Android. Hacker's guide

Original title: Android Hacker's Handbook
Translation: Andrzej Stefański
ISBN: 978-83-246-9940-7
Date of issue: 2015-01-23
Number of pages: 520
Format: 168x237 mm

Defend your system against attack!

The Android system is an undeniable leader among operating systems for mobile devices. However, being a leader has one major disadvantage - everyone wants to break his security. If you are a specialist responsible for network security, if you are an administrator responsible for the security of mobile devices, then you've come across a book that will become your obligatory reading for the next few days!

Thanks to it, you will learn about the operation of the Android system and the security architecture implemented in it. In the following chapters, you will learn to recognize the details of security implementation and the complications resulting from the fact that Android is an open system. Once you've acquired solid theoretical foundations, you'll go on to analyze the various attack techniques for devices running Android. In addition, you will learn the possible attack planes, publicly available exploits and the weaknesses of the system's kernel. This book must be on the shelf of everyone who is not indifferent to the security of the Android platform!

With this book you will learn:

• Recognize the details of the security implementation and the complications resulting from the openness of Android.
• Avoid frequent security traps and follow the latest smartphone hacking strategies.
• Analyze all kinds of successful attacks on the Android operating system.
• Obtain full access to the device and recognize the partition layout and the device start-up process.
• Understand the complex nature of the Android ecosystem, including the importance of various device manufacturers and software developers

Mandatory reading of specialists responsible for the security of the Android platform!

Table of Contents

About the authors (13)

About the content-related corrector (15)

Thanks (17)

Introduction (19)

• Book and technology overview (20)
• How is this book divided (20)
• Who should read this book (22)
• Tools needed (22)
• What's on the website (23)
• Good luck! (23)

Chapter 1. A Look at the Ecosystem (25)

• The roots of Android (25)
  • Company history (25)
  • Revision history (26)
  • Available devices (28)
  • Open (mostly) sources (29)
• Android shareholders (31)
  • Google (32)
  • Equipment manufacturers (33)
  • Operators (35)
  • Developers (35)
  • Users (36)
• Image of the complexity of the ecosystem (38)
  • Fragmentation (38)
  • Compatibility (40)
  • Problems related to the update (41)
  • Security versus openness (43)
  • Information disclosure (44)
• Summary (45)

Chapter 2. Android security design and architecture (47)

• Android system architecture (47)
• Limitations and protection (49)
  • Android isolated environment (49)
  • Android permissions (52)
• More detailed analysis of layers (55)
  • Android Apps (55)
  • Android Framework (59)
  • Virtual Dalvik machine (60)
  • Native user code (62)
  • Kernel (67)
• Complicated security, a complicated exploit (74)
• Summary (75)

Chapter 3. Unlocking the device (77)

• Partition layout (78)
  • Determining the partition layout (79)
• System startup process (80)
  • Access the download mode (81)
• Blocked and unblocked loading programs (82)
  • Original and modified rescue images (83)
• Getting full access with unlocked loader (85)
• Getting full access when the loader is blocked (87)
  • Accessing on a running system (88)
  • NAND locks, temporary root, persistent root (89)
  • Fixing the software root (91)
• Stories of known attacks (92)
  • Nucleus: Wunderbar / asroot (92)
  • Rescue mode: Volez (93)
  • Udev: Exploid (93)
  • Adbd: RageAgainstTheCage (94)
  • Zygote: Zimperlich and Zysploit (94)
  • Ashmem: KillingInTheNameOf and psneuter (95)
  • Vold: GingerBreak (95)
  • PowerVR: levitator (96)
  • Libsysutils: zergRush (96)
  • Kernel: mempodroid (97)
  • Attacks related to file permissions and symbolic links (97)
  • Adb restore (98)
  • Exynos4: exynos-abuse (99)
  • Diag: lit / diaggetroot (99)
• Summary (100)

Chapter 4. Application security overview (101)

• Common errors (101)
  • Problems with application permissions (102)
  • Unsecured transfer of sensitive data (103)
  • Storage of unsecured data (104)
  • Information leaks through logs (105)
  • Unsecured IPC terminations (106)
• Case study: Mobile Security App (108)
  • Profiling (108)
  • Static analysis (110)
  • Dynamic analysis (124)
  • Attack (132)
• Case study: SIP Client (134)
  • Drozer (134)
  • Diagnosis (134)
  • Snarfing (136)
  • Injecting (138)
• Summary (140)

Chapter 5. Android attack planes (141)

• Basics of terminology (141)
  • Attacks Vectors (142)
  • Attack planes (143)
• Classification of attack surfaces (144)
  • Properties of the plane (144)
  • Classification method (145)
• Attack planes available remotely (145)
  • Network Issues (146)
  • Network stacks (150)
  • Shared network services (151)
  • Mobile technologies (152)
  • Attack level on the user's side (153)
  • Google infrastructure (158)
• Physical neighborhood (164)
  • Wireless communication (164)
  • Other technologies (170)
• Local attack planes (170)
  • Viewing the file system (171)
  • Finding other local attack planes (172)
• Physical attack planes (176)
  • Disassembling the device (177)
  • USB (178)
  • Other physical levels of attacks (181)
• External modifications (182)
• Summary (182)

Chapter 6. Searching for weaknesses using fuzzing (183)

• The origin of fuzzing (183)
  • Identifying the goal (185)
  • Creating distorted input data (185)
  • Processing of input data (186)
  • Monitoring results (187)
• Fuzzing on Android (187)
• Fuzzing recipients of messages (188)
  • Goal identification (189)
  • Generating input data (190)
  • Providing input data (190)
  • Test monitoring (191)
• Fuzzing Chrome for Android (193)
  • Target selection (193)
  • Generating input data (195)
  • Processing of input data (197)
  • Test monitoring (199)
• USB attack plane fuzzing (201)
  • Challenges of USB fuzzing (202)
  • Mode selection (202)
  • Generating input data (203)
  • Processing of input data (205)
  • Test monitoring (206)
• Summary (207)

Chapter 7. Searching for errors and analyzing weaknesses (209)

• Collection of all available information (209)
• Choosing a tool kit (211)
• Debugging erroneous ending (212)
  • System logs (212)
  • Tombstone (213)
• Remote debugging (214)
• Debugging Dalvik Virtual Machine Code (215)
  • Debugging the example application (216)
  • Displaying the Android Framework source code (218)
  • Debugging the existing code (220)
• Debugging the native code (224)
  • Debugging with NDK (224)
  • Debugging with Eclipse (228)
  • Debugging with AOSP (230)
  • Increasing automation (235)
  • Debug with symbols (237)
  • Debug device not supported by AOSP (243)
• Debug in mixed mode (244)
• Alternative debugging techniques (244)
  • Expressions for debugging (244)
  • Debugging on the device (245)
  • Dynamic modification of binaries (246)
• Vulnerability analysis (247)
  • Determining the root cause (247)
  • Assessment of use (260)
• Summary (261)

Chapter 8. Using software running in the user space (263)

• Basics of memory errors (263)
  • Stack buffer overflow (264)
  • Using the heap (267)
• History of publicly known exploits (274)
  • GingerBreak (275)
  • zergRush (278)
  • mempodroid (281)
• Using the Android browser (282)
  • Understanding the error (283)
  • Heap Control (285)
• Summary (288)

Chapter 9. Return Oriented Programming (289)

• History and justification (289)
  • Separate data and instruction cache (290)
• Basis of ROP in ARM (292)
  • Invoking subroutines in ARM (293)
  • Combining gadgets in a chain (295)
  • Identification of potential gadgets (296)
• Case study: Android 4.0.1 linker (297)
  • Stack pointer modification (298)
  • Execution of arbitrary code from allocated memory (300)
• Summary (304)

Chapter 10. Hacking and attacking the kernel (317)

• Linux kernel on Android (317)
• Extracting the kernel (318)
  • Extracting from the factory software (319)
  • Download from device (321)
  • Downloading the kernel from the boot image (323)
  • Unpacking the kernel (323)
• Running the modified kernel code (324)
  • Acquisition of source code (324)
  • Preparing the build environment (327)
  • Configuring the kernel (328)
  • Using your own kernel modules (329)
  • Compilation of the modified kernel (332)
  • Creating a boot image (335)
  • Running a modified kernel (337)
• Debugging the kernel (342)
  • Kernel Error Reports (342)
  • Understanding Oops (344)
  • Live debugging with KGDB (348)
• Using the kernel (352)
  • Typical Android kernels (352)
  • Extracting addresses (354)
  • Case studies (356)
• Summary (367)

Chapter 11. Attacking RIL (311)

• Introduction to RIL (312)
  • RIL architecture (312)
  • Smartphone architecture (313)
  • Phone stack on Android (313)
  • Adjusting the phone stack (315)
  • RIL Services (rild) (315)
  • The vendor-ril API (318)
• SMS (Short Message Service) (319)
  • Sending and receiving SMS messages (319)
  • SMS format (319)
• Communication with the modem (322)
  • Emulation of a modem for fuzzing (322)
  • Fuzzing Android SMS (324)
• Summary (331)

Chapter 12. Mitigation Mechanisms (333)

• Classification (334)
• Code signing (334)
• Heap curing (336)
• Overflow protection of an integer variable (336)
• Preventing the execution of data (338)
• Randomization of the address space (340)
• Stack protection (342)
• Security for formatting strings (343)
• Read-Only Relocations (345)
• Environmental isolation (346)
• Securing the source code (346)
• Access control mechanisms (348)
• Securing the kernel (349)
  • Limits of indicators and logs (350)
  • Zero page protection (351)
  • Read-only memory areas (351)
• Other security features (352)
• Summary of mechanisms limiting the operation of exploits (354)
• Disabling restrictions (356)
  • Change of identity (356)
  • Binary Swap (357)
  • Modifying the Kernel (357)
• Overcoming mechanisms limiting the operation of exploits (358)
  • Overcoming stack security (358)
  • Overcoming ASLR (359)
  • Overcoming security measures against data execution (359)
  • Overcoming kernel limitations (359)
• A look into the future (360)
  • Officially developed projects (360)
  • Community curing of the testicle (361)
  • A bit of speculation (362)
• Summary (362)

Chapter 13. Hardware attacks (363)

• Communication with hardware (364)
  • UART serial interfaces (364)
  • Interfaces I2C, SPI and One-Wire (368)
  • JTAG (370)
  • Finding Interfaces for Debugging (381)
• Component identification (392)
  • Acquiring Specifications (392)
  • Difficulties in identifying components (394)
• Capturing, monitoring and injecting data (395)
  • USB (395)
  • Serial interfaces I2C, SPI and UART (399)
• Data and software theft (404)
  • Getting discreet access (405)
  • Invasive methods of access to software (407)
  • What to do with data dump? (410)
• Traps (414)
  • Unusual interfaces (414)
  • Binary data and closed protocols (414)
  • Defective interfaces for debugging (415)
  • System passwords (415)
  • Loader passwords, key combinations and silent terminals (415)
  • Modified start sequences (416)
  • Hidden address lines (416)
  • Protective resin (416)
  • Image encryption, obfuscation and hindering debugging (417)
• Summary (417)

Appendix A. Tools (419)

• Development tools (419)
  • Android SDK (419)
  • Android NDK (420)
  • Eclipse (420)
  • ADT plugin (420)
  • ADT package (420)
  • Android Studio (420)
• Tools for acquiring factory software and modifying memory (421)
  • Binwalk (421)
  • fastboot (421)
  • Samsung (421)
  • NVIDIA (422)
  • LG (422)
  • HTC (423)
  • Motorola (423)
• Android native tools (424)
  • BusyBox (424)
  • setpropex (425)
  • SQLite (425)
  • strace (425)
• Hooking and modifying tools (425)
  • ADBI framework (425)
  • ldpreloadhook (426)
  • Framework XPosed (426)
  • Cydia Substrate (426)
• Static analysis tools (426)
  • Smali and Baksmali (427)
  • Androguard (427)
  • apktool (427)
  • dex2jar (427)
  • poison (428)
  • JD-GUI (428)
  • JEB (428)
  • Radare2 (428)
  • IDA Pro and Hex-Rays decompiler (429)
• Application testing tools (429)
  • Framework Drozer (Mercury) (429)
  • iSEC Intent Sniffer and Intent Fuzzer (429)
• Hardware hacking tools (430)
  • Segger J-Link (430)
  • JTAGulator (430)
  • OpenOCD (430)
  • Saleae (430)
  • Bus Pirate (430)
  • GoodFET (431)
  • TotalPhase Beagle USB (431)
  • Facedancer21 (431)
  • TotalPhase Aardvark I2C (431)
  • Chip Quik (431)
  • Heat gun (431)
  • Xeltek SuperPro (432)
  • IDA (432)

Appendix B. Open source code repositories (433)

• Google (433)
  • AOSP (433)
  • Gerrit code control system (434)
• SoC manufacturers (434)
  • AllWinner (435)
  • Intel (435)
  • Marvell (435)
  • MediaTek (435)
  • Nvidia (436)
  • Texas Instruments (436)
  • Qualcomm (436)
  • Samsung (437)
• Device manufacturers (OEM) (437)
  • ASUS (438)
  • HTC (438)
  • LG (438)
  • Motorola (439)
  • Samsung (439)
  • Sony Mobile (439)
• Sources of external projects (440)
• Other sources (440)
  • Modified factory software (440)
  • Linaro (441)
  • Replicant (441)
  • Code indexes (441)
  • Freelancers (441)

Appendix C. Sources (443)

Index (501)