Intents android

android 5.1  Date: 2021-02-14
Android Security Analysis Final Report
Michael Peck, Gananand Kini, Andrew Pyles
March 2016
Sponsor: NSA
Dept. No.: J83H
Contract No.: W56KGU-14-C-0010
Project No.: 0715N6CZ-AA
The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision, unless designated by other documentation.
Approved for public release; distribution unlimited. 16-0202
©2016 The MITRE Corporation. All rights reserved.
MTR150440
MITRE TECHNICAL REPORT
Approved By: Christine Alicea, Project Leader
Date

Table of Contents
1 Introduction
2 Addressing Android App Vulnerabilities with the Android Lint Checker
2.1 App Data-in-Transit Vulnerabilities due to Insecure Certificate Validation or Hostname Validation
2.2 App Data-at-Rest Vulnerabilities due to Insecure File Permissions
2.3 Broadcast Receiver Vulnerabilities
2.4 Best Practices for Native Code
2.5 Demonstrating Effectiveness of Lint Checks
2.5.1 MITRE Secure Code Review Practice
2.5.2 F-Droid
2.6 Applying Lint Checks without Source Code Access
3 Enhancing Android OS Platform Security
3.1 Data-in-Transit Vulnerabilities
3.1.1 Certificate Pinning Manifest Attribute
3.1.2 Manifest Attributes to Prevent Overriding X509TrustManager and HostnameVerifier
3.2 Data-at-Rest Vulnerabilities due to Insecure File Permissions
3.3 Mitigations for Platform Exploitation Techniques
3.3.1 Preventing Dynamic Code Execution
3.3.1.1 Android WebView
3.3.1.2 ART
3.3.1.3 Dynamic Bytecode Execution
3.3.2 Limiting Privileges of the System User id
3.4 KeyChain Improvements
4 Conclusion and Potential Future Work
5 References
Appendix A Using the New Lint Checks
Appendix B Demonstration Application
Appendix C Android Runtime (ART) Additional Discussion
C.1 ART Background
C.2 JIT Compilation in ART
C.2.1 Motivation
C.2.2 Security Risks
Appendix D Memory Mapping Examples
D.1 Memory Mappings of Chrome App
D.2 Memory Mappings of Application Using WebView

List of Figures
Figure 1: Example Lint Output Reporting a Vulnerable HostnameVerifier Implementation
Figure 2: Spoofed SMS Intent Example
Figure 3: Example of a Malicious App Downloading and Executing Exploit Code after Installation
Figure 4: Example of Using the KeyChain to Select a Key
Figure 5: Memory Mappings of Chrome App
Figure 6: Memory Mappings of Audible App
1 Introduction

According to recent worldwide sales figures reported by Gartner [1], Android is the most popular operating system (OS) when considering all general-purpose computing platforms (smartphones, tablets, laptops, and PCs). Mobile OSes such as Android introduce new security architectures designed with the experience of past lessons learned from traditional computing platforms. Most notably, Android provides a sandbox for applications (hereinafter "apps") which isolates app data and code execution from other apps [2]. Android places security controls on allowed interactions between apps, and between each app and underlying device resources. The Android security architecture is designed to provide protection from malicious app behaviors, and to increase resilience to prevent or minimize the impact of exploitation of security vulnerabilities. By default, apps cannot access data stored by another app, and are restricted from interfering with the behavior of another app. Apps must request permission to access device capabilities such as the microphone, camera, or physical location services, such as Global Positioning System (GPS). Apps also must request permission to access sensitive information repositories such as contact lists. Apps are also limited in their ability to access other underlying device resources and services. Every app must include a manifest file (AndroidManifest.xml) that defines the app's permissions and other important properties. The contents of the manifest file are read and enforced by the Android OS.

Nevertheless, opportunities for exploiting app security vulnerabilities exist. Several types of vulnerabilities are commonly found in Android apps. These vulnerabilities, when present, can be exploited by resident malicious apps or by network-based attackers. Additionally, malicious apps may attempt to exploit Android platform vulnerabilities as a means of bypassing Android's sandbox protections.

This report describes the results of our research efforts to mitigate these issues by:
- Developing static analysis checks that allow app developers, security analysts, and app store operators to identify and eliminate common Android app vulnerabilities.
- Enhancing the Android OS to prevent common vulnerabilities from being exploited, to prevent use of common malicious app attack patterns, and to improve the security services provided to apps.

Our static analysis checks have been merged into the Android Open Source Project's lint tool. They are present in the Android Studio 2.0 beta release and in the current beta release of the Android Plugin for Gradle. Our contribution has been noted in the Android Security Acknowledgements web page [46].

Enterprises are investing significant resources in app vetting personnel, tools, and techniques to determine whether apps are safe to deploy on their devices. Stronger understanding of the sandbox protections provided by the Android OS, and improvements to those protections where appropriate, will enable enterprises to efficiently allocate and prioritize their limited vetting resources based on the security protections already provided by the underlying device platform.
2 Addressing Android App Vulnerabilities with the Android Lint Checker

The Android Open Source Project includes a free, open source Software Development Kit (SDK) typically used by software developers to create Android apps. The SDK contains a code scanning tool called lint [3]. Lint scans app code using defined rules and alerts the developer to potential issues (including, but not limited to, security issues). Lint is integrated into Android Studio and Eclipse, the primary graphical environments used by Android app developers. Lint is also integrated into command-line Android app development tools such as gradle and ant. Thus, placing checks for common app security vulnerabilities in lint enables developers to easily identify and correct security mistakes up-front in the app development lifecycle, minimizing security risks and costs. Lint can also be used by security assessors who have access to source code.

We developed several new lint checks, discussed below, for common app security vulnerabilities. Our checks were accepted by the Android Open Source Project and are included in the Android Studio 2.0 beta release and in the current beta release of the Android Plugin for Gradle used by the Android SDK when compiling apps from the command line. Appendix A provides historical information, no longer needed, describing how to compile the checks as custom rules and incorporate them into the lint tool as a plugin. Appendix B provides details of an app with deliberately introduced vulnerabilities that we used to demonstrate the lint checks.

Figure 1 shows an example of output from the lint tool reporting a vulnerable HostnameVerifier implementation (as described below in Section 2.1.1). In this example, the lint tool's HyperText Markup Language (HTML) output is shown. Lint can also output EXtensible Markup Language (XML) or plain text.

Figure 1: Example Lint Output Reporting a Vulnerable HostnameVerifier Implementation
2.1 App Data-in-Transit Vulnerabilities due to Insecure Certificate Validation or Hostname Validation

Numerous efforts have documented common failures by Android apps to properly check X.509 certificates while establishing Secure Socket Layer (SSL) and Transport Layer Security (TLS) sessions, making the network connections susceptible to man-in-the-middle (MITM) attacks:
- Fahl, et al. [4] statically analyzed 13,500 popular free apps from the Google Play Store and found that 1,074 apps contain SSL specific code that either accepts all certificates, or accepts all hostnames for a certificate, and thus are vulnerable to MITM attacks. They performed a manual audit of 100 apps and found that 41 of those 100 were vulnerable to MITM attacks.
- Sounthiraraj, et al. [5] statically analyzed 23,418 apps from the Google Play Store to similarly search for TrustManager and HostnameVerifier issues, finding 1,453 potentially vulnerable apps. They applied dynamic analysis to those apps and confirmed 726 to be vulnerable to MITM attacks.
- FireEye [6] reviewed "the 1,000 most-downloaded free apps in the Google Play Store as of July 17, 2014." They found that of the 614 apps that use SSL/TLS to communicate with a remote server, 448 use TrustManagers that do not properly check certificates, and 50 use HostnameVerifiers that do not properly check hostnames.
- Montelibano and Dormann [7] dynamically analyzed 1,000,500 Android apps using the CERT Tapioca tool, finding TLS-related vulnerabilities in 23,667 of the apps.

Additionally, as described by Grace et al. [8], network communications are in some cases used by apps to dynamically download new code for the app to execute. Grace et al. found this behavior in advertising libraries embedded into mobile apps, meaning that the app developer may not even be aware of the functionality and its potential security impact. Successful MITM attacks could provide remote code execution ability, as demonstrated by Ryan Welton of NowSecure against a keyboard app running with system-level privileges on many Samsung devices [9].

Android's standard TLS library uses implementations of the X509TrustManager Java class to perform certificate validation. By default, an OS-provided X509TrustManager class is used, but apps have the ability to define and use their own X509TrustManager. For example, app developers commonly, and legitimately, provide their own X509TrustManager to implement certificate pinning. Certificate pinning is the practice of defining a restricted list of trusted certificate authorities (CAs) for the app's network connections rather than trusting all of the CAs in the default Android trust store. While this can prevent MITM attacks due to malicious certificates issued by rogue or compromised CAs, the risk of implementation mistakes increases when developers provide their own X509TrustManager instead of using the platform default implementation.

Similarly, Android's standard TLS library uses implementations of the HostnameVerifier Java class to ensure that the hostname asserted by the other endpoint's X.509 certificate matches the expected value. By default, an OS-provided HostnameVerifier is used, but apps have the ability to define and use their own HostnameVerifier. Just as with X509TrustManager, the risk of implementation mistakes increases when developers provide their own HostnameVerifier implementation rather than use the platform default implementation.

To guard against the use of X509TrustManager and HostnameVerifier implementations that bypass the desired security checks, we wrote 4 lint checks targeting trust management functionality:
- We wrote a lint check that identifies insecure X509TrustManager implementations whose checkServerTrusted or checkClientTrusted methods do nothing, thus causing any presented certificate chain to be trusted [10].
- Acting on the suggestion of a Google engineer who reviewed our lint checks, we additionally also wrote a lint check for use of SSLCertificateSocketFactory.getInsecure(), which returns an SSLSocketFactory with certificate checks disabled [11].
- We wrote a lint check that identifies insecure HostnameVerifier implementations whose verify method always returns true, thus trusting any hostname and making the connection susceptible to MITM attacks [12].
- We also wrote a lint check for use of SSLCertificateSocketFactory.createSocket() with an InetAddress (an IP address) as the first parameter rather than a DNS name, disabling hostname verification [11].
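The two implementation patterns that the trust-management lint checks flag, beside the form a pinning X509TrustManager should take (delegate chain validation to the platform default, then restrict to the pinned keys). This is an added illustration, not code from the report or from the lint checks themselves; the pin set passed to PinningTrustManager and the use of HttpsURLConnection are assumptions for the example.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TlsTrustExamples {

    // ---- The patterns the Section 2.1 lint checks report --------------------

    // Empty checkServerTrusted/checkClientTrusted: every presented chain,
    // including one forged by a MITM, is accepted (lint id TrustAllX509TrustManager).
    static final class TrustAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // verify() always true: a valid certificate for any other host is accepted
    // for this connection (lint id BadHostnameVerifier).
    static final class AcceptAllHostnameVerifier implements HostnameVerifier {
        @Override public boolean verify(String hostname, SSLSession session) { return true; }
    }

    // ---- The hardened form: platform validation first, pinning second -------

    /**
     * Pins are hex SHA-256 digests of the DER-encoded SubjectPublicKeyInfo of a
     * CA or leaf certificate. Pinning only narrows what the platform default
     * trust manager already accepted; it never replaces that validation.
     */
    static final class PinningTrustManager implements X509TrustManager {
        private final X509TrustManager platformDefault;
        private final Set<String> spkiPinsHex;

        PinningTrustManager(Set<String> spkiPinsHex) throws Exception {
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);  // null = the platform's default trust store
            X509TrustManager found = null;
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
            }
            if (found == null) throw new IllegalStateException("no platform X509TrustManager");
            this.platformDefault = found;
            this.spkiPinsHex = spkiPinsHex;
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // 1. Path building, signatures, expiry: done by the platform.
            platformDefault.checkServerTrusted(chain, authType);
            // 2. At least one certificate in the validated chain must match a pin.
            for (X509Certificate cert : chain) {
                if (spkiPinsHex.contains(sha256Hex(cert.getPublicKey().getEncoded()))) return;
            }
            throw new CertificateException("no certificate in chain matched a configured pin");
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            platformDefault.checkClientTrusted(chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return platformDefault.getAcceptedIssuers();
        }
    }

    static String sha256Hex(byte[] data) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
            StringBuilder sb = new StringBuilder(digest.length * 2);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new AssertionError("SHA-256 is mandatory in every Java runtime", e);
        }
    }

    /** Install the pinning trust manager; the platform HostnameVerifier is left in place. */
    static HttpsURLConnection openPinnedConnection(java.net.URL url, Set<String> pins)
            throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(pins) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no setHostnameVerifier(...): the default verifier checks
        // the certificate's names against url.getHost().
        return conn;
    }
}
```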
2.2 App Data-at-Rest Vulnerabilities due to Insecure File Permissions

Each Android app has its own internal storage directory. Linux file permissions are supposed to prevent apps from reading or writing files in another app's internal storage directory. However, an app may inadvertently set its file permissions to world-readable or world-writable, allowing other apps to read or manipulate the app's private files. For example, file permission vulnerabilities were identified in the Skype app for Android in 2011 [13]. Skype stored sensitive information including account information and contact list information as both world-readable and world-writable. More recently, NowSecure identified apps that store their own executable code with world-writable permissions [14], allowing a malicious app to overwrite the executable code and achieve the ability to execute malicious code with the privileges of the vulnerable app.

The Android SDK deprecated the ability for apps to use the Android MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE flags to set insecure file permissions, and strongly discourages this practice in the Android developer documentation. Lint checks already exist to detect use of these flags by app developers, but do not cover all of the applicable methods. We expanded the coverage of the MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE lint checks [15], and additionally introduced checks for use of the java.io.File.setReadable() and java.io.File.setWritable() methods [16], which can also be used in Android to set file permissions.
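The weak file-mode calls described above beside the private form, plus a runtime audit an app can run over its own internal storage to find anything left world-accessible. This is an added example, not code from the report; the file name "token" and the use of android.system.Os for the mode bits are choices made for the illustration.

```java
import android.content.Context;
import android.system.ErrnoException;
import android.system.Os;
import android.system.OsConstants;
import android.util.Log;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public final class PrivateFileExamples {
    private static final String TAG = "PrivateFileExamples";

    // The weak forms. MODE_WORLD_READABLE / MODE_WORLD_WRITEABLE are deprecated
    // and reported by lint; File.setReadable(true, false) reaches the same
    // world-readable result through java.io.File, which the expanded checks
    // in Section 2.2 now also cover.
    static void writeTokenInsecurely(Context ctx, String token) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput("token", Context.MODE_WORLD_READABLE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
        File f = new File(ctx.getFilesDir(), "token");
        f.setReadable(true, /* ownerOnly= */ false);  // rw-r--r--: any app can read it
    }

    // The corrected form: MODE_PRIVATE yields rw------- owned by the app's uid.
    static void writeTokenPrivately(Context ctx, String token) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput("token", Context.MODE_PRIVATE)) {
            out.write(token.getBytes(StandardCharsets.UTF_8));
        }
    }

    /**
     * Defensive audit: walk the app's internal storage and report entries whose
     * mode grants read, write or execute to "other". Uses android.system.Os.stat
     * (API 21+) so the real mode bits are examined; java.io.File.canRead() only
     * answers for the calling uid and would not reveal them.
     */
    static List<String> findWorldAccessible(File root) {
        List<String> findings = new ArrayList<>();
        audit(root, findings);
        return findings;
    }

    private static void audit(File f, List<String> findings) {
        try {
            int mode = Os.stat(f.getAbsolutePath()).st_mode;
            boolean r = (mode & OsConstants.S_IROTH) != 0;
            boolean w = (mode & OsConstants.S_IWOTH) != 0;
            boolean x = (mode & OsConstants.S_IXOTH) != 0;
            if (r || w || x) {
                findings.add(f.getAbsolutePath() + " other=" + (r ? "r" : "-")
                        + (w ? "w" : "-") + (x ? "x" : "-"));
            }
        } catch (ErrnoException e) {
            Log.w(TAG, "stat failed for " + f + ": " + e.getMessage());
        }
        File[] children = f.listFiles();
        if (children != null) for (File c : children) audit(c, findings);
    }

    /** Remediation for a regular file: drop every permission for group and other. */
    static boolean makeOwnerOnly(File f) {
        // setReadable(false, false) clears the bit for everyone, then
        // setReadable(true, true) restores it for the owner only; same for write.
        return f.setReadable(false, false) && f.setReadable(true, true)
            && f.setWritable(false, false) && f.setWritable(true, true)
            && f.setExecutable(false, false);
    }
}
```

Running findWorldAccessible(ctx.getFilesDir()) after writeTokenInsecurely reports the token file with other=r--; after writeTokenPrivately it reports nothing.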
2.3 Broadcast Receiver Vulnerabilities

Android provides Intents as a means of communication between applications. An Intent can be used to invoke an Android Activity, Service, or BroadcastReceiver. An Intent can be declared as either explicit or implicit. An explicit Intent declares the destination application and component within that application. An implicit Intent does not declare an exact destination, but rather declares an action string and other information. Potential destination applications declare Intent filters in their AndroidManifest.xml file for the types of Intents they would like to receive. The Android OS uses this information to determine which destination components to deliver an implicit Intent to. Android apps can define BroadcastReceiver components to receive and act upon broadcast intent messages sent from the Android OS or from other installed Android apps.

We wrote lint checks to identify two common BroadcastReceiver vulnerabilities [17].

The first check identifies broadcast receivers that declare an Intent filter for a protected-broadcast action string but fail to actually check the action string in received broadcast Intents. Intents containing protected-broadcast action strings can only be sent by Android OS components, not by third-party apps. However, if the receiver simply assumes that the received broadcast intent contains the protected-broadcast action string without actually checking, then as described by Chin et al. [18], a malicious third-party app can inject its own broadcast intent into the broadcast receiver. This issue likely originates due to app developers mistakenly believing that intent-filters declared in their app manifests act as a security mechanism, when in reality intent-filters are only used by Android to resolve the destination of implicit Intents. Intent senders can use explicit Intents to attempt to deliver Intents to any destination regardless of intent-filter.

The second check identifies broadcast receivers that declare an intent-filter for the SMS_DELIVER or SMS_RECEIVED action string but fail to ensure that the sender holds the BROADCAST_SMS permission. In these cases, a malicious third-party app can potentially inject broadcasts into the vulnerable app that would then be treated as if they were Short Message Service (SMS) messages received by the device [19]. This issue was mitigated beginning in Android 6.0 by adding the action strings to the protected-broadcast action string list [20] (however, if the receiver does not check the sender's permission, then it must be sure to check the received intent's action string).
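The SMS receiver pattern the second check flags, beside the hardened receiver that both requires BROADCAST_SMS of the sender (in the manifest, or as the permission argument to registerReceiver) and verifies the action string before trusting the payload. This is an added example, not code from the report or its demonstration app; the class names and the logging are illustration choices.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.provider.Telephony;
import android.telephony.SmsMessage;
import android.util.Log;

/*
 * Manifest declaration for the hardened receiver. android:permission makes the
 * system deliver the broadcast only if the sender holds BROADCAST_SMS, a
 * signature-level permission that ordinary third-party apps cannot obtain.
 *
 *   <receiver android:name=".SmsReceiverExamples$SmsReceiver"
 *             android:exported="true"
 *             android:permission="android.permission.BROADCAST_SMS">
 *       <intent-filter>
 *           <action android:name="android.provider.Telephony.SMS_RECEIVED" />
 *       </intent-filter>
 *   </receiver>
 */
public final class SmsReceiverExamples {
    private static final String TAG = "SmsReceiverExamples";

    // The vulnerable pattern: the receiver assumes anything reaching onReceive
    // is an SMS_RECEIVED broadcast. With no android:permission on the receiver
    // and no action check, an explicit Intent from any installed app is handled
    // as though it were a message delivered by the radio.
    public static final class VulnerableSmsReceiver extends BroadcastReceiver {
        @Override public void onReceive(Context context, Intent intent) {
            showMessages(intent);
        }
    }

    // The hardened pattern: sender permission is enforced by the manifest entry
    // above, and the receiver still verifies the action, so a spoofed explicit
    // Intent is dropped even on releases where SMS_RECEIVED is not yet a
    // protected broadcast.
    public static final class SmsReceiver extends BroadcastReceiver {
        @Override public void onReceive(Context context, Intent intent) {
            if (!Telephony.Sms.Intents.SMS_RECEIVED_ACTION.equals(intent.getAction())) {
                Log.w(TAG, "dropping broadcast with unexpected action: " + intent.getAction());
                return;
            }
            showMessages(intent);
        }
    }

    /** Runtime registration: the third argument is the permission the sender must hold. */
    static void registerAtRuntime(Context context, BroadcastReceiver receiver) {
        IntentFilter filter = new IntentFilter(Telephony.Sms.Intents.SMS_RECEIVED_ACTION);
        context.registerReceiver(receiver, filter,
                "android.permission.BROADCAST_SMS", /* scheduler= */ null);
    }

    private static void showMessages(Intent intent) {
        if (!intent.hasExtra("pdus")) return;  // not an SMS payload at all
        SmsMessage[] messages = Telephony.Sms.Intents.getMessagesFromIntent(intent);
        if (messages == null) return;
        for (SmsMessage msg : messages) {
            Log.i(TAG, "from " + msg.getOriginatingAddress() + ": " + msg.getMessageBody());
        }
    }
}
```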
2.4 Best Practices for Native Code

As a best practice, apps should place their native shared libraries in the "lib" directory within the app package. The Android package manager extracts these files into an app library directory in /data/app-lib that apps themselves cannot write to, forcing code updates to be distributed as updated app packages rather than permitting apps to directly modify their own code. The ability for apps to update their own code is an attack vector that has been observed in malicious apps and also a source of app security vulnerabilities, for example as described by [14].

Apps can use either the load method or the loadLibrary method (in either the java.lang.Runtime class or the java.lang.System class) to load native code. The load method takes in an absolute path, allowing apps to load native code from any location. The loadLibrary method simply takes the library name itself and will only load libraries from authorized locations (the platform library locations /system/lib and /vendor/lib and the app's library directory in /data/app-lib). We proposed a lint check to identify calls to java.lang.Runtime.load() and java.lang.System.load() and recommend the use instead of java.lang.Runtime.loadLibrary() and java.lang.System.loadLibrary() [50]. We additionally proposed a lint check to identify the presence of native code in the assets and res app build directories and recommend that the native code instead be placed so that it gets bundled into the compiled app package's lib directory.

These best practices, if followed by app developers, could improve the feasibility of removing the ability for apps to execute code in their internal storage directories in a future Android release. Our recommendations for this are described in more detail in Section 3.3.1.
2.5 Demonstrating Effectiveness of Lint Checks

The following sections discuss the effectiveness of the Android lint checks that we created for this effort.

2.5.1 MITRE Secure Code Review Practice

MITRE's Secure Code Review Practice analyzes software code for security flaws at the request of MITRE project leaders. We applied the Android lint tool, including our new checks, to three Android apps submitted for code review in 2015 and 2016. Lint enabled us to identify a number of security issues that we subsequently reported to the developers.

2.5.2 F-Droid

F-Droid [21] is a repository of open source Android apps. In April 2015, we ran the Android lint tool against 981 apps obtained from the repository.¹ Our new lint checks at the time (we developed additional checks since) identified potential security issues in 127 of the 981 apps. The combination of our lint checks and the security checks already included in the Android lint tool identified potential security issues in 568 of the 981 apps.

As an example, we identified a BroadcastReceiver vulnerability in an app that displays received SMS messages. The app does not verify that the sender holds the BROADCAST_SMS permission. The app also does not check that the received broadcast intent actually contains the android.provider.Telephony.SMS_RECEIVED action string. As shown in Figure 2, we were able to demonstrate using a malicious app to inject a spoofed SMS into the vulnerable app, which caused the SMS to be displayed to the user.

Figure 2: Spoofed SMS Intent Example
2.6 Applying Lint Checks without Source Code Access

We demonstrated a limited ability to apply the Android lint tool to compiled Android app packages (.apk files), rather than just on apps for which source code is available. Android lint checks primarily analyze either Java source code files (.java files), compiled Java bytecode (.class files), app manifest files (AndroidManifest.xml) or a combination of the three.² Without source code access, we could run the lint checks that operate on compiled Java bytecode or app manifest files and obtain output, but the checks that operate on Java source code files obviously do not produce any results since no Java source code files are available in this case.

In July 2015, we ran the Android lint tool (using the pre-existing security checks in the lint tool as well as the subset of our checks that were ready for use at the time) on 1726 Android app packages obtained from the Google Play Store. These were gathered from the top free 100 apps in each of the Play Store's 20 categories; some apps were in multiple categories or failed to download. We identified potential vulnerabilities in a large number of apps, including:
- Potential Transport Layer Security vulnerabilities (842 apps)
- Does not declare allowBackup in the manifest. Defaults to true, perhaps unintentionally allowing the app's internal data to be backed up over USB using 'adb backup' (664 apps)
- BroadcastReceiver can potentially receive spoofed system broadcasts (417 apps)
- App was published with debug capabilities enabled (156 apps)
- BroadcastReceiver can potentially receive spoofed SMS broadcasts (36 apps)

Further detailed examination would be needed to determine if any of the potential vulnerabilities are actually exploitable.

Unfortunately, Android Studio's lint integration does not support the use of Java bytecode-based lint checks, which has led Google to move towards the use of Java source code-based lint checks and away from the use of Java bytecode-based lint checks. This practice will limit the effectiveness of applying the lint tool to compiled Android app packages.

Google takes steps of its own to assess the security of apps in the Google Play Store, likely by applying its own internal static analysis checks to compiled Android app packages. If issues are found, Google provides notifications to developers of the affected apps [59][42][43][44].

¹ F-Droid contained 1671 applications at the time of our analysis. We were only able to get 981 applications to successfully compile and provide lint output, so only those 981 applications were included in our analysis.
² Lint checks can also analyze application resource files as well as any arbitrary file within the application build directory.
3 Enhancing Android OS Platform Security

In the following section, we discuss changes that we proposed to the Android OS to make the platform more secure.

3.1 Data-in-Transit Vulnerabilities

A common security issue found in network communication of Android apps is communicating in cleartext rather than cryptographically protecting network communication using TLS or a similar protocol. Android 6.0 introduced the usesCleartextTraffic manifest attribute³ [22][23]. The attribute currently defaults to true, but when set to false declares the app developer's intention that the app should not perform any cleartext network communication. The Android OS will then make a best-effort attempt to prevent the app from using cleartext protocols such as HyperText Transfer Protocol (HTTP) rather than a cryptographically protected protocol such as HTTP Secure (HTTPS). The manifest attribute is enforced by Android's built-in network communication libraries. If apps themselves were to bundle in their own network communication implementations, the attribute would not necessarily be enforced.

Motivated by usesCleartextTraffic, we proposed several additional manifest attributes, detailed below. Google and the Android Open Source Project did not accept our proposals, responding that they already had an effort underway to provide similar capabilities. Their initial proposal was posted to their public code review system in early November 2015 [24], well after we had initiated our own investigations, and has since been included in the Android N Developer Preview as the Network Security Configuration feature [57][58].
3.1.1 Certificate Pinning Manifest Attribute

Inspired by previous work done by Tendulkar and Enck [25], we proposed [26] a cert-pin manifest attribute to enable app developers to declare certificate pins that should be used for TLS-protected network connections made by the app. As described above, app developers currently must write a custom X509TrustManager to implement certificate pinning. By allowing developers to specify certificate pins in the manifest and having those be automatically used by Android's built-in TLS implementation, developers would no longer need to write a custom X509TrustManager, eliminating a potential source of security bugs. Additionally, it is much simpler for security assessors to audit the manifest attribute contents than to audit the application source code or compiled bytecode.

Android currently includes certificate pinning support, but it (until the Android N Developer Preview) only supports a system-wide certificate pin list, can only be updated by an authorized entity such as Google, and does not allow per-app modifications to the list.⁴ Our implementation built upon this already existing certificate pinning support but extended it to be customizable on a per-app basis.

³ Apple iOS 9, released around the same time as Android 6.0, added a similar new feature called App Transport Security that defaults to requiring all application network communication use HTTPS with TLS 1.2 and specific cipher suites (cryptographic algorithms). Unlike Android 6.0, Apple iOS 9's default behavior is to enable the feature.
⁴ Nikolay Elenkov provides a detailed description of Android's built-in certificate pinning functionality here: http://nelenkov.blogspot.com/2012/12/certificate-pinning-in-android-42.html (accessed 30 July 2015), with the caveat that his statement that "the standard checkServerTrusted() method doesn't consult the pin list" is no longer accurate. The checkServerTrusted() method in the default X509TrustManager does now use the pin list.
3.1.2 Manifest Attributes to Prevent Overriding X509TrustManager and HostnameVerifier

As previously described, custom X509TrustManager implementations are a common source of security vulnerabilities. We proposed an allowTLSTrustManagerOverride manifest attribute with an initial default value of true. When the variable is set to false, the app is declaring that it does not intend to override the Android platform's default TLS TrustManager implementation used to verify server certificates. The Android platform's TLS library will then ignore attempts by the app to override the TrustManager. This is a best-effort mechanism that would only be effective for apps that use Android's built-in TLS implementation, although third-party implementations could also choose to honor the flag. We implemented this attribute, modified Android's conscrypt library to make use of it, and demonstrated its effectiveness with a proof-of-concept app.

We additionally proposed a similar manifest attribute allowTLSHostnameVerifierOverride with an initial default value of true [28]. When false, the app is declaring that it does not intend to override the Android platform's default TLS HostnameVerifier implementation used to verify server hostnames. The Android platform's built-in library will then ignore attempts by the app to override the HostnameVerifier.
3.2 Data-at-Rest Vulnerabilities due to Insecure File Permissions

As previously described, Android apps may inadvertently set file permissions to world-readable or world-writable, potentially placing sensitive data at risk of being read or manipulated by other apps. Security-Enhanced Linux (SELinux) mandatory access control policies can be used to prevent apps from reading/writing to the internal storage directory of other apps, regardless of file permissions, while still allowing Android's preferred methods of sharing data between apps such as ContentProvider to be used. However, adding SELinux policies introduces compatibility concerns for any apps that depend on the ability to set file permissions.

In an effort to improve app security while addressing the compatibility concerns, we proposed a new isolatedAppData app manifest attribute [29] to provide app developers with the ability to opt-in to have these stricter policies applied upon their apps. The attribute declares whether the platform should prevent read and write access to the app's internal data storage directory by other apps and also prevent the app from reading or writing to other apps' internal data storage directories regardless of assigned file permissions. The attribute's default value is false, but the default could be changed to true (or better yet, forced to true) in a future Android API level after providing app developers adequate warning and time to adjust their apps. We implemented this SELinux opt-in approach by appending a ":isolated" suffix to the app's seinfo string within the Android OS. The seinfo string is used by Android to determine what SELinux domain the app will be executed in and what domain will be used for the app's internal storage directory and files.

Unfortunately, our isolatedAppData app manifest attribute was not accepted. In January 2016, we proposed an alternate approach that, without introducing a new manifest attribute, could be used to automatically apply the policy based on the app manifest's targetSdkVersion field. We proposed a minTargetSdkVersion input selector be added for use in the seapp_contexts file [62]. The seapp_contexts file, part of the device SELinux policy configuration, determines the SELinux domain and related policy configuration to be applied to each Android app based on the app's properties. The minTargetSdkVersion input selector could be used to phase in new SELinux policies for apps by giving app developers an opportunity to make any needed compatibility changes to their apps before updating each app's targetSdkVersion field in the app's AndroidManifest.xml. The targetSdkVersion field is used by the app developer to specify, for compatibility purposes, the highest version of Android (by API level) that the developer has tested the app with [60]. This general pattern has been used in the past for Android security improvements that could affect app compatibility. For example, Android ContentProviders used to be exported (made available for use by other apps) by default, but this behavior was changed for apps with a targetSdkVersion of 17 or higher [61].
3.3 Mitigations for Platform Exploitation Techniques

In this section, we discuss techniques that a malicious user can employ to exploit the Android platform, and our recommended mitigations.

3.3.1 Preventing Dynamic Code Execution

A number of app vetting services exist that attempt to analyze Android app behavior for malicious activities, the most well-known being the Google Bouncer service used to assess apps that are submitted to the Google Play Store. Malicious apps can evade app vetting by dynamically downloading and executing malicious code at execution time, for example as illustrated in Figure 3 below. Since the malicious code is not included in the app package that went through the vetting process, it likely will escape detection. This approach was suggested and demonstrated by Jon Oberheide [30], and described by Poeplau et al. [31]. A real-world example of this technique was found in materials allegedly leaked in July 2015 from Hacking Team, an Italian company that provides "easy-to-use offensive technology to the worldwide law enforcement and intelligence communities". These leaked materials contained source code for an Android app that Hacking Team apparently placed in the Google Play Store, which downloads and executes platform exploit code after installation [32]. Maier et al. also describe their success using these techniques [33].

Figure 3: Example of a Malicious App Downloading and Executing Exploit Code after Installation

As a best practice, Android apps should place native shared libraries in the lib directory within the app package. At installation time, the Android package manager extracts these shared libraries into an app library directory in /data/app-lib that apps themselves cannot write to. This approach forces code updates to be distributed as app package updates, preventing apps from directly modifying their own code and enabling code review by app stores. However, nothing currently prevents Android apps at execution time from downloading native code, writing the code to a storage directory that the app has write permission to (such as the app's internal data storage directory), and then executing the code.⁵ SELinux mandatory access control policies can be added that block apps from having execute permission over any location that they can write to, forcing the developer to bundle executable code with the distributed app package where it is more feasible to inspect. In the master development branch of the Android Open Source Project, this policy was recently put in place for platform apps (apps signed by the vendor), but not yet for third-party apps, likely due to compatibility concerns.

We believe the compatibility concerns are well-founded. In March 2014, we downloaded 2420 of the most popular free Android apps from the Google Play Store, chosen by selecting the top 100 free apps in each of the Play Store's 27 categories (some apps were listed in multiple categories and some apps failed to download). We found that 71 of the apps contained at least one native executable or shared library bundled in the app package in a directory other than lib, meaning they would likely be incompatible with this proposed policy. Other apps would be incompatible as well (but harder to detect with solely static checks) if they download or extract and then run executable code at run-time.

We proposed introducing an opt-in Android app manifest attribute preventDownloadExecution with a default value of false [34]. When set to true, the Android app is declaring to the platform that it does not intend to execute app-writable files, and the platform would execute the app in a SELinux context that prohibits execution of app-writable files. The manifest attribute could be used as part of app inspection (for instance, by Google Bouncer or by an enterprise vetting system) to determine the potential risk level of the app and the rigor of evaluation that should be applied. The manifest attribute could also be phased in to potentially be true by default (or better yet, forced to always true) in a future Android release after giving app developers time to adjust their practices. Unfortunately, just as with our proposed isolatedAppData app manifest attribute discussed previously in Section 3.2, our proposal was not accepted. We submitted a new proposal in January 2016 to make use of our minTargetSdkVersion proposal described in Section 3.2 to phase in the stricter SELinux policy based on the targetSdkVersion declared in each app's AndroidManifest.xml [63] instead of defining a new manifest attribute. Copperhead Security, a company developing an open source hardened Android distribution, has noted that this proposal, along with our proposal described in Section 3.2, "would be major game changers for the app security model" [51].

⁵ Similarly, applications could also place native code in other locations within their application package, such as the resource or assets directory, in an obfuscated or encrypted form, and then extract and execute the code at runtime.

Even if apps are prevented from having execute privilege over app-writable files, apps still have the ability to map memory as both writable and executable, another vector allowing them to execute dynamic code. Copperhead Security proposes addressing this gap by adding W^X memory protections (requirements that the same memory regions cannot be both writable and executable) to Android using the PaX MPROTECT feature, roughly equivalent to removing SELinux execmem permission. Unfortunately, enforcing W^X memory protections upon apps (whether using PaX MPROTECT, removing SELinux execmem permission, or another approach) introduces compatibility issues due to the use of just-in-time (JIT) compilation in the Android OS and potentially by apps themselves. Android's Dalvik runtime, used until Android 4.4, regularly performs JIT compilation during app execution of each app's architecture-independent Dalvik code into optimized native code. Starting with Android 4.4, Android switched from Dalvik to the Android Runtime (ART). ART implements ahead-of-time (AOT) compilation, compiling portions of the app bytecode into optimized native code at app install time instead of at app runtime, partly alleviating the need to allow apps to map memory regions as both writable and executable. Unfortunately, two main challenges continue to exist that prevent broad removal of execmem privilege from apps:
- Android's WebView capability, commonly used by apps, includes its own JIT compiler for optimizing web page JavaScript execution.
- ART still includes a JIT compiler that could potentially be invoked under some conditions.

Additionally, apps may include their own JIT compilation implementations.
3.3.1.1 Android WebView

Android WebView provides the capability to embed basic web browsing capabilities into Android apps. Android WebView is built from Chromium, Google's open source web browser, and includes a JIT compiler to optimize web page JavaScript execution. As shown in Appendix D.2, any app that uses WebView with JavaScript support enabled needs to have the ability to map memory as both writable and executable, making such an app incompatible with stronger executable memory protections.

Copperhead Security addressed this compatibility issue in its open source hardened Android distribution by automatically scanning apps for calls to setJavaScriptEnabled() and, if found, exempting the app from PaX MPROTECT [35]. However, we do not think this approach is practical for mainstream apps. We surveyed 1726 of the top free Google Play Store apps (the top 100 apps in each of the Play Store's 20 categories, only counting apps once that are in more than one category, and minus apps that failed to download). We observed references to android.webkit.WebView in 1572 out of the 1726 apps. JavaScript is not enabled in WebView by default, but 1518 of the apps call android.webkit.WebSettings.setJavaScriptEnabled(). Many of these calls were found in app development frameworks such as Adobe AIR that are bundled into the app, making it unclear whether each app's running functionality actually uses WebView (or JavaScript within the WebView). Regardless, Copperhead Security's current approach would exempt almost all popular apps from its executable memory protections, severely decreasing the value of those protections.

WebView (and its JIT compiler) run with the privileges of the calling app. WebView uses a single process model to perform all actions including web page rendering and JavaScript interpretation [36]. The Chrome app for Android, which shares the same underlying Chromium code since Android 4.4, takes a different approach. The Chrome app uses Android's isolatedProcess feature to run its JIT compiler (and other web page rendering processing) in a separate process with its own SELinux security context (isolated_app). In the case of the Chrome app, it appears to be feasible to impose executable memory protections upon the main app, allowing an exception only for the isolated rendering process. As shown in Appendix D.1, only the Chrome processes running in the isolated_app security context appear to map memory pages as both writable and executable. Since the isolated rendering process runs with very limited privileges, the potential harmful impact of an attacker taking advantage of its lack of executable memory protections would be limited.

We recommend exploring the feasibility of adopting Chrome's isolated process model for Android WebView, so that JIT compilation is isolated into its own process running with a very limited security context. This approach would require adopting the multi-process model used by the Chrome Android app into WebView. Alternatively, the performance impact of removing JIT compilation from WebView could also be explored. If WebView's JavaScript performance is not severely impacted by removal of JIT compilation capabilities, then we would recommend removing it in order to improve the feasibility of enforcing stricter executable memory protections. Until the current implementation of JIT within WebView is addressed, we do not believe it is practical to impose executable memory protections onto arbitrary Android apps.
3.3.1.2 ART

As described above, ART primarily performs ahead-of-time compilation of app bytecode into native code at app installation time and OS upgrade time, partly alleviating the need for apps to map memory regions as both writable and executable. However, for performance reasons, ART does not always actually compile all code ahead-of-time. Optimization options passed into the dex2oat command allow tradeoffs between compiling all, some, or none of the code ahead-of-time. By default, ART uses an interpreter to execute bytecode that has not been compiled ahead-of-time. Interpreters do not present a conflict with executable memory protections. However, ART still includes an optional JIT compilation capability, which does conflict with executable memory protections. It appears that JIT compilation in ART is currently only enabled by default in Android engineering builds (special debug builds of the OS), so does not present a current concern, but would present a concern if ART's default behavior is changed in the future. Additional details are provided in Appendix C. The Android N Developer Preview documentation describes changes in this area [64]. We have not examined the changes in detail or analyzed the impact.
3.3.1.3 Dynamic Bytecode Execution

Even if dynamic execution of native code from outside the system or app's library directories were to be blocked using SELinux policies, apps could still dynamically download and execute Dalvik bytecode through DexClassLoader. Apps could also embed their own interpreters directly into the app. The potential impact is unclear. Privilege escalation exploits appear to generally require native code execution capability. Further work is needed to assess the potential threats posed by bytecode.
3.3.2 Limiting Privileges of the System Userid

Many access control checks throughout the Android OS solely check that the caller holds the system (1000) Linux user id (uid). The system uid is used by numerous Android services and privileged platform apps. Currently, gaining malicious code execution as the system uid is disastrous to the overall security of the device, despite the movement of many of these system components into their own SELinux domains. Changing these access control checks to instead use SELinux provides the ability to institute finer-grained checks. It also provides improved visibility into and the ability to centrally audit security policies.

As an example, the Android KeyChain service checks that the caller holds the system uid before allowing it to perform certain privileged operations. In reality, most of these privileged operations only need to be callable by the DevicePolicyManagerService (which runs within the system_server domain), with a few operations that additionally may be called by the com.android.settings and com.android.certinstaller apps. We submitted a proposal to the Android Open Source Project to perform SELinux access control checks for these operations, along with SELinux policies granting the appropriate accesses to system_server, com.android.settings, and com.android.certinstaller [45]. Our proposal is still under consideration. This model could be applied to strengthen access control checks across the Android OS.
3.4 KeyChain Improvements

The Android OS provides a KeyChain service [37][38] used to securely store private keys and make them available for use by installed apps. When available, devices can use hardware-backed security capabilities such as Trusted Execution Environments (TEEs) or Trusted Platform Modules (TPMs) to protect the private keys from disclosure, even if the Android OS is compromised. Figure 4 provides an example screenshot of the strongSwan IPsec Virtual Private Network (VPN) Client app requesting access to use a key stored in the KeyChain.

Figure 4: Example of Using the KeyChain to Select a Key

Unfortunately, Android currently does not provide API calls to generate keys within the KeyChain, forcing the keys to be generated elsewhere and imported in, unnecessarily increasing the risk of exposure of private keys. We developed new calls to Android's DevicePolicyManager, the API used by mobile device management systems, to enable the ability to generate key pairs within the Android KeyChain, obtain a certificate from a PKI, and place the issued certificate into the KeyChain. When these calls are used, the private key never exists outside of the Android KeyChain. We submitted our patches to the Android Open Source Project where they are currently under consideration [39].

We extended Google's Android BasicManagedProfile sample app to demonstrate using our proposed Android Open Source Project enhancements. We embedded Cisco's open source libest library and estclient example app binaries into our app. Our app calls our proposed DevicePolicyManager.generateKeyPair() method to generate a key pair within the KeyChain, obtains the public key, calls estclient to connect to Cisco's Enrollment over Secure Transport (EST, IETF RFC 7030) test server to obtain a certificate, and calls our proposed DevicePolicyManager.setCertificate() method to place the issued certificate into the KeyChain. We are then able to demonstrate the use of the generated key pair and issued certificate with KeyChain-aware apps such as the Chrome web browser and the strongSwan Internet Protocol Security (IPsec) VPN client. We made our example app available as an open source project on GitHub [40].
4 Conclusion and Potential Future Work

Our work demonstrated the ability to improve the security of the Android platform by adding static analysis checks to the tools regularly used by Android app developers in order to help developers identify and correct vulnerabilities up-front in the app development lifecycle, and by building upon Android's security architecture to reduce or eliminate at the operating system level the potential impact of common app vulnerabilities and malicious behaviors.

We recommend continued efforts to contribute security-related static analysis checks to the Android Open Source Project's lint tool used by Android Studio and the Android Software Development Kit. Additionally, we recommend providing tools within the development environment to help and encourage app developers to leverage emerging Android platform security features such as the Network Security Configuration feature newly extended in the Android N Developer Preview, which allows app developers to declaratively request certificate pinning and other network security features from the platform without the need to make error-prone security customizations within app source code itself.

We also recommend continued efforts to work with the Android Open Source Project to strengthen the security properties enforced upon apps and reduce the impact of app vulnerabilities and malicious behaviors, whether as default behavior or through interfaces that enable app developers to declaratively state each app's security properties. As these improvements are made, we recommend streamlining enterprise app vetting processes to take into account the security protections provided by the device platform.
5 References

[1] (Viewed 2 July 2015). Gartner Says Tablet Sales Continue to Be Slow in 2015. Gartner. Available: http://www.gartner.com/newsroom/id/2954317
[2] (Viewed 4 November 2015). Security Tips. Google. Available: http://developer.android.com/training/articles/security-tips.html
[3] (Viewed 4 November 2015). Improving Your Code with Lint. Google. Available: http://developer.android.com/tools/debugging/improving-w-lint.html
[4] Fahl et al. (October 2012). Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security. ACM CCS '12.
[5] Sounthiraraj et al. (February 2014). Large Scale, Automated Detection of SSL/TLS Man-in-the-Middle Vulnerabilities in Android Apps. NDSS '14.
[6] (August 2014). SSL Vulnerabilities: Who listens when Android applications talk. FireEye. Available: https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html
[7] Montelibano and Dormann. How We Discovered Thousands of Vulnerable Android Apps in One Day. RSA Conference USA 2015. Available: https://www.rsaconference.com/writable/presentations/file_upload/hta-t08-how-we-discovered-thousands-of-vulnerable-android-apps-in-1-day_final.pdf
[8] M. Grace et al. Unsafe Exposure Analysis of Mobile In-App Advertisements. WiSec '12. Available: http://www4.ncsu.edu/~mcgrace/WISEC12_ADRISK.pdf
[9] (Viewed 6 July 2015). Remote Code Execution as System User on Samsung Phones. NowSecure. Available: https://www.nowsecure.com/blog/2015/06/16/remote-code-execution-as-system-user-on-samsung-phones/
[10] M. Peck. (4 October 2015). Add lint check for insecure X509TrustManager implementations. Android Open Source Project. Available: https://android.googlesource.com/platform/tools/base/+/c660c577ba072bd94dc20c92f28f9d76102530e1
[11] M. Peck. (26 October 2015). Lint checks for insecure use of SSLCertificateSocketFactory. Android Open Source Project. Available: https://android.googlesource.com/platform/tools/base/+/b98fb2952479587aa38b4e260feb2bd454ece3b4
[12] M. Peck. (8 October 2015). Lint check for declaration or use of insecure HostnameVerifier. Android Open Source Project. Available: https://android.googlesource.com/platform/tools/base/+/b669f60e6aded9fb50b9025e56e3a007cc482ad7
[13] J. Case. (14 April 2011). Exclusive: Vulnerability in Skype for Android Is Exposing Your Name, Phone Number, Chat Logs, And a Lot More. Android Police. Available: http://www.androidpolice.com/2011/04/14/exclusive-vulnerability-in-skype-for-android-is-exposing-your-name-phone-number-chat-logs-and-a-lot-more/
[14] J. Van Dyke. (10 August 2015). World Writable Code Is Bad, MMMMKAY. NowSecure. Available: https://www.nowsecure.com/blog/2015/08/10/world-writable-code-is-bad-mmmmkay/
[15] M. Peck. (5 October 2015). Check for calls to getDir with insecure file permissions. Android Open Source Project. Available: https://android.googlesource.com/platform/tools/base/+/3adca6769e92362751721c18c649e9e9c94fbb63
[16] M. Peck. (23 October 2015). Lint checks to identify setting files world-readable or world-writable. Android Open Source Project. Available: https://android.googlesource.com/platform/tools/base/+/87f30697958a693a063169738aa8fb6c369b8a13
[17] M. Peck. (4 October 2015). Add lint checks for insecure broadcast receivers. Android Open Source Project. Available: https://android.googlesource.com/platform/tools/base/+/50bfc95d9945178dc8d3e0112e26c8286d47a1ae
[18] E. Chin et al. Analyzing Inter-Application Communication in Android. MobiSys '11. Available: https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
[19] (6 October 2013). Secured Broadcasts and SMS Clients. The CommonsBlog. Available: https://commonsware.com/blog/2013/10/06/secured-broadcasts-sms-clients.html
[20] A. Mahajan. (26 May 2015). Declare SMS broadcasts as protected to ensure only system apps send those. Android Open Source Project. Available: https://android.googlesource.com/platform/packages/services/Telephony/+/dcec1e1471a1d32918b5a2beb239693708c548e7
[21] (Accessed 9 November 2015). F-Droid. Available: https://f-droid.org/
[22] (Accessed 9 November 2015). android:usesCleartextTraffic. Android Open Source Project. Available: http://developer.android.com/guide/topics/manifest/application-element.html#usesCleartextTraffic
[23] J. Kozyrakis. (17 June 2015). Android M and the war on cleartext traffic. Available: https://koz.io/android-m-and-the-war-on-cleartext-traffic/
[24] C. Brubaker. (23 October 2015). Add initial network security config implementation. Android Open Source Project. Available: https://android-review.googlesource.com/#/c/179902/
[25] V. Tendulkar and W. Enck. (May 2014). An Application Package Configuration Approach to Mitigating Android SSL Vulnerabilities. MoST 2014.
[26] M. Peck. (September 2015). Add ability to declare certificate pins in application manifest. Android Open Source Project. Available: https://android-review.googlesource.com/#/q/Ie357b3e8fd0b5e0f21e1ef9226f94ce945b1cfb8
[27] M. Peck. (October 2015). Add ability to prevent applications from overriding TrustManager. Android Open Source Project. Available: https://android-review.googlesource.com/#/q/If6ab0ab309488926cdde7fd55539bd059eea964d
[28] M. Peck. (October 2015). Add ability to prevent applications from overriding HostnameVerifier. Android Open Source Project. Available: https://android-review.googlesource.com/#/c/173951/
[29] G. Kini. (September 2015). Add app-level isolatedApplicationData manifest attribute. Android Open Source Project. Available: https://android-review.googlesource.com/#/q/I5b9f4f3743f3fa544d14b44ac04549cf87a7ebfe
[30] J. Oberheide. (June 2010). Android Hax. Summercon 10. Available: https://jon.oberheide.org/files/summercon10-androidhax-jonoberheide.pdf
[31] Poeplau et al. (February 2014). Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications. NDSS '14.
[32] Alleged Hacking Team Android source code. (Accessed 9 November 2015). Available: https://github.com/hackedteam/core-android-market and https://github.com/hackedteam/core-android/tree/master/RCSAndroid/jni
[33] Maier et al. (September 2014). Divide-and-Conquer: Why Android Malware cannot be stopped. ARES 2014. Available: https://www1.cs.fau.de/filepool/projects/android/divide-and-conquer.pdf
[34] G. Kini. (September 2015). https://android-review.googlesource.com/#/q/Iacc7a5fd7518fcb92d4b029ed4c97c23950038fb
[35] (25 August 2015). Automated PaX exceptions for WebView JavaScript. Copperhead Security. Available: https://github.com/copperhead/android_frameworks_base/commit/84a0f4e9e312eb0d38e7475853804f99bce35fb5
[36] (November/December 2013). Why does Chromium WebView on Android run in single-process mode? Available: https://groups.google.com/a/chromium.org/forum/#!topic/chromium-dev/7l4l6LZyFxk
[37] (Accessed 9 November 2015). KeyChain. Google. Available: http://developer.android.com/reference/android/security/KeyChain.html
[38] (Accessed 9 November 2015). Android KeyStore System. Google. Available: http://developer.android.com/training/articles/keystore.html
[39] M. Peck. (October 2015). Add ability to generate key pairs within KeyChain. Android Open Source Project. Available: https://android-review.googlesource.com/#/q/If41721a58b0d2fd282d194713b828d78a81217ed
[40] M. Peck. (October 2015). Demonstrate generating key pairs within the Android KeyChain. The MITRE Corporation. Available: https://github.com/mpeck12/android-BasicManagedProfile/tree/keychain
[41] M. Peck. (October 2015). Demonstrate generating key pairs within the Android KeyChain. The MITRE Corporation. Available: https://github.com/mpeck12/android-BasicManagedProfile/tree/est
[42] (25 September 2015). Google Play Warning: SSL Error Handler Vulnerability. GitHub. Available: https://github.com/liveservices/LiveSDK-for-Android/issues/63
[43] (17 July 2015). GmsCore_OpenSSL can provoke app rejected from Google Play with all updated. Stack Overflow. Available: http://stackoverflow.com/questions/31378617/gmscore-openssl-can-provoke-app-rejected-from-google-play-with-all-updated
[44] (28 August 2015). Google Play reminder of deadline for resolving Apache Cordova vulnerabilities. Stack Overflow. Available: http://stackoverflow.com/questions/32273656/google-play-reminder-of-deadline-for-resolving-apache-cordova-vulnerabilities
[45] M. Peck. (November 2015). Use SELinux to perform authorization checks for privileged KeyChain operations. Android Open Source Project. Available: https://android-review.googlesource.com/#/q/I70f3324857cf20ef01d718610d766e8395982ffd
[46] (Accessed 9 November 2015). Android Security Acknowledgements. Android Open Source Project. Available: https://source.android.com/devices/tech/security/overview/acknowledgements.html
[47] F. Chung. (July 2011). Custom Class Loading in Dalvik. Android Developers Blog. Available: http://android-developers.blogspot.com/2011/07/custom-class-loading-in-dalvik.html
[48] (Accessed 9 November 2015). Sample: hello-jni. Android NDK. Available: http://developer.android.com/ndk/samples/sample_hellojni.html
[49] A. Pyles and M. Peck. (November 2015). Code Execution Demonstration App. The MITRE Corporation. Available: https://github.com/mpeck12/custom-class-loader
[50] M. Peck. (November 2015). Lint check to identify calls to Runtime.load() and System.load(). Android Open Source Project. Available: https://android-review.googlesource.com/#/c/179980/
[51] (November 2015). Copperhead Security. Available: https://twitter.com/CopperheadSec/status/663443145095442432
[52] M. Franchin. (22 February 2015). HKG15-300: Art's Quick Compiler: An unofficial overview. Linaro. Available: https://www.youtube.com/watch?v=iho-e7EPHk0
[53] L. Armasu. (4 May 2015). Android Runtime To See Major Performance Boost Thanks to Redesigned Compiler. Tom's Hardware. Available: http://www.tomshardware.com/news/android-runtime-art-optimizing-compiler,29035.html
[54] N. Hajdarbegovic. (May 2015). Brace Yourselves Android Developers, A New Android Compiler Is Coming. Toptal. Available: http://www.toptal.com/android/brace-yourselves-new-android-compiler-is-coming
[55] (Accessed 9 November 2015). Configuring ART. Android Open Source Project. Available: https://source.android.com/devices/tech/dalvik/configure.html
[56] M. Chartier. (17 February 2015). Add JIT. Android Open Source Project. Available: https://android-review.googlesource.com/#/c/123156/
[57] (Accessed 12 March 2016). Network Security Configuration. Google. Available: http://developer.android.com/preview/features/security-config.html
[58] J. Kozyrakis. (15 February 2016). Network Security Policy configuration for Android apps. Available: https://koz.io/network-security-policy-configuration-for-android-apps/
[59] A. Ludwig. (March 2016). Building an Android Scale Incident Response Process. RSA Conference 2016. Available: https://www.rsaconference.com/writable/presentations/file_upload/mbs-r03-building-an-android-scale.pdf
[60] (Accessed 12 March 2016). Android targetSdkVersion documentation. Google. Available: http://developer.android.com/guide/topics/manifest/uses-sdk-element.html#target
[61] (Accessed 12 March 2016). Android provider element documentation. Google. Available: http://developer.android.com/guide/topics/manifest/provider-element.html
[62] M. Peck. (Accessed 12 March 2016). Add minTargetSdkVersion input selector. Android Open Source Project. Available: https://android-review.googlesource.com/#/q/Ib9f6ded9bd2f426861a6d843861b4074084253b0
[63] M. Peck. (Accessed 12 March 2016). Add untrusted_app_legacy domain, make untrusted_app stricter. Android Open Source Project. Available: https://android-review.googlesource.com/#/c/195590/
[64] (Accessed 14 March 2016). Profile-guided JIT/AOT compilation. Google. Available: http://developer.android.com/preview/api-overview.html#jit_aot

Appendix A Using the New Lint Checks

All of our proposed lint checks have now been merged into the Android Open Source Project and included in the current beta releases of Android Studio 2.0 and the Android Plugin for Gradle. This appendix provides historical information on how to separately compile the lint checks and include them in the Android development environment as a jar plugin through the following steps:

1. Download the source code for the desired lint checks from the Android Open Source Project: https://android.googlesource.com/platform/tools/base/+log/studio-master-dev/lint/libs/lint-checks/src/main/java/com/android/tools/lint/checks

2. Place the source code in its own directory tree, e.g. in a directory called "androidlint".

3. Change the package names in the source code to reflect the created directory tree (e.g. change the package entry at the top of each source code file to a value such as "package androidlint;").

4. Create a MyIssueRegistry.java with contents similar to the below, with an entry in the array for each Issue declared in the lint check source code:

    package androidlint;

    import java.util.List;
    import java.util.Arrays;
    import com.android.tools.lint.client.api.IssueRegistry;
    import com.android.tools.lint.detector.api.Issue;

    // Registers each custom detector's Issue so the lint tool can discover it.
    public class MyIssueRegistry extends IssueRegistry {
        @Override
        public List<Issue> getIssues() {
            return Arrays.asList(
                TrustAllX509TrustManagerDetector.ISSUE,
                UnsafeBroadcastReceiverDetector.ACTION_STRING);
        }
    }

5. Compile the lint checks and issue registry, e.g. javac -cp <SDK>/tools/lib/lint-api.jar *.java where <SDK> is the installed location of the Android SDK.

6. Create a MANIFEST.MF file with contents similar to the below:

    Manifest-Version: 1.0
    Lint-Registry: androidlint.MyIssueRegistry

7. Bundle the compiled lint checks, issue registry, and MANIFEST.MF file into a jar file by running: jar cmf MANIFEST.MF custom.jar androidlint/*.class

8. Create an .android/lint directory under the user's home directory and copy the jar file to it, e.g. cp custom.jar /home/<user>/.android/lint/custom.jar on most Linux distributions, or copy custom.jar C:\Users\<user>\.android\lint\custom.jar on Windows.

9. Run lint --list Security and verify that the new lint checks appear in the list. They will now be used by default when running lint from the command line (e.g. with lint or gradlew lint). Unfortunately, additional steps are needed to integrate the lint checks directly into the Android Studio UI.
Appendix B Demonstration Application

We wrote an application based on Google's sample custom class loading app [47] and the hello-jni sample app found in the Android Native Development Kit (NDK) [48] that demonstrates the ability to download and execute Dalvik bytecode and native code from arbitrary websites. The app demonstrates several of the security vulnerabilities that are identified by our Android lint checks and/or are mitigated by our proposed Android OS security enhancements. The app deliberately performs several poor security practices:

- Use of plaintext http rather than https to download code, enabling susceptibility to man-in-the-middle attacks
- Toggle-able ability to use an insecure X509TrustManager that does not validate the server's X.509 certificate when connecting over https, enabling susceptibility to man-in-the-middle attacks
- Toggle-able ability to store downloaded files as world-readable and world-writable, opening the files up to manipulation by other apps installed on the device

More information (including how to compile and use the app) can be found in our GitHub repository [49].
Appendix C Android Runtime (ART) Additional Discussion

C.1 ART Background

In Android 4.4, the Android runtime switched from Dalvik to Android Runtime (ART). Dalvik used a bytecode interpreter along with an always-enabled just-in-time (JIT) compiler. The focus of ART is ahead-of-time (AOT) compilation. With AOT compilation, application bytecode is compiled prior to execution into executable code optimized to the particular device platform. The AOT compilation is accomplished with the dex2oat compiler installed on Android devices, where OAT refers to the file format of the optimized native executable code produced by the compiler. AOT compilation occurs when a new application is installed and can also occur when an operating system update is installed. In the case of a system update where all applications may need to be recompiled, AOT compilation can introduce undesired delays at device boot time, particularly if full optimization is enabled.

Among the various dex2oat compiler options, we focus on two: --compiler-backend and --compiler-filter. The --compiler-backend option refers to either "quick" or "optimized". The default option is "quick". The "optimized" compiler appeared to still be under development and not available for use as of Android versions 5.0-5.1 [52][53][54]. The "quick" compiler has two levels of Intermediate Representations (IR) [52]. The compilation flow goes from dex code to Mid Level IR (MIR), to IR and finally to OAT format. This multi-stage process can have different behavior depending upon the optimization levels (compilation time and disk space are factors) selected. Some optimization levels can potentially result in some methods omitted from the final OAT output.

Additionally, the "quick" compiler has several optimizations that can be fed in through the --compiler-filter options. The options range from no compilation to full compilation that compiles all methods. The "interpret-only" option skips all compilation and relies solely on the interpreter, which is probably the fastest AOT option with respect to installation time. The "everything" option compiles almost all methods including rare methods. The full range of options is described in [55]. The AOT compiler's behavior in ART ranges between a long wait time at app installation and system update time and larger size on disk ("everything") to quick installation with minimal compilation options ("interpret-only"), which largely mimics the older Dalvik behavior. The default option in Android version 5.0 is the "speed" option. This method is designed to "compile most methods and maximize runtime performance" [55].

C.2 JIT Compilation in ART

We observed from the Android Open Source Project source code commit history that just-in-time (JIT) compilation was introduced into ART in February 2015 [56]. JIT compilation is controlled by the dalvik.vm.usejit system property, and is currently only enabled by default in engineering builds (these are special builds not used in production device deployments). The motivation behind the inclusion of a JIT compiler as well as security concerns are addressed in the following paragraphs.

C.2.1 Motivation

The --compiler-filter options within the ART AOT compiler provide a range of behaviors that the ART runtime has to be able to handle. For instance, the runtime behavior for the "interpret-only" option will perform a lot slower than the runtime behavior for the "everything" option. We speculate that the JIT compiler was added to ART to handle these cases where major portions (or all) of the application code were not included in the ahead-of-time compilation. The worst-case scenario for runtime performance presumably would be to run ART with the "interpret-only" flag, which without JIT compilation would require all code to be interpreted at runtime. It seems logical that JIT may also improve the behavior of the default "speed" compilation flag. As described earlier, most methods are compiled, but it is possible that certain "hot" methods which are missed in the AOT compilation phase are called regularly and would benefit from JIT compilation.

C.2.2 Security Risks

Reintroducing JIT into the ART runtime poses some security risks. Use of JIT adds memory mappings with RWX security permissions to every application. It may be possible for an attacker (running within the same application) to locate the RWX memory region and add arbitrary code. We wrote proof-of-concept code that runs as a native library within an Android application. This code (which doesn't need any special permissions) reads from /proc/self/maps and locates the map with RWX permissions. It is then straightforward to locate the JIT mapping and alter it arbitrarily. Additionally, as previously discussed in Section 3.3.1, JIT compilation interferes with the ability to impose executable memory security protections upon applications.
Appendix D Memory Mapping Examples

The below sections provide examples of memory mappings observed in Android apps. These examples are meant to supplement the discussion in Section 3.3.1.

D.1 Memory Mappings of Chrome App

Below in Figure 5, we show the results of examining the memory mappings of the Chrome web browser Android app. The results indicate that the writable and executable mappings are only present in the processes running in the isolated_app security context.

    # ps -Z | grep chrome
    u:r:untrusted_app:s0  u0_a94  2195   263  com.android.chrome
    u:r:isolated_app:s0   u0_i38  5911   263  com.android.chrome:sandboxed_process1
    u:r:isolated_app:s0   u0_i40  6431   263  com.android.chrome:sandboxed_process2
    u:r:untrusted_app:s0  u0_a94  25892  263  com.android.chrome:privileged_process2
    # grep rwx /proc/2195/maps
    # grep rwx /proc/5911/maps
    2700a000-270ff000 rwxp 00000000 00:00 0
    2ba0a000-2ba0b000 rwxp 00000000 00:00 0
    2c30a000-2c3ff000 rwxp 00000000 00:00 0
    2f60a000-2f648000 rwxp 00000000 00:00 0
    37a0a000-37a0b000 rwxp 00000000 00:00 0
    37f0a000-37fff000 rwxp 00000000 00:00 0
    7ab0a000-7ab0b000 rwxp 00000000 00:00 0
    7e20a000-7e2ff000 rwxp 00000000 00:00 0
    7ee0a000-7eeff000 rwxp 00000000 00:00 0
    7f20a000-7f2ff000 rwxp 00000000 00:00 0
    7f90a000-7f9ff000 rwxp 00000000 00:00 0
    8140a000-814ff000 rwxp 00000000 00:00 0
    # grep rwx /proc/6431/maps
    2b10a000-2b10b000 rwxp 00000000 00:00 0
    38e0a000-38eff000 rwxp 00000000 00:00 0
    3b10a000-3b10b000 rwxp 00000000 00:00 0
    3e90a000-3e948000 rwxp 00000000 00:00 0
    7a90a000-7a90b000 rwxp 00000000 00:00 0
    7ea0a000-7eaff000 rwxp 00000000 00:00 0
    80a0a000-80aff000 rwxp 00000000 00:00 0
    # grep rwx /proc/25892/maps
    #

Figure 5: Memory Mappings of Chrome App

D.2 Memory Mappings of Application Using WebView

Below in Figure 6, we show the results of examining the memory regions of the com.audible.application Android app. It uses Android WebView with JavaScript enabled, causing the app to map memory regions as both writable and executable:

    # ps -Z | grep audible
    u:r:untrusted_app:s0  u0_a233  18607  263  com.audible.application
    # grep rwx /proc/18607/maps
    3810a000-3810b000 rwxp 00000000 00:00 0
    38f0a000-38f0b000 rwxp 00000000 00:00 0
    8230a000-8230b000 rwxp 00000000 00:00 0
    8260a000-8266a000 rwxp 00000000 00:00 0
    8560a000-856ff000 rwxp 00000000 00:00 0

Figure 6: Memory Mappings of Audible App
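The following script is an added example, not code from the report or from the AOSP or Copperhead projects. It parses the two listing formats shown in Figures 5 and 6 (ps -Z rows and /proc/<pid>/maps lines) and reports which processes hold mappings that are both writable and executable, treating the isolated_app SELinux context as an accepted exception in the way Section 3.3.1.1 argues the Chrome renderer can be. It is the defender-side counterpart of the /proc/self/maps check described in Section C.2.2: it only reads and classifies mappings, so it can be run as a W^X audit over captured device output. The PIDs, addresses, ps header row and the libc.so path line in the sample data are constructed to mirror the shape of the figures, not values taken from the report.

```python
"""Audit Android process memory maps for writable+executable (W^X) regions.

Added example, not code from the MITRE report.  Parses `ps -Z` rows and
/proc/<pid>/maps lines in the format shown in Appendix D and reports
processes holding RWX mappings outside an allowed set of SELinux contexts.
All sample data below is constructed, not captured from a device.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+(?:\s+(?P<path>\S.*))?$"
)


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_wx(self) -> bool:
        # Writable and executable at once: exactly what W^X enforcement forbids.
        return "w" in self.perms and "x" in self.perms


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text; shell prompts and blank lines are skipped."""
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            maps.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                                m["perms"], m["path"] or "[anon]"))
    return maps


def parse_ps_z(text: str) -> Dict[int, dict]:
    """Parse `ps -Z` rows (LABEL USER PID PPID NAME) into pid -> fields."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2].isdigit():  # drops the header row
            procs[int(parts[2])] = {"context": parts[0], "user": parts[1],
                                    "name": parts[4]}
    return procs


def wx_findings(ps_text: str, maps_by_pid: Dict[int, str],
                exempt_contexts: Tuple[str, ...] = ("u:r:isolated_app:s0",)
                ) -> Dict[int, dict]:
    """Return pid -> summary for processes with W+X mappings outside exempt contexts."""
    procs = parse_ps_z(ps_text)
    findings = {}
    for pid, maps_text in maps_by_pid.items():
        wx = [m for m in parse_maps(maps_text) if m.is_wx]
        if not wx:
            continue
        info = procs.get(pid, {"context": "unknown", "name": "unknown"})
        if info["context"] in exempt_contexts:
            continue  # sandboxed renderer with limited privileges: accepted exception
        findings[pid] = {"name": info["name"], "context": info["context"],
                         "regions": len(wx), "bytes": sum(m.size for m in wx)}
    return findings


def report(findings: Dict[int, dict]) -> List[str]:
    """Format findings as one line per offending process."""
    return [f"pid {pid} {f['name']} ({f['context']}): {f['regions']} W+X region(s), "
            f"{f['bytes']} bytes" for pid, f in sorted(findings.items())]


# Constructed sample input in the shape of Figures 5 and 6 (hypothetical values).
PS_SAMPLE = """\
LABEL                USER     PID    PPID  NAME
u:r:untrusted_app:s0 u0_a94   2195   263   com.android.chrome
u:r:isolated_app:s0  u0_i38   5911   263   com.android.chrome:sandboxed_process1
u:r:untrusted_app:s0 u0_a233  18607  263   com.audible.application
"""
MAPS_SAMPLE = {
    2195: "b6f00000-b6f80000 r-xp 00000000 b3:1c 1234 /system/lib/libc.so\n",
    5911: ("2700a000-270ff000 rwxp 00000000 00:00 0\n"
           "2ba0a000-2ba0b000 rwxp 00000000 00:00 0\n"),
    18607: ("3810a000-3810b000 rwxp 00000000 00:00 0\n"
            "8260a000-8266a000 rwxp 00000000 00:00 0\n"),
}

if __name__ == "__main__":
    for line in report(wx_findings(PS_SAMPLE, MAPS_SAMPLE)):
        print(line)
```

With the sample data, only the WebView-using app is reported; the Chrome main process has no W+X regions and the sandboxed renderer is filtered out by its isolated_app context. Passing an empty exempt_contexts tuple lists every process with such mappings, which is the view to use when evaluating whether a device could tolerate stricter executable memory protections.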
