Tagged: android

What Can Android Learn From Symbian's Security Model?

More bad news for Android owners. A huge Russian malware operation is infecting Android apps in the the Google Play Store. The malware - hopefully now removed - hijacks your personal details, and sends premium rate text messages to drive profits for its owners.

Nasty.

This is the price we pay for Android's open access policy. iPhone users can smirk all they want - but I like being able to run anything I desire on my phone, rather than be restricted to the puritanical walled garden of Apple's App Store.

The late lamented Symbian OS did many things wrong - but it had an interesting approach to keeping users secure from malicious apps.

The first time an app wanted to access a feature - like Internet, SMS, phonebook - the phone would prompt the user to grant the app permission.

Symbian Internet PermissionSymbian Internet Permission 2Symbian Secure Connection prompt

Now, the Symbian model wasn't without flaws. It would often forget that you'd granted an app permission or repeatedly ask annoying questions.

Is this what is needed for Android? the first time an app tries to access, say, the dialer - should Android say "Are you sure you want Angry Birds to make a phone call?"

Or, should Android take a leaf out of BlackBerry 10? When installing the app, the user can choose whether to grant certain permissions.

Finally, what about personal responsibility? The Android permission model is quite opaque to most users, it's true, but there are some basic precautions users can take.

I was recently hit by a "drive by installation". A malicious website automatically downloaded an app to my Android phone. When I clicked on it to install, this is what I got:

Legit App Permissions

If you think a Battery app needs all those permissions... I'm not sure encasing you in bubble-wrap is enough to keep you safe from yourself!

The price of freedom is eternal vigilance. Android needs to do more to allow users to enjoy their freedom.

Going down the Symbian path of insisting every app be signed by a third party and repetitively interrupting the user is probably not the right way to do things. What is clear from the current crop of malware is that simply telling the user of the permissions an app is requesting at installation time is insufficient.

Until Google makes things better for its users, it's worth installing an app like Permissions Denied which will allow you to see which apps have more access than they need - and restrict them if necessary.

Aggressively Defensive Programming

How much checking do we perform that our code is running as intended?

I found a curious bug this weekend, which made me think about some of the assumptions that we use when programming.

Imagine sorting an array using JavaScript.

var arr = [10, 5, 66, 8, 1, 3];
  1. arr.sort();

So far, so normal. Create an array of numbers, then sort that array. The result should always be [1, 3, 5, 8, 10, 66].

Would we ever need to do this?

if (arr[0] < arr[5]) {
  1.    // Do something
  2. } else {
  3.    // THIS SHOULD NEVER HAPPEN!
  4.    laws_of_physics_violated(arr);
  5. }

Sorting an array in this way should never trigger an existential crisis. But suppose it did.

A Brief Word on Android Fragmentation

Android fragmentation has never really bothered me. It's usually a case of sensibly designing a UI to flow correctly and checking the capabilities of a device. No more complex than designing for the web.

This weekend, my father and I spent the weekend building our first joint Android app - First Bid Bridge - it's a simple enough app that we decided to use a WebView and write the game logic in JavaScript.

All was going well until I tested the game on my Dad's phone. It didn't work. All the answers it produced were completely at odds with the answers on my phone.

Welcome To Facebook?

We tried this on every old phone I could find. Android 1.6, 2.3, 4.2 - they all worked. iPhone, Maemo, BlackBerry - hell, even my Internet TV worked flawlessly.

Painstakingly crawling through the logic, I found the problem. A "sorted" array was reversed on his phone! (Galaxy Ace running 2.3.6 for those who want to know.)

Diagnosing

Our app looks at a hand of cards. We split the hand into suits (Spade, Hearts, Diamonds, Clubs). We record how many cards are in each suit.

We then sort the hand by length - if two of the suits have the same length, they are sorted in the order Spades > Hearts > Diamonds > Clubs.

JavaScript allows us to define our own sorting function. Here's ours (in simplified form)

First, we sort by length:

suitsArray.sort(function(x, y)
  1. {
  2.  var o1 = x["length"];
  3.  var o2 = y["length"];
  4.  return o2-o1;
  5. });

Then, we sort by suit order (if the lengths are the same):

suitsArray.sort(function(x, y)
  1. {
  2.  var length1 = x["length"];
  3.  var length2 = y["length"];
  4.  
  5.  if (length1 == length2)
  6.  {
  7.   var suit1 = x["suit"];
  8.   var suit2 = y["suit"];
  9.  
  10.   if(suit1 == "spades")
  11.   {return false;}
  12.  
  13.   if(suit1 == "hearts")
  14.   {return false;}
  15.  
  16.   if(suit1 == "diamonds")
  17.   {return false;}
  18.  
  19.   return true;
  20.  }
  21. });

In every device I tried, this sort worked perfectly. Except on my dad's $@*&ing phone. ARGH! What was even worse, is that we were an hour's journey away from each other, so I couldn't debug on the device.

So, that's where I came up with the idea of Aggressively Defensive Programming. It may not be an original idea - but this is how it works.

Trust, but verify

"Доверяй, но проверяй" as the Russians would say.

Assume that your computer is crazy, possessed, or being zapped by cosmic radiation and check its compliance every step of the way.

Essentially, after every operation, you should verify that the operation has worked. In this case, we did this (simplified):

  1. // The above sort
  2.  
  3. if ((arr[0]["length"] == arr[1]["length"]) && (arr[1]["suit"] == "spades")) {
  4.    // Dammit!
  5.    // Sort the array manually
  6. } else {
  7.    // Carry on as normal
  8. }

Where Should This Be Used

There are four main scenarios where it makes sense to programs defensively.

  1. Your code has a real impact on human health (aeroplane, nuclear reactor, medical device).
  2. The computer you're running on is in a harsh environment and therefore liable to unpredictable behaviour (Mars Rover)
  3. A multithreaded environment where your code cannot lock resources for itself.
  4. You are running on an untrusted computer i.e. one other than your own.

For most of us, the first three are unlikely to trouble us. But the final one is interesting. Almost every piece of code we write will be run on a 3rd party's computer. One over which we have very little control.

But that's what we do when we release apps - or run websites. The code we have lovingly crafted is being run on machines which may have all manner of quirks.

How aggressive should we be with our defences? Do we assume that built in functions work - and only check ones we've written ourselves?

In Principia Mathematica Bertrand Russell famously provided proofs such as "1+1=2".
Principia_Mathematica_theorem_54-43

Is that what we need? Mathematically verify every computer our code runs on? That may be overkill. But I'm starting to come round to the idea of verifying every operation - even if just to throw an exception rather than proceeding in an error prone state.

I leave you with an instructional extract from Douglas Adam's Mostly Harmless:

On board the ship, everything was as it had been for millennia, deeply dark and Silent.

Click, hum.

At least, almost everything.

Click, click, hum.

Click, hum, click, hum, click, hum.

Click, click, click, click, click, hum.

Hmmm.

A low level supervising program woke up a slightly higher level supervising program deep in the ship's semi-somnolent cyberbrain and reported to it that whenever it went click all it got was a hum.

The higher level supervising program asked it what it was supposed to get, and the low level supervising program said that it couldn't remember exactly, but thought it was probably more of a sort of distant satisfied sigh, wasn't it? It didn't know what this hum was. Click, hum, click, hum. That was all it was getting.

The higher level supervising program considered this and didn't like it. It asked the low level supervising program what exactly it was supervising and the low level supervising program said it couldn't remember that either, just that it was something that was meant to go click, sigh every ten years or so, which usually happened without fail. It had tried to consult its error look-up table but couldn't find it, which was why it had alerted the higher level supervising program to the problem .

The higher level supervising program went to consult one of its own look-up tables to find out what the low level supervising program was meant to be supervising.

It couldn't find the look-up table .

Odd.

It looked again. All it got was an error message. It tried to look up the error message in its error message look-up table and couldn't find that either. It allowed a couple of nanoseconds to go by while it went through all this again. Then it woke up its sector function supervisor.

The sector function supervisor hit immediate problems. It called its supervising agent which hit problems too. Within a few millionths of a second virtual circuits that had lain dormant, some for years, some for centuries, were flaring into life throughout the ship. Something, somewhere, had gone terribly wrong, but none of the supervising programs could tell what it was. At every level, vital instructions were missing, and the instructions about what to do in the event of discovering that vital instructions were missing, were also missing.

Small modules of software - agents - surged through the logical pathways, grouping, consulting, re-grouping. They quickly established that the ship's memory, all the way back to its central mission module, was in tatters. No amount of interrogation could determine what it was that had happened. Even the central mission module itself seemed to be damaged.

This made the whole problem very simple to deal with. Replace the central mission module. There was another one, a backup, an exact duplicate of the original. It had to be physically replaced because, for safety reasons, there was no link whatsoever between the original and its backup. Once the central mission module was replaced it could itself supervise the reconstruction of the rest of the system in every detail, and all would be well.

Robots were instructed to bring the backup central mission module from the shielded strong room, where they guarded it, to the ship's logic chamber for installation.

This involved the lengthy exchange of emergency codes and protocols as the robots interrogated the agents as to the authenticity of the instructions. At last the robots were satisfied that all procedures were correct. They unpacked the backup central mission module from its storage housing, carried it out of the storage chamber, fell out of the ship and went spinning off into the void.

This provided the first major clue as to what it was that was wrong.

Further investigation quickly established what it was that had happened. A meteorite had knocked a large hole in the ship. The ship had not previously detected this because the meteorite had neatly knocked out that part of the ship's processing equipment which was supposed to detect if the ship had been hit by a meteorite.

New! Samsung Security Flaw - Disable Lockscreen - Total Control

I have discovered another security flaw in Samsung Android phones. It is possible to completely disable the lock screen and get access to any app - even when the phone is "securely" locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing.

Video.

Of course, if you are unable to download a screen unlocker, this security vulnerability still allows you to dial any phone number and run any app!

HOWTO

  1. From the lock screen, hit the emergency call button.
  2. Dial a non-existent emergency services number - e.g. 0.
  3. Press the green dial icon.
  4. Dismiss the error message.
  5. Press the phone's back button.
  6. The app's screen will be briefly displayed.
  7. This is just about long enough to interact with the app.
  8. Using this, you can run and interact with any app / widget / settings menu.
  9. You can also use this to launch the dialler.
  10. From there, you can dial any phone number (one digit at a time) and place a phone call.
  11. With Google Play, you can search for apps using the voice interface.
  12. You can download apps from the app store which will disable the screen lock.

Impact

This does not occur on stock Android from Google. This flaw only seems to be present on Samsung's version of Android. I have only tested it on a Galaxy Note II running 4.1.2 - I believe it should work on Samsung Galaxy SIII. It may work on other devices from Samsung.

My test phone was running 4.1.2 with the Touchwiz launcher from Samsung.

Defending Against This Attack

Until Samsung release a patch, the only way this can be defended against is by completely removing the Samsung firmware and replacing it with a 3rd party ROM.
This ROM for the Galaxy S III claims to have fixed the problem.
I'm sure there will be ROMs for other Galaxy devices in due course.

UPDATE 2013-03-20T16:54:12+00:00

YouTube user "bicecream88" has alerted me to a way to partially defend against this attack.
By disabling your screen animations, it is possible to reduce the amount of time the screen is displayed.

Settings -> Developer Options -> Window animation scale -> off

Repeat for Transition animation scale and Animator duration scale.

The vulnerability is still present - but you need to be a lot quicker in order to exploit it.

Responsible Disclosure

I reported this flaw to Samsung in late February. They are working on a patch which they assure me will be released shortly.
I have delayed public disclosure of this vulnerability. I also asked if they wanted me to delay publication until a patch was ready - however they declined this offer.

If you discover a security issue with Samsung's mobile products, I strongly encourage you to email m.security AT samsung.com

They will provide their PGP public key if you wish to ensure your communications with them are secure.

Thanks

My thanks to Thang Chien of Vietnam, who first demonstrated a variant of this flaw in January.

Thanks also to David Rogers, Marc Rogers, Alec Muffett, and Glyn Wintle for their wisdom and advice around the subject of responsible disclosure. Any faults with this disclosure are mine and mine alone.

Samsung Lock Screen Security Flaw

Here's a rather nifty security flaw I discovered on Samsung's Android 4.1.2. It allows you - in limited circumstances - to run apps and dial numbers even when the device is locked.

Video:

This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed.

Notes

HOWTO

  1. Lock the device with a "secure" pattern, PIN, or password.
  2. Activate the screen.
  3. Press "Emergency Call".
  4. Press the "ICE" button on the bottom left.
  5. Hold down the physical home key for a few seconds and then release.
  6. The phone's home screen will be displayed - briefly.
  7. While the home screen is displayed, click on an app or a widget.
  8. The app or widget will launch.
  9. If the widget is "direct dial" the phone will start ringing.

Limited Scope

It's true, this attack is of limited value. That's one of the reasons why I've disclosed it.

Making a call relies on the phone having a direct dial widget on the home screen.

Running the apps is also of limited use - they go into the background immediately. If the app performs an action on launch (like recording from the microphone, switching on the flash, playing music, interacting with a server) that action will occur.

There is also the privacy concern that an attacker could see what apps you have installed on your homescreen - or see your calendar / emails if you use a widget which displays them.

Rapidly tapping the home button will - depending on your launcher - allow you to see what is on every home screen. Using an external video camera you should be able to clearly see all the user's calender & email widgets if they have enabled them.

Target

I've only tried this on one class of handset. Galaxy Note II N7100. Running 4.1.2 - the latest UK variant.
The two devices both ran the stock launcher and lock screen.
One device was rooted - the other was factory fresh.

I have not tested on any other devices.

Defending Yourself

This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed.

Your options are:

  • Do not use direct dial widgets on your homescreen.
  • Remove any calendar or email widgets which may show sensitive information from your homescreens.
  • Ensure that any apps which you do have on your homescreens do not automatically cost you money or act maliciously when launched.
  • Use an app locker to prompt for a password when apps are launched.
  • Changing to a different launcher will not protect you.
  • Using a 3rd party lock screen will not protect you if it accesses the emergency dialer.

Responsible Disclosure

Samsung don't have a dedicated responsible disclosure team. Nor do they offer a bug bounty.
The nearest I've found is this unlisted email address.


i don't find this anywhere publicly, but actually #samsung's mobile devision has a #security point of contact by now: samsung.com">m.security@samsung.com
12/09/2012 21:34 via webReplyRetweetFavorite
@iamnion
Nico Golde

I spoke to several external security people, and Samsung relationship managers within the industry, who have raised the issue directly with Samsung. I also tried emailing Samsung directly. I know that people within Samsung have been made aware of this bug.

Despite that, five days later, and Samsung's security team have not made any contact with me to discuss this bug or its disclosure.
I wonder if this is typical of Samsung's attitude towards their customers and the industry in general? Do they believe that if they ignore problems, they will disappear?

Conclusion

Samsung have a really poor record on Android security. Avoid purchasing their phones at all costs.

Chrome For Android Font Rendering Bug

The latest version of the Chrome Browser for Android has introduced a curious rendering bug.

When scrolling, I notice that the font hinting seems to break down. This makes the text very "juddery". It looks like the fonts shrink and grow and they scroll. This is very disorienting when reading.

In this example I've noticed that once I've stopped scrolled the page, the fonts are hinted differently.

1
2
3

I've enlarged the examples (without interpolation) so you can see them a bit more clearly.
1 Big
2 Big
3 Big

To give you a good idea of what's happening, I've magnified the letter "e" (again, without interpolation). You can quite clearly see what happens to the font.
e

I can understand why the font hinting changes as the scrolling occurs - but why does it change even after scrolling has finished?

All screenshots taken on an N7100 running 4.1.2 with the latest version of Chrome for Android. The Galaxy Note II has a fairly standard resoltion of 1280×720, giving it 267 PPI - that shouldn't cause any problems.

This issue has been reported to the Chromium team.