a System Notifier broadcasts Action: BootCompleted; components in App 1 and App 2 handle Action: BootCompleted; a component in App 3 is also shown.]
Event notifications broadcast by the system (can’t be spoofed)
Broadcast receivers make components publicly accessible
Exploiting Broadcast Receivers
[Felt et al.]
[Diagram: a Malicious Component in a Malicious App sends an intent addressed “To: App1.Component” to the Component in App 1 that handles Action: BootCompleted.]
Real World Example: ICE
[Felt et al.]
Allows doctors access to medical information on phones
Contains a component that listens for the BootCompleted system broadcast
On receipt of this intent, exits the app and locks the screen
Permissions: Not Just Android
All mobile OSes, HTML5 apps, browser extensions…
Permission Re-Delegation
An application with a permission performs a privileged task on behalf of an application without permission
[Felt et al. “Permission Re-Delegation: Attacks and Defenses”. USENIX Security 2011]
[Diagram, two panels. First panel: Malware and the Settings app, with a turnOnWifi() call to the API passing through the Permission System. Second panel: Malware sends pressButton(0) to the Settings app’s public service for receiving UI messages; Settings treats it as “User pressed button” and calls turnOnWifi() on the API through the Permission System.]
Examples of Re-Delegation
Permission re-delegation is an example of a “confused deputy” problem
The “deputy” app may accidentally expose privileged functionality…
… or intentionally expose it, but the attacker invokes it in a surprising context
• Example: broadcast receivers in Android
… or intentionally expose it and attempt to reduce the invoker’s authority, but do it incorrectly
• Remember postMessage origin checks?
[Felt et al.]
Mobile Apps in Web Languages
Hybrid App Development
WebView
Embedded browser in smartphone apps
Basic same origin policy inside the browser + holes in the browser sandbox allowing Web code to invoke native functionality
• Camera, contacts, file system, etc.
Multiple “bridges” between Web and local code
• JavaScript interfaces to local objects
• Interception of browser events (e.g., special URLs)
• Other custom and ad-hoc schemes
[Luo et al. “Attacks on WebView in the Android System”. ACSAC 2011]
Invoking Java from JavaScript
[Luo et al.]
Invoking JavaScript from Java
[Luo et al.]
The Hybrid Security Model
Attacks from Malicious App
[Luo et al.]
• JavaScript injection
• Event sniffing and hijacking
Attack from Malicious Web Content
[Luo et al.]
Frame Confusion
[Luo et al.]
What is the origin of this JavaScript object?
It Gets Worse
[Luo et al.]
[Figure label: Android Java code]
Java Reflection API… accessible from Web side
Simple Fixes Don’t Work
[Figure annotation: Showing this content is OK, only native access should be blocked]
Most hybrid frameworks don’t even attempt to verify whether an access request comes from an authorized Web origin
PhoneGap attempts to filter based on developer-provided whitelist
• Mediation either incomplete (does not catch iframe loads) or too strict (prohibits even loading of content from other origins, breaks look-and-feel)
• Incorrect origin checks
– Broken regexes bite again – anchoring bugs, etc.
[Georgiev et al. “Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks”. NDSS 2014]
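The anchoring bug and the mediation point from this slide, as a runnable comparison of an unanchored regex check with an exact origin comparison applied to the calling frame. This is an added example, not PhoneGap's code and not the NoFrak defense; the allowlist entry, the sample URLs and the function names are assumptions.

```javascript
// Constructed allowlist; app.example.com is a placeholder origin.
const ALLOWED_ORIGINS = ["https://app.example.com"];

// Broken check: the pattern is not anchored and its dots are not escaped,
// so it matches the allowed origin anywhere inside the URL string.
function isAllowedBroken(url) {
  return /https:\/\/app.example.com/.test(url);
}

// Stricter check: parse the URL first, then compare the whole origin
// (scheme + host + port) for exact equality with an allowlist entry.
function isAllowedStrict(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparsable input is never authorized
  }
  return ALLOWED_ORIGINS.includes(parsed.origin);
}

// Mediation at the bridge: content from any origin may be displayed, but a
// native call is authorized by the origin of the frame that issued it, so
// a foreign iframe inside an allowed page gets no native access.
function bridgeCallAllowed(call, check = isAllowedStrict) {
  return check(call.callerFrameUrl);
}

// Constructed URLs (reserved example/test domains).
const SAMPLES = [
  "https://app.example.com/index.html",          // the app's own page
  "https://app.example.com.ads.test/banner",     // allowed name used as a prefix
  "https://ads.test/?u=https://app.example.com", // allowed origin in the query
  "https://appXexample.com/",                    // '.' matched any character
  "http://app.example.com/",                     // wrong scheme
];

for (const url of SAMPLES) {
  console.log(url, isAllowedBroken(url), isAllowedStrict(url));
}
```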
State of the Union
Convergence of Web and mobile programming
Complex, poorly understood software stacks with badly fitting security policies
New classes of vulnerabilities
• Worst case: Web advertiser gets to inject arbitrary code into mobile apps running on your phone!%#$!
Evolving defenses
• Our capability-based NoFrak defense is being integrated into PhoneGap, but that’s just the first step…