Understanding Android Security
description
Transcript of Understanding Android Security
UNDERSTANDING ANDROID SECURITY
Presented By Abhishek Singh
Computer Science DepartmentKent state University
WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL
Outline Introduction History Android OS Android development structure Android ADT interface Example Application Security Enforcement Security refinement
Introduction Next generation of open operating
system . Not only complaint with desktops and
mainframe. Now computing is integrating with mobile
open operating system. Increasing data service in cell phones More secure and invulnerable OS is
indispensible.
History Android In was founded in Palo Alto
California United state by Andy Rubin , Rich Miner and Chris White – October 2003
Google acquired Android Inc – August 2006 The Open Handset Alliance , a consortium
of several companies was formed – 5 November 2007
First Android Device , the HTC Dream(G1) , featuring Android 1.0
Android OS Open operating system designed for
mobiles , tablets and other systems. Application middle layer , java software
development tool kit (SDK) and system applications.
Extension to Google Service Integration - Gmail , Calendar , Contacts
and Web Application
Continue… Android officially doesn’t support
application on top of java middleware layer running in a embedded Linux kernel.
Controlled application interaction with its API
Permission label assignment model to restrict to access resources and other application.
Android Application developmentStructure
It doesn’t have main function It doesn’t have single entry point for the
execution of the whole application. Application in android is segmented into
many different components . Like - Main activity , manifest file , XML
file
Android – ADT interface
Example Application
Functionality of an application ramified into two different applications.
Components There are primarily four components 1. Activity - It is the application user
interface , in this each screen for an activity is designed.
2.Service – it is a background processing for using different service(like camera , Bluetooth , internet service etc)
3.Content Provider – It stores data and retrieve using relational database interface .
4.Broadcast receiver- Act as a mailbox for other applications.
Interaction between two components
•Primary mechanism for component interaction is Intent (Message box container) .•To start the Main activity 1. Start Activity (Intent) 2. start Service (Intent) 3. send Broadcast (Intent)
Continue… To execute the main application android
framework invoke these 3 methods Inter component communication(ICC) is
called Action i.e. particular intend to action string.
Each ICC actions depends upon the target component.
Friend Viewer– starts – FriendMap activity (Screen)
Security Enforcement
Security Enforcement Protection : 1. System Level 2. ICC level ICC core security framework Each application – Unique user Identity Restrict damage from programming flaws Which in turn restrict exploitation to
other applications.
MAC(Mandatory Access Control)
Permission labels are assigned to each application.
Restrict from using all resource .
MAC Enforcement
Permissions <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.android.apis"> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.WRITE_CONTACTS" /> <uses-permission android:name="android.permission.VIBRATE" /> <uses-permission
android:name="android.permission.ACCESS_COARSE_LOCATION" /> <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.SET_WALLPAPER" /> <uses-permission
android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> <uses-permission android:name="android.permission.SEND_SMS" /> <uses-permission android:name="android.permission.RECEIVE_SMS" /> <uses-permission android:name="android.permission.NFC" /> <!-- For android.media.audiofx.Visualizer --> <uses-permission android:name="android.permission.RECORD_AUDIO" /> <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="14" /> <!-- We will request access to the camera, saying we require a camera of some sort but not one with autofocus capability. --> <uses-permission android:name="android.permission.CAMERA" />
Security Enforcement1. Public Vs Private Components : Restrict access of an application component from another
application (like stored password for security) by defining it as private component.
1. II. Implicitly Open Components : If the access permission at the application development
time is not clear Android permits any application to access it.
III. Broadcast Intent Permission: If the broadcast intent is not protected it leads to
privacy risk. Developer control how information is disseminated by
specify a permission label to restrict access to the intent object.
Security Enforcement Content Provider Permission: Android allow developer to assigning read
and write permission on contents, so that every content can be update only by its application
and available to read for other application.
Protected APIs: To some system resources Android provide
direct API access and to protect these APIs, addition permission label is use. Application
has to delayer a corresponding permission label in its manifest file.
Security Enforcement Permission Protection Levels: framework developer can use the specific
functionality (for ex. Google app can use telephony or API directly)
Pending intent : Intent object is define to perform an action,
instead of performing action developer passes the intent to special method which create Pending Intent.
The Pending Intent object is simply a reference pointer that can pass to another application via ICC. It included in framework to work with third party application.
Rooting (Android OS) Processes of allowing user to have
privilege control or root access. Modify system files: themes, core apps,
boot images, linux binaries, etc. Run applications that require system level access. Balance the risk with freedom
Open Area of Research Complex Update Process Continuous
Internet Connection Operating System Fragmentation Android: Good for Consumers, Bad for
Developers Security Issues Advertisements
References Official Android website: www.android.com
/ developer.android.com J.P. Anderson, Computer Security
Technology Planning Study, tech. report ESD-TR-73-51, Mitre, Oct. 1972.
M.A. Harrison, W.L. Ruzzo, and J.D. Ullman, “Protection in Operating Systems,” Comm. ACM,
http://securityevaluators.com/content/case-studies/android/
Wikipedia , Google
Reference http://securityevaluators.com/content/cas
e-studies/android/