Android OS Security
Presented by Nikhil Jain
Design of Secure OS
CS Department, Kent State University
OUTLINE
1. Introduction
2. Android Story
3. Android Architecture
4. Android Components
5. Component Interaction
6. Security Risk
7. Security Enforcement
8. Security Refinements
9. Rooting (Android OS)
10. References
Introduction
• Android: an open source mobile OS by Google.
• Easily optimize a single binary for phones, tablets, and other devices.
• It provides a base operating system, an application middleware layer, a Java Software Development Kit, and a collection of system applications.
[Image caption: Who am I]
Android Architecture overview
• Application: Android provides a set of core applications, which are written in Java.
• Application Framework: responsible for enabling and simplifying the reuse of components; very important for security.
• Libraries: the shared libraries are all written in C or C++, compiled for the particular hardware architecture used by the phone, and pre-installed by the phone vendor.
[Image caption: Do I look like this]
Android Architecture overview
• Runtime: the Android core libraries provide most of the functionality available in the core libraries of the Java programming language, and the Dalvik Virtual Machine provides the environment in which every Android application runs.
• Kernel: Android relies on Linux version 2.6 for core system services such as security, memory management, process management, network stack, and driver model. The kernel also acts as an abstraction layer between the hardware and the rest of the software stack.
[Image caption: I feel like an architect]
Android Components
• Activity: presents a visual user interface for one specific endeavor the user can undertake.
• Services: run in the background for an indefinite period of time.
• Content Providers: store and retrieve data and make it accessible to all applications.
• Broadcast Receivers: receive and react to broadcast announcements.
• Intents: hold the content of a message.
[Image caption: So much inside my stomach]
Application Example
Use of components in the Friend-Tracker application:
• Friend-Tracker-Control (Activity): defines a user interface for starting and stopping the tracking functionality.
• Friend-Tracker (Service): polls an external service to discover a friend’s location.
• Friend-Provider (Content provider): maintains the most recent geographic location of a friend.
• Boot-Receiver (Broadcast receiver): receives a notification from the system once it boots.
Component interaction
Android’s application-level interactions let the Friend-Tracker and Friend-Viewer applications communicate with each other and with system-provided applications. Interactions occur primarily at the component level.
Security Risk
• Flimsy passwords: if the Android device falls into the wrong hands, more security is needed to prevent thieves from stealing or misusing various services.
• Naked data: lack of hardware data encryption (although some work has been done after Android 3.0, there still remains a lot of work to be done).
• SMShing: texting to trick smartphone users into visiting fraudulent or malicious links.
• Unsafe surfing: is web browsing on your Android safe?
[Image caption: MOM please help me]
Security Risk
• Nosy & fraudulent apps: for a hacker, it is easy to put a nosy app in such a huge market.
• Android malware: as it is open source, a single vulnerability can also give ample opportunity for hackers to implement malware.
• Fake anti-malware: a fake app which can kill a security app like an antivirus or other security tool.
• Lack of visibility and control: the Friend-Tracker app vulnerability is the best example of this.
[Image caption: I am so Handsome! So many people are jealous of me]
Security Enforcement
• Android protects applications and data through a combination of two enforcement mechanisms:
  • System level
  • Inter-component communication (ICC) level (we will discuss this)
• Each application runs as a unique user identity, which lets Android limit the potential damage of programming flaws.
[Image caption: Call 911]
Security Enforcement
Example: access permission logic.
The Android middleware implements a reference monitor that provides mandatory access control (MAC) enforcement over how applications access components. The basic enforcement model is the same for all component types. Component A’s ability to access components B and C is determined by comparing the access permission labels on B and C to the collection of labels assigned to application 1.
Security Enforcement
• An application's protection domain is specified by its permission labels, whereas access policy is set by assigning a permission to the component, which is responsible for protecting its resources.
• The security enforcement policy is mandatory: permission labels are set at installation time and cannot be changed until the application is reinstalled.
• Android’s permission label model doesn’t provide a guarantee of information flow; it only checks access to components.
[Image caption: Save me I am still not done with my final exam]
Security Refinements
I. Public vs. private components:
• Restrict access to an application component from another application (such as a stored password kept for security) by defining it as a private component.
II. Implicitly open components:
• If the access permission is not made clear at application development time, Android permits any application to access the component.
III. Broadcast intent permission:
• If the broadcast intent is not protected, it leads to a privacy risk.
• Developer control: the developer controls how information is disseminated by specifying a permission label to restrict access to the intended object.
[Image caption: Last Warning, Don’t mess with me]
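The access permission logic from the Security Enforcement slides, combined with the private-component and implicitly-open rules, modelled as a small reference monitor. This is an added example, not code from the presentation or from Android; the READ_FRIENDS label, the Rogue application and the rule that components of one application reach each other freely are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class App:
    name: str
    granted: frozenset = frozenset()    # labels assigned at install time, then fixed

@dataclass(frozen=True)
class Component:
    name: str
    owner: App
    exported: bool = True               # False models a private component
    access_label: Optional[str] = None  # None: no access permission was assigned

def icc_allowed(caller: Component, target: Component) -> bool:
    """Reference-monitor decision for an ICC request from caller to target."""
    if caller.owner == target.owner:
        return True    # modelled rule: components of one application interact freely
    if not target.exported:
        return False   # private component: closed to every other application
    if target.access_label is None:
        return True    # implicitly open: no label, so any application gets in
    return target.access_label in caller.owner.granted

def demo() -> dict:
    # Constructed sample; READ_FRIENDS and the Rogue application are hypothetical.
    tracker = App("Friend-Tracker")
    viewer = Component("Friend-Viewer", App("Friend-Viewer", frozenset({"READ_FRIENDS"})))
    rogue = Component("Rogue", App("Rogue"))
    control = Component("Friend-Tracker-Control", tracker)
    provider = Component("Friend-Provider", tracker, access_label="READ_FRIENDS")
    service = Component("Friend-Tracker", tracker, exported=False)
    boot = Component("Boot-Receiver", tracker)   # exported, no label
    return {
        "viewer->provider": icc_allowed(viewer, provider),
        "rogue->provider": icc_allowed(rogue, provider),
        "rogue->service": icc_allowed(rogue, service),
        "control->service": icc_allowed(control, service),
        "rogue->boot": icc_allowed(rogue, boot),
    }

if __name__ == "__main__":
    for request, allowed in demo().items():
        print(request, "allow" if allowed else "deny")
```

The check only answers whether a caller may reach a component; once Friend-Viewer has read from Friend-Provider, nothing in the model constrains where that location data goes next, which is the information-flow limit noted on the enforcement slide.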
Security Refinements
• Content provider permission:
  • Android allows the developer to assign read and write permissions on content, so that content can be updated only by its own application while remaining available for reading by other applications.
• Protected APIs:
  • Android provides direct API access to some system resources; to protect these APIs, additional permission labels are used. The application has to declare a corresponding permission label in its manifest file.
[Image caption: Any last wish, I am no more good for you]
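A static check for the refinements above: it parses a manifest and reports components that other applications can reach without an access permission, and content providers missing a read or write permission. This is an added example, not part of the presentation; the manifest, package and permission names are constructed, and a missing android:exported attribute is treated as public only when an intent filter is present (an assumption matching the historical default for activities, services and receivers).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest; package, permission and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.example.friendtracker">
  <application>
    <activity android:name=".FriendTrackerControl">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".FriendTracker" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".FriendProvider" android:exported="true"
        android:readPermission="org.example.friendtracker.READ_FRIENDS"/>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Return (component, finding) pairs for components reachable without a label."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        name = comp.get(ANDROID + "name")
        exported = comp.get(ANDROID + "exported")
        # Assumption: with no explicit attribute, an intent filter makes it public.
        has_filter = comp.find("intent-filter") is not None
        public = exported == "true" or (exported is None and has_filter)
        if not public:
            continue  # private component: other applications cannot reach it
        label = comp.get(ANDROID + "permission")
        if comp.tag == "provider":
            # android:permission covers both directions; otherwise check each one.
            for attr in ("readPermission", "writePermission"):
                if label is None and comp.get(ANDROID + attr) is None:
                    findings.append((name, "no " + attr))
        elif label is None:
            findings.append((name, "public with no access permission"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_manifest(SAMPLE_MANIFEST):
        print(name, "-", finding)
```

The launcher activity is reported as well; it has to be public, so that finding is a prompt to review rather than a defect.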
Security Refinements
• Permission protection levels:
  • This feature controls how the developer can assign permission labels, i.e., a framework developer can use the specific functionality (for example, a Google app can use telephony or an API directly).
• Pending intent:
  • An intent object is defined to perform an action; instead of performing the action, the developer passes the intent to a special method which creates the PendingIntent. The PendingIntent object is simply a reference pointer that can be passed to another application via ICC. It is included in the framework to work with third-party applications.
[Image caption: I beat Mike Tyson]
Rooting (Android OS)
• The process of allowing the user to have privileged control, or root access.
• Modify system files: themes, core apps, boot images, Linux binaries, etc.
• Run applications that require system-level access.
• Balance the risk with freedom.
• Similar to jailbreaking in iOS.
[Image caption: Yes! Now I am king of myself]
Open Area of Research
• Complex Update Process
• Continuous Internet Connection
• Operating System Fragmentation
• Android: Good for Consumers, Bad for Developers
• Security Issues
• Advertisements
[Image caption: Run for your PhD]
References
Reference papers:
• William Enck, Machigar Ongtang and Patrick McDaniel, "Understanding Android Security" (Pennsylvania State University), January/February 2009 (vol. 7 no. 1)
Wikipedia:
• Android OS (http://en.wikipedia.org/wiki/Android_(operating_system))
• Android Root (http://en.wikipedia.org/wiki/Rooting_(Android_OS))
Research article:
• Issues with Android Smartphones, http://www.theresearchpedia.com/research-articles/issues-with-android-smatphones
Images:
• http://www.techdrivein.com/2010/06/15-beautiful-android-wallpapers-for.html
References
Official Android website:
• www.android.com / developer.android.com
Forums and blogs:
• Android security risk: http://www.esecurityplanet.com/views/article.php/3928646/Top-10-Android-Security-Risks.htm
• XDA Developer
• [x] cube Lab report
• http://www.cybervally.com/2011/08/android-story-history-android-os-infographic/
• http://www.youtube.com/user/androiddevelopers
Thank You
Nikhil Jain
email id: njain3(at)kent.edu
[Image caption: Clap Please]