SESSION ID: MBS-R09

Challenges in Android Supply Chain Analysis

Łukasz Siewierski (@maldr0id)
Reverse Engineer, Android Security (Google)

#RSAC

Agenda

• What do an Android device and its system updates go through before the first public sale?
• What are the technical challenges in analysing Android system images?
• Case studies

The journey of an Android device

Approval process for Android devices

• CTS (Compatibility Test Suite): Ensuring compatibility with AOSP
• GTS (GMS Requirements Test Suite): Requirements for any devices that want to license Google apps
• VTS (Vendor Test Suite): Compatibility with the Hardware Abstraction Layer (HAL)
• STS (Security Test Suite): Checks if security patches have been applied correctly
• BTS (Build Test Suite): Security review for malware and other harmful behaviors in binaries / framework

Android Compatibility Definition Document

List of requirements that must be met in order for devices to be compatible with the latest version of Android. For example, section 9 deals with “Security Model Compatibility” and contains subsections relating to:

• Permissions
• Premium SMS warning
• Security Features (e.g. SELinux)
• Data Storage Encryption
• Automotive Vehicle System Isolation

Android system image analysis challenges

Case study #1
Device monitoring and dynamic analysis challenges

It started with an application

    <receiver android:name="com.[redacted].receiver.AppMonitorReceiver">
      <intent-filter>
        <!-- Odd intent names? -->
        <action android:name="com.[redacted].appmonitor.app_onCreate"/>
        <action android:name="com.[redacted].appmonitor.app_onResume"/>
        <action android:name="com.[redacted].appmonitor.load_url"/>
      </intent-filter>
    </receiver>

    public void onReceive(android.content.Context context, android.content.Intent intent) {
        String action = intent.getAction();
        if (action.equals(this.load_url_intent)) {
            addsURLAndPackNameToDatabase(context, intent);
        }
    }

    public void addsURLAndPackNameToDatabase(android.content.Context context, android.content.Intent intent) {
        // Expects two extra fields
        String url = intent.getStringExtra("url");
        String packname = intent.getStringExtra("packname");
        // Adds data to the database
        addURLInfoToDatabase(context, url, packname);
    }

Additional (unused) method in the AOSP Activity class

    private void sendNewAppBroadcast() {
        String lastpkg = System.getString(this.getContentResolver(), "lastpkg");
        String curpkg = this.mActivityInfo.applicationInfo.packageName;
        if(lastpkg == null || !lastpkg.equals(curpkg)) {
            Intent it = new Intent();
            it.setAction("com.[redacted].app_onResume");
            it.putExtra("packname", curpkg);
            this.sendBroadcast(it);
        }
    }

Additional (used) method in the AOSP WebView class

    public void loadUrl(String url) {
        // Regular code
        this.checkThread();
        Log.d("WebView", "loadUrl=" + url);
        this.mProvider.loadUrl(url);
        // Appended code
        Application initialApplication = AppGlobals.getInitialApplication();
        if(initialApplication != null && (URLUtil.isNetworkUrl(url))) {
            Intent it = new Intent();
            it.setAction("com.[redacted].load_url");
            it.putExtra("url", url);
            it.putExtra("packname", initialApplication.getPackageName());
            initialApplication.getApplicationContext().sendBroadcast(it);
        }
    }

We worked with the OEM to provide a system update which removes the additional code. To protect users before they get the system update, the app that gathers information is disabled by Play Protect.
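The triage step behind this case study, sketched as an added example (not code from the slides): take the non-platform actions a preinstalled app's receiver listens for and look for framework classes that broadcast them. The `com.example` names, the manifest and the decompiled framework snippets are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Constructed sample: decoded manifest of a preinstalled app (placeholder names).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name="com.example.receiver.AppMonitorReceiver">
      <intent-filter>
        <action android:name="com.example.appmonitor.app_onResume"/>
        <action android:name="com.example.appmonitor.load_url"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed sample: decompiled framework source, keyed by class name.
FRAMEWORK = {
    "android.webkit.WebView": '''
        it.setAction("com.example.appmonitor.load_url");
        it.putExtra("url", url);
        it.putExtra("packname", initialApplication.getPackageName());''',
    "android.app.Activity": '''
        it.setAction("com.example.appmonitor.app_onResume");
        it.putExtra("packname", curpkg);''',
}
SET_ACTION = re.compile(r'setAction\("([^"]+)"\)')
PUT_EXTRA = re.compile(r'putExtra\("([^"]+)"')

def receiver_actions(manifest_xml):
    """Map each non-platform action to the receiver that listens for it."""
    out = {}
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        for act in rcv.iter("action"):
            name = act.get(ANDROID_NS + "name")
            if name and not name.startswith("android."):
                out[name] = rcv.get(ANDROID_NS + "name")
    return out

def correlate(manifest_xml, framework_sources):
    """Find framework classes that broadcast an action an app receiver expects."""
    wanted = receiver_actions(manifest_xml)
    hits = []
    for cls, src in sorted(framework_sources.items()):
        for action in SET_ACTION.findall(src):
            if action in wanted:
                # Extras are collected per class, which over-approximates per intent.
                hits.append({"framework_class": cls, "action": action,
                             "receiver": wanted[action],
                             "extras": PUT_EXTRA.findall(src)})
    return hits

print(correlate(MANIFEST, FRAMEWORK))
```

A hit in a class such as WebView or Activity means the framework itself, not just the app, differs from AOSP and needs review.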

Dynamic analysis - challenges

• The apps need specific AOSP modifications in order to work
• The apps need specific devices / drivers in order to work
• The apps that you’re trying to install are already on the device (see below)

    $ adb install com.android.systemui.apk
    adb: failed to install com.android.systemui.apk: Failure [INSTALL_FAILED_VERSION_DOWNGRADE]

    $ adb install com.android.systemui.apk
    Failure [INSTALL_FAILED_OLDER_SDK]

    $ adb install com.android.systemui.apk
    adb: failed to install com.android.systemui.apk: Failure [INSTALL_FAILED_UPDATE_INCOMPATIBLE: Package com.android.systemui signatures do not match the previously installed version; ignoring!]

Is there a way to make dynamic analysis work?

You have to use some of the same methods OEMs use:

• Have your own modified Android image on the emulator
• Sign apps with your own “platform” key
• Install them in /system by moving the APK files to the /system partition

However, if the Android

PDF document: 2020_USA20_MBS-R09_01_Challenges in Android Supply Chain Analysis
