Mobile Application Security on Android
Originally presented by Jesse Burns at Black Hat 2009
What is Android?
• Smart phone operating system
• Based on the Linux kernel
• Expanded to support cellular-based communication: GSM, CDMA
• Java-like middleware
More Android
• Open source: mostly Apache v2 license; the Linux kernel is GPLv2
• Free, open APIs
• If Google uses them, so can developers
Applications
• Built from four “components”: Activity, Service, Content Provider, Broadcast Receiver
• Run in own VM sandbox using unique UID
More on Apps
• Use explicitly defined permissions
• Communicate through Intents
• Intents are Inter-Process Communications
• Applications register which Intents they wish to handle
Signatures
• Applications must be signed, but are usually self-signed
• Proves no relationship with Google, but creates chain of trust between updates and among applications
Permissions I
• >100 defined by the system
• Declared at install time in Manifest.xml
• Disclosed by PackageInstaller, protected by root ownership
Permissions II
• Applications can define arbitrary new perms
  ○ normal
  ○ dangerous
  ○ signature
  ○ signatureOrSystem
Permissions III
• Permissions checked at runtime
• SecurityException thrown if permission denied
Intents
• Core of Android IPC
• Can cross security boundaries
• Generally defined as a goal action and some data
Intents II
• Used to:
  ○ Start an Activity
  ○ Broadcast events or changes
  ○ Start, stop, or communicate with background Services
  ○ Access data held by ContentProviders
  ○ Callbacks to handle events
Intent Filters
• Used to determine recipient of Intent
• Can be overridden
• Provide no security
• Intents can explicitly define receiver
Activities
• The user interface consists of a series of Activity components
• Each Activity is a “screen”
• User actions tell an Activity to start another Activity, possibly with the expectation of a result
Activity II
• The target Activity is not necessarily in the same application
• Directly or via Intent “action strings”
• Processing stops when another Activity is “on top”
• Must be able to handle malformed Intents
• Don’t start Intents that contain sensitive data
Activity III
• Starting an Activity from an Intent

Activity IV
• Forcing an Activity to start

Activity V
• Protecting Activities
Broadcasts
• Act as receivers for multiple components
• Provide secure IPC
  ○ Done by specifying permissions on BroadcastReceiver regarding sender
• Otherwise, behave like Activities in terms of IPC
Broadcast II
• Still need to validate input just in case
• Sticky Broadcasts
  ○ Persistent
  ○ Apps require special permissions to create/destroy sticky broadcasts
  ○ No guarantee of persistence
  ○ Can’t define permission
  ○ Don’t send sensitive data
Services
• Run in background
  ○ Play music, alarm clock, etc.
• Secured using permissions
• Callers may need to verify that Service is the correct one
Services II
• Verification: check the Service’s permissions
    // name is assumed to be the ComponentName delivered to onServiceConnected();
    // res is PackageManager.PERMISSION_GRANTED only if the Service's package holds permToCheck
    int res = getPackageManager().checkPermission(permToCheck, name.getPackageName());
ContentProviders
• Generally SQL backend
• Used to share content between apps
• Access controlled through permission tags
ContentProviders II
• Apps can be dynamically authorized access
  ○ Possible security hole
• Must protect against SQL injection
  ○ Sanitize input using parameterization
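As an added illustration (not code from the talk), a provider query written both ways: the string-concatenated form, where a caller-controlled id becomes part of the SQL text, beside the parameterized form the slide calls for. The class, table and column names are constructed, and the SQLiteQueryBuilder strict mode goes beyond the slide's text.

```java
// Added example: NotesProvider, its "notes" table and columns are constructed names.
import android.content.ContentProvider;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteQueryBuilder;
import android.net.Uri;

public abstract class NotesProvider extends ContentProvider {
    private static final String TABLE = "notes";   // constructed table name
    protected SQLiteDatabase db;                   // assumed to be opened in onCreate()

    // VULNERABLE: the caller-supplied id is spliced into the SQL text, so whichever
    // app (or untrusted Intent extra) supplied it also controls the statement.
    Cursor queryUnsafe(String noteId) {
        String sql = "SELECT _id, title, body FROM " + TABLE + " WHERE _id = " + noteId;
        return db.rawQuery(sql, null);
    }

    // HARDENED: the id travels in selectionArgs; SQLite binds it as a value, so it
    // can only match or fail to match a row, never change the query's structure.
    Cursor querySafe(String noteId) {
        return db.query(TABLE, new String[] {"_id", "title", "body"},
                        "_id = ?", new String[] {noteId}, null, null, null);
    }

    // The provider's public entry point. Callers hand over their own selection and
    // selectionArgs; pinning the table and enabling strict mode (API 14+) keeps the
    // selection text from reaching beyond the intended query.
    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        SQLiteQueryBuilder qb = new SQLiteQueryBuilder();
        qb.setTables(TABLE);
        qb.setStrict(true);
        return qb.query(db, projection, selection, selectionArgs, null, null, sortOrder);
    }
}
```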
Intent Reflection
• Intents may be sent when app is called
• App sends Intent as app and not as caller: reflection
  ○ May exceed caller’s permissions
• Use PendingIntent instead; Intent correctly identified as coming from caller
File System
• Internally standard Linux file systems: yaffs2, ext*
• Support standard Unix permissions
• Vulnerabilities if permissions not set correctly
  ○ Sensitive data could be read
  ○ Other programs could write junk/waste space
File System II
• Consider what files need what protections
  ○ Config files: not writeable
  ○ Log files: not world readable
• Mass storage formatted as FAT, no Unix permissions support
  ○ All data world readable
  ○ Consider encryption
Binder
• Kernel module that provides secure IPC on top of the standard Linux shared memory architecture
• Includes interface to Parcelable
  ○ Parcelable objects are passed by Binder
• Can also move file descriptors, and other Binders
Binder II
• Efficient, secure IPC
• Check caller’s permissions / identity
• Only selectively give out interface
  ○ Once given out, interface can be disseminated freely
• All Binders are globally unique