cs 563 mobile os device security
play

CS 563 Mobile OS & Device Security Advanced Computer Security - PowerPoint PPT Presentation

Jun 01, 2023 •282 likes •807 views

CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois at Urbana-Champaign Presentation by: Gliz Seray Tuncay Administrative Announcements : Reaction paper was due today (and all classes)

  1. CS 563 Mobile OS & Device Security Advanced Computer Security CS 563 University of Illinois at Urbana-Champaign Presentation by: Güliz Seray Tuncay

  2. Administrative Announcements : • Reaction paper was due today (and all classes) • Feedback for reaction papers soon • “Preference Proposal” Homework due 9/24 Learning Objectives : • Background of mobile OSes • Study the security fundamentals of Android OS • Discuss privilege escalation and web attacks Reminder : Please put away (backlit) devices at the start of class 2

  3. Mobile Phone Evolution • Basic Phone • Phone with SIM Application Toolkit (STK) – Tiny programs stored on GSM SIM cards – Typically enable value-added features • Feature Phones – Extra features on the phone firmware itself – Typically provided by the phone manufacturer • Smart Phones – API available that enables third-party apps 3

  4. Growth of Mobile OS 4

  5. Mobiles, Tablets, PC sales 6

  6. PC versus Smart Phones • Why worry specifically about mobile OS security? – Smart phones are computing platforms similar to desktop OS: why not use the same principles? • PC versus Smart Phones – Users: Root privileges typically not given to user – Persistent Personal Data • Input is cumbersome, so credentials are frequently stored – Battery performance is an issue • Implementing some security features may drain battery – Network usage can be expensive 7

  7. PC versus Smart Phones (cont’d) • Unique features in Smart Phones – Location Data • GPS and Wifi-based tracking – Premium SMS Messages (expensive) – Making and recording phone calls – Logs of previously sent SMS – Different authentication mechanisms • Fingerprint reader (available across platform) • Face Unlock (Android 5.0) • Trusted Places, Devices, Voice (Android 5.0) – Specific markets for mobile apps 8

  8. 9

  9. Mobile OS Security Frameworks • Covered – Android Security Model • Not Covered – Apple iOS – Windows OS – Blackberry 10

  10. Android 11

  11. Android • Platform outline: – Linux kernel – Embedded Web Browser – SQL-lite database – Software for secure network communication • Open SSL, Bouncy Castle crypto API and Java library – Java platform for running applications – C language infrastructure – Also: video APIs, Bluetooth, vibrate phone, etc. 12

  12. ART ( > v4.4)

  13. Android Market (Google Play Store) • Self-signed apps • Open market – Not rigorously reviewed by Google (unlike Apple) – Bad applications may show up on market – Malware writers can get code onto platform: Self- signed applications are possible • shifts focus from remote exploit to privilege escalation 14

  14. Android Application Structure • 4 components – Activity – one-user task • E.g., scroll through your inbox – Service – Java daemon that runs in background • E.g., application that streams an mp3 – Broadcast receiver • “mailboxes” for messages from other applications – Content provider • Store and share data using a relational database interface • Activating components – Via Intents 15

  15. Android Intents • Message between components in same or different app • Intent is a bundle of information, e.g., – action to be taken – data to act on – category of component to handle the intent – instructions on how to launch a target activity • Routing can be – Explicit: delivered only to a specific receiver – Implicit: all components that have registered to receive that action will get the message 16

  16. Android Manifest File • Declarations – Components – Component capabilities • Intent filters • Permissions etc. – App requirements • Permissions • Sensors etc. 17

  17. Android Permissions • Example of permissions provided by Android – “android.permission.INTERNET” – “android.permission.READ_EXTERNAL_STORAGE” – “android.permission.SEND_SMS” • Protection levels – Dangerous, normal, signature • Also possible to define custom permissions – To enable or disable other apps to call their features • Used to be granted at installation but… 18

  18. Android Permissions • Example of permissions provided by Android – “android.permission.INTERNET” – “android.permission.READ_EXTERNAL_STORAGE” – “android.permission.SEND_SMS” • Protection levels – Dangerous, normal, signature • Also possible to define custom permissions – To enable or disable other apps to call their features • Used to be granted at installation but… 19

  19. Android Runtime Permissions • Runtime permissions – Dangerous permissions granted at runtime – Normal and signature permissions still granted at installation – Only valid for modern apps (API >= 23), permissions are still install time for legacy app – Permissions granted based on a permission group basis 20

  20. Android Permission Groups • All dangerous permissions in a group will be granted! Q: Which permission model do you prefer: Installation-Time vs Ask- On-First-Use vs something else? As a user? Complications for developers? 21

  21. Isolation • Multi-user Linux operating system • Each application normally runs as a different user – Each app has its own VM – Traditional linux-based permissions apply (DAC) • Applications announce permission requirement – Create a whitelist model – user grants access – ICC reference monitor checks permissions (MAC) App 1 App 2 Dalvik / ART Dalvik / ART Linux Process Linux Process 23

  22. Inter-component Communication • Flexibility and reusability important for Android – Enable apps to work together to accomplish things • Apps communicate through application framework – Intents based on Binder IPC – Implemented in kernel as a driver 25

  23. Binder IPC & Permission Enforcement App 1 App 2 A1C1 A2C1 Intent File System, Sockets ICC Reference Monitor MAC Android Middleware uids of caller and callee Binder IPC DAC Linux Kernel Q: Heavily relying on IPC (Android) vs completely standalone apps (iOS, kind of)? Which one do you think is better? 26

  24. 27

  25. Android malware 29

  26. Android malware 30

  27. Attacks on Android • Privilege Escalation Attacks on Android • Web Attacks on Android • Phishing • Clickjacking • Side-channel etc. 31

  28. Privilege Escalation Attacks on Android • Gaining elevated access to resources that are normally protected from an application • 2 major classes – confused deputy attacks: leveraging unprotected interfaces of benign applications • Permission re-delegation attacks – collusion attacks: malicious applications merge their permissions • Other interesting ones: mobile OS update etc. 32

  29. Permission Re-delegation Attacks confused deputy Wi-Fi Manager Permission ? i F - Wi-Fi Control i W s s e c c requested in A App advance Access Wi-Fi? Access Wi-Fi? Permission Attack App not requested 33 [FeltUSENIX11] Felt, Adrienne Porter, et al. "Permission Re-Delegation: Attacks and Defenses." USENIX Security Symposium . 2011.

  30. Why could this happen? • App w/ permissions exposes a public interface – The “deputy” app may accidentally expose privileged functionality… – … or intentionally expose it, but the attacker invokes it in a surprising context • Example: broadcast receivers in Android – … or intentionally expose it, attempt to reduce the invoker’s authority, but do it incorrectly • Dynamic (programmatic) permission checks – checkCallingPermission(), checkCallingOrSelfPermission() etc. 34 [FeltUSENIX11] Felt, Adrienne Porter, et al. "Permission Re-Delegation: Attacks and Defenses." USENIX Security Symposium . 2011.

  31. Public Interfaces in Android Manifest • Via exported tag – <service android:name=“.WiFiService” android:exported=“true”> </service> • Via intent filters – <receiver android:name=“.WiFiBroadcastReceiver”> <intent-filter> <action android:name=“android.intent.action.WIFI”/> </intent-filter> Component is still public if </receiver> android:exported=“false” and It has an intent filter! 35 [FeltUSENIX11] Felt, Adrienne Porter, et al. "Permission Re-Delegation: Attacks and Defenses." USENIX Security Symposium . 2011.

  32. Public Interfaces in Android Manifest 36

  33. Public Interfaces in Android Manifest 37

  34. Prevalence of Public Interfaces • Examine 872 apps • 320 of these (37%) have permissions and at least one type of public component • 9% of all apps perform dynamic permission checks – But typically to protect content providers and not services or broadcast receivers – Only 1 application in a random set w/ 50 apps does so to protect a service or broadcast receiver • 11 of 16 system applications are at risk 38 [FeltUSENIX11] Felt, Adrienne Porter, et al. "Permission Re-Delegation: Attacks and Defenses." USENIX Security Symposium . 2011.

  35. Implementing the attack • Constructing the attack – Build call graph of the app – Search the call graph to find paths from public entry points to protected system APIs • Likely to miss some viable paths – Cannot detect flow through callbacks • Only construct attacks on API calls for verifiable side effects 39 [FeltUSENIX11] Felt, Adrienne Porter, et al. "Permission Re-Delegation: Attacks and Defenses." USENIX Security Symposium . 2011.

Recommend

Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device

Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device

Towards a Unified Framework for Mobile Device Security Wayne A. Jansen, NIST Mobile Device Background* Mobile Device Background* Mobile Device Background* Mobile Device Background* Inexpensive, ubiquitous, wireless, networked,

478 views • 19 slides
Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security

CS 155 Spring 2018 Mobile Device and Platform Security Part II John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories Physical, platform malware, malicious apps Defense

1.17k views • 93 slides
Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction:

Spring 2018 CS 155 Mobile Device and Platform Security John Mitchell Two lectures on mobile security Introduction: platforms and trends Threat categories n Physical, platform malware, malicious apps Defense against physical theft Thurs

1.28k views • 64 slides
Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device

Mobile Application Security Testing and Code Review 19 Nov 2013 Mobile and Smart Device Security 2013 Boston, MA Presen sented ted by: Francis Brown &amp; Joe DeMesy Bishop Fox www.bishopfox.com Introductions VERY QUICKLY

3.77k views • 83 slides
Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda

Mobile Device Security and Privacy Information Security and Privacy Office January 2012 Agenda Protecting mobile devices and your privacy Protecting Mobile Devices and Your Privacy Before We Start The City of Phoenix does not

971 views • 52 slides
Edgefield SS Mobile Device Management Briefing Date: 17 th April 19 Mobile device management

Edgefield SS Mobile Device Management Briefing Date: 17 th April 19 Mobile device management

Edgefield SS Mobile Device Management Briefing Date: 17 th April 19 Mobile device management (MDM) An MDM solution control to deploy, monitor, and manage devices Basic F c Fea eatures in ScreenGuide de [Parent] Configure daily Screen Time

144 views • 12 slides
CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL:

CSE 543 - Computer Security Lecture 26 - Mobile phone security December 11, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Mobile Phones Networked device

302 views • 11 slides
CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software

CS 528 Mobile and Ubiquitous Computing Lecture 11: Mobile Security and Mobile Software Vulnerabilities Emmanuel Agu Mobile Security Issues Introduction So many cool mobile apps Access to web, personal information, social media, etc

1.05k views • 55 slides
Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC

Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC

Securing Next- generation Mobile Platf orms: The User- to- Device Authentication I ssue MPSoC (August 2006) Srivaths Ravi (Email: sravi@nec- labs. com) NEC Laboratories America Princeton, NJ Security Requirements of Mobile Appliances

159 views • 12 slides
CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Mobile Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Mobile computing You are tasked in developing a mobile computing system. What features do you need? How do you ensure device

383 views • 24 slides
Practical Attacks against Mobile Device Management Solutions Michael Shaulov, CEO

Practical Attacks against Mobile Device Management Solutions Michael Shaulov, CEO

Practical Attacks against Mobile Device Management Solutions Michael Shaulov, CEO michael@lacoon.com Daniel Brodie, Sr Security Researcher daniel@lacoon.com About: Daniel Security researcher for nearly a decade From PC to Mobile

693 views • 54 slides
MOBILE TOUCHSCREEN UI FARHANA HAQUE TOUCHSCREEN MOBILE Input device: mobile phone Layered

MOBILE TOUCHSCREEN UI FARHANA HAQUE TOUCHSCREEN MOBILE Input device: mobile phone Layered

MOBILE TOUCHSCREEN UI FARHANA HAQUE TOUCHSCREEN MOBILE Input device: mobile phone Layered with special type of glass on top User interact directly on the glass Interaction through finger or stylus HAPTIC FEEDBACK Touch

294 views • 17 slides
What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017

What, exactly, is different or new about MOBILE mobile security? SECURITY TECHNOLOGIES 2017 Dan S. Wallach , Rice University tl;dr The computers inside the computer Every chip has one or more CPUs inside; they have exploitable bugs

1.23k views • 87 slides
Data Collection through Device- to-Device Communications for Mobile Big Data Sensing Hanshang Li,

Data Collection through Device- to-Device Communications for Mobile Big Data Sensing Hanshang Li,

Data Collection through Device- to-Device Communications for Mobile Big Data Sensing Hanshang Li, Ting Li, Xinghua Shi and Yu Wang College of Computing and Informatics University of North Carolina at Charlotte May 17 , 2016 @ The First

566 views • 39 slides
A Snapshot of the Mobile HTML5 Revolution @ jamespearce The Pledge Single device Multi device

A Snapshot of the Mobile HTML5 Revolution @ jamespearce The Pledge Single device Multi device

A Snapshot of the Mobile HTML5 Revolution @ jamespearce The Pledge Single device Multi device Sedentary user Mobile user * Declarative Imperative Thin client Thick client Documents Applications * or supine, or sedentary, or passive,

1.03k views • 84 slides
Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Hardware and Device Drivers Device virtualization Device drivers and security Bjrn

Outline Faculty of Computer Science Institute for System Architecture, Operating Systems Group What's so different about device drivers? Hardware access Writing device drivers on L4 Reuse of legacy drivers Hardware and Device

619 views • 12 slides
Secure and Usable Out-Of-Band Channels for Ad hoc Mobile Device Interactions Ronald Kainda, Ivan

Secure and Usable Out-Of-Band Channels for Ad hoc Mobile Device Interactions Ronald Kainda, Ivan

Introduction HISP OOB Channels Problem definition Proposed methods Security and usability study Conclusion Secure and Usable Out-Of-Band Channels for Ad hoc Mobile Device Interactions Ronald Kainda, Ivan Flechais, A.W. Roscoe Workshop in

650 views • 18 slides
IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

LECTURE IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE Program Runtime Attacks Wireless Security Side Channels CONNECTED DEVICES Thread Intelligence Secure Group Communication

1.04k views • 6 slides
Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction

Latest Trends in Mobile Security By M K Chaithanya C-DAC Hyderabad Outline Introduction Statistics of Mobile Usage Current State of Mobile Security Recent Attacks Various Mobile Threats Security &amp; Privacy

1.03k views • 57 slides
www.unique-project.eu Exchange of security-critical data Computing Device Computing Device

www.unique-project.eu Exchange of security-critical data Computing Device Computing Device

www.unique-project.eu Exchange of security-critical data Computing Device Computing Device generates, stores and processes security-critical information 2 PUFs: Myth, Fact or Busted? CHES 2012 However: Cryptographic secrets can be leaked

443 views • 26 slides
Mobile Device Security: Threats, Governance, and Safeguards Larry G. Wlosinski, CISSP, CAP,

Mobile Device Security: Threats, Governance, and Safeguards Larry G. Wlosinski, CISSP, CAP,

April 2016 Mobile Device Security: Threats, Governance, and Safeguards Larry G. Wlosinski, CISSP, CAP, CCSP, CISM, CISA, CRISC, CBCP, CDP, ITIL v3 L_Wlosinski@Hotmail.com 1 Larry G. Wlosinski, CISSP, CAP, CCSP, CISM, CISA, CRISC, CBCP, CDP,

1.3k views • 93 slides
Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues.

Mobile network security issues A very short overview of some mobile security issues. Mobile access is expected to become the main access method. Services and mobile commerce (mCommerce) are expected to become a major business.

818 views • 20 slides
Trends in Mobile Device Forensics Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE, TJFC Director -

Trends in Mobile Device Forensics Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE, TJFC Director -

8/29/2016 Trends in Mobile Device Forensics Jonathan Rajewski, MS, CCE, CFE, CISSP, ENCE, TJFC Director - Senator Leahy Center for Digital Investigation @jtrajewski Associate Professor - Digital Forensics | Cyber Security

344 views • 18 slides
Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project

Mobile Apps INFM 603 Week 10 Agenda Questions Mobile Apps HCI Project discussions Native Apps Live on device Access to all device features GPS, accelerometer, compass, list of contacts Written for specific

654 views • 38 slides

More recommend