Read previous: Attack vectors on mobile devices: Symbian mobile security
Having overviewed Symbian OS security scheme, Tam Hanna now focuses on Android and iOS security models’ peculiarities, and speaks on mobile reporting issue.It’s time for Android which runs under slogan: ‘Android is open’, but it’s not only open for development – it’s also open for dangerous code. Android is essentially a huge Java virtual machine. As you can see here, there is the core operating system, the kernel running a virtualization system called Dalvik, and Dalvik runs a bunch of applications (see image).
And the problem is that the applications are written in Java, and Java is very easy to decompile. So if you look for some popular application, you find fifty versions of the same application by different vendors, which have been cloned by simply decompiling the Java code, adding some ad code to change the string of the ad, and re-uploading the application to the website. And even if the Google market bans me, I don’t really care because there are 50,000 other stores where I can give my applications away for free.Android has a security model as well, but the Android security model is different from the Symbian security model in that there is no testing house of some kind which would be responsible for granting the certificate, but rather that each and every user himself decides if he wants to grant permission or not. So basically, every person decides for himself for his own phone. As you see here, if you download the application, it shows you a list of what the application wants to do (see image).
The attack scheme for attacking an Android phone is always the same. Every Android virus follows this scheme: it gets onto a phone by social engineering usually, or by masquerading as a legitimate application; and then it either sends data to the master or calls a premium-rate number.
There is one pretty funny example called DroidKungFu. DroidKungFu abuses the Android security model. How does it do it? It takes place when an update comes, it’s typical for Microsoft. Who of you recently received the Skype update for Android from Microsoft? The thing is this: after you got the update, you suddenly got ads. Microsoft slipped the ads onto your phone during the update, because most people just see the arrow: ’12 updates are available’, and they click: ‘Get all’. And this is what is used by DroidKungFu: you intentionally get an outdated application which then updates itself, and during the update process you don’t get to see the update capabilities.
When DroidKungFu is on the phone, it basically starts sending home data, and now there is a funny thing. DroidKungFu contains an exploit which on some phones gets its root rights, but it does nothing with these root rights. So this is probably an unfinished feature which we will see very soon.
Next stop is Carrier IO. Let’s assume Christo is living in the beautiful United States of America. In the United States of America, the government wants to keep an eye on Christo. And someday, poor Christo runs after me, and I hit him over the head with a beer bottle. And he calls the emergency services: “A shaved monkey just hit me with a beer bottle, help!” And then, a service is activated which is called E9111. The government, the police who takes the call can interact with Christo’s phone to see where he is. Carrier IO was originally intended as a service for the government to track Christo. It was created by a company which was elected as one of the top 15 mobile companies in 2008. The company is also called Carrier IO. It lives on Android, on Blackberry, on Nokia, on iOS, on every phone you have those bastards right from the carrier as a free gift to you.
And the problem is this: their software reports quite a lot. It reports whenever you open an application, when you receive an SMS, if the screen is turned on or off, if the call is received, where you are, and what media you play. For example, in my case they could know that Mr. Hanna often turns on his phone at night, so this means his marriage is not so good, and it means he has insomnia. He listens a lot to DJ Shadow, so this means that his ears are already very damaged. He often receives calls from females who are working in his company, which means that there are too many females in his company and he must be sued for unequal distribution of the jobs, it’s mandatory in Austrian law. And this now sounds crazy.
This is not crazy at all. The data which my phone collects on me is sent via HTTPS to a central portal. And every carrier who has access to this portal can see data on every individual person. So really, he can see that I am using my phone at 2 o’clock at night often. And the point is I cannot opt out of this thing. And just in case anybody of you wonders why the carriers deploy it, they say they need the program to better analyze and understand myself so that they can offer me better products. I’ve got one question: “This stuff has been around for years; why am I less and less happy with every phone I get?”Next stop, we’ve got the only religious sect in mobile – the ‘The Church of Apple’. You know their prophet recently died, so they are really on their way to becoming a church. Most churches, only when their founder dies, become really crazy. So now that Steve Jobs is dead, the situation can become really funny. Well, the simplest way to get a donation from the church is to spam them. If I tell a member of the Apple church that I know something about Apple, they would willingly do anything just to know it first. So I just opened a website with some silly picture of an iPhone (see image), and all the believers click, click, click – ‘Steve Jobs, I pray to you.’ And they click, they click often – and they get a virus. They download a virus, ignoring the security warnings, because it’s Steve Jobs the great God.
There is another beautiful thing, because the Gods of Apple have decided their millions are too silly: if you buy an iPhone – you rent it. You can’t run every app on it. And so there are jailbreaks, where you visit a website and it unlocks your phone. And if any website can get root access, then an evil website can also do so. And now, my idea was – I open the website freelouboutins.com. For the non-females in the room, louboutins are expensive shoes, every female dreams of them. And on freelouboutins.com, you click there and you get the exploit. It would also work with me. But with me it’s much easier – freeredbull.com.
1 – E911 (Enhanced 911) is an example of the modern evolution of telecommunications based system meant as an easy way to link people experiencing an emergency with the public resources that can help