Joshua J. Drake, Zach Lanier, Collin Mulliner, Pau Oliva, Stephen A. Ridley, Georg Wicherski
Android Hacker's Handbook
Joshua J. Drake, Zach Lanier, Collin Mulliner, Pau Oliva, Stephen A. Ridley, Georg Wicherski
Android Hacker's Handbook
- Broschiertes Buch
- Merkliste
- Auf die Merkliste
- Bewerten Bewerten
- Teilen
- Produkt teilen
- Produkterinnerung
- Produkterinnerung
Written by the world's foremost Android security researchers, Android Hacker's Handbook is the first comprehensive book on detecting and preventing hacks and exploits to the Android operating system. Covering both implementation details as well as complexities introduced by the open nature of the Android OS, the book explains how the operating system works, security risks associated with it, and the overall security architecture of the operating system. This landmark guide for IT professionals and Android developers also explains how vulnerabilities can be found in, and exploits developed for,…mehr
Andere Kunden interessierten sich auch für
- Dafydd StuttardThe Web Application Hacker's Handbook42,99 €
- Chris AnleyThe Shellcoder's Handbook36,99 €
- Kevin D. MitnickThe Art of Deception39,99 €
- Ross AndersonSecurity Engineering49,99 €
- Adam ShostackThreat Modeling67,99 €
- Troy McMillanCCNA Security Study Guide41,99 €
- Zahir TariData Exfiltration Threats and Prevention Techniques139,99 €
-
-
-
Written by the world's foremost Android security researchers, Android Hacker's Handbook is the first comprehensive book on detecting and preventing hacks and exploits to the Android operating system. Covering both implementation details as well as complexities introduced by the open nature of the Android OS, the book explains how the operating system works, security risks associated with it, and the overall security architecture of the operating system. This landmark guide for IT professionals and Android developers also explains how vulnerabilities can be found in, and exploits developed for, various components of the system.
The first comprehensive guide to discovering and preventing attacks on the Android OS
As the Android operating system continues to increase its share of the smartphone market, smartphone hacking remains a growing threat. Written by experts who rank among the world's foremost Android security researchers, this book presents vulnerability discovery, analysis, and exploitation tools for the good guys. Following a detailed explanation of how the Android OS works and its overall security architecture, the authors examine how vulnerabilities can be discovered and exploits developed for various system components, preparing you to defend against them.
If you are a mobile device administrator, security researcher, Android app developer, or consultant responsible for evaluating Android security, you will find this guide is essential to your toolbox.
A crack team of leading Android security researchers explain Android security risks, security design and architecture, rooting, fuzz testing, and vulnerability analysis
Covers Android application building blocks and security as well as debugging and auditing Android apps
Prepares mobile device administrators, security researchers, Android app developers, and security consultants to defend Android systems against attack
Android Hacker's Handbook is the first comprehensive resource for IT professionals charged with smartphone security.
The first comprehensive guide to discovering and preventing attacks on the Android OS
As the Android operating system continues to increase its share of the smartphone market, smartphone hacking remains a growing threat. Written by experts who rank among the world's foremost Android security researchers, this book presents vulnerability discovery, analysis, and exploitation tools for the good guys. Following a detailed explanation of how the Android OS works and its overall security architecture, the authors examine how vulnerabilities can be discovered and exploits developed for various system components, preparing you to defend against them.
If you are a mobile device administrator, security researcher, Android app developer, or consultant responsible for evaluating Android security, you will find this guide is essential to your toolbox.
A crack team of leading Android security researchers explain Android security risks, security design and architecture, rooting, fuzz testing, and vulnerability analysis
Covers Android application building blocks and security as well as debugging and auditing Android apps
Prepares mobile device administrators, security researchers, Android app developers, and security consultants to defend Android systems against attack
Android Hacker's Handbook is the first comprehensive resource for IT professionals charged with smartphone security.
Produktdetails
- Produktdetails
- Verlag: Wiley & Sons
- Artikelnr. des Verlages: 1W118608640
- 1. Auflage
- Seitenzahl: 576
- Erscheinungstermin: 31. März 2014
- Englisch
- Abmessung: 235mm x 191mm x 31mm
- Gewicht: 958g
- ISBN-13: 9781118608647
- ISBN-10: 111860864X
- Artikelnr.: 37781511
- Verlag: Wiley & Sons
- Artikelnr. des Verlages: 1W118608640
- 1. Auflage
- Seitenzahl: 576
- Erscheinungstermin: 31. März 2014
- Englisch
- Abmessung: 235mm x 191mm x 31mm
- Gewicht: 958g
- ISBN-13: 9781118608647
- ISBN-10: 111860864X
- Artikelnr.: 37781511
JOSHUA J. DRAKE is a Director of Research Science at Accuvant LABS. PAU OLIVA FORA is a Mobile Security Engineer with viaForensics. ZACH LANIER is a Senior Security Researcher at Duo Security. COLLIN MULLINER is a postdoctoral researcher at Northeastern University. STEPHEN A. RIDLEY is a Principal Researcher with Xipiter. GEORG WICHERSKI is a Senior Security Researcher with CrowdStrike.
Introduction xxv Chapter 1 Looking at the Ecosystem 1 Understanding
Android's Roots 1 Company History 2 Version History 2 Examining the Device
Pool 4 Open Source, Mostly 7 Understanding Android Stakeholders 7 Google 8
Hardware Vendors 10 Carriers 12 Developers 13 Users 14 Grasping Ecosystem
Complexities 15 Fragmentation 16 Compatibility 17 Update Issues 18 Security
versus Openness 21 Public Disclosures 22 Summary 23 Chapter 2 Android
Security Design and Architecture 25 Understanding Android System
Architecture 25 Understanding Security Boundaries and Enforcement 27
Android's Sandbox 27 Android Permissions 30 Looking Closer at the Layers 34
Android Applications 34 The Android Framework 39 The Dalvik Virtual Machine
40 User-Space Native Code 41 The Kernel 49 Complex Security, Complex
Exploits 55 Summary 56 Chapter 3 Rooting Your Device 57 Understanding the
Partition Layout 58 Determining the Partition Layout 59 Understanding the
Boot Process 60 Accessing Download Mode 61 Locked and Unlocked Boot Loaders
62 Stock and Custom Recovery Images 63 Rooting with an Unlocked Boot Loader
65 Rooting with a Locked Boot Loader 68 Gaining Root on a Booted System 69
NAND Locks, Temporary Root, and Permanent Root 70 Persisting a Soft Root 71
History of Known Attacks 73 Kernel: Wunderbar/asroot 73 Recovery: Volez 74
Udev: Exploid 74 Adbd: RageAgainstTheCage 75 Zygote: Zimperlich and
Zysploit 75 Ashmem: KillingInTheNameOf and psneuter 76 Vold: GingerBreak 76
PowerVR: levitator 77 Libsysutils: zergRush 78 Kernel: mempodroid 78 File
Permission and Symbolic Link-Related Attacks 79 Adb Restore Race Condition
79 Exynos4: exynos-abuse 80 Diag: lit / diaggetroot 81 Summary 81 Chapter 4
Reviewing Application Security 83 Common Issues 83 App Permission Issues 84
Insecure Transmission of Sensitive Data 86 Insecure Data Storage 87
Information Leakage Through Logs 88 Unsecured IPC Endpoints 89 Case Study:
Mobile Security App 91 Profi ling 91 Static Analysis 93 Dynamic Analysis
109 Attack 117 Case Study: SIP Client 120 Enter Drozer 121 Discovery 121
Snarfing 122 Injection 124 Summary 126 Chapter 5 Understanding Android's
Attack Surface 129 An Attack Terminology Primer 130 Attack Vectors 130
Attack Surfaces 131 Classifying Attack Surfaces 133 Surface Properties 133
Classification Decisions 134 Remote Attack Surfaces 134 Networking Concepts
134 Networking Stacks 139 Exposed Network Services 140 Mobile Technologies
142 Client-side Attack Surface 143 Google Infrastructure 148 Physical
Adjacency 154 Wireless Communications 154 Other Technologies 161 Local
Attack Surfaces 161 Exploring the File System 162 Finding Other Local
Attack Surfaces 163 Physical Attack Surfaces 168 Dismantling Devices 169
USB 169 Other Physical Attack Surfaces 173 Third-Party Modifi cations 174
Summary 174 Chapter 6 Finding Vulnerabilities with Fuzz Testing 177 Fuzzing
Background 177 Identifying a Target 179 Crafting Malformed Inputs 179
Processing Inputs 180 Monitoring Results 181 Fuzzing on Android 181 Fuzzing
Broadcast Receivers 183 Identifying a Target 183 Generating Inputs 184
Delivering Inputs 185 Monitoring Testing 185 Fuzzing Chrome for Android 188
Selecting a Technology to Target 188 Generating Inputs 190 Processing
Inputs 192 Monitoring Testing 194 Fuzzing the USB Attack Surface 197 USB
Fuzzing Challenges 198 Selecting a Target Mode 198 Generating Inputs 199
Processing Inputs 201 Monitoring Testing 202 Summary 204 Chapter 7
Debugging and Analyzing Vulnerabilities 205 Getting All Available
Information 205 Choosing a Toolchain 207 Debugging with Crash Dumps 208
System Logs 208 Tombstones 209 Remote Debugging 211 Debugging Dalvik Code
212 Debugging an Example App 213 Showing Framework Source Code 215
Debugging Existing Code 217 Debugging Native Code 221 Debugging with the
NDK 222 Debugging with Eclipse 226 Debugging with AOSP 227 Increasing
Automation 233 Debugging with Symbols 235 Debugging with a Non-AOSP Device
241 Debugging Mixed Code 243 Alternative Debugging Techniques 243 Debug
Statements 243 On-Device Debugging 244 Dynamic Binary Instrumentation 245
Vulnerability Analysis 246 Determining Root Cause 246 Judging
Exploitability 260 Summary 261 Chapter 8 Exploiting User Space Software 263
Memory Corruption Basics 263 Stack Buffer Overfl ows 264 Heap Exploitation
268 A History of Public Exploits 275 GingerBreak 275 zergRush 279
mempodroid 283 Exploiting the Android Browser 284 Understanding the Bug 284
Controlling the Heap 287 Summary 290 Chapter 9 Return Oriented Programming
291 History and Motivation 291 Separate Code and Instruction Cache 292
Basics of ROP on ARM 294 ARM Subroutine Calls 295 Combining Gadgets into a
Chain 297 Identifying Potential Gadgets 299 Case Study: Android 4.0.1
Linker 300 Pivoting the Stack Pointer 301 Executing Arbitrary Code from a
New Mapping 303 Summary 308 Chapter 10 Hacking and Attacking the Kernel 309
Android's Linux Kernel 309 Extracting Kernels 310 Extracting from Stock
Firmware 311 Extracting from Devices 314 Getting the Kernel from a Boot
Image 315 Decompressing the Kernel 316 Running Custom Kernel Code 316
Obtaining Source Code 316 Setting Up a Build Environment 320 Confi guring
the Kernel 321 Using Custom Kernel Modules 322 Building a Custom Kernel 325
Creating a Boot Image 329 Booting a Custom Kernel 331 Debugging the Kernel
336 Obtaining Kernel Crash Reports 337 Understanding an Oops 338 Live
Debugging with KGDB 343 Exploiting the Kernel 348 Typical Android Kernels
348 Extracting Addresses 350 Case Studies 352 Summary 364 Chapter 11
Attacking the Radio Interface Layer 367 Introduction to the RIL 368 RIL
Architecture 368 Smartphone Architecture 369 The Android Telephony Stack
370 Telephony Stack Customization 371 The RIL Daemon (rild) 372 The
Vendor-RIL API 374 Short Message Service (SMS) 375 Sending and Receiving
SMS Messages 376 SMS Message Format 376 Interacting with the Modem 379
Emulating the Modem for Fuzzing 379 Fuzzing SMS on Android 382 Summary 390
Chapter 12 Exploit Mitigations 391 Classifying Mitigations 392 Code Signing
392 Hardening the Heap 394 Protecting Against Integer Overfl ows 394
Preventing Data Execution 396 Address Space Layout Randomization 398
Protecting the Stack 400 Format String Protections 401 Read-Only
Relocations 403 Sandboxing 404 Fortifying Source Code 405 Access Control
Mechanisms 407 Protecting the Kernel 408 Pointer and Log Restrictions 409
Protecting the Zero Page 410 Read-Only Memory Regions 410 Other Hardening
Measures 411 Summary of Exploit Mitigations 414 Disabling Mitigation
Features 415 Changing Your Personality 416 Altering Binaries 416 Tweaking
the Kernel 417 Overcoming Exploit Mitigations 418 Overcoming Stack
Protections 418 Overcoming ASLR 418 Overcoming Data Execution Protections
419 Overcoming Kernel Protections 419 Looking to the Future 420 Official
Projects Underway 420 Community Kernel Hardening Efforts 420 A Bit of
Speculation 422 Summary 422 Chapter 13 Hardware Attacks 423 Interfacing
with Hardware Devices 424 UART Serial Interfaces 424 I2C, SPI, and One-Wire
Interfaces 428 JTAG 431 Finding Debug Interfaces 443 Identifying Components
456 Getting Specifi cations 456 Difficulty Identifying Components 457
Intercepting, Monitoring, and Injecting Data 459 USB 459 I2C, SPI, and UART
Serial Interfaces 463 Stealing Secrets and Firmware 469 Accessing Firmware
Unobtrusively 469 Destructively Accessing the Firmware 471 What Do You Do
with a Dump? 474 Pitfalls 479 Custom Interfaces 479 Binary/Proprietary Data
479 Blown Debug Interfaces 480 Chip Passwords 480 Boot Loader Passwords,
Hotkeys, and Silent Terminals 480 Customized Boot Sequences 481 Unexposed
Address Lines 481 Anti-Reversing Epoxy 482 Image Encryption, Obfuscation,
and Anti-Debugging 482 Summary 482 Appendix A Tool Catalog 485 Development
Tools 485 Android SDK 485 Android NDK 486 Eclipse 486 ADT Plug-In 486 ADT
Bundle 486 Android Studio 487 Firmware Extraction and Flashing Tools 487
Binwalk 487 fastboot 487 Samsung 488 NVIDIA 489 LG 489 HTC 489 Motorola 490
Native Android Tools 491 BusyBox 491 setpropex 491 SQLite 491 strace 492
Hooking and Instrumentation Tools 492 ADBI Framework 492 ldpreloadhook 492
XPosed Framework 492 Cydia Substrate 493 Static Analysis Tools 493 Smali
and Baksmali 493 Androguard 493 apktool 494 dex2jar 494 jad 494 JD-GUI 495
JEB 495 Radare2 495 IDA Pro and Hex-Rays Decompiler 496 Application Testing
Tools 496 Drozer (Mercury) Framework 496 iSEC Intent Sniffer and Intent
Fuzzer 496 Hardware Hacking Tools 496 Segger J-Link 497 JTAGulator 497
OpenOCD 497 Saleae 497 Bus Pirate 497 GoodFET 497 Total Phase Beagle USB
498 Facedancer21 498 Total Phase Beagle I2C 498 Chip Quik 498 Hot air gun
498 Xeltek SuperPro 498 IDA 499 Appendix B Open Source Repositories 501
Google 501 AOSP 501 Gerrit Code Review 502 SoC Manufacturers 502 AllWinner
503 Intel 503 Marvell 503 MediaTek 504 Nvidia 504 Texas Instruments 504
Qualcomm 505 Samsung 505 OEMs 506 ASUS 506 HTC 507 LG 507 Motorola 507
Samsung 508 Sony Mobile 508 Upstream Sources 508 Others 509 Custom Firmware
509 Linaro 510 Replicant 510 Code Indexes 510 Individuals 510 Appendix C
References 511 Index 523
Android's Roots 1 Company History 2 Version History 2 Examining the Device
Pool 4 Open Source, Mostly 7 Understanding Android Stakeholders 7 Google 8
Hardware Vendors 10 Carriers 12 Developers 13 Users 14 Grasping Ecosystem
Complexities 15 Fragmentation 16 Compatibility 17 Update Issues 18 Security
versus Openness 21 Public Disclosures 22 Summary 23 Chapter 2 Android
Security Design and Architecture 25 Understanding Android System
Architecture 25 Understanding Security Boundaries and Enforcement 27
Android's Sandbox 27 Android Permissions 30 Looking Closer at the Layers 34
Android Applications 34 The Android Framework 39 The Dalvik Virtual Machine
40 User-Space Native Code 41 The Kernel 49 Complex Security, Complex
Exploits 55 Summary 56 Chapter 3 Rooting Your Device 57 Understanding the
Partition Layout 58 Determining the Partition Layout 59 Understanding the
Boot Process 60 Accessing Download Mode 61 Locked and Unlocked Boot Loaders
62 Stock and Custom Recovery Images 63 Rooting with an Unlocked Boot Loader
65 Rooting with a Locked Boot Loader 68 Gaining Root on a Booted System 69
NAND Locks, Temporary Root, and Permanent Root 70 Persisting a Soft Root 71
History of Known Attacks 73 Kernel: Wunderbar/asroot 73 Recovery: Volez 74
Udev: Exploid 74 Adbd: RageAgainstTheCage 75 Zygote: Zimperlich and
Zysploit 75 Ashmem: KillingInTheNameOf and psneuter 76 Vold: GingerBreak 76
PowerVR: levitator 77 Libsysutils: zergRush 78 Kernel: mempodroid 78 File
Permission and Symbolic Link-Related Attacks 79 Adb Restore Race Condition
79 Exynos4: exynos-abuse 80 Diag: lit / diaggetroot 81 Summary 81 Chapter 4
Reviewing Application Security 83 Common Issues 83 App Permission Issues 84
Insecure Transmission of Sensitive Data 86 Insecure Data Storage 87
Information Leakage Through Logs 88 Unsecured IPC Endpoints 89 Case Study:
Mobile Security App 91 Profi ling 91 Static Analysis 93 Dynamic Analysis
109 Attack 117 Case Study: SIP Client 120 Enter Drozer 121 Discovery 121
Snarfing 122 Injection 124 Summary 126 Chapter 5 Understanding Android's
Attack Surface 129 An Attack Terminology Primer 130 Attack Vectors 130
Attack Surfaces 131 Classifying Attack Surfaces 133 Surface Properties 133
Classification Decisions 134 Remote Attack Surfaces 134 Networking Concepts
134 Networking Stacks 139 Exposed Network Services 140 Mobile Technologies
142 Client-side Attack Surface 143 Google Infrastructure 148 Physical
Adjacency 154 Wireless Communications 154 Other Technologies 161 Local
Attack Surfaces 161 Exploring the File System 162 Finding Other Local
Attack Surfaces 163 Physical Attack Surfaces 168 Dismantling Devices 169
USB 169 Other Physical Attack Surfaces 173 Third-Party Modifi cations 174
Summary 174 Chapter 6 Finding Vulnerabilities with Fuzz Testing 177 Fuzzing
Background 177 Identifying a Target 179 Crafting Malformed Inputs 179
Processing Inputs 180 Monitoring Results 181 Fuzzing on Android 181 Fuzzing
Broadcast Receivers 183 Identifying a Target 183 Generating Inputs 184
Delivering Inputs 185 Monitoring Testing 185 Fuzzing Chrome for Android 188
Selecting a Technology to Target 188 Generating Inputs 190 Processing
Inputs 192 Monitoring Testing 194 Fuzzing the USB Attack Surface 197 USB
Fuzzing Challenges 198 Selecting a Target Mode 198 Generating Inputs 199
Processing Inputs 201 Monitoring Testing 202 Summary 204 Chapter 7
Debugging and Analyzing Vulnerabilities 205 Getting All Available
Information 205 Choosing a Toolchain 207 Debugging with Crash Dumps 208
System Logs 208 Tombstones 209 Remote Debugging 211 Debugging Dalvik Code
212 Debugging an Example App 213 Showing Framework Source Code 215
Debugging Existing Code 217 Debugging Native Code 221 Debugging with the
NDK 222 Debugging with Eclipse 226 Debugging with AOSP 227 Increasing
Automation 233 Debugging with Symbols 235 Debugging with a Non-AOSP Device
241 Debugging Mixed Code 243 Alternative Debugging Techniques 243 Debug
Statements 243 On-Device Debugging 244 Dynamic Binary Instrumentation 245
Vulnerability Analysis 246 Determining Root Cause 246 Judging
Exploitability 260 Summary 261 Chapter 8 Exploiting User Space Software 263
Memory Corruption Basics 263 Stack Buffer Overfl ows 264 Heap Exploitation
268 A History of Public Exploits 275 GingerBreak 275 zergRush 279
mempodroid 283 Exploiting the Android Browser 284 Understanding the Bug 284
Controlling the Heap 287 Summary 290 Chapter 9 Return Oriented Programming
291 History and Motivation 291 Separate Code and Instruction Cache 292
Basics of ROP on ARM 294 ARM Subroutine Calls 295 Combining Gadgets into a
Chain 297 Identifying Potential Gadgets 299 Case Study: Android 4.0.1
Linker 300 Pivoting the Stack Pointer 301 Executing Arbitrary Code from a
New Mapping 303 Summary 308 Chapter 10 Hacking and Attacking the Kernel 309
Android's Linux Kernel 309 Extracting Kernels 310 Extracting from Stock
Firmware 311 Extracting from Devices 314 Getting the Kernel from a Boot
Image 315 Decompressing the Kernel 316 Running Custom Kernel Code 316
Obtaining Source Code 316 Setting Up a Build Environment 320 Confi guring
the Kernel 321 Using Custom Kernel Modules 322 Building a Custom Kernel 325
Creating a Boot Image 329 Booting a Custom Kernel 331 Debugging the Kernel
336 Obtaining Kernel Crash Reports 337 Understanding an Oops 338 Live
Debugging with KGDB 343 Exploiting the Kernel 348 Typical Android Kernels
348 Extracting Addresses 350 Case Studies 352 Summary 364 Chapter 11
Attacking the Radio Interface Layer 367 Introduction to the RIL 368 RIL
Architecture 368 Smartphone Architecture 369 The Android Telephony Stack
370 Telephony Stack Customization 371 The RIL Daemon (rild) 372 The
Vendor-RIL API 374 Short Message Service (SMS) 375 Sending and Receiving
SMS Messages 376 SMS Message Format 376 Interacting with the Modem 379
Emulating the Modem for Fuzzing 379 Fuzzing SMS on Android 382 Summary 390
Chapter 12 Exploit Mitigations 391 Classifying Mitigations 392 Code Signing
392 Hardening the Heap 394 Protecting Against Integer Overfl ows 394
Preventing Data Execution 396 Address Space Layout Randomization 398
Protecting the Stack 400 Format String Protections 401 Read-Only
Relocations 403 Sandboxing 404 Fortifying Source Code 405 Access Control
Mechanisms 407 Protecting the Kernel 408 Pointer and Log Restrictions 409
Protecting the Zero Page 410 Read-Only Memory Regions 410 Other Hardening
Measures 411 Summary of Exploit Mitigations 414 Disabling Mitigation
Features 415 Changing Your Personality 416 Altering Binaries 416 Tweaking
the Kernel 417 Overcoming Exploit Mitigations 418 Overcoming Stack
Protections 418 Overcoming ASLR 418 Overcoming Data Execution Protections
419 Overcoming Kernel Protections 419 Looking to the Future 420 Official
Projects Underway 420 Community Kernel Hardening Efforts 420 A Bit of
Speculation 422 Summary 422 Chapter 13 Hardware Attacks 423 Interfacing
with Hardware Devices 424 UART Serial Interfaces 424 I2C, SPI, and One-Wire
Interfaces 428 JTAG 431 Finding Debug Interfaces 443 Identifying Components
456 Getting Specifi cations 456 Difficulty Identifying Components 457
Intercepting, Monitoring, and Injecting Data 459 USB 459 I2C, SPI, and UART
Serial Interfaces 463 Stealing Secrets and Firmware 469 Accessing Firmware
Unobtrusively 469 Destructively Accessing the Firmware 471 What Do You Do
with a Dump? 474 Pitfalls 479 Custom Interfaces 479 Binary/Proprietary Data
479 Blown Debug Interfaces 480 Chip Passwords 480 Boot Loader Passwords,
Hotkeys, and Silent Terminals 480 Customized Boot Sequences 481 Unexposed
Address Lines 481 Anti-Reversing Epoxy 482 Image Encryption, Obfuscation,
and Anti-Debugging 482 Summary 482 Appendix A Tool Catalog 485 Development
Tools 485 Android SDK 485 Android NDK 486 Eclipse 486 ADT Plug-In 486 ADT
Bundle 486 Android Studio 487 Firmware Extraction and Flashing Tools 487
Binwalk 487 fastboot 487 Samsung 488 NVIDIA 489 LG 489 HTC 489 Motorola 490
Native Android Tools 491 BusyBox 491 setpropex 491 SQLite 491 strace 492
Hooking and Instrumentation Tools 492 ADBI Framework 492 ldpreloadhook 492
XPosed Framework 492 Cydia Substrate 493 Static Analysis Tools 493 Smali
and Baksmali 493 Androguard 493 apktool 494 dex2jar 494 jad 494 JD-GUI 495
JEB 495 Radare2 495 IDA Pro and Hex-Rays Decompiler 496 Application Testing
Tools 496 Drozer (Mercury) Framework 496 iSEC Intent Sniffer and Intent
Fuzzer 496 Hardware Hacking Tools 496 Segger J-Link 497 JTAGulator 497
OpenOCD 497 Saleae 497 Bus Pirate 497 GoodFET 497 Total Phase Beagle USB
498 Facedancer21 498 Total Phase Beagle I2C 498 Chip Quik 498 Hot air gun
498 Xeltek SuperPro 498 IDA 499 Appendix B Open Source Repositories 501
Google 501 AOSP 501 Gerrit Code Review 502 SoC Manufacturers 502 AllWinner
503 Intel 503 Marvell 503 MediaTek 504 Nvidia 504 Texas Instruments 504
Qualcomm 505 Samsung 505 OEMs 506 ASUS 506 HTC 507 LG 507 Motorola 507
Samsung 508 Sony Mobile 508 Upstream Sources 508 Others 509 Custom Firmware
509 Linaro 510 Replicant 510 Code Indexes 510 Individuals 510 Appendix C
References 511 Index 523
Introduction xxv Chapter 1 Looking at the Ecosystem 1 Understanding
Android's Roots 1 Company History 2 Version History 2 Examining the Device
Pool 4 Open Source, Mostly 7 Understanding Android Stakeholders 7 Google 8
Hardware Vendors 10 Carriers 12 Developers 13 Users 14 Grasping Ecosystem
Complexities 15 Fragmentation 16 Compatibility 17 Update Issues 18 Security
versus Openness 21 Public Disclosures 22 Summary 23 Chapter 2 Android
Security Design and Architecture 25 Understanding Android System
Architecture 25 Understanding Security Boundaries and Enforcement 27
Android's Sandbox 27 Android Permissions 30 Looking Closer at the Layers 34
Android Applications 34 The Android Framework 39 The Dalvik Virtual Machine
40 User-Space Native Code 41 The Kernel 49 Complex Security, Complex
Exploits 55 Summary 56 Chapter 3 Rooting Your Device 57 Understanding the
Partition Layout 58 Determining the Partition Layout 59 Understanding the
Boot Process 60 Accessing Download Mode 61 Locked and Unlocked Boot Loaders
62 Stock and Custom Recovery Images 63 Rooting with an Unlocked Boot Loader
65 Rooting with a Locked Boot Loader 68 Gaining Root on a Booted System 69
NAND Locks, Temporary Root, and Permanent Root 70 Persisting a Soft Root 71
History of Known Attacks 73 Kernel: Wunderbar/asroot 73 Recovery: Volez 74
Udev: Exploid 74 Adbd: RageAgainstTheCage 75 Zygote: Zimperlich and
Zysploit 75 Ashmem: KillingInTheNameOf and psneuter 76 Vold: GingerBreak 76
PowerVR: levitator 77 Libsysutils: zergRush 78 Kernel: mempodroid 78 File
Permission and Symbolic Link-Related Attacks 79 Adb Restore Race Condition
79 Exynos4: exynos-abuse 80 Diag: lit / diaggetroot 81 Summary 81 Chapter 4
Reviewing Application Security 83 Common Issues 83 App Permission Issues 84
Insecure Transmission of Sensitive Data 86 Insecure Data Storage 87
Information Leakage Through Logs 88 Unsecured IPC Endpoints 89 Case Study:
Mobile Security App 91 Profi ling 91 Static Analysis 93 Dynamic Analysis
109 Attack 117 Case Study: SIP Client 120 Enter Drozer 121 Discovery 121
Snarfing 122 Injection 124 Summary 126 Chapter 5 Understanding Android's
Attack Surface 129 An Attack Terminology Primer 130 Attack Vectors 130
Attack Surfaces 131 Classifying Attack Surfaces 133 Surface Properties 133
Classification Decisions 134 Remote Attack Surfaces 134 Networking Concepts
134 Networking Stacks 139 Exposed Network Services 140 Mobile Technologies
142 Client-side Attack Surface 143 Google Infrastructure 148 Physical
Adjacency 154 Wireless Communications 154 Other Technologies 161 Local
Attack Surfaces 161 Exploring the File System 162 Finding Other Local
Attack Surfaces 163 Physical Attack Surfaces 168 Dismantling Devices 169
USB 169 Other Physical Attack Surfaces 173 Third-Party Modifi cations 174
Summary 174 Chapter 6 Finding Vulnerabilities with Fuzz Testing 177 Fuzzing
Background 177 Identifying a Target 179 Crafting Malformed Inputs 179
Processing Inputs 180 Monitoring Results 181 Fuzzing on Android 181 Fuzzing
Broadcast Receivers 183 Identifying a Target 183 Generating Inputs 184
Delivering Inputs 185 Monitoring Testing 185 Fuzzing Chrome for Android 188
Selecting a Technology to Target 188 Generating Inputs 190 Processing
Inputs 192 Monitoring Testing 194 Fuzzing the USB Attack Surface 197 USB
Fuzzing Challenges 198 Selecting a Target Mode 198 Generating Inputs 199
Processing Inputs 201 Monitoring Testing 202 Summary 204 Chapter 7
Debugging and Analyzing Vulnerabilities 205 Getting All Available
Information 205 Choosing a Toolchain 207 Debugging with Crash Dumps 208
System Logs 208 Tombstones 209 Remote Debugging 211 Debugging Dalvik Code
212 Debugging an Example App 213 Showing Framework Source Code 215
Debugging Existing Code 217 Debugging Native Code 221 Debugging with the
NDK 222 Debugging with Eclipse 226 Debugging with AOSP 227 Increasing
Automation 233 Debugging with Symbols 235 Debugging with a Non-AOSP Device
241 Debugging Mixed Code 243 Alternative Debugging Techniques 243 Debug
Statements 243 On-Device Debugging 244 Dynamic Binary Instrumentation 245
Vulnerability Analysis 246 Determining Root Cause 246 Judging
Exploitability 260 Summary 261 Chapter 8 Exploiting User Space Software 263
Memory Corruption Basics 263 Stack Buffer Overfl ows 264 Heap Exploitation
268 A History of Public Exploits 275 GingerBreak 275 zergRush 279
mempodroid 283 Exploiting the Android Browser 284 Understanding the Bug 284
Controlling the Heap 287 Summary 290 Chapter 9 Return Oriented Programming
291 History and Motivation 291 Separate Code and Instruction Cache 292
Basics of ROP on ARM 294 ARM Subroutine Calls 295 Combining Gadgets into a
Chain 297 Identifying Potential Gadgets 299 Case Study: Android 4.0.1
Linker 300 Pivoting the Stack Pointer 301 Executing Arbitrary Code from a
New Mapping 303 Summary 308 Chapter 10 Hacking and Attacking the Kernel 309
Android's Linux Kernel 309 Extracting Kernels 310 Extracting from Stock
Firmware 311 Extracting from Devices 314 Getting the Kernel from a Boot
Image 315 Decompressing the Kernel 316 Running Custom Kernel Code 316
Obtaining Source Code 316 Setting Up a Build Environment 320 Confi guring
the Kernel 321 Using Custom Kernel Modules 322 Building a Custom Kernel 325
Creating a Boot Image 329 Booting a Custom Kernel 331 Debugging the Kernel
336 Obtaining Kernel Crash Reports 337 Understanding an Oops 338 Live
Debugging with KGDB 343 Exploiting the Kernel 348 Typical Android Kernels
348 Extracting Addresses 350 Case Studies 352 Summary 364 Chapter 11
Attacking the Radio Interface Layer 367 Introduction to the RIL 368 RIL
Architecture 368 Smartphone Architecture 369 The Android Telephony Stack
370 Telephony Stack Customization 371 The RIL Daemon (rild) 372 The
Vendor-RIL API 374 Short Message Service (SMS) 375 Sending and Receiving
SMS Messages 376 SMS Message Format 376 Interacting with the Modem 379
Emulating the Modem for Fuzzing 379 Fuzzing SMS on Android 382 Summary 390
Chapter 12 Exploit Mitigations 391 Classifying Mitigations 392 Code Signing
392 Hardening the Heap 394 Protecting Against Integer Overfl ows 394
Preventing Data Execution 396 Address Space Layout Randomization 398
Protecting the Stack 400 Format String Protections 401 Read-Only
Relocations 403 Sandboxing 404 Fortifying Source Code 405 Access Control
Mechanisms 407 Protecting the Kernel 408 Pointer and Log Restrictions 409
Protecting the Zero Page 410 Read-Only Memory Regions 410 Other Hardening
Measures 411 Summary of Exploit Mitigations 414 Disabling Mitigation
Features 415 Changing Your Personality 416 Altering Binaries 416 Tweaking
the Kernel 417 Overcoming Exploit Mitigations 418 Overcoming Stack
Protections 418 Overcoming ASLR 418 Overcoming Data Execution Protections
419 Overcoming Kernel Protections 419 Looking to the Future 420 Official
Projects Underway 420 Community Kernel Hardening Efforts 420 A Bit of
Speculation 422 Summary 422 Chapter 13 Hardware Attacks 423 Interfacing
with Hardware Devices 424 UART Serial Interfaces 424 I2C, SPI, and One-Wire
Interfaces 428 JTAG 431 Finding Debug Interfaces 443 Identifying Components
456 Getting Specifi cations 456 Difficulty Identifying Components 457
Intercepting, Monitoring, and Injecting Data 459 USB 459 I2C, SPI, and UART
Serial Interfaces 463 Stealing Secrets and Firmware 469 Accessing Firmware
Unobtrusively 469 Destructively Accessing the Firmware 471 What Do You Do
with a Dump? 474 Pitfalls 479 Custom Interfaces 479 Binary/Proprietary Data
479 Blown Debug Interfaces 480 Chip Passwords 480 Boot Loader Passwords,
Hotkeys, and Silent Terminals 480 Customized Boot Sequences 481 Unexposed
Address Lines 481 Anti-Reversing Epoxy 482 Image Encryption, Obfuscation,
and Anti-Debugging 482 Summary 482 Appendix A Tool Catalog 485 Development
Tools 485 Android SDK 485 Android NDK 486 Eclipse 486 ADT Plug-In 486 ADT
Bundle 486 Android Studio 487 Firmware Extraction and Flashing Tools 487
Binwalk 487 fastboot 487 Samsung 488 NVIDIA 489 LG 489 HTC 489 Motorola 490
Native Android Tools 491 BusyBox 491 setpropex 491 SQLite 491 strace 492
Hooking and Instrumentation Tools 492 ADBI Framework 492 ldpreloadhook 492
XPosed Framework 492 Cydia Substrate 493 Static Analysis Tools 493 Smali
and Baksmali 493 Androguard 493 apktool 494 dex2jar 494 jad 494 JD-GUI 495
JEB 495 Radare2 495 IDA Pro and Hex-Rays Decompiler 496 Application Testing
Tools 496 Drozer (Mercury) Framework 496 iSEC Intent Sniffer and Intent
Fuzzer 496 Hardware Hacking Tools 496 Segger J-Link 497 JTAGulator 497
OpenOCD 497 Saleae 497 Bus Pirate 497 GoodFET 497 Total Phase Beagle USB
498 Facedancer21 498 Total Phase Beagle I2C 498 Chip Quik 498 Hot air gun
498 Xeltek SuperPro 498 IDA 499 Appendix B Open Source Repositories 501
Google 501 AOSP 501 Gerrit Code Review 502 SoC Manufacturers 502 AllWinner
503 Intel 503 Marvell 503 MediaTek 504 Nvidia 504 Texas Instruments 504
Qualcomm 505 Samsung 505 OEMs 506 ASUS 506 HTC 507 LG 507 Motorola 507
Samsung 508 Sony Mobile 508 Upstream Sources 508 Others 509 Custom Firmware
509 Linaro 510 Replicant 510 Code Indexes 510 Individuals 510 Appendix C
References 511 Index 523
Android's Roots 1 Company History 2 Version History 2 Examining the Device
Pool 4 Open Source, Mostly 7 Understanding Android Stakeholders 7 Google 8
Hardware Vendors 10 Carriers 12 Developers 13 Users 14 Grasping Ecosystem
Complexities 15 Fragmentation 16 Compatibility 17 Update Issues 18 Security
versus Openness 21 Public Disclosures 22 Summary 23 Chapter 2 Android
Security Design and Architecture 25 Understanding Android System
Architecture 25 Understanding Security Boundaries and Enforcement 27
Android's Sandbox 27 Android Permissions 30 Looking Closer at the Layers 34
Android Applications 34 The Android Framework 39 The Dalvik Virtual Machine
40 User-Space Native Code 41 The Kernel 49 Complex Security, Complex
Exploits 55 Summary 56 Chapter 3 Rooting Your Device 57 Understanding the
Partition Layout 58 Determining the Partition Layout 59 Understanding the
Boot Process 60 Accessing Download Mode 61 Locked and Unlocked Boot Loaders
62 Stock and Custom Recovery Images 63 Rooting with an Unlocked Boot Loader
65 Rooting with a Locked Boot Loader 68 Gaining Root on a Booted System 69
NAND Locks, Temporary Root, and Permanent Root 70 Persisting a Soft Root 71
History of Known Attacks 73 Kernel: Wunderbar/asroot 73 Recovery: Volez 74
Udev: Exploid 74 Adbd: RageAgainstTheCage 75 Zygote: Zimperlich and
Zysploit 75 Ashmem: KillingInTheNameOf and psneuter 76 Vold: GingerBreak 76
PowerVR: levitator 77 Libsysutils: zergRush 78 Kernel: mempodroid 78 File
Permission and Symbolic Link-Related Attacks 79 Adb Restore Race Condition
79 Exynos4: exynos-abuse 80 Diag: lit / diaggetroot 81 Summary 81 Chapter 4
Reviewing Application Security 83 Common Issues 83 App Permission Issues 84
Insecure Transmission of Sensitive Data 86 Insecure Data Storage 87
Information Leakage Through Logs 88 Unsecured IPC Endpoints 89 Case Study:
Mobile Security App 91 Profi ling 91 Static Analysis 93 Dynamic Analysis
109 Attack 117 Case Study: SIP Client 120 Enter Drozer 121 Discovery 121
Snarfing 122 Injection 124 Summary 126 Chapter 5 Understanding Android's
Attack Surface 129 An Attack Terminology Primer 130 Attack Vectors 130
Attack Surfaces 131 Classifying Attack Surfaces 133 Surface Properties 133
Classification Decisions 134 Remote Attack Surfaces 134 Networking Concepts
134 Networking Stacks 139 Exposed Network Services 140 Mobile Technologies
142 Client-side Attack Surface 143 Google Infrastructure 148 Physical
Adjacency 154 Wireless Communications 154 Other Technologies 161 Local
Attack Surfaces 161 Exploring the File System 162 Finding Other Local
Attack Surfaces 163 Physical Attack Surfaces 168 Dismantling Devices 169
USB 169 Other Physical Attack Surfaces 173 Third-Party Modifi cations 174
Summary 174 Chapter 6 Finding Vulnerabilities with Fuzz Testing 177 Fuzzing
Background 177 Identifying a Target 179 Crafting Malformed Inputs 179
Processing Inputs 180 Monitoring Results 181 Fuzzing on Android 181 Fuzzing
Broadcast Receivers 183 Identifying a Target 183 Generating Inputs 184
Delivering Inputs 185 Monitoring Testing 185 Fuzzing Chrome for Android 188
Selecting a Technology to Target 188 Generating Inputs 190 Processing
Inputs 192 Monitoring Testing 194 Fuzzing the USB Attack Surface 197 USB
Fuzzing Challenges 198 Selecting a Target Mode 198 Generating Inputs 199
Processing Inputs 201 Monitoring Testing 202 Summary 204 Chapter 7
Debugging and Analyzing Vulnerabilities 205 Getting All Available
Information 205 Choosing a Toolchain 207 Debugging with Crash Dumps 208
System Logs 208 Tombstones 209 Remote Debugging 211 Debugging Dalvik Code
212 Debugging an Example App 213 Showing Framework Source Code 215
Debugging Existing Code 217 Debugging Native Code 221 Debugging with the
NDK 222 Debugging with Eclipse 226 Debugging with AOSP 227 Increasing
Automation 233 Debugging with Symbols 235 Debugging with a Non-AOSP Device
241 Debugging Mixed Code 243 Alternative Debugging Techniques 243 Debug
Statements 243 On-Device Debugging 244 Dynamic Binary Instrumentation 245
Vulnerability Analysis 246 Determining Root Cause 246 Judging
Exploitability 260 Summary 261 Chapter 8 Exploiting User Space Software 263
Memory Corruption Basics 263 Stack Buffer Overfl ows 264 Heap Exploitation
268 A History of Public Exploits 275 GingerBreak 275 zergRush 279
mempodroid 283 Exploiting the Android Browser 284 Understanding the Bug 284
Controlling the Heap 287 Summary 290 Chapter 9 Return Oriented Programming
291 History and Motivation 291 Separate Code and Instruction Cache 292
Basics of ROP on ARM 294 ARM Subroutine Calls 295 Combining Gadgets into a
Chain 297 Identifying Potential Gadgets 299 Case Study: Android 4.0.1
Linker 300 Pivoting the Stack Pointer 301 Executing Arbitrary Code from a
New Mapping 303 Summary 308 Chapter 10 Hacking and Attacking the Kernel 309
Android's Linux Kernel 309 Extracting Kernels 310 Extracting from Stock
Firmware 311 Extracting from Devices 314 Getting the Kernel from a Boot
Image 315 Decompressing the Kernel 316 Running Custom Kernel Code 316
Obtaining Source Code 316 Setting Up a Build Environment 320 Confi guring
the Kernel 321 Using Custom Kernel Modules 322 Building a Custom Kernel 325
Creating a Boot Image 329 Booting a Custom Kernel 331 Debugging the Kernel
336 Obtaining Kernel Crash Reports 337 Understanding an Oops 338 Live
Debugging with KGDB 343 Exploiting the Kernel 348 Typical Android Kernels
348 Extracting Addresses 350 Case Studies 352 Summary 364 Chapter 11
Attacking the Radio Interface Layer 367 Introduction to the RIL 368 RIL
Architecture 368 Smartphone Architecture 369 The Android Telephony Stack
370 Telephony Stack Customization 371 The RIL Daemon (rild) 372 The
Vendor-RIL API 374 Short Message Service (SMS) 375 Sending and Receiving
SMS Messages 376 SMS Message Format 376 Interacting with the Modem 379
Emulating the Modem for Fuzzing 379 Fuzzing SMS on Android 382 Summary 390
Chapter 12 Exploit Mitigations 391 Classifying Mitigations 392 Code Signing
392 Hardening the Heap 394 Protecting Against Integer Overfl ows 394
Preventing Data Execution 396 Address Space Layout Randomization 398
Protecting the Stack 400 Format String Protections 401 Read-Only
Relocations 403 Sandboxing 404 Fortifying Source Code 405 Access Control
Mechanisms 407 Protecting the Kernel 408 Pointer and Log Restrictions 409
Protecting the Zero Page 410 Read-Only Memory Regions 410 Other Hardening
Measures 411 Summary of Exploit Mitigations 414 Disabling Mitigation
Features 415 Changing Your Personality 416 Altering Binaries 416 Tweaking
the Kernel 417 Overcoming Exploit Mitigations 418 Overcoming Stack
Protections 418 Overcoming ASLR 418 Overcoming Data Execution Protections
419 Overcoming Kernel Protections 419 Looking to the Future 420 Official
Projects Underway 420 Community Kernel Hardening Efforts 420 A Bit of
Speculation 422 Summary 422 Chapter 13 Hardware Attacks 423 Interfacing
with Hardware Devices 424 UART Serial Interfaces 424 I2C, SPI, and One-Wire
Interfaces 428 JTAG 431 Finding Debug Interfaces 443 Identifying Components
456 Getting Specifi cations 456 Difficulty Identifying Components 457
Intercepting, Monitoring, and Injecting Data 459 USB 459 I2C, SPI, and UART
Serial Interfaces 463 Stealing Secrets and Firmware 469 Accessing Firmware
Unobtrusively 469 Destructively Accessing the Firmware 471 What Do You Do
with a Dump? 474 Pitfalls 479 Custom Interfaces 479 Binary/Proprietary Data
479 Blown Debug Interfaces 480 Chip Passwords 480 Boot Loader Passwords,
Hotkeys, and Silent Terminals 480 Customized Boot Sequences 481 Unexposed
Address Lines 481 Anti-Reversing Epoxy 482 Image Encryption, Obfuscation,
and Anti-Debugging 482 Summary 482 Appendix A Tool Catalog 485 Development
Tools 485 Android SDK 485 Android NDK 486 Eclipse 486 ADT Plug-In 486 ADT
Bundle 486 Android Studio 487 Firmware Extraction and Flashing Tools 487
Binwalk 487 fastboot 487 Samsung 488 NVIDIA 489 LG 489 HTC 489 Motorola 490
Native Android Tools 491 BusyBox 491 setpropex 491 SQLite 491 strace 492
Hooking and Instrumentation Tools 492 ADBI Framework 492 ldpreloadhook 492
XPosed Framework 492 Cydia Substrate 493 Static Analysis Tools 493 Smali
and Baksmali 493 Androguard 493 apktool 494 dex2jar 494 jad 494 JD-GUI 495
JEB 495 Radare2 495 IDA Pro and Hex-Rays Decompiler 496 Application Testing
Tools 496 Drozer (Mercury) Framework 496 iSEC Intent Sniffer and Intent
Fuzzer 496 Hardware Hacking Tools 496 Segger J-Link 497 JTAGulator 497
OpenOCD 497 Saleae 497 Bus Pirate 497 GoodFET 497 Total Phase Beagle USB
498 Facedancer21 498 Total Phase Beagle I2C 498 Chip Quik 498 Hot air gun
498 Xeltek SuperPro 498 IDA 499 Appendix B Open Source Repositories 501
Google 501 AOSP 501 Gerrit Code Review 502 SoC Manufacturers 502 AllWinner
503 Intel 503 Marvell 503 MediaTek 504 Nvidia 504 Texas Instruments 504
Qualcomm 505 Samsung 505 OEMs 506 ASUS 506 HTC 507 LG 507 Motorola 507
Samsung 508 Sony Mobile 508 Upstream Sources 508 Others 509 Custom Firmware
509 Linaro 510 Replicant 510 Code Indexes 510 Individuals 510 Appendix C
References 511 Index 523