Android security overview and safe practices for web-based Android applications
Incalza Dario
@h4oxer
Contents
• Introduction
• Overview of the Android platform
• Attack surfaces in Android
• Security in web-based applications
xda:devcon '14 - Manchester - Dario Incalza
Introduction
• XDA Recognized Developer
• Student M.Sc. Computer Science, majoring in Development of Secure Software @ KU Leuven
• Android enthusiast/developer
• Blogger (http://h4oxer.wordpress.com)
Introduction
• Not a technical talk
• A call to action
• Security is also your responsibility
• No need to be a security expert
The Android platform
• Components in five main layers
– Android applications
– Android Framework
– Dalvik Virtual Machine (ART since 4.4)
– User-space native code
– The Linux kernel
Android Applications
• Android applications
– Allow third-party developers to add functionality
– Interact through the Android Framework API
– Applications are signed with keys
• Creates a trusted relationship between an app and its updates
– Application components
• AndroidManifest.xml, Intents, Activities, Broadcast Receivers, Services and Content Providers
Android Framework
• Interface for Android applications
• Allows developers to perform common tasks
• Standard and third-party libraries
– e.g. Apache HTTP client and SAX XML parser
• Framework managers
– e.g. Activity Manager, View System, Package Manager, etc.
The Dalvik Virtual Machine
• Based on the Java Virtual Machine
• Register-based, whereas the JVM is stack-based
• Pretty close to Java, but not quite the same
• DEX files and ODEX (optimized DEX) files
• Zygote
– Shared core classes and libraries
– Loader for Dalvik processes
User-Space Native Code
• Native code in the operating system's user space
• Two primary groups
– Libraries:
• Shared libraries, accessed through JNI
• Vendor-specific vs. non-vendor-specific
• Bionic
• Interesting for security researchers
– Core system services
• Init
• Radio Interface Layer (RIL)
• ADB
The Kernel
• Linux kernel, but an Android fork
• Binder
– IPC mechanism
– Client-server model
– PID and UID identification for access control
• Logger
– Four buffers: main, system, radio, event
– LogCat
The Android Platform: Conclusion
• Very complex system
• Principle of least privilege
• An exploit on Android is usually a collection of vulnerabilities chained together
– e.g. ‘diaggetroot’ – HTC J Butterfly
Attack Surfaces in Android
• Terminology
– Attack vector: the method used to carry out an attack
– Attack surface: a target’s ‘open flanks’
• Classification of attack surfaces
– Physical adjacency
– Local
– Physical
– Remote
Attack Surfaces in Android
• Surface properties
– Attack vector
– Privileges gained
– Memory safety
– Complexity
• General rule: attackers seek as much privilege as possible with as little investment as possible
Attack Surface – Physical Adjacency
• Attacker in range of the victim
• Wireless communication channels
– GPS
– Baseband
– Bluetooth
– Wi-Fi
– NFC
Attack Surface – Physical Adjacency
• Global Positioning System (GPS)
– One-way communication mechanism
– Accessible through android.location.* or Google Play Services
– End-user privacy not always respected
– Location spoofing attacks
Attack Surface – Physical Adjacency
• Baseband
– Communicates with mobile networks
– Baseband firmware
– Mostly Man-in-the-Middle (MITM) attacks
• Set up a base station with a strong signal
• Rogue base station attack
– Based on protocols
• Every protocol is an attack surface
• Resource-intensive to exploit!
Attack Surface – Physical Adjacency
• Bluetooth
– Rich attack surface
– Based on profiles; more than 30 profiles!
– Requires pairing
• Numeric code
• Hard-coded codes => interesting!
– Possible attacks: bluejacking, bluesnarfing, bluebugging
Attack Surface – Physical Adjacency
• Wi-Fi
– Rich attack surface
– Similar attack surface to Bluetooth
– Very extensive
Attack Surface – Physical Adjacency
• NFC (Near Field Communication)
– Built on RFID
– Three main use cases
• Tags
• ‘Beam’ data
• Contactless payments
– Successful attacks on NFC
• Charlie Miller – used NFC to set up BT or Wi-Fi connections
• Georg Wicherski and Joshua J. Drake – browser attack
• MWR Labs – exploited file format parsing in Polaris Office
Attack Surface – Local
• Ultimate goal: privileged code execution
• The Android security architecture is based on least privilege
• Use code already running on the device to gain more privileges
• Interesting when rooting?
Attack Surface – Local
• The file system
– Unix-based
– Attack surfaces exposed via entries in the file system
– Exposed IPC functionality
– Determining the code behind an endpoint
Attack Surface – Local
• System calls
– The kernel is responsible for handling system calls
– The kernel has to handle malicious data passed in system calls
– Search for “SYSCALL_DEFINE” in the kernel source code
Attack Surface – Local
• Binder
– Unique to Android
– Basis of Intents
– Driver in the kernel
– Services in native code on top of Binder
=> Deeper attack surfaces => privilege escalation?
Attack Surface – Local
• Other local attack surfaces
– Shared memory
– Baseband interface
– Sockets
Attack Surface – Physical
• Requires physically touching the device
• Most people consider physical attacks impossible to defend against
Attack Surface – Physical
• Dismantling devices
– Disassembling the device and attacking the hardware itself
– Hardware not adequately protected
– Attack surfaces:
• Exposed serial ports
• Exposed JTAG debug ports
– Check Adam Outler on XDA TV!
Attack Surface – Physical
• Android Debug Bridge (ADB)
– USB debugging
– “Juice jacking”
– Now requires authentication with an RSA key pair
Attack Surface – Remote
• Largest attack surface
• Can be devastating
• Holy grail for attackers
Attack Surface – Remote
• Browser attacks
– Browsers are complex systems
– A lot of web technologies and protocols
• All of them are attack surfaces!
– Drive-by attack: trick the user into loading a URL
– MitM attacks
– Cross-site scripting (XSS) and cross-site request forgery (CSRF)
– Same-Origin Policy (SOP)
Attack Surface – Remote
• Other attacks
– Ad networks
– Media and document processing
– Google infrastructure
– Malicious apps – third-party app ecosystems
Security in web-based applications
• WebView component
• WebKit web browser engine
• Extensively used in hybrid applications
• Remote attack surface => security issues
Source: MWR Infosecurity
Security in web-based applications
• Disable support for plugins
– Additional attack surface -> is it needed?
– webview.getSettings().setPluginsEnabled(false)
• Disable file system access
– Allows access to local resources
– Enabled by default!
– webview.getSettings().setAllowFileAccess(false)
• Disable JavaScript
– webview.getSettings().setJavaScriptEnabled(false)
Security in web-based applications
• WebView issues
– Is JS necessary?
– WebView does nothing against MitM => use crypto
– Origin checking!
– Only load trusted third-party content
– The Java–JavaScript bridge is dangerous!
• SOP is not enforced over the bridge
Security in web-based applications
• WebView issues
– Executing Java code in the context of your app!
Security in web-based applications
• Resource inspection
– Intercept page loads
– Check against a whitelist of trusted parties
– Override the relevant methods in WebViewClient
Security in web-based applications
• Resource inspection
– What about iframes, content between script tags, or XMLHttpRequests?
– Not intercepted by shouldOverrideUrlLoading
– Override shouldInterceptRequest
Security in web-based applications
A list of useful methods, illustrated with the URI http://xda-devcon.com/index.html
• getHost – Gets the encoded host from the authority for the URI: xda-devcon.com
• getScheme – Gets the scheme of the URI: http
• getPath – Gets the decoded path: index.html
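The slides on WebView settings, resource inspection (shouldOverrideUrlLoading versus shouldInterceptRequest) and the Uri accessors come together in the following class. It is an added example written for this page, not code from the talk or from MWR; the allowlisted hosts and the `TrustedWebViewClient`/`harden`/`isTrusted` names are assumptions made for the example. It also goes one step beyond the slides by accepting only https, following the "use crypto" advice, and by overriding both the String and the WebResourceRequest variants of the two callbacks.

```java
import android.annotation.TargetApi;
import android.net.Uri;
import android.os.Build;
import android.webkit.WebResourceRequest;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not code from the slides: hardened WebSettings plus a
 * WebViewClient that checks every top-level navigation AND every subresource
 * (iframes, scripts, XMLHttpRequests) against an allowlist of trusted hosts.
 */
public final class TrustedWebViewClient extends WebViewClient {

    // Constructed allowlist for this example; a real app lists its own hosts.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("xda-devcon.com", "www.xda-devcon.com"));

    /** Applies the settings from the slides and installs this client. */
    public static void harden(WebView webView, boolean pageNeedsJavaScript) {
        WebSettings s = webView.getSettings();
        s.setPluginState(WebSettings.PluginState.OFF);   // successor of setPluginsEnabled(false)
        s.setAllowFileAccess(false);                     // file:// access is on by default
        s.setAllowContentAccess(false);                  // likewise for content:// providers
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        s.setJavaScriptEnabled(pageNeedsJavaScript);     // "Is JS necessary?"
        webView.setWebViewClient(new TrustedWebViewClient());
    }

    /**
     * Trust decision built on the Uri accessors from the slides. For
     * Uri.parse("http://xda-devcon.com/index.html"): getScheme() -> "http",
     * getHost() -> "xda-devcon.com", getPath() -> "/index.html" (note the
     * leading slash). That http URI is rejected here because only https is
     * accepted. The host comparison is exact, not a substring or regex match,
     * so "xda-devcon.com.evil.example" and "evil.example/xda-devcon.com" are
     * both rejected. javascript:, data: and file: URIs have no host and are
     * rejected as well.
     */
    static boolean isTrusted(Uri uri) {
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null) {
            return false;
        }
        return "https".equals(scheme.toLowerCase(Locale.ROOT))
                && TRUSTED_HOSTS.contains(host.toLowerCase(Locale.ROOT));
    }

    // Top-level navigations (link clicks, redirects). Returning true cancels the load.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        return !isTrusted(Uri.parse(url));
    }

    @TargetApi(Build.VERSION_CODES.N)
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
        return !isTrusted(request.getUrl());
    }

    // Subresources: iframes, <script src>, XMLHttpRequest, images. These never
    // reach shouldOverrideUrlLoading, so the allowlist is applied here as well.
    // Returning null lets the request through; a response object replaces it.
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
        return isTrusted(Uri.parse(url)) ? null : emptyResponse();
    }

    @TargetApi(Build.VERSION_CODES.LOLLIPOP)
    @Override
    public WebResourceResponse shouldInterceptRequest(WebView view, WebResourceRequest request) {
        return isTrusted(request.getUrl()) ? null : emptyResponse();
    }

    // Empty body served in place of a blocked subresource.
    private static WebResourceResponse emptyResponse() {
        return new WebResourceResponse("text/plain", "utf-8",
                new ByteArrayInputStream(new byte[0]));
    }
}
```

Call `TrustedWebViewClient.harden(webView, false)` before the first `loadUrl`. `shouldInterceptRequest` runs on a background thread, which is why the check touches only the Uri and never the WebView itself.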
Security in web-based applications
• addJavascriptInterface
– Dangerous
– SOP is not enforced for the bridge!
– IFrames => nightmare
– Hybrid software stacks use this!
• Apache Cordova
• Sencha Touch
– Fracking attacks => generic for all hybrid frameworks
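Since the bridge cannot tell which frame is calling it, the defensive options are to keep the exposed surface tiny and to attach the bridge only for loads of trusted content. The class below is an added example for this page, not code from the talk, Cordova or Sencha; the `BridgeGuard`/`AppBridge` names, the JavaScript object name and the trusted host are assumptions.

```java
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

/**
 * Added example, not code from the slides: keep the Java-JavaScript bridge
 * minimal and attach it only when trusted content is about to be loaded.
 */
public final class BridgeGuard {

    private static final String BRIDGE_NAME = "AppBridge";      // hypothetical JS object name
    private static final String TRUSTED_HOST = "xda-devcon.com"; // constructed for the example

    /**
     * With targetSdkVersion >= 17 only methods annotated @JavascriptInterface
     * are reachable from JavaScript. Before that every public method, including
     * the inherited getClass(), was exposed, which is what let injected script
     * reach arbitrary Java code in the app's context. Keep the surface tiny:
     * no file, network or Intent-launching methods here.
     */
    public static final class AppBridge {
        @JavascriptInterface
        public String appVersion() {
            return "1.0";   // read-only value, no side effects
        }
    }

    /**
     * Loads a URL and decides beforehand whether the bridge is present. Both
     * addJavascriptInterface and removeJavascriptInterface only take effect at
     * the next page load, so the decision is made here, before loadUrl, rather
     * than in a page callback after the document may already be running script.
     */
    public static void load(WebView webView, String url) {
        Uri uri = Uri.parse(url);
        boolean trusted = "https".equals(uri.getScheme())
                && TRUSTED_HOST.equals(uri.getHost());
        if (trusted) {
            webView.addJavascriptInterface(new AppBridge(), BRIDGE_NAME);
        } else {
            webView.removeJavascriptInterface(BRIDGE_NAME);
        }
        webView.loadUrl(url);
    }
}
```

Even on a trusted page the object is visible to every frame, including cross-origin iframes, because the SOP is not enforced over the bridge. This guard therefore only works together with a subresource allowlist in the WebViewClient and HTTPS for the trusted content.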
Security in web-based applications: Conclusion
– Difficult to get right
– Pattern matching for the whitelist is of extreme importance
– Watch out for hybrid mobile apps
– Consider the effort of developing native
Thanks!! 
Q & A ? 
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
Large Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and RepairLarge Language Models for Test Case Evolution and Repair
Large Language Models for Test Case Evolution and Repair
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
 
Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
Keeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository worldKeeping your build tool updated in a multi repository world
Keeping your build tool updated in a multi repository world
 
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
Revolutionizing the Digital Transformation Office - Leveraging OnePlan’s AI a...
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Understanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM ArchitectureUnderstanding Flamingo - DeepMind's VLM Architecture
Understanding Flamingo - DeepMind's VLM Architecture
 
2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards2024 DevNexus Patterns for Resiliency: Shuffle shards
2024 DevNexus Patterns for Resiliency: Shuffle shards
 
How to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion ApplicationHow to submit a standout Adobe Champion Application
How to submit a standout Adobe Champion Application
 

Android Security Overview and Safe Practices for Web-Based Android Applications

1. Android security overview and safe practices for web-based Android applications
Incalza Dario
@h4oxer

2. Contents
• Introduction
• Overview Android platform
• Attack surfaces in Android
• Security in web-based applications
xda:devcon '14 - Manchester - Dario Incalza

3. Introduction
• XDA Recognized Developer
• Student M. Sc. Computer Science, majoring in Development of Secure Software @ KU Leuven
• Android enthusiast/developer
• Blogger (http://h4oxer.wordpress.com)

4. Introduction
• Not technical
• Call for action
• Security is also your responsibility
• No need to be a security expert

5. The Android platform
• Components in five main layers
– Android applications
– Android Framework
– Dalvik Virtual Machine (since 4.4 ART)
– User-space native code
– The Linux kernel

6. The Android platform

7. Android Applications
• Android Applications
– Allow third-party developers to add functionality
– Interaction through the Android Framework API
– Applications are signed with keys
• Creates a trusted relationship between updates
– Application components
• AndroidManifest.xml, Intents, Activities, Broadcast Receivers, Services and Content Providers

8. Android Framework
• Interface for Android applications
• Allows developers to perform common tasks
• Standard and third-party libraries
– e.g. Apache HTTP and SAX XML Parser
• Framework managers
– e.g. Activity Manager, View System, Package Manager, etc.

9. The Dalvik Virtual Machine
• Based on the Java Virtual Machine
• Register-based <-> stack-based
• Pretty close to Java but not quite the same
• DEX and ODEX (optimized DEX) files
• Zygote
– Shared core classes and libraries
– Loader for Dalvik processes

10. User-Space Native Code
• Native code in operating system user-space
• Comprised of two primary groups
– Libraries:
• Shared libs, accessed through JNI
• Vendor-specific <-> non-vendor-specific
• Bionic
• Interesting for security researchers
– Core system services
• Init
• Radio Interface Layer (RIL)
• ADB

11. The Kernel
• Linux kernel, but an Android fork
• Binder
– IPC mechanism
– Client-server model
– PID and UID identification for access control
• Logger
– Four buffers: main, system, radio, event
– LogCat

12. The Android Platform: Conclusion
• Very complex system
• Principle of least privilege
• An exploit on Android is a collection of vulnerabilities
– e.g. ‘diaggetroot’ – HTC J Butterfly

13. Attack Surfaces in Android
• Terminology
– Attack Vector: methods used to carry out an attack
– Attack Surface: a target’s ‘open flanks’
• Classification of attack surfaces
– Physical Adjacency
– Local
– Physical
– Remote

14. Attack Surfaces in Android
• Surface properties
– Attack Vector
– Privileges Gained
– Memory Safety
– Complexity
• General rule: as much privilege as possible with as little investment as possible

15. Attack Surface – Physical Adjacency
• Attacker in range of the victim
• Wireless communication channels
– GPS
– Baseband
– Bluetooth
– Wi-Fi
– NFC

16. Attack Surface – Physical Adjacency
• Global Positioning System (GPS)
– One-way communication mechanism
– Accessible through android.location.* or Google Play Services
– End-user privacy not always respected
– Location spoofing attacks

17. Attack Surface – Physical Adjacency
• Baseband
– Communicates with mobile networks
– Baseband firmware
– Mostly Man-in-the-Middle (MITM) attacks
• Set up a base station with a strong signal
• Rogue Base Station Attack
– Based on protocols
• Every protocol is an attack surface
• Resource intensive to exploit!!

18. Attack Surface – Physical Adjacency
• Bluetooth
– Rich attack surface
– Based on profiles; 30+ profiles!
– Requires pairing
• Numeric code
• Hard-coded codes => interesting!
– Possible attacks: bluejacking, bluesnarfing, bluebugging

19. Attack Surface – Physical Adjacency
• Wi-Fi
– Rich attack surface
– Similar attack surface to Bluetooth
– Very extensive

20. Attack Surface – Physical Adjacency
• NFC (Near Field Communication)
– Built on RFID
– Three main use cases
• Tags
• ‘Beam’ data
• Contactless payments
– Successful attacks on NFC
• Charlie Miller – setting up BT or Wi-Fi connections
• Georg Wicherski and Joshua J. Drake – browser attack
• MWR Labs – exploit of file format parsing in Polaris Office

21. Attack Surface – Local
• Ultimate goal: privileged code execution
• Android security architecture is based on least privilege
• Use code already running on the device to gain more privileges
• Interesting when rooting?

22. Attack Surface – Local
• The File System
– Unix based
– Attack surfaces exposed via entries in the file system
– Exposed IPC functionality
– Determining the code behind an endpoint

23. Attack Surface – Local
• System Calls
– The kernel is responsible for handling system calls
– The kernel handles malicious data in system calls
– Search for “SYSCALL_DEFINE” in the kernel source code

24. Attack Surface – Local
• Binder
– Unique to Android
– Basis of Intents
– Driver in the kernel
– Services in native code on top of Binder => deeper attack surfaces => privilege escalation?

25. Attack Surface – Local
• Other local attack surfaces
– Shared memory
– Baseband interface
– Sockets

26. Attack Surface – Physical
• Requires physically touching the device
• Most people consider physical attacks impossible to defend against

27. Attack Surface – Physical
• Dismantling devices
– Disassembling the device and attacking the hardware itself
– Hardware not adequately protected
– Attack surfaces:
• Exposed serial ports
• Exposed JTAG debug ports
– Check Adam Outler on XDA TV!!

28. Attack Surface – Physical
• Android Debug Bridge (ADB)
– USB debugging
– “Juice Jacking”
– Now authentication with an RSA keypair

29. Attack Surface – Remote
• Largest attack surface
• Can be devastating
• Holy grail for attackers

30. Attack Surface – Remote
• Browser Attacks
– Browsers are complex systems
– A lot of web technologies and protocols
• All attack surfaces!!
– Drive-by attack = trick the user into loading a URL
– MitM attacks
– Cross-site scripting (XSS) and Cross-site request forgery (CSRF)
– Same-Origin Policy (SOP)

31. Attack Surface – Remote
• Other Attacks
– Ad networks
– Media and document processing
– Google infrastructure
– Malicious apps – third-party app ecosystems

32. Security in web-based applications
• WebView component
• WebKit web browser engine
• Extensive use in hybrid applications
• Remote attack surface => security issues
Source: MWR InfoSecurity

33. Security in web-based applications
• Disable support for plugins
– Additional attack surface -> needed?
– webview.getSettings().setPluginsEnabled(false)
• Disable file system access
– Access to local resources
– Enabled by default!
– webview.getSettings().setAllowFileAccess(false)
• Disable JavaScript
– webview.getSettings().setJavaScriptEnabled(false)

34. Security in web-based applications
• WebView issues
– Is JS necessary?
– Nothing against MitM => use crypto
– Origin checking!
– Only load trusted third-party content
– The Java-JavaScript bridge is dangerous!!!!
• SOP not enforced over the bridge

35. Security in web-based applications
• WebView issues
Executing Java code in the context of your app!

36. Security in web-based applications
• Resource inspection
– Intercept page loads
– Check against a whitelist of trusted parties
– Override native methods in WebViewClient

37. Security in web-based applications

38. Security in web-based applications
• Resource inspection
– What about IFrames, content between script tags or XmlHttpRequests?
– Not intercepted by shouldOverrideUrlLoading
– Override shouldInterceptRequest

39. Security in web-based applications
A list of useful methods (http://xda-devcon.com/index.html)
• getHost – Gets the encoded host from the authority for the URI
• xda-devcon.com
• getScheme – Gets the scheme of the URI
• http
• getPath – Gets the decoded path
• index.html

40. Security in web-based applications
• addJavaScriptInterface
– Dangerous
– SOP is not enforced for the bridge!
– IFrames => nightmare
– Hybrid software stacks use this!
• Apache Cordova
• Sencha Touch
– Fracking attacks => generic for all hybrid frameworks

41. Security in web-based applications: Conclusion
– Difficult to get right
– Pattern matching for the whitelist is of extreme importance
– Watch out for hybrid mobile apps
– Consider the effort of developing native

42. Thanks!! Q & A?
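The WebView hardening and whitelist-based resource inspection described in slides 33 to 41, as an added example that is not code from the talk: the class name, the trusted host list and the placeholder hosts are assumptions.

```java
import android.net.Uri;
import android.webkit.WebResourceResponse;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example (not from the talk): hardens a WebView and restricts every
// load to an explicit list of trusted hosts. Class name and hosts are placeholders.
public final class HardenedWebView {
    // Exact hostnames only. A prefix or substring test such as
    // host.contains("example.com") would also accept example.com.attacker.net.
    private static final Set<String> TRUSTED_HOSTS = new HashSet<>(
            Arrays.asList("app.example.com", "cdn.example.com"));

    // Whitelist check shared by top-level navigations and sub-resources.
    static boolean isTrusted(String url) {
        Uri uri = Uri.parse(url);
        String host = uri.getHost();
        // Require TLS so a man-in-the-middle cannot replace the content, and
        // compare the parsed host (not the raw URL string) against the list.
        return "https".equals(uri.getScheme()) && host != null
                && TRUSTED_HOSTS.contains(host.toLowerCase());
    }

    public static void configure(WebView webview) {
        WebSettings settings = webview.getSettings();
        settings.setJavaScriptEnabled(false);   // enable only if the app really needs JS
        settings.setAllowFileAccess(false);     // file:// access is on by default
        settings.setAllowContentAccess(false);  // no content:// provider access
        settings.setPluginState(WebSettings.PluginState.OFF); // newer form of setPluginsEnabled(false)
        // No addJavascriptInterface(): the Java-JavaScript bridge is not covered
        // by the same-origin policy, so any loaded frame could reach it.
        webview.setWebViewClient(new WebViewClient() {
            // Links and redirects (top-level navigations) are checked here.
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isTrusted(url);  // true = the WebView must not load it
            }
            // IFrames, <script> sources and XmlHttpRequests never reach the method
            // above, so sub-resources are inspected here and an untrusted origin
            // gets an empty response instead of the real content.
            @Override
            public WebResourceResponse shouldInterceptRequest(WebView view, String url) {
                if (isTrusted(url)) return null;  // null = let the WebView fetch it
                return new WebResourceResponse("text/plain", "UTF-8",
                        new ByteArrayInputStream(new byte[0]));
            }
        });
    }
}
```

Call `HardenedWebView.configure(webview)` before the first `loadUrl`; a URL such as `https://app.example.com.attacker.net/` fails `isTrusted` because the parsed host is compared exactly, which is the pattern-matching pitfall the conclusion slide warns about.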