Android OEM's applications (in)security and backdoors without permission
André Moulu
[email protected]

Plan
1 Context and objectives
2 Android introduction
3 Android security model
4 Methodology
5 Toward a backdoor without permission
6 Post-exploitation
7 Scope of the vulnerabilities
8 Conclusion

Context and objectives: Why Android?
- Most used mobile OS
- Security often questioned because of the many malwares
- Unofficial markets (warez)
- Show how an application without any permission can take control of a smartphone

Context and objectives: Targeted user
- Security-aware user
- Doesn't use alternative markets
- Checks permissions before installing an application

Context and objectives: Targeted smartphone
- Samsung Galaxy S3 (I9300), 50 million copies sold (March 2013)
- Actually, the Samsung overlay on the I9300
- Some of these applications may also be present on other models
- Some vulnerabilities may impact other models (S2, S4, Note 1/2, ...)
- The vulnerable applications can't be deleted without root access

2 Android introduction
- Android system and the applications
- Classical components of an Android application
- The communication between components
- The exposition of components

Android system and the applications: The Android system
Generalities and common knowledge
- Mobile OS (smartphone/tablet)
- "Open source"
- Based on Linux
- Developed in C and Java
- A special virtual machine: DalvikVM, running Dalvik bytecode (DEX/ODEX)

What is an Android application?
- An APK file (actually a ZIP file)
- The APK's most important files:
  - AndroidManifest.xml (configuration, permissions, components, ...)
  - classes.dex (executable bytecode)
  - Native libraries as .so files (JNI)
- Each application has a unique name (package name) and is signed by its developer (certificate)

Classical components of an Android application: The applicative components
[figure: the applicative components]