Presentation is loading. Please wait.

Presentation is loading. Please wait.

Android Security What is out there? Waqar Aziz. Android Market Share - I 2.

Published byWilfrid McDaniel Modified over 8 years ago

Similar presentations

Presentation on theme: "Android Security What is out there? Waqar Aziz. Android Market Share - I 2."— Presentation transcript:

1 Android Security What is out there? Waqar Aziz

2 Android Market Share - I 2

3 Android Market Share - II 3

4 Android Market Share - III 4

5 Android App Market Security Model No formal application screening process. Any developer can upload an application. Android Market relies on community to identify and flag: Malfunctioning applications Malicious applications Inherently, early adopters suffer if the application is malicious. Note: Unlike iPhone, Android application can be directly downloaded and installed from a third party as well. 5

6 Phishing App Example Bank Phishing application: Advertised to do banking activities from phone. User to give account information and credentials for the app to facilitate banking activities. In reality the app did only the following: Open the banking website in phone’s browser. That’s it!! A number of users were scammed before the application was taken out from Android Market. 6

7 Android Market Statistics About 20% of 48,000 apps in Android Marketplace allow a third-party application access to sensitive or private information. 5% apps can place calls to any number without user interaction. 2% apps can send text messages without user interaction. 29 apps require the exact same permissions as applications that are known to be spyware. 383 apps have the ability to read and use the authentication credentials from another app or service. 7

8 Android Security Apps - I Both apps are developed by Pittsburgh based security researcher and hacker who goes by Moxie Marlinspike. RedPhone Uses ZRTP, Internet voice cryptography scheme. It uses two users’ keys to create a passphrase, which is later displayed at both ends for users to verify. SecureText Encrypted text messages. Both apps generate a new key for every communication session. 8

9 Android Security Apps – II OI Safe It saves password and other private data with AES encryption. No information is kept online. It works with OI Notepad to encrypt notes, and with Obscura to encrypt pictures. Other apps for content encryption: B-folder + sync Secrets-for-android 9

10 Android Manifest - I Android Manifest does the following: Declares application’s components Identifies any permissions that the application expects to be granted: Access the Internet, read phone contacts, access sensors, etc. Thus, what an application can and cannot do is constrained by the total set of permissions that can be granted in a Manifest file. Currently, almost all user content and private data can be accessed from phone’s internal phone and SD card. However, no permission can be granted to do anything on system level except for accessing some small number of settings. 10

11 Android Manifest - II 11

12 Anti-malware Apps - I Smobile Security Shield It does permission-based malware detection. Scans manifest files of apps installed on phone, and flags them based on suspicious manifest permissions. Maintains a database of manifest files of all apps on Android Market & other 3 rd party sources. Scans application signatures. Maintains a database of application signatures. 12

13 Anti-malware Apps - II WaveSecure Remotely wipes out all user data. Tracks and locates the phone. Lock the phone as soon as SIM change is detected. Protection again application uninstallation. Backs up and restores private data – SMS, contacts, etc. Other similar apps Mobile Defense 13

14 What you see is what they get - I “Google’s Android OS grants access to sensors such as cameras and audio inputs only if their use is disclosed at installation time. At installation time, a user may not understand an application well enough to determine why it would need sensor data or guage its trustworthiness…” “…iPhone instead uses standardized OS interface to prompt the user user to approve access…” 14

15 What you see is what they get - II Sensor-access widget: When an application requests access to a sensor, runtime environment overlays a GUI widget on a portion of the screen, such as status bar, to notify user of a sensor access. 15

16 What you see is what they get - III SWAAID (Show Widget and Allow After Input & Delay): Turn sensors from passive into active input devices. User intervention is required before sensor access. User can also enable access without any intervention for a while. Then the waiting period (or delay) is intended to give the user sufficient time to notice and respond to the sensor access. _ 16

17 I am allowing what? A paper on Application Authority Disclosure by Microsoft Research “…the great majority of participants preferred designs that used images or icons to represent resources. This great majority also disliked designs that used paragraphs, the central design element of Facebook’s disclosures, and outlines, the central design element of Android’s disclosures.” 17

18 Rooting Android Rooting Android: Gaining root access to Android operating system. It can be deemed as similar to iPhone jailbreaking. Why root Android? To gain full control over the system. Modify system files: themes, core apps, boot images, linux binaries, etc. Run applications that require system level access … 18

19 Other Findings… Not a single application currently does user authentication using accelerometer. No application attempts to do anything on a system level, such as access network packets. Two main reasons for the above findings: Android Manifest does not permit anything on system level, such as, replacement of factory default user authentication mechanism or access to other applications’ traffic. An application written for rooted Android will not work on non-rooted Android phones. Apps for rooted Android: Internet tethering, ad-hoc network, … 19

20 Questions? 20

21 Sources 1.http://developer.android.com/reference/android/Manifest.permission.h tml 2.http://threatcenter.smobilesystems.com/wp-content/plugins/download- monitor/download.php?id=8 3.http://research.microsoft.com/pubs/131132/devices-camera-ready.pdf 4.http://blogs.forbes.com/firewall/2010/05/25/android-app-aims-to-allow- wiretap-proof-cell-phone-calls/ 5.http://research.microsoft.com/pubs/131517/AppAuth.pdf 6.http://www.openintents.org/en/node/205/ 7.http://www.openintents.org/en/node/231 8.http://threatcenter.smobilesystems.com/?category_name=news 9.http://portal.acm.org/citation.cfm?id=1613858.1613878 10.http://smarterware.org/3189/why-and-how-to-root-your-android-phone 11.http://android-dls.com/wiki/index.php?title=Why_Roothttp://android-dls.com/wiki/index.php?title=Why_Root 12.http://metrics.admob.com/ 21

Download ppt "Android Security What is out there? Waqar Aziz. Android Market Share - I 2."

Similar presentations

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.

Providing protection from potential security threats that exist for any internet-connected computer is termed e- security. It is important to be able to.
Kadra Alvaro April,2010. Introduction: The Android Platform Threats to Smartphones Android-Specific Threats How to Secure Your Android Device The Future.

Kadra Alvaro April,2010. Introduction: The Android Platform Threats to Smartphones Android-Specific Threats How to Secure Your Android Device The Future.
Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.

Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.
1 GP Confidential ©2013 1 GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)

1 GP Confidential © GlobalPlatform’s Value Proposition for Mobile Point of Sale (mPOS)
6218 Mobile Devices- Are They Secure Enough for our Patient's Data? Presented By Aaron Hendriks, CISSP Other: Employee of University Health Network, Toronto,

6218 Mobile Devices- Are They Secure Enough for our Patient's Data? Presented By Aaron Hendriks, CISSP Other: Employee of University Health Network, Toronto,
1 Alcatel Onetouch Antivirus. 2 Thinking about security on your smartphone Alcatel OneTouch? We have the solution. Among the applications on your smartphone,

1 Alcatel Onetouch Antivirus. 2 Thinking about security on your smartphone Alcatel OneTouch? We have the solution. Among the applications on your smartphone,
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Vivek-Vijayan University of Tennessee at Chattanooga.

Vivek-Vijayan University of Tennessee at Chattanooga.
Chung Man Ho Willims Chow Man Kei Gary Kwok Pak Wai Lion.

Chung Man Ho Willims Chow Man Kei Gary Kwok Pak Wai Lion.
Apple iPhone I-224 March 21, 2007 I-224 March 21, 2007.

Apple iPhone I-224 March 21, 2007 I-224 March 21, 2007.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
ENCRYPTION Coffee Hour for August 2014. HISTORY OF ENCRYPTION Scytale Ciphers – paper wrapped around rod, receiver needed same size rod to get the message.

ENCRYPTION Coffee Hour for August HISTORY OF ENCRYPTION Scytale Ciphers – paper wrapped around rod, receiver needed same size rod to get the message.
William Enck, Machigar Ongtang, and Patrick McDaniel.

William Enck, Machigar Ongtang, and Patrick McDaniel.
Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.

Security Liaisons Information Presentation. Introduction  What’s the big deal with computer security? Don’t we have an IT security department to take.
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
Presentation By Deepak Katta

Presentation By Deepak Katta
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
Chapter 10: Authentication Guide to Computer Network Security.

Chapter 10: Authentication Guide to Computer Network Security.
eScan Total Security Suite with Cloud Security

eScan Total Security Suite with Cloud Security

Similar presentations

Ads by Google