Android OS Security

Omar Alaql, Kent State University, July 8, 2013


Page 1: Android OS Security

Android OS Security

Omar Alaql
July 8, 2013
Kent State University

Page 2: Android OS Security

Outline:

• Introduction.
• History.
• Android Architecture.
• Security and privacy.
• Vulnerabilities.
• Application piracy.
• Security Measures.
• Conclusion.

Page 3: Android OS Security

Introduction

• Android is a Linux-based operating system.
• Android is open source,
  – freely modified and distributed by device manufacturers, wireless carriers and enthusiast developers.
• The world's most widely used smartphone platform, holding 75% of the smartphone market.
  – Due to the broad range of manufacturers.

Page 4: Android OS Security


Page 5: Android OS Security

History

• Initially developed by Android Inc.
• Android, Inc. was founded in Palo Alto, California in October 2003 by Andy Rubin.
• Acquired later by Google in 2005.
• The first commercially available phone to run Android was the HTC Dream, released on October 22, 2008.

Page 6: Android OS Security


Android versions

Page 7: Android OS Security


Android Architecture

Page 8: Android OS Security

Security and privacy

• Android device owners are not given root access.
  – However, it can be obtained by exploiting security flaws in Android.
    • Used frequently by the open source community to enhance the capabilities of their devices.
    • Used by malicious parties to install viruses and malware.

Page 9: Android OS Security

Security and privacy

• Android applications run in a sandbox.
• A sandbox is an isolated area of the system that does not have access to the rest of the system's resources,
  – unless access permissions are granted by the user.
• Sandboxing
  – reduces the impact of vulnerabilities and bugs in applications.
  – prevents malicious processes from crossing between applications.

Page 10: Android OS Security

Security and privacy

• Android is becoming the most-targeted mobile platform.
• The open nature of Android and its large user base have made it an attractive and profitable platform to attack.
• Google provides major updates to Android every six to nine months,
  – but a majority of Android users have not been able to upgrade to the new OS because the process is controlled by the carriers (one of the biggest security threats).

Page 11: Android OS Security

Security and privacy

• Has no internal back-up restoration.
  – There are many third-party applications for backup.
• Deficiency of hardware data encryption.
  – Honeycomb operating software has hardware encryption problems.
• A lot of Android malware and fake anti-malware.
  – Increased more than 400% this year.
• Lookout Mobile Security, AVG Technologies and McAfee have released antivirus software for Android devices.

Page 12: Android OS Security

Vulnerabilities

• The Android Market:
  – A number of malware-infected apps and games are being made available to users.
  – Google currently uses its Google Bouncer malware scanner to watch over and scan the Google Play store apps.
• Application permissions:
  – The reality is that many apps request permission to access sensitive content they have no actual need for.
• Untrusted third-party applications.
  – Difficult to identify reputable vendors.

Page 13: Android OS Security

Vulnerabilities

• Rooting:
  – The process of gaining root access.
  – Akin to jailbreaking an iPhone.
  – Opens up additional functionality and services to users.
  – Common exploit used by malicious applications.
• Wi-Fi:
  – Compromise on unprotected Wi-Fi networks.
  – FaceNiff: intercepts social networking logins.
• The latest vulnerability was detected last week, July 4, 2013:
  – SMS phishing scams.

Page 14: Android OS Security

Application piracy

• In 2010, Google released a tool for validating authorized purchases for use within apps.
  – Insufficient and trivial to crack.
• In 2012, Google released a feature in Android 4.1 that encrypted paid applications so that they would only work on the device on which they were purchased.
  – Deactivated due to technical issues.

Page 15: Android OS Security

Security Measures

• Permissions management:
  – LBE Privacy Guard acts as somewhat of an application firewall.
    • Grants the user the ability to block an application's individual permissions.
  – Kirin:
    • Determines whether the requested permissions are relevant or not.
• Installing trusted packages:
  – The ability to install non-Market applications.
  – APK: the standard Android install file format.
  – A program called APK Inspector has recently been released that will scan the assets, resources, and certificates contained within the APK to ensure it is secure.
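The Kirin item under Permissions management above, and the earlier point that apps request permissions they do not need, can be illustrated with an install-time check that rejects risky permission combinations. This is an added example, not Kirin's code or part of the original slides; the rule set, the sample manifest and the function names are constructed, and it assumes the manifest has already been decoded to plain XML (inside an APK it is stored in a binary form).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed rules: a rule fires only when an app requests every permission
# in the set, since the combination is what enables the abuse.
RULES = {
    "record-calls-and-upload": {P + "READ_PHONE_STATE", P + "RECORD_AUDIO", P + "INTERNET"},
    "track-location-from-boot": {P + "ACCESS_FINE_LOCATION", P + "RECEIVE_BOOT_COMPLETED", P + "INTERNET"},
    "intercept-sms": {P + "RECEIVE_SMS", P + "WRITE_SMS"},
}

# Constructed sample: decoded manifest of a hypothetical flashlight app that
# asks for far more than a flashlight needs.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    # For manifests from untrusted sources, prefer a hardened XML parser.
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}


def review(manifest_xml, rules=RULES):
    """Flag every rule whose full permission combination is requested."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(name for name, combo in rules.items() if combo <= perms)
    return {"permissions": sorted(perms), "violations": hits, "allow": not hits}


if __name__ == "__main__":
    result = review(FLASHLIGHT_MANIFEST)
    print("requested:", ", ".join(result["permissions"]))
    print("violations:", result["violations"] or "none")
    print("decision:", "allow" if result["allow"] else "reject")
```

Matching on combinations rather than single permissions keeps the check from rejecting every app that merely uses the network or the camera.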

Page 16: Android OS Security

Security Measures

• Trace and wipe:
  – If your Android device is lost or stolen, you can use these applications to remotely ping the device for its location and/or instruct it to delete specific content.
    • Invisible.
    • Send remote commands.
    • Get the current GPS location.
    • Activate a loud siren.
    • Let the phone call you back and listen to what happens on the other side.

Page 17: Android OS Security

Security Measures

• Anti-virus:
  – None of these apps ask for root access, and therefore they fail to search for infections in the area of the device that is most targeted and vulnerable.
  – They cover the apps folders, SD card, SMS, and contacts.
  – DroidSecurity, Lookout.
• Link security:
  – Malicious links are always loitering in the background waiting to seduce and ensnare hapless users.
  – There are a number of vendors that have created link security applications.

Page 18: Android OS Security

Conclusion

• There is no one-stop effective security measure that can be implemented on an Android operating system.
• To be secure:
  – Use built-in security features.
  – Avoid free, unsecured Wi-Fi access.
  – Scrutinize every app you download regardless of source.
  – Understand the permissions before accepting them.
  – Use an effective security app.
