Security Issues in Android Custom ROM’s

A presentation at c0c0n 2011 in October 2011 in Kochi, Kerala, India by Anant Shrivastava

Slide 1

Security Issues In Android (Custom ROM’s)
Anant Shrivastava
http://anantshri.info

Slide 2

Agenda
● Introduction to Concept: Custom ROM
● Why Security Review
● Security Issues
● PoC: Data Theft Tool
● Protection Tips
● Demo: Tool

Slide 3

What is Android ROM
● Android ROM is the OS firmware layer of the phone.
● Generally consists of the /system partition
● May include the /data partition
● Contains
– Kernel
– Dalvik
– Libraries
– Framework
– Applications (vendor provided)

Slide 4

Android Architecture

Slide 5

ROMs concept
● Android basically has two ROMs, or firmwares.
● Stock: pre-installed by manufacturers
● Custom: aftermarket version, not supported by the manufacturer.
● Example
– CyanogenMod: claimed as aftermarket firmware.
– MIUI: Chinese by origin, mimics iPhone looks.
– OMFGB: Gingerbread Enhanced

Slide 6

Advantages of Custom ROMs
● Bring out the best of all worlds, for example:
– You may like SE hardware but love the HTC Sense UI.
– You prefer a minimal phone, or want to avoid default apps.
– ROMs with specific features
● When the carrier / manufacturer stops providing updates
● Bleeding edge (2.3.7)
● Pre-rooted
● Targeted: speed, gaming, performance, battery
● Overclocking and underclocking

Slide 7

Where can I get it
• http://cyanogenmod.com
• http://miui.org
• http://forum.xda-developers.com
• http://android.modaco.com
• http://modmymobile.com/forum.php
• And many more underground forums.

Slide 8

Recipe
● Modify stock ROM
● Parallel aftermarket ROMs
● Best of both
● General ROM cookers are here for either
– Fun
– Profit
– "They can" attitude.

Slide 9

Why Security Review
Next "in" thing: designing malware and exploits for Android.
On top of that: employees' pressure to integrate Android into corporate infrastructure.
Aftermarket distributions like CyanogenMod are considered a viable alternative.
Lots of work is underway to safely implement CyanogenMod in corporate environments.

Slide 10

Are we Missing Something
● Did anyone try peeking under the hood?
● This is what we will be doing today.

Slide 11

Practices under Scrutiny
● USB debugging enabled
● ADB shell root mode
● System permissions
● Installation from unknown sources
● ADB shell over WiFi
● Su access and settings
● Custom recoveries

Slide 12

USB Debugging enabled
● ADB, or Android Debug Bridge, Google’s debug tool.
● Menu → Settings → Applications → Development
● Supports
– Push / pull files and folders
– Remount system partitions
– Installation of software without prompt
– Fastboot with a different kernel

Slide 13

ADB Shell root mode
● Special setting that makes adb run in root mode.
● Activated at boot time.
● boot.img → ramdisk.cpio.gz → build.prop
● Do you pay attention to the other end of the charging dock? :)

Slide 14

ADB Shell over WiFi
● This setting allows adb shell to be used over a WiFi network. (Freedom from wires :) )
● Can be set at boot time or at run time.
● service.adb.tcp.port = <tcp_port_no>
● Combined with our beloved ro.secure, you literally hand over your device shouting: "PLEASE OWN ME".
● This is hypothetical as of now; no known usage found so far.

Slide 15

System permissions
● /system should be read-only, as it is a critical section of the phone.
● It is observed in lots of places that cookers keep 777 settings for /system.
● Do you remember:
– /system/app: system apps
– /system/bin: executables
● Remember ROOTKITS, TROJAN, MALWARE

Slide 16

Unknown Source Installation
● This setting disallows third-party software and forces the use of Android Market.
● Aftermarket forum practices enable Unknown Sources.

Slide 17

Su Access
● With greater power comes greater responsibility.
● SU, or the switch user binary, is a direct indication of a rooted device.
● However, default protection from unauthorized execution is not available.
● Superuser.apk is the only known protection.

Slide 18

Recovery Images
● Android provides an option to install custom recovery software.
● Recovery software provides unrestricted root access by default.
● Putting a phone in recovery mode is as simple as reboot, then press backspace or vol_down till recovery starts.

Slide 19

Slide 20

Demo PoC tool
DEMO IS INTENTIONALLY NOT DEVELOPED TO A LARGE EXTENT TO AVOID SCRIPT KIDDIE APPROACH

Slide 21

Protection
● Developers
– Avoid settings not really required for a normal user.
– Give a recommendation to close the unknown sources setting.
● Users
– Take a closer look at the development process.
– Ask questions
– Run ARE YOU INSECURE
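
An added example, not code from the talk and not the author's Are You Insecure tool: a host-side Python check of an unpacked ROM for the settings the slides single out (ro.secure, service.adb.tcp.port, world-writable /system). The ro.debuggable check, the function names and the sample property text are assumptions made for this illustration.

```python
import os
import stat

def parse_props(text):
    """Parse build.prop/default.prop style 'key=value' lines, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_props(props):
    """Return (severity, message) findings for the ADB settings the slides discuss."""
    findings = []
    adb_root = props.get("ro.secure") == "0"          # adbd keeps root privileges
    port = props.get("service.adb.tcp.port", "")
    adb_tcp = port.isdigit() and int(port) > 0        # "-1" or unset means USB only
    if adb_root and adb_tcp:
        findings.append(("critical", f"root adb shell exposed on TCP port {port}"))
    elif adb_root:
        findings.append(("high", "ro.secure=0: adb shell runs as root"))
    elif adb_tcp:
        findings.append(("high", f"adb listens on TCP port {port}"))
    # Assumption: ro.debuggable is a standard property not named in the talk.
    if props.get("ro.debuggable") == "1":
        findings.append(("medium", "ro.debuggable=1: debuggable build"))
    return findings

def world_writable(root):
    """List files and directories under an unpacked /system tree that anyone can write."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

# Constructed sample property text, not taken from any real ROM.
SAMPLE_PROPS = """\
ro.secure=0
ro.debuggable=1
service.adb.tcp.port=5555
"""
```

Run audit_props(parse_props(...)) on the property files pulled out of a ROM's boot image, and world_writable() on its unpacked /system directory, before flashing.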

Slide 22

Are you Insecure Demo

Slide 23

About Me
Anant Shrivastava
CEH, RHCE
Interested in Android, Linux, Web 2.0
Member of Null and G4H
● Email: anant@anantshri.info
● Web: http://anantshri.info
● Blog: http://blog.anantshri.info