Mobile Application Security on Android

wheatprison: Mobile – Wireless Technologies

10 Dec 2013

Originally presented by Jesse Burns at Black Hat 2009

What is Android?

- Smart Phone Operating System
- Based on the Linux kernel
- Expanded to support cellular based communication
  - GSM, CDMA
- Java-like middleware

More Android

- Open Source
  - Mostly Apache v2 license
  - Linux kernel is GPLv2
- Free
- Open APIs
  - If Google uses them, so can developers

Applications

- Built from four “components”
  - Activity
  - Service
  - Content Provider
  - Broadcast Receiver
- Run in own VM sandbox using unique UID

More on Apps

- Use explicitly defined permissions
- Communicate through Intents
  - Intents are Inter-Process Communications
  - Applications register which Intents they wish to handle

Signatures

- Applications must be signed, but are usually self-signed
  - Proves no relationship with Google, but
  - Creates chain of trust between updates and among applications

Permissions I

- >100 defined by the system
- Declared at install time in Manifest.xml
- Disclosed by PackageInstaller, protected by root ownership

Permissions II

- Applications can define arbitrary new perms
  - normal
  - dangerous
  - signature
  - signatureOrSystem

Permissions III

- Permissions checked at runtime
  - SecurityException thrown if permission denied

Intents

- Core of Android IPC
- Can cross security boundaries
- Generally defined as a goal action and some data

Intents II

- Used to:
  - Start an Activity
  - Broadcast events or changes
  - Start, stop, or communicate with background Services
  - Access data held by ContentProviders
  - Callbacks to handle events

Intent Filters

- Used to determine recipient of Intent
- Can be overridden
- Provide no security
- Intents can explicitly define receiver

Activities

- The user interface consists of a series of Activity components.
- Each Activity is a “screen”.
- User actions tell an Activity to start another Activity, possibly with the expectation of a result.

Activity II

- The target Activity is not necessarily in the same application.
  - Directly or via Intent “action strings”.
- Processing stops when another Activity is “on top”.
- Must be able to handle malformed intents
- Don’t start Intents that contain sensitive data

Activity III

- Starting an Activity from an Intent

Activity IV

- Forcing an Activity to start

Activity V

- Protecting Activities

Broadcasts

- Act as receivers for multiple components
- Provide secure IPC
  - Done by specifying permissions on BroadcastReceiver regarding sender
- Otherwise, behave like Activities in terms of IPC

Broadcasts II

- Still need to validate input just in case
- Sticky Broadcasts
  - Persistent
  - Apps require special permissions to create/destroy sticky broadcasts
  - No guarantee of persistence
  - Can’t define permission
  - Don’t send sensitive data

Services

- Run in background
  - Play music, alarm clock, etc.
- Secured using permissions
- Callers may need to verify that Service is the correct one

Services II

- Verification:
  - Check Service’s permissions

    // name is the ComponentName handed to onServiceConnected; permToCheck is the permission the genuine Service must hold
    int res = getPackageManager().checkPermission(permToCheck, name.getPackageName());
    if (res != PackageManager.PERMISSION_GRANTED) { /* wrong or impostor Service: do not use it */ }

ContentProviders

- Generally SQL backend
- Used to share content between apps
- Access controlled through permission tags

ContentProviders II

- Apps can be dynamically authorized access
  - Possible security hole
- Must protect against SQL injection
  - Sanitize input using parameterization

Intent Reflection

- Intents may be sent when app is called
- App sends Intent as app and not as caller: reflection
  - May exceed caller’s permissions
- Use PendingIntent instead; intent correctly identified as coming from caller

File System

- Internally standard Linux file systems
  - yaffs2, ext*
- Support standard Unix permissions
- Vulnerabilities if permissions not set correctly
  - Sensitive data could be read
  - Other programs could write junk/waste space

File System II

- Consider what files need what protections
  - Config files: not writeable
  - Log files: not world readable
- Mass storage formatted as FAT, no Unix permissions support
  - All data world readable
  - Consider encryption

Binder

- Kernel module that provides secure IPC on top of the standard Linux shared memory architecture
- Includes interface to Parcelable
  - Parcelable objects are passed by Binder
- Can also move file descriptors, and other Binders

Binder II

- Efficient, secure IPC
- Check caller’s permissions / identity
- Only selectively give out interface
  - Once given out, interface can be disseminated freely
- All Binders are globally unique
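Added example (written for this page, not code from Jesse Burns's slides) that ties together the Services II check, the Binder II "check caller's identity" point and the Intent Reflection warning: a Service that gates every remote Binder call on the caller's own permission, and a client that runs the slide's checkPermission call before trusting the Service it bound. The package, permission name, interface descriptor and token value are assumed placeholders.

```java
import android.app.Service;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.ServiceConnection;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

/** Service side: each cross-process Binder call is gated on the remote caller's permission. */
public class VaultService extends Service {
    // Assumed custom permission, declared in this app's manifest with protectionLevel="signature",
    // so only packages signed with the same key as this app can hold it.
    public static final String PERM_READ_VAULT = "com.example.vault.permission.READ_VAULT";
    public static final String DESCRIPTOR = "com.example.vault.IVault";
    public static final int CODE_GET_TOKEN = Binder.FIRST_CALL_TRANSACTION;
    private final Binder binder = new Binder() {
        @Override protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // checkCallingPermission tests the caller's UID, not this app's own grants, so a
            // permission we hold is never "reflected" onto an unprivileged caller.
            if (checkCallingPermission(PERM_READ_VAULT) != PackageManager.PERMISSION_GRANTED)
                throw new SecurityException("uid " + Binder.getCallingUid() + " lacks " + PERM_READ_VAULT);
            if (code != CODE_GET_TOKEN) return super.onTransact(code, data, reply, flags);
            data.enforceInterface(DESCRIPTOR); // a malformed Parcel without our token fails here
            reply.writeNoException();
            reply.writeString("placeholder-token"); // constructed stand-in for the real secret
            return true;
        }
    };
    @Override public IBinder onBind(Intent intent) { return binder; }
}

/** Client side: the slide's checkPermission call, run before trusting whatever got bound. */
class VaultClient implements ServiceConnection {
    private final Context ctx;
    VaultClient(Context ctx) { this.ctx = ctx; }
    @Override public void onServiceConnected(ComponentName name, IBinder service) {
        // Only a package holding the signature-level permission can be the genuine vault app.
        int res = ctx.getPackageManager().checkPermission(VaultService.PERM_READ_VAULT, name.getPackageName());
        if (res != PackageManager.PERMISSION_GRANTED) {
            ctx.unbindService(this);
            throw new SecurityException("impostor service in " + name.getPackageName());
        }
        // Now safe to call service.transact(VaultService.CODE_GET_TOKEN, ...) with the DESCRIPTOR token.
    }
    @Override public void onServiceDisconnected(ComponentName name) { }
}
```

Bind with an explicit component (Intent.setClassName) rather than an action string, since, as the Intent Filters slide says, filters provide no security.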