Abstract
Rooting an Android device means exploiting system vulnerabilities or flashing the device so that applications can perform operations that require Root privileges. Users often root their devices to customize them or to install privileged applications, but rooting a device introduces serious security risks. An attacker who obtains Root privileges can silently install malicious applications, steal sensitive user data, and tamper with applications. Because of these risks, the Android system and most applications do not want the device to be rooted. For this reason, the SafetyNet module in the Google Mobile Services framework provides platform-level Root detection. However, the security and robustness of the SafetyNet Root detection mechanism are not yet fully clear; the most prominent open question is whether the mechanism can be bypassed. This paper therefore uses reverse engineering to analyze the Root detection mechanism of SafetyNet in the Google Mobile Services framework and, drawing on the technical principles of rooting, analyzes how the detection is implemented and identifies its weaknesses. Attack experiments show that the implementation of Google's platform-level Root detection mechanism carries a high security risk and has difficulty detecting the Root method designed in this paper. This work implies that the security of current Root detection mechanisms should be further improved.
Authors
朱舒阳
梁彬
白石磊
杨超群
石文昌
ZHU Shu-yang; LIANG Bin; BAI Shi-lei; YANG Chao-qun; SHI Wen-chang (Key Laboratory of Data Engineering and Knowledge Engineering (Renmin University of China) of Ministry of Education, Beijing 100872, China; School of Information, Renmin University of China, Beijing 100872, China)
Source
《北京理工大学学报》
EI
CAS
CSCD
PKU Core Journal
2019, No. 1, pp. 81-87 (7 pages)
Transactions of Beijing Institute of Technology
Funding
National Natural Science Foundation of China (61170240, 91418206, 61472429)
National Science and Technology Major Project (2012ZX01039-004)
Keywords
Root detection
reverse engineering
detection evasion