=======================[ Readings ]=======================

Android boot sequence: http://learnlinuxconcepts.blogspot.com/2014/02/android-boot-sequence.html

Android's variant of Trusted Boot: https://source.android.com/security/verifiedboot/
(in more detail: https://source.android.com/security/verifiedboot/verified-boot)

Trusted Boot is probably the most impactful technology of the past decade in mass computing. The idea is that each stage of the boot sequence is executed only if its code is cryptographically signed and the signature verifies under a set of platform keys that are hard for an attacker to replace without the user noticing. For example, the boot ROM checks the signature on the bootloader; the bootloader checks the signatures of every software module it loads, including the OS kernel. To continue the chain, the kernel may in turn refuse to load and execute any software (drivers, kernel modules) that is not signed. One detail matters for the whole chain to hold: the key each stage uses to check the next stage must itself be either fixed in ROM or covered by the previous stage's signature; otherwise an attacker could swap in their own key and sign everything downstream of it.

Microsoft introduced this technology in Windows 8: https://blogs.msdn.microsoft.com/olivnie/2013/01/09/windows-8-trusted-boot-secure-boot-measured-boot/ (UEFI is the PC firmware standard that replaced the legacy BIOS; it is the UEFI firmware that checks the bootloader's signature). Microsoft's terminology actually distinguishes three things: UEFI Secure Boot (the firmware checks the bootloader), Trusted Boot (Windows checks the kernel and the drivers it loads), and Measured Boot (each stage's hash is recorded in the TPM, so a remote party can later attest what was booted).

Trusted Boot prevents malware from replacing your kernel or your bootloader with an untrustworthy one capable of defeating any security tools you might want to run on the system, such as an antivirus or anti-rootkit scanner. But it also has a darker side: the owner of the signing keys may refuse to allow any independently developed software (such as free software like Linux) to run on the device. For decades, a "computer" meant a device you could program if you so chose; a system using trusted boot may completely deny you the ability to program it if the owner of the platform keys so chooses.
Some general discussion here: https://www.pcworld.com/article/2901262/microsoft-tightens-windows-10s-secure-boot-screws-where-does-that-leave-linux.html

This blog has the details: https://mjg59.dreamwidth.org/9844.html

================[ Unlocked & Rooted Androids ]====================

Many telecom or phone vendors do just this: they prohibit any unsigned updates to the operating system. Their bootloaders will refuse to load any kernel that is not signed by the vendor. Such phones are referred to as locked. Installing your own kernel on them is only possible by exploiting a bug in the vendor's own signed code (the bootloader or the kernel). Signed does not mean bug-free; even the iPhone's iOS has had a long series of bugs that were used to "jailbreak" it. For the history of such jailbreaks see, e.g., https://www.theiphonewiki.com/wiki/Jailbreak

Google's Nexus line of phones can be unlocked, so that custom OS images can be installed, such as LineageOS (formerly CyanogenMod, which you saw me boot in class). In the same platform-tools directory as adb (on MacOS, ~/Library/Android/sdk/platform-tools/) you will find the tool "fastboot", which can reconfigure the bootloader to allow loading custom images ("fastboot oem unlock" on older Nexus devices such as the Nexus 6, "fastboot flashing unlock" on newer ones; on recent devices the "OEM unlocking" switch in Developer options must be turned on first). There's a cost to this: unlocking the bootloader with fastboot wipes the device. Android's documented reason for the wipe is to protect the existing user's data: without it, anyone with physical access could unlock the bootloader, boot their own image, and read /data without ever knowing the screen lock. Whether DRM is an additional motive is a matter of debate; DRM itself is a controversial topic, see, e.g., the Free Software Foundation's criticisms of it: https://www.defectivebydesign.org/what_is_drm_digital_restrictions_management

After your phone is unlocked, you can use a variety of tools to install a new OS such as LineageOS. The typical process looks as follows: https://wiki.lineageos.org/devices/shamu/install (these instructions are for LineageOS on the Nexus 6). One benefit of a custom OS is getting a much more powerful debugging environment, with "root" superuser privileges.
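To make the signed boot chain from the Readings section and the locked/unlocked bootloader distinction above concrete, here is an added example in Go (it is not code from this page, from AOSP, or from any vendor). It simulates a ROM -> bootloader -> kernel chain with Ed25519 signatures. The Image layout, the function names (BuildChain, Boot, AttackerRekey) and the image contents are all constructed for this example; the "green" and "orange" state names follow Android's verified-boot documentation. Real AVB uses RSA keys and signs a vbmeta structure carrying hashes of the partitions rather than the raw kernel bytes, but the two properties shown here are the same: the ROM's check on the bootloader survives unlocking, and the key used to check the next stage is inside the signed region of the stage before it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Image is one boot stage as it sits in flash: the code to run, the public
// key this stage will use to verify the NEXT stage (nil for the last stage),
// and a signature over both made with the PREVIOUS stage's private key.
// The layout is constructed for this example; it is not AVB's vbmeta format.
type Image struct {
	Code    []byte
	NextKey ed25519.PublicKey
	Sig     []byte
}

// signedRegion is what the signature covers. NextKey is inside it on purpose:
// if only Code were signed, an attacker could swap in their own NextKey and
// then sign every later stage themselves.
func (im Image) signedRegion() []byte {
	return append(append([]byte(nil), im.Code...), im.NextKey...)
}

// signImage is the vendor's build step for one stage.
func signImage(signer ed25519.PrivateKey, code []byte, next ed25519.PublicKey) Image {
	im := Image{Code: code, NextKey: next}
	im.Sig = ed25519.Sign(signer, im.signedRegion())
	return im
}

// verify is a stage's check of the image it is about to jump to. Ed25519
// panics on a wrong-sized key, so the length is checked first.
func verify(key ed25519.PublicKey, im Image) bool {
	return len(key) == ed25519.PublicKeySize && ed25519.Verify(key, im.signedRegion(), im.Sig)
}

// BuildChain plays the vendor: it generates a root key (its public half is
// what the boot ROM trusts) and a bootloader key, then signs the two stages
// so that ROM -> bootloader -> kernel forms a chain.
func BuildChain(bootloaderCode, kernelCode []byte) (ed25519.PublicKey, []Image, error) {
	rootPub, rootPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	blPub, blPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return rootPub, []Image{signImage(rootPriv, bootloaderCode, blPub), signImage(blPriv, kernelCode, nil)}, nil
}

// Boot plays the device. The ROM always checks stage 0 against rootKey, which
// lives in silicon and is untouched by "fastboot flashing unlock". A locked
// bootloader then checks every later stage and halts on the first mismatch;
// an unlocked one boots an unverified later stage anyway, but reports the
// "orange" warning state instead of "green".
func Boot(rootKey ed25519.PublicKey, stages []Image, unlocked bool) (string, error) {
	if len(stages) == 0 {
		return "", fmt.Errorf("nothing to boot")
	}
	key, state := rootKey, "green"
	for i, st := range stages {
		if !verify(key, st) {
			if i == 0 || !unlocked {
				return "", fmt.Errorf("stage %d failed signature check: halting boot", i)
			}
			state = "orange"
		}
		key = st.NextKey
	}
	return state, nil
}

// AttackerRekey is the attack that signing NextKey defends against: replace the
// bootloader's embedded key with the attacker's own and re-sign the kernel with
// the matching private key. Expects a two-stage chain; the input is not modified.
func AttackerRekey(stages []Image) []Image {
	evil := append([]Image(nil), stages...)
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	evil[0].NextKey = pub // stage 0's old Sig no longer covers this image
	evil[1] = signImage(priv, []byte("attacker kernel"), nil)
	return evil
}

func main() {
	root, stages, err := BuildChain([]byte("vendor bootloader"), []byte("vendor kernel"))
	if err != nil {
		panic(err)
	}
	custom := append([]Image(nil), stages...)
	custom[1] = Image{Code: []byte("custom kernel")} // unsigned, e.g. a LineageOS build
	for _, c := range []struct {
		label    string
		chain    []Image
		unlocked bool
	}{
		{"locked, vendor images", stages, false},
		{"locked, custom kernel", custom, false},
		{"unlocked, custom kernel", custom, true},
		{"unlocked, attacker re-keyed chain", AttackerRekey(stages), true},
	} {
		st, err := Boot(root, c.chain, c.unlocked)
		fmt.Printf("%-34s state=%q err=%v\n", c.label, st, err)
	}
}
```

The last case is the one to notice: unlocking lets the owner boot an unsigned kernel, but it does nothing against the ROM's check of the bootloader, so an attacker who rewrites the embedded key still gets "halting boot", which is exactly why a locked phone can only be taken over by a bug in the signed code itself.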
In class you saw that my phone allowed me neither to list the directory /data, where apps keep their data, nor to access the package descriptions in /data/system/packages.xml. It is so annoying to not be able to manipulate your own data even while in developer mode! A rooted phone allows you to "su" and become the root user, by providing the right commands and privileges. See the above link for how a custom image is "rooted". Rooting makes possible apps like BinderExplorer, which you saw in the class demo: http://www.opersys.com/blog/exploring-binder-relations

================[ Android Malware, dissected ]====================

Now that you've seen some tools for dissecting Android apps, you can follow along with analyses of some Android malware:

The Zeus trojan: https://www.strazzere.com/blog/2012/08/android-zitmo-analysis-now-you-see-my-now-you-dont/

So-called nation-state malware, from the Hacking Team: https://rednaga.io/2016/11/14/hackingteam_back_for_your_androids/