Hack In the Box Amsterdam-2012 13:30 Track 1, Day 2

Bypassing the Android Permission Model, presented by Georgia Weidman, CEO Bulb Security

I have a soft spot for Android OS exploitation discussions and tequila, so this talk was a sweet little piece of key lime pie from Duck Key, FL for me. Gladly it was after lunch. Georgia Weidman greeted her audience wearing an Amsterdam-altered period suit and carrying a bottle of aged yet tender and delicious tequila, enough for sharing. Beyond putting her audience at ease with a casual introduction, she had some serious questions about Android OS security. Is the permission model in Android working for both developers and end users, and are those end users making intelligent decisions? Ms. Weidman's answer: yes, if you are a malware developer; and the average smartphone user is at least trying. What developers declare as the permissions required for installation can differ vastly from what the application really needs or does. Additionally, the permissions are too vague and far-reaching for users to make an informed, intelligent decision.

She set the temperature of the presentation low on end-user bashing and high on the point that unclear, overly encompassing permissions cannot deliver an acceptable level of security for any operating system, especially one that can leak the owner's personal information almost invisibly. What permissions are really needed by the vast majority of Android applications? Not many. She gave the example of the Facebook application, which requires 11 permissions, including creepy-sounding ones like "Your accounts" and "Discover known accounts". Conversely, DroidDream, a known malicious application/rootkit, required only four permissions, none of them so creepy sounding. Why would Facebook need or want to discover your non-Facebook accounts on the phone, when nothing of the sort is required when you log in to Facebook over the web?

In the first demo, simplicity in pwnage was showcased. In less than 50 lines of code, and with only limited permissions presented to the end user, the application read the IMEI (the phone's unique hardware identifier), read the contacts and sent an SMS. Within a few minutes, exploitation and compromise were complete.
The second in the series of demos began a dive into malicious bot waters over SMS, the presenter's specialty. "If you write malware for Linux, Android OS [malware development] is an easy transition."

What mitigation strategies are required?
- No dangerous functionality directly available in public interfaces.
- Require user interaction for all activities such as sending and receiving SMS messages.
- Require the permission tag in the XML manifest for the interface.
- End users must keep their operating system updated.

But that means smartphone owners also need the ability to keep the OS updated in an easy manner. Too often phone manufacturers or carriers delay Android OS updates, if they provide them at all. If the OS update isn't available, the vulnerability remains and your private information becomes just another commodity on the data-leakage open marketplace.

Link to the presentation PDF: Link
Links to other presentations by Georgia Weidman and her blog: http://georgiaweidman.com/wordpress/
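The first three mitigations above map directly onto how an Android component is declared and how it behaves once started. What follows is an added example written for this write-up, not code from the talk, from Bulb Security or from any app mentioned on this page: a small relay Activity that sends an SMS on behalf of another app, shown first with the weak manifest entry that exposes it to every app on the device, then with a custom permission required in the manifest and an explicit confirmation dialog before anything is sent. The package name com.example.relay, the permission name com.example.relay.permission.SEND_RELAY and the intent action com.example.relay.SEND are assumptions.

```java
// Added example for this write-up, not code from the talk or from Bulb Security.
// Package and permission names (com.example.relay, com.example.relay.permission.SEND_RELAY)
// and the intent action com.example.relay.SEND are assumptions.
//
// WEAK manifest entry: any app on the device may start this Activity, so the
// relay's own SEND_SMS permission is effectively handed to callers that never
// declared it (a confused deputy). Nothing in the caller's own permission list
// hints at SMS.
//
//   <uses-permission android:name="android.permission.SEND_SMS" />
//   <activity android:name=".RelayConfirmActivity" android:exported="true">
//       <intent-filter>
//           <action android:name="com.example.relay.SEND" />
//           <category android:name="android.intent.category.DEFAULT" />
//       </intent-filter>
//   </activity>
//
// HARDENED manifest entry: declare a custom permission and require it on the
// component. protectionLevel="signature" means only apps signed with the
// relay's own key can hold it; "dangerous" would instead surface it to the
// user when the calling app is installed.
//
//   <uses-permission android:name="android.permission.SEND_SMS" />
//   <permission android:name="com.example.relay.permission.SEND_RELAY"
//               android:protectionLevel="signature" />
//   <activity android:name=".RelayConfirmActivity"
//             android:exported="true"
//             android:permission="com.example.relay.permission.SEND_RELAY">
//       <intent-filter>
//           <action android:name="com.example.relay.SEND" />
//           <category android:name="android.intent.category.DEFAULT" />
//       </intent-filter>
//   </activity>
//
// The manifest permission is enforced by the system before onCreate() runs.
// The Activity below adds the second mitigation: nothing is sent until the
// phone's owner taps "Send" on a dialog showing the exact recipient and text.
package com.example.relay;

import android.app.Activity;
import android.app.AlertDialog;
import android.content.DialogInterface;
import android.os.Bundle;
import android.telephony.SmsManager;

public class RelayConfirmActivity extends Activity {
    static final String EXTRA_TO = "to";
    static final String EXTRA_BODY = "body";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        final String to = getIntent().getStringExtra(EXTRA_TO);
        final String body = getIntent().getStringExtra(EXTRA_BODY);

        // Validate caller-supplied input: digits only (optional leading '+')
        // and a single-part message. A premium-rate number or an oversized
        // body is exactly what an SMS bot would hand us.
        if (to == null || body == null
                || !to.matches("\\+?[0-9]{3,15}") || body.length() > 160) {
            finish();
            return;
        }

        new AlertDialog.Builder(this)
                .setTitle("Send SMS?")
                .setMessage("To: " + to + "\n\n" + body)
                .setCancelable(false)
                .setPositiveButton("Send", new DialogInterface.OnClickListener() {
                    @Override
                    public void onClick(DialogInterface dialog, int which) {
                        // Only reached after explicit user interaction.
                        SmsManager.getDefault().sendTextMessage(to, null, body, null, null);
                        finish();
                    }
                })
                .setNegativeButton("Cancel", new DialogInterface.OnClickListener() {
                    @Override
                    public void onClick(DialogInterface dialog, int which) {
                        finish();
                    }
                })
                .show();
    }
}
```

A caller holding the permission starts the Activity with an Intent whose action is com.example.relay.SEND and extras "to" and "body"; a caller without it gets a SecurityException from startActivity(), and with the signature protection level no third-party app can acquire the permission at all. The same android:permission attribute works on receivers, services and content providers. One caveat for receivers: do not try to replace the manifest attribute with a checkCallingPermission() call inside onReceive(), because broadcasts are not delivered on a Binder thread carrying the sender's identity, so that check would not see the sender's permissions; use android:permission on the receiver, or a permission argument to sendBroadcast() on the sending side.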
