3 Android Filesystem Layout The mounts of interest/ - root of the filesystem hierarchy/system - the ROM that holds all system binaries/data - RW location for user applications/cache - transient data space for user applications/efs - phone specific information like IMEI number/mnt/sdcard - fat32 filesystem with no inbuilt security
4 Application locations System applications/system/app/<AppName>.apkUser applications/data/app/<AppName>.apk (preloaded)/data/app/<AppPkgName>-1.apk (downloaded)/mnt/secure/asec/<AppPkgName>-1.apk (sdcard)
5 App SigningAll apps are signed with a key to provide android with the ability to distinguish distributors of softwarePossible to group applications in the same security context when two applications are signed with same key giving identical digital signature
6 Android Debug BridgeAndroid Debug Bridge allows the developer access to the Android device connected via usb or IPOnce connected to a device, ADB provides developers an interface to interact with a rich suite of tools to manage the device
7 ADB Push / PullUsing ADB we are able to transfer files from/to the devicePull test.txt off the device and place in pwdadb pull /mnt/sdcard/test.txt [local location]Push local test.txt to sdcard on the deviceadb push ./test.txt /mnt/sdcard
8 Android Manual Install Manually install applicationadb push com.myapp.hello.apk /data/app/(Permissions need to be changed to 0644)adb install com.myapp.hello.apkManually uninstall applicationadb uninstall com.myapp.hello
9 Package Managerpm is a tool that is provided to manage and provide details about applications and permissions.List all applicationspm list packagesFind location of an applicationpm path com.myapp.helloworldList available permissionspm list permissions -f
10 Activity Manager: Sending Intents The activity manager provides the mechanism to start an instance of a graphic applicationusing adb we are able to start applications viaam start -a android.intent.action.CALL -d tel:
11 Service ManagerThe service manager can also be invoked via command line to send messagesservice call isms 5 s16 "+??????????" i32 0 i32 0 s16 "SMS TEXT HERE"
13 init (1)Responsible for creating mounts and file permissions associated with mountReads initrc file which contains these directories, mounts and file permissionsResponsible for further starting other processes/daemons
14 daemons (2)Native linux daemons such as the following are started by initnetd (manages network connections)vold (manages volumes such as sdcard)usbd (manages USB connections)debuggerd (debug processes - coredump)rild (manages communication with the radio)zygote
15 zygote (3)init launches zygote which loads classes and listen for requests to spawn new applications through an instance of a dalvik virtual machineUtilises copy-on-write memory references when forking its process to reduce memory footprint
16 Runtime/Service Manager (4a/b) init starts android runtime process which initialises the Service ManagerService Manager is the context manager for binder that is responsible for service registration and lookupsAndroid runtime then sends a start signal for zygote to create an instance of System Service (Android Services)
17 dalvik (5)Zygote has received a signal to instantiate a dalvik virtual machine instance for the Android System Server
18 System Server (6)Zygote forks itself with appropriate permissions and starts the System Server instanceIts role is to bootstrap all the android services required by the android framework which provide services to applications
19 Native System Services (7) Native System Services are services that integrate with the operating system to provide low latency and high availability services such as the audio and surface flingerAudio Slinger provides audio management and multiplexing while Surface Flinger is the composition framework to display graphics
20 Native System Services (7) continued Native System Services register themselves with Service Manager allowing them to be available through IPC for other applications or processes
21 Android System Services (8) Android System Services provide high level framework services for applicationsThese services like Native System Services register themselves with Service Manager allowing for IPC communication from Android applications and other services
22 Android DevelopmentAndroid provides users familiar with Java an easy route to build mobile applications. Google provides a SDK and NDK which enable the developer to call upon rich libraries and tools.
23 Software Development Kit (SDK) The android Software development kit provides libraries and tools to develop standard java applications. Some of the tools allow for automatic installation of various android platforms and their associated libraries - eg. Ice Cream Sandwich.Included in the ADT bundle is the SDK and an eclipse environment configured and setup for building/developing Android applications.
24 Native Development Kit (NDK) Android allows for native libraries to be used with the android environment.These libraries are C/C++ based and give developers greater performance gains for intensive hardware operations.
25 Repackaging howto: reverse engineering an application – open the apk archive to access smali-$ apktool d com.hello outORrun dedexer (convert apk to jar archive)run a java decompiler or use jdgui
26 Insert the payload Still have key signing issue But users can be unaware of the dangers
31 NotesThese attacks were aimed at Samsung devices which have been known to implement their own sdk libraries for android.These have not been tested as vigorously as would be liked and have been proven to provide further vulnerabilities.
32 Permissions Concerns android.permission.SEND_SMS / RECEIVE_SMS android.permission.SYSTEM_ALERT_WINDOWandroid.permission.READ_CONTACTS / WRITE_CONTACTS android.permission.READ_CALENDAR / WRITE_CALENDARandroid.permission.CALL_PHONEandroid.permission.READ_LOGSandroid.permission.ACCESS_FINE_LOCATIONandroid.permission.GET_TASKSandroid.permission.RECEIVE_BOOT_COMPLETEDandroid.permission.CHANGE_WIFI_STATEcom.android.browser.permission.READ_HISTORY_BOOKMARKS /WRITE_HISTORY_BOOKMARKSSourced from Google IO 2012 and marakana.com
33 References Android: http://developer.android.com/index.html Google IO: https://sites.google.com/site/io/Marakana:Genome project