WILLIAM ENCK, MACHIGAR ONGTANG, AND PATRICK MCDANIEL
Presented by Abhishek Singh
Computer Science Department, Kent State University

• Introduction
• History
• Android OS
• Android development structure
• Android ADT interface
• Example Application
• Security Enforcement
• Security refinement

Introduction
• Next generation of open operating systems.
• Not only compliant with desktops and mainframes.
• Computing is now integrating with mobile open operating systems.
• Increasing data services in cell phones.
• A more secure and invulnerable OS is indispensable.

History
• Android Inc. was founded in Palo Alto, California, United States by Andy Rubin, Rich Miner and Chris White – October 2003
• Google acquired Android Inc. – August 2006
• The Open Handset Alliance, a consortium of several companies, was formed – 5 November 2007
• First Android device, the HTC Dream (G1), featuring Android 1.0

Android OS
• Open operating system designed for mobiles, tablets and other systems.
• Application middle layer, Java software development kit (SDK) and system applications.
• Extension to Google service integration: Gmail, Calendar, Contacts and web applications.
• Android officially doesn't support applications on top of the Java middleware layer running on an embedded Linux kernel.
• Controlled application interaction through its API.
• Permission label assignment model to restrict access to resources and other applications.

Android development structure
• An application doesn't have a main function.
• It doesn't have a single entry point for the execution of the whole application.
• An Android application is segmented into many different components, such as the main activity, the manifest file and XML files.
• The functionality of an application is ramified into two different applications.

There are primarily four components:
1. Activity – the application's user interface; each screen is designed as an activity.
2. Service – background processing for using different services (such as camera, Bluetooth, internet service etc.).
3. Content Provider – stores and retrieves data through a relational database interface.
4. Broadcast receiver – acts as a mailbox for other applications.

• The primary mechanism for component interaction is the Intent (a message box container).
• To start the main activity:
1. startActivity(Intent)
2. startService(Intent)
3. sendBroadcast(Intent)
• The Android framework uses these three methods to execute the main application.
• Inter-component communication (ICC) is called an action, i.e. an Intent expresses a particular action through its action string.
• Each ICC action depends upon the target component.
• Friend Viewer – starts – FriendMap activity (screen)

Security Enforcement
Protection:
1. System level
2. ICC level (the core security framework)

System level:
• Each application runs with a unique user identity.
• This restricts the damage from programming flaws, which in turn restricts exploitation of other applications.

ICC level:
• Permission labels are assigned to each application.
• This restricts an application from using all resources.

<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.android.apis">
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.WRITE_CONTACTS" />
    <uses-permission android:name="android.permission.VIBRATE" />
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.SET_WALLPAPER" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.SEND_SMS" />
    <uses-permission android:name="android.permission.RECEIVE_SMS" />
    <uses-permission android:name="android.permission.NFC" />
    <!-- For android.media.audiofx.Visualizer -->
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="14" />
    <!-- We will request access to the camera, saying we require a camera
         of some sort but not one with autofocus capability. -->
    <uses-permission android:name="android.permission.CAMERA" />
</manifest>
Security refinement
I. Public vs Private Components: Restrict access to an application component from other applications (for example, a component holding a stored password) by defining it as a private component.
II. Implicitly Open Components: If a component's access permission is not specified at application development time, Android permits any application to access it.
III. Broadcast Intent Permission: An unprotected broadcast intent is a privacy risk. The developer controls how information is disseminated by specifying a permission label that restricts access to the intent object.
IV. Content Provider Permission: Android allows the developer to assign separate read and write permissions on content, so that content can be updated only by its own application while remaining readable by other applications.
V. Protected APIs: Android provides direct API access to some system resources, and an additional permission label is used to protect these APIs. An application has to declare the corresponding permission label in its manifest file.
VI. Permission Protection Levels: A framework developer can use specific functionality (for example, a Google app can use telephony or the API directly).
VII. Pending Intent: An Intent object is defined to perform an action; instead of performing the action, the developer passes the intent to a special method which creates a PendingIntent. The PendingIntent object is simply a reference pointer that can be passed to another application via ICC. It is included in the framework to work with third-party applications.

• The process of allowing the user to have privileged control or root access.
• Modify system files: themes, core apps, boot images, Linux binaries, etc.
• Run applications that require system-level access.
• Balance the risk with freedom.

• Complex update process
• Continuous internet connection
• Operating system fragmentation
• Android: good for consumers, bad for developers
• Security issues
• Advertisements
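The public/private, implicitly open and content provider permission rules from the security refinement list above, expressed as a manifest check. This is an added example, not part of the original slides: the manifest and its package, component and permission names are constructed, and the defaults applied when android:exported is absent are Android's platform defaults.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Constructed manifest for illustration; package, component and permission names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.friends">
  <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="14" />
  <application>
    <activity android:name=".FriendMap">
      <intent-filter><action android:name="com.example.friends.VIEW_MAP" /></intent-filter>
    </activity>
    <service android:name=".FriendTracker" android:exported="false" />
    <receiver android:name=".FriendReceiver" android:permission="com.example.friends.FRIEND_NEAR">
      <intent-filter><action android:name="com.example.friends.FRIEND_NEAR" /></intent-filter>
    </receiver>
    <provider android:name=".FriendProvider" android:authorities="com.example.friends"
        android:readPermission="com.example.friends.READ_FRIENDS" />
  </application>
</manifest>"""

def is_public(elem, tag, target_sdk):
    # An explicit android:exported wins; otherwise apply the platform default.
    exported = elem.get(ANDROID + "exported")
    if exported is not None:
        return exported == "true"
    if tag == "provider":
        return target_sdk <= 16  # providers were exported by default up to API 16
    return elem.find("intent-filter") is not None  # an intent filter implies public

def audit_manifest(xml_text):
    """Return (component, finding) pairs for public components lacking a permission label."""
    root = ET.fromstring(xml_text)
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    app = root.find("application")
    app_perm = app.get(ANDROID + "permission")  # application-wide default label
    findings = []
    for tag in ("activity", "service", "receiver", "provider"):
        for elem in app.findall(tag):
            if not is_public(elem, tag, target_sdk):
                continue
            name, perm = elem.get(ANDROID + "name"), elem.get(ANDROID + "permission") or app_perm
            if tag == "provider":  # read and write access are labelled separately
                missing = [k for k in ("read", "write")
                           if not (elem.get(ANDROID + k + "Permission") or perm)]
                if missing:
                    findings.append((name, "provider open for " + "/".join(missing)))
            elif perm is None:
                findings.append((name, tag + " public with no permission label"))
    return findings
```

Calling `audit_manifest(SAMPLE_MANIFEST)` flags `.FriendMap` (public through its intent filter, no permission label) and `.FriendProvider` (read access labelled, write access open); the private service and the permission-protected receiver pass.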