Georgia Weidman, the Founder and CEO of Bulb Security, takes the floor at HITBSecConf2012 Amsterdam to present her research on security details and flaws of the Android permission model.
Cheers everyone to my European debut!
There will be no 0-days in this talk, except one – the 0-day that I came up with last night. I was walking around Amsterdam with some other speakers, and we saw this weird device on the side of the building that kept moving around, and we couldn’t figure out what it was. Of course we googled it to find out what it was, and it actually works with the subway: it talks to these little mirrors on the ground to tell whether the subway has sunk or not, because there used to be a lake here or something, like all of the Netherlands used to be water and they reclaimed it, so, theoretically, at any time the subway could just, like, sink into the sand and it would all be over. So there’s this device that checks to see if it’s sunk a little bit.
So, my 0-day about how you can shut down the subway is, you know, take a little chisel and drag up the mirror and move it up an inch, and it will make the subway completely freak out, I think, and it’ll stop. So you can stop public transportation in Amsterdam with this 0-day that I just dropped. The rest of it we’re just going to talk about is boring old Android stuff.
Alright, I’m Georgia, we’re going to talk about Android, and I have a little company called Bulb Security that does some security things.
So, first off, the first thing I have to do when I do any research is completely discredit everything I do and say it’s completely not worth it, because we’re going to be talking about bypassing the Android permission model, and I’m going to show you that you don’t have to bypass it at all, that the permission model is just so completely flawed, there’s not even any point in bypassing it.
I’m going to show you an app, I’m not going to tell you what it is, but I’m going to read its permissions and you get to guess what it is, and its permissions are kind of scary. So I’m just going to read it right off my phone, actually.
Alright, the permissions that this app asks before its install are the following: it wants access to my personal information, it wants to read my contact data so it can see everyone I have stored in there, including my work contacts, and this doesn’t just include the phonebook, it’ll include all of my email settings as well. So, if you have this synced with your work contacts, it can see all of them, see their email addresses, phone numbers, names, company affiliation, any data that’s actually stored on the phone.
It can also write this information: for instance, it can overwrite your boss’ contact with its own email address, so that then all your emails to your boss with, for instance, your reports in them, like a new version of your pen test report for company ABC, are now going to someone else. That’s not a problem, no…
It also wants this thing called ‘Services that cost you money’. Generally, that tips me off: it might be a little bit scary if it’s going to cost me money. It wants to be able to send SMS messages under that heading, so it wants to be able to send text messages; it can still send them if I’m in Amsterdam, and it’s going to cost me 10 cents a text message. I got a very ‘nice’ text message from my phone provider that said: “You’ve already spent 50 dollars”, and I’ve only been here for a couple of hours, so, yeah, I should stop playing with my data so much when I’m roaming. But it can send text messages on my behalf; it can also send them when I’m in Amsterdam; it can send them to 900 numbers that cost more money; it can send them wherever it wants and they won’t show up in my Sent folder, so I have no idea they were sent at all.
It also wants access to my GPS location, so when I got lost the other day and I turned on my GPS, the app on my phone that asked for this could now see that I am, in fact, in Amsterdam and not at home, so good time to rob my house, right? I’m not there and my phone knows it.

It wants access to my messages, it wants to edit SMS – so, read my text messages, change them. It also wants to be able to receive them. Oddly enough, with Android, if you have the permission to receive SMS, you can receive them before the actual text message app does. So you can keep users from ever seeing their text messages at all, which is a good way to run a botnet, I think; if you’re at all familiar with my work, that’s my big thing – the SMS botnets. So it’s a good way to run a botnet, just intercept people’s text messages, and they give you exclusive permission to do so, so you’re not even doing anything wrong.
It also wants access to my accounts. It can access an account authenticator, so it can log into any other account I have on here. Since it’s an Android, it has my Gmail, of course, and anything else I have on here, like, for instance, Twitter – I love Twitter, so it can log on to Twitter for me.
It can also manage those accounts, so theoretically it can actually log me out of my account, it can change my password and make it so that only the phone can get on my Twitter ever again, and that would make me really sad: I don’t know about you, but I think I would just die if I lost access to my Twitter.
It wants to be able to modify and delete USB storage contents, so it can read anything from the SD card and it can delete it for me. That might be a good thing. I don’t know if you guys over here so much as we in America like to take pictures of ourselves being drunk and stupid on our phones and then post them online. There is actually a start-up in California right now that the whole idea of the app is they’re going to delete your pictures for you, like, after an hour, so there are none of these incriminating pictures on your phone, so that might actually be a good thing, the one permission right there that will delete incriminating pictures of you doing stupid things in Amsterdam, like drinking onstage, hey!

Let’s see, it wants to make phone calls, it wants to read the phone state and identity. The phone state and identity – that’s when the users go: “What does that even mean?” But that actually is the personal identification number, it wants to read your IMEI, so it’s a unique number to your phone, and a lot of developers use that as a way to uniquely identify you with the server, which you could think of as uniquely identifying you based on your credit card number. That sounds like such a great idea, doesn’t it? We don’t want that going back and forth to the server, but that’s a cool thing to do with Android, so a lot of apps ask for that and theoretically none of them should.
It wants to prevent my phone from sleeping. If any of you have Androids, you would see why keeping the phone from sleeping might be a bad thing; it runs down your battery; and battery is god in Android.
It wants to write my sync settings, so next time I plug it into the computer, I might have a little surprise coming.

And then the final one: it wants network communication; it wants to be able to talk to the Internet.
Anybody want to guess what app this is? (See image) May I introduce you to the absolutely most popular Android download of all times? Facebook for Android. That’s a lot of permissions. See, I’ve had Facebook forever; I was in college when Facebook first came out. You had to have a college, like, .edu email address. I love Facebook, but my Facebook on my computer has one of those permissions: ability to talk to the Internet, none of the other ones. It works great and people love it, and they just made billions of dollars, so why do they have all these?
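The permission walk-through above is what a reviewer does by hand from the install screen. The following script is an added editorial example, not part of Weidman's talk and not Facebook's manifest: it reads an app's AndroidManifest.xml, sorts the requested permissions under the same risk headings she reads out (the grouping is this example's own assumption, not an official Android classification), and separately flags any broadcast receiver registered for `SMS_RECEIVED` with a priority set, which is the manifest footprint of the "receive SMS before the messaging app does" behaviour the talk describes. The manifest below is a constructed sample.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Assumption: this grouping follows the install-screen headings read out in
# the talk; Android itself does not publish it in this form.
RISK_GROUPS: Dict[str, set] = {
    "personal information": {"android.permission.READ_CONTACTS",
                             "android.permission.WRITE_CONTACTS"},
    "services that cost you money": {"android.permission.SEND_SMS",
                                     "android.permission.CALL_PHONE"},
    "your location": {"android.permission.ACCESS_FINE_LOCATION",
                      "android.permission.ACCESS_COARSE_LOCATION"},
    "your messages": {"android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS",
                      "android.permission.WRITE_SMS"},
    "your accounts": {"android.permission.GET_ACCOUNTS",
                      "android.permission.MANAGE_ACCOUNTS",
                      "android.permission.USE_CREDENTIALS",
                      "android.permission.AUTHENTICATE_ACCOUNTS"},
    "storage": {"android.permission.WRITE_EXTERNAL_STORAGE"},
    "phone calls / identity": {"android.permission.READ_PHONE_STATE"},
    "system tools": {"android.permission.WAKE_LOCK",
                     "android.permission.WRITE_SYNC_SETTINGS"},
    "network communication": {"android.permission.INTERNET",
                              "android.permission.ACCESS_NETWORK_STATE"},
}


def _attr(el: ET.Element, name: str):
    """Read an android:-namespaced attribute (android:name, android:priority)."""
    return el.get("{%s}%s" % (ANDROID_NS, name))


def requested_permissions(manifest_xml: str) -> List[str]:
    """Every <uses-permission android:name=...> declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [_attr(el, "name") for el in root.iter("uses-permission") if _attr(el, "name")]


def sms_receivers(manifest_xml: str) -> List[Tuple[str, int]]:
    """(receiver name, intent-filter priority) for each receiver of SMS_RECEIVED.

    SMS_RECEIVED is an ordered broadcast on Android of the talk's era, so a
    receiver whose priority exceeds the messaging app's is handed the message
    first; a non-zero priority here is the thing an auditor wants to see.
    """
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            if SMS_RECEIVED_ACTION in actions:
                found.append((_attr(receiver, "name"), int(_attr(flt, "priority") or 0)))
    return found


def audit(manifest_xml: str) -> dict:
    """Bucket requested permissions by risk heading and report SMS receivers."""
    groups: Dict[str, List[str]] = {}
    unclassified: List[str] = []
    for perm in requested_permissions(manifest_xml):
        for group, members in RISK_GROUPS.items():
            if perm in members:
                groups.setdefault(group, []).append(perm)
                break
        else:
            unclassified.append(perm)
    return {
        "groups": {g: sorted(v) for g, v in groups.items()},
        "sms_receivers": sms_receivers(manifest_xml),
        "unclassified": sorted(unclassified),
    }


# Constructed sample manifest (not any real app's).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for group, perms in report["groups"].items():
        print("%-30s %s" % (group, ", ".join(perms)))
    for name, prio in report["sms_receivers"]:
        print("SMS_RECEIVED receiver %s at priority %d" % (name, prio))
    if report["unclassified"]:
        print("unclassified:", ", ".join(report["unclassified"]))
```

The manifest inside a built APK is binary-encoded; run this on the decoded XML (the output of a resource decoder such as apktool, or the project source) rather than on the raw file. A permission that lands in "unclassified" is not safe, only unlisted here; the groups cover the headings the talk walks through.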