Cover -- Title Page -- Copyright -- Contents -- Chapter 1 Looking at the Ecosystem -- Understanding Android's Roots -- Company History -- Version History -- Examining the Device Pool -- Open Source, Mostly -- Understanding Android Stakeholders -- Google -- Hardware Vendors -- Carriers -- Developers -- Users -- Grasping Ecosystem Complexities -- Fragmentation -- Compatibility -- Update Issues -- Security versus Openness -- Public Disclosures -- Summary -- Chapter 2 Android Security Design and Architecture -- Understanding Android System Architecture -- Understanding Security Boundaries and Enforcement -- Android's Sandbox -- Android Permissions -- Looking Closer at the Layers -- Android Applications -- The Android Framework -- The Dalvik Virtual Machine -- User-Space Native Code -- The Kernel -- Complex Security, Complex Exploits -- Summary -- Chapter 3 Rooting Your Device -- Understanding the Partition Layout -- Determining the Partition Layout -- Understanding the Boot Process -- Accessing Download Mode -- Locked and Unlocked Boot Loaders -- Stock and Custom Recovery Images -- Rooting with an Unlocked Boot Loader -- Rooting with a Locked Boot Loader -- Gaining Root on a Booted System -- NAND Locks, Temporary Root, and Permanent Root -- Persisting a Soft Root -- History of Known Attacks -- Kernel: Wunderbar/asroot -- Recovery: Volez -- Udev: Exploid -- Adbd: RageAgainstTheCage -- Zygote: Zimperlich and Zysploit -- Ashmem: KillingInTheNameOf and psneuter -- Vold: GingerBreak -- PowerVR: levitator -- Libsysutils: zergRush -- Kernel: mempodroid -- File Permission and Symbolic Link-Related Attacks -- Adb Restore Race Condition -- Exynos4: exynos-abuse -- Diag: lit / diaggetroot -- Summary -- Chapter 4 Reviewing Application Security -- Common Issues -- App Permission Issues.

Insecure Transmission of Sensitive Data -- Insecure Data Storage -- Information Leakage Through Logs -- Unsecured IPC Endpoints -- Case Study: Mobile Security App -- Profiling -- Static Analysis -- Dynamic Analysis -- Attack -- Case Study: SIP Client -- Enter Drozer -- Discovery -- Snarfing -- Injection -- Summary -- Chapter 5 Understanding Android's Attack Surface -- An Attack Terminology Primer -- Attack Vectors -- Attack Surfaces -- Classifying Attack Surfaces -- Surface Properties -- Classification Decisions -- Remote Attack Surfaces -- Networking Concepts -- Networking Stacks -- Exposed Network Services -- Mobile Technologies -- Client-side Attack Surface -- Google Infrastructure -- Physical Adjacency -- Wireless Communications -- Other Technologies -- Local Attack Surfaces -- Exploring the File System -- Finding Other Local Attack Surfaces -- Physical Attack Surfaces -- Dismantling Devices -- USB -- Other Physical Attack Surfaces -- Third-Party Modifications -- Summary -- Chapter 6 Finding Vulnerabilities with Fuzz Testing -- Fuzzing Background -- Identifying a Target -- Crafting Malformed Inputs -- Processing Inputs -- Monitoring Results -- Fuzzing on Android -- Fuzzing Broadcast Receivers -- Identifying a Target -- Generating Inputs -- Delivering Inputs -- Monitoring Testing -- Fuzzing Chrome for Android -- Selecting a Technology to Target -- Generating Inputs -- Processing Inputs -- Monitoring Testing -- Fuzzing the USB Attack Surface -- USB Fuzzing Challenges -- Selecting a Target Mode -- Generating Inputs -- Processing Inputs -- Monitoring Testing -- Summary -- Chapter 7 Debugging and Analyzing Vulnerabilities -- Getting All Available Information -- Choosing a Toolchain -- Debugging with Crash Dumps -- System Logs -- Tombstones -- Remote Debugging -- Debugging Dalvik Code -- Debugging an Example App.

Showing Framework Source Code -- Debugging Existing Code -- Debugging Native Code -- Debugging with the NDK -- Debugging with Eclipse -- Debugging with AOSP -- Increasing Automation -- Debugging with Symbols -- Debugging with a Non-AOSP Device -- Debugging Mixed Code -- Alternative Debugging Techniques -- Debug Statements -- On-Device Debugging -- Dynamic Binary Instrumentation -- Vulnerability Analysis -- Determining Root Cause -- Judging Exploitability -- Summary -- Chapter 8 Exploiting User Space Software -- Memory Corruption Basics -- Stack Buffer Overflows -- Heap Exploitation -- A History of Public Exploits -- GingerBreak -- zergRush -- mempodroid -- Exploiting the Android Browser -- Understanding the Bug -- Controlling the Heap -- Summary -- Chapter 9 Return Oriented Programming -- History and Motivation -- Separate Code and Instruction Cache -- Basics of ROP on ARM -- ARM Subroutine Calls -- Combining Gadgets into a Chain -- Identifying Potential Gadgets -- Case Study: Android 4.0.1 Linker -- Pivoting the Stack Pointer -- Executing Arbitrary Code from a New Mapping -- Summary -- Chapter 10 Hacking and Attacking the Kernel -- Android's Linux Kernel -- Extracting Kernels -- Extracting from Stock Firmware -- Extracting from Devices -- Getting the Kernel from a Boot Image -- Decompressing the Kernel -- Running Custom Kernel Code -- Obtaining Source Code -- Setting Up a Build Environment -- Configuring the Kernel -- Using Custom Kernel Modules -- Building a Custom Kernel -- Creating a Boot Image -- Booting a Custom Kernel -- Debugging the Kernel -- Obtaining Kernel Crash Reports -- Understanding an Oops -- Live Debugging with KGDB -- Exploiting the Kernel -- Typical Android Kernels -- Extracting Addresses -- Case Studies -- Summary -- Chapter 11 Attacking the Radio Interface Layer -- Introduction to the RIL.

RIL Architecture -- Smartphone Architecture -- The Android Telephony Stack -- Telephony Stack Customization -- The RIL Daemon (rild) -- The Vendor-RIL API -- Short Message Service (SMS) -- Sending and Receiving SMS Messages -- SMS Message Format -- Interacting with the Modem -- Emulating the Modem for Fuzzing -- Fuzzing SMS on Android -- Summary -- Chapter 12 Exploit Mitigations -- Classifying Mitigations -- Code Signing -- Hardening the Heap -- Protecting Against Integer Overflows -- Preventing Data Execution -- Address Space Layout Randomization -- Protecting the Stack -- Format String Protections -- Read-Only Relocations -- Sandboxing -- Fortifying Source Code -- Access Control Mechanisms -- Protecting the Kernel -- Pointer and Log Restrictions -- Protecting the Zero Page -- Read-Only Memory Regions -- Other Hardening Measures -- Summary of Exploit Mitigations -- Disabling Mitigation Features -- Changing Your Personality -- Altering Binaries -- Tweaking the Kernel -- Overcoming Exploit Mitigations -- Overcoming Stack Protections -- Overcoming ASLR -- Overcoming Data Execution Protections -- Overcoming Kernel Protections -- Looking to the Future -- Official Projects Underway -- Community Kernel Hardening Efforts -- A Bit of Speculation -- Summary -- Chapter 13 Hardware Attacks -- Interfacing with Hardware Devices -- UART Serial Interfaces -- I2C, SPI, and One-Wire Interfaces -- JTAG -- Finding Debug Interfaces -- Identifying Components -- Getting Specifications -- Difficulty Identifying Components -- Intercepting, Monitoring, and Injecting Data -- USB -- I2C, SPI, and UART Serial Interfaces -- Stealing Secrets and Firmware -- Accessing Firmware Unobtrusively -- Destructively Accessing the Firmware -- What Do You Do with a Dump? -- Pitfalls -- Custom Interfaces -- Binary/Proprietary Data -- Blown Debug Interfaces.

Chip Passwords -- Boot Loader Passwords, Hotkeys, and Silent Terminals -- Customized Boot Sequences -- Unexposed Address Lines -- Anti-Reversing Epoxy -- Image Encryption, Obfuscation, and Anti-Debugging -- Summary -- Appendix A Tool Catalog -- Development Tools -- Android SDK -- Android NDK -- Eclipse -- ADT Plug-In -- ADT Bundle -- Android Studio -- Firmware Extraction and Flashing Tools -- Binwalk -- fastboot -- Samsung -- NVIDIA -- LG -- HTC -- Motorola -- Native Android Tools -- BusyBox -- setpropex -- SQLite -- strace -- Hooking and Instrumentation Tools -- ADBI Framework -- ldpreloadhook -- XPosed Framework -- Cydia Substrate -- Static Analysis Tools -- Smali and Baksmali -- Androguard -- apktool -- dex2jar -- jad -- JD-GUI -- JEB -- Radare2 -- IDA Pro and Hex-Rays Decompiler -- Application Testing Tools -- Drozer (Mercury) Framework -- iSEC Intent Sniffer and Intent Fuzzer -- Hardware Hacking Tools -- Segger J-Link -- JTAGulator -- OpenOCD -- Saleae -- Bus Pirate -- GoodFET -- Total Phase Beagle USB -- Facedancer21 -- Total Phase Beagle I2C -- Chip Quik -- Hot air gun -- Xeltek SuperPro -- IDA -- Appendix B Open Source Repositories -- Google -- AOSP -- Gerrit Code Review -- SoC Manufacturers -- AllWinner -- Intel -- Marvell -- MediaTek -- Nvidia -- Texas Instruments -- Qualcomm -- Samsung -- OEMs -- ASUS -- HTC -- LG -- Motorola -- Samsung -- Sony Mobile -- Upstream Sources -- Others -- Custom Firmware -- Linaro -- Replicant -- Code Indexes -- Individuals -- Appendix C References -- Index.