CS 155

Spring 2013

Mobile Platform Security Models

John Mitchell

Outline
Introduction Apple iOS security model Android security model Windows 7 Mobile security model

Mobile phone market share

Many mobile apps

Mobile Operating Systems

Mobile OS Vulnerabilities
Mobile OS Exploits

Source: IBM X-Force, Mar 2011 6

Two attack vectors

Web browser Installed apps
Both are increasing in prevalence and sophistication

source: https://www.mylookout.com/mobile-threat-repo

Mobile malware attacks

Unique to phones:

Premium SMS messages Steal location Record phone calls Log SMS
Connects to botmasters Steal data Phishing Malvertising

Similar to desktop/PCs:

8

Mobile malware
Dec. 2009: Developer 09Droid uploads ~50 apps that impersonate banks Phishing/steal user credentials Mar/May 2011: DroidDream, DroidDreamLite re-package legitimate apps June 2011: Trojan impersonates Angry Birds plugin
Courtesy: Dasient

Mobile malware examples

DroidDream (Android)

Over 58 rooted apps uploaded to Google app marketplace Conducts data theft; send credentials to attackers Experimental; rick-rolled the phone Worm capabilities (targeted default ssh pwd) Worked only on jailbroken phones with ssh installed (could have been worse) Captures mTANs from SMS messages; aimed at defeating 2-factor auth Works in conjunction with Zeus botnet; sent in conjuction with user PC infection Propagates via SMS; claims to install a security certificate

Ikee (iOS)

Zitmo (Symbian, BlackBerry, Windows Mobile, & Android)

10

Outline
Introduction Apple iOS security model Android security model Windows 7 Mobile security model

11

Differences between platforms

Operating system

Unix Windows Market: Vendor controlled/Open App signing: Vendor-issued/self-signed Managed execution: Java, .Net Native execution: Objective C

Approval process for applications

Programming language for applications

12

Apple iOS

13

From: iOS App Programming Guide

iOS Platform

Kernel: based on Mach kernel like Mac OS X Core OS and Core Services: APIs for files, network, includes SQLite, POSIX threads, UNIX sockets Media layer: supports 2D and 3D drawing, audio, video Cocoa Touch: Foundation framework, OO support for collections, file management, network operations; UIKit Implemented in C and Objective-C
14

iOS Application Development

15

Apps developed in Objective-C using Apple SDK Event-handling model based on touch events Foundation and UIKit frameworks provide the key services used by all iOS applications

Apple iOS Security

Device security: Methods that prevent unauthorized use of the device Data security: Protecting data at rest, even when a device is lost or stolen Network security: Networking protocols and the encryption of data in transmission App security: Secure platform foundation

Reference: http://images.apple.com/iphone/business/docs/iOS_Security.pdf
16

Device Security
Strong passcodes Passcode expiration Passcode reuse history Maximum failed attempts Over-the-air passcode enforcement Progressive passcode timeout

17

Data Security
Hardware encryption Data protection Remote wipe Local wipe Encrypted Configuration Profiles Encrypted iTunes backups

18

Network Security
Built-in Cisco IPSec, L2TP, PPTP VPN SSL VPN via App Store apps SSL/TLS with X.509 certificates WPA/WPA2 Enterprise with 802.1X Certificate-based authentication RSA SecurID, CRYPTOCard

19

Security Services Framework

Generic Security Services framework (GSS.framework) provides a standard set of security-related services to iOS applications.

IETF RFC 2743 and RFC 4401

http://www.ietf.org/rfc/rfc2743.txt http://tools.ietf.org/html/rfc4401

20

App Security
Runtime protection

Mandatory code signing

Apps sandbox prevents access to other apps data System resources, kernel shielded from user apps Inter-app communication only through iOS APIs Code generation prevented
All apps must be signed using an Apple-issued certificate Encrypted keychain for storing identities, user names, pwds

Keychain services

CommonCrypto APIs Application data protection

Apps can take advantage of built-in hardware encryption

21

iOS Sandbox

Limit apps access to files, preferences, network, other resources Each app has own sandbox directory Limits consequences of attacks Same privileges for each app
22

Outline
Introduction Apple iOS security model Android security model Windows 7 Mobile security model

23

Android
Platform outline:

Linux (Unix operating system) kernel Browser SQL-lite database Software for secure network communication
Open SSL, Bouncy Castle crypto API and Java library

Java platform for running applications C language infrastructure

Bionic LibC (small code, good performance, no GPL)

Apache Harmony libraries Also: video stuff, Bluetooth, vibrate phone, etc.

24

25

Android challenges
Android market

Not reviewed by Google (diff from Apple) Bad applications may show up on market Malware writers may be able to get code onto platform: shifts focus from remote exploit to privilege escalation
Developers must conserve power Applications store state so they can be stopped (to save power) and restarted helps with DoS

Battery life

26

Security Features
Isolation

multi-user Linux operating system each application normally runs as a different user May share same Linux user ID
Access files from each other May share same Linux process and Dalvik VM

Communication between applications

Communicate through application framework

Based on Binder, discussed in a few slides

27

Application development process

28

Application development concepts

Activity one-user task

Service Java daemon that runs in background

Example: scroll through your inbox Email client comprises many activities

Intents asynchronous messaging system

Example: application that streams an mp3 in background

Fire an intent to switch from one activity to another Example: email app has inbox, compose activity, viewer activity
which then allows user to view that email

User click on inbox entry fires an intent to the viewer activity,

Content provider

Broadcast receiver

Store and share data using a relational database interface mailboxes for messages from other applications

29

Exploit prevention
100 open source libraries + 500 million lines new code

Goals

Open source -> no obscurity

Overflow prevention

Prevent remote attacks Secure drivers, media codecs, new and custom features ProPolice stack protection

Some heap overflow protections ASLR performance impact

First on the ARM architecture

No ASLR in initial release

Chunk consolidation in DL malloc (from OpenBSD)

Later developed and contributed by Bojinov, Boneh

Many pre-linked images for performance Cant install different images on different devices in the factory

30

Application sandbox
Application sandbox

Each application runs with its UID in its own Dalvik virtual machine
Provides CPU protection, memory protection Authenticated communication protection using Unix

domain sockets Only ping, zygote (spawn another process) run as root

Applications announces permission requirement

Create a whitelist model user grants access

But dont want to ask user often all questions asked as install time

Inter-component communication reference monitor

checks permissions

31

Layers of security

Each application executes as its own user identity Android middleware has reference monitor that mediates the establishment of inter-component communication (ICC)

32

Source: Penn State group Android security paper

33

Source: Penn State group, Android security tutorial

dlmalloc (Doug Lea)

Stores meta data in band Heap consolidation attack

Heap overflow can overwrite pointers to previous and next unconsolidated chunks Overwriting these pointers allows remote code execution Check integrity of forward and backward pointers
Simply check that back-forward-back = back, f-b-f=f

Change to improve security

Team believes this increases the difficulty of heap overflow

34

Java Sandbox
Four complementary mechanisms

Class loader
Separate namespaces for separate class loaders Associates protection domain with each class

Verifier and JVM run-time tests

NO unchecked casts or other type errors, NO array

overflow Preserves private, protected visibility levels

Security Manager
Called by library functions to decide if request is allowed Uses protection domain associated with code, user policy

35

Comparison: iOS vs Android

App approval process

Application permissions

Android apps from open app store iOS vendor-controlled store of vetted apps
Android permission based on install-time manifest All iOS apps have same set of sandbox privileges Android apps written in Java; no buffer overflow iOS apps written in Objective-C Android PIN code iOS has delayed lock, answer calls w/o code, other features

App programming language

Data protection

36

See also: http://palisade.plynt.com/issues/2011Oct/android-vs-ios/

Outline
Introduction Apple iOS security model Android security model Windows 7 Mobile security model

37

Windows Phone OS 7.0 security model

Principles of isolation and least privilege Concept of chambers. Each chamber:

Provides a security and isolation boundary Is defined and implemented using a policy system

The security policy of a chamber defines what operating system (OS) capabilities the processes in that chamber can access

38

Reference: Windows Phone 7 security model, OEG331 12/2010

Isolation
Every application on Windows Phone 7 runs in its own isolated chamber All applications have basic set of permissions, including a storage file Cannot access memory used or data stored by other applications, including the keyboard cache. No communication channels between applications, except through the cloud Non-MS applications distributed via Windows Phone Marketplace stopped in background When user switches applications, previous application is shut down Reason: application cannot use critical resources or communicate with Internetbased services while the user is not using the application

39

Four chamber types

Three chamber types have fixed permission sets Fourth chamber type is capabilities-driven.

Applications that are designated to run in the fourth chamber type have capability requirements that are honored at installation and at run-time.

40

Overview of four chambers

Trusted Computing Base (TCB) chamber

unrestricted access to most resources can modify policy and enforce the security model. kernel and kernel-mode drivers run in the TCB Minimizing the amount of software that runs in the TCB is essential for minimizing the Windows Phone 7 attack surface

41

Overview of four chambers

Elevated Rights Chamber (ERC) can access all resources except security policy.

Standard Rights Chamber (SRC) is default for pre-installed applications.

Intended for services and user-mode drivers

Least Privileged Chamber (LPC) is default chamber for all non-Microsoft applications

All applications that do not provide device-wide services Outlook Mobile is an example that runs in the SRC

LPCs are configured using capabilities as described in the following slide.

Source: Windows Phone 7 security model, OEG331 12/2010

42

Windows Phone 7 Capabilities

W7 Capability: a resource associated with user privacy, security, cost, or business concerns Examples: geographical location information, camera, microphone, networking, and sensors. The LPC defines a minimal set of access rights by default, and can be expanded using capabilities. Capabilities are granted during application installation, and their privileges cannot be elevated at run time.

43

Granting privileges to applications

Goal: application receives all capabilities that are needed to perform all its use cases, but no more. Each application discloses its capabilities to the user,

Listed on Windows Phone Marketplace. Explicit prompt upon application purchase, for those capabilities that have legal requirements for explicit disclosure and specific consent collection Disclosure within the application, when the user is about to use the location capability for the first time.

Developers use the capability detection tool that is distributed with the Windows Phone Developer Tools to create the capability list for their application. The capability list is included in the application manifest in the application package (WMAppManifest.xml).
44

Managed code
Application development model uses of managed code only

45

.NET Code Access Security

Default Security Policy is part of the .NET Framework

Default permission for code access to protected resources

Use EnvironmentPermission class for environment variables access permission. The constructor defines the level of permission (read, write,) The Deny method of the permission class denies access to the associated resource The RevertDeny method will cause the effects of any previous Deny to be cancelled

Permissions can limit access to system resources.

Deny and Revert

46

Example: code requires permission

class NativeMethods { // This is a call to unmanaged code. Executing this method // requires the UnmanagedCode security permission. Without // this permission, an attempt to call this method will throw a // SecurityException: [DllImport("msvcrt.dll")] public static extern int puts(string str); [DllImport("msvcrt.dll")] internal static extern int _flushall(); }

47

Example: Code denies permission not needed

[SecurityPermission(SecurityAction.Deny, Flags = SecurityPermissionFlag.UnmanagedCode)] private static void MethodToDoSomething() { try { Console.WriteLine( "); SomeOtherClass.method(); } catch (SecurityException) { } }
48

.NET Stackwalk
Demand must be satisfied by all callers

Ensures all code in causal chain is authorized Cannot exploit other code with more privilege
A has P?

Code A
calls

Code B
calls

B has P?

Code C

Demand P

49

Stackwalk: Assert
The Assert method can be used to limit the scope of the stack walk

Processing overhead decreased May inadvertently result in weakened security

50

Summary
Introduction Apple iOS security model Android security model Windows 7 Mobile security model

51

Differences between platforms

Operating system

Unix Windows Market: Vendor controlled/Open App signing: Vendor-issued/self-signed Managed execution: Java, .Net Native execution: Objective C

Approval process for applications

Programming language for applications

52

53

Security Comparison: iOS vs Android

iOS ASLR DEP App Store Yes Yes Large walled garden, apps manually vetted Android No No Open w/ some automated checking

App Signing Sandbox

Permissions checking Susceptible to drive-bys

Registered developer Shared across all apps

N/A Yes

Anyone can self-sign One per app (distinct user and VM per app)
User-based Yes

54