How to ensure the security of Android open environment

Publisher: Tiger8 | Latest update time: 2012-04-29 | Source: OFweek

To integrate with the Internet, home appliances are adopting Android at an accelerating pace. For manufacturers developing home appliances, Sony's information leak is a cautionary lesson. Enterprises must not only explore ways to coexist peacefully with hackers, but also equip their systems with multiple layers of defense.

Home appliances such as TVs, car navigation systems and e-books are now adopting open embedded software development platforms. Among them, Android is attracting much attention. The reason is that "if you plan to strengthen the linkage function with Internet services more than before, Android will naturally be one of the options" (Jiro Kaneyama, general manager of the development headquarters of Eflow, a Japanese embedded system developer).

For manufacturers who intend to equip home appliances with Android, the illegal attacks on "PlayStation Network (PSN)" and "Qriocity" are not unrelated. This is because after adopting Android in home appliances, "close linkage with Internet services" and "an environment for adding new services by installing application software (hereinafter referred to as applications)" can be achieved, which are the same as PlayStation 3 (PS3). Therefore, it is not surprising that the same situation as Sony occurs, including the DRM mechanism being exposed, or the communication method and password with the server being leaked, resulting in illegal access to the server.

To prevent such incidents, we need to learn from the Sony information leak incident. In other words, the key is to avoid repeating the mistakes Sony made, including "making the entire hacker community the enemy" and "relying entirely on the PS3 mechanism for security" (Figure 1). On the other hand, if we take two actions in the future, namely "establishing a coordinated relationship with the hacker community" and "being prepared for the possibility that the security mechanism will be breached sooner or later, no matter how powerful it is, and taking multiple security measures", then there is a high probability that incidents that affect the company's survival will be avoided.

Android security environment

Not only do we need to try to establish good relationships with the hacker community, but we also need to implement multiple defenses for important information that cannot be leaked.

The goal is to coexist peacefully with hackers

The first point is to avoid confrontation with hackers. To do this, you must understand how hackers think and find ways to coexist peacefully with them.

Sony has always taken the attitude of "PS3 is a product we sell to provide services, so of course we should control it" towards hackers. However, many PS3 users believe that "how to use the product you paid for is a personal freedom." Sony adopted a tough approach without understanding the difference in thinking between itself and its users, which led to the situation where the two sides had opposing views.

To keep things from developing into a confrontation of ideas, the key is for the manufacturer's relevant personnel to hold regular dialogues with the hacker community, respect each other's opinions to a certain extent, and develop products on that basis. "Network intrusion is a special talent that not everyone can master. It is necessary to discover this talent as early as possible and try to pull people with this ability into your camp to prevent them from taking extraordinary actions" (Shinji Yamane, a researcher at Aoyama Gakuin University in Japan).

Take multiple defensive measures

Another key point is "multiple defenses," which is a very important way of thinking when defending under the assumption of being attacked. Specifically, even if the first barrier is breached, a second or even a third barrier should be prepared to prevent decisive damage.

This kind of thinking is particularly important when developing home appliances that use Android. The reason is that with an open platform, "anyone can easily obtain design information and build a debugging environment, making network intrusion easier" (Eflow's Kaneyama) (Figure 2).

Figure 2: Development environment shifts from black box to open

When an open development environment is adopted, hardware and software development is simplified, but the risk of cyber attacks also increases.

In fact, a mobile phone manufacturer that adopted the Android platform before home appliance retailers said when introducing the differences between Android phones, "Traditional mobile phones can ensure security through the autonomy of product and software installation, but smartphones equipped with Android have to consider security issues due to the credibility of the OS" (Takashi Yanagisawa, Director of Security Promotion of the Smart Communications Service Department of NTT DoCoMo).

Prevent administrator privileges from being seized

So, what issues must be considered when adopting Android?

The first thing to consider is preventing administrator privileges from being seized, so that system files such as device drivers and OS libraries cannot be tampered with. If the system files are tampered with, the system will be cracked from that point (Figure 3).

Figure 3: Problems when administrator privileges are taken away

Most of the data exchanged internally can be stolen. In addition, illegal applications can be embedded. Encrypted files can also be opened.

Although these are all attacks that have been considered for embedded devices, previous products have many restrictions to prevent external applications from being added in addition to the black box nature of the platform, so they are not easily targeted. However, Android's file structure is public, and applications can be added at will, making it easy to attack.

Android gives users only user-level rights, so system files cannot be modified. However, if the Linux kernel, program libraries, or drivers contain an "escalation" vulnerability that can raise user rights to administrator rights, it is a different matter. As long as an application is written to attack the vulnerability and run on Android, administrator rights can be seized.

The solution to this problem is to patch the vulnerability as soon as it is discovered. But this is not a simple matter. This is because the Android source code is provided to the manufacturer, and the installation work is completed by the manufacturer. The collection of vulnerability information and the operation verification after the patch is installed must also be completed by the manufacturer.

There is a set of data that clearly reveals how difficult this task is. This is the report "Threats and Countermeasures Facing Smartphones" released by the Information Processing Promotion Agency (IPA) of Japan in June 2011. The report investigated whether the malware "Droid Dream" that exploits vulnerabilities in the Linux kernel and other systems to seize administrator privileges has infected smartphones on the market. Droid Dream can exploit two vulnerabilities. Although these two vulnerabilities were disclosed in April 2009 and August 2010, respectively, as of March 2011, 11 of the 14 mobile phones investigated had not yet been equipped with complete countermeasures (Table 1).

Table 1: IPA survey on “Droid Dream” responses

Droid Dream can exploit one of two vulnerabilities in the Linux kernel and Android components to seize administrator privileges. The table marks models that block one of the vulnerabilities as "partially addressed."

This is true even for smartphones produced by companies with a high level of security awareness. If other home appliances use Android, it is questionable whether patches can be provided in a timely manner. Home appliances need a mechanism that prevents administrator privileges from being seized when vulnerabilities are attacked, or that prevents the security-critical parts from being cracked even after administrator privileges have been seized.

Java can be easily disassembled

In addition to preventing administrator privileges from being seized, there are other issues that need to be addressed: program files or settings files may be cracked and illegally copied, or important algorithms and data that form the foundation of the service may be discovered.

This problem has become increasingly serious on smartphones, where game apps written by Japanese developers are arbitrarily translated into Chinese and sold, or worse, are implanted with malware and distributed to users (Figure 4).

Figure 4: Methods for embedding malware in applications

Purchase legitimate apps through the Android app store and implant malicious code through disassembly.

Droid Dream, which was introduced above, was also malware created using this method. Apps sold in the Android online store were arbitrarily modified and implanted with programs that could seize administrator privileges and steal users' personal information.

An expert familiar with illegal software copying said, "Although Android is generally written in Java, it is very easy to tamper with it by disassembling it and then reprocessing the data packets" (Hideaki Ogawa, representative director of HyperTech Japan). In other words, if any company does not prepare for the possibility of its program being cracked and take measures, it is possible that it will fall into crisis.
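A defender-side check for the repackaging route described above, as an added example that is not part of the original article: it compares a suspect APK against the publisher's own release of the same version, entry by entry, to show where code was changed and whether the package was re-signed. The function names and the sample archives are constructed for illustration and contain placeholder bytes only.

```python
import hashlib
import io
import zipfile

CODE_SUFFIXES = (".dex", ".so")   # entries that carry executable code
SIGNING_PREFIX = "META-INF/"      # v1 (JAR) signing data lives here

def entry_digests(apk_bytes):
    """Map each entry name in the APK (a ZIP archive) to its SHA-256 digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return {name: hashlib.sha256(apk.read(name)).hexdigest()
                for name in apk.namelist()}

def compare_to_reference(reference_apk, suspect_apk):
    """Report how a suspect APK differs from the publisher's own release."""
    ref, sus = entry_digests(reference_apk), entry_digests(suspect_apk)
    added = sorted(set(sus) - set(ref))
    removed = sorted(set(ref) - set(sus))
    changed = sorted(n for n in set(ref) & set(sus) if ref[n] != sus[n])
    return {
        "added": added, "removed": removed, "changed": changed,
        # Executable content is not what the publisher shipped.
        "code_modified": any(n.endswith(CODE_SUFFIXES) for n in added + changed),
        # Signing data differs or is missing: not the publisher's signed file.
        "resigned": any(n.startswith(SIGNING_PREFIX)
                        for n in added + changed + removed),
    }

def build_apk(entries):
    """Build a constructed, minimal APK-like ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        for name, data in entries.items():
            apk.writestr(name, data)
    return buf.getvalue()

# Constructed sample data: placeholder bytes, not real DEX code or signatures.
ORIGINAL = build_apk({
    "AndroidManifest.xml": b"manifest-v1",
    "classes.dex": b"game-code",
    "res/raw/levels.bin": b"levels",
    "META-INF/CERT.RSA": b"publisher-signature-block",
})
REPACKAGED = build_apk({
    "AndroidManifest.xml": b"manifest-v1-more-permissions",
    "classes.dex": b"game-code-modified",
    "res/raw/levels.bin": b"levels",
    "assets/extra.bin": b"extra",
    "META-INF/CERT.RSA": b"third-party-signature-block",
})
print(compare_to_reference(ORIGINAL, REPACKAGED))
```

The comparison is only meaningful against the same release of the app, because a legitimate update from the publisher also changes the code and the signature block.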

Changing the system has no effect

Some manufacturers have adopted open software platforms such as Android and have restricted functions to protect programs or information from network intrusion. However, security experts have warned that this approach should not be taken (Ishiro Nishimoto, director and chief technology officer of Japan LAC).

If an open platform is adopted and then it is “closed”, it will stimulate hackers’ desire to “use it freely.” Moreover, “since it is an open system, it is easy to guess the internal structure, and the effect of closing it is limited” (Nishimoto).

Take, for example, the NOOK Color, the e-reader launched in November 2010 by Barnes & Noble, the largest bookstore chain in the United States. Although the product uses the Android 2.2 platform, the only applications that can be used are those pre-installed by Barnes & Noble and those provided by the online store operated by the company. In the second month after the NOOK Color was launched, a tool that can rewrite the NOOK Color system and use applications at will appeared (Figure 5).

Figure 5: A closed Android can also be rooted

Although Barnes & Noble's e-reader "NOOK" is based on Android, the app store only stocks apps developed by the company itself, and users cannot install apps at will (a). However, third parties have begun to distribute tools that allow anyone to root and install apps at will (b).

So if you plan to use an open system, you must be prepared to be cracked by hackers using various means.
