

Questions about Android's security model

October 6, 2010

This article was contributed by Nathan Willis

Mobile device security has become a hot topic in recent years as always-on network connectivity has become widespread for smartphone users. Security holes in the operating system itself are certainly an issue, but the bigger threat seems to come from third-party applications distributed widely through web stores and marketplaces. Although Google's Android platform isolates applications from one another and enforces a rigid permission system, a series of recent events has called into question whether that security model offers significant protection against malicious third-party code.

A "traditional" take on Android's application security model is the one described in a blog post that contrasts the Android Market with Apple's App Store. First, Apple strictly curates which programs are accepted into, and made available through, its store, while Google does no such authoritative policing of the Android Market. On the other hand, Google, like Apple, has a remote "kill switch" with which it can deactivate rogue applications.

In addition to the distribution models, the two platforms also differ in their application permission systems. Apple alerts the user when an application attempts to use "push" notifications or to request the device's location through GPS, and the user must approve or deny each individual request. Android instead has a predefined set of permissions, and an application must declare every permission it intends to use. The user is shown the full list of an application's permission requests at install time and can review it later from a control panel. That list is long and specific, Android's defenders might say, and exposing it to the user makes Android Market applications safer than App Store downloads, which cannot be audited at all.

Granularity and transparency

Android's application permission model has its detractors, however, and they have grown louder in recent months since the discovery of two malicious applications. Jackeey was a purported wallpaper application believed to relay personal information from phones to a web site in China, and Tap Snake was an arcade-style game that secretly reported the phone's location so that it could be monitored remotely.

The trouble is that both apps requested Internet access through the Android permission system exactly as any legitimate application would; they simply used that permission to harvest data secretly and upload it to a third party. Simson Garfinkel described this on the MIT Technology Review site as a granularity problem, because "although Android programs are required to tell the user which permissions they use, that doesn't explain what the apps actually do with these permissions."

Garfinkel went on to detail his experience asking for explanations from developers whose applications seemingly requested permissions that had nothing to do with their intended purpose. A battery-saving wallpaper application, for example, requested "the ability to modify or delete SD card contents, full Internet access, and the ability to read my phone's state and identity." In only one case did Garfinkel receive a reply from the application developer, who claimed that Internet access was required to register the program.

He pointed Android users to TaintDroid, a possible solution that will be presented at the USENIX Symposium on Operating Systems Design and Implementation (OSDI). Developed by a team from Penn State, Duke University, and Intel Labs, TaintDroid allows fine-grained monitoring of personal information and other data accessed by Android applications. It works by labeling ("tainting") data as it is read from sensitive sources on the phone (phone number, IMEI number, SIM card ID, GPS location, camera, microphone, etc.), following those labels through the Dalvik VM as the data is copied and transformed, and recording when tainted data is about to be transmitted off the phone; notifications detailing the traffic are sent to the phone's notification bar.

The code has not yet been released, but the project says it will be made available under an open source license, and interested users can email the project to be notified of the release. The team explains on its landing page that TaintDroid was implemented not as a stand-alone application but as a ROM customization, since it modifies the Dalvik VM and core system libraries and therefore has to ship as part of a firmware image. When the code is released, however, it may find its way into a stand-alone application or be incorporated into community-maintained Android distributions.

No opt-out

Sam Watkins also argues that too many applications request blanket permissions beyond what they really need, noting that almost all of the top 20 Android Market games request full Internet access and GPS location. He also points out that, although Android does a good job of revealing to the user which permissions an application has requested, it offers no way for the user to deny individual requests. In short, if you do not like the set of permissions an application requests, your only recourse is not to install it.

He also points out that although Android "sandboxes" individual applications by running each one under its own Linux user ID (so that applications cannot read each other's private files), every application has full read access to the phone's flash storage card, which serves as the general data storage area. Worse, for backward-compatibility reasons, any application can declare that it targets API level 3 or lower (Android 1.5 and earlier, which predate the separate WRITE_EXTERNAL_STORAGE permission) and is thereby granted write/erase permission over the flash storage; neither this implicit request nor its consequences are revealed to the user at install time.
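As an added example (not code from the article, from TaintDroid, or from Droid Wall) of the install-time audit that Garfinkel and Watkins describe, and of the implicit grant just discussed: the following Python reads a decoded AndroidManifest.xml, lists the permissions it declares, flags those that expose personal data or a path off the phone, and reports the permissions the platform grants without ever showing them because the app targets API level 3 or lower. The manifest, the package name and the "sensitive" subset are constructed for the example; the fallback rules (targetSdkVersion defaults to minSdkVersion, which defaults to 1) are Android's documented behaviour.

```python
"""Audit a decoded AndroidManifest.xml for requested and implicitly granted
permissions.  Added example; not code from TaintDroid, Droid Wall or Google.
Assumes a plain-text manifest (as apktool or similar decoders produce); the
sample manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_TARGET = "{%s}targetSdkVersion" % ANDROID_NS
A_MIN = "{%s}minSdkVersion" % ANDROID_NS

# Illustrative subset of permissions that expose personal data or a network
# path out of the phone; not Android's complete "dangerous" list.
SENSITIVE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Introduced in API level 4 (Android 1.6).  An app targeting API level 3 or
# lower is granted these implicitly, and the install screen does not list them.
IMPLICIT_BELOW_API_4 = {
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
}


def effective_target_sdk(root):
    """targetSdkVersion, else minSdkVersion, else 1 (Android's own defaults)."""
    sdk = root.find("uses-sdk")
    if sdk is None:
        return 1
    raw = sdk.get(A_TARGET) or sdk.get(A_MIN)
    return int(raw) if raw else 1


def audit_manifest(manifest_xml):
    """Return what the install-time screen shows and what it silently omits."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(A_NAME) for e in root.iter("uses-permission") if e.get(A_NAME)}
    target = effective_target_sdk(root)
    implicit = IMPLICIT_BELOW_API_4 - declared if target < 4 else set()
    return {
        "package": root.get("package"),
        "target_sdk": target,
        "declared": sorted(declared),
        "sensitive": sorted(declared & SENSITIVE),
        "implicit": sorted(implicit),   # granted, but never shown to the user
    }


# Constructed sample: a "wallpaper" app that targets Android 1.5 (API level 3)
# and so quietly gains write/erase access to the SD card.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
    <uses-sdk android:minSdkVersion="3" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <application android:label="Wallpaper" />
</manifest>
"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print("%-11s %s" % (key + ":", value))
```

Run against a real app by decoding the APK first (apktool or an equivalent tool emits the manifest as plain XML); the binary AndroidManifest.xml inside an APK is not text and this script does not parse it.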

None of the preceding privacy violations or attacks requires any escalation of privilege: the application requests the permissions it wants, and if the user installs it, he or she is immediately exposed. But Watkins also warns of possible attacks based on gaining root access, citing a demonstration example created by Jon Oberheide.

Watkins recommends two responses to the current situation. First, he suggests voting for issue 10481 in the official Android bug tracker, an enhancement request for a way to limit applications' Internet access. At present, the issue has more than 1300 votes.

Second, he recommends installing the Droid Wall firewall application on any (rooted) Android device. Droid Wall is an iptables front end for Android: it builds on the Linux kernel's existing netfilter packet filtering and lets the user write blacklist or whitelist firewall rules through a simple GUI. Because Android runs each application under its own user ID, netfilter's owner match can attribute outgoing packets to the application that sent them, which is what makes a per-application firewall possible at all. Earlier versions of Droid Wall required a separate iptables binary to be installed, but since 1.4.0 it has been bundled with Droid Wall itself.

The Droid Wall developers primarily advertise the application as a way to reduce battery and mobile data usage, blocking particular applications from repeatedly using the connection or initiating unwanted transfers. When installed, it automatically collects a list of the other applications installed on the phone, and presents them in a user-friendly checklist; the user can then uncheck any application to block its Internet access. It also allows the user to maintain separate permission lists for WiFi and 3G data connections, and automatically switches between the two rule sets when switching to or from a WiFi hotspot.
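For a concrete picture of what a tool like Droid Wall has to do underneath its checklist, here is an added Python example (not Droid Wall's own code) that builds the per-application rule set: one chain per link type, jumped to from OUTPUT for each interface of that type, with owner-match rules keyed on each application's UID. Interface names, chain names and the UIDs used in the demonstration are assumptions for the example; real devices differ.

```python
"""Per-application firewalling on Android, in the style of Droid Wall.

Added example; not Droid Wall's code.  Android gives each installed app its
own Linux UID, so netfilter's owner match (-m owner --uid-owner) identifies
the sending application in the OUTPUT chain.  Interface and chain names are
assumptions for the example (check /proc/net/dev on the device)."""
import subprocess

WIFI_IFACES = ("wlan0", "tiwlan0", "eth0")     # assumed WiFi interface names
MOBILE_IFACES = ("rmnet0", "rmnet1", "ppp0")   # assumed mobile-data interface names
CHAINS = (("droidwall-wifi", WIFI_IFACES), ("droidwall-3g", MOBILE_IFACES))
HOUSEKEEPING = ("-N", "-D")   # these may fail harmlessly on reload


def build_rules(policy, wifi_uids, mobile_uids):
    """Return the iptables commands (argv lists) that implement the policy.

    "whitelist": only the listed UIDs may send on that link type.
    "blacklist": the listed UIDs are blocked; everything else may send.
    """
    if policy not in ("whitelist", "blacklist"):
        raise ValueError("policy must be 'whitelist' or 'blacklist'")
    per_uid_target = "ACCEPT" if policy == "whitelist" else "REJECT"
    rules = []
    for chain, ifaces in CHAINS:
        uids = wifi_uids if chain == "droidwall-wifi" else mobile_uids
        rules.append(["iptables", "-N", chain])   # fails if it already exists: fine
        rules.append(["iptables", "-F", chain])   # rebuild the chain from scratch
        for iface in ifaces:
            # delete-then-append keeps the OUTPUT jump from piling up on each reload
            rules.append(["iptables", "-D", "OUTPUT", "-o", iface, "-j", chain])
            rules.append(["iptables", "-A", "OUTPUT", "-o", iface, "-j", chain])
        for uid in uids:
            rules.append(["iptables", "-A", chain, "-m", "owner",
                          "--uid-owner", str(uid), "-j", per_uid_target])
        if policy == "whitelist":
            # Caveat: system UIDs (0 root, 1000 system) must be listed explicitly
            # or their traffic is rejected too; Droid Wall shows them as pseudo-apps.
            rules.append(["iptables", "-A", chain, "-j", "REJECT"])
    return rules


def apply_rules(rules, run=subprocess.run):
    """Run the rules (needs root on the phone).  Returns the argv lists that
    failed, ignoring the -N/-D housekeeping commands that may fail by design."""
    failures = []
    for argv in rules:
        if run(argv).returncode != 0 and argv[1] not in HOUSEKEEPING:
            failures.append(argv)
    return failures


if __name__ == "__main__":
    # Assumed UIDs: 10042 is a game allowed on WiFi only; nothing may use 3G.
    for argv in build_rules("whitelist", wifi_uids=[10042], mobile_uids=[]):
        print(" ".join(argv))
```

The owner match only sees packets that originate from a local socket, so it is the right tool for this job but not a general ingress filter; and because Android apps resolve DNS in-process, a blocked UID loses name resolution along with everything else, which is exactly what the whitelist intends.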

The PC security crowd moves in

The Jackeey and Tap Snake incidents raised the profile of Android security problems a few months ago, and major players in the proprietary desktop security market have swept in: Symantec unveiled two Android-specific security suites in recent weeks, one under its Norton brand and one under the Symantec name. Both tackle common "device" security issues, such as on-disk encryption and securing or retrieving data in the event of device loss or theft. The Norton product targets home users, while the Symantec product targets enterprise deployments.

Neither addresses the problems created by Android's all-or-nothing application permission requests or the lack of transparency in how applications exercise those permissions. For that, Droid Wall and (when it becomes available) TaintDroid used in tandem may provide the best protection. The TaintDroid team presents its OSDI paper on Wednesday, October 6, but a PDF version is already available on the project's web site.

The paper makes for interesting reading, including the results of a survey of the permissions exercised by 30 popular Android applications. Many, it seems, request permissions that they never exercise, or at least have not exercised yet. A similar survey conducted by SMobile of more than 48,000 Android applications found that 21 percent requested permission to read private or sensitive information from the phone, and many others "have the ability to read or use the authentication credentials from another service or application," place calls without user interaction, or commit other potential security breaches.

Google has not officially responded to the published criticism of Android's application permission system. Bug 10481, while it has received a significant number of comments, has not been assigned. Hopefully the widespread release of TaintDroid will at least raise awareness of the issue among general Android users. In the meantime, at least the availability of the Android source code makes solutions like TaintDroid and Droid Wall possible.


Brief items

Security quotes of the week

Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters' secret ballots.
-- J. Alex Halderman on finding a hole in an internet voting system

In the United States the 4th amendment did not come about simply because it was impractical to directly spy on everyone on such a large scale. Nor does it end simply because it may now be technically feasible to do so. Communication privacy furthermore is essential to the normal functioning of free societies, whether speaking of whistle-blowers, journalists who have to protect their sources, human rights and peace activists engaging in legitimate political dissent, workers engaged in union organizing, or lawyers who must protect the confidentiality of their privileged communications with clients. Privacy is ultimately about liberty while surveillance is always about control.
-- David Sugar in an open letter to the Obama administration

It's bad civic hygiene to build technologies that could someday be used to facilitate a police state. No matter what the eavesdroppers say, these systems cost too much and put us all at greater risk.
-- Bruce Schneier


Some Android apps caught covertly sending GPS data to advertisers (ars technica)

Ars technica is reporting that some Android applications are surreptitiously sending GPS coordinates and other information to advertisers. The information comes from a recent study done by researchers from Penn State, Duke University, and Intel Labs. "They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user's location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy."


New vulnerabilities

apr-util: denial of service

Package(s): apr-util    CVE #(s): CVE-2010-1623
Created: October 4, 2010    Updated: August 2, 2011
Description: From the Mandriva advisory:

A denial of service attack against apr_brigade_split_line() was discovered in apr-util

Gentoo 201405-24 apr 2014-05-18
SUSE SUSE-SU-2011:1229-1 apache2 2011-11-09
openSUSE openSUSE-SU-2011:0859-1 libapr1 2011-08-02
Slackware SSA:2011-041-03 httpd 2011-02-11
Slackware SSA:2011-041-01 apr-util 2011-02-11
CentOS CESA-2010:0950 apr-util 2011-01-27
Red Hat RHSA-2010:0950-01 apr-util 2010-12-07
Ubuntu USN-1022-1 apr-util 2010-11-25
Ubuntu USN-1021-1 apache2 2010-11-25
Fedora FEDORA-2010-16178 apr-util 2010-10-13
Fedora FEDORA-2010-15916 apr-util 2010-10-08
Fedora FEDORA-2010-15953 apr-util 2010-10-08
Debian DSA-2117-1 apr-util 2010-10-04
Mandriva MDVSA-2010:192 apr-util 2010-10-02


freetype: code execution

Package(s): freetype    CVE #(s): CVE-2010-3054 CVE-2010-3311
Created: October 5, 2010    Updated: January 20, 2011
Description: From the Red Hat advisory:

A stack overflow flaw was found in the way the FreeType font rendering engine processed PostScript Type 1 font files that contain nested Standard Encoding Accented Character (seac) calls. If a user loaded a specially-crafted font file with an application linked against FreeType, it could cause the application to crash. (CVE-2010-3054)

It was discovered that the FreeType font rendering engine improperly validated certain position values when processing input streams. If a user loaded a specially-crafted font file with an application linked against FreeType, and the relevant font glyphs were subsequently rendered with the X FreeType library (libXft), it could trigger a heap-based buffer overflow in the libXft library, causing the application to crash or, possibly, execute arbitrary code with the privileges of the user running the application. (CVE-2010-3311)

SUSE SUSE-SU-2012:0553-1 freetype2 2012-04-23
Gentoo 201201-09 freetype 2012-01-23
MeeGo MeeGo-SA-10:31 freetype 2010-10-09
Red Hat RHSA-2010:0864-02 freetype 2010-11-10
Ubuntu USN-1013-1 freetype 2010-11-04
Fedora FEDORA-2010-15785 freetype 2010-10-05
Mandriva MDVSA-2010:201 freetype2 2010-10-13
CentOS CESA-2010:0736 freetype 2010-10-05
CentOS CESA-2010:0737 freetype 2010-10-04
Fedora FEDORA-2010-15705 freetype 2010-10-05
CentOS CESA-2010:0737 freetype 2010-10-05
Debian DSA-2116-1 freetype 2010-10-04
Red Hat RHSA-2010:0737-01 freetype 2010-10-04
SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25
openSUSE openSUSE-SU-2010:0726-1 freetype2 2010-10-15
Red Hat RHSA-2010:0736-01 freetype 2010-10-04


krb5: code execution

Package(s): krb5    CVE #(s): CVE-2010-1322
Created: October 6, 2010    Updated: November 11, 2010
Description: The MIT krb5 KDC (Key Distribution Center) daemon can be made to dereference an uninitialized pointer, leading to a crash and, possibly, arbitrary code execution. See the SecurityFocus entry for more information.
Gentoo 201201-13 mit-krb5 2012-01-23
Red Hat RHSA-2010:0863-02 krb5 2010-11-10
Mandriva MDVSA-2010:202-1 krb5 2010-11-02
Mandriva MDVSA-2010:202 krb5 2010-10-13
Ubuntu USN-999-1 krb5 2010-10-05
openSUSE openSUSE-SU-2010:0709-1 krb5 2010-10-11
SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25


libesmtp: certificate spoofing

Package(s): libesmtp    CVE #(s): CVE-2010-1192 CVE-2010-1194
Created: October 5, 2010    Updated: October 6, 2010
Description: From the Mandriva advisory:

libESMTP, probably 1.0.4 and earlier, does not properly handle a '\0' (NUL) character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408 (CVE-2010-1192).

The match_component function in smtp-tls.c in libESMTP 1.0.3.r1, and possibly other versions including 1.0.4, treats two strings as equal if one is a substring of the other, which allows remote attackers to spoof trusted certificates via a crafted subjectAltName (CVE-2010-1194).
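Both flaws come down to how a certificate's name is compared with the hostname the client intended to reach: one reads the name as a C string and stops at an embedded NUL, the other accepts a substring as a match. The following Python is an added example that models the two bugs as the advisory describes them (it is not libESMTP's code) and puts them beside a strict matcher; the certificate names are constructed. The NUL case matters because a CA that validates ownership of attacker.net could legitimately sign a certificate whose CN is "bank.com\0.attacker.net"; only the part before the NUL reaches a C string comparison.

```python
"""Certificate hostname matching: the two libESMTP-class mistakes beside a
strict matcher.  Added example modelling the advisory's description; not
libESMTP's code.  All names below are constructed."""


def c_string(name):
    """What a C string comparison sees: everything up to the first NUL."""
    return name.split("\0", 1)[0]


def flawed_match_component(pattern, label):
    # CVE-2010-1194 as described: labels "match" if either is a substring of the other.
    if pattern == "*":
        return True
    return pattern in label or label in pattern


def flawed_hostname_match(cert_name, hostname):
    # CVE-2010-1192 class: the CN is handled as a C string, so
    # "bank.com\0.attacker.net" collapses to "bank.com" before comparison.
    cert_labels = c_string(cert_name).split(".")
    host_labels = hostname.split(".")
    if len(cert_labels) != len(host_labels):
        return False
    return all(flawed_match_component(p, h) for p, h in zip(cert_labels, host_labels))


def strict_match_component(pattern, label):
    """Exact, case-insensitive comparison; '*' matches exactly one whole label."""
    if pattern == "*":
        return label != ""
    return "*" not in pattern and pattern.lower() == label.lower()


def strict_hostname_match(cert_name, hostname):
    """Hardened form: reject NULs, require equal label counts, confine wildcards."""
    # An embedded NUL means the name the CA signed is not the name being compared.
    if "\0" in cert_name or not cert_name or not hostname:
        return False
    cert_labels = cert_name.split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(cert_labels) != len(host_labels) or "" in cert_labels or "" in host_labels:
        return False
    # Wildcard only as the whole left-most label, and never as a bare "*.tld".
    if "*" in cert_labels[1:] or (cert_labels[0] == "*" and len(cert_labels) < 3):
        return False
    return all(strict_match_component(p, h) for p, h in zip(cert_labels, host_labels))


if __name__ == "__main__":
    for cert, host in (("bank.com\0.attacker.net", "bank.com"), ("a.co", "bank.com")):
        print(repr(cert), "->", host, "flawed:", flawed_hostname_match(cert, host),
              "strict:", strict_hostname_match(cert, host))
```

Note that the substring bug needs no NUL trick: a certificate legitimately issued for a short name such as a.co satisfies the flawed per-label check for bank.com, since "a" is a substring of "bank" and "co" of "com".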

Mandriva MDVSA-2010:195 libesmtp 2010-10-04


mailman: cross-site scripting

Package(s): mailman    CVE #(s): CVE-2010-3089
Created: October 4, 2010    Updated: May 17, 2011
Description: From the Mandriva advisory:

Multiple cross-site scripting (XSS) vulnerabilities in GNU Mailman before 2.1.14rc1 allow remote authenticated users to inject arbitrary web script or HTML via vectors involving (1) the list information field or (2) the list description field.

SUSE SUSE-SR:2011:007 NetworkManager, OpenOffice_org, apache2-slms, dbus-1-glib, dhcp/dhcpcd/dhcp6, freetype2, kbd, krb5, libcgroup, libmodplug, libvirt, mailman, moonlight-plugin, nbd, openldap2, pure-ftpd, python-feedparser, rsyslog, telepathy-gabble, wireshark 2011-04-19
CentOS CESA-2011:0307 mailman 2011-04-14
openSUSE openSUSE-SU-2011:0312-1 mailman 2011-04-07
SUSE SUSE-SR:2011:009 mailman, openssl, tgt, rsync, vsftpd, libzip1/libzip-devel, otrs, libtiff, kdelibs4, libwebkit, libpython2_6-1_0, perl, pure-ftpd, collectd, vino, aaa_base, exim 2011-05-17
openSUSE openSUSE-SU-2011:0424-1 mailman 2011-05-03
CentOS CESA-2011:0307 mailman 2011-03-02
Red Hat RHSA-2011:0308-01 mailman 2011-03-01
Red Hat RHSA-2011:0307-01 mailman 2011-03-01
Ubuntu USN-1069-1 mailman 2011-02-22
Debian DSA-2170-1 mailman 2011-02-18
Fedora FEDORA-2010-14877 mailman 2010-09-17
Fedora FEDORA-2010-14834 mailman 2010-09-17
Mandriva MDVSA-2010:191 mailman 2010-10-01


mantis: multiple cross-site scripting flaws

Package(s): mantis    CVE #(s): CVE-2010-2574 CVE-2010-3303
Created: September 30, 2010    Updated: November 9, 2012
Description: From the Red Hat bugzilla entries [1, 2]:

CVE-2010-2574: Cross-site scripting (XSS) vulnerability in manage_proj_cat_add.php in MantisBT 1.2.2 allows remote authenticated administrators to inject arbitrary web script or HTML via the name parameter in an Add Category action.

CVE-2010-3303: XSS vulnerability when uninstalling maliciously named plugins; Multiple XSS issues with custom field enumeration values; XSS issues when using custom field String values; XSS in print_all_bug_page_word.php when printing project and category names

Gentoo 201211-01 mantisbt 2012-11-08
Fedora FEDORA-2010-15082 mantis 2010-09-22
Fedora FEDORA-2010-15080 mantis 2010-09-22


mysql: multiple vulnerabilities

Package(s): mysql    CVE #(s): CVE-2010-3676 CVE-2010-3677 CVE-2010-3678 CVE-2010-3679 CVE-2010-3680 CVE-2010-3681 CVE-2010-3682 CVE-2010-3683
Created: October 5, 2010    Updated: January 19, 2011
Description: From the Fedora advisory:

Bug #628660 - CVE-2010-3676 MySQL: mysqld DoS (assertion failure) after changing InnoDB storage engine configuration parameters (MySQL bug #55039)

Bug #628040 - CVE-2010-3677 MySQL: Mysqld DoS (crash) by processing joins involving a table with a unique SET column (MySQL BZ#54575)

Bug #628172 - CVE-2010-3678 MySQL: mysqld DoS (crash) by processing IN / CASE statements with NULL arguments (MySQL bug #54477)

Bug #628062 - CVE-2010-3679 MySQL: Use of unassigned memory (valgrind errors / crash) by providing certain values to BINLOG statement (MySQL BZ#54393)

Bug #628192 - CVE-2010-3680 MySQL: mysqld DoS (assertion failure) by using temporary InnoDB engine tables with nullable columns (MySQL bug #54044)

Bug #628680 - CVE-2010-3681 MySQL: mysqld DoS (assertion failure) by alternate reads from two indexes on a table using the HANDLER interface (MySQL bug #54007)

Bug #628328 - CVE-2010-3682 MySQL: mysqld DoS (crash) by processing EXPLAIN statements for complex SQL queries (MySQL bug #52711)

Bug #628698 - CVE-2010-3683 MySQL: mysqld DoS (assertion failure) while reading the file back into a table (MySQL bug #52512)

Ubuntu USN-1397-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2012-03-12
Gentoo 201201-02 mysql 2012-01-05
Red Hat RHSA-2011:0164-01 mysql 2011-01-18
Mandriva MDVSA-2011:012 mysql 2011-01-17
Debian DSA-2143-1 mysql-dfsg-5.0 2011-01-14
SUSE SUSE-SR:2010:021 mysql, dhcp, monotone, moodle, openssl 2010-11-16
Ubuntu USN-1017-1 mysql-5.1, mysql-dfsg-5.0, mysql-dfsg-5.1 2010-11-11
Mandriva MDVSA-2010:222 mysql 2010-11-09
Mandriva MDVSA-2010:155-1 mysql 2010-11-08
CentOS CESA-2010:0825 mysql 2010-11-05
CentOS CESA-2010:0824 mysql 2010-11-05
Red Hat RHSA-2010:0825-01 mysql 2010-11-03
Red Hat RHSA-2010:0824-01 mysql 2010-11-03
openSUSE openSUSE-SU-2010:0730-1 mysql 2010-10-18
SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25
openSUSE openSUSE-SU-2010:0731-1 mysql 2010-10-18
Fedora FEDORA-2010-15166 mysql 2010-09-24


php-pecl-apc: cross-site scripting

Package(s): php-pecl-apc    CVE #(s): CVE-2010-3294
Created: September 30, 2010    Updated: July 10, 2012
Description: From the Red Hat bugzilla entry:

A potential Cross Site Scripting (XSS) vulnerability was found in the PECL APC package in versions prior to 3.1.4

CentOS CESA-2012:0811 php-pecl-apc 2012-07-10
Scientific Linux SL-php--20120709 php-pecl-apc 2012-07-09
Oracle ELSA-2012-0811 php-pecl-apc 2012-07-02
Red Hat RHSA-2012:0811-04 php-pecl-apc 2012-06-20
Fedora FEDORA-2010-15004 php-pecl-apc 2010-09-21


PostgreSQL: privilege escalation

Package(s): postgresql    CVE #(s): CVE-2010-3433
Created: October 6, 2010    Updated: November 23, 2010
Description: The PostgreSQL 9.0.1, 8.4.5, 8.3.12, 8.2.18, 8.1.22, 8.0.26 and 7.4.30 releases fix a potential privilege escalation bug: "The security vulnerability allows any ordinary SQL users with 'trusted' procedural language usage rights to modify the contents of procedural language functions at runtime. As detailed in CVE-2010-3433, an authenticated user can accomplish privilege escalation by hijacking a SECURITY DEFINER function (or some other existing authentication-change operation). The mere presence of the procedural languages does not make your database application vulnerable."
Gentoo 201110-22 postgresql-base 2011-10-25
Red Hat RHSA-2010:0908-01 postgresql 2010-11-23
SUSE SUSE-SR:2010:020 NetworkManager, bind, clamav, dovecot12, festival, gpg2, libfreebl3, php5-pear-mail, postgresql 2010-11-03
Fedora FEDORA-2010-16004 sepostgresql 2010-10-08
openSUSE openSUSE-SU-2010:0903-1 postgresql 2010-10-27
Ubuntu USN-1002-1 postgresql-8.1, postgresql-8.3, postgresql-8.4 2010-10-07
Fedora FEDORA-2010-15954 postgresql 2010-10-08
Fedora FEDORA-2010-15960 postgresql 2010-10-08
CentOS CESA-2010:0742 postgresql 2010-10-10
Ubuntu USN-1002-2 postgresql-8.4 2010-10-07
CentOS CESA-2010:0742 postgresql 2010-10-06
SUSE SUSE-SR:2010:019 OpenOffice_org, acroread/acroread_ja, cifs-mount/samba, dbus-1-glib, festival, freetype2, java-1_6_0-sun, krb5, libHX13/libHX18/libHX22, mipv6d, mysql, postgresql, squid3 2010-10-25
Debian DSA-2120-1 postgresql-8.3 2010-10-12
Mandriva MDVSA-2010:197 postgresql 2010-10-06
Red Hat RHSA-2010:0742-01 postgresql 2010-10-06


qt-creator: insecure manipulation of environment variable

Package(s): qt-creator    CVE #(s): CVE-2010-3374
Created: October 4, 2010    Updated: October 6, 2010
Description: From the Mandriva advisory:

A vulnerability has been found in Qt Creator 2.0.0 and previous versions. The vulnerability occurs because of an insecure manipulation of a Unix environment variable by the qtcreator shell script. It manifests by causing Qt or Qt Creator to attempt to load certain library names from the current working directory.
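The advisory does not quote the script, but the usual form of this class of bug is the wrapper idiom `LD_LIBRARY_PATH=$dir:$LD_LIBRARY_PATH`: when the variable was not previously set, the result ends in a colon, and glibc's loader treats that empty trailing element as the current working directory, so any directory the user happens to launch from is searched for the program's shared libraries. The Python below is an added example (not Qt Creator's script; the sample wrapper text is constructed) that models the loader's search order for the unsafe and safe forms and includes a small scanner that flags the idiom in shell wrappers, which is how a whole batch of packages with the same defect can be found.

```python
"""Untrusted-search-path bug class: a launcher that prepends to LD_LIBRARY_PATH
unconditionally.  Added example; not Qt Creator's script.  Assumes glibc's
loader semantics, where an empty element (leading, trailing or doubled colon)
in LD_LIBRARY_PATH means the current working directory."""
import re


def search_dirs(ld_library_path, cwd="."):
    """Directories the dynamic loader will search, in order, for this value."""
    if not ld_library_path:
        return []
    return [cwd if elem == "" else elem for elem in ld_library_path.split(":")]


def unsafe_prepend(libdir, env):
    # Buggy wrapper idiom:  LD_LIBRARY_PATH=$libdir:$LD_LIBRARY_PATH
    # With the variable unset this yields "libdir:", whose empty tail is cwd.
    return libdir + ":" + env.get("LD_LIBRARY_PATH", "")


def safe_prepend(libdir, env):
    # Fixed idiom:  LD_LIBRARY_PATH=$libdir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
    existing = env.get("LD_LIBRARY_PATH")
    return libdir + ":" + existing if existing else libdir


_ASSIGN = re.compile(r"^\s*(?:export\s+)?LD_LIBRARY_PATH=(.*)$")


def find_unsafe_assignments(script_text):
    """Flag LD_LIBRARY_PATH assignments that expand the old value without the
    ${LD_LIBRARY_PATH:+...} guard.  Returns (line number, line) pairs."""
    hits = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        m = _ASSIGN.match(line)
        if not m:
            continue
        value = m.group(1)
        expands_old = "$LD_LIBRARY_PATH" in value or "${LD_LIBRARY_PATH}" in value
        guarded = "${LD_LIBRARY_PATH:+" in value
        if expands_old and not guarded:
            hits.append((lineno, line.strip()))
    return hits


# Constructed wrapper script; only line 3 is at fault.
BUGGY_SCRIPT = """#!/bin/sh
bindir=$(dirname "$0")
LD_LIBRARY_PATH=$bindir/../lib/app:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH
exec "$bindir/app.bin" "$@"
"""

FIXED_SCRIPT = BUGGY_SCRIPT.replace(
    "LD_LIBRARY_PATH=$bindir/../lib/app:$LD_LIBRARY_PATH",
    "LD_LIBRARY_PATH=$bindir/../lib/app${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}")

if __name__ == "__main__":
    print("unset, unsafe:", search_dirs(unsafe_prepend("/opt/app/lib", {})))
    print("unset, safe:  ", search_dirs(safe_prepend("/opt/app/lib", {})))
    print("scanner hits: ", find_unsafe_assignments(BUGGY_SCRIPT))
```

The scanner is deliberately simple (one assignment per line, the two common expansion spellings); it is a triage aid for a tree of wrapper scripts, not a parser, and the same trailing-colon hazard applies to PATH and to any other colon-separated search list a script builds the same way.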

Gentoo 201412-09 racer-bin, fmod, PEAR-Mail, lvm2, gnucash, xine-lib, lastfmplayer, webkit-gtk, shadow, PEAR-PEAR, unixODBC, resource-agents, mrouted, rsync, xmlsec, xrdb, vino, oprofile, syslog-ng, sflowtool, gdm, libsoup, ca-certificates, gitolite, qt-creator 2014-12-11
Mandriva MDVSA-2010:193 qt-creator 2010-10-03


Page editor: Jake Edge

Copyright © 2010, Eklektix, Inc.