Presentation is loading. Please wait.

Presentation is loading. Please wait.

Android System Security

Published byBenedict Boyd Modified over 7 years ago

Similar presentations

Presentation on theme: "Android System Security"— Presentation transcript:

1 Android System Security
Xinming Ou

2 Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) Consists of a base operating system (Linux), an application middleware, and a Java SDK. Available since 2007; first Android phone debut in 2008. Currently the most popular smart-phone platform

3 Android System Overview
App App App …… Application Middleware Linux OS Hardware

4 Security Considerations
A smart phone is “mostly” a single-user system The security goal is primarily to protect the user and his/her data The security goal also includes that critical functions of the phone shall not be hampered The apps a phone runs are from manufacturers and app stores The origin of the apps could be untrustworthy – apps could be vulnerable or outright malicious

5 Basic Protection – Android Sandbox
Each application runs as a user process in the Linux OS with a unique user ID At install time, Android gives each package a distinct Linux user ID Two apps can run under the same user ID if they are signed by the same key This creates a sandbox for each app, so that Linux isolates applications from each other and from the system. An app cannot directly access resources owned by another app if they have different user ids. It does not matter how the app is built

6 However Apps need to communicate with each other and the system
A restaurant recommender app may need to launch a map app to show a restaurant’s location on map An app may need to launch a PDF viewer to open an attachment A messenger app may need to receive text messages sent to the phone

7 Android App Components
Each Android app contains one or more components of the following types: Activity: A GUI screen Service: background processing Broadcast Receiver: receives messages from other component Content Provider: store and share data

8 An Example Source: Understanding Android Security, Enck, et al., IEEE Security & Privacy, 09

9 Inter-Component Communication (ICC)
Source: Understanding Android Security, Enck, et al., IEEE Security & Privacy, 09

10 Security Protection for ICC
An ICC interface is protected in two ways: A private component cannot be accessed outside of the app A component can be protected by permissions A permission is a label defined by the system or app developer to protect an Android component

11 Android Permission Protection
Source: Understanding Android Security, Enck, et al., IEEE Security & Privacy, 09

12 Policy Specification Each Android app package contains a “manifest file” that defines all the components in the app, and the permissions needed to access each component The manifest file also contains a list of permissions the app requests from the system and/or user

13 Difficulty in Understanding Policy
Policy can be changed dynamically at runtime, in the app’s code A message can be sent requiring a specific permission to receive it at runtime A runtime permission check can be performed to access a component’s public method

14 Difficulty in Understanding App’s Behaviors
An app, when given a set of permissions, may misuse them to harm other apps and the user. It is not trivial to understand how an app will use the given permissions

15 Cellular network, Internet, GPS, etc.
How Android app works Cellular network, Internet, GPS, etc. Event User Android System Event System event Input Find the handler Send intent or Call some callback method Component C Component A Component B App B App A

16 Cellular network, Internet, GPS, etc.
How Android app works Cellular network, Internet, GPS, etc. Android System Find the target Intent i Intent i Intent i Component C Component A Component B App B App A

17 A Motivating Example: Sensitive-SMS App
DataGrabber Activity Leaker Activity onCreate(Bundle …){ String s1 = getSensitiveData(); Intent i1 = new Intent(); i1.setClass(…, Leaker.class); i1.putExtra(“key”, s1); startActivity(i1); } onCreate(Bundle …){ Intent i2 = getIntent(); String s2 = i2.getStringExtra(“key”); SmsManager sms = SmsManager.getDefault(); sms.sendTextMessage(…, s2, …); } 4 5 2 App 3 Environment of DataGrabber Environment of Leaker Intent p1 Intent p2 Android System Model 1

18 Collect sensitive data d
Problem 1: Data Leakage Collect sensitive data d Send Intent with d Data leak source sink ICC App X Comp X.1 Comp X.2 Comp X.3 Another App X.1 sends an explicit intent to X.2. X.2 sends an implicit intent which can possibly reach another app.

19 Problem 2: Data Injection
Receive Intent Send Intent Network I/O source sink App Y Comp Y.1 Comp Y.2 Injecting ill-crafted intent

Download ppt "Android System Security"

Similar presentations

Android Application Development A Tutorial Driven Course.

Android Application Development A Tutorial Driven Course.
Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.

Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.
Application Fundamentals Android Development. Announcements Posting in D2L Tutorials.

Application Fundamentals Android Development. Announcements Posting in D2L Tutorials.
MOOC on M4D 2013 I NTRODUCTION TO THE A NDROID P LATFORM Ashish Agrawal Indian Institute of Technology Kanpur.

MOOC on M4D 2013 I NTRODUCTION TO THE A NDROID P LATFORM Ashish Agrawal Indian Institute of Technology Kanpur.
Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.

Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.
Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.

Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.
Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.
Security of Mobile Applications Vitaly Shmatikov CS 6431.

Security of Mobile Applications Vitaly Shmatikov CS 6431.
Mobile Programming Pertemuan 6 Presented by Mulyono Poltek NSC Surabaya.

Mobile Programming Pertemuan 6 Presented by Mulyono Poltek NSC Surabaya.
ANDROID PROGRAMMING MODULE 1 – GETTING STARTED

ANDROID PROGRAMMING MODULE 1 – GETTING STARTED
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Case study 2 Android – Mobile OS.

Case study 2 Android – Mobile OS.
Emerging Platform#4: Android Bina Ramamurthy.  Android is an Operating system.  Android is an emerging platform for mobile devices.  Initially developed.

Emerging Platform#4: Android Bina Ramamurthy.  Android is an Operating system.  Android is an emerging platform for mobile devices.  Initially developed.
Presentation By Deepak Katta

Presentation By Deepak Katta
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
About me Yichuan Wang Android Basics Credit goes to Google and UMBC.

About me Yichuan Wang Android Basics Credit goes to Google and UMBC.
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.
2015. 4. 28 박 종 혁 컴퓨터 보안 및 운영체제 연구실 MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications,

박 종 혁 컴퓨터 보안 및 운영체제 연구실 MobiSys '11 Proceedings of the 9th international conference on Mobile systems, applications,
Introduction to Android Swapnil Pathak www.SecurityXploded.com Advanced Malware Analysis Training Series.

Introduction to Android Swapnil Pathak Advanced Malware Analysis Training Series.

Similar presentations

Ads by Google