Anil Android
8/3/2019 Anil Android
Understanding Android Security
Yinshu Wu
William Enck, Machigar Ongtang, and Patrick McDaniel
Pennsylvania State University
-
Outline
I. Introduction
II. Android Applications
III. Security Enforcement
IV. Security Refinements
V. Lessons in Defining Policy
-
Introduction
Next-generation open operating systems will be developed on small mobile devices.
Android (Google) - a widely anticipated open source operating system for mobile devices
- It provides a base operating system, an application middleware layer, a Java software development kit, and a collection of system applications.
-
Introduction (cont.)
Features of Android
1. Doesn't support applications developed for other platforms
2. Restricts application interaction to its special APIs by running each application as its own user identity
3. Uses a simple permission label assignment model to restrict access to resources and other applications
-
Android Applications --- Example
Example of a location-sensitive social networking application for mobile phones in which users can discover their friends' locations.
Activities provide a user interface, Services execute background processing, Content providers are data storage facilities, and Broadcast receivers act as mailboxes for messages from other applications.
-
Android Applications --- Example Application (cont.)
Take the FriendTracker application for example:
FriendTracker (Service) polls an external service to discover friends' locations
FriendProvider (Content provider) maintains the most recent geographic coordinates for friends
FriendTrackerControl (Activity) defines a user interface for starting and stopping the tracking functionality
BootReceiver (Broadcast receiver) gets a notification from the system once it boots (the application uses this to automatically start the FriendTracker service).
-
Android Applications --- Component Interaction
Intent - the primary mechanism for component interaction; it is simply a message object containing a destination component address and data
Action - the process of inter-component communication
-
Android Applications --- Component Interaction (cont.)
Example: Interaction between components in applications and with components in system applications. Interactions occur primarily at the component level.
-
Android Applications --- Component Interaction (cont.)
Each component type supports interaction specific to its type. For example, Service components support start, stop, and bind actions, so the FriendTrackerControl (Activity) can start and stop the FriendTracker (Service) that runs in the background.
-
Security Enforcement
Android protects applications at the system level and at the inter-component communication (ICC) level. This article focuses on ICC-level enforcement.
Each application runs as a unique user identity, which lets Android limit the potential damage of programming flaws.
-
Security Enforcement (cont.)
Example: Protection. Security enforcement in Android occurs in two places: each application executes as its own user identity, allowing the underlying Linux system to provide system-level isolation; and the Android middleware contains a reference monitor that mediates the establishment of inter-component communication (ICC).
-
Security Enforcement (cont.)
Core idea of Android security enforcement - label assignment to applications and components
A reference monitor provides mandatory access control (MAC) enforcement of how applications access components.
Access to each component is restricted by assigning it an access permission label; applications are assigned collections of permission labels.
When a component initiates ICC, the reference monitor looks at the permission labels assigned to its containing application and, if the target component's access permission label is in that collection, allows ICC establishment to proceed.
-
Security Enforcement (cont.)
Example: Access permission logic. The Android middleware implements a reference monitor providing mandatory access control (MAC) enforcement about how applications access components. The basic enforcement model is the same for all component types. Component A's ability to access components B and C is determined by comparing the access permission labels on B and C to the collection of labels assigned to application 1.
-
Security Enforcement - Conclusion
Assigning permission labels to an application specifies its protection domain. Assigning permissions to the components in an application specifies an access policy to protect its resources.
Android's policy enforcement is mandatory: all permission labels are set at install time and can't change until the application is reinstalled.
Android's permission label model only restricts access to components and doesn't currently provide information flow guarantees.
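The label comparison and install-time label assignment from the enforcement slides, as an added Python model that is not from the slides or from Android's source. `ReferenceMonitor`, the application names and the labels `l1`/`l2` are constructed for illustration, and a component with no label is treated as open to any application.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    name: str
    app: str                      # containing application
    access_label: Optional[str]   # access permission label; None = none assigned


class ReferenceMonitor:
    """Toy model of the middleware reference monitor that mediates ICC."""

    def __init__(self):
        self._app_labels = {}     # application -> frozenset of permission labels
        self._components = {}     # component name -> Component

    def install(self, app, labels, components):
        # Labels are fixed at install time and cannot change without a reinstall.
        if app in self._app_labels:
            raise ValueError(f"{app} is installed; reinstall to change labels")
        self._app_labels[app] = frozenset(labels)
        for name, label in components.items():
            self._components[name] = Component(name, app, label)

    def allow_icc(self, source, target):
        """True if component `source` may establish ICC with `target`."""
        caller = self._components[source].app
        label = self._components[target].access_label
        return label is None or label in self._app_labels[caller]

    def protection_domain(self, app):
        """Names of every component the application's labels let it reach."""
        labels = self._app_labels[app]
        return sorted(c.name for c in self._components.values()
                      if c.access_label is None or c.access_label in labels)


def build_example():
    # Constructed scenario: application 1 holds l1; B is guarded by l1, C by l2.
    rm = ReferenceMonitor()
    rm.install("application1", {"l1"}, {"A": None})
    rm.install("application2", set(), {"B": "l1", "C": "l2"})
    return rm
```

The decision depends only on the caller's label set and the target's label, so it says nothing about where data goes after an allowed access.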
-
Security Refinements --- Public vs. Private Components
Applications often contain components that another application should never access, for example a component related to password storing. The solution is to define a private component.
This significantly reduces the attack surface for many applications.
-
Security Refinements --- Implicitly Open Components
At development time, if the decision about access permission is unclear, the developer can permit the functionality by not assigning an access permission to it.
If a public component doesn't explicitly have an access permission listed in its manifest definition, Android permits any application to access it.
-
Security Refinements --- Broadcast Intent Permissions
Sending an unprotected intent is a privacy risk.
The Android API for broadcasting intents optionally allows the developer to specify a permission label to restrict access to the intent object.
-
Security Refinements --- Content Provider Permissions
The developer may want his application to be the only one to update the contents, but for other applications to be able to read them.
Android allows such a security policy by assigning read or write permissions.
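A manifest audit for the refinements above (private components, implicitly open components, and separate content provider read/write permissions), added here as an example and not taken from the slides. The manifest, package name and permission labels are constructed around the FriendTracker components; the `android:` attributes are the standard manifest ones.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest: package name and permission labels are made up.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.friendtracker">
  <application>
    <activity android:name=".FriendTrackerControl" android:exported="false"/>
    <service android:name=".FriendTracker" android:exported="true"/>
    <receiver android:name=".BootReceiver" android:exported="true"
        android:permission="org.example.permission.BOOT"/>
    <provider android:name=".FriendProvider" android:exported="true"
        android:readPermission="org.example.permission.READ_FRIENDS"/>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return (component, finding) pairs for public components lacking a label."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        name = elem.get(ANDROID + "name")
        exported = elem.get(ANDROID + "exported")
        if exported is None:
            # The default depends on intent filters and platform version.
            findings.append((name, "android:exported not declared explicitly"))
            continue
        if exported != "true":
            continue  # private component: other applications cannot reach it
        general = elem.get(ANDROID + "permission")
        if elem.tag == "provider":
            # Providers can carry separate read and write permission labels.
            for kind in ("read", "write"):
                if not (elem.get(ANDROID + kind + "Permission") or general):
                    findings.append(
                        (name, f"{kind} access open to any application"))
        elif not general:
            findings.append((name, "public with no access permission"))
    return findings
```

On the sample, the provider is flagged because only reads are guarded, which is the opposite of the read-for-all, write-for-owner policy the slide describes.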
-
Security Refinements --- Protected APIs
Not all system resources (for example, network) are accessed through components; instead, Android provides direct API access.
Android protects these sensitive APIs with additional permission label checks: an application must declare a corresponding permission label in its manifest file to use them.
-
Security Refinements --- Permission Protection Levels
The permission protection levels provide a means of controlling how developers assign permission labels.
Signature permissions ensure that only the framework developer can use the specific functionality (only Google applications can directly interface the telephony API, for example).
-
Security Refinements --- Pending Intents
Pending intent - a developer defines an intent object to perform an action. However, instead of performing the action, the developer passes the intent to a special method that creates a PendingIntent object corresponding to the desired action. The PendingIntent object is simply a reference pointer that can be passed to another application.
Pending intents allow applications included with the framework to integrate better with third-party applications.
-
Lessons in Defining Policy
Android security policy begins with a relatively easy-to-understand MAC enforcement model, but the number and subtlety of refinements make it difficult to discover an application's policy.
The label itself is merely a text string, but its assignment to an application provides access to potentially limitless resources.
-
Thanks!