3. Show of hands...
Who has
■ An Android device?
■ Loaded a custom ROM?
■ Rooted his device?
■ Developed for that device?
22 May 2013, Android Security in depth (slide 4)
6. System level execution
■ NX bit
■ Stack overflow prevention
■ Address Space Layout Randomization (ASLR)
■ dlmalloc/calloc + extensions
■ mmap_min_addr
7. Linux security measures
■ Sandboxing in the kernel
■ Permissions enforced through Linux groups
■ Each app runs under its own UID
8. Dalvik VM
Not a security boundary
■ No security manager
■ Permissions are enforced in the OS, not in the VM
■ Bytecode verification is optimized for speed, not security
9. Zygote process preloads typical classes and dynamic link libraries
Copy-on-write
■ A new page is allocated only when the new process writes to a page.
■ All pages that are not written to are shared among all zygote children.
The exec system call is not used in zygote.
■ exec wipes the page mapping table of the process.
■ This means exec would discard the zygote cache.
Runs as UID=0 (root). After forking the child process, its UID is changed with the setuid system call.
Zygote processes
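The fork-without-exec pattern on this slide, as an added example in C for Linux (not code from the slides or from AOSP): the parent "preloads" a heap buffer, forks a child that inherits the pages copy-on-write, and the child then drops to an unprivileged uid/gid with setresgid/setresuid and verifies it cannot regain UID 0. Buffer size, fill pattern and the target uid/gid are constructed for the demonstration; as a non-root user the only uid you can "drop" to is your own, which is why main() passes getuid()/getgid().

```c
/* Added example (not from the slides): a minimal zygote-style parent that
 * pre-initialises state, forks a child WITHOUT exec so the child keeps the
 * parent's memory via copy-on-write, and has the child drop privileges. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <grp.h>
#include <sys/wait.h>
#include <sys/types.h>

#define PRELOAD_BYTES (4u << 20)   /* 4 MiB of "preloaded classes" (constructed) */

/* Child-side step: permanently drop to an unprivileged uid/gid.
 * Returns 0 when the drop succeeded and was verified, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Order matters: supplementary groups and gid first, while we may still change them.
     * setgroups needs privilege; as an ordinary user EPERM is expected and harmless. */
    if (setgroups(0, NULL) != 0 && errno != EPERM) return -1;
    if (setresgid(gid, gid, gid) != 0) return -1;
    if (setresuid(uid, uid, uid) != 0) return -1;
    /* Verify: a real drop means root cannot be regained. */
    if (setuid(0) == 0 && uid != 0) return -1;
    return (getuid() == uid && getgid() == gid) ? 0 : -1;
}

/* Returns 1 if copy-on-write isolated the child's writes from the parent,
 * 0 if the parent saw the modification, -1 on fork/wait failure.
 * child_status receives the child's exit code (0 = privilege drop verified). */
int cow_fork_demo(uid_t child_uid, gid_t child_gid, int *child_status)
{
    unsigned char *preloaded = malloc(PRELOAD_BYTES);
    if (!preloaded) return -1;
    memset(preloaded, 0xAB, PRELOAD_BYTES);   /* parent "preloads" its heap */

    pid_t pid = fork();   /* no exec follows: page tables are inherited, pages shared COW */
    if (pid < 0) { free(preloaded); return -1; }
    if (pid == 0) {
        /* Child: touch two shared pages; the kernel copies only those pages. */
        preloaded[0] = 0xEE;
        preloaded[PRELOAD_BYTES - 1] = 0xEE;
        _exit(drop_privileges(child_uid, child_gid) == 0 ? 0 : 3);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) { free(preloaded); return -1; }
    if (child_status) *child_status = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    int isolated = (preloaded[0] == 0xAB && preloaded[PRELOAD_BYTES - 1] == 0xAB);
    free(preloaded);
    return isolated;
}

int main(void)
{
    int child_rc = -1;
    /* As root you would pass the app's allocated uid/gid here (constructed values);
     * unprivileged, we can only drop to ourselves. */
    int cow = cow_fork_demo(getuid(), getgid(), &child_rc);
    printf("copy-on-write isolated child writes: %s\n", cow == 1 ? "yes" : "no");
    printf("child privilege drop + verification: %s\n", child_rc == 0 ? "ok" : "failed");
    return (cow == 1 && child_rc == 0) ? 0 : 1;
}
```

The point to take from the verification step: a child that has dropped to its own UID must fail the setuid(0) probe; if it does not, the drop was incomplete (for example only the effective UID changed) and the sandbox boundary does not hold.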
10. Binder IPC
■ IPC via kernel interface
■ Used under the hood for all IPC in Android
• Service to application
• Service to system
• But also Intent-based communication...
■ Is security-aware and passes calling UID & GID
22 May 2013, ICT Automatisering (slide 11)
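The last bullet of the Binder slide, that the kernel passes the calling UID and GID to the service, is what lets a service enforce permissions on its caller. As an added example (not code from the slides or from Android), the same design is shown with the plain-Linux equivalent: SO_PASSCRED on a Unix socket makes the kernel attach the sender's pid/uid/gid as SCM_CREDENTIALS ancillary data, and the receiving side authorizes on that instead of on any identity claimed in the message body. The message text and the allow-list policy are constructed for the demonstration.

```c
/* Added example (not from the slides): kernel-supplied caller credentials over
 * a Unix socket, the stand-in here for what Binder provides to services. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/types.h>

struct caller { pid_t pid; uid_t uid; gid_t gid; };

/* Receive one datagram and fill in the kernel-supplied sender credentials.
 * Returns payload length, or -1 on error or when no credentials were attached. */
ssize_t recv_with_creds(int fd, char *buf, size_t buflen, struct caller *who)
{
    union { char raw[CMSG_SPACE(sizeof(struct ucred))]; struct cmsghdr align; } ctl;
    struct iovec iov = { .iov_base = buf, .iov_len = buflen };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctl.raw, .msg_controllen = sizeof ctl.raw };
    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_CREDENTIALS) {
            struct ucred uc;
            memcpy(&uc, CMSG_DATA(c), sizeof uc);
            who->pid = uc.pid; who->uid = uc.uid; who->gid = uc.gid;
            return n;
        }
    }
    return -1;   /* no credentials attached: refuse rather than guess */
}

/* Service-side policy (constructed): only one uid may call. Returns 1 = allowed. */
int authorize(const struct caller *who, uid_t allowed_uid)
{
    return who->uid == allowed_uid;
}

/* One round trip over a socketpair. The "client" claims to be uid 0 inside the
 * payload; the "service" ignores that and decides on the kernel's answer.
 * Returns 1 allowed, 0 denied, -1 on failure; *seen gets the credentials. */
int demo_call(uid_t allowed_uid, struct caller *seen)
{
    int sv[2], rc = -1, on = 1;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return -1;
    /* Receiver opts in: from now on the kernel stamps every datagram it gets. */
    if (setsockopt(sv[1], SOL_SOCKET, SO_PASSCRED, &on, sizeof on) == 0) {
        const char claim[] = "caller_uid=0;op=wipe";   /* constructed, untrusted claim */
        char buf[64];
        if (send(sv[0], claim, sizeof claim, 0) > 0 &&
            recv_with_creds(sv[1], buf, sizeof buf, seen) > 0)
            rc = authorize(seen, allowed_uid);
    }
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    struct caller who = {0};
    int rc = demo_call(getuid(), &who);
    printf("kernel says caller uid=%u gid=%u pid=%d -> %s\n",
           (unsigned)who.uid, (unsigned)who.gid, (int)who.pid,
           rc == 1 ? "allowed" : "denied");
    return rc == 1 ? 0 : 1;
}
```

Design note: the service never parses the "caller_uid=0" string, which is the whole point. Identity that arrives inside the payload is an assertion by the peer; identity in the ancillary data (or, on Android, in the Binder transaction) is asserted by the kernel.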
11. Additional measures in Android 4.2
■ Application verification: additional scan for malicious software
■ Always-on VPN
■ Improvements to installd/init handling, etc.
13. Intent system
■ Communication between OS and applications via Intents
■ OS resolves the requested action (e.g. 'edit contact') against all registered Intent receivers
■ Highly versatile and modular
■ Allows swapping out default functionality for alternatives
15. Permissions cont'd
Permissions checked when:
■ Starting activities
■ Starting/binding to services
■ Sending to BroadcastReceivers
■ Accessing ContentProviders (separate permissions for read and write)
■ … and at any given moment using Context.checkCallingPermission()
16. App signing
All Android applications must be signed by the author (developer)
Application or code signing is the process of digitally signing a given application using a private key to:
■ Identify the code's author
■ Detect whether the application has changed
■ Establish trust between applications
On Android, the certificate (X.509) can be self-signed, so there is no need for a certificate authority
Android applications can be built in debug and release mode:
■ In debug mode the app is automatically signed with the debug key and cannot be distributed (e.g. via Google Play)
■ In release mode the app is signed with the developer's private key.
18. Encryption
Full-disk encryption using dm-crypt
■ Actually: only the /data partition
Done using 128-bit AES / SHA-256
The master key is encrypted with another key derived from the device PIN/password
■ Problem: since the PIN is usually 4 digits long, cracking the master key is a matter of little time...
19. Device Policies
■ Determine user-level security
■ Locate lost devices
■ Enable remote wipe
■ Can disable functionality (such as the camera)
20. VPN
Support for VPN connections based on
■ IPSec
■ PPTP
■ Own VPN implementation (third party, Android 4.0+)
Requires use of a device lock mechanism
As of Android 4.2, always-on VPN is possible too
mmap_min_addr prevents mmap()ing the lowest pages of virtual memory. Without it, a null pointer dereference could access that memory and execute code placed there beforehand.
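For the mmap_min_addr item on the system-level slide and the note above, an added example in C for Linux (not code from the slides) that checks the mitigation from the defender's side: it reads the configured floor from /proc/sys/vm/mmap_min_addr, reports how many pages it protects, and asks the kernel for a non-executable MAP_FIXED mapping at address 0, expecting EPERM. The sysctl path is the real Linux one; the page arithmetic and return codes are this example's own. A process with CAP_SYS_RAWIO (for example root in a permissive container) may be allowed the mapping, which the program reports rather than hides.

```c
/* Added example (not from the slides): verify that the kernel refuses to map
 * the lowest pages of the address space (vm.mmap_min_addr). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>

/* Parse the text of /proc/sys/vm/mmap_min_addr. Returns -1 on bad input. */
long parse_mmap_min_addr(const char *text)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text || v < 0) return -1;
    while (*end == ' ' || *end == '\n' || *end == '\t') end++;   /* trailing newline */
    return *end == '\0' ? v : -1;
}

/* Read the live setting; -1 if the file is unavailable or malformed. */
long read_mmap_min_addr(void)
{
    char buf[32] = {0};
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_mmap_min_addr(buf);
}

/* How many whole pages the floor makes unmappable (0 = mitigation off). */
long protected_pages(long min_addr, long page_size)
{
    if (min_addr <= 0 || page_size <= 0) return 0;
    return (min_addr + page_size - 1) / page_size;
}

/* Try to map one non-executable page at address 0. Returns:
 *  1  kernel refused with EPERM -> mitigation active for this process
 *  0  mapping succeeded (it is unmapped again before returning)
 * -1  some other failure (e.g. an LSM returning EACCES) */
int low_page_mapping_refused(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) return errno == EPERM ? 1 : -1;
    munmap(p, page);
    return 0;
}

int main(void)
{
    long page = sysconf(_SC_PAGESIZE);
    long floor = read_mmap_min_addr();
    printf("vm.mmap_min_addr = %ld (%ld page(s) of %ld bytes unmappable)\n",
           floor, protected_pages(floor, page), page);
    int r = low_page_mapping_refused();
    printf("mmap at address 0: %s\n",
           r == 1 ? "refused (EPERM), as expected" :
           r == 0 ? "SUCCEEDED: the NULL page is mappable by this process" :
                    "failed for another reason");
    return r == 1 ? 0 : 1;
}
```

A floor of 0 pages, or a successful mapping in the second line of output, means the null-page defence described in the note is not in force for that process and the rest of the hardening on the slide is doing less than assumed.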