
A Comparison of Android and iOS Security Models

Trevor L. Buttrey

Computer and Information Sciences



Reasons for Concern

  • Smartphones are advancing technologically

  • Have become popular

  • People are growing more dependent upon them

  • Size makes them easy to lose

  • Security problems are becoming more of an issue as users store more and more personal information on them


Unsecure Devices Allow

  • Access to emails and social networking accounts

  • Access to personal messages

  • Access to phone book

  • Access to phone accounts

  • Access to personal and confidential information


Unsecure Devices Allow

  • Access to bank accounts

  • Access to mobile payments

  • Access to web accounts

  • Access to passwords

  • Knowledge of location


The 5 Security Pillars

Traditional Access Controls

Permissions-based Access Control

Encryption

Application Provenance

Isolation


Traditional Access Controls


Traditional Access Control

iOS

  • Password and passcode locking mechanisms

  • Touch ID

  • Device self-wipe capabilities

  • Lockout of internal memory if not unlocked

  • Memory is soldered to PCB


Traditional Access Control

Android

  • Starting with 2.x: password, passcode, and pattern locking mechanisms

  • 4.0 introduced facial recognition

  • Other locking methods include fingerprint readers and pictures.

  • Lockout of internal memory if not unlocked

  • SD card removable


Data Encryption


Data Encryption

iOS

  • Hierarchy of encryption keys:

    • Passcode Key

    • Hardware Keys: Unique ID (UID) and device group ID (GID)

      • AES 256-bit keys

      • Built Into Hardware and not directly accessible

    • File System Key

      • Generated Randomly and stored in Flash Memory

      • Used to encrypt File Metadata

    • Per File Key

      • Encrypted by Class Key for file’s encryption class

      • Encrypts contents of files on disk


Data Encryption

iOS

  • Encryption Classes

    • Complete Protection

      • Only decryptable when unlocked, unusable when locked

    • Protected Unless Open

      • Uses Asymmetric Elliptic Curves (it’s complicated)

    • Protected Until First User Authentication

      • Similar to FDE

    • No Protection

      • Only protected by UID


Data Encryption

iOS

  • Effaceable Storage

    • Low Level access to storage for secure wiping

    • Used to erase File System Key
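
The key hierarchy and the effaceable-storage wipe from the slides above, as a toy Python model added here (not part of the original presentation and not Apple's code). `ToyDevice`, `seal` and `unseal` are hypothetical names; SHA-256 in counter mode with an HMAC tag stands in for the hardware AES engine, and the class key is derived directly from passcode and UID as a simplification.

```python
import hashlib, hmac, os

def _xor_stream(key, data):  # SHA-256 counter mode: toy stand-in for hardware AES
    blocks = range((len(data) + 31) // 32)
    pad = b"".join(hashlib.sha256(key + n.to_bytes(8, "big")).digest() for n in blocks)
    return bytes(a ^ b for a, b in zip(data, pad))

def _subkeys(key):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal(key, plaintext):  # encrypt, then append a tag so a wrong key is detected
    enc, mac = _subkeys(key)
    ct = _xor_stream(enc, plaintext)
    return ct + hmac.new(mac, ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc, mac = _subkeys(key)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, ct, hashlib.sha256).digest()):
        raise ValueError("wrong or erased key")
    return _xor_stream(enc, ct)

class ToyDevice:
    def __init__(self, passcode):
        self._uid = os.urandom(32)        # hardware UID key, never leaves the chip
        self.effaceable = os.urandom(32)  # file system key, kept in effaceable storage
        self.flash = {}                   # name -> (encrypted metadata, encrypted contents)
        self.unlock(passcode)

    def unlock(self, passcode):  # simplification: class key derived from passcode + UID
        self.class_key = hashlib.pbkdf2_hmac("sha256", passcode, self._uid, 1000)

    def lock(self):  # Complete Protection: class key is discarded on lock
        self.class_key = None

    def write(self, name, contents):
        file_key = os.urandom(32)                  # per-file key
        wrapped = seal(self.class_key, file_key)   # wrapped by the class key
        metadata = seal(self.effaceable, wrapped)  # metadata under the file system key
        self.flash[name] = (metadata, seal(file_key, contents))

    def read(self, name):
        if self.class_key is None:
            raise PermissionError("device locked")
        metadata, body = self.flash[name]
        file_key = unseal(self.class_key, unseal(self.effaceable, metadata))
        return unseal(file_key, body)

    def wipe(self):  # erasing one 32-byte key strands every file on flash
        self.effaceable = os.urandom(32)
```

After `wipe()`, the encrypted contents are still in `flash`, but the metadata holding each wrapped per-file key can no longer be decrypted, which is why erasing the file system key is enough for a secure wipe.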


Data Encryption

iOS

  • Secure enclave

    • Securely process fingerprints

    • Is given the key to decrypt the complete protection data class when locked.

    • Separate and directly inaccessible to OS


Data Encryption

Android

  • Some data encryption present

  • Android 3.x “Honeycomb” and above support full filesystem encryption (AES128 CBC & ESSIV:SHA256)

  • SD card encryption is not supported on any version in AOSP

  • Device Manufacturers Can implement this themselves


Data Encryption

Android

  • Samsung Knox:

    • Brings Android closer to iOS

    • Supports AES-256 encryption of internal storage and SD cards


Permissions-based Access Control


Permissions-based Access Control

  • After an app is installed, it has access to all permitted resources of that device

  • It can perform any kind of malicious operation using the permissions provided


Permissions-based Access Control

iOS

  • Each app is given only certain permissions by iOS

  • Once installed, user has granted app access to any of the device’s resources

  • Apps can use most resources without additional permission

  • May access things they don’t need

  • Does not require permission of the user


Permissions-based Access Control

Android

  • Follows Capability-Based Security Model

  • App must request specific permissions from OS before access

  • User sees what is being requested and must grant permission before app is installed

  • Once app is granted permission, it could perform malicious activity using those permissions


Permissions-based Access Control

Android vs. iOS

  • Android allows more access to the system than iOS does

  • Android only gives explicit permissions to apps while apps installed on iOS can perform any operation as defined by the OS


Default App Permissions: Android vs. iOS

iOS

Android

Internet

YouTube History

Phone Number

Read SD Card

WiFi Connection Logs

List of Installed Apps

Address Book

Music/Video Files

Calendar

Safari Search History

Mic and Video Camera

Launch An Installed App

Device UID

Auto-Complete


Requestable App Permissions: Android vs. iOS

iOS

Android

Location (GPS)

Prevent Phone From Sleeping

Internet

Fine Location (GPS)

Coarse Location (Network)

Record Audio

SMS/MMS Send/Receive

Calendar

Address Book

Push Notifications

Manage Accounts

Make Phone Call

Music/Video/Picture

SD Read/Write

Make and Terminate Calls

Control NFC

Send SMS/MMS

Access Device Logs

Obtain Task List

Make Bluetooth Connections


Which is Legitimate?

AndroidOS.FakePlayer

Legit Video Player


Application Provenance


Application Provenance

iOS

  • Robust signing system

  • Apple provides digital certificate only to those who register

  • $100 per year

  • Thorough analysis of apps, takes weeks


Application Provenance

Android

  • Not a robust signing system

  • Anonymous signing certificates can be made without oversight from Google

  • Allows legitimate applications to be repackaged after adding malware

  • Although not signed with the same signature, they will be signed, and can be distributed on the web.
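
One way to act on the point above, added here as an example that is not part of the original presentation: since a repackaged app still carries a valid signature, compare the signer's certificate digest with a pinned value. The sample text imitates the output of `apksigner verify --print-certs`; the digests, developer names and function names are constructed for illustration.

```python
import re

# Per-signer line as printed by `apksigner verify --print-certs`
_DIGEST_LINE = re.compile(
    r"^Signer #(\d+) certificate SHA-256 digest: ([0-9a-fA-F]{64})\s*$", re.M)

def signer_digests(print_certs_output):
    """Map signer number -> lowercase SHA-256 digest of its certificate."""
    return {int(n): d.lower() for n, d in _DIGEST_LINE.findall(print_certs_output)}

def check_provenance(print_certs_output, pinned_digest):
    """Judge an APK by who signed it, not by whether a signature is present."""
    digests = set(signer_digests(print_certs_output).values())
    if not digests:
        return "no-signer-found"
    if digests == {pinned_digest.lower()}:
        return "expected-signer"
    return "unexpected-signer"  # validly signed, but by someone else

# Constructed sample data: placeholder digests, not real certificates
PINNED = "a1" * 32
GENUINE = ("Signer #1 certificate DN: CN=Example Developer\n"
           f"Signer #1 certificate SHA-256 digest: {PINNED}\n")
REPACKAGED = ("Signer #1 certificate DN: CN=Unknown\n"
              f"Signer #1 certificate SHA-256 digest: {'b2' * 32}\n")

if __name__ == "__main__":
    for label, text in (("genuine", GENUINE), ("repackaged", REPACKAGED)):
        print(label, "->", check_provenance(text, PINNED))
```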


Isolation


Programming

iOS:

  • All apps are Objective-C or Swift

Android:

  • Apps run in Dalvik JVM

  • Android does not use the VM as its main form of isolation, as not all code runs in the VM

  • Most web browsers use significant amounts of native code


Isolation

iOS

  • Sandboxed

    • Own home directory

    • Must use APIs to access or modify system settings

    • Cannot communicate with other apps directly

    • Nothing runs as root except kernel


Isolation

iOS

  • Declared Entitlements

    • Digitally signed

    • Allow extra permissions

    • Alternative to running as root


Isolation

Android

  • Sandboxing

    • Uses native Linux user-based permissions model

    • Each app is its own user

    • Secured by the Linux kernel itself


Isolation

Android

  • Samsung Knox:

    • Further separates applications

    • Prevents access to Android APIs

    • Reduces API set; allows data in, but not out


Jailbreaking, Rooting, and Exploits


Jailbreaking, Rooting, and Exploits

iOS

  • Jailbreaking: Uses exploits (buffer overflows among other things) to allow unsigned code to run

Android

  • Rooting: Uses exploits (usually buffer overflows) to load a su binary (usually harder than it sounds) to allow apps to run with elevated privileges


Jailbreaking, Rooting, and Exploits

The Point:

Although the uses for the exploits are usually beneficial for the user, their existence represents flaws in the OSes that can be leveraged by malicious apps.


Jailbreaking and Rooting

Advantages:

  • The (hacking) community can push out patches for other exploits faster than the manufacturers (iOS PDF)

  • Finer control over the system


Jailbreaking and Rooting

Disadvantages:

  • May cause security vulnerabilities

  • May “brick” the device

  • May void the warranty


After running the exploits, the device may become vulnerable in other ways (iPhone.Ikee)


Summary

  • Both have Strong Isolation

  • iOS’s permission system is static, but the vetting process makes it harder for apps to abuse permissions.

  • Android’s Permission system is flexible, but requires user vigilance.

  • Both have Strong Traditional access controls

  • Both have encryption on recent versions; however, Android 2.x versions don’t have any, and 3.x+ encryption pales compared to iOS

  • Apple has a stronger vetting process, but also takes longer for app updates

  • Android has weaker vetting process, but updates get pushed out almost immediately


xkcd.com
