Android Security Essentials Presentation
Posted 19-Oct-2014
Category: Technology
Transcript of Android Security Essentials Presentation
Understanding Android Security
Android Security Essentials
Pragati Ogal Rai
Mobile Technology Evangelist
X.commerce (an eBay Inc. Company)
Agenda
Why should I understand Android's Security Model?
Android platform security model
Android application security model
Android device security
Why should I understand Android's Security Model?
Smart(er) phones
Open platform
Variety of devices
YOU control your phone
Android OS Architecture
http://developer.android.com/guide/basics/what-is-android.html
Linux Kernel
Distinct UID and GID for each application at install time
Sharing can occur through component interactions
Linux process sandbox
Linux Kernel (Cont'd)
include/linux/android_aid.h
AID_NET_BT   3002   Can create Bluetooth sockets
AID_INET     3003   Can create IPv4 and IPv6 sockets
Middleware
Dalvik VM is not a security boundary
No security manager
Permissions are enforced in the OS, not in the VM
Bytecode verification is for optimization
Native vs. Java code
Application Layer
Permissions restrict component interaction
Permission labels are defined in AndroidManifest.xml
MAC enforced by the Reference Monitor
PackageManager and ActivityManager enforce permissions
Permission Protection Levels
Normal: android.permission.VIBRATE, com.android.alarm.permission.SET_ALARM
Dangerous: android.permission.SEND_SMS, android.permission.CALL_PHONE
Signature: android.permission.FORCE_STOP_PACKAGES, android.permission.INJECT_EVENTS
SignatureOrSystem: android.permission.ACCESS_USB, android.permission.SET_TIME
User Defined Permissions
Developers can define their own permissions
Components
Activity: defines screens
Service: background processing
Broadcast Receiver: mailbox for messages from other applications
Content Provider: relational database for sharing information
Instrumentation: testing
All components are secured with permissions
Binder
Synchronous RPC mechanism
Define interface with AIDL
Same process or different processes
transact() and Binder.onTransact()
Data sent as a Parcel
Secured by caller permission or identity checking
Intents
Inter-component interaction
Asynchronous IPC
Explicit or implicit intents
Do not put sensitive data in intents
Components need not be in the same application
startActivity(Intent), sendBroadcast(Intent)
Intent Filters
Activity Manager matches intents against Intent Filters
Activity with an Intent Filter becomes exported
Activity with android:exported="true" can be started with any intent
Intent Filters cannot be secured with permissions
Add categories to restrict which intents can come through, e.g. android.intent.category.BROWSABLE
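The three slides above (protection levels and developer-defined permissions, Binder services secured by caller permission, and exported components reached through intent filters) come together in one pattern: declare a permission in the manifest, put it on the exported component, and re-check it inside every Binder transaction. The following is an added example, not code from the deck; the manifest fragment, the package com.example, the ISecretStore AIDL interface and the SecretService class are all assumptions.

```java
// Added example (not from the slides): a bound service guarded by a developer-defined
// signature-level permission. The manifest below and all names (com.example.*,
// ISecretStore, SecretService) are assumptions made for the illustration.
//
// AndroidManifest.xml (assumed):
//   <permission android:name="com.example.permission.READ_SECRET"
//               android:protectionLevel="signature" />
//   <service android:name=".SecretService"
//            android:exported="true"
//            android:permission="com.example.permission.READ_SECRET">
//       <intent-filter>
//           <action android:name="com.example.action.BIND_SECRET" />
//       </intent-filter>
//   </service>
//
// ISecretStore.aidl (assumed):
//   package com.example;
//   interface ISecretStore { String getSecret(String key); }
package com.example;

import android.app.Service;
import android.content.Intent;
import android.os.IBinder;
import java.util.HashMap;
import java.util.Map;

public class SecretService extends Service {
    static final String PERM = "com.example.permission.READ_SECRET";

    // Constructed sample data standing in for whatever the service really protects.
    private final Map<String, String> store = new HashMap<>();

    @Override
    public void onCreate() {
        super.onCreate();
        store.put("api_token", "constructed-sample-token");
    }

    // Binder object handed to clients. Each AIDL method runs on a Binder thread while
    // Binder.getCallingUid() still identifies the remote caller, so this is where the
    // per-transaction check belongs.
    private final ISecretStore.Stub binder = new ISecretStore.Stub() {
        @Override
        public String getSecret(String key) {
            // android:permission on the <service> already gates bindService(); this
            // re-checks on every call and throws SecurityException on failure. It also
            // fails when not inside an IPC, so local code cannot bypass it by accident.
            SecretService.this.enforceCallingPermission(PERM, "caller lacks " + PERM);
            String value = store.get(key);
            return value == null ? "" : value;
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

Because the permission is declared with protectionLevel="signature", only packages signed with the same key as the declaring app can be granted it, which is the same signing relationship the Application Signature slide describes. Had the intent-filter been present without android:permission, the service would have been exported to every application on the device with no check at all.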
Pending Intent
Token given to a foreign application to perform an action on your application's behalf
Uses your application's permissions
Even if its owning application's process is killed, the PendingIntent itself remains usable from other processes
Provide the component name in the base intent
PendingIntent.getActivity(Context, int, Intent, int)
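The slide's advice to put the component name in the base intent is illustrated by the added example below, which is not code from the deck. It hands a PendingIntent to AlarmManager, a system service in another process; the ResultActivity class, the action string, the extra name and the request code are assumptions.

```java
// Added example (not from the slides): building a PendingIntent that a foreign
// application (here AlarmManager, assumed as the recipient) cannot redirect. The
// ResultActivity class and the action/extra names are assumptions.
package com.example;

import android.app.Activity;
import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Build;
import android.os.SystemClock;

public final class ReminderScheduler {
    private ReminderScheduler() {}

    static final String ACTION_SHOW = "com.example.action.SHOW_RESULT";  // assumed
    static final int REQUEST_CODE = 1001;                                  // assumed

    // The base intent names the target component explicitly, so whoever later fires the
    // token can only reach ResultActivity with our permissions; an implicit base intent
    // leaves the component blank, and the holder could fill it in via Intent.fillIn().
    public static PendingIntent showResultToken(Context ctx, String orderId) {
        Intent base = new Intent(ctx, ResultActivity.class);   // explicit component
        base.setAction(ACTION_SHOW);
        base.putExtra("order_id", orderId);   // an identifier only, never a secret
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= 23) {
            // FLAG_IMMUTABLE (API 23 and later) also stops the holder altering the extras.
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getActivity(ctx, REQUEST_CODE, base, flags);
    }

    // Hands the token to AlarmManager; it will fire with this app's identity even if
    // this app's process has been killed in the meantime.
    public static void scheduleIn(Context ctx, long delayMillis, String orderId) {
        AlarmManager am = (AlarmManager) ctx.getSystemService(Context.ALARM_SERVICE);
        am.set(AlarmManager.ELAPSED_REALTIME,
               SystemClock.elapsedRealtime() + delayMillis,
               showResultToken(ctx, orderId));
    }
}

// Assumed target activity, declared only so the file is complete.
class ResultActivity extends Activity {}
```

The two things to check in review are that the base intent carries a component (Intent(Context, Class) sets one) and that nothing sensitive travels in the extras, since the token and anything it wraps outlive the creating process and are readable by whichever process holds it.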
AndroidManifest.xml
Application components
Rules for auto-resolution
Permissions
Access rules
Runtime dependencies
Runtime libraries
Application Signature
Applications are self-signed; no CA required
Signatures define persistence: detect whether the application has changed; application update
Signatures define authorship: establish trust between applications; run under the same Linux ID
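"Establish trust between applications" means comparing signing certificates, since with self-signed APKs the certificate is the only statement of authorship. The added example below, not code from the deck, shows the two checks a service can run on the process behind a Binder call: same key as ourselves (the relationship behind sharedUserId and signature-level permissions), or a specific pinned certificate. The package com.example and the certificate hash are placeholders.

```java
// Added example (not from the slides): deciding whether the app on the other end of a
// Binder call is signed with the same key as this app, or with a specific pinned
// certificate. Package and certificate values below are constructed placeholders.
package com.example;

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import android.os.Binder;
import android.os.Process;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class CallerTrust {
    private CallerTrust() {}

    // Placeholder: SHA-256 of the partner app's signing certificate (DER), lower-case hex.
    static final String PARTNER_CERT_SHA256 = "<partner-cert-sha256-placeholder>";

    // Same-key check: SIGNATURE_MATCH only when the caller's UID and ours carry exactly
    // the same certificate set. This is what lets two apps share a Linux UID and hold
    // each other's signature permissions.
    public static boolean callerSignedWithOurKey(Context ctx) {
        PackageManager pm = ctx.getPackageManager();
        return pm.checkSignatures(Binder.getCallingUid(), Process.myUid())
                == PackageManager.SIGNATURE_MATCH;
    }

    // Pinned-certificate check for trusting one specific partner app signed with a
    // different key. Every package living under the caller's UID must match, otherwise
    // a package sharing that UID could borrow the partner's trust.
    public static boolean callerSignedWithPinnedCert(Context ctx)
            throws PackageManager.NameNotFoundException, NoSuchAlgorithmException {
        PackageManager pm = ctx.getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null || pkgs.length == 0) return false;
        for (String pkg : pkgs) {
            // GET_SIGNATURES is the flag that existed when this deck was written.
            PackageInfo info = pm.getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length != 1) return false;
            if (!PARTNER_CERT_SHA256.equals(sha256Hex(info.signatures[0]))) return false;
        }
        return true;
    }

    // Hex SHA-256 over the DER-encoded certificate, the value normally pinned.
    static String sha256Hex(Signature sig) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(sig.toByteArray());
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

Both methods must be called from inside a Binder transaction; outside one, Binder.getCallingUid() returns the service's own UID and the same-key check would trivially succeed. Rejecting callers with more than one certificate keeps the pinned check from being satisfied by a package that merely includes the partner's certificate among others.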
Application Upgrade
Applications can register for auto-updates
Applications should have the same signature
No additional permissions should be added
Install location is preserved
System Packages
Come bundled with the ROM
Have signatureOrSystem permission
Cannot be uninstalled
Live in /system/app
External Storage
Starting with API 8 (Android 2.2), APKs can be stored on external devices
The APK is stored in an encrypted container called an asec file
The key is randomly generated and stored on the device
Dex files, private data and native shared libraries still reside in internal memory
External devices are mounted with noexec
VFAT does not support Linux access control
Sensitive data should be encrypted before storing
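Since VFAT carries no Linux ownership or mode bits, anything on the card is readable and writable by every application, so the slide's last point (encrypt before storing) has to cover integrity as well as confidentiality. The added example below is not code from the deck: it writes and reads an AES-GCM-protected file on external storage, with the key assumed to come from internal storage or the AndroidKeyStore and never from the card itself.

```java
// Added example (not from the slides): encrypting a file before it goes to external
// storage and decrypting it on the way back. The key is assumed to come from internal
// storage or the AndroidKeyStore; it is never written to the external medium.
package com.example;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class ExternalFileCrypto {
    private ExternalFileCrypto() {}

    static final int IV_BYTES = 12;    // GCM standard nonce size
    static final int TAG_BITS = 128;   // authentication tag; detects edits made on the card

    // File layout: iv || ciphertext || tag. A fresh random IV per write is mandatory
    // with GCM; reusing one under the same key breaks both confidentiality and integrity.
    public static void writeEncrypted(File dir, String name, byte[] plaintext, SecretKey key)
            throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");   // GCMParameterSpec: API 19+
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plaintext);
        try (FileOutputStream out = new FileOutputStream(new File(dir, name))) {
            out.write(iv);
            out.write(ciphertext);
        }
    }

    // doFinal throws AEADBadTagException (a GeneralSecurityException) if the file was
    // modified or truncated, which on a world-writable VFAT card is the case to plan for.
    public static byte[] readEncrypted(File dir, String name, SecretKey key)
            throws IOException, GeneralSecurityException {
        File f = new File(dir, name);
        byte[] blob = new byte[(int) f.length()];
        try (FileInputStream in = new FileInputStream(f)) {
            int off = 0;
            while (off < blob.length) {
                int n = in.read(blob, off, blob.length - off);
                if (n < 0) throw new IOException("truncated file " + name);
                off += n;
            }
        }
        if (blob.length < IV_BYTES + TAG_BITS / 8) throw new IOException("file too short");
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ciphertext = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return cipher.doFinal(ciphertext);
    }
}
```

A typical call passes context.getExternalFilesDir(null) as dir and a 256-bit AES key from javax.crypto.KeyGenerator that the app keeps in its private internal storage (or, on later releases, in the AndroidKeyStore). Treat a GeneralSecurityException on read as tampering rather than as a transient error.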
Device Security Features
No default access to device metadata
Extensible DRM framework
External storage (Android 2.2)
No third-party SIM card access
Protected access to cost-generating APIs
Full file system encryption (Android 3.0)
Password protection
Remote device administration (Android 2.2)
Memory management features
Summary
Linux process sandbox
Permission-based component interaction
Permission labels defined in AndroidManifest.xml
Applications need to be signed
Signatures define persistence and authorship
Install-time security decisions
Thank you!
[email protected]
@pragatiogal
http://www.slideshare.net/pragatiogal