Abhishek Singh's presentation on Android Security - Computer ...

crookpatedhatΚινητά – Ασύρματες Τεχνολογίες

10 Δεκ 2013 (πριν από 3 χρόνια και 4 μήνες)

88 εμφανίσεις

Presented By

Abhishek

Singh

Computer Science Department

Kent state University



WILLIAM ENCK, MACHIGAR ONGTANG,

AND PATRICK MCDANIEL


Introduction


History


Android OS


Android development structure


Android ADT interface


Example Application


Security Enforcement


Security refinement



Next generation of open operating system .


Not only complaint with desktops and
mainframe.


Now computing is integrating with mobile
open operating system.


Increasing data service in cell phones


More secure and invulnerable OS is
indispensible.



Android In was founded in Palo Alto
California United state by Andy Rubin , Rich
Miner and Chris White


October 2003


Google acquired Android Inc


August 2006


The Open Handset Alliance , a consortium of
several companies was formed


5 November
2007



First Android Device , the HTC Dream(G1) ,
featuring Android 1.0



Open operating system designed for mobiles ,
tablets and other systems.


Application middle layer , java software
development tool kit (SDK) and system
applications.


Extension to Google Service


Integration
-

Gmail , Calendar , Contacts and
Web
A
pplication


Android officially doesn’t support application
on top of java middleware layer running in a
embedded Linux kernel.


Controlled application interaction with its API


Permission label assignment model to restrict
to access resources and other application.


It doesn’t have main function


It doesn’t have single entry point for the
execution of the whole application.


Application in android is segmented into many
different components .


Like
-

Main activity , manifest file , XML file


Functionality of an application ramified into
two different applications.


There are primarily four components



1. Activity
-

It is the application user interface ,
in this each screen for an activity is designed.



2.Service


it is a background processing for
using different service(like camera , Bluetooth ,
internet service etc)


3.Content Provider


It stores data and retrieve
using relational database interface .


4.Broadcast receiver
-

Act as a mailbox for other
applications.


Primary mechanism for component interaction is Intent (Message
box container) .


To start the Main activity



1. Start Activity (Intent)



2. start Service (Intent)



3. send Broadcast (Intent)



To execute the main application android
framework invoke these 3 methods


Inter component communication(ICC) is called
Action i.e. particular intend to action string.


Each ICC actions depends upon the target
component.


Friend Viewer


starts


FriendMap

activity
(Screen)



Protection : 1. System Level



2. ICC level


ICC core security framework


Each application


Unique user Identity


Restrict damage from programming flaws


Which in turn restrict exploitation to other
applications.


Permission labels are assigned to each
application.


Restrict from using all resource .



<
manifest
xmlns:android
=
"http://schemas.android.com/apk/res/android"



package=
"
com.example.android.apis
">



<uses
-
permission
android:name
=
"
android.permission.READ_CONTACTS
" />



<uses
-
permission
android:name
=
"
android.permission.WRITE_CONTACTS
" />



<uses
-
permission
android:name
=
"
android.permission.VIBRATE
" />



<uses
-
permission
android:name
=
"
android.permission.ACCESS_COARSE_LOCATION
" />



<uses
-
permission
android:name
=
"
android.permission.INTERNET
" />



<uses
-
permission
android:name
=
"
android.permission.SET_WALLPAPER
" />



<uses
-
permission
android:name
=
"
android.permission.WRITE_EXTERNAL_STORAGE
" />



<uses
-
permission
android:name
=
"
android.permission.SEND_SMS
" />



<uses
-
permission
android:name
=
"
android.permission.RECEIVE_SMS
" />



<uses
-
permission
android:name
=
"
android.permission.NFC
" />



<!
--

For
android.media.audiofx.Visualizer

--
>



<uses
-
permission
android:name
=
"
android.permission.RECORD_AUDIO
" />



<uses
-
sdk android:minSdkVersion=
"4" android:targetSdkVersion="14" />



<!
--

We will request access to the camera, saying we require a camera



of some sort but not one with
autofocus capability.
--
>



<uses
-
permission
android:name
=
"
android.permission.CAMERA
" />

1.
Public Vs Private Components
:



Restrict access of an application component from
another application (like stored password for security)
by defining it as
private
component.

1.
II. Implicitly Open Components
:


If the access permission at the application development
time is not clear Android permits any application to
access it.


III. Broadcast Intent Permission
:



If the broadcast intent is not protected it leads to

privacy risk.


Developer control how information is disseminated by
specify a permission label to restrict access to the intent
object.



Content Provider Permission
:




Android allow developer to assigning read and

write
permission on contents, so that every

content can
be update only by its application and

available to
read for other application.



Protected APIs:




To some system resources Android provide

direct API access and to protect these APIs,

addition permission label is use. Application has

to delayer a corresponding permission label in its

manifest file
.



Permission Protection Levels:




framework developer can use the specific functionality
(for ex. Google app can use telephony or API directly)



Pending intent :




Intent object is define to perform an action, instead
of performing action developer passes the intent to
special method which create Pending Intent.


The Pending Intent object is simply a reference
pointer that can pass to another application via ICC. It
included in framework to work with third party
application.



Processes of allowing user to have

privilege control or root access.


Modify system files: themes, core apps, boot images,
linux

binaries, etc.


Run applications that require


system level access.


Balance the risk with freedom


Complex Update Process Continuous Internet
Connection


Operating System Fragmentation



Android: Good for Consumers, Bad for Developers


Security Issues



Advertisements



Official Android website:
www.android.com

/
developer.android.com


J.P. Anderson, Computer Security Technology
Planning Study, tech. report ESD
-
TR
-
73
-
51,
Mitre
, Oct. 1972.



M.A. Harrison, W.L.
Ruzzo
, and J.D.
Ullman
,
“Protection in Operating Systems,” Comm.
ACM,


http://securityevaluators.com/content/case
-
studies/android/


Wikipedia ,
G
oogle


http://securityevaluators.com/content/case
-
studies/android/