Android Declassification Infrastructure Matan David Yuval Evron Project Advisor: Roei Schuster
A Short Reminder… • Our project involves making the Android OS more secure. • Android’s built-in permissions are very coarse-grained. • We aim to provide a better solution at the application level (without having to change the OS).
A Short Reminder… • Last time we introduced a new permission mechanism – “A Declassifier”.
Android’s Security Model • Android is a Linux-based OS. • Unlike other popular OSes, in Android each app runs as a separate process under a distinct UID. • Android offers several ways for apps to communicate with one another (IPC).
Our Previous Model • After developing a POC that worked, it got us thinking about security issues… • Our previous declassifier model: • The declassifier defines a custom global Action, known to both us and the 3rd party. • The 3rd-party app sends an Intent to use that Action. • The declassifier handles the request using an Activity. • This model is not very secure! Let’s see why.
The Problem • Intents are insecure. Anyone listening in can recognize them and use them. • How does the declassifier know who is permitted to use the intent, and who isn’t? • How can the 3rd-party app be sure that our declassifier is actually the one responding to the intent?
Project Scope • We rely on Android’s mechanism for securing general application activities, and we will not touch on that. • However, protecting apps that use our infrastructure is our responsibility.
The Solution • Introducing: BroadcastReceiver • Utilizes Android’s permissions mechanism (which we discussed last time). • Filters incoming intents by caller permissions. • Filters outgoing intents by recipient permissions. • Enables a callback mechanism which allows sending back the answer in private.
Our New Model • Our declassifier defines a custom Permission for each “small action” it supports (e.g. getting a contact’s phone number by name). • Upon installing an app, the user is requested to confirm the list of required permissions. • Data transferred remains private and safe.
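As an added example (not code from the presentation or its project), the model of the last two slides in Android Java: the declassifier registers a BroadcastReceiver behind a custom permission, so only callers granted that permission reach it, and replies directly to the requesting package while requiring the same permission of the recipient. The package, permission, action and extra names and the sample contact table are all constructed for this example.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import java.util.HashMap;
import java.util.Map;

/**
 * One "small action" (look up a contact's phone number by name) guarded by one custom permission.
 * The manifest (not shown) declares that permission, which is what makes the user confirm it at install:
 *   <permission android:name="com.example.declassifier.permission.LOOKUP_PHONE"
 *               android:protectionLevel="dangerous" />
 */
public final class PhoneLookupDeclassifier {
    static final String PERM_LOOKUP_PHONE = "com.example.declassifier.permission.LOOKUP_PHONE";
    static final String ACTION_LOOKUP_PHONE = "com.example.declassifier.action.LOOKUP_PHONE";
    static final String ACTION_LOOKUP_REPLY = "com.example.declassifier.action.LOOKUP_PHONE_REPLY";
    static final String EXTRA_NAME = "name", EXTRA_PHONE = "phone", EXTRA_REPLY_TO = "reply_to";

    // Constructed sample data standing in for the real contacts provider.
    private static final Map<String, String> CONTACTS = new HashMap<>();
    static { CONTACTS.put("Alice", "+1-555-0100"); CONTACTS.put("Bob", "+1-555-0101"); }

    private final BroadcastReceiver receiver = new BroadcastReceiver() {
        @Override public void onReceive(Context ctx, Intent in) {
            String name = in.getStringExtra(EXTRA_NAME);
            String replyTo = in.getStringExtra(EXTRA_REPLY_TO);
            if (name == null || replyTo == null) return;      // malformed request: ignore it
            Intent reply = new Intent(ACTION_LOOKUP_REPLY)
                    .setPackage(replyTo)                        // explicit target: no other app's receiver matches
                    .putExtra(EXTRA_PHONE, CONTACTS.getOrDefault(name, ""));
            // Outgoing filter: the reply is delivered only if the target app also holds PERM_LOOKUP_PHONE.
            ctx.sendBroadcast(reply, PERM_LOOKUP_PHONE);
        }
    };

    /** Incoming filter: senders that do not hold PERM_LOOKUP_PHONE never reach onReceive. */
    public void register(Context ctx) {
        // On Android 14+ use the overload that also takes Context.RECEIVER_EXPORTED.
        ctx.registerReceiver(receiver, new IntentFilter(ACTION_LOOKUP_PHONE), PERM_LOOKUP_PHONE, null);
    }

    /** Third-party side: a request that names the caller so the answer can be returned privately. */
    public static Intent buildRequest(Context caller, String contactName) {
        return new Intent(ACTION_LOOKUP_PHONE)
                .putExtra(EXTRA_NAME, contactName)
                .putExtra(EXTRA_REPLY_TO, caller.getPackageName());
    }
}
```

The 3rd-party app sends `buildRequest(...)` with `sendBroadcast` and registers its own receiver for `ACTION_LOOKUP_REPLY`; the `setPackage` target together with the receiver-permission argument keeps the answer off the general broadcast bus.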
Pertinent Literature • iSEC Securing Android Apps - Mobile Application Security On Android, Black Hat 2009 – Jesse Burns (www.iSECPartners.com)