Presentation is loading. Please wait.

Presentation is loading. Please wait.

Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.

Published byJoleen McBride Modified over 8 years ago

Similar presentations

Presentation on theme: "Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base."— Presentation transcript:

1 Android System Security Xinming Ou

2 Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base operating system (Linux), an application middleware, and a Java SDK. – Available since 2007; first Android phone debut in 2008. Currently the most popular smart-phone platform

3 Android System Overview Hardware Linux OS Application Middleware App ……

4 Security Considerations A smart phone is “mostly” a single-user system – The security goal is primarily to protect the user and his/her data – The security goal also includes that critical functions of the phone shall not be hampered The apps a phone runs are from manufacturers and app stores – The origin of the apps could be untrustworthy – apps could be vulnerable or outright malicious

5 Basics Protections Each application runs as a user process in the Linux OS with a unique user ID – At install time, Android gives each package a distinct Linux user ID – Two apps can run under the same user ID if they are signed by the same key – This creates a sandbox for each app, so that Linux isolates applications from each other and from the system.

6 However Apps need to communicate with each other and the system – A restaurant recommender app may need to launch a map app to show a restaurant’s location on map – An email app may need to launch a PDF viewer to open an attachment – A messenger app may need to receive text messages sent to the phone

7 Android Inter-Component Communication (ICC) Each Android app contains one or more components of the following types: – Activity: A GUI screen – Service: background processing – Broadcast Receiver: receives messages from other component – Content Provider: store and share data Each component runs as a separate thread in the OS

8 An Example Source: Understanding Android Security, Enck, et al., IEEE Security & Privacy, 09

9 ICC Paths in the Example Source: Understanding Android Security, Enck, et al., IEEE Security & Privacy, 09

10 Security Protection for ICC An ICC interface is protected in two ways: – A private component cannot be accessed outside of the app – A component can be protected by permissions A permission is a label defined by the system or app developer to protect an Android component

11 Android Permission Protection Source: Understanding Android Security, Enck, et al., IEEE Security & Privacy, 09

12 Policy Specification Each Android app package contains a “manifest file” that defines all the components in the app, and the permissions needed to access each component The manifest file also contains a list of permissions the app requests from the system and/or user

13 Difficulty in Understanding Policy Policy can be changed dynamically at runtime, in the app’s code – A message can be sent requiring a specific permission at runtime – A runtime permission check can be performed to access a component’s public method

14 Difficulty in Understanding App’s Behaviors An app, when given a set of permissions, may misuse them to harm other apps and the user. It is not trivial to understand how an app will use the given permissions

15 How Android app works Component A Component B Component C App B App A Cellular network, Internet, GPS, etc. Android System User Input Event Send intent or Call some callback method Find the handler System event Event

16 How Android app works Component A Component B Component C App B App A Cellular network, Internet, GPS, etc. Intent i Android System Find the target Intent i

17 A Motivating Example: Sensitive-SMS App onCreate(Bundle …){ … String s1 = getSensitiveData(); Intent i1 = new Intent(); i1.setClass(…, Leaker.class); i1.putExtra(“key”, s1); startActivity(i1); } onCreate(Bundle …){ … String s1 = getSensitiveData(); Intent i1 = new Intent(); i1.setClass(…, Leaker.class); i1.putExtra(“key”, s1); startActivity(i1); } onCreate(Bundle …){ … Intent i2 = getIntent(); String s2 = i2.getStringExtra(“key”); SmsManager sms = SmsManager.getDefault(); sms.sendTextMessage(…, s2, …); } onCreate(Bundle …){ … Intent i2 = getIntent(); String s2 = i2.getStringExtra(“key”); SmsManager sms = SmsManager.getDefault(); sms.sendTextMessage(…, s2, …); } DataGrabber Activity Leaker Activity Environment of DataGrabber Intent p1 Environment of Leaker Intent p2 App Android System Model 1 1 2 2 3 3 4 4 5 5

18 Problem 1: Data Leakage Collect sensitive data d Send Intent with d Data leak source sink ICC App X Comp X.1 Comp X.2 Comp X.3 Another App ICC

19 Problem 2: Data Injection Receive Intent Send Intent Receive Intent Send Intent Network I/O source sink App Y Comp Y.1 Comp Y.2 Injecting ill-crafted intent

Download ppt "Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base."

Similar presentations

Android Application Development A Tutorial Driven Course.

Android Application Development A Tutorial Driven Course.
Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.

Google Android Introduction to Mobile Computing. Android is part of the build a better phone process Open Handset Alliance produces Android Comprises.
Android OS : Core Concepts Dr. Jeyakesavan Veerasamy Sr. Lecturer University of Texas at Dallas

Android OS : Core Concepts Dr. Jeyakesavan Veerasamy Sr. Lecturer University of Texas at Dallas
MOOC on M4D 2013 I NTRODUCTION TO THE A NDROID P LATFORM Ashish Agrawal Indian Institute of Technology Kanpur.

MOOC on M4D 2013 I NTRODUCTION TO THE A NDROID P LATFORM Ashish Agrawal Indian Institute of Technology Kanpur.
Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.

Presented By Abhishek Singh Computer Science Department Kent state University WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL.
Android architecture overview

Android architecture overview
Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.

Policy Weaving for Mobile Devices Drew Davidson. Smartphone security is critical – 1200 to 1400 US Army troops to be equipped with Android smartphones.
Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.
Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.

Building and Deploying Safe and Secure Android Apps for Enterprise Presented by Technology Consulting Group at Endeavour Software Technologies.
Android 101 Application Fundamentals January 29, 2010.

Android 101 Application Fundamentals January 29, 2010.
Google Android as a mobile development platform T-110.7111 Internet Technologies for Mobile Computing Olli Mäkinen.

Google Android as a mobile development platform T Internet Technologies for Mobile Computing Olli Mäkinen.
Security of Mobile Applications Vitaly Shmatikov CS 6431.

Security of Mobile Applications Vitaly Shmatikov CS 6431.
ANDROID PROGRAMMING MODULE 1 – GETTING STARTED

ANDROID PROGRAMMING MODULE 1 – GETTING STARTED
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.

Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Case study 2 Android – Mobile OS.

Case study 2 Android – Mobile OS.
Emerging Platform#4: Android Bina Ramamurthy.  Android is an Operating system.  Android is an emerging platform for mobile devices.  Initially developed.

Emerging Platform#4: Android Bina Ramamurthy.  Android is an Operating system.  Android is an emerging platform for mobile devices.  Initially developed.
CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.

CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.
Presentation By Deepak Katta

Presentation By Deepak Katta
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
About me Yichuan Wang Android Basics Credit goes to Google and UMBC.

About me Yichuan Wang Android Basics Credit goes to Google and UMBC.

Similar presentations

Ads by Google