Treble or Trouble: Where Android's latest security enhancements help, and where they fail

In today’s security world it is well understood that it is impossible to eliminate all bugs. This is why, in order to limit vulnerabilities, security enhancements are introduced as an extra line of defence: attack surfaces are narrowed and mitigations are added to make exploitation harder. This is an approach Google uses extensively in Android. Each major Android version adds more security enhancements, including Project Treble, recently added in Android 8.

We decided to look deeper into Project Treble and examine how beneficial to security it really is. During our research, we found a very dangerous vulnerability in areas related to Project Treble. Not only did Project Treble do nothing to prevent this vulnerability, it was actually the reason it was introduced.

In this talk we will review the inner workings of Project Treble. We will look at the refactoring that Android services went through and point out multiple issues with it. We will also cover the details of the vulnerability we found, and its impact. We found that while Google were keen to announce a new enhancement with a flashy name, its implementation was somewhat neglected.

Presented by