Security - Reading Material

Adam C. Champion and Dong Xuan CSE 4471: Information Security

Based on materials from Tom Eston (SecureState), Apple, Android Open Source Project, and William Enck (NCSU) Organization

• Quick Overview of Mobile Devices • iOS/Android Threats and Attacks • iOS/Android Security Overview of Mobile Devices

• Mobile computers: – Mainly , tablets – Sensors: GPS, camera, accelerometer, etc. – Computation: powerful CPUs (≥ 1 GHz, multi-core) – Communication: cellular/4G, Wi-Fi, near field communication (NFC), etc. • Many connect to cellular networks: billing system • Cisco: 7 billion mobile devices will have been sold by 2012 [1]

Organization Organization

• Quick Overview of Mobile Devices • iOS/Android Threats and Attacks • iOS/Android Security iOS/Android Malware

• iOS malware: very little • Juniper Networks: Major increase in Android malware from 2010 to 2011 [18] • Android malware growth keeps increasing ($$$) • Main categories: [19] – Trojans – Monitoring apps/spyware – Adware – Botnets • We’ll look at notable malware examples iOS Malware

• Malware, “fake apps” have hit iOS too – iKee, first iPhone virus, “rickrolled” jailbroken iDevices [25] – Example “fake/similar” apps: • Temple Run: Temple Climb, Temple Rush, Cave Run • Angry Birds: Angry Zombie Birds, Shoot Angry Birds • Not to mention “walkthroughs,” “reference” apps, etc. • banned such apps… – iOS, Android hit with “Find and Call” app • SMS spammed contacts from central server • Removed from App Store, Google Play Android: DroidDream Malware

• Infected 58 apps on Android Market, March 2011 • 260,000 downloads in 4 days • How it worked: – Rooted phone via Android Debug Bridge (adb) vulnerability – Sent premium-rate SMS messages at night ($$$) • Google removed apps 4 days after release, banned 3 developers from Market • More malware found since AngryAndroid: Birds from Fake UnofficialAngry Birds App Space Stores

• Disguised• Bot, Trojan as a Trojan horse • Uses• Masquerades the “GingerBreak” as game exploit• Roots to Android root the 2.3 device • Yourdevices device using becomes part “Gingerbreak” exploit of a botnet • Device joins botnet

http://nakedsecurity.sophos.com/2012/04/12/a ndroid-malware-angry-birds-space-game/ Source: [20] 17 Android: SMS Worm

• Students in previous information security classes wrote SMS worms, loggers on Android • Worm spreads to all contacts via social engineering, sideloading, etc. • Logger stored/forwarded all received SMS messages – Only needed SEND_SMS, RECEIVE_SMS, READ_SMS permissions – Can send 100 SMS messages/hour – One group put SMS logger on Google Play (removed it) Android: Google Wallet Vulnerabilities (1) • Google Wallet enables payments – Uses NFC technology – Many new mobile devices have NFC • Some credit card info stored securely in secure element – Separate chip, SD card, SIM card • Unfortunately, other data are not stored as securely Android: Google Wallet Vulnerabilities (2) • Some information can be recovered from databases on phone: [21] – Name on credit card – Expiration date – Recent transactions – etc. • Google Analytics tracking can reveal customer behavior from non-SSL HTTP GET requests • NFC alone does not guarantee security – Radio eavesdropping, data modification possible [22] – Relay attacks, spoofing possible with libnfc [23] Android: Sophisticated NFC Hack

• Charlie Miller’s Black Hat 2012 presentation: Nokia, Android phones can be hijacked via NFC [24] – NFC/Android Beam on by default on Android 2.3+, Android 4.0+ – Place phone 3–4 cm away from NFC tag, other NFC- enabled phone – Attacker-controlled phone sends data to tag/device, can crash NFC daemon, Android OS – For Android 4.0–4.0.1, can remotely open device browser to attacker-controlled webpage Organization

• Quick Overview of Mobile Devices • iOS/Android Threats and Attacks • iOS/Android Security iOS System Architecture (1)

• Boot sequence: – Bootloader, kernel, extensions, baseband firmware all have cryptographic signatures – Root of trust: burnt into boot ROM at the factory – Each component’s signature is verified – If any signature doesn’t match, the “connect to iTunes” screen is shown Icons from Double-J Design, IconBlock iOS System Architecture (2)

• Software updates – Cannot install older version of iOS on an iDevice; e.g., if device runs iOS 5.1.1, cannot install iOS 4 – Device cryptographically “measures” components, sends to Apple install server with nonce, device ID • Nonce: value used only once • Prevents attacker from “replaying” the value – Server checks measurements; if allowed, server adds device ID to measurements, signs everything iOS Apps and App Store

• All iOS apps signed by Apple (not developer) • Third-party apps signed only after: – Developer ID verification (individual, company) – Review: bugs, work correctly (program analysis) • Each app sandboxed in its own directory – Cannot communicate with other apps – Apps need signed “entitlements” to access user data • Further app protection: – Address Space Layout Randomization (ASLR) for all apps – ARM eXecute Never (XN) bit set for all memory pages iOS Data Protection Measures

• Each iDevice has hardware-accelerated crypto operations (AES-256) • Effaceable Storage: securely removes crypto keys from flash memory – “Erase all content and settings” wipes user data using Effaceable Storage (locally or remotely) – Interact with mobile device management (MDM), Exchange ActiveSync servers – Developers can use APIs for secure file, database storage • Passcodes – Admins can require numeric, alphanumeric, etc. – Wipe device after 10 failed login attempts iPhone Configuration Utility iPhone Configuration Utility

41 Apple: Very Little App PermissionsMiscellaneous Shown iOS SecurityTo Users

• Built-in support for • MainlySSLv3, for privacyTLS, VPNs • Apps• Extensive are limited administrative to what theycontrols: can do • – Password policies * Apps– Disable can access device features, contact data withoute.g., camera permission (will be– Disable fixed Siri in iOS 6) – Remote wipe • Developers can do this on • Apps can access contacts theirwithout own (Yelp)… permission (fixed in iOS 6) Source: [8] 25 iOS Jailbreaking

• Circumvents Apple’s iOS security mechanisms – Violates iDevice’s terms of use – Allows installation of apps from alternative app stores, e.g., – Removes app sandbox – Usually replaces kernel with one accepting non-Apple signatures – Tools: redsn0w, Absinthe, etc. • Legal in U.S. under DMCA 2010 exemption Google Android Platform

• Android: Linux-based mobile handset platform • Developed by Google, Open Handset Alliance for handset manufacturers – Includes T-Mobile, Sprint Nextel, Google, Intel, Samsung, etc. [29] – Free, open mobile handset platform for industry [30] • Flagship: Google Nexus 4 Android Architecture Android Features and Software

• Features • Core Applications – 3D: OpenGL ES 1.0 – Email, SMS, calendar, Google – SQLite: Database engine apps, browser, etc. – WebKit: Web browser – Written in Java – Dalvik: Register-based VM • App Framework similar to Java VM [32] – Full access to same – FreeType: Bitmap and vector framework APIs font rendering – Architecture designed for – Connectivity: , component reuse 802.11, GPS • Runtime – Core C++ library – Multiple Dalvik VMs run in a process, rely on Linux kernel for process isolation [32] Android Security (1)

• Android built on Linux kernel, which provides – User permissions model – Process isolation • Each app is assigned unique user/group IDs, run as a separate process ⇒ app sandbox • System partition mounted read-only • Android 3.0+ enables filesystem encryption using Linux dmcrypt (AES-128) • Device admins can require passwords with specific criteria, remote wipe devices, etc. Android Security (2)

• Android device administration (3.0+): – Remote wipe – Require strong password – Full device encryption – Disable camera Android Security (3)

• Other protection mechanisms: – Android 1.5+: stack buffer, integer overflow protection; double free, chunk consolidation attack prevention – Android 2.3+: format string protection, NX, null pointer dereference mitigation – Android 4.0+: ASLR implemented – Android 4.1+: ASLR strengthened, plug kernel leaks • Capability-based permissions mechanism: – Many APIs are not invoked without permission, e.g., camera, GPS, wireless, etc. – Every app must declare the permissions it needs – Users need to allow these permissions when installing app Android Security (4)

• All Android apps need to be signed: by the developer, not Google • Google Play less regulated – Apps available rapidly after publishing – Bouncer service scans for malware in store [11]

Google Play permissions interface Android Device Diversity (1)

• Android runs on various devices – Different devices run different OS versions – Device manufacturers often add their own custom UIs, software – Mobile operators add their own software – Not all devices are updated Android devices accessing Google Play, to latest Android version! August 2012. Some devices are not always updated to the latest version. These devices • Security challenges… tend to have security vulnerabilities targeted by attackers.

Source: [12] Android Device Diversity (2)

• Notice many Android devices are “orphaned” without major updates [13] • Android developers need to secure their apps for many different devices… Android Device Diversity (3)

The OpenSignalMaps Android app sees almost 4,000 types of device clients. Source: [14] Android Devices

• Android device owners can often get root access to their devices – Process can be as simple as unlocking bootloader – Sometimes, exploit bugs to get root – Result: install OS of choice, bypass device/operator restrictions – Legal under 2010 DMCA exemption • Security problems: – Voids device warranty (usually) – Circumvents app sandbox: root can modify any app’s files – Malware can root and own your device! References (1)

1. Cisco, “Cisco Visual Networking Index: Global Mobile Data Traffic Forecast Update, 2011– 2016”, 14 Feb. 2012, http://www.cisco.com/en/US/solutions/collateral/ns341/ns525/ns537/ ns705/ns827/white_paper_c11-520862.html 2. Samsung, “Exynos 5 Dual,” 2012, http://www.samsung.com/global/business/semiconductor/ product/application/detail?productId=7668&iaId=2341 3. Nielsen Co., “Two Thirds of All New Mobile Buyers Now Opting for Smartphones,” 12 Jul. 2012, http://blog.nielsen.com/nielsenwire/online_mobile/two-thirds-of-new-mobile-buyers- now-opting-for-smartphones/ 4. K. De Vere, “iOS leapfrogs Android with 410 million devices sold and 650,000 apps,” 24 Jul. 2012, http://www.insidemobileapps.com/2012/07/24/ios-device-sales-leapfrog-android-with- 410-million-devices-sold/ 5. K. Haslem, “Macworld Expo: Optimised OS X sits on ‘versatile’ Flash,” 12 Jan. 2007, Macworld, http://www.macworld.co.uk/ipod-itunes/news/index.cfm?newsid=16927 6. Wikipedia, “iOS,” updated 2012, http://en.wikipedia.org/wiki/iOS 7. Apple Inc., “iPhone Developer University Program,” http://developer.apple.com/iphone/program/university.html 8. Apple Inc, “iOS Security,” http://images.apple.com/ipad/business/docs/ iOS_Security_May12.pdf 9. Android Open Source Project, “Android Security Overview,” http://source.android.com/tech/ security/index.html Presentation organization inspired by T. Eston, “Android vs. iOS Security Showdown,” 2012, http://www.slideshare.net/agent0x0/the-android-vs-apple-ios-security-showdown References (2)

10. A. Rubin, 15 Feb. 2012, https://plus.google.com/u/0/112599748506977857728/ posts/Btey7rJBaLF 11. H. Lockheimer, “Android and Security,” 2 Feb. 2012, http://googlemobile.blogspot.com/ 2012/02/android-and-security.html 12. Android Open Source Project, http://developer.android.com/about/dashboards/index.html 13. M. DeGusta, “Android Orphans: Visualizing a Sad History of Support,” 26 Oct. 2011, http://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history- of-support 14. http://opensignalmaps.com/reports/fragmentation.php 15. http://www.micro-trax.com/statistics ` 16. Lookout, Inc., “Mobile Lost and Found,” 2012, https://www.mylookout.com/resources/ reports/mobile-lost-and-found/ 17. K. Haley, “Introducing the Smartphone Honey Stick Project,” 9 Mar. 2012, http://www.symantec.com/connect/blogs/introducing-symantec-smartphone-honey-stick- project 18. Juniper Networks, Inc., “Global Research Shows Mobile Malware Accelerating,” 15 Feb. 2012, http://newsroom.juniper.net/press-releases/global-research-shows- mobile-malware-accelerating-nyse-jnpr-0851976 References (3)

19. F-Secure, “Mobile Threat Report Q2 2012,” 7 Aug. 2012, http://www.slideshare.net/fsecure/ mobile-threat-report-q2-2012 20. http://nakedsecurity.sophos.com/2012/04/12/a ndroid-malware-angry-birds-space-game/ 21. Via Forensics LLC, “Forensic Security Analysis of Google Wallet,” 12 Dec. 2011, https://viaforensics.com/mobile-security/forensics-security-analysis-google-wallet.html 22. Proxmark, http://www.proxmark.org/ 23. libnfc, http://www.libnfc.org 24. D. Goodin, “Android, Nokia smartphone security toppled by Near Field Communication hack,” 25 Jul. 2012, http://arstechnica.com/security/2012/07/android-nokia-smartphone-hack/ 25. B. Andersen, “Australian admits creating first iPhone virus,” 10 Nov. 2009, http://www.abc.net.au/news/2009-11-09/australian-admits-creating-first-iphone-virus/1135474 26. R. Radia, “Why you should always encrypt your smartphone,” 16 Jan. 2011, http://arstechnica.com/gadgets/2011/01/why-you-should-always-encrypt-your-smartphone/ 27. Heritage Foundation, “Solutions for America: Overcriminalization,” 17 Aug. 2010, http://www.heritage.org/research/reports/2010/08/overcriminalization 28. Wikipedia, http://en.wikipedia.org/wiki/Mobile_device_forensics 29. C. Quentin, http://www.slideshare.net/cooperq/your-cell-phone-is-covered-in-spiders References (4)

30. A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and A. M. Smith, “Smudge Attacks on Smartphone Touch Screens,” Proc. USENIX WOOT, 2010. 31. X. Ni, Z. Yang, X. Bai, A. C. Champion, and Dong Xuan, “DiffUser: Differentiated User Access Control on Smartphones,” Proc. IEEE Int’l. Workshop on Wireless and Sensor Networks Security (WSNS), 2009. 32. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones,” Proc. USENIX OSDI, 2010, http://appanalysis.org 33. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones,” http://static.usenix.org/event/osdi10/tech/slides/enck.pdf 34. B. Gu, X. Li, G. Li, A. C. Champion, Z. Chen, F. Qin, and D. Xuan, “D2Taint: Differentiated and Dynamic Information Flow Tracking on Smartphones for Numerous Data Sources,” Technical Report, 2012.