Google: Android System Security Report (annual).pdf
Resource ID: 3335415 | Size: 5.29MB | Pages: 44 | Format: PDF
Android Security 2014 Year in Review
Google Report

Table of Contents
Overview
New Android Security Features / Capabilities
Response to vulnerabilities found in 2014
  SSL Vulnerabilities
  Android (and Linux kernel) vulnerabilities
  OEM / SOC specific vulnerabilities
  Application Vulnerabilities
Measures of Ecosystem Security
  Scope of User Protection and Ecosystem Measurement
  Classification of Potentially Harmful Applications
  Occurrence of Potentially Harmful Applications
  New and Noteworthy PHAs
    Spyware
    Ransomware
    WAP and SMS Fraud
Safety Net Statistics
  Platform API Abuse
    SMS Confirmation
    Other APIs of Interest
  Security Model Integrity
  Network Level Abuse
    SSLv3 downgrade
    CCS Injection
    CA Man In The Middle
Safe Browsing Statistics

Overview

Google is committed to ensuring that Android is a safe ecosystem for users and developers. We do that by investing in security technology within the core Android platform, developer support, and in the applications and services Google provides for Android. We want to share information about what we are doing and how the ecosystem is responding, so this is the first of what we expect will be many reports that will provide in-depth insight into the security of the Android ecosystem.

In 2014, the Android platform made numerous significant improvements in platform security technology, including enabling deployment of full disk encryption, expanding the use of hardware-protected cryptography, and improving the Android application sandbox with an SELinux-based Mandatory Access Control (MAC) system. Developers were also provided with improved tools to detect and react to security vulnerabilities, including the nogotofail project and the SecurityProvider. We provided device manufacturers with ongoing support for fixing security vulnerabilities in devices, including development of 79 security patches, and improved the ability to respond to potential vulnerabilities in key areas, such as the updateable WebView in Android 5.0.

Google's security services for Android increased protection for users and improved visibility into attempts to exploit Android. Ongoing monitoring by Verify Apps found that efforts to deliver Potentially Harmful Applications (PHAs) [1] continued at low levels throughout 2014: less than 1% of all devices had a PHA installed. Fewer than 0.15% of devices that download only from Google Play had a PHA installed. Expanded protection in Verify Apps and Safe Browsing also now provides insight into platform, network, and browser vulnerabilities affecting Android devices. Exploitation attempts were tracked for multiple vulnerabilities, and the data does not show any evidence of widespread exploitation of Android devices.

There were two major updates to Android in the 12 months ending Nov 1, 2014 [2]: Android 4.4 and the preview of Android 5.0. Both of these platform releases included security improvements as well as patches for newly discovered vulnerabilities. By February 2, 2015, Android 4.4 had become the most widely distributed version of Android, with over 41% of Android devices that check in to Google services running Android 4.4 or greater [3]. Here are a few of the security highlights from those releases:

Android sandbox reinforced with SELinux. Android 4.4 required that SELinux be in enforcing mode for select system domains, and Android 5.0 now requires SELinux in enforcing mode for all domains. SELinux is a mandatory access control (MAC) system in the Linux kernel used to augment the existing discretionary access control (DAC) security model. This new layer provides additional protection against potential security vulnerabilities by reducing the exposure of system functionality to applications.

[1] The security industry often uses the term "malware" with little or no definition. To avoid potential confusion, the Android security team instead uses the term Potentially Harmful Application (PHA) to refer to applications which pose a security risk to users or their data. More detail on the types of PHAs that have been observed is included in the section titled "Classification of Potentially Harmful Applications".

New Android Security Features / Capabilities

Improved Full Disk Encryption. Full Device Encryption was introduced with Android 3.0, using the Android screen lock secret to wrap a device encryption key that is not sent off the device or exposed to any application. Starting with Android 5.0, the user password is protected against brute-force attacks using scrypt and, where available, the key is bound to the hardware keystore to prevent off-device password brute-forcing attacks. On devices that ship with Android 5.0 out of the box, full disk encryption can be enabled by default to improve protection of data on lost or stolen devices.

Multi user, restricted profile, and guest modes for phones

Classification of Potentially Harmful Applications

... to prevent unintentional transmission of this code, two categories (Windows Threat and Non-Android Threat) warn users if the application shows evidence of a threat that exists for other operating systems. More details on the prevalence of each of the categories of PHA will be provided later in this document.

The vast majority of application installs are not classified as potentially harmful, so for most installations, users of Verify Apps will see nothing displayed at the time of install. If an application is classified as potentially harmful, then in addition to displaying the warning, Verify Apps may either block the installation or allow the user to decide whether to allow the installation to continue. An early design considered blocking all installations that were classified as potentially harmful, but user studies found that users might disable the feature if they disagreed with certain classifications. For example, many users will proceed to install Rooting apps after a warning is provided, as they likely already knew that it would bypass Android security protections.

Occurrence of Potentially Harmful Applications [6]

This section provides a detailed breakdown of information gathered from Verify Apps on the frequency of occurrence of Potentially Harmful Applications (PHAs). It provides the most complete picture available of the overall state of the Android ecosystem with respect to PHAs. As noted in the introductory pages of this report, in 2014 less than 1% of all devices had a PHA installed. Fewer than 0.15% of devices that download only from Google Play had a PHA installed. The rate of installation of PHAs from outside Google Play also decreased by nearly 60% between Q1 and Q4 of 2014. Those findings are explained in detail in the following pages. They are also broken down by category of behavior and by device locale to better identify relevant trends and variations within the worldwide Android ecosystem.

The broadest statistic that Verify Apps is currently tracking is the frequency with which Verify Apps detects an installed Potentially Harmful Application at the time that it does a full-device scan. We refer to this statistic as "device hygiene" and began to collect it in early October 2014. Previously, data collection was associated with an install at the time of install and could not be tracked at the device level. During October 2014, the lowest level of device hygiene was 99.5% and the highest level was 99.65%, so less than 0.5% of devices had a PHA installed (excluding non-malicious Rooting apps). During that same time period, approximately 0.25% of devices had a non-malicious Rooting application installed. The device hygiene when incorporating all PHA applications is depicted in the following graph.

[Graph: Devices without PHA (Excluding Rooting), daily from 10-8-14 to 10-29-14; y-axis 99.50% to 99.65%]

[Graph: Devices without Known PHA, daily from 10-3-14 to 10-29-14; y-axis 99.30% to 99.40%]

[6] A note on counting Potentially Harmful Apps (PHAs): Applications may not be classified as PHAs when first identified because later investigation reveals behavior that was hidden or believed to be innocuous which is actually potentially harmful. This means that the discovery of a new PHA can lead to a restating of previous install statistics. To balance the need for timeliness and accuracy, the final version of this paper is being produced on February X, 2015, more than 60 days after 11/1/2014. Since we began collecting data in 2012, our data has shown that most PHAs are identified within 60 days of installation. For "time of install" statistics, this report includes installs of PHAs that were identified as PHA after 11/1/2014 if the install occurred prior to 11/1/2014. It is possible that some installations that occurred later in 2014 will be identified as PHAs in the future, but we don't expect that will have a significant effect on the overall statistics. Also, as Google does not retain a historical record of apps per device, the "device hygiene" statistics do not include applications classified as potentially harmful at a future date. They are the best information available on the day of the scan.

Google Play reviews all applications for potential security issues prior to making them available to users. No review process is perfect, and with over 1 million applications in Google Play, there are a small number of Potentially Harmful Applications that do still manage to be published in Google Play. To monitor all possible use scenarios, we are now tracking the relative occurrence of PHAs for (1) devices that install only from Google Play, (2) devices that have previously installed from outside of Google Play, and (3) devices that are currently configured to allow installation of apps from outside of Google Play.

This tracking was launched in mid-October 2014, so we currently have only 2 weeks of data prior to 11/1/2014. The blue line indicates devices which have unknown sources enabled and have installed applications from outside of Google Play. The green line represents devices that have only installed applications from Google Play. Worldwide, excluding non-malicious Rooting applications, PHAs are installed on less than 0.1% of devices that install applications only from Google Play. Non-rooting PHAs are installed on approximately 0.7% of devices that are configured to permit installation from outside of Google Play. Additionally, the second graph shows devices with any PHA (including Rooting applications). Rooting applications are installed on about 0.5% of devices that allow sideloading of applications from outside of Google Play.

[Graph: Devices with Known PHA (Excluding Rooting) and Devices with Known PHA (Including Rooting), 10-15-14 to 10-30-14, each with series "Outside of Google Play" and "Play Only"; y-axis 0.00% to 2.00%]

For devices that allow installation of applications from outside of Google Play, there are regional variations in the rate of installing PHAs. For comparison, below is a graph that shows the prevalence of installed PHAs (excluding Rooting) by locale on devices that have been configured to install from outside of Google Play, for each of the locales that report the most installation events to Verify Apps. During this period of time, US English devices have a PHA installed on about 0.4% of devices, which is about 0.2% below the worldwide average. Chinese devices have a higher rate than the worldwide average, with a PHA installed on about 0.8% of devices, and Russia has a much higher rate, with approximately 3-4% of devices having an installed PHA.

[Graph: Fraction of Devices with Known PHA (Excluding Rooting), Safety Net users with Sideloading, 10-15-14 to 10-30-14, by locale (AE, BR, FR, CN, ID, GB, KR, JP, US, RU); y-axis 0.00% to 5.00%]

There is also regional variation in the prevalence of Rooting applications. The following graph shows the presence of all PHAs, including non-malicious Rooting applications. The basic shape of the graph is similar to the previous graph, with the exception of China. Chinese devices which install apps from outside of Google Play are more likely to have a non-malicious Rooting application than any other region or type of PHA. About 3-4% of Chinese devices have a Rooting application installed. In fact, there are numerous applications from major Chinese corporations that include rooting exploits to provide functionality that is not provided by the Android API. Some of these Rooting applications explicitly describe that they will use an exploit to root the device, but there are some applications which do not describe this functionality to users. In those cases, Verify Apps may provide the only indication that an exploit is included and that installation of the application may degrade the overall security of the device.

[Graph: Fraction of Devices with Known PHA, Safety Net users with Sideloading, 10-15-14 to 10-30-14, by locale (AE, BR, FR, CN, ID, GB, KR, JP, US, RU); y-axis 0.00% to 10.00%]

Below is a chart that provides the average fraction of devices with a PHA installed during the two weeks preceding 11/1/2014 for the most common locales.

Although device-level statistics for PHAs only recently became available for applications installed from outside of Google Play, Verify Apps has been tracking per-install ratios since 2012. From November 2012 until June 2013, it was available only on devices running the then-current version of Android, Android 4.2. In June 2013 Verify Apps became available for previous versions of Android (specifically, Android 2.3 and above). The graph below shows the overall tracking since June 15, 2013, when Verify Apps became widely available. In the graph, the combined area of the red and blue curves shows the ratio of PHA installs relative to total installs. The blue curve depicts installs that may occur if a user chooses to install an application despite a warning from Verify Apps (for example, they choose to install a rooting application despite a warning). The red curve depicts installations for which a warning was not provided at the time of installation and the application was subsequently determined to be potentially harmful (a false negative at the time of install).

[Graph: Fraction of Installs Outside of Google Play that Result in Known PHA Being Installed; y-axis up to 8.00%]
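The "device hygiene" metric and the three device populations described above, recomputed over constructed full-device scan records. This is an added example, not code from the report or from Google; the record layout, the classification names and the locale codes are assumptions, and the sample values are illustrative.

```python
from collections import defaultdict
from dataclasses import dataclass, field

ROOTING = "rooting"  # non-malicious Rooting apps, omitted from "excluding Rooting" figures

@dataclass
class ScanRecord:  # one full-device scan; constructed record layout, not Google's
    device_id: str
    locale: str            # assumed two-letter locale code, e.g. "US", "CN", "RU"
    allows_sideload: bool  # "unknown sources" is currently enabled
    has_sideloaded: bool   # has ever installed an app from outside Google Play
    phas: list = field(default_factory=list)  # classifications of installed PHAs

def has_pha(rec, exclude_rooting=True):
    """True if the scan found a PHA, optionally ignoring Rooting apps."""
    return any(not (exclude_rooting and c == ROOTING) for c in rec.phas)

def hygiene(records, exclude_rooting=True):
    """Device hygiene: fraction of scanned devices with no PHA installed."""
    clean = sum(1 for r in records if not has_pha(r, exclude_rooting))
    return clean / len(records) if records else None

def pha_rate_by_population(records, exclude_rooting=True):
    """PHA prevalence for the three device populations the report tracks."""
    groups = {
        "play_only": [r for r in records if not r.has_sideloaded],
        "sideloaded": [r for r in records if r.has_sideloaded],
        "unknown_sources": [r for r in records if r.allows_sideload],
    }
    return {k: 1.0 - hygiene(v, exclude_rooting) for k, v in groups.items() if v}

def pha_rate_by_locale(records, exclude_rooting=True):
    """Per-locale PHA prevalence among devices configured to allow sideloading."""
    by_locale = defaultdict(list)
    for r in records:
        if r.allows_sideload:
            by_locale[r.locale].append(r)
    return {loc: 1.0 - hygiene(v, exclude_rooting) for loc, v in by_locale.items()}

# Constructed sample scans; illustrative values, not the report's data.
SAMPLE = [
    ScanRecord("d01", "US", False, False),
    ScanRecord("d02", "US", True, True, ["spyware"]),
    ScanRecord("d03", "US", True, True),
    ScanRecord("d04", "CN", True, True, [ROOTING]),
    ScanRecord("d05", "CN", True, True, [ROOTING, "sms_fraud"]),
    ScanRecord("d06", "RU", True, True, ["ransomware"]),
    ScanRecord("d07", "RU", True, True, ["sms_fraud"]),
    ScanRecord("d08", "RU", True, False),
]
```

Comparing `pha_rate_by_locale(SAMPLE)` with `pha_rate_by_locale(SAMPLE, exclude_rooting=False)` reproduces the report's China observation: the locale's rate changes only when Rooting apps are counted.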