Slide 1
Understanding Android Security
Presented by Abhishek Singh, Computer Science Department, Kent State University
William Enck, Machigar Ongtang, and Patrick McDaniel

Slide 2
Outline
Introduction
History
Android OS
Android development structure
Android ADT interface
Example Application
Security Enforcement
Security refinement

Slide 3
Introduction
Next generation of open operating systems.
Not only compliant with desktops and mainframes.
Computing is now integrating with mobile open operating systems.
Increasing data services in cell phones.
A more secure and invulnerable OS is indispensable.

Slide 4
History
Android Inc. was founded in Palo Alto, California, United States by Andy Rubin, Rich Miner and Chris White – October 2003
Google acquired Android Inc. – August 2006
The Open Handset Alliance, a consortium of several companies, was formed – 5 November 2007
First Android device, the HTC Dream (G1), featuring Android 1.0

Slide 5
Android OS
Open operating system designed for mobiles, tablets and other systems.
Application middle layer, Java software development kit (SDK) and system applications.
Extension to Google services
Integration - Gmail, Calendar, Contacts and web applications

Slide 6
Continue…
Android officially doesn't support applications on top of the Java middleware layer running in an embedded Linux kernel.
Controlled application interaction with its API.
Permission label assignment model to restrict access to resources and other applications.

Slide 7
Android Application Development Structure
It doesn't have a main function.
It doesn't have a single entry point for the execution of the whole application.
An application in Android is segmented into many different components, like the main activity, manifest file and XML files.

Slide 8
Android – ADT interface

Slide 9
Example Application
Functionality of an application is ramified into two different applications.

Slide 10
Components
There are primarily four components:
1. Activity – the application user interface; each screen is designed as an activity.
2. Service – background processing for using different services (like camera, Bluetooth, internet service, etc.).
3. Content Provider – stores and retrieves data using a relational database interface.
4. Broadcast Receiver – acts as a mailbox for other applications.

Slide 11
Interaction between two components
The primary mechanism for component interaction is the Intent (message box container).
To start the main activity:
1. startActivity(Intent)
2. startService(Intent)
3. sendBroadcast(Intent)

Slide 12
Continue…
To execute the main application, the Android framework invokes these 3 methods.
Inter-component communication (ICC) is called an action, i.e. a particular intent tied to an action string.
Each ICC action depends upon the target component.
Friend Viewer – starts – FriendMap activity (screen)

Slide 13
Security Enforcement

Slide 14
Security Enforcement
Protection:
1. System level
2. ICC level
ICC core security framework
Each application – unique user identity
Restricts damage from programming flaws
Which in turn restricts exploitation of other applications.

Slide 15
MAC (Mandatory Access Control)
Permission labels are assigned to each application.
Restricts applications from using all resources.

Slide 16
MAC Enforcement

Slide 17
Permissions
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.android.apis">
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.WRITE_CONTACTS" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SET_WALLPAPER" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.NFC" />
    <!-- For android.media.audiofx.Visualizer -->
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="14" />
    <!-- We will request access to the camera, saying we require a camera
         of some sort but not one with autofocus capability. -->
    <uses-permission android:name="android.permission.CAMERA" />
</manifest>

Slide 18
Security Enforcement
I. Public vs. Private Components: Restrict access to an application component from another application (like a stored password, for security) by defining it as a private component.
II. Implicitly Open Components: If the access permission is not clear at application development time, Android permits any application to access the component.
III. Broadcast Intent Permission: If the broadcast intent is not protected, it leads to privacy risk. The developer controls how information is disseminated by specifying a permission label to restrict access to the intent object.

Slide 19
Security Enforcement
Content Provider Permission: Android allows the developer to assign read and write permissions on content, so that each piece of content can be updated only by its own application and is available to read for other applications.
Protected APIs: For some system resources Android provides direct API access; to protect these APIs, an additional permission label is used. The application has to declare a corresponding permission label in its manifest file.

Slide 20
Security Enforcement
Permission Protection Levels: The framework developer can use the specific functionality (e.g. a Google app can use telephony or the API directly).
Pending Intent: An Intent object is defined to perform an action; instead of performing the action, the developer passes the intent to a special method which creates a Pending Intent. The Pending Intent object is simply a reference pointer that can be passed to another application via ICC. It is included in the framework to work with third-party applications.

Slide 21
Rooting (Android OS)
Process of allowing the user to have privileged control or root access.
Modify system files: themes, core apps, boot images, Linux binaries, etc.
Run applications that require system-level access.
Balance the risk with freedom.

Slide 22
Open Area of Research
Complex Update Process
Continuous Internet Connection
Operating System Fragmentation
Android: Good for Consumers, Bad for Developers
Security Issues
Advertisements
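
The exposure rules from the Security Enforcement slides (public vs. private components, implicitly open components, content provider read and write permissions) can be checked mechanically against a manifest. The Python code below is an added example, not code from the presentation or from Android; the sample manifest and its package, component and permission names are constructed. It assumes the legacy default in which a component with an intent filter and no android:exported attribute is public.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
KINDS = ("activity", "service", "receiver", "provider")
# Constructed sample manifest; package, component and permission names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.friends">
  <application>
    <activity android:name=".FriendMap">
      <intent-filter><action android:name="com.example.friends.VIEW_MAP"/></intent-filter>
    </activity>
    <activity android:name=".PasswordStore" android:exported="false"/>
    <service android:name=".Tracker" android:exported="true"
             android:permission="com.example.friends.permission.TRACK"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".FriendProvider" android:authorities="com.example.friends"
              android:exported="true" android:readPermission="com.example.friends.permission.READ"/>
  </application>
</manifest>"""

def audit(manifest_xml):
    """Return (component, finding) pairs for components other apps can reach unguarded."""
    app = ET.fromstring(manifest_xml).find("application")
    app_perm = app.get(ANDROID + "permission")  # application-wide default label
    findings = []
    for comp in app:
        name, exported = comp.get(ANDROID + "name"), comp.get(ANDROID + "exported")
        if exported is None:
            # Legacy default: an intent filter makes a component public. Assumption:
            # a provider without the attribute is treated as public (conservative).
            public = comp.tag == "provider" or comp.find("intent-filter") is not None
        else:
            public = exported == "true"
        if comp.tag not in KINDS or not public:
            continue
        perm = comp.get(ANDROID + "permission") or app_perm
        if comp.tag == "provider":
            for kind in ("readPermission", "writePermission"):
                if not (comp.get(ANDROID + kind) or perm):
                    findings.append((name, "provider has no " + kind))
        elif perm is None:
            how = "implicitly" if exported is None else "explicitly"
            findings.append((name, how + " public " + comp.tag + " with no permission label"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_MANIFEST), sep="\n")
```

On the sample, the private activity and the permission-guarded service pass, while the two intent-filter components and the provider's unguarded write path are reported.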