J.-P. Seifert; Security-Aware Android Applications for the Enterprise
1. Designing Security-Aware Android Applications for the Enterprise
Jean-Pierre Seifert
TU Berlin & Deutsche Telekom Laboratories, Berlin, Germany
jpseifert@sec.t-labs.tu-berlin.de
2. Agenda
1. Introduction
2. Some reasons for Access Control in Phones
mTAN, Signalling based attacks, Premium Rate SMS
Trojan, WAC Operator Billing
3. Access Control in Android
4. The MILS/Separation Kernel approach for Android
phones
SecT ad for L4Android (SiMKo3)
5. Q&A
Deutsche Telekom Laboratories 17.06.2011 2
4. Cell Phone Security
A cellular phone is only one part of a much larger system
Other parts of the system are even more complex
Historically, both network and devices were closed (started to open)
Provided some level of protection
17.5% of American homes had only wireless telephones in
2008.
What about Europe?
I myself have only one phone – a cell phone
What happens to the network and devices when interfaces
open?
What happens when we start relying on cell phones for
general computing needs?
5. Cellphone OS Security vs. OS Security
Why is cellphone OS security different from ordinary OS security?
Connected to critical infrastructure - warnings of phone botnets
Connected to people - attacks can cross into the physical world
Multiple Stakeholders - there is a lot of money at risk
Network provider, OEM, enterprise, 3rd-party app developer, content
owner, end user, etc.
Who has control?
Who is the adversary?
Specific usage scenarios
Always with you
Only want to carry one
(for business and personal)
6. Cellular Networks
Cellular networks are complex systems made up of many components and
defined by thousands of pages of standards documents
3GPP aka GSM, and 3GPP2 aka CDMA ... leads to alphabet soup
There are many non-security concerns (most of the concerns are not about security)
Interconnectivity with “landline” phone network
Efficient radio spectrum deployment
Maximizing the number of active subscribers
Low latency call-setup and in-call
Mobility and roaming (which tower?)
Handset power consumption (sleep periods)
Customer databases and billing mechanisms
and many more ...
7. Stakeholders
A cellphone stakeholder is an entity with valued interests in
proper phone functioning and something to lose from
malfeasance.
Variety of stakeholders, and each has its own goals and
concerns
A stakeholder can be identified by its presence on a phone
1. Provides a means of communication with the outside
world
2. Uses the handset to deliver information
(e.g., news, music, etc)
3. Provides software or hardware to facilitate 1 and 2
4. An end user of the phone
8. Basic Phone Architecture
The hardware and software configuration dictates what sorts of
policy are possible.
Each phone has implementation specific details, but some general
trends
Application processor and Baseband processors (most often single
chip)
Separate firmwares and execution environments
Example Chips (SoC) -- often bundle hardware features like GPS,
bluetooth, etc.
Qualcomm Mobile Station Modem (MSM 7x, e.g., MSM 7201a) -
single chip
TI Open Multimedia Application Platform (OMAP 1xxxx, OMAP
3xxxx) - only app
Broadcom baseband processors (e.g., ML2011)
Marvell (PXA series)
10. Example: mTAN – mobile TAN
TAN → Transaction Authentication Number
– secure online banking
mTAN generated individually for each transaction
– mTAN sent via text SMS
– Limited lifetime
– Includes: destination account and amount
(with these values customer can verify his transaction)
Example:
The mobileTAN for your transfer of 11123.45 Euro to account
123456789 is: 73KXCM
11. Example: mTAN – mobile TAN
12. Attacks against mTAN
Prerequisite
– Attacker has the credentials for the victim's online banking
account
Attacker's goal
– Successfully complete online bank transfer from victim's
account to attacker account
Requirement
– Attacker needs to get mTAN from the user's phone
(remember the mTAN is sent via text SMS)
13. Man-in-the-Mobile Attack against mTAN
Attacker installs malware on victim's phone
– Malware reads and forwards mTAN SMS to attacker
This is easy since:
– All mobile OSes provide an API to read incoming SMS
• Users always grant all capability requests!
– Malware just registers for, reads and forwards SMS messages
Already happening in the field!
– ZITMO (Symbian & Windows Mobile)
14. Example: Eavesdropping on SMS Traffic
Attacker needs to be close to victim
– Unlikely but possible
GSM can be easily recorded and decoded (A5/1 and A5/2)
– Public research available including ready to use tools
Femtocell based attacks can “sniff” 3G traffic
– SecT lab setup → non public yet
– Will be easy to reproduce once published
15. Example: Cellular Signaling
Signaling traffic generated by the Mobile Equipment (ME) is sent to the
MSC and HLR in case of voice calls, SMS, and updating account
settings (such as call-forwarding).
Packet-data related signaling is mainly directed towards the SGSN, the
GGSN, and of course the HLR.
Packet Data Protocol (PDP) connection setup is a complex process.
When ME wishes to establish a PDP context it sends a GPRS-attach
message to the SGSN.
The SGSN authenticates the ME using the HLR.
Next, the PDP context is established and stored at the SGSN and GGSN.
This includes records and parameters for billing, quality of service
information, and the IP address assigned to the specific PDP context.
Maintenance and distribution of the PDP context information across the
different network components is a costly process as it involves many
components across the cellular network.
16. Example: Cellular Signaling Threats
Fast PDP context activation and de-activation lead to high network load
on the GGSN and SGSN infrastructure of cellular network operators.
This is performed by either malicious applications or badly configured
mobile phones.
This is possible because on smartphone platforms such as Android any
application has access to the network configuration and thus is able to
change the packet-data and APN settings.
On Android it is possible to force a PDP context change every 2
seconds. This will result in roughly 43,200 PDP activations per day (24
hours).
If it is installed on enough devices, a rogue application can easily carry out
a Denial-of-Service attack against an operator’s packet-data infrastructure.
GSMA. Network Efficiency Threats v0.4a, May 2010.
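The churn pattern on this slide (a new PDP context every two seconds, roughly 43,200 activations a day) is something an operator can spot on the SGSN side with a per-subscriber rate check. The Python below is an added example, not part of the original slides and not any operator's tooling: it builds a constructed signalling log in a hypothetical "<ISO timestamp> <IMSI> <event>" format (the IMSIs use the reserved test MCC 999, so they match no real subscriber), then flags every subscriber whose PDP activations inside a sliding window exceed a threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample: a hypothetical SGSN event log, one "<ISO timestamp> <IMSI> <event>"
# record per line. The IMSIs use the reserved test MCC 999, so they match no real subscriber.
def build_sample_log():
    base = datetime(2011, 6, 17, 10, 0, 0)
    lines = []
    # Subscriber 1 behaves like the slide's rogue app: a new PDP context every 2 s for 2 minutes.
    for i in range(60):
        t = base + timedelta(seconds=2 * i)
        lines.append(f"{t.isoformat()} 999990000000001 PDP_ACTIVATE")
        lines.append(f"{(t + timedelta(seconds=1)).isoformat()} 999990000000001 PDP_DEACTIVATE")
    # Subscriber 2 is a normal phone: one context at the start, another an hour later.
    lines.append(f"{base.isoformat()} 999990000000002 PDP_ACTIVATE")
    lines.append(f"{(base + timedelta(hours=1)).isoformat()} 999990000000002 PDP_ACTIVATE")
    return lines


def parse_events(lines):
    """Turn log lines into (timestamp, imsi, event) tuples; malformed or blank lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, imsi, event = parts
        events.append((datetime.fromisoformat(ts), imsi, event))
    return events


def find_churning_subscribers(lines, window_seconds=60, max_activations=10):
    """Return {imsi: peak activations in any window} for subscribers above the threshold.

    A sliding window runs over each subscriber's sorted PDP_ACTIVATE timestamps, so the
    cost is linear in the number of events per subscriber.
    """
    activations = defaultdict(list)
    for ts, imsi, event in parse_events(lines):
        if event == "PDP_ACTIVATE":
            activations[imsi].append(ts)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for imsi, times in activations.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Drop activations that have fallen out of the window ending at t.
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_activations:
            flagged[imsi] = peak
    return flagged


def projected_activations_per_day(interval_seconds):
    """Daily PDP activations if a device re-attaches every interval_seconds (slide: 2 s -> 43,200)."""
    return 86400 // interval_seconds


if __name__ == "__main__":
    print(find_churning_subscribers(build_sample_log()))   # {'999990000000001': 30}
    print(projected_activations_per_day(2))                # 43200
```

The window length and threshold are parameters because a legitimate device that loses coverage repeatedly can also re-attach often; the slide's two-second cadence sits far above anything a normal handset produces, so a conservative threshold still catches it without flagging ordinary mobility.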
17. Example: Premium Rate SMS Trojans
Fraud caused by SMS Trojans such as FakePlayer-A is a
long-standing problem in the mobile phone world
Costing consumers a considerable amount of money every year.
This kind of fraud is possible since on modern smartphones
any application has access to the cellular API and is thus
able to send SMS messages.
Same problem applies to voice calls to premium numbers.
Trojan-SMS.AndroidOS.FakePlayer-A.
http://www.fortiguard.com/encyclopedia/virus/android_fakeplayer.a!
tr.html, August 2010.
18. Example: WAC Operator Billing
Pay via Operator bill
• WAC allows to bill consumers buying virtual and digital content
quickly, easily and safely using their mobile phone number
• It is available for Websites, mobile Apps and Widgets running on
Mobiles, Tablets, PCs or even TVs.
19. WAC is an alliance of some of the biggest
companies in the mobile industry.
WAC Board of Directors: Accenture, Ericsson, Huawei, Intel, Nokia, Qualcomm, Samsung
Operator Members: America Movil, Bell Mobility, China Unicom, Hutchison 3 group, KDDI, LG UPlus, MTS, Orascom, Rogers, SFR, Vimpelcom
Board Observers: Fujitsu, IBM, NEC
Sponsor Members: Aepona, Alcatel Lucent, ASPire-tech, Borqs, Cambertech Inc, Capgemini, Eyeline, GD, HP, HTC, IMImobile, Incross Co., Infraware, KT Innotz, LG Electronics
Associate Members: Limo Foundation, Neustar, NTT Data, Obigo, Opera, Oracle, Panasonic, RIM, Sandisk, SAP, Sharp, Sony Ericsson, WiPro, ZTE
20. WAC has two focus areas.
Network APIs and Operator Billing are the focus.
WAC Widget Runtime
• Increase the overall market for mobile applications
• Encourage open standardized technologies
• Enable distribution of WAC widgets through multiple channels
Operator Network APIs (Focus)
• Exposure of valuable operator network capabilities to the developer
• Allowing developers to enhance their applications
• Reducing technical and commercial complexity by offering APIs in a unified,
technology agnostic way
• Operator Billing is the first API
Web: www.wacapps.net/payment-api
YouTube http://bit.ly/nObOd2
21. Using the WAC solution subscribers can pay for
content securely with just a few clicks on the
mobile.
22. Non-mobile devices can also be addressed with
convenient mobile TAN approach.
Illustrative payment flow shown on mobile device – however this
applies for other devices as well, e.g. Tablets or Desktops
24. Android
One of the most anticipated smartphone operating
systems -- led by Google
Complete software stack
Open source (Apache v2 license) ... mostly
Open Handset Alliance
... 30+ industrial partners
Google, T-Mobile, Sprint, HTC, LG, Motorola,
Samsung, Broadcom, Intent, NVIDIA,
Qualcomm, … .
25. Android Phones
An Android phone contains a number of
“applications”
Android comes installed with a
number of basic systems tools, e.g.,
dialer, address book, etc.
Developers use the Android API to
construct applications.
All apps are written in Java and executed
within a custom Java virtual machine.
Each application package is contained
in a jar file (.apk)
Applications are installed by the user
No “app store” required, just build
and go.
Open access to data and voice
services
26. Security Enforcement
Android protects applications at the system level and at the Inter-component
communication (ICC) level.
Each application runs as a unique user identity, which lets Android limit
the potential damage of programming flaws.
27. Security Enforcement
• Core idea of Android security enforcement
• label assignment to applications and components
• A reference monitor provides mandatory access control
(MAC) enforcement of how applications access
components.
• Access to each component is restricted by assigning it an
access permission label; applications are assigned
collections of permission labels.
• When a component initiates ICC, the reference monitor
looks at the permission labels assigned to its containing
application and
• if the target component’s access permission label is in that
collection — allows ICC establishment to proceed.
28. Access permission logic
The Android middleware implements a reference monitor
providing mandatory access control (MAC) enforcement
about how applications access components.
The basic enforcement model is the same for all component
types. Component A’s ability to access components B and C
is determined by comparing the access permission labels on
B and C to the collection of labels assigned to application 1.
29. Enforcement Conclusion
Assigning permission labels to an application
specifies its protection domain.
Assigning permissions to the components in an
application specifies an access policy to protect its
resources.
Android’s policy enforcement is mandatory, all
permission labels are set at install time and can’t
change until the application is reinstalled.
Android’s permission label model only restricts
access to components and doesn’t currently
provide information flow guarantees.
30. Security Refinements --- Public vs. Private
Components
Applications often contain components that another
application should never access.
For example, a component related to password
storage. The solution is to define the component as private.
This significantly reduces the attack surface for many
applications.
31. Security Refinements --- Protected APIs
Not all system resources (for example, network) are
accessed through components — instead, Android
provides direct API access.
Android protects these sensitive APIs with additional
permission label checks:
an application must declare a corresponding
permission label in its manifest file to use them.
32. Security Refinements --- Permission
Protection Levels
The permission protection levels provide a means of
controlling how developers assign permission labels.
Signature permissions ensure that only the
framework developer can use the specific
functionality (only Google applications can directly
interface the telephony API, for example).
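To make the reference-monitor decision of slides 27 to 29 concrete, together with the three refinements on slides 30 to 32 (private components, protected APIs, signature-level permissions), here is an added Python model. It is neither Android's code nor from the talk: the Permission, Component and Application classes, the banking apps, their signing keys and the custom com.example.bank.ACCESS_TAN label are hypothetical; only the android.permission.* names are real Android labels. grant_labels performs the install-time label assignment, and check_icc and check_api reproduce the lookup described on slide 27: is the target's access permission label in the caller's collection?

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

# Protection levels (slide 32). A signature-level label is granted only to packages signed
# with the same key as the package that declared it.
NORMAL, DANGEROUS, SIGNATURE = "normal", "dangerous", "signature"


@dataclass
class Permission:
    name: str
    protection_level: str
    declaring_signer: str  # signing key of the package that declared the label


@dataclass
class Component:
    name: str
    permission: Optional[str] = None  # access permission label; None = unprotected
    exported: bool = True             # False = private component (slide 30)


@dataclass
class Application:
    name: str
    signer: str
    requested: Set[str] = field(default_factory=set)        # labels declared in the manifest
    components: Dict[str, Component] = field(default_factory=dict)


def grant_labels(app: Application, permissions: Dict[str, Permission]) -> FrozenSet[str]:
    """Install-time label assignment: the result is the app's protection domain (slide 29)
    and, as on Android, does not change until the package is reinstalled."""
    granted = set()
    for name in app.requested:
        perm = permissions.get(name)
        if perm is None:
            continue  # undeclared label: nothing to grant
        if perm.protection_level == SIGNATURE and perm.declaring_signer != app.signer:
            continue  # signature label, but the caller is not signed by the declaring developer
        granted.add(name)
    return frozenset(granted)


def check_icc(caller: Application, caller_labels: FrozenSet[str],
              target: Application, component: str) -> bool:
    """Reference-monitor decision for one ICC request (slides 27 and 28)."""
    comp = target.components[component]
    if caller is target:
        return True   # a package may always reach its own components (same Linux UID)
    if not comp.exported:
        return False  # private component: never reachable from another application
    if comp.permission is None:
        return True   # unprotected component
    return comp.permission in caller_labels


# Protected APIs (slide 31): resources reached by direct API call, each guarded by a label.
PROTECTED_APIS = {
    "network": "android.permission.INTERNET",
    "send_sms": "android.permission.SEND_SMS",
}


def check_api(caller_labels: FrozenSet[str], api: str) -> bool:
    return PROTECTED_APIS[api] in caller_labels


def run_scenario() -> Dict[str, object]:
    """Hypothetical set-up: a banking app, a second app by the same developer, and a third party."""
    permissions = {
        "android.permission.INTERNET": Permission("android.permission.INTERNET", NORMAL, "platform-key"),
        "android.permission.SEND_SMS": Permission("android.permission.SEND_SMS", DANGEROUS, "platform-key"),
        "com.example.bank.ACCESS_TAN": Permission("com.example.bank.ACCESS_TAN", SIGNATURE, "bank-key"),
    }
    bank = Application("com.example.bank", "bank-key", {"android.permission.INTERNET"}, {
        "TanStore": Component("TanStore", exported=False),                  # private (slide 30)
        "TransferService": Component("TransferService", "com.example.bank.ACCESS_TAN"),
    })
    partner = Application("com.example.bank.widget", "bank-key",
                          {"android.permission.INTERNET", "com.example.bank.ACCESS_TAN"})
    other = Application("com.example.other", "other-key",
                        {"android.permission.INTERNET", "android.permission.SEND_SMS",
                         "com.example.bank.ACCESS_TAN"})

    labels = {app.name: grant_labels(app, permissions) for app in (bank, partner, other)}
    return {
        "other_labels": labels[other.name],
        "other_to_transfer": check_icc(other, labels[other.name], bank, "TransferService"),
        "partner_to_transfer": check_icc(partner, labels[partner.name], bank, "TransferService"),
        "partner_to_tanstore": check_icc(partner, labels[partner.name], bank, "TanStore"),
        "bank_to_tanstore": check_icc(bank, labels[bank.name], bank, "TanStore"),
        "other_network": check_api(labels[other.name], "network"),
        "partner_send_sms": check_api(labels[partner.name], "send_sms"),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The third-party app requests the bank's signature-level label but never receives it, so its ICC request to TransferService is refused even though the label is "merely a text string" in its manifest; the private TanStore component is refused to every other package regardless of labels, which is the attack-surface reduction slide 30 describes.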
33. Lessons in Defining Policy
Android security policy begins with a relatively easy-
to-understand MAC enforcement model,
but the number and subtlety of refinements make
it difficult to discover an application’s policy.
The label itself is merely a text string,
but its assignment to an application provides
access to potentially limitless resources.
43. SiMKo3 is based upon the L4 micro-kernel and the
Samsung Galaxy S II,
and …
44. L4Android – www.l4android.org
• L4Android is derived from the L4Linux project,
which is developed at the Technische Universität
Dresden.
• L4Linux is a modified Linux kernel, which runs on
top of the Fiasco.OC microkernel.
• It is binary compatible with the normal Linux
kernel.
• L4Android combines both the L4Linux and Google
modifications of the Linux kernel and thus enables
us to run Android on top of a microkernel.
45. Agenda
Thank you for your attention!
1. Introduction
2. Three reasons for Access Control in SmartPhones
mTAN, Signalling based attacks, Android Trojan(s)
3. So? Access Control in three Linux based
SmartPhones!
LiMo, MeeGo, Android
4. Problems with MAC for “responsible devices“
5. The MILS/Separation Kernel approach for Android
phones
SecT ad for L4Android
6. Conclusion