security analysis of android factory resets
play

Security Analysis of Android Factory Resets Laurent Simon - PowerPoint PPT Presentation

Aug 05, 2023 •355 likes •636 views

Security Analysis of Android Factory Resets Laurent Simon lmrs2@cam.ac.uk https://www.cl.cam.ac.uk/~lmrs2/ Talk outline Background Methodology Results Practical recovery FR alternatives 21/05/15 Laurent Simon - MoST'15 -

  1. Security Analysis of Android Factory Resets Laurent Simon lmrs2@cam.ac.uk https://www.cl.cam.ac.uk/~lmrs2/

  2. Talk outline ● Background ● Methodology ● Results ● Practical recovery ● FR alternatives 21/05/15 Laurent Simon - MoST'15 - USA 3

  3. Background ● Second-hand phone market growth ● 57M, 2014 (Gartner) ● 2/3 second life, 2015 (Gartner) ● 150-250M traded by 2018 ● Data recovery success reported ● Avast, BBC news, etc 21/05/15 Laurent Simon - MoST'15 - USA 4

  4. Secure Deletion ● Logical Sanitisation : data cannot be recovered via standard hardware interfaces like standard eMMC commands ● Digital Sanitisation : data cannot be recovered via any digital means, including the bypass or compromise of the device’s controller or firmware, or via undocumented drive commands ● This talk: logical sanitisation 21/05/15 Laurent Simon - MoST'15 - USA 5

  5. Data Storage Locations ● Data partition mounted on /data ● Sensitive info, ext4 (eMMC), yaffs2 ("raw flash") ● Internal (primary) "SD card" : mounted on /sdcard ● Music, pictures, FAT, emulated (FUSE) ● External SD card : removable ● Same as internal one, FAT ● Secondary SD card, or primary if no internal one 21/05/15 Laurent Simon - MoST'15 - USA 6

  6. Data Storage Locations ● (secondary) ● (primary) ● (secondary) 21/05/15 Laurent Simon - MoST'15 - USA 7

  7. Flash Memory - Overview ● Unlike HDDs, Solid State Storage (SSD) supports a limited number of erase cycles (10000) => memory management, wear-leveling algo 21/05/15 Laurent Simon - MoST'15 - USA 8

  8. Flash Memory - Overview ● Unlike HDD, Solid State Storage (SSD) support a limited number of erase cycles (10000) => memory management, wear-leveling algo 21/05/15 Laurent Simon - MoST'15 - USA 9

  9. Flash Memory – File Systems ● Software: flash-aware file system yaffs2 ● Hardware: eMMC (logical view for OS) 21/05/15 Laurent Simon - MoST'15 - USA 10

  10. How to securely delete? ● Yaffs2: Exposed via ioctl(fd,MEMERASE,blk_num) ● eMMC: special commands to send to the chip Exposed via: ● ioctl(fd, BLKDISCARD, blknum) ● ioctl(fd, BLKSECDISCARD, blknum) 21/05/15 Laurent Simon - MoST'15 - USA 11

  11. Talk outline ● Background ● Methodology ● Results ● Practical recovery ● FR alternatives 21/05/15 Laurent Simon - MoST'15 - USA 13

  12. Phone Acquisition 21/05/15 Laurent Simon - MoST'15 - USA 15

  13. Setup ● Overwrite "bit-by-bit" partitions (data, primary and secondary SD card) with identifying patterns ● Bit-by-bit = lower level possible (dd-like) ● Identifying patterns = unique ID ● Factory Reset ● Pattern recovery and identification 21/05/15 Laurent Simon - MoST'15 - USA 16

  14. ● Background ● Methodology ● Results ● Practical recovery ● FR alternatives 21/05/15 Laurent Simon - MoST'15 - USA 19

  15. Results: Data partition 21/05/15 Laurent Simon - MoST'15 - USA 20

  16. Results: Data partition (Cont'ed) ● Upgrade from GB (2.3.x) to ICS (4.0.x) ● ioctl(BLKSECDISCARD) return errno 95 EOPNOTSUPP ● 2007 eMMC standard has compulsory support for logical sanitisation ● HTC Sensation XE correctly wipes data partition in Bootloader mode but not for Android Factory Reset 21/05/15 Laurent Simon - MoST'15 - USA 21

  17. Results: Data partition 21/05/15 Laurent Simon - MoST'15 - USA 22

  18. Results: Primary SD card format() f o r m a t ( ) ioctl(BLKDISCARD) ioctl(BLKDISCARD) 21/05/15 Laurent Simon - MoST'15 - USA 23

  19. Results: Secondary SD card N o t s u p p o r t e d in AOSP code 21/05/15 Laurent Simon - MoST'15 - USA 24

  20. Talk outline ● Background ● Methodology ● Results ● Practical recovery ● FR alternatives 21/05/15 Laurent Simon - MoST'15 - USA 26

  21. Practical Recovery ● Contact (Facebook, Phonebook, WhatsApp, etc) ● Conversation (emails, SMSs, Facebook & WhatsApp chats, etc) ● Browsing history ● Credentials (Facebook cookies, etc) ● Multimedia 21/05/15 Laurent Simon - MoST'15 - USA 27

  22. Practical Recovery (Cont'ed) ● Android (master) auth token(s) ● Master token can be used to get other tokens from Google ● Tokens recovered 100% of the time, master one 80% 21/05/15 Laurent Simon - MoST'15 - USA 28

  23. Talk outline ● Background ● Methodology ● Results ● Practical recovery ● FR alternatives 21/05/15 Laurent Simon - MoST'15 - USA 29

  24. Alternatives to built-in FR ● Overwrite bit-by-bit: one pass enough to provide logical sanitisation ● Filling unallocated space (create files) to overwrite: discarded because: ● Extra level of indirection ● File systems vary (ext4, FAT, FUSE, Samsung's proprietary RFS) 21/05/15 Laurent Simon - MoST'15 - USA 30

  25. Alternatives to built-in FR (Cont'ed) ● Full Disk Encryption (FDE), >= ICS only (v4.0.x) => not possible on GB (2.3.x) vulnerable devices ● Ony support for data partition ● Encryption key stored encrypted using user's PIN in so called "crypto footer" ● Cryptp footer not sanitised with flawed FR ● Crypto footer allows PIN brute-force ● Android lollipop (5.x): default encryption has hardcoded password "default_password" 21/05/15 Laurent Simon - MoST'15 - USA 31

  26. Conclusion ● Android FR in messy state ● Android code, vendors' customisations and lack of proper testing ● Mostly available on the second-hand market NOW ● Paper provides engineering design suggestions to reduce this problem in future handsets. Have a look! 21/05/15 Laurent Simon - MoST'15 - USA 32

  27. Thanks! L a u r e n t S i m o n lmrs2@cam.ac.uk https://www.cl.cam.ac.uk/~lmrs2/ 21/05/15 Laurent Simon - MoST'15 - USA 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig Trusted Systems Research National Security Agency Motivation Android security relies on Linux DAC. To protect the system from apps. To

480 views • 21 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Security Analysis of Android for Work Research Project #1 Tom Curran & Ruben de Vries RP1

Security Analysis of Android for Work Research Project #1 Tom Curran & Ruben de Vries RP1

Security Analysis of Android for Work Research Project #1 Tom Curran & Ruben de Vries RP1 project presentation, 2016 Tom Curran & Ruben de Vries (University of Amsterdam) Security Analysis of Android for Work RP1 project presentation,

183 views • 17 slides
BLOWING THE COVER: HANDS-ON ANALYSIS OF HANDCRAFTED ANDROID MALWARE Alex Reshetniak | September

BLOWING THE COVER: HANDS-ON ANALYSIS OF HANDCRAFTED ANDROID MALWARE Alex Reshetniak | September

BLOWING THE COVER: HANDS-ON ANALYSIS OF HANDCRAFTED ANDROID MALWARE Alex Reshetniak | September 26 2018 About Me Senior Security Researcher @ Lookout B.S. in Information Security More than 5 years working in Information Security

663 views • 31 slides
CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis

CuriousDroid: Automated User Interface Interaction for Android Application Analysis Sandboxes Patrick Carter, Collin Mulliner, Martina Lindorfer, William Robertson, Engin Kirda 02/23/2016 Android 2015 Q3 Market Share Android iOS

774 views • 26 slides
Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and Jan-Christoph K uster Background, what Android is Developed by Android Inc. (acquired by Google in 2005) Open Handset Alliance (founded in 2007)

161 views • 15 slides
StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Apps

StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Apps

StaDynA: Addressing the Problem of Dynamic Code Updates in the Security Analysis of Android Apps Yury Zhauniarovich, MaqsoodAhmad, Olga Gadyatskaya, Bruno Crispo, Fabio Massacci yury.zhauniarovich, maqsood.ahmad, bruno.crispo,

427 views • 24 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
The heavy metal that poisoned the droid Tyrone Erasmus Introduction Android Security Model

The heavy metal that poisoned the droid Tyrone Erasmus Introduction Android Security Model

The heavy metal that poisoned the droid Tyrone Erasmus Introduction Android Security Model Static vs. Dynamic analysis Mercury: New framework on the block Finding OEM problems Techniques for malware How do we fix this?

576 views • 56 slides
Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 ,

Scalable and Precise Taint Analysis for Android Wei Huang 12 , Yao Dong 1 , Ana Milanova 1 , Julian Dolby 3 1 Rensselaer Polytechnic Institute 2 Google 3 IBM Research 1 Taint Analysis for Android Tracks flow of private data Controlled at

629 views • 35 slides
Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal Security Agency CLASSIFICATION HEADER Agenda Motjvatjon/Background Current State Using SELinux in Android What's Next for SELinux in

762 views • 72 slides
UAV Factory Ltd 29 November 2019 What is UAV Factory? UAV Factory Ltd. is one of the worlds

UAV Factory Ltd 29 November 2019 What is UAV Factory? UAV Factory Ltd. is one of the worlds

UAV Factory Ltd 29 November 2019 What is UAV Factory? UAV Factory Ltd. is one of the worlds leading developers and manufacturers of fixed wing composite airframes, subsystems and accessories for small fixed wing unmanned aircraft industry.

646 views • 26 slides
The Firewall Android Deserves: A Context-aware Kernel Message Filter and Modifier David Wu

The Firewall Android Deserves: A Context-aware Kernel Message Filter and Modifier David Wu

The Firewall Android Deserves: A Context-aware Kernel Message Filter and Modifier David Wu Agenda Overview of project Android security background Binder IPC BinderFilter Logging and analysis tools Picky Demos

631 views • 51 slides
CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Android Security Table of Contents Android

562 views • 15 slides
Counting walks and the resulting polynomials Marsha Kleinbauer TU Kaiserslautern, Germany Graph

Counting walks and the resulting polynomials Marsha Kleinbauer TU Kaiserslautern, Germany Graph

Counting Closed Walks Extensions for 4-Regular Bipartite Graphs Extensions for Regular Graphs Counting walks and the resulting polynomials Marsha Kleinbauer TU Kaiserslautern, Germany Graph Polynomials: Towards a Comparative Theory, 2016

594 views • 25 slides
How to test OpenGL glBeginTransformFeedback(GL_POINTS); glDrawArrays(GL_POINTS, 0, 1); for (i =

How to test OpenGL glBeginTransformFeedback(GL_POINTS); glDrawArrays(GL_POINTS, 0, 1); for (i =

glGenVertexArrays(1, &vao); glBindVertexArray(vao); /* Draw and record */ How to test OpenGL glBeginTransformFeedback(GL_POINTS); glDrawArrays(GL_POINTS, 0, 1); for (i = 0; i < STREAMS; i++) { glEndQueryIndexed(GL_PRIMITIVES_GENERATED,

882 views • 40 slides
Routing to every destination in the network Suppose you want to connect to Antarctica from

Routing to every destination in the network Suppose you want to connect to Antarctica from

What is it? Process of finding a path from a source Routing to every destination in the network Suppose you want to connect to Antarctica from your desktop An Engineering Approach to what route should you take? Computer

826 views • 34 slides
tr rtrt

tr rtrt

Prrs tr trt s rs tr rtrt

650 views • 37 slides
APAC 2007, session 7 Accelerator Technology RRCAT, Indore, India, Jan 28 - Feb 2, 2007

APAC 2007, session 7 Accelerator Technology RRCAT, Indore, India, Jan 28 - Feb 2, 2007

Lo w-lev el RF Con trol System Design and Ar hiteture La wrene R. Do olittle, LBNL, Berk eley , CA 94720, USA APAC 2007, session 7 Accelerator Technology RRCAT, Indore, India, Jan 28 - Feb 2, 2007

462 views • 17 slides
Fault-Tolerant Broadcast of Routing Information Radia Perlman Digital Equipment Corp. Computer

Fault-Tolerant Broadcast of Routing Information Radia Perlman Digital Equipment Corp. Computer

Fault-Tolerant Broadcast of Routing Information Radia Perlman Digital Equipment Corp. Computer Networks (1983) Presented by: Yusuf Sarwar 1 ARPANET routing Uses Link State Routing protocol link information (link state packets) to

1k views • 23 slides
CS519: Computer Networks Lecture 4, Part 3: Feb 23, 2004 Internet Routing: Distance-vector (DV)

CS519: Computer Networks Lecture 4, Part 3: Feb 23, 2004 Internet Routing: Distance-vector (DV)

CS519: Computer Networks Lecture 4, Part 3: Feb 23, 2004 Internet Routing: Distance-vector (DV) and Path- vector (PV) scaling CS519 DV scales as the number of destinations N Path-vector scales approx as N(1/2D), where D is the network

435 views • 28 slides
(Modal) Logics for Semistructured Data (bis) Stphane Demri Laboratoire Spcification et

(Modal) Logics for Semistructured Data (bis) Stphane Demri Laboratoire Spcification et

(Modal) Logics for Semistructured Data (bis) Stphane Demri Laboratoire Spcification et Vrification CNRS UMR 8643 & INRIA Futurs Proj. SECSI & ENS de Cachan (Modal) Logics for Semistructured Data (bis) p. 1 Plan of the talk

780 views • 61 slides

More recommend