Mobile Device Security - Reading Material - PowerPoint PPT Presentation

Slides: 36
Provided by: AdamCh9
Learn more at: https://cse.osu.edu
Transcript and Presenter's Notes

1
Mobile Device Security - Reading Material
  • Adam C. Champion and Dong Xuan
  • CSE 4471 Information Security

Based on materials from Tom Eston (SecureState),
Apple, Android Open Source Project, and William
Enck (NCSU)
2
Organization
  • Quick Overview of Mobile Devices
  • iOS/Android Threats and Attacks
  • iOS/Android Security

3
Overview of Mobile Devices
  • Mobile computers
  • Mainly smartphones, tablets
  • Sensors: GPS, camera, accelerometer, etc.
  • Computation: powerful CPUs (1 GHz, multi-core)
  • Communication: cellular/4G, Wi-Fi, near field
    communication (NFC), etc.
  • Many connect to cellular networks: billing system
  • Cisco: 7 billion mobile devices will have been
    sold by 2012 [1]

4
Organization
  • Quick Overview of Mobile Devices
  • iOS/Android Threats and Attacks
  • iOS/Android Security

5
iOS/Android Malware
  • iOS malware: very little
  • Juniper Networks: Major increase in Android
    malware from 2010 to 2011 [18]
  • Android malware growth keeps increasing
  • Main categories [19]:
  • Trojans
  • Monitoring apps/spyware
  • Adware
  • Botnets
  • We'll look at notable malware examples

6
iOS Malware
  • Malware, fake apps have hit iOS too
  • iKee, first iPhone virus, rickrolled jailbroken
    iDevices [25]
  • Example fake/similar apps:
  • Temple Run: Temple Climb, Temple Rush, Cave Run
  • Angry Birds: Angry Zombie Birds, Shoot Angry
    Birds
  • Not to mention walkthroughs, reference apps,
    etc.
  • Google Play banned such apps
  • iOS, Android hit with "Find and Call" app
  • SMS spammed contacts from central server
  • Removed from App Store, Google Play

7
Android DroidDream Malware
  • Infected 58 apps on Android Market, March 2011
  • 260,000 downloads in 4 days
  • How it worked:
  • Rooted phone via Android Debug Bridge (adb)
    vulnerability
  • Sent premium-rate SMS messages at night
  • Google removed apps 4 days after release, banned
    3 developers from Market
  • More malware found since

8
Android Fake Angry Birds Space
  • Bot, Trojan
  • Masquerades as game
  • Roots Android 2.3 devices using Gingerbreak
    exploit
  • Device joins botnet

Source: [20]
9
Android SMS Worm
  • Students in previous information security classes
    wrote SMS worms, loggers on Android
  • Worm spreads to all contacts via social
    engineering, sideloading, etc.
  • Logger stored/forwarded all received SMS messages
  • Only needed SEND_SMS, RECEIVE_SMS, READ_SMS
    permissions
  • Can send 100 SMS messages/hour
  • One group put SMS logger on Google Play (removed
    it)

10
Android Google Wallet Vulnerabilities (1)
  • Google Wallet enables smartphone payments
  • Uses NFC technology
  • Many new mobile devices have NFC
  • Some credit card info stored securely in secure
    element
  • Separate chip, SD card, SIM card
  • Unfortunately, other data are not stored as
    securely

11
Android Google Wallet Vulnerabilities (2)
  • Some information can be recovered from databases
    on phone [21]:
  • Name on credit card
  • Expiration date
  • Recent transactions
  • etc.
  • Google Analytics tracking can reveal customer
    behavior from non-SSL HTTP GET requests
  • NFC alone does not guarantee security
  • Radio eavesdropping, data modification possible
    [22]
  • Relay attacks, spoofing possible with libnfc [23]

12
Android Sophisticated NFC Hack
  • Charlie Miller's Black Hat 2012 presentation:
    Nokia, Android phones can be hijacked via NFC
    [24]
  • NFC/Android Beam on by default on Android 2.3,
    Android 4.0
  • Place phone 3-4 cm away from NFC tag, other
    NFC-enabled phone
  • Attacker-controlled phone sends data to
    tag/device, can crash NFC daemon, Android OS
  • For Android 4.0-4.0.1, can remotely open device
    browser to attacker-controlled webpage

13
Organization
  • Quick Overview of Mobile Devices
  • iOS/Android Threats and Attacks
  • iOS/Android Security

14
iOS System Architecture (1)
  • Boot sequence:
  • Bootloader, kernel, extensions, baseband firmware
    all have cryptographic signatures
  • Root of trust burnt into boot ROM at the factory
  • Each component's signature is verified
  • If any signature doesn't match, the "connect to
    iTunes" screen is shown

Icons from Double-J Design, IconBlock
15
iOS System Architecture (2)
  • Software updates:
  • Cannot install older version of iOS on an
    iDevice, e.g., if device runs iOS 5.1.1, cannot
    install iOS 4
  • Device cryptographically measures components,
    sends to Apple install server with nonce, device
    ID
  • Nonce: value used only once
  • Prevents attacker from replaying the value
  • Server checks measurements; if allowed, server
    adds device ID to measurements, signs everything
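
The update authorization exchange on this slide, sketched as an added example (not part of the original slides and not Apple's code). It assumes HMAC-SHA256 with a demo key in place of the server's real signature, and the names `server_authorize`, `device_accepts` and the device IDs are hypothetical.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: HMAC-SHA256 with a demo key stands in for the install server's
# signature; a real device would verify an asymmetric signature instead.
SERVER_KEY = b"constructed-demo-key"
SIGNABLE_VERSIONS = {"5.1.1"}  # constructed policy: only the current release

def measure(components):
    """Device: hash each component image it intends to install."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in components.items()}

def _sign(body):
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def server_authorize(version, measurements, nonce, device_id):
    """Server: check policy, then sign measurements + nonce + device ID."""
    if version not in SIGNABLE_VERSIONS:
        return None  # older versions are refused, so no downgrade ticket exists
    body = {"version": version, "measurements": measurements,
            "nonce": nonce, "device_id": device_id}
    return {"body": body, "sig": _sign(body)}

def device_accepts(ticket, measurements, nonce, device_id):
    """Device: ticket must verify and match this nonce, device and image set."""
    if ticket is None:
        return False
    body = ticket["body"]
    return (hmac.compare_digest(ticket["sig"], _sign(body))
            and body["nonce"] == nonce
            and body["device_id"] == device_id
            and body["measurements"] == measurements)

def demo():
    """Run the exchange on constructed images and return each outcome."""
    new = measure({"kernel": b"constructed 5.1.1 kernel image"})
    old = measure({"kernel": b"constructed 4.0 kernel image"})
    n1, n2 = secrets.token_hex(16), secrets.token_hex(16)
    ticket = server_authorize("5.1.1", new, n1, "device-A")
    return {
        "fresh": device_accepts(ticket, new, n1, "device-A"),
        "replayed_later": device_accepts(ticket, new, n2, "device-A"),
        "other_device": device_accepts(ticket, new, n1, "device-B"),
        "downgrade": device_accepts(
            server_authorize("4.0", old, n2, "device-A"), old, n2, "device-A"),
    }
```

Only the fresh ticket is accepted: a saved ticket fails against a new nonce, a ticket issued to another device fails the device ID check, and the server never signs the older version.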

16
iOS Apps and App Store
  • All iOS apps signed by Apple (not developer)
  • Third-party apps signed only after:
  • Developer ID verification (individual, company)
  • Review: bugs, work correctly (program analysis)
  • Each app sandboxed in its own directory
  • Cannot communicate with other apps
  • Apps need signed entitlements to access user
    data
  • Further app protection:
  • Address Space Layout Randomization (ASLR) for all
    apps
  • ARM eXecute Never (XN) bit set for all memory
    pages

17
iOS Data Protection Measures
  • Each iDevice has hardware-accelerated crypto
    operations (AES-256)
  • Effaceable Storage securely removes crypto keys
    from flash memory
  • "Erase all content and settings" wipes user data
    using Effaceable Storage (locally or remotely)
  • Interact with mobile device management (MDM),
    Exchange ActiveSync servers
  • Developers can use APIs for secure file, database
    storage
  • Passcodes:
  • Admins can require numeric, alphanumeric, etc.
  • Wipe device after 10 failed login attempts

18
iPhone Configuration Utility
19
Miscellaneous iOS Security
  • Built-in support for SSLv3, TLS, VPNs
  • Extensive administrative controls
  • Password policies
  • Disable device features, e.g., camera
  • Disable Siri
  • Remote wipe
  • Apps can access contacts without permission
    (fixed in iOS 6)

Source: [8]
20
iOS Jailbreaking
  • Circumvents Apple's iOS security mechanisms
  • Violates iDevice's terms of use
  • Allows installation of apps from alternative app
    stores, e.g., Cydia
  • Removes app sandbox
  • Usually replaces kernel with one accepting
    non-Apple signatures
  • Tools: redsn0w, Absinthe, etc.
  • Legal in U.S. under DMCA 2010 exemption

21
Google Android Platform
  • Android: Linux-based mobile handset platform
  • Developed by Google, Open Handset Alliance for
    handset manufacturers
  • Includes T-Mobile, Sprint Nextel, Google, Intel,
    Samsung, etc. [29]
  • Free, open mobile handset platform for industry
    [30]
  • Flagship: Google Nexus 4

22
Android Architecture
23
Android Features and Software
  • Features:
  • 3D: OpenGL ES 1.0
  • SQLite: Database engine
  • WebKit: Web browser
  • Dalvik: Register-based VM similar to Java VM
    [32]
  • FreeType: Bitmap and vector font rendering
  • Connectivity: Bluetooth, 802.11, GPS
  • Core Applications:
  • Email, SMS, calendar, Google apps, browser, etc.
  • Written in Java
  • App Framework:
  • Full access to same framework APIs
  • Architecture designed for component reuse
  • Runtime:
  • Core C library
  • Multiple Dalvik VMs run in a process, rely on
    Linux kernel for process isolation [32]

24
Android Security (1)
  • Android built on Linux kernel, which provides:
  • User permissions model
  • Process isolation
  • Each app is assigned unique user/group IDs, run
    as a separate process → app sandbox
  • System partition mounted read-only
  • Android 3.0 enables filesystem encryption using
    Linux dm-crypt (AES-128)
  • Device admins can require passwords with specific
    criteria, remote wipe devices, etc.

25
Android Security (2)
  • Android device administration (3.0):
  • Remote wipe
  • Require strong password
  • Full device encryption
  • Disable camera

26
Android Security (3)
  • Other protection mechanisms:
  • Android 1.5: stack buffer, integer overflow
    protection; double free, chunk consolidation
    attack prevention
  • Android 2.3: format string protection, NX, null
    pointer dereference mitigation
  • Android 4.0: ASLR implemented
  • Android 4.1: ASLR strengthened, plug kernel
    leaks
  • Capability-based permissions mechanism
  • Many APIs are not invoked without permission,
    e.g., camera, GPS, wireless, etc.
  • Every app must declare the permissions it needs
  • Users need to allow these permissions when
    installing app
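
Because every app declares its permissions, a reviewer can audit a manifest before install. The following is an added example (not from the original slides) that flags the SEND_SMS, RECEIVE_SMS, READ_SMS set the SMS worm slide names; the rule names and both sample manifests are constructed, and the input is assumed to be decoded text XML rather than the binary XML stored inside an APK.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed rule set. The first rule is the permission set the slides say an
# SMS logger/worm needed; the second covers premium-rate SMS abuse.
RULES = {
    "sms-logger-set": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS"},
    "can-send-sms": {"SEND_SMS"},
}

# Constructed sample manifests (hypothetical package names).
SAMPLE_SUSPICIOUS = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
</manifest>"""

SAMPLE_BENIGN = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.camera">
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""


def declared_permissions(manifest_xml):
    """Return the short names of all <uses-permission> entries."""
    # For untrusted input, parse with a hardened XML parser instead of plain ET.
    root = ET.fromstring(manifest_xml.strip())
    perms = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name:
            perms.add(name.rsplit(".", 1)[-1])
    return perms


def audit(manifest_xml):
    """Return the sorted names of every rule whose permissions are all declared."""
    perms = declared_permissions(manifest_xml)
    return sorted(rule for rule, needed in RULES.items() if needed <= perms)
```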

27
Android Security (4)
  • All Android apps need to be signed by the
    developer, not Google
  • Google Play app store less regulated
  • Apps available rapidly after publishing
  • Bouncer service scans for malware in store [11]

Google Play permissions interface
28
Android Device Diversity (1)
  • Android runs on various devices
  • Different devices run different OS versions
  • Device manufacturers often add their own custom
    UIs, software
  • Mobile operators add their own software
  • Not all devices are updated to latest Android
    version!
  • Security challenges

Android devices accessing Google Play, August
2012. Some devices are not always updated to the
latest version. These devices tend to have
security vulnerabilities targeted by
attackers. Source: [12]
29
Android Device Diversity (2)
  • Notice: many Android devices are orphaned
    without major updates [13]
  • Android developers need to secure their apps for
    many different devices

30
Android Device Diversity (3)
The OpenSignalMaps Android app sees almost 4,000
types of device clients. Source: [14]
31
Rooting Android Devices
  • Android device owners can often get root access
    to their devices
  • Process can be as simple as unlocking bootloader
  • Sometimes, exploit bugs to get root
  • Result: install OS of choice, bypass
    device/operator restrictions
  • Legal under 2010 DMCA exemption
  • Security problems:
  • Voids device warranty (usually)
  • Circumvents app sandbox: root can modify any
    app's files
  • Malware can root and own your device!

32
References (1)
  1. Cisco, "Cisco Visual Networking Index: Global
    Mobile Data Traffic Forecast Update, 2011-2016,"
    14 Feb. 2012,
    http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ns705/ns827/white_paper_c11-520862.html
  2. Samsung, "Exynos 5 Dual," 2012,
    http://www.samsung.com/global/business/semiconductor/product/application/detail?productId7668iaId2341
  3. Nielsen Co., "Two Thirds of All New Mobile Buyers
    Now Opting for Smartphones," 12 Jul. 2012,
    http://blog.nielsen.com/nielsenwire/online_mobile/two-thirds-of-new-mobile-buyers-now-opting-for-smartphones/
  4. K. De Vere, "iOS leapfrogs Android with 410
    million devices sold and 650,000 apps," 24 Jul.
    2012,
    http://www.insidemobileapps.com/2012/07/24/ios-device-sales-leapfrog-android-with-410-million-devices-sold/
  5. K. Haslem, "Macworld Expo: Optimised OS X sits on
    versatile Flash," 12 Jan. 2007, Macworld,
    http://www.macworld.co.uk/ipod-itunes/news/index.cfm?newsid16927
  6. Wikipedia, "iOS," updated 2012,
    http://en.wikipedia.org/wiki/iOS
  7. Apple Inc., "iPhone Developer University
    Program,"
    http://developer.apple.com/iphone/program/university.html
  8. Apple Inc., "iOS Security,"
    http://images.apple.com/ipad/business/docs/iOS_Security_May12.pdf
  9. Android Open Source Project, "Android Security
    Overview,"
    http://source.android.com/tech/security/index.html

Presentation organization inspired by T. Eston,
"Android vs. iOS Security Showdown," 2012,
http://www.slideshare.net/agent0x0/the-android-vs-apple-ios-security-showdown
33
References (2)
  10. A. Rubin, 15 Feb. 2012,
    https://plus.google.com/u/0/112599748506977857728/posts/Btey7rJBaLF
  11. H. Lockheimer, "Android and Security," 2 Feb.
    2012,
    http://googlemobile.blogspot.com/2012/02/android-and-security.html
  12. Android Open Source Project,
    http://developer.android.com/about/dashboards/index.html
  13. M. DeGusta, "Android Orphans: Visualizing a Sad
    History of Support," 26 Oct. 2011,
    http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of-support
  14. http://opensignalmaps.com/reports/fragmentation.php
  15. http://www.micro-trax.com/statistics
  16. Lookout, Inc., "Mobile Lost and Found," 2012,
    https://www.mylookout.com/resources/reports/mobile-lost-and-found/
  17. K. Haley, "Introducing the Smartphone Honey Stick
    Project," 9 Mar. 2012,
    http://www.symantec.com/connect/blogs/introducing-symantec-smartphone-honey-stick-project
  18. Juniper Networks, Inc., "Global Research Shows
    Mobile Malware Accelerating," 15 Feb. 2012,
    http://newsroom.juniper.net/press-releases/global-research-shows-mobile-malware-accelerating-nyse-jnpr-0851976

34
References (3)
  19. F-Secure, "Mobile Threat Report Q2 2012," 7 Aug.
    2012,
    http://www.slideshare.net/fsecure/mobile-threat-report-q2-2012
  20. http://nakedsecurity.sophos.com/2012/04/12/android-malware-angry-birds-space-game/
  21. Via Forensics LLC, "Forensic Security Analysis of
    Google Wallet," 12 Dec. 2011,
    https://viaforensics.com/mobile-security/forensics-security-analysis-google-wallet.html
  22. Proxmark, http://www.proxmark.org/
  23. libnfc, http://www.libnfc.org
  24. D. Goodin, "Android, Nokia smartphone security
    toppled by Near Field Communication hack," 25
    Jul. 2012,
    http://arstechnica.com/security/2012/07/android-nokia-smartphone-hack/
  25. B. Andersen, "Australian admits creating first
    iPhone virus," 10 Nov. 2009,
    http://www.abc.net.au/news/2009-11-09/australian-admits-creating-first-iphone-virus/1135474
  26. R. Radia, "Why you should always encrypt your
    smartphone," 16 Jan. 2011,
    http://arstechnica.com/gadgets/2011/01/why-you-should-always-encrypt-your-smartphone/
  27. Heritage Foundation, "Solutions for America:
    Overcriminalization," 17 Aug. 2010,
    http://www.heritage.org/research/reports/2010/08/overcriminalization
  28. Wikipedia,
    http://en.wikipedia.org/wiki/Mobile_device_forensics
  29. C. Quentin,
    http://www.slideshare.net/cooperq/your-cell-phone-is-covered-in-spiders

35
References (4)
  30. A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and
    A. M. Smith, "Smudge Attacks on Smartphone Touch
    Screens," Proc. USENIX WOOT, 2010.
  31. X. Ni, Z. Yang, X. Bai, A. C. Champion, and Dong
    Xuan, "DiffUser: Differentiated User Access
    Control on Smartphones," Proc. IEEE Intl.
    Workshop on Wireless and Sensor Networks Security
    (WSNS), 2009.
  32. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J.
    Jung, P. McDaniel, and A. N. Sheth, "TaintDroid:
    An Information-Flow Tracking System for Realtime
    Privacy Monitoring on Smartphones," Proc. USENIX
    OSDI, 2010, http://appanalysis.org
  33. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J.
    Jung, P. McDaniel, and A. N. Sheth, "TaintDroid:
    An Information-Flow Tracking System for Realtime
    Privacy Monitoring on Smartphones,"
    http://static.usenix.org/event/osdi10/tech/slides/enck.pdf
  34. B. Gu, X. Li, G. Li, A. C. Champion, Z. Chen, F.
    Qin, and D. Xuan, "D2Taint: Differentiated and
    Dynamic Information Flow Tracking on Smartphones
    for Numerous Data Sources," Technical Report,
    2012.