Android OS Security - Computer Science

WILLIAM ENCK, MACHIGAR ONGTANG,
AND PATRICK MCDANIEL
Presented By
Abhishek Singh
Computer Science Department
Kent State University








Introduction
History
Android OS
Android development structure
Android ADT interface
Example Application
Security Enforcement
Security refinement





Next generation of open operating systems.
Not only compliant with desktops and mainframes.
Computing is now integrating with mobile open operating systems.
Increasing data services in cell phones.
A more secure and invulnerable OS is indispensable.




Android Inc. was founded in Palo Alto, California, United States by Andy Rubin, Rich Miner and Chris White – October 2003
Google acquired Android Inc. – August 2006
The Open Handset Alliance, a consortium of several companies, was formed – 5 November 2007
First Android device, the HTC Dream (G1), featuring Android 1.0




Open operating system designed for mobiles, tablets and other systems.
Application middle layer, Java software development tool kit (SDK) and system applications.
Extension to Google services.
Integration - Gmail, Calendar, Contacts and web applications.



Android officially doesn't support applications on top of the Java middleware layer running in an embedded Linux kernel.
Controlled application interaction with its API.
Permission label assignment model to restrict access to resources and other applications.




It doesn't have a main function.
It doesn't have a single entry point for the execution of the whole application.
An application in Android is segmented into many different components.
Like - main activity, manifest file, XML file

Functionality of an application is ramified into two different applications.

There are primarily four components:
1. Activity – the application user interface; each screen is designed as an activity.
2. Service – background processing for using different services (like camera, Bluetooth, internet service, etc.).
3. Content Provider – stores and retrieves data using a relational database interface.
4. Broadcast Receiver – acts as a mailbox for other applications.
• The primary mechanism for component interaction is the Intent (message box container).
• To start the main activity:
1. startActivity(Intent)
2. startService(Intent)
3. sendBroadcast(Intent)




To execute the main application, the Android framework invokes these 3 methods.
Inter-component communication (ICC) is called an Action, i.e. a particular intent to an action string.
Each ICC action depends upon the target component.
Friend Viewer – starts – FriendMap activity (screen)





Protection:
1. System level
2. ICC level
ICC core security framework
Each application – unique user identity
Restricts damage from programming flaws, which in turn restricts exploitation to other applications.


Permission labels are assigned to each application.
They restrict it from using all resources.


















<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.android.apis">
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.WRITE_CONTACTS" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SET_WALLPAPER" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.NFC" />
    <!-- For android.media.audiofx.Visualizer -->
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="14" />
    <!-- We will request access to the camera, saying we require a camera
         of some sort but not one with autofocus capability. -->
    <uses-permission android:name="android.permission.CAMERA" />
</manifest>




I. Public vs. Private Components:
Restrict access to an application component from another application (like a stored password, for security) by defining it as a private component.
II. Implicitly Open Components:
If the access permission is not clear at application development time, Android permits any application to access it.
III. Broadcast Intent Permission:
If a broadcast intent is not protected, it leads to a privacy risk.
The developer controls how information is disseminated by specifying a permission label that restricts access to the intent object.




Content Provider Permission:
Android allows the developer to assign read and write permissions on content, so that content can be updated only by its own application and is available to read for other applications.
Protected APIs:
Android provides direct API access to some system resources, and to protect these APIs an additional permission label is used. The application has to declare a corresponding permission label in its manifest file.
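
Added example (not part of the original slides): a small Python audit of a manifest for the refinements above. It flags components that are public, either explicitly or implicitly through an intent filter, without a permission label, and content providers missing a read or write permission. The sample manifest and every name in it are constructed; when android:exported is absent the script applies the platform defaults (an intent filter means public; providers are public by default up to API 16).

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
KINDS = ("activity", "service", "receiver", "provider")
# Constructed sample manifest; every component and permission name is hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.friends">
  <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="14" />
  <application>
    <activity android:name=".FriendMap">
      <intent-filter><action android:name="com.example.friends.VIEW_MAP" /></intent-filter>
    </activity>
    <service android:name=".TrackerService" android:exported="false" />
    <receiver android:name=".LocationReceiver"
        android:permission="com.example.friends.READ_LOCATION">
      <intent-filter><action android:name="com.example.friends.LOCATION" /></intent-filter>
    </receiver>
    <provider android:name=".FriendProvider" android:authorities="com.example.friends"
        android:readPermission="com.example.friends.READ_FRIENDS" />
  </application>
</manifest>"""

def is_public(comp, target_sdk):
    """Resolve public/private, applying platform defaults when android:exported is absent."""
    exported = comp.get(A + "exported")
    if exported is not None:
        return exported == "true"
    if comp.tag == "provider":
        return target_sdk <= 16  # providers were public by default up to API 16
    return comp.find("intent-filter") is not None  # a filter makes it implicitly open

def audit(manifest_xml):
    """Return (component, issue) pairs for public components with no permission label."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1  # assumed 1 if absent
    app = root.find("application")
    findings = []
    for comp in app:
        if comp.tag not in KINDS or not is_public(comp, target):
            continue
        name = comp.get(A + "name")
        perm = comp.get(A + "permission") or app.get(A + "permission")
        if comp.tag == "provider":  # read and write access are labelled separately
            for attr in ("readPermission", "writePermission"):
                if not (comp.get(A + attr) or perm):
                    findings.append((name, "no " + attr))
        elif not perm:
            findings.append((name, "public without permission label"))
    return findings
```

On the constructed sample, audit(SAMPLE) reports the FriendMap activity (implicitly open, no label) and the FriendProvider (no write permission); the private service and the labelled receiver pass.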




Permission Protection Levels:
The framework developer can use specific functionality (e.g. a Google app can use telephony or the API directly).
Pending Intent:
An Intent object is defined to perform an action; instead of performing the action, the developer passes the intent to a special method which creates a PendingIntent.
The PendingIntent object is simply a reference pointer that can be passed to another application via ICC. It is included in the framework to work with third-party applications.





The process of allowing the user to have privileged control, or root access.
Modify system files: themes, core apps, boot images, Linux binaries, etc.
Run applications that require system-level access.
Balance the risk with freedom.




Complex Update Process
Continuous Internet Connection
Operating System Fragmentation
Android: Good for Consumers, Bad for Developers
Security Issues
Advertisements




