Classified by the cost an attacker must pay to attack the device, attack surfaces fall into the following categories:
- Remote attack surface
- Physical adjacency attack surface
- Local attack surface
- Physical attack surface
1. The remote attack surface
The largest, most dangerous, and most attractive attack surface: the attacker does not need to physically touch the victim device.
1. Networking Stacks (network protocols)
The TCP/IP protocol stack provided by the Linux kernel used by Android may introduce an attack surface:
1) The underlying Linux network protocol stack is written in C/C++, so code defects such as buffer overflows may lead to remote execution of arbitrary code.
2) During protocol processing some fields are not validated, resulting in denial of service.
Check method: code review, searching for unsafe functions.
2. Exposed Network Services
Android itself rarely exposes network services; most are exposed by applications. For example, after the Wi-Fi hotspot function is enabled, the device listens on TCP port 53.
Inspection method: obtain the exposed services by scanning with nmap or by running netstat -na | grep LISTEN locally, then analyze them.
Example: Baidu WormHole is considered a vulnerability of this kind.
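The netstat part of the inspection method above, as an added example (not code from the original page): it parses a constructed netstat -na listing and separates services bound to loopback from those reachable by other hosts, which are the ones worth following up with an nmap scan. The sample output and the function names are assumptions of this example.

```python
from typing import Dict, List

# Constructed sample of "netstat -na" output as printed on an Android shell
# (not captured from a real device).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp        0      0 192.168.43.1:53         192.168.43.20:40122     ESTABLISHED
udp        0      0 0.0.0.0:67              0.0.0.0:*
"""

# Address prefixes that are only reachable from the device itself.
LOOPBACK = ("127.", "::1")


def _split_addr(addr: str):
    """Split 'host:port' (IPv4 or IPv6 as netstat prints it) into host and int port."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def listening_sockets(netstat_output: str) -> List[Dict]:
    """Return listening TCP sockets plus bound UDP sockets, marking which ones
    are exposed to other hosts (bound to a non-loopback address)."""
    found = []
    for line in netstat_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith(("tcp", "udp")):
            continue  # header line or non-socket text
        proto, local = cols[0], cols[3]
        state = cols[5] if len(cols) > 5 else ""
        # TCP sockets count only in LISTEN; UDP has no state, every bound socket counts.
        if proto.startswith("tcp") and state != "LISTEN":
            continue
        host, port = _split_addr(local)
        exposed = not host.startswith(LOOPBACK)
        found.append({"proto": proto, "host": host, "port": port, "exposed": exposed})
    return found


def exposed_ports(netstat_output: str) -> List[int]:
    """Ports a host on the same network could reach; the input for a follow-up nmap scan."""
    return sorted({s["port"] for s in listening_sockets(netstat_output) if s["exposed"]})
```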
3. Mobile Technologies
This refers to the remote attack surface reached through phone-specific services that other operating systems such as Windows and Linux do not have: the cellular network services such as SMS, MMS, and telephony.
SMS and MMS services use the WAP protocol. A WAP PUSH message can carry a Service Loading request (SL message), and an SL message can invoke the USSD (Unstructured Supplementary Service Data) function to perform operations such as recharging an account or querying voicemail.
USSD command: when you type certain digits or symbols predefined by the network on the phone keypad, such as sequences beginning with *#, and press the send (dial) key, a command is sent to the network, and the network selects the service you requested according to that command. USSD can be used to make calls, modify the PUK, and so on. http://baike.baidu.com/link?url=ImBFOug4QRZFJHhypYHxY1i2ZPzzsgQw5Fq-LhWuGD1Bmcvry02IMXqG3QyP7sgZ
WAP PUSH: service information or push information, a special format of short message.
WAP Push has two content types: SI (Service Indication) and SL (Service Loading). Both exist to deliver a URL to the phone. SI sends a notification, warning, reminder or similar message to the phone asynchronously; the user sees the notification text on the screen and is asked whether to visit the page, and if they agree the phone launches the WAP browser, opens the link and displays its contents. SL sends a URL to the phone directly; the phone gives the user no prompt, automatically starts the WAP micro-browser, downloads the content at the URL and displays it, so it feels as if a page has been pushed onto the phone. MMS is implemented with this mechanism. The known attack is that sending an SL command whose URL starts with tel:// can trigger a phone call. http://www.cnblogs.com/edward259/archive/2010/01/29/1659415.html
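A hardened receiver for the SI/SL messages described above, written as an added example (not code from the original page or from any platform): it assumes the WAP Push body has already been decoded from WBXML into its textual XML form, and the scheme allow-list policy is an assumption of this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict

# Schemes a Service Loading message may auto-load. tel:, sms: and anything else
# fall outside the allow-list, so they can never be acted on without the user.
SAFE_SCHEMES = {"http", "https"}

# Constructed WAP Push bodies in their textual (decoded WBXML) form; not real captures.
SL_HTTP = '<sl href="http://example.com/update.wml" action="execute-high"/>'
SL_TEL = '<sl href="tel://0123456789" action="execute-high"/>'
SI_NOTICE = ('<si><indication href="http://example.com/news" action="signal-high">'
             'New content available</indication></si>')


def decide_wap_push(body: str) -> Dict[str, str]:
    """Classify a WAP Push message and return the action a hardened handler takes.

    Policy (an assumption of this example, not a platform rule):
      - SI: never auto-open; always show the text and ask the user.
      - SL: auto-load only http(s) URLs; any other scheme is dropped, so an
            SL pointing at tel:// cannot place a call silently.
    """
    root = ET.fromstring(body)
    if root.tag == "sl":
        kind, href = "SL", root.get("href", "")
    elif root.tag == "si":
        ind = root.find("indication")
        kind, href = "SI", (ind.get("href", "") if ind is not None else "")
    else:
        return {"kind": "unknown", "href": "", "scheme": "", "action": "drop"}
    scheme = href.split(":", 1)[0].lower() if ":" in href else ""
    if kind == "SI":
        action = "prompt"          # user decides, nothing is fetched automatically
    elif scheme in SAFE_SCHEMES:
        action = "load"            # the only case where the browser is started unattended
    else:
        action = "drop"            # tel:, sms:, unknown or missing scheme
    return {"kind": kind, "href": href, "scheme": scheme, "action": action}
```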
4. Client-side Attack Surface
The remote attack surface introduced by apps installed on Android or by services (apps) provided by the system.
4.1 Browser Attack Surface
The main threats are URL phishing, MitM, XSS, and CSRF.
Before Android 4.1 the stock Android Browser was used; before 4.4, Chrome for Android; from 4.4 on, a Chromium-based web browser (libwebview-chromium.so lives in the framework layer and provides the API for upper-layer applications; because it is updated together with the framework, updates are slow and it is vulnerable to half-day attacks).
In addition, other third-party browsers present an attractive attack surface because of their vulnerabilities.
4.2 Web-Powered Mobile Apps (web engine mobile applications)
An attractive attack surface is created by WebView technology. Attacks that exploit WebView include addJavascriptInterface abuse and Android ad networks, as well as XSS, CSRF and similar issues inside the client's WebView.
4.3 Others
These include:
- Ad Networks
- Media and document processing (open source libraries for processing images and documents, such as libpng and libjpeg; this includes the recent PNG attacks and the Stagefright attacks)
- Electronic Mail
- Google Infrastructure (Google infrastructure services)
- Google Play
- Third-Party App Ecosystems
2. Physical Adjacency (physical adjacency attack surface)
Broadly speaking this is also a kind of remote attack, but its range is limited. It includes:
- GPS
1. The user's location information is abused by the APP, revealing the user's privacy
2. GPS spoofing: Sending false GPS signals leads to wrong positioning of the GPS device
- Baseband
Baseband processing chip (CP) and the android.telephony protocol stack
1. Fake base station
2. Attacks on the RIL layer, using related hardware and software such as USRP, BladeRF, and the open source protocol stack Osmocom
- Bluetooth
Bluetooth contains nearly 30 profiles; each profile describes one Bluetooth function.
For example:
1. HFP (Hands-Free Profile) / HSP (Headset Profile): defines how to control the microphone, external amplifier and other peripherals
2. FTP (File Transfer Profile)
3. DUN (Dial-up Networking Profile)
4. HID (Human Interface Device Profile)
5. AVRCP (Audio/Video Remote Control Profile)
Possible attack methods: Bluejacking, Bluesnarfing, Bluebugging
Protocol stacks used: L2CAP/RFCOMM; since Android 4.2 the Bluedroid stack is used, exporting its API interfaces to the upper layers at the framework layer.
https://source.android.com/devices/bluetooth.html
- Wi-Fi
Function points: connecting to the Internet, Wi-Fi Direct
Protocols and algorithms: WEP, WPA, WPA2; open source protocol stack: wpa_supplicant
Possible attacks: rogue hotspot, MITM
- NFC
Reading tags, data transfer (Beam), mobile payment
Calling relationship: physical NFC chip -> kernel: libpn544_fs.so -> native: libnfc_jni.so, libnfc.so, libnfc_ndef.so -> framework: com.android.nfc -> upper-layer app
3. Local attack surface
The attacker achieves the attack by installing a local app.
Exploring the file system
File system access permission settings, SUID/SGID settings, owner settings
Inspection tools: adb shell and Canhazaxs
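A Canhazaxs-style permission check, added here as an example (not the Canhazaxs tool's own code): it evaluates the DAC permission bits of files for a different uid and group set, which is the question asked when checking what a third-party app's uid could read or write, and flags SUID/SGID and world-writable files. The uid/gid values in the comments and tests are constructed, and the scan assumes it runs as a user able to stat the tree (for example as root over adb shell).

```python
import os
import stat
from typing import Iterable, List, Tuple


def can_access(mode: int, owner: int, group: int, uid: int, gids: Iterable[int], want: str) -> bool:
    """Evaluate the classic owner/group/other bits for a caller that is not us.

    want is "r", "w" or "x". Mirrors the kernel's precedence: the first matching
    class (owner, then group, then other) decides and later classes are not
    consulted. uid 0 is not special-cased, so this is the DAC-bits-only view;
    SELinux and the Android sdcard FUSE layer can further restrict access.
    """
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == owner:
        shift = 6
    elif group in set(gids):
        shift = 3
    else:
        shift = 0
    return bool((mode >> shift) & bit)


def special_bits(mode: int) -> List[str]:
    """Tags worth reviewing regardless of who asks: suid, sgid, world-writable regular file."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("suid")
    if mode & stat.S_ISGID:
        flags.append("sgid")
    if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


def scan(root: str, uid: int, gids: Iterable[int]) -> List[Tuple[str, List[str]]]:
    """Walk root and report suid/sgid/world-writable files plus files the given
    uid/gids (e.g. a constructed app uid 10050 with gids [10050, 1015]) could write."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entries are skipped, not treated as findings
            tags = special_bits(st.st_mode)
            if can_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, "w"):
                tags.append("writable-by-target")
            if tags:
                hits.append((path, tags))
    return hits
```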
Application life cycle
Attack surfaces introduced during the application life cycle:
Install
Attack surface introduced during installation, such as the over-long application name attack, malformed AndroidManifest.xml tags, the APK occupancy attack, signature vulnerabilities, etc.
Run
Attack surface introduced while the application runs
Backup
Attack surface introduced during application backup and restore, such as the ALLOW-BACKUP vulnerability
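A manifest check covering the install and backup items above, added as an example (not code from the original page): it reads a constructed AndroidManifest.xml and reports allowBackup, debuggable, and components exported without a guarding permission. The manifest content and function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(name: str) -> str:
    """Qualified name of an android: attribute, as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, name)


# Constructed manifest carrying the weak settings this section describes (not a real app).
WEAK_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <application android:label="Notes" android:allowBackup="true" android:debuggable="true">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes"
              android:exported="true" android:readPermission="com.example.READ"/>
  </application>
</manifest>
"""

COMPONENTS = ("activity", "service", "receiver", "provider")


def manifest_findings(manifest_xml: str) -> List[str]:
    """Report lifecycle attack surface visible in the manifest: backup/restore
    exposure, debuggable builds, and components any local app can reach because
    they are exported without a guarding permission."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    out = []
    # allowBackup defaults to true when the attribute is absent, so that case is reported too.
    if app.get(_a("allowBackup"), "true") == "true":
        out.append("allowBackup enabled: app data can be copied out and restored with adb backup")
    if app.get(_a("debuggable")) == "true":
        out.append("debuggable build: a local user can attach a debugger to the process")
    for comp in app:
        if comp.tag not in COMPONENTS:
            continue
        name, exported = comp.get(_a("name")), comp.get(_a("exported"))
        # Without an explicit android:exported, a component that declares an
        # intent-filter is exported by default (the rule for older target API levels).
        if exported is None and comp.find("intent-filter") is not None:
            exported = "true"
        guarded = any(comp.get(_a(p)) for p in ("permission", "readPermission", "writePermission"))
        if exported == "true" and not guarded:
            out.append("%s %s is exported without a permission" % (comp.tag, name))
    return out
```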
Finding other local attack surfaces
System calls
Defined with "SYSCALL_DEFINE" in the kernel source code
Sockets
Malicious socket calls
Binder
Shared Memory
Baseband Interface
Attacking Hardware Support Services
API
Java Native Interface
Malicious JNI calls, JNI DoS
AIDL service Calls
TrustZone proxy
The TrustZone proxy is the component that links the non-secure world and the secure world
CDEV file_operations
The interface of a driver node is defined in file_operations in the driver source code, such as open/write/read/mmap/ioctl
4. Physical attack surface
USB, adb, etc.
Reference: http://colbert337.github.io/2015/08/24/android-attack-surface/