Binder Flaw Threatens to Blow Apart Android Security

Security researchers have warned of a serious security flaw in Android which could potentially leave every device open to attack.

The vulnerability is in the operating system’s ubiquitous inter-process communication (IPC) tool known as Binder, according to a Black Hat Europe presentation on Thursday by Check Point researchers Nitay Artenstein and Idan Revivo.

Binder is the means by which all apps talk to the underlying system layer. It was created thus to reduce the attack surface, however, given it occupies such an important role itself, Binder has become a prime target for Android malware, they argue.

“Subverting this component allows an attacker to see and control almost all important data being transferred within the system,” the two say in their research paper.

Effectively, if an attacker is able to control any link in the chain which leads all the way from Java APIs at one end to the native Binder code at the other they can launch a “Man in the Binder” attack.

This could enable them to steal sensitive data including keylogs, SMS messages, banking transactions and other in-app activities; modify data in transit; and even override any security measures put in place by individual apps, they say.

The flaw does require attackers to be able to run code as root, however, this isn’t a big deal, according to Artenstein.

“We argue that the profusion of root exploits against Android, which guarantees successful remote rooting against many Android versions, means that security companies need to rethink their strategy on how to defend Android users,” he told Infosecurity.

“Effectively, we believe they need to work under the assumption that the device is already rooted.”

Given the importance of Binder to Android’s architecture, it won’t be easy to defend devices against this attack, but Artenstein did provide some best practice advice.

“Each process in Android can control its own memory space,” he explained.

“Given that Man in the Binder attacks will often be directed a specific application, it is up to that application to implement specific defensive techniques. For example, it should scan its own memory space and look for any possible code injections against Binder.”

To guard against the “virtually undetectable” keyloggers Man in the Binder can enable, developers could also think about creating their own in-app keyboards separate to the normal Android keyboard.

Finally, they should consider encrypting any data sent or received from a system service – as it’s all vulnerable to a Binder attack.

“This includes all Intents, all calls to Activity Manager and all calls to the Network Manager,” Artenstein added. “If you're using a system service and passing it some sensitive data, you need to encrypt that data first.”

There is a chance that Google has patched known exploit paths in the just announced Android 5.0 (Lollipop) but that won’t be known till researchers can get their hands on it. Even then, Binder attacks could still work if a new rooting exploit is found for Lollipop, Check Point added.

What’s Hot on Infosecurity Magazine?