232.05 PLN (incl. VAT)
$52.20 / €49.75 / £43.19
Made to order
Delivery 3-4 weeks
The first comprehensive guide to discovering and preventing attacks on the Android OS

As the Android operating system continues to increase its share of the smartphone market, smartphone hacking remains a growing threat. Written by experts who rank among the world's foremost Android security researchers, this book presents vulnerability discovery, analysis, and exploitation tools for the good guys. Following a detailed explanation of how the Android OS works and its overall security architecture, the authors examine how vulnerabilities can be discovered and exploits developed for various system components, preparing you to defend against them.

If you are a mobile device administrator, security researcher, Android app developer, or consultant responsible for evaluating Android security, you will find this guide is essential to your toolbox.

* A crack team of leading Android security researchers explain Android security risks, security design and architecture, rooting, fuzz testing, and vulnerability analysis
* Covers Android application building blocks and security as well as debugging and auditing Android apps
* Prepares mobile device administrators, security researchers, Android app developers, and security consultants to defend Android systems against attack
Android Hacker's Handbook is the first comprehensive resource for IT professionals charged with smartphone security.
Android Hacker's Handbook
Table of Contents

Introduction xxv

Chapter 1 Looking at the Ecosystem 1
  Understanding Android's Roots 1
  Company History 2
  Version History 2
  Examining the Device Pool 4
  Open Source, Mostly 7
  Understanding Android Stakeholders 7
  Google 8
  Hardware Vendors 10
  Carriers 12
  Developers 13
  Users 14
  Grasping Ecosystem Complexities 15
  Fragmentation 16
  Compatibility 17
  Update Issues 18
  Security versus Openness 21
  Public Disclosures 22
  Summary 23

Chapter 2 Android Security Design and Architecture 25
  Understanding Android System Architecture 25
  Understanding Security Boundaries and Enforcement 27
  Android's Sandbox 27
  Android Permissions 30
  Looking Closer at the Layers 34
  Android Applications 34
  The Android Framework 39
  The Dalvik Virtual Machine 40
  User-Space Native Code 41
  The Kernel 49
  Complex Security, Complex Exploits 55
  Summary 56

Chapter 3 Rooting Your Device 57
  Understanding the Partition Layout 58
  Determining the Partition Layout 59
  Understanding the Boot Process 60
  Accessing Download Mode 61
  Locked and Unlocked Boot Loaders 62
  Stock and Custom Recovery Images 63
  Rooting with an Unlocked Boot Loader 65
  Rooting with a Locked Boot Loader 68
  Gaining Root on a Booted System 69
  NAND Locks, Temporary Root, and Permanent Root 70
  Persisting a Soft Root 71
  History of Known Attacks 73
  Kernel: Wunderbar/asroot 73
  Recovery: Volez 74
  Udev: Exploid 74
  Adbd: RageAgainstTheCage 75
  Zygote: Zimperlich and Zysploit 75
  Ashmem: KillingInTheNameOf and psneuter 76
  Vold: GingerBreak 76
  PowerVR: levitator 77
  Libsysutils: zergRush 78
  Kernel: mempodroid 78
  File Permission and Symbolic Link-Related Attacks 79
  Adb Restore Race Condition 79
  Exynos4: exynos-abuse 80
  Diag: lit / diaggetroot 81
  Summary 81

Chapter 4 Reviewing Application Security 83
  Common Issues 83
  App Permission Issues 84
  Insecure Transmission of Sensitive Data 86
  Insecure Data Storage 87
  Information Leakage Through Logs 88
  Unsecured IPC Endpoints 89
  Case Study: Mobile Security App 91
  Profiling 91
  Static Analysis 93
  Dynamic Analysis 109
  Attack 117
  Case Study: SIP Client 120
  Enter Drozer 121
  Discovery 121
  Snarfing 122
  Injection 124
  Summary 126

Chapter 5 Understanding Android's Attack Surface 129
  An Attack Terminology Primer 130
  Attack Vectors 130
  Attack Surfaces 131
  Classifying Attack Surfaces 133
  Surface Properties 133
  Classification Decisions 134
  Remote Attack Surfaces 134
  Networking Concepts 134
  Networking Stacks 139
  Exposed Network Services 140
  Mobile Technologies 142
  Client-side Attack Surface 143
  Google Infrastructure 148
  Physical Adjacency 154
  Wireless Communications 154
  Other Technologies 161
  Local Attack Surfaces 161
  Exploring the File System 162
  Finding Other Local Attack Surfaces 163
  Physical Attack Surfaces 168
  Dismantling Devices 169
  USB 169
  Other Physical Attack Surfaces 173
  Third-Party Modifications 174
  Summary 174

Chapter 6 Finding Vulnerabilities with Fuzz Testing 177
  Fuzzing Background 177
  Identifying a Target 179
  Crafting Malformed Inputs 179
  Processing Inputs 180
  Monitoring Results 181
  Fuzzing on Android 181
  Fuzzing Broadcast Receivers 183
  Identifying a Target 183
  Generating Inputs 184
  Delivering Inputs 185
  Monitoring Testing 185
  Fuzzing Chrome for Android 188
  Selecting a Technology to Target 188
  Generating Inputs 190
  Processing Inputs 192
  Monitoring Testing 194
  Fuzzing the USB Attack Surface 197
  USB Fuzzing Challenges 198
  Selecting a Target Mode 198
  Generating Inputs 199
  Processing Inputs 201
  Monitoring Testing 202
  Summary 204

Chapter 7 Debugging and Analyzing Vulnerabilities 205
  Getting All Available Information 205
  Choosing a Toolchain 207
  Debugging with Crash Dumps 208
  System Logs 208
  Tombstones 209
  Remote Debugging 211
  Debugging Dalvik Code 212
  Debugging an Example App 213
  Showing Framework Source Code 215
  Debugging Existing Code 217
  Debugging Native Code 221
  Debugging with the NDK 222
  Debugging with Eclipse 226
  Debugging with AOSP 227
  Increasing Automation 233
  Debugging with Symbols 235
  Debugging with a Non-AOSP Device 241
  Debugging Mixed Code 243
  Alternative Debugging Techniques 243
  Debug Statements 243
  On-Device Debugging 244
  Dynamic Binary Instrumentation 245
  Vulnerability Analysis 246
  Determining Root Cause 246
  Judging Exploitability 260
  Summary 261

Chapter 8 Exploiting User Space Software 263
  Memory Corruption Basics 263
  Stack Buffer Overflows 264
  Heap Exploitation 268
  A History of Public Exploits 275
  GingerBreak 275
  zergRush 279
  mempodroid 283
  Exploiting the Android Browser 284
  Understanding the Bug 284
  Controlling the Heap 287
  Summary 290

Chapter 9 Return Oriented Programming 291
  History and Motivation 291
  Separate Code and Instruction Cache 292
  Basics of ROP on ARM 294
  ARM Subroutine Calls 295
  Combining Gadgets into a Chain 297
  Identifying Potential Gadgets 299
  Case Study: Android 4.0.1 Linker 300
  Pivoting the Stack Pointer 301
  Executing Arbitrary Code from a New Mapping 303
  Summary 308

Chapter 10 Hacking and Attacking the Kernel 309
  Android's Linux Kernel 309
  Extracting Kernels 310
  Extracting from Stock Firmware 311
  Extracting from Devices 314
  Getting the Kernel from a Boot Image 315
  Decompressing the Kernel 316
  Running Custom Kernel Code 316
  Obtaining Source Code 316
  Setting Up a Build Environment 320
  Configuring the Kernel 321
  Using Custom Kernel Modules 322
  Building a Custom Kernel 325
  Creating a Boot Image 329
  Booting a Custom Kernel 331
  Debugging the Kernel 336
  Obtaining Kernel Crash Reports 337
  Understanding an Oops 338
  Live Debugging with KGDB 343
  Exploiting the Kernel 348
  Typical Android Kernels 348
  Extracting Addresses 350
  Case Studies 352
  Summary 364

Chapter 11 Attacking the Radio Interface Layer 367
  Introduction to the RIL 368
  RIL Architecture 368
  Smartphone Architecture 369
  The Android Telephony Stack 370
  Telephony Stack Customization 371
  The RIL Daemon (rild) 372
  The Vendor-RIL API 374
  Short Message Service (SMS) 375
  Sending and Receiving SMS Messages 376
  SMS Message Format 376
  Interacting with the Modem 379
  Emulating the Modem for Fuzzing 379
  Fuzzing SMS on Android 382
  Summary 390

Chapter 12 Exploit Mitigations 391
  Classifying Mitigations 392
  Code Signing 392
  Hardening the Heap 394
  Protecting Against Integer Overflows 394
  Preventing Data Execution 396
  Address Space Layout Randomization 398
  Protecting the Stack 400
  Format String Protections 401
  Read-Only Relocations 403
  Sandboxing 404
  Fortifying Source Code 405
  Access Control Mechanisms 407
  Protecting the Kernel 408
  Pointer and Log Restrictions 409
  Protecting the Zero Page 410
  Read-Only Memory Regions 410
  Other Hardening Measures 411
  Summary of Exploit Mitigations 414
  Disabling Mitigation Features 415
  Changing Your Personality 416
  Altering Binaries 416
  Tweaking the Kernel 417
  Overcoming Exploit Mitigations 418
  Overcoming Stack Protections 418
  Overcoming ASLR 418
  Overcoming Data Execution Protections 419
  Overcoming Kernel Protections 419
  Looking to the Future 420
  Official Projects Underway 420
  Community Kernel Hardening Efforts 420
  A Bit of Speculation 422
  Summary 422

Chapter 13 Hardware Attacks 423
  Interfacing with Hardware Devices 424
  UART Serial Interfaces 424
  I2C, SPI, and One-Wire Interfaces 428
  JTAG 431
  Finding Debug Interfaces 443
  Identifying Components 456
  Getting Specifications 456
  Difficulty Identifying Components 457
  Intercepting, Monitoring, and Injecting Data 459
  USB 459
  I2C, SPI, and UART Serial Interfaces 463
  Stealing Secrets and Firmware 469
  Accessing Firmware Unobtrusively 469
  Destructively Accessing the Firmware 471
  What Do You Do with a Dump? 474
  Pitfalls 479
  Custom Interfaces 479
  Binary/Proprietary Data 479
  Blown Debug Interfaces 480
  Chip Passwords 480
  Boot Loader Passwords, Hotkeys, and Silent Terminals 480
  Customized Boot Sequences 481
  Unexposed Address Lines 481
  Anti-Reversing Epoxy 482
  Image Encryption, Obfuscation, and Anti-Debugging 482
  Summary 482

Appendix A Tool Catalog 485
  Development Tools 485
  Android SDK 485
  Android NDK 486
  Eclipse 486
  ADT Plug-In 486
  ADT Bundle 486
  Android Studio 487
  Firmware Extraction and Flashing Tools 487
  Binwalk 487
  fastboot 487
  Samsung 488
  NVIDIA 489
  LG 489
  HTC 489
  Motorola 490
  Native Android Tools 491
  BusyBox 491
  setpropex 491
  SQLite 491
  strace 492
  Hooking and Instrumentation Tools 492
  ADBI Framework 492
  ldpreloadhook 492
  XPosed Framework 492
  Cydia Substrate 493
  Static Analysis Tools 493
  Smali and Baksmali 493
  Androguard 493
  apktool 494
  dex2jar 494
  jad 494
  JD-GUI 495
  JEB 495
  Radare2 495
  IDA Pro and Hex-Rays Decompiler 496
  Application Testing Tools 496
  Drozer (Mercury) Framework 496
  iSEC Intent Sniffer and Intent Fuzzer 496
  Hardware Hacking Tools 496
  Segger J-Link 497
  JTAGulator 497
  OpenOCD 497
  Saleae 497
  Bus Pirate 497
  GoodFET 497
  Total Phase Beagle USB 498
  Facedancer21 498
  Total Phase Beagle I2C 498
  Chip Quik 498
  Hot air gun 498
  Xeltek SuperPro 498
  IDA 499

Appendix B Open Source Repositories 501
  Google 501
  AOSP 501
  Gerrit Code Review 502
  SoC Manufacturers 502
  AllWinner 503
  Intel 503
  Marvell 503
  MediaTek 504
  Nvidia 504
  Texas Instruments 504
  Qualcomm 505
  Samsung 505
  OEMs 506
  ASUS 506
  HTC 507
  LG 507
  Motorola 507
  Samsung 508
  Sony Mobile 508
  Upstream Sources 508
  Others 509
  Custom Firmware 509
  Linaro 510
  Replicant 510
  Code Indexes 510
  Individuals 510

Appendix C References 511

Index 523