Understanding Android Security

24
UNDERSTANDING ANDROID SECURITY Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL

description

Understanding Android Security. WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL. Presented By Abhishek Singh Computer Science Department Kent state University. Outline . Introduction History Android OS Android development structure Android ADT interface Example Application - PowerPoint PPT Presentation

Transcript of Understanding Android Security

Page 1: Understanding  Android Security

UNDERSTANDING ANDROID SECURITY

Presented By Abhishek Singh

Computer Science DepartmentKent state University

WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL

Page 2: Understanding  Android Security

Outline Introduction History Android OS Android development structure Android ADT interface Example Application Security Enforcement Security refinement

Page 3: Understanding  Android Security

Introduction Next generation of open operating

system . Not only complaint with desktops and

mainframe. Now computing is integrating with mobile

open operating system. Increasing data service in cell phones More secure and invulnerable OS is

indispensible.

Page 4: Understanding  Android Security

History Android In was founded in Palo Alto

California United state by Andy Rubin , Rich Miner and Chris White – October 2003

Google acquired Android Inc – August 2006 The Open Handset Alliance , a consortium

of several companies was formed – 5 November 2007

First Android Device , the HTC Dream(G1) , featuring Android 1.0

Page 5: Understanding  Android Security

Android OS Open operating system designed for

mobiles , tablets and other systems. Application middle layer , java software

development tool kit (SDK) and system applications.

Extension to Google Service Integration - Gmail , Calendar , Contacts

and Web Application

Page 6: Understanding  Android Security

Continue… Android officially doesn’t support

application on top of java middleware layer running in a embedded Linux kernel.

Controlled application interaction with its API

Permission label assignment model to restrict to access resources and other application.

Page 7: Understanding  Android Security

Android Application developmentStructure

It doesn’t have main function It doesn’t have single entry point for the

execution of the whole application. Application in android is segmented into

many different components . Like - Main activity , manifest file , XML

file

Page 8: Understanding  Android Security

Android – ADT interface

Page 9: Understanding  Android Security

Example Application

Functionality of an application ramified into two different applications.

Page 10: Understanding  Android Security

Components There are primarily four components 1. Activity - It is the application user

interface , in this each screen for an activity is designed.

2.Service – it is a background processing for using different service(like camera , Bluetooth , internet service etc)

3.Content Provider – It stores data and retrieve using relational database interface .

4.Broadcast receiver- Act as a mailbox for other applications.

Page 11: Understanding  Android Security

Interaction between two components

•Primary mechanism for component interaction is Intent (Message box container) .•To start the Main activity 1. Start Activity (Intent) 2. start Service (Intent) 3. send Broadcast (Intent)

Page 12: Understanding  Android Security

Continue… To execute the main application android

framework invoke these 3 methods Inter component communication(ICC) is

called Action i.e. particular intend to action string.

Each ICC actions depends upon the target component.

Friend Viewer– starts – FriendMap activity (Screen)

Page 13: Understanding  Android Security

Security Enforcement

Page 14: Understanding  Android Security

Security Enforcement Protection : 1. System Level 2. ICC level ICC core security framework Each application – Unique user Identity Restrict damage from programming flaws Which in turn restrict exploitation to

other applications.

Page 15: Understanding  Android Security

MAC(Mandatory Access Control)

Permission labels are assigned to each application.

Restrict from using all resource .

Page 16: Understanding  Android Security

MAC Enforcement

Page 17: Understanding  Android Security

Permissions <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.android.apis"> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.WRITE_CONTACTS" /> <uses-permission android:name="android.permission.VIBRATE" /> <uses-permission

android:name="android.permission.ACCESS_COARSE_LOCATION" /> <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.SET_WALLPAPER" /> <uses-permission

android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> <uses-permission android:name="android.permission.SEND_SMS" /> <uses-permission android:name="android.permission.RECEIVE_SMS" /> <uses-permission android:name="android.permission.NFC" /> <!-- For android.media.audiofx.Visualizer --> <uses-permission android:name="android.permission.RECORD_AUDIO" /> <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="14" /> <!-- We will request access to the camera, saying we require a camera of some sort but not one with autofocus capability. --> <uses-permission android:name="android.permission.CAMERA" />

Page 18: Understanding  Android Security

Security Enforcement1. Public Vs Private Components : Restrict access of an application component from another

application (like stored password for security) by defining it as private component.

1. II. Implicitly Open Components : If the access permission at the application development

time is not clear Android permits any application to access it.

III. Broadcast Intent Permission: If the broadcast intent is not protected it leads to

privacy risk. Developer control how information is disseminated by

specify a permission label to restrict access to the intent object.

Page 19: Understanding  Android Security

Security Enforcement Content Provider Permission: Android allow developer to assigning read

and write permission on contents, so that every content can be update only by its application

and available to read for other application.

Protected APIs: To some system resources Android provide

direct API access and to protect these APIs, addition permission label is use. Application

has to delayer a corresponding permission label in its manifest file.

Page 20: Understanding  Android Security

Security Enforcement Permission Protection Levels: framework developer can use the specific

functionality (for ex. Google app can use telephony or API directly)

Pending intent : Intent object is define to perform an action,

instead of performing action developer passes the intent to special method which create Pending Intent.

The Pending Intent object is simply a reference pointer that can pass to another application via ICC. It included in framework to work with third party application.

Page 21: Understanding  Android Security

Rooting (Android OS) Processes of allowing user to have

privilege control or root access. Modify system files: themes, core apps,

boot images, linux binaries, etc. Run applications that require system level access. Balance the risk with freedom

Page 22: Understanding  Android Security

Open Area of Research Complex Update Process Continuous

Internet Connection Operating System Fragmentation Android: Good for Consumers, Bad for

Developers Security Issues Advertisements

Page 23: Understanding  Android Security

References Official Android website: www.android.com

/ developer.android.com J.P. Anderson, Computer Security

Technology Planning Study, tech. report ESD-TR-73-51, Mitre, Oct. 1972.

M.A. Harrison, W.L. Ruzzo, and J.D. Ullman, “Protection in Operating Systems,” Comm. ACM,

http://securityevaluators.com/content/case-studies/android/

Wikipedia , Google

Page 24: Understanding  Android Security

Reference http://securityevaluators.com/content/cas

e-studies/android/