Google: Annual Android Security Report (PDF)
Android Security 2014 Year in Review
Google Report

Table of Contents

Overview
New Android Security Features / Capabilities
Response to vulnerabilities found in 2014
    SSL Vulnerabilities
    Android (and Linux kernel) vulnerabilities
    OEM / SOC specific vulnerabilities
    Application Vulnerabilities
Measures of Ecosystem Security
    Scope of User Protection and Ecosystem Measurement
    Classification of Potentially Harmful Applications
    Occurrence of Potentially Harmful Applications
    New and Noteworthy PHAs
        Spyware
        Ransomware
        WAP and SMS Fraud
Safety Net Statistics
    Platform API Abuse
        SMS Confirmation
        Other APIs of Interest
    Security Model Integrity
    Network Level Abuse
        SSLv3 downgrade
        CCS Injection
        CA Man In The Middle
Safe Browsing Statistics

Overview

Google is committed to ensuring that Android is a safe ecosystem for users and developers. We do that by investing in security technology within the core Android platform, developer support, and in the applications and services Google provides for Android. We want to share information about what we are doing and how the ecosystem is responding, so this is the first of what we expect will be many reports that will provide in-depth insight into the security of the Android ecosystem.

In 2014, the Android platform made numerous significant improvements in platform security technology, including enabling deployment of full disk encryption, expanding the use of hardware-protected cryptography, and improving the Android application sandbox with an SELinux-based Mandatory Access Control (MAC) system. Developers were also provided with improved tools to detect and react to security vulnerabilities, including the nogotofail project and the SecurityProvider. We provided device manufacturers with ongoing support for fixing security vulnerabilities in devices, including development of 79 security patches, and improved the ability to respond to potential vulnerabilities in key areas, such as the updateable WebView in Android 5.0.

Google's security services for Android increased protection for users and improved visibility into attempts to exploit Android. Ongoing monitoring by Verify Apps found that efforts to deliver Potentially Harmful Applications (PHAs)[1] continued at low levels throughout 2014: less than 1% of all devices had a PHA installed. Fewer than 0.15% of devices that download only from Google Play had a PHA installed. Expanded protection in Verify Apps and Safe Browsing also now provides insight into platform, network, and browser vulnerabilities affecting Android devices. Exploitation attempts were tracked for multiple vulnerabilities, and the data does not show any evidence of widespread exploitation of Android devices.

[1] The security industry often uses the term "malware" with little or no definition. To avoid potential confusion, the Android security team instead uses the term Potentially Harmful Application (PHA) to refer to applications which pose a security risk to users or their data. More detail on the types of PHAs that have been observed is included in the section titled "Classification of Potentially Harmful Applications".

There were two major updates to Android in the 12 months ending Nov 1, 2014[2]: Android 4.4 and the preview of Android 5.0. Both of these platform releases included security improvements as well as patches for newly discovered vulnerabilities. By February 2, 2015, Android 4.4 had become the most widely distributed version of Android, with over 41% of Android devices that check in to Google services running Android 4.4 or greater[3]. Here are a few of the security highlights from those releases:

Android sandbox reinforced with SELinux. Android 4.4 required that SELinux be in enforcing mode for select system domains, and Android 5.0 now requires SELinux in enforcing mode for all domains. SELinux is a mandatory access control (MAC) system in the Linux kernel used to augment the existing discretionary access control (DAC) security model. This new layer provides additional protection against potential security vulnerabilities by reducing exposure of system functionality to applications.
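The enforcing-versus-permissive distinction above shows up directly in the kernel's AVC audit messages: a denial logged with permissive=1 was recorded but allowed through, so the domain that produced it is not actually confined. The following parser is added here as an illustration; it is not part of Google's report or of the Android source. It walks a few logcat lines and reports which source domains produced enforced denials and which were still running permissive. The sample lines, the domain names in them, and the vend_daemon name are constructed for this example.

```python
import re
from collections import defaultdict

# Matches the kernel AVC record format: "avc: denied { perms } for key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values may be quoted (comm="app_process") or bare (scontext=u:r:...)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
        # permissive=1 means the access was logged but NOT blocked
        "permissive": fields.get("permissive") == "1",
    }


def domain_of(context):
    """Pull the type (domain) out of an Android context string like u:r:untrusted_app:s0."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize_denials(lines):
    """Group denials by source domain.
    Returns (enforced, permissive): enforced maps domain -> count of blocked accesses;
    permissive is the set of domains whose denials went through, i.e. domains that are
    not yet confined the way Android 5.0 requires for all domains."""
    enforced = defaultdict(int)
    permissive = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        dom = domain_of(rec["scontext"])
        if rec["permissive"]:
            permissive.add(dom)
        else:
            enforced[dom] += 1
    return dict(enforced), permissive


# Constructed logcat excerpt (not from a real device); domains and inodes are illustrative.
SAMPLE_LOG = """\
I/ServiceManager( 123): service 'media.player' died
W/app_process( 4312): type=1400 audit(0.0:41): avc: denied { read } for name="cmdline" dev="proc" ino=9 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0
W/app_process( 4312): type=1400 audit(0.0:42): avc: denied { write } for name="data" dev="mmcblk0p23" ino=7 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:system_data_file:s0 tclass=dir permissive=0
W/vend_daemon( 880): type=1400 audit(0.0:43): avc: denied { read write } for name="ttyHS0" dev="tmpfs" ino=5 scontext=u:r:vend_daemon:s0 tcontext=u:object_r:serial_device:s0 tclass=chr_file permissive=1
""".splitlines()

if __name__ == "__main__":
    enforced, permissive = summarize_denials(SAMPLE_LOG)
    print("blocked accesses per domain:", enforced)
    print("domains still running permissive:", sorted(permissive))
```

On a real device the input would be `adb logcat` or `dmesg` output; the same parser applies, and any domain that lands in the permissive set is one the policy author still has to close before the device meets the 5.0 requirement.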

New Android Security Features / Capabilities

Improved Full Disk Encryption. Full Device Encryption was introduced with Android 3.0, using the Android screen lock secret to wrap a device encryption key that is not sent off the device or exposed to any application. Starting with Android 5.0, the user password is protected against brute-force attacks using scrypt and, where available, the key is bound to the hardware keystore to prevent off-device password brute-forcing attacks. On devices that ship with Android 5.0 out-of-the-box, full disk encryption can be enabled by default to improve protection of data on lost or stolen devices.
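To make the scrypt and hardware-binding sentence concrete, here is a small model of the wrapping scheme, written for this page and not taken from the report or from the Android source. It derives a key-encryption key from the screen-lock secret with scrypt, optionally mixes in a secret that stands in for a value held by the hardware keystore, wraps a random device encryption key under it, and then runs the attacker's guess loop with and without that hardware secret. The scrypt cost parameters, the toy XOR-plus-HMAC wrap (standing in for a real AES key wrap), and all keys and PINs are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# scrypt cost parameters chosen for this example; not the values Android ships with.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32  # bytes


def derive_kek(secret: bytes, salt: bytes, hw_secret: Optional[bytes] = None) -> bytes:
    """Stretch the screen-lock secret with scrypt (every guess costs this much), then,
    when a hardware keystore secret is available, mix it in with HMAC so the same
    derivation cannot be run on a machine that does not hold hw_secret."""
    stretched = hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                               dklen=KEY_LEN)
    if hw_secret is None:
        return stretched
    return hmac.new(hw_secret, stretched, hashlib.sha256).digest()


def wrap_dek(dek: bytes, kek: bytes) -> bytes:
    """Wrap the device encryption key under kek.  Toy construction: XOR with an
    HMAC-derived pad and append an HMAC tag.  A real implementation uses an AES key
    wrap; the point here is that only the wrapped blob ever leaves the key store."""
    assert len(dek) == KEY_LEN
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()
    return ct + tag


def unwrap_dek(blob: bytes, kek: bytes) -> Optional[bytes]:
    """Return the DEK if kek is right, else None (the tag check fails)."""
    ct, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    expected = hmac.new(kek, b"tag" + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hmac.new(kek, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))


def brute_force(blob: bytes, salt: bytes, candidates,
                hw_secret: Optional[bytes] = None) -> Optional[bytes]:
    """The attacker's loop over a copied blob: one scrypt call per guess.  Without the
    hardware secret that the wrap was bound to, no guess can ever verify."""
    for guess in candidates:
        if unwrap_dek(blob, derive_kek(guess, salt, hw_secret)) is not None:
            return guess
    return None


if __name__ == "__main__":
    pin = b"4821"                        # constructed screen-lock secret
    salt = secrets.token_bytes(16)
    hw_secret = secrets.token_bytes(32)  # stands in for a key that never leaves the keystore
    dek = secrets.token_bytes(KEY_LEN)
    blob = wrap_dek(dek, derive_kek(pin, salt, hw_secret))
    guesses = [b"%04d" % n for n in range(4800, 4830)]
    print("on-device guess loop recovers: ", brute_force(blob, salt, guesses, hw_secret))
    print("off-device guess loop recovers:", brute_force(blob, salt, guesses))
```

Two points the run makes visible: scrypt only raises the per-guess cost, so a short PIN still falls to an on-device loop, while binding the derivation to a keystore secret is what turns an offline attack on a copied blob into one that has to go through the device and its rate limiting. The toy wrap is deterministic under a fixed salt, so a real implementation regenerates the salt whenever the DEK is rewrapped.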

Multi user, restricted profile, and guest modes for phones

to prevent unintentional transmission of this code, two categories (Windows Threat and Non-Android Threat) warn users if the application shows evidence of a threat that exists for other operating systems. More details on the prevalence of each of the categories of PHA will be provided later in this document.

The vast majority of application installs are not classified as potentially harmful, so for most installations, the users of Verify Apps will see nothing displayed at the time of install. If an application is classified as potentially harmful, then in addition to displaying the warning, Verify Apps may either block the installation or allow the user to decide whether to allow installation to continue. An early design considered blocking all installations that were classified as potentially harmful, but user studies found that users might disable the feature if they disagreed with certain classifications. For example, many users will proceed to install Rooting apps after a warning is provided, as they likely already knew that it would bypass Android security protections.

Occurrence of Potentially Harmful Applications[6]

This section will provide a detailed breakdown of information gathered from Verify Apps on the frequency of occurrence of Potentially Harmful Applications (PHAs). It provides the most complete picture available of the overall state of the Android ecosystem with respect to PHAs. As noted in the introductory pages of this report, in 2014 less than 1% of all devices had a PHA installed. Fewer than 0.15% of devices that download only from Google Play had a PHA installed. The rate of installation of PHAs from outside Google Play also decreased by nearly 60% between Q1 and Q4 of 2014. Those findings will be explained in detail in the following pages. They will also be broken down by the categories of behavior and using device locale information to better identify relevant trends and variations within the worldwide Android ecosystem.

The broadest statistic that Verify Apps is currently tracking is the frequency with which Verify Apps detects an installed Potentially Harmful Application at the time that it does a full-device scan. We refer to this statistic as "device hygiene" and began to collect this statistic in early October 2014. Previously, data collection was associated with an install at the time of install and could not be tracked at the device level. During October 2014, the lowest level of device hygiene was 99.5% and the highest level was 99.65%, so less than 0.5% of devices had a PHA installed (excluding non-malicious Rooting apps). During that same time period, approximately 0.25% of devices had a non-malicious Rooting application installed. The device hygiene when incorporating all PHA applications is depicted in the following graph.

[Figure: Devices without PHA (Excluding Rooting), daily from 10-8-14 to 10-29-14; y-axis 99.50% to 99.65%]

[6] A note on counting Potentially Harmful Apps (PHAs): Applications may not be classified as PHAs when first identified, because later investigation reveals behavior that was hidden or believed to be innocuous which is actually potentially harmful. This means that the discovery of a new PHA can lead to a restating of previous install statistics. To balance the need for timeliness and accuracy, the final version of this paper is being produced on February X, 2015, more than 60 days after 11/1/2014. Since we began collecting data in 2012, our data has shown that most PHAs are identified within 60 days of installation. For "time of install" statistics, this report includes installs of PHAs that were identified as PHAs after 11/1/2014 if the install occurred prior to 11/1/2014. It is possible that some installations that occurred later in 2014 will be identified as PHAs in the future, but we don't expect that will have a significant effect on the overall statistics. Also, as Google does not retain a historical record of apps per device, the "device hygiene" statistics do not include applications classified as potentially harmful at a future date. They are the best information available on the day of the scan.

[Figure: Devices without Known PHA, daily from 10-3-14 to 10-29-14; y-axis 99.30% to 99.40%]

Google Play reviews all applications for potential security issues prior to making them available to users. No review process is perfect, and with over 1 million applications in Google Play, there are a small number of Potentially Harmful Applications that do still manage to be published in Google Play.

33、 perfect, and with over 1 million applications in Google Play, there are a small number of Potentially Harmful Applications that do still manage to be published in Google Play. To monitor all possible use scenarios, we are now tracking relative occurrence of PHAs for (1) devices that install only fr

34、om Google Play, (2) devices that have installed from from outside of Google Play previously, and (3) devices that are currently configured to allow installation of apps from outside of Google Play. 18 This was launched in mid-October 2014, so we currently have only 2 weeks of data prior to 11/1/2014

35、. The blue line indicates devices which have unknown sources enabled and have installed applications from outside of Google Play. The green line represents devices that have only installed applications from Google Play. Worldwide, excluding non-malicious Rooting applications, PHAs are installed on l

36、ess than 0.1% of devices that install applications only from Google Play. Non-rooting PHAs are installed on approximately 0.7% of devices that are configured to permit installation from outside of Google Play. Additionally, the second graph shows devices with any PHA (including Rooting applications)

37、. Rooting applications are installed on about 0.5% of devices that allow sideloading of applications from outside of Google Play. Worldwide, excluding non- malicious Rooting applications, PHAs are installed on less than 0.1% of devices that install applications only from Google Play. 2.00% 1.50% 1.0

38、0% 0.50% 0.00% 10-15-14 10-15-14 10-17-14 10-17-14 10-19-14 10-19-14 10-21-14 10-21-14 10-23-14 10-23-14 10-25-14 10-25-14 10-26-14 10-26-14 10-28-14 10-28-14 10-30-14 10-30-14 Devices with Known PHA (Excluding Rooting) Devices with Known PHA (Including Rooting) Outside of Google Play Outside of Goo

39、gle Play Play Only Play Only 2.00% 1.50% 1.00% 0.50% 0.00% 19 For devices that allow installation of applications from outside of Google Play, there are regional variations in the rate of installing PHAs. For comparison, below is a graph that shows prevalence of installed PHAs (excluding Rooting) by

40、 locale on devices that have been configured to install outside of Google Play for each of the locales that report the most installation events to Verify Apps. During this period of time, US English devices have a PHA installed on about 0.4% of devices, which is about 0.2% below the worldwide averag

41、e. Chinese devices have a higher rate than the worldwide average, with a PHA installed on about 0.8% of devices and Russia has a much higher rate, with approximately 3-4% of devices having an installed PHA. Fraction of Devices with Known PHA (Excluding Rooting), Safety Net users with Sideloading 5.0

42、0% 3.75% 2.50% 1.25% 0.00% 10-15-1410-17-1410-19-1410-21-1410-23-1410-25-1410-26-1410-28-1410-30-14 AE BRFR CN ID GB KR JP US RU 20 There is also regional variation in the prevalence of Rooting applications. The following graph shows the presence of all PHAs, including non-malicious Rooting applicat

43、ions. The basic shape of the graph is similar to the previous graph, with the exception of China. Chinese devices which install apps from outside of Google Play are more likely to have a non-malicious Rooting application than any other region or type of PHA. About 3-4% of Chinese devices have a Root

44、ing application installed. In fact, there are numerous applications from major Chinese corporations that include rooting exploits to provide functionality that is not provided by the Android API. Some of these Rooting applications explicitly describe that they will use an exploit to root the device,

45、 but there are some applications which do not describe this functionality to users. In those cases, Verify Apps may provide the only indication that an exploit is included and that installation of the application may degrade the overall security of the device. Fraction of Devices with Known PHA, Saf

46、ety Net users with Sideloading 10.00% 7.50% 5.00% 2.50% 0.00% 10-15-1410-17-1410-19-1410-21-1410-23-1410-25-1410-26-1410-28-1410-30-14 AE BRFR CN ID GB KR JP US RU 21 Below is a chart that provides the average fraction of devices with a PHA installed during the two weeks preceding 11/1/2014 for the

Although device-level statistics for PHAs only recently became available for applications installed from outside of Google Play, Verify Apps has been tracking per-install ratios since 2012. From November 2012 until June 2013, it was available only on devices running the then-current version of Android, Android 4.2. In June 2013 Verify Apps became available for previous versions of Android (specifically, Android 2.3 and above). The graph below shows the overall tracking since June 15, 2013, when Verify Apps became widely available. In the graph, the combined area of the red and blue curves shows the ratio of PHA installs relative to total installs. The blue curve depicts installs that may occur if a user chooses to install an application despite a warning from Verify Apps (for example, they choose to install a rooting application despite a warning). The red curve depicts installations for which a warning was not provided at the time of installation and the application was subsequently determined to be potentially harmful (a false negative at the time of install).

[Figure: Fraction of Installs Outside of Google Play that Result in Known PHA Being Installed; y-axis up to 8.00%]
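The counting note in this section (install-time statistics get restated as apps are reclassified, while device-hygiene figures are frozen at the scan date) and the red/blue split of the per-install graph above are easiest to see on data. The script below is an illustration written for this page, not Google's own pipeline. It runs both computations over a constructed install log: install_time_breakdown classifies each pre-cutoff install as warned-at-install (blue) or false-negative (red) using everything known by the report date, and device_hygiene uses only classifications known on the scan day. Device names, package names, the report date, and all dates are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Install:
    device: str
    app: str
    installed: date
    source: str  # "play" or "sideload"


# Constructed classification timeline: package -> day it was first classified as a PHA.
# Packages absent from the dict were never classified.  All names are made up.
PHA_CLASSIFIED = {
    "com.example.smsfraud": date(2014, 9, 10),
    "com.example.rooter": date(2014, 10, 25),
    "com.example.spy": date(2014, 11, 20),
}
ROOTING_APPS = {"com.example.rooter"}  # non-malicious rooting app, reported separately

# Constructed install log for eight devices (not real Verify Apps data).
INSTALLS = [
    Install("d1", "com.example.weather", date(2014, 8, 15), "play"),
    Install("d2", "com.example.smsfraud", date(2014, 9, 20), "sideload"),
    Install("d3", "com.example.smsfraud", date(2014, 9, 5), "sideload"),
    Install("d4", "com.example.rooter", date(2014, 10, 20), "sideload"),
    Install("d5", "com.example.spy", date(2014, 10, 28), "sideload"),
    Install("d6", "com.example.game", date(2014, 10, 1), "play"),
    Install("d7", "com.example.spy", date(2014, 11, 5), "sideload"),
    Install("d8", "com.example.weather", date(2014, 9, 1), "play"),
]

CUTOFF = date(2014, 11, 1)       # the report's data cutoff
REPORT_DATE = date(2015, 2, 1)   # assumed production date (the report says "February X")
SCAN_DAY = date(2014, 10, 30)    # a device-hygiene scan day inside the October window


def install_time_breakdown(installs, cutoff, report_date):
    """Per-install view, computed with everything known by report_date.
    Returns (installs before cutoff, PHA installs that were warned about at install
    time, PHA installs that were false negatives at install time).  Moving
    report_date later can only raise the last number: that is the restatement."""
    total = warned = false_neg = 0
    for i in installs:
        if i.installed >= cutoff:
            continue
        total += 1
        classified = PHA_CLASSIFIED.get(i.app)
        if classified is None or classified > report_date:
            continue  # not known to be a PHA when the report was produced
        if classified <= i.installed:
            warned += 1  # Verify Apps already knew the app; the user proceeded anyway
        else:
            false_neg += 1  # installed silently, classified as a PHA only later
    return total, warned, false_neg


def device_hygiene(installs, scan_day, exclude_rooting=True, play_only=False):
    """Device view: fraction of devices that, on scan_day, carry no app known to be a
    PHA on that day.  Later classifications are invisible, so this is never restated.
    play_only keeps only devices that have installed exclusively from Google Play."""
    by_device = defaultdict(list)
    for i in installs:
        if i.installed <= scan_day:
            by_device[i.device].append(i)
    if play_only:
        by_device = {d: lst for d, lst in by_device.items()
                     if all(i.source == "play" for i in lst)}
    dirty = 0
    for lst in by_device.values():
        for i in lst:
            classified = PHA_CLASSIFIED.get(i.app)
            if classified is None or classified > scan_day:
                continue
            if exclude_rooting and i.app in ROOTING_APPS:
                continue
            dirty += 1
            break
    return 1 - dirty / len(by_device)


if __name__ == "__main__":
    print("install view at cutoff:       ", install_time_breakdown(INSTALLS, CUTOFF, CUTOFF))
    print("install view restated later:  ", install_time_breakdown(INSTALLS, CUTOFF, REPORT_DATE))
    print("hygiene 10/30, excl. rooting: ", device_hygiene(INSTALLS, SCAN_DAY))
    print("hygiene 10/30, all PHAs:      ", device_hygiene(INSTALLS, SCAN_DAY, exclude_rooting=False))
    print("hygiene 10/30, Play only:     ", device_hygiene(INSTALLS, SCAN_DAY, play_only=True))
```

Running it shows the two effects the report describes: the spyware package classified on 11/20 moves one install from "clean" to "false negative" when the install view is recomputed in February, but it never appears in the 10/30 hygiene number because that figure only knows what was classified by 10/30; and the Play-only device population comes out clean while the sideloading population carries the PHAs, which is the split the green and blue lines draw.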
