Android security research experiences
What security research involves
From the attack side, for example, this can include: methods for discovering vulnerabilities, techniques for exploiting a given vulnerability, reverse engineering to crack programs and decrypt data, and techniques for compromising a system or application such as infection and hijacking.
From the defense side: detecting and removing malicious applications, methods for detecting and preventing exploits, and providing solutions that harden the system and third-party applications.
Of course, attack and defense are fuzzy concepts; a single security technique often serves both ends, and what deserves more attention is the idea and the awareness behind a technique. Researchers need to pour inspiration into new techniques and sweat a fair amount before they get results, and the hard exploration process brings a great sense of accomplishment. I too often shout with excitement when the $ in an Android adb shell turns into # (the terminal process going from ordinary user to root), because that moment is usually preceded by a complex vulnerability analysis and exploitation process.
Knowledge you need
Before formally starting security research, you first need to master certain knowledge and skills. The body of knowledge that security touches is unlimited, and most of the time you can learn the relevant material as a problem comes up, but I think the following should be mastered in advance.
"Theoretical knowledge to master"
Mainly operating system principles. This is very important knowledge and the premise for understanding any particular system. Although university textbooks use the Linux kernel as the teaching case, the Windows kernel that Microsoft released as the Windows Research Kernel (WRK below) is very good learning material. Rather than just reading and analyzing the source, it helps far more to compile the kernel and the system yourself and then step through the kernel with a debugger. Finally, you can try to write your own kernel driver module or analyze existing kernel rootkits to deepen your understanding of the operating system. For a very long period at university I analyzed WRK and came to understand system boot, memory management, process management, thread scheduling, the file system, network drivers and so on, which has helped me a great deal. Since development and debugging on embedded platforms have certain limitations and inconveniences, I do not recommend starting your research on a mobile device's operating system kernel; building this knowledge base on a PC is more convenient.
On the mobile platform, understanding operating systems helps us further understand the Android system itself, and only once the Android system is understood can we discuss the security of the Android system. It is a gradual process.
"A few languages to master"
A researcher does not need especially strong software development ability, but does need to pay attention to how a language is implemented internally. Master C/C++, and understand how the compiler turns it into assembly and how the result executes. Understand Java, and then it is necessary to understand how the Dalvik/ART virtual machine executes it internally. For x86/ARM assembly you need to be able to read it, and look up any instruction you do not know in the instruction set manual.
In addition, you also need a scripting language, mainly for quickly writing small tools or proofs of concept (POCs). I recommend Python, because most of the open-source Android security analysis tools in the community are written in Python, for example the well-known Androguard and Drozer.
Reverse engineering is a necessary skill. Analyzing malware behavior or finding vulnerabilities in closed-source software requires reverse engineering. More importantly, reverse engineering lets us draw nourishment from closed-source programs and speeds up our understanding of the system. Disassembling and debugging such programs also deepens our understanding of the operating system and of the internal implementation of programming languages, tying the knowledge above together.
The famous geohot recently used CVE-2014-3153 to build Towelroot, a one-click root tool for Android 4.4. Most people did not understand this complex exploitation method, but by reverse engineering Towelroot I was among the first to understand several key techniques of the exploit (Towelroot adds a lot of obfuscation against reverse engineering, which makes it quite difficult). Maybe we are not geniuses, but reverse engineering lets us keep up with the pace of the geniuses from time to time.
Understanding the Android system
The Android source code is very large; even looking only at the system components, I am afraid it would take years. What is more, the source code is not all there is to an Android phone: the Linux kernel, baseband, bootloader and TrustZone are all low-level modules waiting for us to explore. We only need to understand the core services that keep the Android system running and the design of Android's security mechanisms; the rest can be analyzed when we need to use it.
In terms of components, the following should be understood first.
1. Zygote: the incubator of Android applications; every Android application process is forked from it.
2. Binder: the Android inter-process communication mechanism, a core functional component of the Android platform.
3. Package Manager Service: the application package management service, responsible not only for installing and uninstalling packages but, more importantly, for querying and controlling Android package information, such as Android permission management.
4. Activity Manager Service: manages processes at the Android framework layer and also implements the logic of the four major Android application components.
5. Dalvik virtual machine: although it will be replaced by ART, Dalvik is still good teaching material for understanding the virtual machine and the Android executable file format.
In terms of security mechanisms, you need to know the following points.
1. Sandbox isolation: the sandbox is based on assigning each application a different user ID; in essence it is Linux isolation of access between different users.
2. Application access control: Android applications need to request the appropriate permissions to access system resources and information. Most permissions are enforced by Android framework-layer APIs; another part of the permissions are mapped to group IDs that the application is given, and are enforced by the Linux kernel.
3. SELinux: a security enhancement at the Linux kernel layer, a mandatory access control mechanism independent of traditional Linux access control. Google has ported this mechanism to the Android kernel, which brings some challenges to kernel exploitation.
Hot research directions in Android security and their current state
【Phone rooting and kernel vulnerability discovery and exploitation】
In the Android 2.x era, a phone could often be rooted by a user-level application using a few vulnerabilities; now this mainly depends on kernel vulnerabilities. Android introduced new kernel modules into the Linux kernel, and the driver schemes of different vendors introduce new security risks into the system kernel: whether the chip is Qualcomm, MediaTek, Samsung Exynos or Huawei HiSilicon, each has had its share of kernel vulnerabilities, and the kernel is a major focal point of the Android platform. Since Google introduced SELinux into Android, the attack surface is smaller, but the problem of kernel exploitation cannot be completely solved. From the defensive perspective there is also a challenge: if an APT attack uses a kernel vulnerability, it can gain full control of the system. Kernel vulnerabilities on the Android platform have kept being exposed for a long time, and both their exploitation and sustainable prevention remain hot topics.
In this direction, you first need to understand the Linux kernel and continuously analyze the CVE vulnerabilities that have already been published, understanding the causes of the vulnerabilities and their various types. On the exploitation side, the open-source project run_root_shell can serve as a reference; the project contains implementations for multiple classic vulnerabilities and is good entry material. In addition, you can also focus on analyzing foreign POC programs or one-click root products.
【Android application and system framework layer vulnerability discovery】
Android applications themselves focus on the four major components, where logic-handling problems usually lead to information leakage or bypassing identity authentication. Thanks to the Android sandbox mechanism, the attack surface of an application itself is relatively small, but some developers show poor security awareness in the coding process. In addition, security problems caused by vulnerabilities around WebView or SSL are quite common.
Framework layer vulnerabilities are also mostly logic flaws, but the damage is often greater than for applications. Well-known high-risk vulnerabilities include the Master Key signature bypass and WebView remote code execution.
There are now some open-source vulnerability discovery tools such as Drozer and Intent Fuzzer. We can modify these as a base, and if you have unique ideas you can also try to develop your own discovery tools.
By numbers, privacy-stealing and phishing software are the main types of malicious software on the Android platform.
Once a user grants an application its permissions, the application can easily obtain the user's messages, contacts, geographic location, recordings and other private
information. Active-defense programs on the Android platform need to control applications' access to privacy, and there are two kinds of methods: one integrates the code into the vendor's ROM, the other uses API hooking. Whichever method is used, the problem we currently face is how to manage permissions more intelligently for the user, in order to reduce the frequent popup windows with which defense software disturbs them.
The market is flooded with fake payment applications that may look no different from the original application, because these fake applications are produced by tampering with the original. These programs usually carry malicious code that steals the user ID and password. Security software needs to identify them through means such as signatures and code features.
Looking at the trend, malicious software is no longer limited to distribution as an Android installation package (APK); it often comes with Linux executables (ELF) to attack the system at a deeper level. The security products on the market are relatively mature at detecting and removing APKs, but there is still no especially complete implementation for detecting and disinfecting malicious software at the lower layers of the system, and defense against this new, somewhat APT-level threat is still in the exploratory stage.
The known malware Oldboot is a typical case of a malicious program using low-level techniques to resist removal; a complete analysis of its details has been published, and readers can search for the articles on the Internet to better understand how to analyze malware behavior.
For a long time, mobile payment has relied on SMS verification codes and payment passwords to authenticate the payer. But there is still the risk of the messages or the password being intercepted and stolen, so some vendors have followed the USB-key (U-shield) scheme from the PC and launched audio-jack shield or Bluetooth authentication solutions. Using the ARM TrustZone architecture to run the payment authentication process independently of the operating system is also a direction. Mobile payment is a strong demand, and there is still a lot worth exploring.
【Application hardening (packing) and reverse engineering】
Games and payment applications have a very strong demand for resisting reverse engineering, cracking and tampering, and there are several mature solutions. So far, however, Android's protection of ELF-format programs is not enough; the ultimate protection, of course, is a virtual machine similar to VMProtect on the PC. Reverse engineering and hardening protection are a process of constant attack and defense: the hardening scheme needs to keep improving its protection strength and repairing its loopholes. For the reverse engineer, not being able to reverse does not mean the program's behavior cannot be analyzed. A good software tracing method often gets twice the result with half the effort.
The better-known domestic hardening schemes at present are 360 Jiagubao, Bangcle and Ijiami, among others; you can see the corresponding information on these products' websites.
【Enterprise security and BYOD】
Considering only the terminal device itself, a BYOD solution usually isolates two environments on one phone: a public one and a private one, which do not affect each other. Samsung's KNOX security suite provides such a function, using a Container to package the public applications that need to be isolated; Google is also developing a similar application, but progress is slow. Such schemes are usually closely integrated with the system itself, so implementing such a scheme, or finding security vulnerabilities in such schemes, is also a new direction.
Example: the Android 4.4.2 vold system vulnerability
"How the vulnerability was found in the first place"
Not all vulnerabilities are entered into the vulnerability database (CVE); many are repaired quietly. One way is to look at the Change Log of Android source code version upgrades; with luck, you will notice the following among the AOSP Git commit messages:
Vulnerability information. If you are sensitive enough to the problem behind this commit record, you can spot the issue.
In fact, only a few people noticed this information. Before most people knew of the problem, someone had already mastered the technical details and published a root tool for Moto devices on the XDA forums and Twitter.
"How to obtain the vulnerability details"
You might think of reverse engineering the "[Root 4.4.x] Pie for Motorola devices" tool, but after opening it in JEB you will find it has been through complex obfuscation.
This obfuscation is called DexGuard, which is more complex than the ProGuard used by Google. Unpacking it would also take effort; one option is to develop a ROM that can trace the software's actions and analyze it that way, but that is a more advanced topic.
Let us first put the tool aside; in fact we can also analyze the vulnerability using the existing information. First of all, we have obtained the vulnerability fix information (see https://android.googlesource.com/platform/system/vold/+/0de7c61 for the diff). The problem appears in the system process vold. Combining the source code with the analysis report issued by Airbus, we can learn the following.
1. The problem appears in the system process vold (the volume management process), a partition management process that runs as root. The specific function module with the problem is ASEC (Android Secure External Caches), whose function is roughly permission management for application files stored on the SD card. Because the SD card file system is FAT, it does not itself support file permission management.
2. Using the "vdc asec create YOURNAME corruption none 2000 false" command, the vold process receives the message, creates a folder /data/app-asec/YOURNAME in the /data/app-asec directory, and mounts this directory to /mnt/asec/YOURNAME.
3. As the code shows, vold joins /data/app-asec and YOURNAME together with sprintf, without doing any check on the YOURNAME string. This means we can construct YOURNAME in the form "../../PATH". vold will then mount any directory for us, and if the directory already exists (for example /sbin), it will be covered by the newly mounted directory.
"How to use the vulnerability to get root"
Since vold can mount any directory for us, it means we can cover a system directory with a directory we specify, which is equivalent to being able to replace system files and gain the chance to execute as root. Mount over the /sbin directory, replace the /sbin/adbd file, and when the system process adbd is started again by the init process, we will have the chance to execute arbitrary code with root permission. The exploit code is very simple.
The command first creates a symbolic link /data/local/tmp/test1 pointing to /sbin. Then vdc is used to send vold the triggering message, and the vulnerable vold mounts /data/app-asec/../../data/local/tmp/test1. Because /data/local/tmp/test1 is a symbolic link to /sbin, the /sbin directory is covered by an empty partition. This empty partition is not writable, but we can create symbolic links inside the partition, so I create /sbin/adbd as a symbolic link to /data/local/tmp/adbd. Thus /sbin/adbd now points to a file we control: /data/local/tmp/adbd. When the adbd process is killed, the init process restarts adbd, and /data/local/tmp/adbd runs with root permission. All that remains is to install the su program on the phone, and at this point the root process is complete.
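The defect in points 3 and the exploit above comes down to one thing: the container id is pasted into a fixed directory with sprintf and never validated. As an added example (not vold's code, not the author's, and not the actual fix in the linked diff), the block below shows the unchecked join the article describes beside a hardened version that only accepts a restricted character set for the container id, plus a lexical prefix check that makes visible why "../../PATH" escapes the ASEC directory. The function names build_asec_path_unchecked, build_asec_path_checked, is_legal_asec_id, normalize_path and path_within are my own; the directories /data/app-asec and /mnt/asec are the ones the article refers to.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define ASEC_DIR "/data/app-asec"   /* container directory named in the article */
#define ASEC_MOUNT_DIR "/mnt/asec"  /* mount-point directory named in the article */

/* The pattern the article describes: the caller-supplied id is joined onto a
 * fixed directory with no validation, so an id of "../../x" leaves ASEC_DIR.
 * (snprintf is used here instead of sprintf only to keep the buffer safe;
 * the traversal defect is identical.) */
int build_asec_path_unchecked(const char *id, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s/%s", ASEC_DIR, id);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened version (hypothetical check): accept only [A-Za-z0-9_.-], reject
 * empty names, "." and "..", and anything containing '/'. With a whitelist
 * like this there is no way to spell a path separator, so the symlink trick
 * in the article cannot be reached either. */
int is_legal_asec_id(const char *id) {
    size_t len;
    if (id == NULL) return 0;
    len = strlen(id);
    if (len == 0 || len > 64) return 0;
    if (strcmp(id, ".") == 0 || strcmp(id, "..") == 0) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = id[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok) return 0;
    }
    return 1;
}

int build_asec_path_checked(const char *id, char *out, size_t outlen) {
    if (!is_legal_asec_id(id)) return -EINVAL;
    return build_asec_path_unchecked(id, out, outlen);
}

/* Lexically normalize an absolute path (collapse "//", "." and "..") with no
 * filesystem access. This shows where a traversal id actually lands; it does
 * NOT follow symlinks, which is exactly why a prefix check alone would not
 * have stopped the /data/local/tmp/test1 -> /sbin step in the article. */
int normalize_path(const char *path, char *out, size_t outlen) {
    char buf[512];
    char *parts[64];
    int depth = 0;
    size_t used = 0;
    if (path == NULL || path[0] != '/' || strlen(path) >= sizeof buf) return -1;
    strcpy(buf, path);
    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) { if (depth > 0) depth--; continue; }
        if (depth >= 64) return -1;
        parts[depth++] = tok;
    }
    if (depth == 0) { if (outlen < 2) return -1; strcpy(out, "/"); return 0; }
    out[0] = '\0';
    for (int i = 0; i < depth; i++) {
        size_t plen = strlen(parts[i]);
        if (used + 1 + plen + 1 > outlen) return -1;
        out[used++] = '/';
        memcpy(out + used, parts[i], plen);
        used += plen;
        out[used] = '\0';
    }
    return 0;
}

/* 1 if the normalized form of path is strictly inside base, else 0. */
int path_within(const char *base, const char *path) {
    char norm[512];
    size_t blen = strlen(base);
    if (normalize_path(path, norm, sizeof norm) != 0) return 0;
    return strncmp(norm, base, blen) == 0 && norm[blen] == '/';
}

int main(void) {
    /* Constructed ids: a normal name and the traversal shape from the article. */
    const char *ids[] = { "YOURNAME", "../../data/local/tmp/test1" };
    char path[512];
    for (int i = 0; i < 2; i++) {
        build_asec_path_unchecked(ids[i], path, sizeof path);
        printf("unchecked: %-40s -> inside %s? %s\n", path, ASEC_DIR,
               path_within(ASEC_DIR, path) ? "yes" : "NO");
        printf("checked:   %-40s -> %s\n", ids[i],
               build_asec_path_checked(ids[i], path, sizeof path) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The whitelist is the real fix; the lexical check is there for diagnosis and for logging rejected requests, since it can report where an id would have landed before anything is mounted. A detection rule on the vold side would simply alert on any `asec create` whose id fails is_legal_asec_id.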