Android Overview - 國立高雄大學資訊工程學系

10 Dec 2013 (4 years and 5 months ago)

CSF665 – Advanced Operating Systems
•System Overview
–Applications, Development, Platform
•Android System Security
–Kernel and System Level Security
–Security Enhancements
•Android Application Security
–Unveiled by Google along with the founding of Open Handset
Alliance to advance open standards for mobile devices
•Early SDK was released on 12 November 2007
–iPhone was first announced on January 9, 2007
•Google acquired Android Inc. on August 17, 2005
•The first Android-powered phone was sold in October 2008
–Designed primarily for touchscreen mobile devices such as
smartphones and tablet computers
•As of Q3 2012, there were 500 million devices activated and 1.3 million
activations per day
–Building on open-source Linux
•Android code released as open source, under the Apache License
System Overview
Android Applications
•Applications are usually developed in the Java language using
the Android Software Development Kit
–Native Development Kit for applications or extensions in C or C++
–Installed from a single file with the .apk file extension
•Android applications run in a sandbox
–An isolated area of the OS that does not have access to the rest of the
system's resources, unless access permissions are granted by the user
when the application is installed
•However, applications routinely request unnecessary permissions, reducing
its effectiveness
•The complexity of inter-application communication implies Android may have
opportunities to run unauthorized code
•Two primary sources for applications
–Pre-Installed Applications
–User-Installed Applications
•Either through a store such as Google Play or the Amazon Appstore, or by
•Downloading and installing the application's APK file from a third-party site
Android Development
•Android consists of
–A kernel based on the Linux kernel 2.6 and Linux Kernel 3.x (Android 4.0
•Does not have a native X Window System nor does it support the full set of
standard GNU libraries
•a power management feature called wakelocks
•The flash storage is split into several partitions, such as "/system" for the
operating system itself and "/data" for user data and app installations
•Android device owners are not given root access
–With middleware, libraries and APIs written in C and
•Dalvik virtual machine with just-in-time compilation to run Dalvik dex-code
(Dalvik Executable), which is usually translated from Java bytecode
–Application software running on an application framework which includes
Java-compatible libraries based on Apache Harmony
–The main hardware platform for Android is the ARM architecture
Android Platform Building Blocks
•Device Hardware
–Including smart phones, tablets, and set-top-boxes
–Processor-agnostic, but taking advantage of some hardware-specific
security capabilities such as ARM v6 eXecute-Never
•Android Operating System
–The core operating system is built on top of the Linux kernel
–All device resources, like camera functions, GPS data, Bluetooth functions,
telephony functions, network connections, etc. are accessed through the
operating system
•Android Application Runtime
–Most often written in the Java programming language and run in the
Dalvik virtual machine
–But core Android services and applications are native applications or
include native libraries
–Both Dalvik and native applications run within the same security
environment, contained within the Application Sandbox
•Applications get a dedicated part of the filesystem in which they can write private
data, including databases and raw files
Architecture Diagram
Main Android Application Building Blocks
•AndroidManifest.xml: the control file that
–Tells the system what to do with all the top-level components
in an application
•specifically activities, services, broadcast receivers, and content
–Also specifies which permissions are required
•Activities: An Activity is the code for a single, user-focused task
–Usually includes displaying a UI to the user
•some Activities never display UIs
–Typically, one of the application's Activities is the entry point
to an application
Main Android Application Building Blocks (cont.)
•Services: A Service is a body of code that runs in the
–It can run in its own process, or in the context of another application's
–Other components "bind" to a Service and invoke methods on it via
remote procedure calls
–An example of a Service is a media player
•even when the user quits the media-selection UI, the user probably still intends
for music to keep playing
•A Service keeps the music going even when the UI has completed
•Broadcast Receiver
–A BroadcastReceiver is an object that is instantiated when an IPC
mechanism known as an Intent is issued by the operating system or
another application
–For example, an application may register a receiver for the low battery
message and change its behavior based on that information
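The manifest described above can be audited from the defender's side. The following is an added example, not part of the original slides: it parses a constructed text-form AndroidManifest.xml, lists the requested permissions, and marks which activities, services and receivers other applications can reach. The package name, component names and the audit_manifest helper are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample in source (text) form; a manifest inside a built .apk
# is binary-encoded and must be decoded before it can be parsed like this.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.player">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".PlaybackService" android:exported="false"/>
    <receiver android:name=".BatteryReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BATTERY_LOW"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

def audit_manifest(xml_text):
    """Return (requested permissions, per-component exposure summary)."""
    root = ET.fromstring(xml_text.strip())
    permissions = [p.get(ANDROID + "name") for p in root.iter("uses-permission")]
    components = []
    for elem in root.findall("./application/*"):
        if elem.tag not in ("activity", "service", "receiver"):
            continue
        actions = [a.get(ANDROID + "name") for a in elem.iter("action")]
        exported = elem.get(ANDROID + "exported")
        # With no explicit android:exported, a component that declares an
        # intent filter is reachable from other apps on releases of this era.
        reachable = exported == "true" or (exported is None and bool(actions))
        components.append((elem.tag, elem.get(ANDROID + "name"), actions, reachable))
    return permissions, components

if __name__ == "__main__":
    perms, comps = audit_manifest(SAMPLE_MANIFEST)
    print("requested permissions:", perms)
    for kind, name, actions, reachable in comps:
        print(f"{kind:9} {name:18} reachable={reachable} actions={actions}")
```

In the sample, a media player asking for SEND_SMS is the kind of unnecessary permission request that a review of this output should question.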
Android Versions
API level | Release date | Version
3 | April 30, 2009 | 1.5 Cupcake
4 | September 15, 2009 | 1.6 Donut
7 | October 26, 2009 | 2.0, 2.1 Eclair
8 | May 20, 2010 | 2.2 Froyo
9-10 | December 6, 2010 | 2.3.x Gingerbread
11-13 | February 22, 2011 | 3.x.x Honeycomb
14-15 | October 19, 2011 | 4.0.x Ice Cream Sandwich
16 | July 9, 2012 | 4.1.x Jelly Bean
Android Security Overview
•Security objectives
–Protect user data
–Protect system resources (including the network)
–Provide application isolation
•Key security features
–Linux security
•Secure interprocess communication
–Mandatory application sandbox for all applications
•With the exception of a small amount of Android OS code running as root, all
code above the Linux kernel is restricted by the Application Sandbox
–Application signing
–Application-defined and user-granted permissions
Kernel and System Level Security
•Linux fundamental security features
–Prevents user A from reading user B's files
–Ensures that user A does not exhaust user B's memory
–Ensures that user A does not exhaust user B's CPU
–Ensures that user A does not exhaust user B's devices (e.g.
telephony, GPS, bluetooth)
•Android security features
–A user-based permissions model
–Process isolation
–Extensible mechanism for secure IPC
–The ability to remove unnecessary and potentially insecure
parts of the kernel
Android Security Enhancements
•Application Sandbox
•System Partition and Safe Mode
•Device Administration
•Password Protection
•Memory Management Security Enhancements
Application Sandbox
•Assign a unique user ID (UID) to each Android
–runs it as that user in a separate process
•A kernel-level Application Sandbox
–The kernel enforces security between applications and the
system at the process level through standard Linux facilities,
such as user and group IDs that are assigned to applications
–By default, applications cannot interact with each other and
applications have limited access to the operating system
•Explicit user-granted permissions required
System Partition and Safe Mode
•System Partition
–Set to read-only
–Containing Android's kernel as well as the operating
system libraries, application runtime, application
framework, and applications
•Safe Mode
•When a user boots the device into Safe Mode, only core Android
applications are available
Filesystem: Permissions and Encryption
–Each application runs as its own user
–Files created by one application cannot be read or altered by another
application unless the developer explicitly exposes files to other
–Android 3.0 and later provides full filesystem encryption
•All user data can be encrypted in the kernel using the dmcrypt implementation of
AES128 with CBC and ESSIV:SHA256
–Filesystem encryption requires the use of a user password
•The encryption key is protected by AES128
•A key derived from the user password, preventing unauthorized access to
stored data without the user device password
•The password is combined with a random salt and hashed repeatedly with
SHA1 using the standard PBKDF2 algorithm
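The password-to-key step described above, written out as an added example that is not part of the original slides: PBKDF2 with HMAC-SHA1 is implemented by hand to show the salt and the repeated hashing, then cross-checked against the standard library. The iteration count, salt size and the derive_kek helper are assumptions for illustration; the AES128 unwrapping of the filesystem key is not shown because the Python standard library has no AES.

```python
import hashlib
import hmac
import os
import struct

def pbkdf2_sha1(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 with HMAC-SHA1, written out to show the repeated hashing."""
    out = b""
    block = 1
    while len(out) < dklen:
        # First round mixes in the salt and the block counter.
        u = hmac.new(password, salt + struct.pack(">I", block), hashlib.sha1).digest()
        acc = int.from_bytes(u, "big")
        # Every further round re-hashes the previous output; XOR folds them together.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            acc ^= int.from_bytes(u, "big")
        out += acc.to_bytes(20, "big")
        block += 1
    return out[:dklen]

# Assumed parameters for illustration; the page gives no iteration count or salt size.
ITERATIONS = 2000
SALT_BYTES = 16
KEK_BYTES = 16  # 128-bit key, matching the AES128 protection described above

def derive_kek(password: str, salt: bytes) -> bytes:
    """Key-encryption key that would unwrap the filesystem key."""
    return pbkdf2_sha1(password.encode("utf-8"), salt, ITERATIONS, KEK_BYTES)

if __name__ == "__main__":
    salt_a, salt_b = os.urandom(SALT_BYTES), os.urandom(SALT_BYTES)
    kek = derive_kek("1234", salt_a)
    # Cross-check against the standard library implementation.
    assert kek == hashlib.pbkdf2_hmac("sha1", b"1234", salt_a, ITERATIONS, KEK_BYTES)
    print("same PIN, same salt     :", derive_kek("1234", salt_a) == kek)
    print("same PIN, different salt:", derive_kek("1234", salt_b) == kek)
    print("wrong PIN, same salt    :", derive_kek("1235", salt_a) == kek)
```

The random salt means a table of precomputed PIN hashes cannot be reused across devices, and the iteration count multiplies the cost of every guess.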
Device Administrationand Password Protection
•Device Administration API
–Android 2.2 and later provide device administration features at the system
–A system administrator writes the device admin application to be installed
on users’ devices
•Administrators can enforce password policies, including alphanumeric
passwords or numeric PINs, across devices
•Administrators can also remotely wipe (that is, restore factory defaults on) lost or
stolen handsets
•Password Protection
–Can be configured to verify a user-supplied password prior to providing
access to a device
•This password protects the cryptographic key for full filesystem encryption
–Use of a password and/or password complexity rules can be required by a
device administrator
Memory Management Security Enhancements
•Android 1.5+
–ProPolice to prevent stack buffer overruns (-fstack-protector)
–safe_iop to reduce integer overflows
–Extensions to OpenBSD dlmalloc to prevent double free() vulnerabilities and to
prevent chunk consolidation attacks. Chunk consolidation attacks are a common
way to exploit heap corruption.
–OpenBSD calloc to prevent integer overflows during memory allocation
•Android 2.3+
–Format string vulnerability protections (-Wformat-security -Werror=format-security)
–Hardware-based No eXecute (NX) to prevent code execution on the stack and heap
–Linux mmap_min_addr to mitigate null pointer dereference privilege escalation
(further enhanced in Android 4.1)
•Android 4.0+
–Address Space Layout Randomization (ASLR) to randomize key locations in
•Android 4.1+
–PIE (Position Independent Executable) support
–Read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now)
–dmesg_restrict enabled (avoid leaking kernel addresses)
–kptr_restrict enabled (avoid leaking kernel addresses)
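Several of the protections listed above leave marks in a native binary's ELF headers, so a defender can check whether a given library or executable was built with them. The following is an added example, not part of the original slides: it reads the ELF32 file header and program headers and reports PIE, a non-executable stack and RELRO. The sample images are constructed header-only byte strings, the helper names are hypothetical, and telling full RELRO (-z now) from partial RELRO would need the dynamic section, which is not parsed here.

```python
import struct

EHDR = "<16sHHIIIIIHHHHHH"   # ELF32 file header, little-endian (52 bytes)
PHDR = "<8I"                 # ELF32 program header (32 bytes)
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 0x1

def check_hardening(data: bytes) -> dict:
    """Report PIE, non-executable stack and RELRO for a 32-bit LE ELF image."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x01\x01":
        raise ValueError("only 32-bit little-endian ELF is handled here")
    hdr = struct.unpack_from(EHDR, data)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    # ET_DYN is also the type of shared libraries; for an executable it means PIE.
    report = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False}
    for i in range(e_phnum):
        ph = struct.unpack_from(PHDR, data, e_phoff + i * e_phentsize)
        p_type, p_flags = ph[0], ph[6]
        if p_type == PT_GNU_STACK:
            # A missing PT_GNU_STACK entry is treated as "not protected".
            report["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = True
    return report

def make_elf32(e_type: int, segments: list) -> bytes:
    """Build a constructed header-only ELF32 image: [(p_type, p_flags), ...]."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack(EHDR, ident, e_type, 40, 1, 0, 52, 0, 0, 52, 32,
                       len(segments), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, t, 0, 0, 0, 0, 0, f, 0)
                           for t, f in segments)

# Constructed samples, not real binaries.
HARDENED = make_elf32(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
LEGACY = make_elf32(ET_EXEC, [(PT_GNU_STACK, 0x7)])

if __name__ == "__main__":
    print("hardened:", check_hardening(HARDENED))
    print("legacy  :", check_hardening(LEGACY))
```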
Android Application Security
•Protected API: only accessible through the OS
–Camera functions
–Location data (GPS)
–Bluetooth functions
–Telephony functions
–SMS/MMS functions
–Network/data connections
1.An application defines the capabilities it needs in its manifest
2.When preparing to install an application, the system displays a dialog to the user
that indicates the permissions requested and asks whether to install
3.If the user continues, the user has granted all
of the requested permissions
•The user must grant or deny all of the requested permissions as a block
•Applications included in the core OS or bundled by an OEM do not request permissions
from the user
4.Once granted, the permissions are applied to the application as long as it is
•Some device capabilities, such as the ability to send SMS broadcast intents,
are not available to third-party applications
–They may be used by applications pre-installed by the OEM
–These permissions use the signatureOrSystem permission
•Processes can communicate using traditional UNIX-type
–For example, the filesystem, local sockets, or signals
–The Linux permissions still apply
•New IPC mechanisms
–Binder: A lightweight capability-based RPC mechanism designed for high
performance when performing in-process and cross-process calls
•Implemented using a custom Linux driver
–Services: provide interfaces directly accessible using binder
–Intents: An Intent is a simple message object that represents an
"intention" to do something. For example, to display a web page
•An app expresses its "Intent" by creating an Intent instance to view the URL
•The system locates some other piece of code (in this case, the Browser) that
knows how to handle that Intent, and runs it
–ContentProviders: A ContentProvider is a data storehouse that provides
access to data on the device
•An application can access data that other applications have exposed via a
ContentProvider, and
•An application can define its own ContentProviders to expose data of its own
Cost-Sensitive APIs
•A cost sensitive API is any function that might generate a cost
for the user or the network
–In-App Billing
–NFC Access
•Placed in the list of protected APIs controlled by the OS
•The user will have to grant explicit permission to third-party
applications requesting use of cost sensitive APIs
SIM Card and Sensitive User Data
•SIM Card Access
–Low level access to SIM card not available to third-party apps
–Cannot access AT commands
•Sensitive User Data Accessed Only by Protected APIs
–Sensitive input devices: e.g. GPS, camera
–Device metadata: e.g. system logs, browser history, phone number, or
hardware / network identification information
Digital Rights Management
•Two architectural layers
–A DRM framework API, which is exposed to applications through the
Android application framework and runs through the Dalvik VM for
standard applications
–A native code DRM manager, which implements the DRM framework and
exposes an interface for DRM plug-ins (agents) to handle rights
management and decryption for various DRM schemes