17 Oct

We've got an LG Nexus system dump and endless desire to spoil every Googley surprise we can. Today's edition of the Android 4.2 Teardown could be alternatively subtitled "The Super-Serious Security Edition," because we're talking about the sort of stuff that should make your sysadmin jump for joy.

Please keep in mind this is just as forward-facing and time-ambiguous as all my other teardowns. This is a list of new stuff in the 4.2 dump, not a list of "confirmed for 4.2" features. Anything could be cut or not fully implemented by the time 4.2 rolls around, just as bits of Android are currently multi-user aware, yet multi-user functionality isn't accessible. Some of this stuff may make it to 4.2, but probably not all of it. Got it? Good.

Now, get ready for a HUGE security push. I recently revealed the Play Store was getting "App Check," a client-side malware scanner, and Google already has "Bouncer," a server-side malware scanner, but they aren't stopping there.

SELinux

Image: SELinux decision process (image credit: Centos.org)

Security-Enhanced Linux (SELinux) is a set of kernel modifications and user-space tools, originally developed by the NSA, that adds mandatory access control to Linux. Every process and every object (files, sockets, other processes) carries a security label, and a system-wide policy decides which labelled domains may do what to which labelled objects, so user programs and system servers get only the access they need to function. Unmodified Linux uses discretionary access control: users can grant whatever access they like to files they own, and malicious software running as a user can do anything that user can do. Run that malicious app with root privileges and it has access to everything.

Under SELinux, being root doesn't get you out of policy. The policy is written by an administrator and applied to every process and object, including processes running as uid 0, and a process can't grant itself more than its domain allows, no matter what the file permissions say. That bounds the damage a compromised program can do to whatever its domain is permitted to touch. Basically, SELinux is serious lockdown mode for the hyper-secure enterprise crowd.

So, now that we have a rough idea of what SELinux is, maybe this set of strings will mean something to you:

<string name="selinux_status">SELinux status</string>
<string name="selinux_status_disabled">Disabled</string>
<string name="selinux_status_permissive">Permissive</string>
<string name="selinux_status_enforcing">Enforcing</string>

This was buried in the Settings APK. According to the layout XML, SELinux will get a status readout tacked on to the current About Phone screen. It will now list "SELinux status" at the very bottom, right under "Kernel version" and "Build number." If you're wondering why there are three options and not just "on" and "off": "Disabled" means the kernel isn't applying any policy at all, "Permissive" loads the policy and logs every access it would have denied but lets it through anyway, and "Enforcing" actually blocks. Permissive is how you find out what a policy would break before you turn it on.

The other key piece of information to get from the string file is that this is an optional mode: the readout has to handle "Disabled," so a build can ship with SELinux compiled in but switched off. Don't go around saying Google is shutting down root functionality or anything. This looks aimed at security-conscious enterprise and government types and probably won't be enabled on consumer phones.
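Permissive mode is only useful if you actually read what it logs. The following is an added example, not code from the page or from Android: it parses SELinux AVC denial lines out of a kernel log and groups them by source domain, target type and object class, separating denials that were merely logged (permissive) from ones that were blocked (enforcing). The log lines are constructed for the example and modelled on the kernel's AVC format; the permissive=1/0 field is what newer kernels append to say which mode the denial happened in, and the domain and type names are assumptions.

```python
import re

# Constructed sample kernel log, modelled on the AVC denial format SELinux
# emits; these lines are illustrative and not from the page or a real device.
# On kernels that append it, permissive=1 marks a denial that was only
# logged (the access went ahead), permissive=0 one that was actually blocked.
SAMPLE_LOG = """\
<5>[  123.456] type=1400 audit(1350000001.000:12): avc: denied { read } for pid=2104 comm="com.example.app" name="shadow" dev="mmcblk0p12" ino=42 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
<5>[  123.789] type=1400 audit(1350000002.000:13): avc: denied { write } for pid=2104 comm="com.example.app" name="build.prop" dev="mmcblk0p12" ino=77 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=1
<5>[  130.001] type=1400 audit(1350000003.000:14): avc: denied { ptrace } for pid=2210 comm="com.example.app" scontext=u:r:untrusted_app:s0 tcontext=u:r:zygote:s0 tclass=process permissive=0
<6>[  130.002] init: starting service 'adbd'
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the interesting fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields.get('scontext'),   # source domain (the process)
        'tcontext': fields.get('tcontext'),   # target type (file, socket, ...)
        'tclass': fields.get('tclass'),
        'permissive': fields.get('permissive') == '1',
    }


def summarize(log_text):
    """Group denials by (source domain, target type, class).

    Each entry records the union of denied permissions and how many of the
    denials were merely logged (permissive) versus actually blocked
    (enforcing). In permissive mode every entry is "what enforcing would
    have stopped", which is exactly what you read before flipping the switch.
    """
    summary = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d['scontext'], d['tcontext'], d['tclass'])
        entry = summary.setdefault(key, {'perms': set(), 'logged_only': 0, 'blocked': 0})
        entry['perms'].update(d['perms'])
        entry['logged_only' if d['permissive'] else 'blocked'] += 1
    return summary


def would_be_blocked_in_enforcing(log_text):
    """Human-readable list of the accesses enforcing mode would refuse."""
    rows = []
    for (src, tgt, cls), e in sorted(summarize(log_text).items()):
        status = 'logged only' if e['blocked'] == 0 else 'blocked'
        perms = ' '.join(sorted(e['perms']))
        rows.append(f"{src} -> {tgt} ({cls}): {{ {perms} }} [{status}]")
    return rows


if __name__ == '__main__':
    for row in would_be_blocked_in_enforcing(SAMPLE_LOG):
        print(row)
```

Run it against a real `dmesg` or `logcat -b kernel` capture from a permissive build and every row is a rule the policy would need (or a behaviour the app would lose) before the device can go enforcing.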

Always-On VPN

Image: VPN diagram (image credit: How Stuff Works)

A VPN (Virtual Private Network) provides all sorts of benefits, depending on how you set it up. You can use it to get around government or corporate site filtering, reach machines on a remote network, hide your traffic from whatever local network you happen to be on (the VPN provider still sees it), or just make sure everything between your phone and the VPN server is encrypted.

Right now, you can tell Android to funnel all your data through a VPN, and it will, but if you restart your phone, or if the VPN server ends your session, all your data silently goes back out over the regular internet until you reconnect. There's been no way to say "only send data while connected to the VPN," until now.

<string name="vpn_menu_lockdown">Always-on VPN</string>
<string name="vpn_lockdown_summary">Select a VPN profile to always remain connected to. Network traffic will only be allowed when connected to this VPN.</string>
<string name="vpn_lockdown_none">None</string>
<string name="vpn_lockdown_config_error">Always-on VPN requires an IP address for both server and

The strings are pretty self-explanatory. With lockdown on, your data only travels over the VPN, and if the tunnel is down, Android blocks the traffic rather than letting it leak out the regular interface. No VPN? No internet. The config-error string also tells us the profile has to give the server as an IP address rather than a hostname. There's a subset of VPN users who probably consider VPN functionality useless without this feature. They'll be happy.
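To make the "No VPN? No internet" rule concrete, here is an added example (not code from the page or from Android's own lockdown implementation) that models the decision as a small packet filter and replays it across a dropped session. The server address, the tun0 interface name and the packet sequence are all assumptions constructed for the example. It also shows why the profile needs a literal IP: the one exception to the block is traffic to the VPN server itself, so with everything else dropped a hostname could never be resolved first.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed values for the example: an RFC 5737 documentation address as the
# VPN server and the usual Linux tunnel interface name. Neither comes from
# the Settings strings on the page.
VPN_SERVER = ip_address('203.0.113.10')
TUN_IFACE = 'tun0'


@dataclass
class Packet:
    dst: str     # destination address
    iface: str   # interface the packet would leave on (wlan0, rmnet0, tun0, ...)
    dport: int
    proto: str = 'udp'


def profile_usable(server):
    """Lockdown can only be configured with a literal server IP.

    With everything blocked until the tunnel is up, a hostname could never be
    resolved first, so the profile must name the server by address.
    """
    try:
        ip_address(server)
        return True
    except ValueError:
        return False


def lockdown_verdict(pkt, vpn_up, lockdown=True):
    """Return 'allow' or 'drop' for an outgoing packet.

    lockdown=False models today's behaviour: the VPN is used while it's up,
    and traffic silently falls back to the physical interface when it isn't.
    """
    if not lockdown:
        return 'allow'
    # Control traffic to the VPN server itself must pass on the physical
    # interface even when the tunnel is down, otherwise it could never be
    # (re)established after a reboot or a dropped session.
    if ip_address(pkt.dst) == VPN_SERVER and pkt.iface != TUN_IFACE:
        return 'allow'
    # Anything routed into the tunnel is fine once it's up.
    if vpn_up and pkt.iface == TUN_IFACE:
        return 'allow'
    # Everything else, including DNS on the physical interface, is dropped.
    return 'drop'


def replay(events, lockdown=True):
    """Walk a sequence of (vpn_up, Packet) pairs, e.g. across a dropped session."""
    return [lockdown_verdict(p, up, lockdown) for up, p in events]


# Constructed sequence: tunnel up, then the server ends the session.
SESSION = [
    (True,  Packet('93.184.216.34', 'tun0', 443, 'tcp')),
    (False, Packet('93.184.216.34', 'wlan0', 443, 'tcp')),  # would leak today
    (False, Packet('8.8.8.8', 'wlan0', 53)),                # DNS, would leak too
    (False, Packet('203.0.113.10', 'wlan0', 1194)),         # reconnect attempt
]

if __name__ == '__main__':
    print(replay(SESSION, lockdown=False))  # plain VPN: everything allowed
    print(replay(SESSION))                  # lockdown: only tunnel + server
```

The second and third packets are the leak the feature exists to stop: after the session drops, a plain VPN setup lets them out on wlan0, lockdown drops them, and only the reconnect to the server's address gets through.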

Premium SMS Confirmation

A big incentive for the bad guys to write Android malware is that you can quickly and silently charge money to a victim's phone bill with premium SMS. That's a tempting target, so making it harder for malware writers to get paid would go a long way towards slowing down a malware-filled mobile future.

Google seems to want to do just that. I found these strings in the framework code:

<string name="sms_short_code_confirm_title">Send SMS to short code?</string>
<string name="sms_premium_short_code_confirm_title">Send premium SMS?</string>
<string name="sms_short_code_confirm_message">&lt;b>%1$s&lt;/b> would like to send a text message to &lt;b>%2$s&lt;/b>, which appears to be an SMS short code.&lt;p>Sending text messages to some short codes may cause your mobile account to be billed for premium services.&lt;p>Do you want to allow this app to send the message?</string>
<string name="sms_premium_short_code_confirm_message">&lt;b>%1$s&lt;/b> would like to send a text message to &lt;b>%2$s&lt;/b>, which is a premium SMS short code.&lt;p>&lt;b>Sending a message to this destination will cause your mobile account to be billed for premium services.&lt;/b>&lt;p>Do you want to allow this app to send the message?</string>
<string name="sms_short_code_confirm_allow">Send message</string>
<string name="sms_short_code_confirm_deny">"Don't send"</string>
<string name="sms_short_code_confirm_report">Report malicious app</string>

If you're having a hard time reading through the programming junk, there are two dialogs. For a number in the known premium list, the message says "[app name] would like to send a text message to [number], which is a premium SMS short code. Sending a message to this destination will cause your mobile account to be billed for premium services. Do you want to allow this app to send the message?" For a number that merely looks like a short code, the wording softens to "appears to be an SMS short code" and "may cause your mobile account to be billed." Either way it's a nice, clear message that pops up when an app tries to send a text to a short code, and you get three options: "Send message," "Don't send," and "Report malicious app."

The data behind it is basically a giant list of premium short code patterns for each country. If you send to a short code that isn't in this database, Android will still warn you that this is a short code, and that "Sending text messages to some short codes may cause your mobile account to be billed for premium services."

This sounds like it will stop phone-billing malware in its tracks, and instant, easy reporting will go a long way too. Note that the check happens at the moment of sending, so it catches apps that already hold the SMS permission; the user is still the one making the final call.
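The two dialogs above imply a classifier: given a destination number and the device's country, decide whether it's not a short code at all, a known free one, a known premium one, or an unknown short code that merely looks like one. The following is an added example of that decision, not code from the page or from Android's framework. The per-country patterns are constructed for illustration and are not the real table Android ships; the category names, the "check free before premium" ordering and the fallback for a country with no table are assumptions.

```python
import re

# Constructed per-country table; the patterns are illustrative only and are
# NOT the list Android ships. 'pattern' says what counts as a short code at
# all, 'free' and 'premium' pick out known ranges within it.
SHORT_CODE_RULES = {
    'us': {
        'pattern': r'\d{5,6}',
        'free':    r'(?:[48]\d{4}|611)',   # constructed: 4xxxx/8xxxx free
        'premium': r'9\d{4}',              # constructed: 9xxxx premium
    },
    'gb': {
        'pattern': r'\d{4,6}',
        'free':    r'(?:50|60|70)\d{3}',   # constructed
        'premium': r'[5-8]\d{4}',          # constructed, overlaps 'free' on purpose
    },
}

CATEGORIES = ('not_short_code', 'free', 'premium', 'possible_premium')


def classify(destination, country):
    """Return one of CATEGORIES for a destination number.

    Free ranges are tested before premium ones so an overlapping table
    (as in the constructed 'gb' entry) never turns a free code into a
    premium prompt. A country with no table falls back to length alone.
    """
    digits = re.sub(r'\D', '', destination)
    rules = SHORT_CODE_RULES.get(country.lower())
    if rules is None:
        # Assumed fallback: anything up to six digits might be premium.
        return 'possible_premium' if 0 < len(digits) <= 6 else 'not_short_code'
    if not re.fullmatch(rules['pattern'], digits):
        return 'not_short_code'
    if re.fullmatch(rules['free'], digits):
        return 'free'
    if re.fullmatch(rules['premium'], digits):
        return 'premium'
    return 'possible_premium'


def prompt_for(category):
    """Map a category to the framework string the dialog would use.

    Only the two 'might cost money' categories interrupt the send; a normal
    number or a known free code goes through without a prompt.
    """
    return {
        'premium': 'sms_premium_short_code_confirm_message',
        'possible_premium': 'sms_short_code_confirm_message',
    }.get(category)


def check_send(app, destination, country):
    """What the user sees (if anything) when `app` tries to text `destination`."""
    category = classify(destination, country)
    return {'app': app, 'category': category, 'prompt': prompt_for(category)}


if __name__ == '__main__':
    for dest in ('+1 415 555 1212', '41411', '90210', '12345'):
        print(check_send('com.example.app', dest, 'us'))
```

The interesting property is the last branch: a short code the table has never heard of still gets the softer "appears to be an SMS short code" prompt, so a malware author can't dodge the dialog just by picking a number that isn't in the premium list.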

We'll be back with more! Next time we've got a sneak peek at the new, work-in-progress Gallery design, and some other stuff. Stay tuned!

Ron Amadeo
Ron loves everything related to technology, design, and Google. He always wants to talk about "the big picture" and what's next for Android, and he's not afraid to get knee-deep in an APK for some details. Expect a good eye for detail, lots of research, and some lamenting about how something isn't designed well enough.
  • http://www.youtube.com/user/no6969el Noel Barcellos

    Once again guys, Brilliant! I love reading these, please keep them coming as it sets you apart from the rest!!

  • http://kennydude.me/ Joe Simpson

    Really awesome things coming soon to Android. I would love along with SELinux to see something like PDroid built-into AOSP (maybe with an API like the device administrators)

  • Mapekz

    That SE Linux stuff is awesome. I've never heard of it before and now plan to do more research. I also have high hopes for the Gallery redesign because that app has been terrible since GB.

    • Swapnil Chitnis

      Actually I've been using SELinux on my desktop machine and frankly I didn't know this much about it.

    • lbrfabio

      I actually like the JB gallery. It's thousands of times better than the Gingerbread one.
      It just lacks some features, but the "design" is pretty good in my opinion.

      I think we'll probably see a sidebar, considering how popular they are these days :D

      • http://www.facebook.com/duckofdeath Hans Pedersen

        I actually think that the JB gallery for movie management is pretty bad. You need to start a video clip to find out what it is. They need to make the file names easily visible there. Not to mention that it's not natural at all for a new user to figure out that you have to start videos through the picture browser.

        • lbrfabio

          I don't really use it for videos so it doesn't bother me, but you have a point

        • Hassan Dibani

          The Samsung touchwiz gallery on the SGS3 actually plays small previews of the videos while browsing the gallery.

  • Charles Clout

    Excellent digging around. Can't wait to see what other treasures it reveals.

  • Joao Miranda

    Wow... Amazing upgrades for corporate uses.

  • http://twitter.com/Twitteninja ZZ

    Thanks for coming through Ron.

    *Injects article directly into bloodstream*

  • Rence12

    I'm kind of surprised the always-on VPN hasn't always been in Android, good to see they're adding it though.

  • derekmorr

    The SE Android code was submitted by the NSA back in January and has been merged in over the course of several months. Initially, Google required that the code was designed so that it could easily be turned off at build time (it was wrapped with ifdefs). This morning, four patches were merged into AOSP that switched SE Android to always-on:

    https://android-review.googlesource.com/#/c/44848/
    https://android-review.googlesource.com/#/c/44869/
    https://android-review.googlesource.com/#/c/44870/
    https://android-review.googlesource.com/#/c/44871/

    • nukeblitz

      This has me torn.

      Wonder what the work around will be. I'm quite sure Google won't block root outright....

      • derekmorr

        It could potentially make jailbreaking a lot harder.

        • http://k3rnel.net Juan Rodriguez

          Which is good for security, but bad for ROM Modders.
          Nexus devices allow unlocking properly and easily though, so I'm not sure if it's a win or not.

          • warcaster

            If Google would come out now and say the Nexus program is real and they will push a lot more Nexus devices into the market from now on, and that they will take care of all the upgrades, and they will do it for 2 years, then I wouldn't mind.

            Most people want to use custom ROMs because the companies abandon them so early after they've bought their phones, and long before they get their chance to get a new phone. If Google solves that (huge) consumer problem, then 95% of the ROM users might not need a ROM anymore.

          • http://k3rnel.net Juan Rodriguez

            Regardless of how many Nexus devices Google publishes this year, the Nexus device is still the option. Real "savvy" consumers tend to prefer the Nexus devices for their hackability.

            In fact, if the other devices were actually unhackable (And therefore, unupdateable), I'd bet that the Nexus line would sell a lot more than the few Galaxy Nexus sold.

    • abqnm

      Looking over the code, it looks as though it just means that SELinux will always be included in the build, but it still appears to have the option to be disabled. There are quite a few references to "if (is_selinux_enabled() > 0)" which would, to me, indicate that the libraries will always be included but it still has the ability to be switched off. Maybe I am wrong, but those merges just seem to be there to allow it to function, not forcing it to be enabled.

      • derekmorr

        Ah, yes, good catch.

  • Sqube

    For a second there I thought that Premium SMS Confirmation meant that 4.2 was putting on some big boy pants and challenging iMessage. That would also mean some kind of combining down of SMS/Talk/Messenger into one uber program, which would have made me happy.

    Maybe with 5.0

    • aiden9

      When I read it I thought it would have upgrades for Google Voice. Still a nice and necessary update but really had my hopes up.

    • someone

      Why would you want to do that? All that would do for the normal user is to feed more data to Google (or whoever). Why do you think APL did so without charging its users and forcing them to use it without any discernible improvement over MMS/SMS?

      • Sqube

        Why would I want an improvement to the current state of technology that would make me feel more confident about my messages being sent and received? Really?

        RIM damn near made half of its business off of BBM, and BBM's claim to fame over everyone else (right now, at least) is that you're confident that a message has been received if RIM tells you it's been received. I just want the same thing.

        Besides, at this point, Google probably knows more about me than I do.

        • http://twitter.com/mike9843 Mike Good

          mysms.com

          • Sqube

            While that does let me text from everywhere, it doesn't seem to give confirmation of receipt like iMessage or BBM. It's a nice step in a good direction. It's just not what I personally want to see.

  • http://profiles.google.com/hephastus Kurleigh Martin

    Amazing work as always! Can't wait for the next installment

  • Tony

    Awesome breakdown. Please don't make us wait 2 days for the next coverage, my refresh button already hates you ;)

  • Jonathan Wong

    This is going to make Android even better for corporate users.

  • http://twitter.com/DanielEran Daniel Eran Dilger

    How does this compare to Apple's "seatbelt" Mandatory Access Controls for iOS (based on the TrustedBSD framework) which first appeared in iOS 2.x in 2008 and has evolved since to become widely adopted in commercial software, and the reason businesses have standardized on iOS?
    And will devices built next year even get an upgrade path to Android 4.2?

  • http://www.facebook.com/people/Adrian-Edioma-Migraso/100000428284639 Adrian Edioma Migraso

    why google?

  • Al McDowall

    Have to say that while SELinux is good news for the fight against malware and virus, it's potentially very bad news for the modding crowd.

    I'm really in two minds about this. One thing that I have worried about, as I watch the reporting of various different code-based attacks on Android, is that we end up with 'iOS is safe, Android gets virus' situation to mirror the Windows experience. Just in terms of protecting the reputation and future of an OS that I am really delighted with, this means the SELinux could be a big step in the right direction.

    However, the ability to root a phone, to make changes to various aspects of the phone's OS - even something as simple as choosing which font to use system-wide, to be able to manually update or rollback the OS version - this is a major pull for me and for many others. Another poster here said that a lot of custom ROMs are installed because users feel left behind by OEMs and carriers and they are absolutely right. But there are also a lot of people who simply like to tinker - to get their hands dirty and make changes to the ROM or parts thereof.

    I'd hate to see an end to rooting and modding in the name of a more secure environment. I understand that this might be an essential consideration as Android blossoms into a mainstream OS of choice instead of the 'geeks best alternative to iOS' and perhaps it's the price of success. I guess I hope that there is some form of choice afforded to the user. That they themselves, only through direct physical interaction with the phone, can 'lock' and 'unlock' the enhanced security features.

    I guess we'll have to wait and see....

    Awesome article by the way. You guys really do lead the way reporting on the Android scene...

    • someone

      Very few pieces of malware will be stopped by this. Most malware uses permissions granted by the user. The fact of the matter is, people will download pirated garbage and then complain that they got viruses.

  • Ricardo Moura Rocha

    LOVE the Always on VPN!!!!!!!!!!
    I'm in Brazil and I "pretend" to be in the us to google play, but it's a pain having to reconnect to vpn when I reboot!!!

  • Mahesh

    AP, thanks for all the updates. Deep inside I feel that these new features would give that "WOW " moment when it is displayed in the event. If we know all the features beforehand then the whole 29th October event will be damp squib like the Apple event..

  • Abdur Rehman

    we'll be more secure, really!

  • disc order

    Awesome, because I've been manually building in SEandroid. Always on VPN (if it's openvpn) is also great success.

  • Dan

    Ron deserves a raise.