Escolar Documentos
Profissional Documentos
Cultura Documentos
Permissions
Anthony Hewins and Maria McCulley
Outline:
Problem
Objectives
Motivation
Device ID information
Device ID information and SMS privileges
Device ID information and Location
Device ID information, SMS privileges, and Location
Possible solutions
Overview of Android
If you want access certain sensitive things on the device like phone number,
you have to ask permission from the user.
Google Bouncer
GOOGLE BOUNCER
(Obvious bad intentions)
Google Bouncer
GOOGLE BOUNCER
(Obvious bad intentions)
Bouncer overall
TelephonyManager x = (TelephonyManager)
getSystemService(Context. TELEPHONY_SERVICE);
String phoneNumber = x.getLine1Number(); //Got the phone #
send(output);
//Just stole your phone number, and you didn't even know it
//and Google cant stop them
Device information.
SMS privileges.
Location.
Permissions: Device ID
Device ID information:
Allows read only access to phone state, including the phone number of the device,
current cellular network information, the status of any ongoing calls, and a list of
any PhoneAccounts registered on the device [1]
Basically, you can immediately figure out who someone is with this permission
and if their device is weak to certain attacks/bugs
SMS privileges:
and
READ vs RECEIVE_SMS
READ is only reading the text, RECEIVE is being able to know when a text is
received AND know its contents (and the ability to filter messages as well):
Incoming text
Broadcasting a message
Permissions: Location
Location:
Objectives
1.
2.
Create a survey paper that would thoroughly explain the dangers of device
information.
Outline potential dangers and attacks associated with device information
obtained through READ_PHONE_STATE.
3.
Motivations
The Top 20 Requested Permissions by Malicious
Apps. [5]
These statistics have been done on 1200 Apps and
show that READ_PHONE_STATE permission was
required by 1179 malicious apps.
Also, READ_SMS permission was required by 790
malicious apps, RECEIVE_SMS was required by
1179 malicious apps, and
ACCESS_FINE_LOCATION was required by 432
malicious apps.
Motivations
This data IS sensitive and should NOT be shared
Several studies have shown that malicious applications
use READ_PHONE_STATE much more frequently and that
IMEI and other information is being leaked
Many papers fail to fully explain why
Using IMEI
Using Phone Number
Using IMSI
smsStealer
If someone targets you, the IMEI is essentially the universal key needed to
unlock the profile
READ_PHONE_STATE: IMEI
Make, model, original OS, CPU, and other information about the
device
Could be used in a targeted attack
This information is revealed easily if you try to reset the password for an account that has the
phone number tied to the account
READ_PHONE_STATE: IMSI
Utilize IMSI and IMSI catcher to obtain information about a specified user,
especially location
Celebrity Example
Ex: Facebook, Twitter, T-Mobile, Yahoo mail (there are potentially infinite accounts vulnerable
to this attack, but we have confirmed these services can be exploited)
Two step verification doesnt stop it; the attacker can read that too
Only problem is those are you a robot? checks force the attacker to be there real time
Server
n
tLi
e
g
onCreate()
ely
t
a
di oss
e
m acr t)
m
I
(
nt ne
se nter
i
B
O
M
t
T
case Mobile =
isT
;
break break;
:
t
l
defau
le)
Mobi erver();
S
tell
sT
if(i
Server
Phone #
Attacker side
Forgot your password?
Enter your phone number
and well send you a
verification text:
Server
Service
with user
s account
Recovery number
rifi
e
V
y
tel
a
i
ed ross
m
(Im nt ac et)
se tern
in
Attacker side
hackAccount(77777);
// Attacker will
// automate as much
// as possible*
Attacker side
Incorrect password.
Try to reset it?
Attacker side
2.
Apps should be ONLY have access to getters in app categories that aim to
replace standard messaging apps, tools, etc. Other apps have no use for this
data and can use other identifiers that are safer (e.g. If Clash of Clans calls
getDeviceID(), it should be an immediate flag for Bouncer)
READ_PHONE_STATE is used for some basic functionality of certain apps,
but it still has sensitive data on it and so it can be abused. Split up those
methods into a new permission so its easier to make security decisions.
2.
Instead of sending a text to the phone number of the user in two step
verification, use an in-app notification if the user has the mobile app
associated with that account, which is most people (especially with social
media). This thwarts the vulnerability altogether.
Just increase the difficulty of resetting a password. This is less desirable
since its more effort, but it solves the problem. More Are you human?
prompts is one way to do this, or ask for more verification sources.
Week 5:
Week 1
Week 3
Week 2
Week 4
Week 6
Timeline
Timeline
Week 7 -Complete official
-Begin application
experimenting
-Complete proof of
concept for SMS
attack
Week 8
Week 9
-Prepare for
presentation
-Complete paper and
poster
-Analyze areas of
weakness in our
paper and revise
-Begin poster
Week 10
References
[1] https://developer.android.com/reference/android/Manifest.permission.html
[2]http://tech.firstpost.com/news-analysis/18000-phones-with-same-imei-number-sibal-39714.html
[3] T. Boksasp and E. Utnes, "Android Apps and Permissions: Security and Privacy Risks",Institutt for
telematikk, 2012.
[4] T. Isohara, K. Takemori and A. Kubota, "Kernel-based Behavior Analysis for Android Malware
Detection", 2011 Seventh International Conference on Computational Intelligence and Security, 2011.
[5] Y. Zhou and X. Jiang, "Dissecting Android Malware: Characterization and Evolution",2012 IEEE
Symposium on Security and Privacy, 2012.
Thats all
Questions?
http://reu16.weebly.com/