history of android security – from linux to jelly bean

Android Security 의 과거와 미래 - From Linux to Jelly Bean작성자 | 최 정 필

소속 | SK 플래닛

About Me

2000 AT&T Wireless: OODB/CORBA

2001Cellvic(JTEL): CellvicOS/JVM

2003 Samsung: JVM for DTV/SimpleJIT

2007 Aromasoft: JVM for Mobile/JIT Optimization/Dalvik

2011 GE korea: Smart appliance/Linux

2012 SK 플래닛 : Android/T-Store ARM/Security

jungpil.@sk.com 또는 lifeisliving@naver.com

1. Why? Linux/Java

2. Which Direction?

3. What to do?

CONTENTS

0. Quiz

개인정보가 인터넷으로 빠져나간다

앱이 허락받지 않은 인터넷을 사용한다

앱이 허락받지 않은 동작 (?) 을 한다

앱이 스스로 루팅을 한다

앱이 코드를 스스로 변경한다

앱이 Dalvik VM 의 정보를 변경한다

안드로이드앱이 Dalvik VM 이 아닌 다른 VM 을 실행시킨다

1. Why? Linux/Java

5 억대 판매된 , 하루에 130만대씩 개통되는 단말 ?A Java platform?

역사상 자바가 표준 개발언어인 첫번째 디바이스 ? RIM? NDK?

A forked Linux?Why linux?

Andy Rubin: was a Apple Employee대안이 없어서 ?

역사상 가장 많이 팔린 linux device?

What is Android?

Linux: Open Source

‘mkdir android ; cd android ; repo init -u git://android.git.k-

ernel.org/platform/manifest.git ; repo sync ; make’

Java: easy to learn, many developers

but an easy language for reverse-enigneeringdex2jar, APKTool, JD-GUI, APKInspector, Smali, Dedexer,,,

환상의 커플 !!!

Linux + Java

Just a linux application

following Google guides

What is an Android App?

Linux Process

Dalvik VM

Bionic

JNI

Is that all???

Missing something…

PackageManager, ActivityManager,,,

Google Guides?

Java?

No more on Android!!!

Dalvik VM is not a security boundary!!!

But Linux Process

Sandbox

Linux UID/Group ID:

a unique id based on its signature assigned when it starts

Linux DAC: all or nothing

old style

root can do everything

RWX

Linux Process

Permission

Need to be described on

AndroidMeanifest.xml

Binder

Kernel Enforcement

group ID

Patch

Internet

With Some Salt

<permission name="android.permission.INTERNET" ><group gid="inet" /></permission>

You can do everything in your processYou can use Reflection/JNI

To call hidden/private methodsTo get/set private fields

• But High return, High risk!!!ex) Unity3D: Using Mono VM

네멋대로 해라

2. Which Direction?

Version Release dateAPI

 level

Distribution (September

4, 2012)

4.1.x Jelly Bean July 9, 2012 16 1.2%

4.0.x Ice Cream Sandwich October 19, 2011 14-15 20.9%

3.x.x Honeycomb February 22, 2011 11-13 2.1%

2.3.x Gingerbread December 6, 2010 9-10 57.5%

2.2 Froyo May 20, 2010 8 14%

2.0, 2.1 Eclair October 26, 2009 7 3.7%

1.6 Donut September 15, 2009 4 0.4%

1.5 Cupcake April 30, 2009 3 0.2%

History of Android

NX bit(No eXecute):

to prevent code execution on heap and stack(2.3+)

Prelink: Used to speed up boot process

removed to prevent return-to-libc attacks(4.0+)

Address Space Layout Randomization(4.0+)

randomize key locations in memory

PIE (Position Independent Executable)

supports (4.1+)

Memory Protection

FileSystem Encryption

3.0+ provides full filesystem encryption. 128bit

AES key derived from user password

Credential Storage

1.6+ restricted for only system

4.0+ provides public API

Filesystem Encryption/Credential Stor-age

1st. Protected APK

/data/app: apk without code

/data/app-private: protected by filesystem

2nd. License Verification Library(LVL)

Google: 2010/7

Amazon: DRM, T-Store:ARM

3rd. Encrypted APK

Jelly Bean

Temporary Closed… but

Copy Protection(Forward Lock)

OMP & ARM Bypass-Attack

ODEX File: optimized dex file

4.0+ provides a raw dex loading API Without ODEX!!!

Dalvik Virtual Ma-chine

(JIT Compiler)

dex file

Storageodex file

(reuse)

decompile hijacking

ODEX & Classloading

Applying SELinux in Android by NSA

Linux Security Modules

Standard Linux Security (Hooking) Framework from v2.6task management (creation, signaling, waiting), program loading (execve), file system management

(superblock, inode, and filehooks), IPC (message queues, shared memory, and semaphore opera-

tions), module hooks (insertion and removal), and network hooks (covering sockets, netlink, network

devices, and other protocol interfaces) security.h

SE-Android Overview

2012/1 AOSP master branch added(HAVE_SELINUX)

in external/libselinux and external/sepolicy

in core/java and core/jni

SELinux.java, AndroidRuntime.cpp, android_os_SELinux.cpp

Slow and incremental applying expected

not enforcing mode but permissive mode

Android 5.0?

Need to consider it!

SE-Android State

ARM’s HW solution

Virtualized processors on a ARM chip

Secure World can read Normal World

But Normal World can’t read Secure World

Already on Galaxy S3!!!

TrustZone

3. What to do?

Use Obfuscator

Use Native Code

Keep data on your server

Sorry, Find your own solutions!

2011 Google I/O Evading Pirates and Stopping Vampires using

License Verification Library, In-App Billing, and App Engine

2012.4 Code Obfuscation for the Amazon In-App 

How to Defense your Code?

Conclusion

Even Android has many security problems, it is an

open, de-facto platform now

It’s getting better but you need to keep your data/

code by your own ways

Its openness and flexibility could give some chances

to creative developers

T-Store promises to help you soon!