Slide1
Cellular Networks and Mobile Computing
COMS 6998-1, Fall 2012
Instructor: Li Erran Li (lel2139@columbia.edu)
http://www.cs.columbia.edu/~lierranli/coms6998-11Fall2012/
Lecture 12: Mobile Platform Security: Attacks and Defenses
11/27/12
Cellular Networks and Mobile Computing (COMS 6998-11)
Slide2
Mobile Security Attacks and Defenses
- Inter-application communication related attacks
  - Permission re-delegation (confused deputy attacks)
  - Collusion attacks
- System vulnerability based attacks
  - Control flow attacks (code injection attacks)
  - Root exploits (e.g. adbd bug used by DroidKungfu malware)
- Application specific attacks (e.g. texting apps)
Slide3
Permission Re-delegation: Attacks and Defenses
Adrienne Porter Felt¹, Helen J Wang², Alexander Moshchuk², Steve Hanna¹, Erika Chin¹
¹University of California, Berkeley
²Microsoft Research
Slide4
Modern client platforms
- Applications are untrusted, or partially trusted
- Isolated from each other, except for IPC
- By default, denied access to private devices and data
- Users explicitly grant permissions for devices, data
- Each application may have its own set of permissions
Courtesy: Felt et al.
Slide5
Permissions
Android, iOS, HTML5, browser extensions…
Slide6
Permission re-delegation
- Permission re-delegation occurs when an application without a permission gains additional privileges through another application
- A special case of the confused deputy problem
- Privilege obtained through user permissions
Slide7
[Diagram labels: Demo malware, pressButton(0), Settings, toggleWifi(), Permission System, API]
Slide8
Outline
- Threat model
- Permission re-delegation is a real problem, and systems should not permit permission re-delegation
- We propose IPC Inspection as a defense mechanism
Slide9
The permission system
- Permission system enforces user’s permission policy
[Diagram labels: Malware, Deputy, toggleWifi(), Permission System, API]
Slide10
The deputy
- Has user authorization
- Not malicious, but not a security watchdog
- Exposes public services
- Confused? Careless?
[Diagram labels: Malware, Deputy, toggleWifi(), Permission System, API]
Slide11
The attacker
- User installs/runs it, but doesn’t trust it
- Exploits a deputy to access a resource
[Diagram labels: Malware, pressButton(0), Deputy, toggleWifi(), Permission System, API]
Slide12
Real world permission re-delegation attacks
Android case study, precautionary for the future of the web
Slide13
Identifying candidates
- Two necessary preconditions for an attack:
  - Has a dangerous permission
  - Has a public interface
- Analyzed manifests of 872 Android applications
  - 16 system apps, 756 most popular, 100 recently uploaded
- 320 apps (37%) are candidates for attacks
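A minimal manifest audit for the two preconditions above, added here as an illustration (it is not the tool from the paper). The permission set is a small illustrative subset, the manifest is constructed, and treating a component guarded by android:permission as not public is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Illustrative subset of Android "dangerous" permissions, not the full list.
DANGEROUS = {
    "android.permission.SEND_SMS", "android.permission.CALL_PHONE",
    "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
}
COMPONENTS = ("activity", "service", "receiver", "provider")

def is_public(component):
    """True if other apps can reach the component without holding a permission."""
    if component.get(NS + "permission"):
        return False  # simplification: a permission-guarded entry point is not counted
    exported = component.get(NS + "exported")
    if exported is not None:
        return exported == "true"
    # No explicit flag: an intent filter made the component exported by default
    # on Android versions before 12 (provider defaults are not modelled here).
    return component.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Check both preconditions: a dangerous permission and a public interface."""
    root = ET.fromstring(xml_text)
    held = {p.get(NS + "name") for p in root.iter("uses-permission")}
    dangerous = sorted(held & DANGEROUS)
    public = sorted(c.get(NS + "name") for tag in COMPONENTS
                    for c in root.iter(tag) if is_public(c))
    return {"dangerous": dangerous, "public": public,
            "candidate": bool(dangerous and public)}

# Constructed manifest for a hypothetical app, com.example.deputy.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.deputy">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".Main" android:exported="false"/>
    <receiver android:name=".SendReceiver">
      <intent-filter><action android:name="com.example.SEND"/></intent-filter>
    </receiver>
    <service android:name=".Guarded" android:exported="true"
             android:permission="com.example.permission.USE_DEPUTY"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```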
Slide14
Finding exploits
- Built tool for finding attacks
- Call graph analysis: find paths from public entry points to protected API calls
- Manually verified all exploits
[Diagram labels: Public entry points, API calls]
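A sketch of the call graph search described above, added as an example and not the authors' tool: breadth-first search from public entry points to protected API calls. The call graph and method names are constructed, and the `guards` set (methods assumed to check the caller's permission) is an addition that goes beyond the slide.

```python
from collections import deque

def find_paths(call_graph, entry_points, protected_calls, guards=frozenset()):
    """Return one shortest call path per (entry point, protected API call) pair.

    guards: methods assumed to verify the caller's permission before continuing;
    the search does not follow calls out of them.
    """
    findings = []
    for entry in entry_points:
        parent = {entry: None}
        queue = deque([entry])
        while queue:
            node = queue.popleft()
            if node in protected_calls:
                path = []
                while node is not None:      # walk parents back to the entry point
                    path.append(node)
                    node = parent[node]
                findings.append(path[::-1])
                continue
            if node in guards:
                continue
            for callee in call_graph.get(node, ()):
                if callee not in parent:
                    parent[callee] = node
                    queue.append(callee)
    return findings

# Constructed call graph (caller -> callees); method names are illustrative.
CALL_GRAPH = {
    "SettingsAppWidgetProvider.onReceive": ["SettingsAppWidgetProvider.toggleWifi", "Log.d"],
    "SettingsAppWidgetProvider.toggleWifi": ["WifiManager.setWifiEnabled"],
    "ExportService.onStartCommand": ["ExportService.enforceCaller"],
    "ExportService.enforceCaller": ["SmsManager.sendTextMessage"],
    "InternalHelper.run": ["SmsManager.sendTextMessage"],   # not a public entry point
}
ENTRY_POINTS = ["SettingsAppWidgetProvider.onReceive", "ExportService.onStartCommand"]
PROTECTED = {"WifiManager.setWifiEnabled", "SmsManager.sendTextMessage"}
GUARDS = {"ExportService.enforceCaller"}

if __name__ == "__main__":
    for path in find_paths(CALL_GRAPH, ENTRY_POINTS, PROTECTED, GUARDS):
        print(" -> ".join(path))
```

Each reported path is only a candidate; as the slide says, the findings still have to be verified by hand.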
Slide15
Attacks
- Built attacks using 5 of the 16 system apps
- Found 15 attacks in the 5 applications
- Several confirmed and fixed
- This is a lower bound; likely more exist
Slide16
Attack on the settings app
[Diagram labels: Demo malware; Message: 0://0#0; Settings; com.android.settings.widget.SettingsAppWidgetProvider; User pressed button[0]; wifiManager.setWifiEnabled(true); Permission System; API]
Slide17
More example attacks
- DeskClock:
  - Start an internal service
  - Tell it to infinitely vibrate with a WAKE_LOCK on
- Phone:
  - Trigger the “phone call answered” message receiver
  - Phone call will be silenced, vibrate cancelled
Slide18
Preventing permission re-delegation
Slide19
Our goals
- We don’t want to rely on application developers for prevention
- Enable the system to prevent permission re-delegation
- We don’t want to break applications
Slide20
IPC Inspection
- When a deputy receives a message, system reduces deputy’s permissions (for the session) to: {requester’s permissions} ∩ {deputy’s permissions}
- A deputy’s current set of permissions captures its communication history
- Deputy can specify who can(not) send it messages
- Generalizes stack inspection to IPC calls
Slide21
Handling a potential attack
- Time-of-use system
  - Add a new runtime prompt for permission re-delegation
- Install-time system
  - Requester must statically ask for necessary permissions
  - Permission re-delegation is simply blocked at runtime
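A toy model of IPC Inspection with install-time behaviour, added as an example (not the authors' Android implementation): each request gets a fresh deputy instance whose permissions are the intersection of the requester's current set and the deputy's granted set. The Relay and Trusted widget apps are hypothetical.

```python
class App:
    def __init__(self, name, granted):
        self.name = name
        self.granted = frozenset(granted)   # permissions the user approved
        self.current = self.granted         # effective set of this instance

def deliver(requester, deputy):
    """IPC Inspection: start a fresh deputy instance for this request and reduce
    its permissions to {requester's current} & {deputy's granted}."""
    instance = App(deputy.name, deputy.granted)
    instance.current = deputy.granted & requester.current
    return instance

def api_call(app, permission):
    """Install-time behaviour: a call outside the current set is simply blocked."""
    if permission not in app.current:
        raise PermissionError(f"{app.name} lacks {permission} in this session")
    return f"{app.name}: {permission} allowed"

WIFI = "CHANGE_WIFI_STATE"

def toggle_wifi_through(*chain):
    """Send a request along chain[0] -> chain[1] -> ...; the last app calls the API."""
    sender = chain[0]
    for deputy in chain[1:]:
        sender = deliver(sender, deputy)
    return api_call(sender, WIFI)

# Constructed apps: only the names Settings and Demo malware come from the slides.
settings = App("Settings", {WIFI})
malware = App("Demo malware", set())
relay = App("Relay", {WIFI})              # hypothetical second deputy
widget = App("Trusted widget", {WIFI})    # hypothetical requester that declared WIFI

if __name__ == "__main__":
    print(toggle_wifi_through(widget, settings))        # allowed
    print(toggle_wifi_through(settings))                # user-driven primary instance
    for chain in ((malware, settings), (malware, relay, settings)):
        try:
            toggle_wifi_through(*chain)
        except PermissionError as err:
            print("blocked:", err)
```

The second blocked chain shows the "communication history" point: Relay holds the permission itself, but its instance serving the malware does not, so Settings is reduced as well.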
Slide22
Application instances
- Deputy might need to service user and multiple app requesters simultaneously
- Solution: create one instance per request
  - User interacts with primary instance
  - When new interaction starts, create a new “application instance”
  - Each instance has its own set of current permissions
  - However, instances share app storage, etc.
Slide23
Implementation
- Android implementation: modify PackageManager, ActivityManager
  - PackageManager installs applications, stores permissions, enforces permission requirements
  - ActivityManager notifies PackageManager when relevant events happen, e.g. starting Activity, receiving Broadcast Intent
- A few hundred lines of code
Slide24
Evaluation
- Do we break applications?
- Do we stop attacks?
Slide25
Broken applications
20 Android applications
Developers might need to make changes to these applications:
- Intentional Deputy: 5 applications (25%)
- Requester: 6 applications (30%)
One application is both an intentional deputy and a requester
Of those requesters: 2 of 6 requesters (10% of apps) need to add permissions
Slide26
Effectiveness at attack prevention
20 Android applications
IPC Inspection prevents these from being exploited:
- Unintentional Deputy: 4 applications (20%)
Also stops all the attacks on the built-in system applications
Slide27
Conclusion
- Real world permission re-delegation vulnerabilities exist
  - A third of Android system applications contain permission re-delegation attacks
- Future systems should be designed to prevent permission re-delegation
- IPC Inspection: an OS mechanism that prevents permission re-delegation
  - Install-time: some requesters will need to add permissions
Slide28
Guess Who’s Texting You? Evaluating the Security of Smartphone Messaging Applications
Sebastian Schrittwieser
Slide29
Smartphone Messaging
- Aim at replacing traditional text messaging (SMS) and GSM/CDMA/3G calls
- Free phone calls and text messages over the Internet
- Novel authentication concept
- Phone number used as single authenticating identifier
Slide30
[Diagram labels: Internet, Telecom infrastructure]
Slide31
Motivation

| | Traditional SMS/talk | Messenger/VoIP Apps |
|---|---|---|
| Protocol | proprietary | HTTP(S), XMPP |
| Security | cryptographically sound authentication (SIM card) | application dependent, much weaker authentication (phone number, IMEI, UDID) |

Users’ perception: SMS/talk
Slide32
Evaluation
- Authentication Mechanism and Account Hijacking
- Sender ID Spoofing / Message Manipulation
- Unrequested SMS / phone calls
- User Enumeration
- Modifying Status Messages
Slide33
Experimental Setup
- Samsung Nexus S running Android 2.3.3 and Apple iPhone 4 running iOS 4.3.3
- SSL proxy to read encrypted HTTPS traffic
- Used to understand the protocol, not for the actual attack (i.e., MITM between victim and server)!
Slide34
Certificates?
Slide35
Slide36
WhatsApp
WowTalk
Viber
Forfone
Tango
EasyTalk
Voypi
eBuddy XMS
HeyTell
Slide37
WhatsApp
Paper: Guess who’s texting you? Evaluating the Security of Smartphone Messaging Applications
Schrittwieser, S., Frühwirt, P., Kieseberg, P., Leithner, M., Mulazzani, M., Huber, M., Weippl, E., NDSS 2012
Slide38
WhatsApp
- Instant Messaging
- Status messages
- 23+ million users worldwide (estimation)
- > 10 billion messages per day
- Clients available for Android, iOS, Symbian and Blackberry
Slide39
Slide40
Authentication in WhatsApp
Slide41
Slide42
Attack against authentication
Slide43
Attack against authentication
- Intercepting the connection between the server and the attacker’s phone
- The victim’s phone isn’t involved in the attack at all
- Similar attacks successful in 6 out of 9 tested applications
Slide44
WowTalk
Slide45
Free SMS (WhatsApp)
- Authentication code in HTTPS request can be replaced with arbitrary text
- No server-side validation (command injection?)
- Forwarded to SMS proxy and sent via SMS
- Can be misused for sending free SMS
Slide46
Status Messages
Slide47
Slide48
https://s.whatsapp.net/client/iphone/u.php?cc=countrycode&me=phonenumber&s=statusmessage
Slide49
Sender ID spoofing
- Example: Forfone
  - Messages are authenticated by IMEI (Android) or UDID (iOS)
  - Both numbers can be accessed by 3rd party applications
- Voypi: no authentication at all
Slide50
User Enumeration
- Applications upload the user’s address book to the server
- Server compares the contained phone numbers to already registered phone numbers
- Server returns a subset list containing only phone numbers that are registered
- Entire user base enumeration?
Slide51
User Enumeration
- US area code 619 (Southern San Diego)
- Number range: +1 (619) XXXXXXX
- 10 million possible phone numbers
- Uploaded entire number range in chunks of 5000 numbers each
- WhatsApp returned a subset containing 21.095 (active) phone numbers
Slide52
On vacation
Sleeping
at work but not doing shit
Nicaragua in 4 days!!
Heartbroken
Missing my love!
At work ... Bleh.
On my way to Ireland!
I’m never drinking again
Slide53
Slide54
User Enumeration
- Entire Austria (population: 8.3 million)
- 4 carriers, 12.3 million SIM cards
- Uploaded entire number range in chunks of 5000 numbers each
- Server returned 182.793 WhatsApp users (phone number + status message) in less than 5 hours
Slide55
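Results

| Application | Account Hijacking | Spoofing/Manipulation | Unrequested SMS | Enumeration | Other Vulnerabilities |
|---|---|---|---|---|---|
| WhatsApp | yes | no | yes | yes | yes |
| Viber | no | no | yes | yes | no |
| eBuddy XMS | no | no | yes | yes | no |
| Tango | yes | no | yes | yes | no |
| Voypi | yes | yes | yes | yes | yes |
| Forfone | no | yes | yes | yes | no |
| HeyTell | yes | no | no | limited | no |
| EasyTalk | yes | no | yes | yes | no |
| Wowtalk | yes | no | yes | yes | yes |

Slide56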
Responsible Disclosure
- Research between spring and fall 2011
- Vendors notified in November 2011
- Vulnerabilities weren’t made public until NDSS
- WhatsApp fixed some vulnerabilities:
  - Account hijacking & free SMS
  - (Modifying status messages)
Slide57
Independent Results (WhatsApp)
- Andreas Kurtz (June 2011)
  - account hijacking
- SEC Consult Vulnerability Lab (September 2011)
  - updating arbitrary users' status
  - account hijacking (brute force)
  - usage of plain text protocols
- Several blog posts on WhatsApp security in 2011
Slide58
Conclusions
- 6 out of 9 tested applications have broken authentication mechanisms
- Many other vulnerabilities
- All identified flaws stem from well-known software design and implementation errors
  - Trusting the client
  - No input validation
  - No/weak authentication mechanisms
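The "trusting the client" flaw behind the Free SMS (WhatsApp) slide, seen from the server side, as an added example that is not code from the paper or from any vendor: the server generates the verification code and the SMS text itself, so nothing in the request can choose either. The class name, the send_sms callable, the TTL and the attempt limit are assumptions.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # guesses allowed per issued code (assumed policy)

class VerificationService:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical SMS gateway: callable(number, text)
        self._clock = clock
        self._pending = {}          # phone number -> [code, expires_at, attempts_left]

    def request_code(self, phone, client_fields=None):
        # Anything the client sent besides the number is ignored: the code and the
        # SMS body are produced here, so the request cannot choose either.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = [code, self._clock() + CODE_TTL, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your verification code is {code}")

    def verify(self, phone, submitted):
        entry = self._pending.get(phone)
        if entry is None:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[phone]        # expired or guessed out: force a new code
            return False
        entry[2] -= 1
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[phone]        # single use
            return True
        return False

if __name__ == "__main__":
    outbox = []                             # stands in for the SMS gateway
    svc = VerificationService(lambda number, text: outbox.append((number, text)))
    # Constructed request: the extra fields mimic a client trying to set code and text.
    svc.request_code("+10000000000", {"code": "attacker-chosen", "text": "free sms"})
    print(outbox[-1][1])
    print(svc.verify("+10000000000", "attacker-chosen"))
```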