This week at BSides Las Vegas, zLabs’ security researcher, Tamir Zahavi-Brunner (@tamir_zb) is conducting a session titled “Treble or Trouble: Where Android’s latest security enhancements help, and where they fail.”
Tamir’s work is another example of why zLabs is recognized as the world’s most qualified and talented collection of researchers focused 100% exclusively on mobile.
Treble or Trouble: Where Android’s latest security enhancements help, and where they fail.
In today’s security world it is well understood that it is impossible to eliminate all bugs. This is why, in order to limit vulnerabilities, security enhancements are introduced as an extra line of defence: attack surfaces are narrowed and mitigations are added to make exploitation harder. Google applies this approach extensively in Android, adding more security enhancements in each major Android version, including Project Treble, recently added in Android 8.
We decided to look deeper into Project Treble and examine how beneficial to security it really is. During our research, we found a very dangerous vulnerability in areas related to Project Treble. Not only did Project Treble do nothing to prevent this vulnerability, it was actually the reason it was introduced.
In this talk we will review the inner workings of Project Treble. We will look at the refactoring that Android services went through and point out multiple issues with it. We will also cover the details of the vulnerability we found and its impact. We found that while Google were keen to announce a new enhancement with a flashy name, its implementation was somewhat neglected.