Updating Android operating system, is it really safe?
All Android devices at risk of being hacked when installing OS system updates _ Pileup Flaws
By Raunak Chatterjee and Anisha Agarwal
Student of Computer Science and Engineering department of Calcutta Institute of Technology
Email: rnk.chatterjee.cit@gmail.com
-------------------------------------------------
Anishaagarwal1992@gmail.com
Abstract:
Android is a Linux based operating system. Initially developed by Android, Inc., which Google backed financially and later bought in 2005, Android was unveiled in 2007 along with the founding of the Open Handset Alliance—a consortium of hardware, software, and telecommunication companies devoted to advancing open standards for mobile devices. The first publicly available smartphone running Android, the HTC Dream, was released on October 22, 2008. Android's source code is released by Google under the Apache License; this permissive licensing allows the software to be freely modified and distributed by device manufacturers, wireless carriers and enthusiast developers. As of July 2013, Android has the largest number of applications, available for download in Google Play store which has had over 1 million apps published, and over 50 billion downloads. A developer survey conducted in April–May 2013 found that Android is the most used platform among developers: it is used by 71% of the mobile developers’ population. From astro 1.0 to kit Kat android make itself evolved. For evolving in very fast manner its updates are coming out one after another so frequently. Even a particular version of Operating system has different versions. These updates often completely overhaul a running system, replacing and adding tens of thousands of files across android’s complex architecture, in the presence of critical and important user data and applications. To avoid accidental damages to such data and existing applications the upgrade process involves complicated program logics whose security implications are so complex. Focusing on PMS (Package Management Service) there is a new security-critical vulnerability evolved and that is Pileup flaws, through which a malicious application can strategically declare a set of privileges and attributes on a low-version operating system and wait until it is upgraded to escalate its privileges on the new system. Specifically that can be found by exploiting the pileup vulnerabilities, the application can not only acquire a set of newly added system and signature permissions but also determine their settings, and it can further substitute a new system applications with a malicious one, contaminate their data to steal sensitive user information or change security configuration of the system, and prevent the installation of many important system services.

Introduction:
One expect his/her apps and personal data to still be in your Android after an operating system upgrade, but the updating mechanism that allows that has a new class of privilege escalation vulnerabilities, which may defined as “pose serious threats to billions of Android users” who update their systems. Basically flaws in Android's program logic to install updates could allow a bad app to gain godlike permission to take control of your Android device, from hijacking your Google account, sending text messages, accessing voicemail, formatting removable storage, to stealing your passwords for a banking site. When talking about the flaws that affect “all the Android devices worldwide,” The so called ‘Pileup’–short for privilege escalation through updating–lurks inside the Android Package Management Service (PMS) and increases the permissions offered to malicious apps whenever an update occurs, without giving the user any info about the matter. Every few months, an update is released, which causes replacement and addition of tens of thousands of files on a live system. Each of the new apps being installed needs to be carefully configured to set its attributes within its own sandboxes and its privileges in the system, without accidentally damaging existing apps and the user data they keep. This complicates the program logic for installing such mobile updates, making it susceptible to security-critical flaws. Six different Pileup vulnerabilities have been discovered within the Android PMS. These vulnerabilities are present in all Android Open Source Project versions, including all 3,522 source code versions customised by handset OEMs and carriers.

PMS (Package Management Service):
To define properly we have to go through some question and answer series.
What are Package Manager and Package Installer?
PackageInstaller is the default application for Android to interactively install a normal package. PackageInstaller provide user interface to manage applications/packages. PackageInstaller calls InstallAppProgress activity to receive instructions from the user. InstallAppProgress will ask Package Manager Service to install package via installd. Source code is available at <Android Source>/packages/apps/PackageInstaller.
Installd daemon’s primary role is to receive request from Package Manager Service via Linux domain socket / dev/ socket/ installed. installd executes a series of steps to install APK with root permission. [Ref: https://github.com/android/platform_frameworks_base/blob/master/cmds/installd/commands.c]
Package Manage is an API that actually manages application install, uninstall, and upgrade. When we install the APK file, Package Manager parse the package (APK) file and displays confirmation. When the user presses the OK button, Package Manager calls the method named "installPackage" with these four parameters namely uri, installFlags, observer, installPackageName. Package Manager starts one service named "package", and now all fuzzy things happen in this service. You can check "PackageInstallerActivity.java" and "InstallAppProgress.java" in the PackageInstaller source code. Package Manager Service runs in system_service process and install daemon (installd) runs as a native process. Both start at system boot time.
Where are APK Files Stored in Android?
a. Pre-Install (i.e. Camera, Calendar, Browser, etc.) APK is stored in /system/app/ b. User Install (ApiDemo, Any.do, etc.) APK is stored in /data/app/ c. Package Manager creates a data directory /data/data/<package name>/ to store the database, shared preference, native library and cache data. You might see an apk file and *.odex file for the same APK. The ODEX file is totally a different discussion and purpose.
What is the APK Installation Process in Detail?
The following process executes in Package Manager Service. * Waiting * Add a package to the queue for the installation process * Determine the appropriate location of the package installation * Determine installation Install / Update new * Copy the apk file to a given directory * Determine the UID of the app * Request the installd daemon process * Create the application directory and set permissions * Extraction of dex code to the cache directory * To reflect and packages.list / system / data / packages.xml the latest status * Broadcast to the system along with the name of the effect of the installation is complete package * Intent.ACTION_PACKAGE_ADDED: If the new ( Intent.ACTION_PACKAGE_REPLACED): the case of an update

How Does the Package Manager Store Data?
Package Manager stores application information in three files, located in /data/system. The following sample is extracted from Android 4 ICS emulator image. 1. packages.xml: This file contain list of permissions and Packages/Applications. view source print? 01.<packages>
02.<last-platform-version external="15" internal="15">
03.<permission-trees>
04.<permissions>
05.<item name="android.permission.CHANGE_WIFI_MULTICAST_STATE"package="android" protection="1">
06.<item name="android.permission.CLEAR_APP_USER_DATA" package="android"protection="2">
07..
08..
09..
10..
11.</item></item></permissions>
12.
13.
14.
15.
16.<package codepath="/system/app/Contacts.apk" flags="1" ft="136567b3990"it="136567b3990" name="com.android.contacts"nativelibrarypath="/data/data/com.android.contacts/lib"shareduserid="10001" ut="136567b3990" version="15">
17.<sigs count="1">
18.<cert index="2">
19.</cert></sigs>
20.</package>
21..
22..
23..
24..
25.<package codepath="/data/app/com.project.t2i-2.apk" flags="0"ft="13a837c2068" it="13a83704ea3" name="com.project.t2i"nativelibrarypath="/data/data/com.project.t2i/lib" userid="10040"ut="13a837c2ecb" version="1">
26.<sigs count="1">
27.<cert index="3" key="308201e53082014ea0030201020204506825ae300d06092a86
28.4886f70d01010505003037310b30090603550406130255533110300e060355040a13074
29.16e64726f6964311630140603550403130d416e64726f6964204465627567301e170d31
30.32303933303130353735305a170d3432303932333130353735305a3037310b300906035
31.50406130255533110300e060355040a1307416e64726f6964311630140603550403130d
32.416e64726f696420446562756730819f300d06092a864886f70d010101050003818d003
33.08189028181009ce1c5fd64db794fd787887e8a2dccf6798ddd2fd6e1d8ab04cd8cdd9e
34.bf721fb3ed6be1d67c55ce729b1e1d32b200cbcfc91c798ef056bc9b2cbc66a396aed6b
35.a3629a18e4839353314252811412202500f11a11c3bf4eb41b2a8747c3c791c89391443
36.39036345b15b5e080469ac5f536fd9edffcd52dcbdf88cf43c580abd0203010001300d0
37.6092a864886f70d01010505000381810071fa013b4560f16640ed261262f32085a51fca
38.63fa6c5c46fde9a862b56b6d6f17dd49643086a39a06314426ba9a38b784601197246f8
39.d568e349a93bc6af315455de7a8923f40d4051a51e1658ee34aca41494ab94ce978ae38
40.609803dfb3004806634e6e78dd0be26fe75843958711935ffc85f9fcf81523ce23c86bc
41.c5c7a">
42.</cert></sigs>
43.<perms>
44.<item name="android.permission.WRITE_EXTERNAL_STORAGE">
45.</item></perms>
46.</package>
47..
48..
49..
50..
51..
52.</permission-trees></last-platform-version></packages>
This XML file stores two things 1. permissions 2. package (application), permission are store under <permissions> tag. Each Permission has three attributes namely name, package and protection. The name attribute has permission name, which we are using in AndroidManifest.xml, the package attribute indicates permission belonging to package. In most cases "android" is the value, because the <permission> tag contains default permissions and protection indicates level of security.

The package tag contain 10 attributes and a few sub tags. Sr | Attribute Name | Description | 1 | name | package name | 2 | codePath | APK file installation location (/system/app/ or /data/app/) | 3 | nativeLibraryPath | native library (*.so file) default path is /data/data/<package name>/lib/ | 4 | flag | Store ApplicationInfo Flags [http://developer.android.com/reference/android/content/pm/ApplicationInfo.html] | 5 | ft | timestamp in hex format | 6 | lt | timestamp in hex format of first time installation | 7 | ut | timestamp in hex format of last update | 8 | version | Version Code from AndroidManifest.xml file []http://developer.android.com/guide/topics/manifest/manifest-element.html#vcode] | 9 | sharedUserId | The name of Linux user ID that will be shared with other applications, It is same parameter which we define in AndroidManifest.xml [http://developer.android.com/guide/topics/manifest/manifest-element.html#uid] | 10 | userId | The name of a Linux user ID |
Sub Tags a. sigs signature information, count attribute represents the number of cert tag. b. cert contain certification key, index attribute represents the global index of certificate. I have found that it increments when new certificates are installed with the application. c. perms contain permission which developer has set in AndroidManifest.xml
2. packages.list : It is simple text file containing package name, user id, flag and data directory. I can't find any perfect description, but I assume that the packages.list file may provide faster lookup of installed packages, because it keeps important information only. view source print? 1.com.android.launcher 10013 0 /data/data/com.android.launcher
2.com.android.quicksearchbox 10033 0 /data/data/com.android.quicksearchbox
3.com.android.contacts 10001 0 /data/data/com.android.contacts
4.com.android.inputmethod.latin 10006 0 /data/data/com.android.inputmethod.latin
3. packages-stoped.xml : This file contains the package list which has stopped state. Stopped state applications cannot receive any broadcast. Refer to this link for more information about stopped state applications.

view source print? 1.<stopped-packages>
2.<pkg name="com.android.widgetpreview" nl="1"></pkg>
3.<pkg name="com.example.android.livecubes" nl="1"></pkg>
4.<pkg name="com.android.gesture.builder" nl="1"></pkg>
5.<pkg name="com.example.android.softkeyboard" nl="1"></pkg>
6.</stopped-packages>
Source code of PMS: https://android.googlesource.com/platform/frameworks/base/+/483f3b06ea84440a082e21b68ec2c2e54046f5a6/services/java/com/android/server/pm/PackageManagerService.java Android Fragmentation:
Since 2014, 19 Android official versions (from 1.0 to 4.4) have been released. New updates are available almost every three months. In addition to these AOSP versions, phone manufacturers also provide their customized OSes, oftentimes, for different carriers (Verizon, AT&T, T-Mobile, etc.) and different countries. For example, Samsung has so far released over 10,000 different versions to serve its customer’s world wide. Many of them co-exist on today’s Android market, causing what is so called Android fragmentation [3]. On the other hand, these versions are being steadily upgraded to newer ones: it is reported that within the recent 6 months, the market share of Jelly Bean (Android 4.1+) has increased from 25% to 48.6%.
Android Updatation:
After the user clicks on the system update button under Android Setting, an upgrading image (called “Over the Air” or OTA) is downloaded from the device manufacturer’s servers1. The image includes bootloader.img, other system files and a set of Android application package files distributed across different directories. Some of them are patches to the existing files (on the old system), which typically end with “.p” (e.g., radio.img.p). Once receiving the image, the Android device reboots into a recovery mode, where it verifies the authenticity and integrity of the image and then replaces existing system files such as bootloader, Package Manager Service and APKs under the system directory with the new ones. After this is done, the device reboots into the new OS and continues to update other system components through different Android services, including Activity Manager, Service Manager, User Manager Service, Package Manager Service, Input Manager, etc. Of particular interest here is Package Manager Service (PMS), which we investigated in our research. PMS is an Android service for installing, upgrading, configuring and removing application packages. When it comes to upgrading, the service installs or reinstalls all system apps (new and existing ones from the old OS) under /system/directory, and then existing third-party apps (user installed) under /data/app onto the new OS. When installing an app, PMS registers its permissions2, shared UID, activities, intent filters, actions, services and others. What complicates this installation process is the presence of duplicated attributes (e.g., package names, shared UIDs, etc.) and properties (e.g.,permissions). In this case, PMS needs to decide which one to install. For this purpose, it builds a data structure mSettings to record all such information about existing apps on the old OS, which includes a group of lists (in the HashMap type) such as mPackages, mUserIds, mSharedUsers mPermissions, etc. Whenever a new system package is about to be installed or its properties to be registered, PMS first looks up these lists to find out whether another package with the same attributes like package names3 or duplicated properties like permissions already exists in the old system. This happens, for example, when a high-version system app is installed on the old OS to replace its low-version counterpart.
Once a new package or its property is found to be already in the old system, the decision on which one to keep is made case by case, based upon the nature of the package or the property. For example, an app from the updating image will replace an existing one if the former has a higher version number than that of the latter. PMS uses the same program logic for both system upgrading and normal app installation: that is, the decision on whether to install a new system app or register its properties is always made in the same way as when a third-party app to be installed is found in conflict with an existing app.
Pileup flaws:
In this section, we elaborate the Pileup vulnerabilities discovered from Android PMS and our exploits on them. All the problems we found are essentially a type of broadly defined privilege escalation weaknesses, by which we refer to not only the situation where an unauthorized party gains elevated access to protected resources but also when it acquires elevated capabilities to deny authorized parties’ access to the resources. We present those problems below.:
Permission Harvesting and Preempting:
At the center of the Android security architecture is its permission and sandbox model. Each app runs within its own sandbox, separated from other apps. To gain any additional capabilities that would impact other apps or the OS, the app needs to explicitly request a permission (within its manifest.xml) before it is installed. These permissions are used to guard resources such as Internet, camera, storage, etc. They are categorized into protection levels [4], among which most common are normal (automatically granted to apps when requested), dangerous (granted based upon the user’s consent), signature (granted to apps signed with the same certificate as the one that declares the permission), System (granted to system apps on the system image) and a combination signatureOrSystem (granted to system apps or those signed with the same certificate). All the standard (AOSP) permissions are declared by system packages android and others located under /system/. Third-party apps can also define their own permissions, which can be requested by others. As discussed above, right before an app is about to be installed, PMS needs to check the permission it requests, and most of the time, turns to the device user for consent. All such requests are specified in the app’s manifest file. What is interesting here is that when PMS goes through the manifest, it ignores all those it fails to recognize, and never reports them to the user. This design, presumably, is for handling the third-party apps that are not well implemented. The problem is that the adversary can take advantage of this opportunity, letting his malicious app ask for a set of dangerous permissions only declared on a higher Android version without being noticed by the device user. When the OS is being upgraded to the higher version, PMS first installs all new and existing system apps and registers the permissions they declare, and then moves on to install thirdparty apps from the old OS. When it is the malicious app’s turn, this time, PMS recognizes all the permissions it requests, including the ones that come with new system packages and have just been defined. In this case, everything that the app asks for is just silently granted, since these permissions are with an existing app and supposed to have already been approved by the user. However, as we know, the truth is that those new dangerous permissions have never been identified by the system before the updating and are thus never known to the user. Exploiting this weakness, a malicious app can “harvest”permissions (i.e., requesting them on the old system) and wait until an update to get them. Note that this attack can only get the app dangerous level permissions, since signature and system permissions declared by system apps cannot be granted to the third-party app and an attempt to get them will be identified during permission registration. However, there is a way to get the permissions at signature and system level: the malicious app can preempt the permissions from the new system and simply define them when it is installed. Again, since there is no such permissions on the old system, the OS just lets the app declare them, which includes specification of the permissions’ protection levels and descriptions. This process does not need the user’s intervention at all, as all these permissions are used to protect the sources that come with the app. During an update, PMS reads all existing permissions (on the old system) into the list mSettings.mPermissions. When it registers a new permission defined by a new system package, it first goes through the list: once this permission has been found on the list and the package that first defines it (on the old system) is different from the current one, the permission definition part (for the system package) is skipped. As a result, the old permission, which has been declared by the malicious app, is automatically elevated to the one that guards new system resources. That is, whenever any app needs to access the resources, a related Android service will check whether the app has this permission. Note that not only does the malicious app that defines the permission get the permission (even at the signature and system level), it is also the party that specifies the protection-level of the permission and its descriptions. In other words, the adversary can lower a system permission to a normal one and arbitrarily set its descriptions.
Shared UID Grabbing
Android security has been built upon Linux user protection. Each app running on Android is assigned a UID, which prevents it from accessing other apps’ information assets. An exception, however, is provided for those bearing the same shared UID, an attribute that comes with individual app. Specifically, two apps can declare in their manifests an identical shared UID under android: sharedUserID [17], a constant string, which causes the OS to assign them the same UID (a number) when they are installed, if they are also signed by the same party. When this happens, these apps can access each other’s data and even execute in the same process. Note that on the same device, by no means should two apps signed by different parties share their UIDs, which will completely open them to each other in terms of their individual information assets. However, this conservative treatment can be exploited by the adversary, who can craft an app bearing the same package name and shared UID as the system app from a higher-version OS. During upgrading, the app can block the installation of the system app. Interestingly, even in the case that PMS does not identify any package conflict and thus pkgSetting contains the settings from the system package itself, as long as the new package configures a shared UID, Android will retrieve from mSettings all existing packages with the same Shared UID and inspect their signatures to find out any inconsistency with that on the new package. If one such app is signed by a different party, the new package will not be installed. In this way, a malicious app only needs to preempt the new package’s shared UID to knock it out of the system. When the updating process moves Android into the recovery mode, all the APKs files under the system directory are replaced with the new ones. As a result, once a new system app fails to install, it becomes completely missing on the new OS, as its old version under system on the original system (before the upgrading) has already been overwritten. This gives the adversary an opportunity to install a malicious one in its replacement, which can be done by downloading another package through the existing malicious one, making it look like part of the upgrading. As an example an app claimed the shared UID com.google.android.calendar on 4.0.4. After the upgrading, it successfully blocked the installation of the new official calendar app without user’s awareness. Given the original calendar app was already removed, we filled this blank with a malicious calendar downloaded through the attack app, which set a filter for receiving all the intents for adding events to the calendar. This malicious calendar can be made to have the same user interface as the official calendar app.
Reuse of existing data.
Android keeps the data for both system and third-party apps under directory /data/data/PackageName, which is owned by a unique Linux UID in the absence of UID sharing. An app is only allowed to access the information under its own data directory. During an update, PMS will compare the UID recorded within pkgSetting with that of the existing data directory associated with the package name of the new system app being installed, keeping the directory when they match and clear the directory otherwise. The UID within pkgSetting is typically a new one assigned by Linux to the new system app. However, when there is another app installed on the old OS with the same package name and Shared UID. pkgSetting will contain the existing app’s information. The UID within pkgSetting is naturally the owner of its data directory under the inspection. When this happens, if the shared UIDs of the two apps are both empty, the new system app is installed but the data of the existing app is left and incorporated into the new app. Therefore, a malicious app that bears the package name of a new system app when neither has a shared UID, will be able to contaminate the latter’s data through OS upgrading. (Note that the malicious app will not be reinstalled successfully later for the package name conflict which means it will not exist in the new OS). The consequences here are serious and diverse, depending on the natures of the new apps.
Exploiting permission tree.
On Android, a permission typically can only be defined before an app has been installed. An exception is when the app specifies a permission tree [13], which is the base name (root) of a tree of permissions. An app can define such a base name in its manifest file so as to claim the ownership of all permission names within the tree. For example, given a base com.example, permissions like com.example.math1, com.example.math1.add, com.example.math2 etc. all belong to the tree. Once declaring the tree, the app controls the whole name space defined by the root, and can then add individual permission within the tree during its runtime. As discussed before, Android does not allow the existence of two permissions with the same name. What the adversary can do here is to define a permission tree, covering permissions to be added by a new Android version, through his app on a low-version OS. Those permissions are not defined yet but their names are all owned by the malicious app. During an update, PMS checks the mPermissiontrees list under mSettings before registering any new permission.
Whenever a permission’s name is found to be covered by an existing tree declared by a different package from the system package that is registering the permission, its registration process fails. Interestingly, since by default, PMS assigns every permission a signature protection-level before changing it to the actual levels at the end of a registration, this disruption produces a signature permission no one can gets, and thus prevents legitimate apps from accessing the resources the permission guards. As one example, permission.ADD_VOICEMAIL, the permission required to add voicemail became inaccessible to legitimate apps due to our attack when updating from Android 2.3 to 4.0. Also interestingly, we found that even in the presence of a permission tree defined by a system app already on the old system, the malicious app can still prevent the new system from registering any new permissions covered by the existing, legitimate tree. The key issue here is that Android allows our app to define another permission tree that also covers the existing one. For example, even though the system app google.android.gsf on Google Nexus already defines the tree google.apps.permission.GOOGLE_AUTH, our app can still declare a permission tree google.apps. permission. As a result, any related new permissions the new system adds will not be able to register even if they are within the name space of google.apps.permission.GOOGLE_AUTH, as they are also covered by our permission tree. Also note that the device user will not be aware of this problem, as Android never notifies her the failure of the registration. We found that this vulnerability can be exploited on every single Android version, given the large number of new permissions added by each update.
Blocking Google Play Services.
Google Play Services is a critical package introduced by Android 4.0 on Google compatible devices. It is used to update apps from Google Play, offering key supports for authentication, synchronized contacts, access to user private settings and location-based services. Its absence will disable some important system apps and third-party apps. We found that when a device is upgraded from Android 2.3 to 4.0 on Nexus S, this critical service is actually not part of the update image as a system app. Instead, after installing all new and existing apps, Android downloads this package from the Internet and installs it as third-party app. As a result, a malicious app on 2.3.6 using the same package name will stop the installation of the service, simply because PMS cannot have two packages with the same name coexist on the OS.
Malware distribution:
Malicious apps exploiting Pileup flaws can be easily disseminated in practice. If one attempt to upload them to both Google Play and third-party Android marketplaces. It turns out that all the apps relying on the seizure of new permissions, UIDs and content provider names have no problem being added to
Google Play. Therefore, the attack code for most exploits can be conveniently distributed and delivered to Android users. On the other hand, Google does check package names and disallows those having name conflicts with existing packages to be uploaded. However, such a restriction does not exist on third-party marketplaces so one can successfully posted his/her malicious apps using system package names on popular third party markets including Amazon Appstore, appfutura.com, appslib.com, 1mobile.com and others. Also, the adversary can propagate the malware through other channels, for example, by sending a phone user the malicious app in email attachments or just a link to download the app.

Conclusion:
Android devices are frequently upgraded, replacing and adding tens of thousands of files on a live system in the presence of a large amount of user data and existing apps. To ensure that this process goes smoothly without endangering such user assets, the Android update mechanism involves complicated program logic and inevitably becomes error-prone. In this paper, we report the first systematic study on the security implications of this problem. Our research reveals Pileup, a new type of privilege escalation vulnerabilities within the updating logic. Exploiting Pileup flaws, a malicious app can use what it declares on a low-version system to gain system capabilities on the new OS after an upgrade, involving gaining system and signature level permissions, substituting system apps, contaminating browser data and blocking the installation of new system apps. We performed a large-scale measurement study to confirm the presence of such flaws in all Android versions, official or customized.