Lecture 3 MOBILE SOFTWARE PLATFORM SECURITY You will be learning: . General model for mobile platform security Key security techniques and general architecture . Comparison of four systems Android, iOS, MeeGo (MSSF), Symbian 2 Mobile platforms revisited . Android ~2007 . Java ME ~2001 “feature phones”: 3 billion devices! Not in smartphone platforms . Symbian ~2004 First “smartphone” OS 3 Mobile platforms revisited . iOS ~2007 iP* devices; BSD-based . MeeGo ~2010 Linux-based MSSF (security architecture) . Windows Phone ~2010 . ... 4 Symbian . First widely deployed smartphone OS EPOC OS for Psion devices (1990s) . Microkernel architecture: OS components as user space services Accessed via Inter-process communication (IPC) 5 Symbian Platform Security . Introduced in ~2004 . Apps distributed via Nokia Store Sideloading supported . Permissions are called ‘capabilities’, fixed set (21) 4 Groups: User, System, Restricted, Manufacturer 6 Symbian Platform Security . Applications identified by: UID from protected range, based on trusted code signature Or UID picked by developer from unprotected range Optionally, vendor ID (VID), based on trusted code signature 7 Apple iOS . Native application development in Objective C Web applications on Webkit . Based on Darwin + TrustedBSD kernel extension TrustedBSD implements Mandatory Access Control Darwin also used in Mac OS X 8 iOS Platform Security . Apps distributed via iTunes App Store . One centralized signature authority Apple software vs. third party software . Runtime protection All third-party software sandboxed with same profile Permissions: ”entitlements” (post iOS 6) Contextual permission prompts: e.g. location 9 MeeGo . Linux-based open source OS, Intel, Nokia, Linux Foundation Evolved from Maemo and Moblin . Application development in Qt/C++ . Partially buried, but lives on Linux Foundation shifted to HTML5- based Tizen MeeGo -> Mer -> Jolla’s Sailfish OS 10 MeeGo Platform Security . Mobile Simplified Security Framework (MSSF) Permissions: “resource tokens” Enforced via “Smack” Apps identified by signatures from “software sources” Policy specifies privileges grantable by software sources 11 Mobile platform security . Recall three basic security principles: Application isolation Permission-based access control Application signing 12 Ecosystem stakeholders Developer Marketplace operator Platform provider Mobile Mobile device operator Device manufacturer Administrator User See also: Book section 2.1. 13 Mobile platform architecture Mobile Device Application Application Library Service Plugin Mobile Platform (OS) OS middleware System System libraries services (Inter-process ) communication (IPC) OS kernel Device resources Legend Mobile Platform Component Third-Party Software Component 14 Platform security architecture Mobile Third-party Third-party System System Application Device library service service library User Platform Security Architecture Developer Reference Monitor IPC Software Isolation Platform Application System Updater Provider Policy Installer Database Centralized HW Security HW Security API Marketplace Operator Device Application Administrator Management Application Loader Database Auxiliary Marketplace Boot Secure Storage Execution Operator Legacy DAC Verifier Provider Protection Boot Secure Device Isolated Device Integrity Storage Identification Execution Authentication Legend Platform Security Third-Party Software Hardware-Security Role Component Component Functionality 15 Step 1a: Developer publishes an application Developer submits the application to a centralized Developer requests marketplace Mobile Device permissions for his application Platform Security Architecture Developer In some platforms the Centralized application can be Marketplace directly “sideloaded” to Operator the mobile device Auxiliary Marketplace Operator Some platforms Legend support auxiliary Role marketplaces 16 Step 1b: Marketplace signs the application In some platforms the developer signs the Mobile app package Device Platform Security Architecture Developer Centralized Marketplace provider Marketplace checks the application (and Operator requested permissions) Auxiliary and signs the app package Marketplace Operator Legend Role 17 Step 2: Application installation Installer may prompt the user to accept some of Installer checks the requested Installer consults local application permissions policy database about signature and Mobile requestedDevice permissions requested permissions User Platform Security Architecture Installer stores Developer assigned Application Policy Installer application Centralized Database Marketplace Application permissions Operator installer Application Auxiliary component Boot Secure Storage Database Marketplace needs Verifier Provider Operator integrity Mobile device protection Boot Secure receives an Integrity Storage application Legend installation package from a marketplace Permission and policyRole Platform Security Hardware-Security (or developer) databases need Component Functionality integrity protection 18 Step 3a: Application loading Loader attaches permissions to the Mobile Device started process Application User Platform Security Architecture Developer Application Policy Installer Database Centralized Marketplace Operator Application Application Loader Database Auxiliary Marketplace Boot Secure Storage Loader reads permissionsOperator from Verifier Provider the permission database Loader Boot Secure Integrity Storage Integrity of installed component Legend application binaries needs Platform Security Hardware-Security Role integrity ComponentThird-Party Software Functionality protection Component 19 Step 3b: Application execution OS/HW isolate applications from one another at runtime Reference Mobile monitor Third-party Third-party System System Device Application library service service library checks User permissions Platform Security Architecture Software to control Reference Monitor IPC Isolation Developer access to Application API Security HW system Applications andPolicy Installer Database Centralized resources platform need to Marketplace communicate with each Operator Application other and HWApplication Loader Database Some Auxiliary Legacy Execution Marketplace applications Boot Secure Storage Operator need secure Verifier Provider DAC Protection state (e.g., DRM) Boot Secure Isolated Some applications Integrity Storage Device Execution Device need device IdentificationLegend Authentication identification and Platform Security Third-Party Software Hardware-Security authentication Role Some applications need Component Component Functionality secrecy for their (e.g., provisioning) persistent storage 20 Step 4: System updates System updater System updater rewrites parts of verifies received system software update using policy database Mobile Third-party Third-party System System Platform Device Application library service service library providers issue User (signed) system updates Platform Security Architecture Developer Reference Monitor IPC Software Isolation Platform Application System Updater Provider Policy Installer Database Centralized HW Security HW Security API Marketplace Operator Device Application Administrator Application Loader Management Database Auxiliary Marketplace Boot Secure Storage Execution Operator Legacy DAC Verifier Provider Protection Administrators may update device policies Boot Secure Device Isolated Device and applications Integrity Storage Identification Execution Authentication Legend System updates Platform Security Third-Party Software Hardware-Security Role may need device System updates need secure Component Component Functionality identification state to prevent rollbacks to previous system version 21 Recap: main techniques Mobile Third-party Third-party System System Application Device library service service library User 5. Application Platform Security Architecture isolation 4. Permission-based Developer access control Reference Monitor IPC Software isolation 1. Permission Platform Application System Updater request Provider Policy Installer Database 3. Permission Centralized HW Security HW Security API Marketplace assignment Operator 2. Application Device Application Administrator Management Application Loader signing Database Auxiliary Marketplace Boot Secure Storage Execution Operator Legacy DAC Verifier Provider Protection 6. API to system functionality (e.g. secure storage) Boot Secure Device Isolated Device Integrity Storage Identification Execution Authentication Legend Platform Security Third-Party Software Hardware-Security Role Component Component Functionality 22 Platform security architecture Mobile Third-party Third-party System System Application Device library service service library User Platform Security Architecture Developer Reference Monitor IPC Software isolation Platform Application System Updater Provider Policy Installer Database Centralized HW Security HW Security API Marketplace Operator Device Application Administrator Management Application Loader Database Auxiliary Marketplace Boot Secure Storage Execution Operator Legacy DAC Verifier Provider Protection Boot Secure Device Isolated Device Integrity Storage Identification Execution Authentication Legend Platform Security Third-Party Software Hardware-Security Role Component Component Functionality 23 Why Generalize? “The General Problem” http://xkcd.com/974/ 24 Mobile Device Application Library Android Java/Dalvik native User OS Middleware ActivityManagerService/ Developer PackageManagerService