Android Security: What is out there in Market?

flosssnails – Mobile – Wireless Technologies

10 Dec 2013

Android Security

What is out there?

Waqar Aziz

Android Market Share - I

Android Market Share - II

Android Market Share - III

Android App Market Security Model

- No formal application screening process.
- Any developer can upload an application.
- Android Market relies on the community to identify and flag:
  - Malfunctioning applications
  - Malicious applications
- Inherently, early adopters suffer if the application is malicious.
- Note: Unlike iPhone, Android applications can also be directly downloaded and installed from a third party.

Phishing App Example

- Bank phishing application:
  - Advertised to do banking activities from the phone.
  - Users had to give account information and credentials for the app to facilitate banking activities.
- In reality the app did only the following:
  - Opened the banking website in the phone’s browser. That’s it!!
- A number of users were scammed before the application was removed from Android Market.

Android Market Statistics

- About 20% of 48,000 apps in Android Marketplace allow a third-party application access to sensitive or private information.
- 5% of apps can place calls to any number without user interaction.
- 2% of apps can send text messages without user interaction.
- 29 apps require the exact same permissions as applications that are known to be spyware.
- 383 apps have the ability to read and use the authentication credentials from another app or service.

Android Security Apps - I

- Both apps are developed by a Pittsburgh-based security researcher and hacker who goes by Moxie Marlinspike.
- RedPhone
  - Uses ZRTP, an Internet voice cryptography scheme.
  - It uses the two users’ keys to create a passphrase, which is later displayed at both ends for the users to verify.
- SecureText
  - Encrypted text messages.
- Both apps generate a new key for every communication session.
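The verification step described for RedPhone (a short passphrase derived from the key exchange and compared by the two users) as an added illustration. This is not RedPhone's or ZRTP's code: it uses toy Diffie-Hellman parameters that are far too small for real use, a 32-bit truncation of SHA-256 rendered as hex in place of ZRTP's word lists, and omits ZRTP's hash commitment and key continuity. The names `keypair`, `sas`, `honest_call` and `relayed_call` are assumptions for the example.

```python
"""Short authentication string (SAS) over a Diffie-Hellman exchange.

Added illustration, not RedPhone's or ZRTP's code. Both ends derive a
short string from the key exchange and read it to each other; a relay
attacker who swaps in their own public value leaves the two ends with
different strings, which the users notice when they compare them.
"""
import hashlib
import secrets

P = (1 << 127) - 1   # Mersenne prime 2^127 - 1: toy modulus, not a real-world group
G = 3                # generator (assumption for the toy group)


def keypair(private=None):
    """Return (private exponent, public value); a fixed exponent may be supplied for tests."""
    x = private if private is not None else secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def shared_secret(private, peer_public):
    """Classic DH: peer_public ** private mod P."""
    return pow(peer_public, private, P)


def sas(my_public, peer_public, shared):
    """Derive the short authentication string both ends should display.

    Sorting the two public values makes the hash input identical on both
    sides of an honest exchange, so the strings match only if both ends
    saw the same pair of public values and computed the same shared secret.
    """
    lo, hi = sorted((my_public, peer_public))
    material = b"|".join(str(v).encode() for v in (lo, hi, shared))
    return hashlib.sha256(material).digest()[:4].hex()   # 32-bit SAS as 8 hex chars


def honest_call(a_private=None, b_private=None):
    """Alice and Bob exchange public values directly; their SAS strings match."""
    a_priv, a_pub = keypair(a_private)
    b_priv, b_pub = keypair(b_private)
    sas_a = sas(a_pub, b_pub, shared_secret(a_priv, b_pub))
    sas_b = sas(b_pub, a_pub, shared_secret(b_priv, a_pub))
    return sas_a, sas_b


def relayed_call(a_private=None, b_private=None, m_private=None):
    """Mallory relays the call and presents her own public value to each side.

    Each end now shares a secret with Mallory rather than with each other,
    so the two SAS strings differ; the verbal comparison exposes the relay.
    """
    a_priv, a_pub = keypair(a_private)
    b_priv, b_pub = keypair(b_private)
    _m_priv, m_pub = keypair(m_private)
    sas_a = sas(a_pub, m_pub, shared_secret(a_priv, m_pub))   # Alice takes m_pub for Bob's key
    sas_b = sas(b_pub, m_pub, shared_secret(b_priv, m_pub))   # Bob takes m_pub for Alice's key
    return sas_a, sas_b


if __name__ == "__main__":
    print("honest exchange :", honest_call())
    print("relayed exchange:", relayed_call())
```

The defensive value lies entirely in the comparison: the software cannot tell an honest peer from a relay, but two humans reading mismatching strings can, which is why the slide stresses that the passphrase is displayed at both ends.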

Android Security Apps - II

- OI Safe
  - Saves passwords and other private data with AES encryption.
  - No information is kept online.
  - Works with OI Notepad to encrypt notes, and with Obscura to encrypt pictures.
- Other apps for content encryption:
  - B-folder + sync
  - Secrets-for-android

Android Manifest - I

- The Android Manifest does the following:
  - Declares the application’s components.
  - Identifies any permissions that the application expects to be granted: access the Internet, read phone contacts, access sensors, etc.
- Thus, what an application can and cannot do is constrained by the total set of permissions that can be granted in a Manifest file.
- Currently, almost all user content and private data can be accessed from the phone’s internal storage and SD card.
- However, no permission can be granted to do anything at system level except for accessing a small number of settings.

Android Manifest - II

Anti-malware Apps - I

- Smobile Security Shield
  - Does permission-based malware detection.
  - Scans manifest files of apps installed on the phone, and flags them based on suspicious manifest permissions.
  - Maintains a database of manifest files of all apps on Android Market and other 3rd-party sources.
  - Scans application signatures.
  - Maintains a database of application signatures.
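Permission-based triage of the kind the Manifest slide and the Smobile Security Shield slide describe, as an added example that is not Smobile's code or any Android API. It parses the `<uses-permission>` entries of an AndroidManifest.xml and flags an app whose permission set is identical to a known-spyware profile, that holds a permission allowing action without user interaction (the slide's "place calls" and "send text messages" statistics), or that pairs a private data source with network access. The two sample manifests, their package names and the spyware profile are constructed for the example; the permission names themselves are real Android permission constants.

```python
"""Permission-based triage of Android manifests (added example, not Smobile's code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests; package names and labels are placeholders.
SPYWARE_LIKE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Flashlight"/>
</manifest>"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>"""

# Constructed stand-in for the vendor's database of known-spyware manifests.
# Exact-set comparison mirrors the "exact same permissions as known spyware" statistic.
KNOWN_SPYWARE_PROFILES = {
    "sms-and-location-stalker": frozenset({
        "android.permission.INTERNET",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CONTACTS",
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.RECEIVE_BOOT_COMPLETED",
    }),
}

# Permissions that let an app act with no user interaction at all.
NO_INTERACTION_PERMISSIONS = {
    "android.permission.SEND_SMS": "can send text messages without user interaction",
    "android.permission.CALL_PHONE": "can place calls to any number without user interaction",
}

# Private data sources; combined with INTERNET they form an exfiltration path.
PRIVATE_DATA_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}


def parse_permissions(manifest_xml: str) -> frozenset:
    """Return the permission names declared via <uses-permission android:name=...>."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name")
        if name:
            names.add(name)
    return frozenset(names)


def triage(manifest_xml: str) -> dict:
    """Classify one manifest; the returned dict carries the verdict and its reasons."""
    perms = parse_permissions(manifest_xml)
    reasons = []
    for label, profile in KNOWN_SPYWARE_PROFILES.items():
        if perms == profile:
            reasons.append(f"permission set identical to known spyware profile '{label}'")
    for perm, why in NO_INTERACTION_PERMISSIONS.items():
        if perm in perms:
            reasons.append(f"{perm}: {why}")
    if "android.permission.INTERNET" in perms and perms & PRIVATE_DATA_PERMISSIONS:
        reasons.append("reads private data and has network access")
    verdict = "suspicious" if reasons else "clean"
    return {"verdict": verdict, "permissions": sorted(perms), "reasons": reasons}


if __name__ == "__main__":
    for name, xml in (("flashlight", SPYWARE_LIKE_MANIFEST), ("notes", BENIGN_MANIFEST)):
        result = triage(xml)
        print(f"{name}: {result['verdict']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

Permission-based detection is a heuristic, not proof of malice: a legitimate messaging client needs READ_SMS and INTERNET too, so a verdict of "suspicious" should route the app to closer inspection (signature database, behaviour) rather than straight to a block list.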

Anti-malware Apps - II

- WaveSecure
  - Remotely wipes all user data.
  - Tracks and locates the phone.
  - Locks the phone as soon as a SIM change is detected.
  - Protection against application uninstallation.
  - Backs up and restores private data: SMS, contacts, etc.
- Other similar apps
  - Mobile Defense

What you see is what they get - I

- “Google’s Android OS grants access to sensors such as cameras and audio inputs only if their use is disclosed at installation time. At installation time, a user may not understand an application well enough to determine why it would need sensor data or gauge its trustworthiness…”
- “…iPhone instead uses standardized OS interface to prompt the user to approve access…”

What you see is what they get - II

- Sensor-access widget:
  - When an application requests access to a sensor, the runtime environment overlays a GUI widget on a portion of the screen, such as the status bar, to notify the user of the sensor access.

What you see is what they get - III

- SWAAID (Show Widget and Allow After Input & Delay):
  - Turns sensors from passive into active input devices.
  - User intervention is required before sensor access.
  - The user can also enable access without any intervention for a while.
  - The waiting period (or delay) is intended to give the user sufficient time to notice and respond to the sensor access.
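The SWAAID policy from the preceding three slides as a small simulation, added here as an example; it is not code from the paper or from Android. The `SensorGate` class, its method names and the timing constants are assumptions. It shows the widget on the first request, grants access only once the user has given input and the notice delay has elapsed, honours an "allow for a while" pre-approval without further input, and never grants silently when the delay passes with no input.

```python
"""Simulation of a SWAAID-style sensor gate (added example; names and constants are assumptions)."""


class SensorGate:
    """Mediates app requests for a sensor: show widget, allow after input and delay."""

    def __init__(self, notice_delay=2.0, preapproval_window=60.0):
        self.notice_delay = notice_delay            # seconds the widget must be visible first
        self.preapproval_window = preapproval_window  # default length of "allow for a while"
        self._widget_shown_at = {}    # (app, sensor) -> time the widget was overlaid
        self._approved = set()        # (app, sensor) with a one-shot user approval
        self._preapproved_until = {}  # (app, sensor) -> expiry of a pre-approval
        self._denied = set()          # (app, sensor) the user refused
        self.log = []                 # (time, key, outcome) for review

    def request(self, app, sensor, now):
        """Return 'granted', 'waiting' or 'denied' for an access attempt at time `now`."""
        key = (app, sensor)
        if key in self._denied:
            return self._record(now, key, "denied")
        if now < self._preapproved_until.get(key, float("-inf")):
            return self._record(now, key, "granted")   # within "allow for a while"
        if key not in self._widget_shown_at:
            self._widget_shown_at[key] = now            # first request: overlay the widget
            self.log.append((now, key, "widget shown"))
        delay_elapsed = now - self._widget_shown_at[key] >= self.notice_delay
        if key in self._approved and delay_elapsed:
            # Input and delay both satisfied: grant once, then start a fresh episode.
            self._approved.discard(key)
            del self._widget_shown_at[key]
            return self._record(now, key, "granted")
        return self._record(now, key, "waiting")        # no silent grant, ever

    def user_approve(self, app, sensor, now, for_seconds=0.0):
        """User input: a one-shot approval, or a pre-approval lasting `for_seconds`."""
        key = (app, sensor)
        self._denied.discard(key)
        if for_seconds > 0:
            self._preapproved_until[key] = now + for_seconds
            self._widget_shown_at.pop(key, None)
        else:
            self._approved.add(key)

    def user_deny(self, app, sensor, now):
        """User refuses; later requests are denied until the user approves again."""
        key = (app, sensor)
        self._denied.add(key)
        self._approved.discard(key)
        self._preapproved_until.pop(key, None)
        self._widget_shown_at.pop(key, None)
        self.log.append((now, key, "user denied"))

    def _record(self, now, key, outcome):
        self.log.append((now, key, outcome))
        return outcome


def demo():
    """Walk one camera-access episode through the gate with a simulated clock."""
    gate = SensorGate(notice_delay=2.0)
    outcomes = [gate.request("cam", "camera", 0.0), gate.request("cam", "camera", 1.0)]
    gate.user_approve("cam", "camera", 1.5)
    outcomes += [gate.request("cam", "camera", 1.9), gate.request("cam", "camera", 2.0)]
    gate.user_approve("cam", "camera", 3.0, for_seconds=60.0)
    outcomes += [gate.request("cam", "camera", 3.1), gate.request("cam", "camera", 64.0)]
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The design point is the third branch of `request`: once the widget is shown, the absence of user input is never interpreted as consent, so an app cannot obtain the sensor simply by waiting out the delay.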

I am allowing what?

- A paper on Application Authority Disclosure by Microsoft Research:
- “…the great majority of participants preferred designs that used images or icons to represent resources. This great majority also disliked designs that used paragraphs, the central design element of Facebook’s disclosures, and outlines, the central design element of Android’s disclosures.”

Rooting Android

- Rooting Android: gaining root access to the Android operating system.
- It can be deemed similar to iPhone jailbreaking.
- Why root Android?
  - To gain full control over the system.
  - Modify system files: themes, core apps, boot images, Linux binaries, etc.
  - Run applications that require system-level access.

Other Findings…

- Not a single application currently does user authentication using the accelerometer.
- No application attempts to do anything at system level, such as access network packets.
- Two main reasons for the above findings:
  - The Android Manifest does not permit anything at system level, such as replacement of the factory default user authentication mechanism or access to other applications’ traffic.
  - An application written for rooted Android will not work on non-rooted Android phones.
- Apps for rooted Android: Internet tethering, ad-hoc network,

Questions?

Sources

1. http://developer.android.com/reference/android/Manifest.permission.html
2. http://threatcenter.smobilesystems.com/wp-content/plugins/download-monitor/download.php?id=8
3. http://research.microsoft.com/pubs/131132/devices-camera-ready.pdf
4. http://blogs.forbes.com/firewall/2010/05/25/android-app-aims-to-allow-wiretap-proof-cell-phone-calls/
5. http://research.microsoft.com/pubs/131517/AppAuth.pdf
6. http://www.openintents.org/en/node/205/
7. http://www.openintents.org/en/node/231
8. http://threatcenter.smobilesystems.com/?category_name=news
9. http://portal.acm.org/citation.cfm?id=1613858.1613878
10. http://smarterware.org/3189/why-and-how-to-root-your-android-phone
11. http://android-dls.com/wiki/index.php?title=Why_Root
12. http://metrics.admob.com/