Securely Deploying Android Devices
Angel Alonso-Parrizas

22nd March 2011
About me and this project

•   Angel Alonso-Parrizas – parrizas@gmail.com
     –   Security Engineer @ Verizon Zurich team
     –   MSc, BSc, MSSF, GCIH, GCIA, GCFW, GCFA, GSEC, GSNA, CISSP, CISA, CISM
     –   8 years working in different security roles and companies
     –   http://www.angelalonso.eu | http://twitter.com/Angelill0
•   The project
     –   Practicum for the Master in Security and Forensics at Dublin City University
         http://www.uv.es/parrizas/alonsoparrizas-android-thesis.pdf
     –   GIAC GCIH Gold Paper
         http://www.sans.org/reading_room/whitepapers/sysadmin/securely-deploying-android-devices_33799
•   The idea
     –   Need vs security
     –   Android smartphones aligned with security policies/standards
Agenda
•   Android model and threats
     –   Android architecture
     –   Linux model / permissions
     –   Some examples of recent threats
•   Improving security in different areas
     –   Communications channel
     –   Access control
     –   Software policy
     –   Password policy
     –   Remote access control
     –   Additional security layers
     –   Hardening the stack and the Operating System
•   Conclusions
Android Model
•   Applications
     – Linux UID model: every application runs as its own UID, so the sandbox is the kernel's process boundary, not the VM
     – File permissions
•   Libraries & VM
     – Dalvik VM isolation
     – SSL
•   Kernel 2.6
     – Drivers
     – Devices (eg: bluetooth)
Permissions
•   Open repositories: Market, AppBrain..
•   The developer decides the permissions
     –   Declared in AndroidManifest.xml
•   The user installs the application
     –   Installing the application is up to the user!
     –   Do all users read the permission list?
     –   Do all users understand it?
     –   Low granularity (all or nothing: accept every requested permission or do not install)
•   Any security issues?
     –   Repository vs malware
     –   Developers vs bad guys
     –   The end user is not a security expert

Manifest shown on the slide (a "home" application requesting CALL_PHONE, GET_TASKS, READ_CONTACTS and SET_WALLPAPER; the slide's listing ends after SET_WALLPAPER and only the closing tags are restored here):

    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.android.home">
        <uses-permission android:name="android.permission.CALL_PHONE"/>
        <uses-permission android:name="android.permission.GET_TASKS"/>
        <uses-permission android:name="android.permission.READ_CONTACTS"/>
        <uses-permission android:name="android.permission.SET_WALLPAPER"/>
    </manifest>
Some examples of threats
•   "Catching AuthTokens in the Wild: The Insecurity of Google's ClientLogin Protocol" [13/05/2011]
     –   Authentication tokens of some Google applications can be sniffed on an open WiFi network
     –   The attacker can impersonate the user and even take over the Google account
     –   Cause: applications not properly built, with no encryption (plain HTTP) in critical tasks
•   DroidDreamLight / DroidDream [30/05/2011]
     –   Typical malware (nothing new so far)
     –   30k - 120k users affected (not too bad)
     –   Steals information, installs software..
•   Android.Nickspy [27/07/2011]
     –   Trojan horse
     –   What else can we expect? Something recording our conversations? Yes, it does!
     –   …and it sends the stolen information over a TCP connection
The lab
•   HTC Desire
•   Android SDK tools (Linux, Mac or Windows)
•   WiFi connection
•   3G card with Internet access
•   Some security tools
     –   iptables
     –   OpenVPN
     –   SSH
•   Dedicated Linux server
     –   Virtual Private Server (VPS)
Communication channels
[Diagram on the slide: smartphone -> VPN tunnel (tun0) -> VPS, with Netfilter on both ends and policies applied on demand]
     1. Encryption of traffic (OpenVPN tunnel from the phone to the VPS)
     2. Drop traffic in the smartphone (Netfilter / DROP: nothing leaves the phone outside the tunnel)
     3. Traffic policy in the VPS (eg: per user)
     4. Analysis of the traffic in the VPS
Default route = tun0
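The handset side of the channel above, as an added example (not the author's iptables.sh; the interface names, addresses and ports are assumptions stated in the header comment): a deny-by-default Netfilter policy in which the only clear-text traffic is DHCP and the OpenVPN session to the VPS, and everything else has to leave through tun0.

```shell
#!/bin/sh
# iptables.sh: deny-by-default policy for the handset, everything via tun0.
# Added example, not the author's script. Assumed values: physical
# interfaces wlan0 and rmnet0 (HTC Desire), OpenVPN on udp/1194 to the
# VPS public address 203.0.113.10 (placeholder), 10.8.0.1 as the VPS end
# of the tunnel, Dropbear on tcp/22. On the phone the shell is
# /system/bin/sh. No conntrack match is used, so the rules load on a
# kernel built without the state modules.
IPT="${IPT:-iptables}"                  # IPT=echo prints the rules instead
VPS_IP="${VPS_IP:-203.0.113.10}"
VPS_TUN_IP="${VPS_TUN_IP:-10.8.0.1}"
VPN_PORT="${VPN_PORT:-1194}"
SSH_PORT="${SSH_PORT:-22}"
PHYS_IFACES="${PHYS_IFACES:-wlan0 rmnet0}"

apply_policy() {
    # Clean slate, then DROP in every direction; only what follows is allowed.
    $IPT -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    for ifc in $PHYS_IFACES; do
        # DHCP, so WiFi can obtain an address before the tunnel exists.
        $IPT -A OUTPUT -o "$ifc" -p udp --sport 68 --dport 67 -j ACCEPT
        $IPT -A INPUT -i "$ifc" -p udp --sport 67 --dport 68 -j ACCEPT
        # The only clear-text flow: the OpenVPN session to the VPS.
        $IPT -A OUTPUT -o "$ifc" -p udp -d "$VPS_IP" --dport "$VPN_PORT" -j ACCEPT
        $IPT -A INPUT -i "$ifc" -p udp -s "$VPS_IP" --sport "$VPN_PORT" -j ACCEPT
    done

    # Everything else rides the tunnel, where the VPS filters and analyzes it.
    $IPT -A OUTPUT -o tun0 -j ACCEPT
    # Inbound over the tunnel: SSH from the VPS end only...
    $IPT -A INPUT -i tun0 -s "$VPS_TUN_IP" -p tcp --dport "$SSH_PORT" -j ACCEPT
    # ...plus replies to the phone's own connections. Without conntrack that
    # means "TCP that is not a new SYN", UDP (DNS replies) and ICMP.
    $IPT -A INPUT -i tun0 -p tcp ! --syn -j ACCEPT
    $IPT -A INPUT -i tun0 -p udp -j ACCEPT
    $IPT -A INPUT -i tun0 -p icmp -j ACCEPT
    # Anything else on the physical interfaces, and any new inbound TCP
    # on tun0, falls through to the DROP policy.
}

if [ "${1:-}" = "apply" ]; then
    apply_policy
fi
```

Run it from the boot-time script as `sh /data/local/iptables.sh apply` (`IPT=echo sh iptables.sh apply` only prints the rules). The OpenVPN client configuration needs `redirect-gateway def1` so that the default route becomes tun0; OpenVPN then adds a host route to the VPS through the physical gateway, which is why the clear-text rules match on the VPS address alone. Because there is no connection tracking, new inbound UDP on tun0 is accepted together with the replies; on a kernel that has the conntrack modules, replace the three reply rules with a single `-m state --state ESTABLISHED,RELATED` rule.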
Access control
• The Android user has full control of the phone
– USB is used to manage the software
– USB is used to access the shell (adb shell): full access to the system
– USB debugging must be disabled
– Just remove the execute permission from the adbd daemon (/sbin/adbd); /sbin lives in the ramdisk, so this has to be redone on every boot (see the boot-time hardening slide)

• SSH access should be given to the Security Administrator only
– Dropbear is your friend (an SSH daemon for embedded systems)
– Use keys instead of passwords
– The only authorized host is the VPS endpoint
– SSH is only allowed through the VPN interface (tun0)
Software Policy
•   Only authorized software may run on the device
     –   Follow the internal policies / standards
     –   Mitigate the risk of infected software
•   Baselines for each user / role
     –   Some users might need special software for their role
•   Remove unnecessary software
     –   Remove Market
     –   Change the permissions of each application's container
•   Applications must be installable remotely, with no need for physical access
     –   Use SCP to upload the APK file
     –   Restore the permissions of /system/bin/pm
     –   Install the application
     –   Revoke the permissions again
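The remote installation procedure above, combined with the permission check that the Permissions slide says the end user cannot reasonably make, as an added example on the VPS side (not the author's tooling; the addresses, key path, baseline contents and the aapt output format it parses are assumptions labelled in the code). The permissions an APK declares are compared with the role baseline before anything is pushed, and pm only gets its execute bit back for the duration of the install.

```shell
#!/bin/sh
# install-app.sh: run on the VPS by the security administrator to push an
# application to the phone over the tunnel. Added example, not the author's
# tooling. Assumed values: phone tunnel address 10.8.0.2, admin key
# /root/.ssh/android_admin, aapt from the SDK on the VPS, APK staged in
# /data/local/tmp, and /system/bin/pm normally kept at mode 000.
PHONE="${PHONE:-10.8.0.2}"
KEY="${KEY:-/root/.ssh/android_admin}"
SSH="${SSH:-ssh -i $KEY root@$PHONE}"    # SSH=echo SCP=echo for a dry run
SCP="${SCP:-scp -i $KEY}"

# Permissions every role may use; a role baseline file adds its own,
# one permission per line. Constructed list for the example.
BASE_ALLOWED="android.permission.INTERNET
android.permission.ACCESS_NETWORK_STATE
android.permission.SET_WALLPAPER"

# Normalize "aapt dump permissions" output (old "uses-permission: X" and
# newer "uses-permission: name='X'" forms) to one permission per line.
declared_permissions() {
    sed -n "s/^uses-permission:[[:space:]]*\(name='\)\{0,1\}\([A-Za-z0-9_.]*\)'\{0,1\}.*$/\2/p"
}

# check_permissions <baseline_file> < aapt_output
# Prints every declared permission outside the baseline; returns 1 if any.
# This is the all-or-nothing decision the user cannot make on the phone,
# taken once, centrally, against the role baseline.
check_permissions() {
    baseline="$1"
    rc=0
    for perm in $(declared_permissions); do
        if ! { printf '%s\n' "$BASE_ALLOWED"; cat "$baseline"; } | grep -Fqx "$perm"; then
            echo "$perm"
            rc=1
        fi
    done
    return $rc
}

# Commands executed on the phone for one install: pm gets its execute bit
# back only for the duration of the install, then loses it again.
remote_command() {
    printf '%s\n' \
        "mount -o remount,rw /system" \
        "chmod 755 /system/bin/pm" \
        "pm install -r /data/local/tmp/$1; rc=\$?" \
        "chmod 000 /system/bin/pm" \
        "mount -o remount,ro /system" \
        "rm -f /data/local/tmp/$1" \
        "exit \$rc"
}

remote_install() {
    name=$(basename "$1")
    $SCP "$1" "root@$PHONE:/data/local/tmp/$name" || return 1
    $SSH "$(remote_command "$name")"
}

# deploy <role_baseline_file> <apk>: refuse anything outside the baseline.
deploy() {
    extra=$(aapt dump permissions "$2" | check_permissions "$1") || {
        echo "refused: $2 declares permissions outside the baseline:" >&2
        echo "$extra" >&2
        return 1
    }
    remote_install "$2"
}

if [ $# -eq 2 ]; then
    deploy "$1" "$2"
fi
```

Usage: `sh install-app.sh baselines/sales.txt app.apk`. The pm wrapper runs app_process, which needs the BOOTCLASSPATH, ANDROID_ROOT, ANDROID_DATA and LD_LIBRARY_PATH variables that init exports; a Dropbear started from the boot-time script inherits them, but if the SSH session shows a bare environment, prepend the corresponding export lines to the remote command.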
SD Card and Bluetooth
•   SD Card
     –   FAT file system
     –   No encryption
     –   The permission model is broken (FAT has no owners or modes, so any application can read everything on it)
     –   Some attacks use the SD card to execute code and hijack the device
     –   Unmount /mnt/sdcard at boot time
•   Bluetooth
     –   To be or not to be, that's the question!
     –   Functionality vs security, that's the question!
     –   Disable /dev/ttyHS0 and /dev/ttyMSM0 (the serial device nodes of the Bluetooth hardware on the HTC Desire lab device)
Password Policy
•   Password policy aligned with company policies
•   Google Apps for Business
     –   Centralized policy management
     –   Enforces the policy on the device
     –   Password complexity
     –   Minimum number of characters
     –   Expiration date
     –   Number of old passwords remembered (history)
     –   Wipe threshold (failed unlock attempts before the device is wiped)
•   Google Apps Device Policy application (the agent on the phone)
Remote control and additional security controls
•    Locate the device remotely through GPS
•    Google Apps for Business
      –   GPS + Google Maps
      –   Remote wiping
      –   Remote lock
•    AutoWipe
      –   Remote wipe through a text message
      –   Wipe if the SIM card is swapped
•    Antivirus
      –   AVG for mobile
      –   Scans applications
      –   Real-time web filtering
Hardening of the Operating System while booting
•   Remove unnecessary binaries
     –   irssi, netcat, tcpdump…
•   Set the permissions properly
     –   Scripts owned by root, mode rw------- (600)
•   Harden the TCP/IP stack
•   Boot process in Android
     –   The ramdisk is a problem: /sbin and the rest of the root filesystem are unpacked from boot.img on every boot, so changes made there do not persist
     –   But.. /data/local/userinit.sh lives on the persistent /data partition and is run at boot by the ROM's init, so the changes can be re-applied from there
•   Customized scripts
     –   userinit.sh, removesoftware.sh, iptables.sh
     –   Easily adaptable to different environments
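The boot-time script this slide describes, as an added example that ties the Access control, SD Card and Bluetooth, and hardening slides together (not the author's userinit.sh; the ROM hook, device nodes, paths and Dropbear options it relies on are assumptions listed in the header comment). Everything that lives in the ramdisk or in /dev is re-applied here on every boot, which is the point of hooking the boot process.

```shell
#!/bin/sh
# userinit.sh: boot-time hardening re-applied on every start. Added example,
# not the author's script. Assumptions: a ROM whose init runs
# /data/local/userinit.sh as root (CyanogenMod does), HTC Desire device
# nodes /dev/ttyHS0 and /dev/ttyMSM0 for Bluetooth, the SD card at
# /mnt/sdcard, optional tools under /system/xbin, and a Dropbear build
# that takes the stock -s/-g/-r/-p options. ROOT prefixes every path
# (point it at a scratch directory to test); RUN prefixes privileged
# commands (RUN=: skips them).
ROOT="${ROOT:-}"
RUN="${RUN:-}"
UNWANTED_BINARIES="irssi nc netcat tcpdump"
BT_DEVICES="/dev/ttyHS0 /dev/ttyMSM0"
SCRIPTS="userinit.sh iptables.sh removesoftware.sh"

disable_adb() {
    # /sbin is in the ramdisk, rebuilt from boot.img at every boot, so the
    # change is redone here each time instead of once.
    $RUN setprop persist.service.adb.enable 0
    $RUN stop adbd
    $RUN mount -o remount,rw rootfs /
    if [ -e "$ROOT/sbin/adbd" ]; then chmod 000 "$ROOT/sbin/adbd"; fi
    $RUN mount -o remount,ro rootfs /
}

disable_sdcard() {
    # FAT, no encryption, no permissions: keep it off the system.
    $RUN umount "$ROOT/mnt/sdcard"
}

disable_bluetooth() {
    # /dev is recreated at boot, so the nodes are locked down here as well.
    for dev in $BT_DEVICES; do
        if [ -e "$ROOT$dev" ]; then chmod 000 "$ROOT$dev"; fi
    done
}

remove_binaries() {
    $RUN mount -o remount,rw /system
    for bin in $UNWANTED_BINARIES; do
        rm -f "$ROOT/system/xbin/$bin" "$ROOT/system/bin/$bin"
    done
    $RUN mount -o remount,ro /system
}

harden_tcpip() {
    # Written straight to /proc/sys: the phone has no sysctl binary.
    set -- net/ipv4/tcp_syncookies=1 \
           net/ipv4/conf/all/accept_redirects=0 \
           net/ipv4/conf/all/send_redirects=0 \
           net/ipv4/conf/all/accept_source_route=0 \
           net/ipv4/conf/all/rp_filter=1 \
           net/ipv4/icmp_echo_ignore_broadcasts=1 \
           net/ipv4/ip_forward=0
    for kv in "$@"; do
        key="$ROOT/proc/sys/${kv%=*}"
        if [ -w "$key" ]; then echo "${kv#*=}" > "$key"; fi
    done
}

lock_scripts() {
    # root rw------- on the scripts themselves: the user can neither read nor edit them.
    for f in $SCRIPTS; do
        if [ -e "$ROOT/data/local/$f" ]; then
            $RUN chown root:root "$ROOT/data/local/$f"
            chmod 600 "$ROOT/data/local/$f"
        fi
    done
}

start_sshd() {
    # Key-only logins (-s -g). It listens on every address because tun0 does
    # not exist yet at boot; the firewall limits it to the VPS over tun0.
    $RUN dropbear -s -g -r /data/dropbear/dropbear_rsa_host_key -p 22
}

harden() {
    # Firewall first, from the policy script kept next to this one.
    if [ -r "$ROOT/data/local/iptables.sh" ]; then
        $RUN sh "$ROOT/data/local/iptables.sh" apply
    fi
    disable_adb
    disable_sdcard
    disable_bluetooth
    remove_binaries
    harden_tcpip
    lock_scripts
    start_sshd
}

if [ "${1:-}" = "run" ]; then
    harden
fi
```

Install it as /data/local/userinit.sh and have the ROM's init call `sh /data/local/userinit.sh run`. To dry-run it off the phone, point ROOT at a scratch tree that mimics /sbin, /dev, /system and /proc/sys, set `RUN=:` so that setprop, stop, mount, umount, chown and dropbear are skipped, and check the resulting modes and /proc/sys values.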
Conclusions
•   Improved the security in different areas
•   Implemented a secure channel
•   Filtered and analyzed the traffic
•   Reduced the risk of unauthorized software
•   Aligned with corporate policies
•   Set up a central point of management
•   Added additional security controls / layers
•   Deployed customizable scripts
Questions?
