Post on 06-Oct-2020

MAN IN THE BINDER: HE WHO CONTROLS IPC, CONTROLS THE DROID

Everything Goes Through The Binder

A Hack in Three Acts

Act I – Know Your Droid

Act II – Attack Your Droid

Act III – Prepare Your Droid

Meet The Cast

The Authors

Nitay Artenstein, Idan Revivo, Michael Shalyt

Victim App – Name: Kitty Bank. Occupation: Bank Application.

“U want KitCoins – we haz it”

n00b Attacker – Name: Kitty-ninja. Occupation: Script kiddy.

“Mommy, can I rob this bank?”

Ninja Attacker – Name: Paw of Death. Occupation: Black belt ninja hacker.

“To rob a bank, you must first become the bank”

System Services – Name: System Service. Occupation: Sitting and waiting to serve your needs. These things run Android!

The Linux Kernel – Name: $ echo `uname -r`. Occupation: Holding the world on its shoulders since 1.1.1970.

Feeling neglected now that system services get all the attention on Android

The Binder – Name: The Binder. Occupation: All Powerful Mystery Character?

Everything Goes Through The Binder

Act I – Know Your Droid

An Application’s Life On Windows

[Diagram: applications talk to the kernel directly via syscalls]

An Application’s Life On Android

[Diagram: applications, system services and the kernel, linked by syscalls; the application-to-service link is marked “?”]

Android – The Real Picture

Everything Goes Through The Binder

[Diagram: a Bank Application Process and a System Service Process. Each side is labelled application / System Service, System services proxy, libandroid_runtime.so, libbinder.so (/system/libbinder.so), /system/lib*.so and DalvikVM; Parcels leave libbinder.so through a syscall to the kernel’s /dev/binder (shown next to /dev/tty0) and are delivered to the other process.]

• Binder has a userland component and a kernel one

• The driver receives the Parcel via an ioctl syscall and sends it to the target processes

What’s a Parcel?

A Short Recap

[Diagram: the Kitty Bank Process (DalvikVM, libbinder.so) exchanging Parcels via syscalls with a system service, here the Audio Manager]

Everything Goes Through The Binder

Act II – Attack Your Droid

Round I – Key Logging

A n00b Attacker’s View of The System

What Would The n00b Attacker Do?

A Ninja Attacker’s View of The System

Everything Goes Through The Binder

What Would The Ninja Attacker Do?

Key Logger Demo

w00t

Round II – Data Manipulation

A n00b Attacker’s View of The System

[Diagram: Activity, Activity, Activity]

What Would The n00b Attacker Do?

Bye Kitty Bank, Hello Shi**y Bank!

A Ninja Attacker’s View of The System

Everything Goes Through The Binder

Activity Manager

In-app data goes through Binder???

What Would The Ninja Attacker Do?

A trillion dollars, anyone?

Data Manipulation Demo

w00t

Round III – Intercepting SMS

A n00b Attacker’s View of The System

Telephony Manager

What Would The n00b Attacker Do?

Just Ask Politely

A Ninja Attacker’s View of The System

Everything Goes Through The Binder

Telephony Manager

What Would The Ninja Attacker Do?

SMS internals

• The Telephony Manager notifies the SMS app whenever an SMS is received

• The app queries the TM’s database via Binder:

• But what’s a Cursor object?

• It’s a messy abstraction of a response to a query

• Surprise: Under the hood, it’s just a Unix fd

• Now we’re in business!

What Would The Ninja Attacker Do?

w00t

Summary – What Just Happened?

Attacking The Binder

• Hook libbinder.so at the point where it sends an ioctl to the kernel

• Stealth: dozens of places to hook

• But don’t you need root?

Vulnerable to known rooting exploits

Consider The Possibilities

Summary – Features:

• Versatility: one hook – multiple functionalities.

• App agnostic: no need to RE apps.

• Stealth: the Android security model limits 3rd party security apps just like any other app.

Summary

• This is NOT a vulnerability. It’s like man-in-the-browser, but for literally everything on Android.

• Root is assumed. Rooting won’t go away any time soon.

Rumors (You didn’t hear it from me…)

What are you trying to tell me? That I can get all permissions on a device?

No. I’m trying to tell you that when you’re ready, you won’t have to.

Act III – Preparing Your Droid

Solutions – for developers

• Take control of your own process memory space.

• Minimize the amount of data going to IPC, and encrypt what has to go.

Solutions – for security industry

• Scan files like it’s the 90’s.

• Be brave – get root yourself:

  • Runtime process scanning and monitoring.

  • Software firewall (like Avast).

  • Binder firewall/anomaly detection.

  • Etc.

Further Reading

[1] White paper: “Man in the Binder”, Artenstein and Revivo

[2] “On the Reconstruction of Android Malware Behaviors”, Fattori, Tam et al.

[3] “Binderwall: Monitoring and Filtering Android Interprocess Communication”, Hausner