(In)Secure Android Debugging: Security analysis and lessons learned
Krzysztof Opasiak , Wojciech Mazurczyk
AbstractUniversal Serial Bus (USB) is currently one of the most popular standards that controls communication between personal computers (PCs) and their peripheral devices. Thus, it is important to establish whether such connections are properly secured especially when USB is used to connect devices like smartphones, tablets, etc. where sensitive user data can be potentially stored. For this reason, this paper evaluates security of the recent Android versions with respect to the USB-related attacks. In particular, we present a novel approach to compromise Android-based devices by exploiting Android Debug Bridge (ADB) protocol using Man in the Middle (MitM) attacks. Comprehensive analysis of those types of attacks have revealed five novel security vulnerabilities in the Android OS. Security gaps found in this paper cannot only be used to bypass the lock screen security and to gain unauthorized access to the user’s private data but also to enable future ADB attacks by incorporating a backdoor to bypass phone security at any time. We also developed a tool which exploits all discovered vulnerabilities and can serve as a security mean to assess current ADB implementations as well as future protocol improvements. By disclosing new security weaknesses we want to raise security awareness of the users, researches, security professionals, and developers related to the USB-related attacks and to the threat they pose not only to PCs but also to the USB devices.
|Journal series||Computers & Security, ISSN 0167-4048, (A 30 pkt)|
|Publication size in sheets||0.9|
|Keywords in English||Mobile security, Android, USB, ADB, MITM|
|Score|| = 30.0, ArticleFromJournal|
= 30.0, ArticleFromJournal
|Publication indicators||: 2016 = 2.217; : 2017 = 2.65 (2) - 2017=2.862 (5)|
* presented citation count is obtained through Internet information analysis and it is close to the number calculated by the Publish or Perish system.