Download Nikhil Jain`s presentation onAndroid OS Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts
no text concepts found
Transcript
Android OS Security
Presented By-Nikhil Jain
Design of Secure OS
CS Department
Kent State University
OUTLINE
1. Introduction
2. Android Story
3. Android Architecture
4. Android Components
5. Component Interaction
6. Security Risk
7. Security Enforcement
8. Security Refinements
9. Rooting (Android OS)
10. References
2
Introduction
ANDROID: An Open Source Mobile OS by
Google.
Easily optimize a single binary for phones,
tablets, and other devices.
It provides a base Operation system,
Application Middleware Layer, JAVA Software
Development Kit & a collection of system
application.
Who am I
3
Android Story
4
Android Story cont.
5
Android Story Cont…
6
Android Story Cont…
7
Market Analysis
8
Android Architecture
9
Android Architecture overview
Application: Android provides set of core applications
which are written in JAVA
Application Framework: responsible for enabling and
simplifying the reuse of components, very important
for security
Libraries: shared libraries are all written in C or C++
compiled for the particular hardware architecture
used by the phone, and pre- installed by the phone
vendor
Do I look
like this
10
Android Architecture overview
Runtime: Android core libraries provides most of the
functionality available in the core libraries of the Java
programming language and
Dalvik Virtual Machine Provide environment on which
every Android application run
Kernel: Android relies on Linux version 2.6 for core system
services such as security, memory management, process
management, network stack, and driver model. The kernel
also acts as an abstraction layer between the hardware and
the rest of the software stack.
I feel like an
architect 
11
Android Components
 Activity:
Present a visual user interface for one
specific endeavor the user can undertake
 Services: Run in the background for an indefinite
period of time
 Content Providers : Store and retrieve data and
make it accessible to all applications
 Broadcast Receivers: Receive and react to broadcast
announcements
 Intents: Hold the content of a message
So much
inside my
stomach
12
Application Example
Use of Components in Friend-Tracker Application
Friend-Tracker-Control (Activity) : defines a user interface for starting
and stopping the tracking functionality
Friend-Tracker (Service) :
polls an external service to discover a
friend’s location
Friend-Provider (Content provider) : maintains the most recent geographic
location of friend.
Boot-Receiver (Broadcast receiver) : receive notification from the system
once it boots.
13
Component interaction
Component interaction. Android’s application-level interactions let the FriendTracker and Friend-Viewer applications communicate with each other and
system-provided applications. Interactions occur primarily at the component
level.
14
Security Risk
MOM
please help
me 
Flimsy passwords: If the Android
device falls into the wrong hands,
more security is needed to prevent thieves
from stealing or misusing various services
 Naked data: lack of hardware data
encryption (although some work has been
done after Android 3.0 there still remains a
lot of work to be done.)
 SMShing: texting to trick Smartphone users
into visiting fraudulent or malicious links
 Unsafe surfing: is web browsing on your
Android safe?

15
Security Risk




I am so Handsome !
So many people are jealous of
me
Nosy & fraudulent apps: for a hacker,
it is easy to put a Nosy app in such a huge
market
Android malware: as it is open source, a
single vulnerability can also give ample
opportunity for hackers to implement
malware
Fake anti-malware: a fake app which can
kill a security app like antivirus or other
security tool
Lack of visibility and control: The FriendTracker app vulnerability is the best
example for this
16
Security Enforcement
Call 911

Protects applications & data through a combination
of two enforcement mechanisms
1. System Level
2. inter-component communication (ICC) Level (we will discuss about this)
 Each application runs as a unique user identity, due to which Android
limits the potential damage of programming flaws.
17
Security Enforcement
Example: Access permission logic. The Android middleware implements a
reference monitor providing mandatory access control (MAC) enforcement
about how applications access components. The basic enforcement model is
the same for all component types. Component A’s ability to access
components B and C is determined by comparing the access permission
labels on B and C to the collection of labels assigned to application 1.
18
Security Enforcement
Save me  I
am still not
done with my
final exam
 Protection
Domain of application is
specified by permission labels whereas
access policy is regulated by assigning
permission to the component, which is
responsible of protecting its resources.
 Security
enforcement policy is mandatory, at
installation time permission labels are set and can
not be changed until the application gets
reinstalled.
 Android’s
permission label model doesn’t provide a
guarantee of information flow it only checks access
to components.
19
Security Refinements
Last
Warnig
Don’t mess
with me
1. Public Vs Private Components :
 Restrict access of an application component from
another application (like stored password for
security) by defining it as a private component.
1. II. Implicitly Open Components :
 If the access permission at application
development time is not clear, Android permits
any application to access it.
III. Broadcast Intent Permission:
 If the broadcast intent is not protected it leads to
privacy risk.
 Developer control: how information is
disseminated by specifying a permission label to
restrict access to the intended object.
20
Security Refinements
Any last wish
I am no more
good for you
Content Provider Permission:

Android allows developer to assigning read
and
and write permission on contents, so that every
content can be updated only by its application
be available for reading by other applications.
Protected APIs:
To some system resources, Android provides,
direct API access and to protect these APIs,
addition permission labels are used.
The
application has to relay a corresponding
permission label in its manifest file.

21
Security Refinements
I beat Mike Tyson

Permission Protection Levels:

This feature controls how the developer can assign
permission labels i.e a framework developer can use the
specific functionality (for ex. Google app can use
telephony or API directly)
Pending intent :

Intent object is defined to perform an action, instead
of performing the action the developer passes the intent to a
special method which creates the PendingIntent.
The PendingIntent object is simply a reference pointer
that can pass to another application via ICC. It is included in
the framework to work with third party applications.
22
Rooting (Android OS)
•Process of allowing user to have
privileged control or root access.
•Modify system files: themes, core apps, boot
images, linux binaries, etc.
•Run applications that require
system level access.
•Balance the risk with freedom.
Similar as Jail breaking in IOS.
Yes!
Now I am king
of myself
23
Open Area of Research
 Complex
Update Process
 Continuous Internet Connection
 Operating System Fragmentation
 Android: Good for Consumers, Bad for
Developers
Run for you PhD
 Security Issues

 Advertisements
24
References
Reference Papers:
1. "Understanding Android Security" (Pennsylvania
State University) January/February 2009 (vol. 7 no. 1)
by: William Enck, Machigar Ongtang and Patrick
Mcdaniel
2. Wikepedia: Android OS
(http://en.wikipedia.org/wiki/Android_(operating_sy
stem)) Android Root
(http://en.wikipedia.org/wiki/Rooting_(Android_OS))
3. Research Article: Issues with Android Smatphones
http://www.theresearchpedia.com/researcharticles/issues-with-android-smatphones
4. Images (http://www.techdrivein.com/2010/06/15beautiful-android-wallpapers-for.html)
25
References
5. Official Android website: www.android.com /
developer.android.com
6. Forums and blogs : Android security risk
http://www.esecurityplanet.com/views/article.php/3
928646/Top-10-Android-Security-Risks.htm
XDA Developer
7. [x] cube Lab report
http://www.cybervally.com/2011/08/android-storyhistory-android-os-infographic/
8. http://www.youtube.com/user/androiddevelopers
26
Clap Please
Thank You
THANK YOU
Nikhil Jain
email id : njain3(at)kent.edu
27