1 / 24

Understanding Android Security

Understanding Android Security. WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL. Presented By Abhishek Singh Computer Science Department Kent state University. Outline . Introduction History Android OS Android development structure Android ADT interface Example Application

mircea
Download Presentation

Understanding Android Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Understanding Android Security WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL Presented By Abhishek Singh Computer Science Department Kent state University

  2. Outline • Introduction • History • Android OS • Android development structure • Android ADT interface • Example Application • Security Enforcement • Security refinement

  3. Introduction • Next generation of open operating system . • Not only complaint with desktops and mainframe. • Now computing is integrating with mobile open operating system. • Increasing data service in cell phones • More secure and invulnerable OS is indispensible.

  4. History • Android In was founded in Palo Alto California United state by Andy Rubin , Rich Miner and Chris White – October 2003 • Google acquired Android Inc – August 2006 • The Open Handset Alliance , a consortium of several companies was formed – 5 November 2007 • First Android Device , the HTC Dream(G1) , featuring Android 1.0

  5. Android OS • Open operating system designed for mobiles , tablets and other systems. • Application middle layer , java software development tool kit (SDK) and system applications. • Extension to Google Service • Integration - Gmail , Calendar , Contacts and Web Application

  6. Continue… • Android officially doesn’t support application on top of java middleware layer running in a embedded Linux kernel. • Controlled application interaction with its API • Permission label assignment model to restrict to access resources and other application.

  7. Android Application developmentStructure • It doesn’t have main function • It doesn’t have single entry point for the execution of the whole application. • Application in android is segmented into many different components . • Like - Main activity , manifest file , XML file

  8. Android – ADT interface

  9. Example Application • Functionality of an application ramified into two different applications.

  10. Components • There are primarily four components 1. Activity - It is the application user interface , in this each screen for an activity is designed. 2.Service – it is a background processing for using different service(like camera , Bluetooth , internet service etc) 3.Content Provider – It stores data and retrieve using relational database interface . 4.Broadcast receiver- Act as a mailbox for other applications.

  11. Interaction between two components • Primary mechanism for component interaction is Intent (Message box container) . • To start the Main activity • 1. Start Activity (Intent) • 2. start Service (Intent) • 3. send Broadcast (Intent)

  12. Continue… • To execute the main application android framework invoke these 3 methods • Inter component communication(ICC) is called Action i.e. particular intend to action string. • Each ICC actions depends upon the target component. • Friend Viewer– starts – FriendMap activity (Screen)

  13. Security Enforcement

  14. Security Enforcement • Protection : 1. System Level 2. ICC level • ICC core security framework • Each application – Unique user Identity • Restrict damage from programming flaws • Which in turn restrict exploitation to other applications.

  15. MAC(Mandatory Access Control) • Permission labels are assigned to each application. • Restrict from using all resource .

  16. MAC Enforcement

  17. Permissions • <manifest xmlns:android="http://schemas.android.com/apk/res/android" • package="com.example.android.apis"> • <uses-permission android:name="android.permission.READ_CONTACTS" /> • <uses-permission android:name="android.permission.WRITE_CONTACTS" /> • <uses-permission android:name="android.permission.VIBRATE" /> • <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" /> • <uses-permission android:name="android.permission.INTERNET" /> • <uses-permission android:name="android.permission.SET_WALLPAPER" /> • <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" /> • <uses-permission android:name="android.permission.SEND_SMS" /> • <uses-permission android:name="android.permission.RECEIVE_SMS" /> • <uses-permission android:name="android.permission.NFC" /> • <!-- For android.media.audiofx.Visualizer --> • <uses-permission android:name="android.permission.RECORD_AUDIO" /> • <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="14" /> • <!-- We will request access to the camera, saying we require a camera • of some sort but not one with autofocus capability. --> • <uses-permission android:name="android.permission.CAMERA" />

  18. Security Enforcement • Public Vs Private Components : • Restrict access of an application component from another application (like stored password for security) by defining it as private component. • II. Implicitly Open Components : • If the access permission at the application development time is not clear Android permits any application to access it. • III. Broadcast Intent Permission: • If the broadcast intent is not protected it leads to privacy risk. • Developer control how information is disseminated by specify a permission label to restrict access to the intent object.

  19. Security Enforcement • Content Provider Permission: • Android allow developer to assigning read and write permission on contents, so that every content can be update only by its application and available to read for other application. • Protected APIs: • To some system resources Android provide direct API access and to protect these APIs, addition permission label is use. Application has to delayer a corresponding permission label in its manifest file.

  20. Security Enforcement • Permission Protection Levels: • framework developer can use the specific functionality (for ex. Google app can use telephony or API directly) • Pending intent : • Intent object is define to perform an action, instead of performing action developer passes the intent to special method which create Pending Intent. The Pending Intent object is simply a reference pointer that can pass to another application via ICC. It included in framework to work with third party application.

  21. Rooting (Android OS) • Processes of allowing user to haveprivilege control or root access. • Modify system files: themes, core apps, boot images, linux binaries, etc. • Run applications that require • system level access. • Balance the risk with freedom

  22. Open Area of Research • Complex Update Process Continuous Internet Connection • Operating System Fragmentation • Android: Good for Consumers, Bad for Developers • Security Issues • Advertisements

  23. References • Official Android website: www.android.com / developer.android.com • J.P. Anderson, Computer Security Technology Planning Study, tech. report ESD-TR-73-51, Mitre, Oct. 1972. • M.A. Harrison, W.L. Ruzzo, and J.D. Ullman, “Protection in Operating Systems,” Comm. ACM, • http://securityevaluators.com/content/case-studies/android/ • Wikipedia , Google

  24. Reference • http://securityevaluators.com/content/case-studies/android/

More Related