Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Android Security Is being Linux good enough? History of Android • • • Bought by Google in 2005 First version unveiled 2007 8 major versions Cupcake (1.5) o Donut (1.6) o Eclair (2.0 - 2.1) o Froyo (2.2 - 2.2.3) o Gingerbread (2.3 - 2.3.7) o Honeycomb (3.0 - 3.2) o Ice cream sandwich (4.0 - 4.0.4) o Jelly Bean (4.1 - 4.2.2) o OEM vs. Third-party ROMs • • Original equipment manufacturer o Samsung - Touchwiz o HTC - Sense o LG - Optimus UI Third-party o Cyanogenmod o Android Open Kang Project (AOKP) o Paranoid Android Android Open Source Project (AOSP) • • • Code developed, maintained and released by Google. All code is open source This code is the base for all OEM and third-party ROMs Android Architecture Android's Linux Kernel • • Cupcake to Honeycomb - 2.6 ICS to JB - 3.0 • Heavily modified o o • No X Window System No GNU libraries Distro or Fork? o Temporarily a fork (hopefully) Kernel Level Security • Key Linux feature leveraged in Android o Multi-user support Users cannot read another user's files Users can't hog all resources Application Sandbox • • • • • • Each app is given a UID at install App runs under that user Keeps app A from accessing app B's files Cannot access "costly" hardware or services directly Applies to NDK and SDK apps App is essentially crippled Android OS Permissions • "Costly" functionality Bluetooth o Network o GPS o SMS/MMS o • Protected APIs o • Give restricted access to sandboxed processes App must ask user for permission before requesting processes Interprocess Communication • • Binders o Mostly used between system and apps Intents o o Explicit Target it specified Implicit Target is guessed by OS based on filters Security Flaws • Permissions are general o • • o Tell what services can be used Not how services are used Users must accept/deny all Permissions o No à la carte Permissions Permissions and Intents combined can be used to gather data more discreetly o Distribute Permissions across suite of apps Security Flaws • North Carolina State University - 2012 Analyzed 8 models of Android devices o Found the OS did not properly enforce the Permissions model o Could exploit Permissions without requesting access o Managed to: Wipe user data Send SMS messages Record user conversations o Security Flaws - Play Store • Google has a laissez-faire attitude o o • Just this month, 32 malware infected apps were found Many ripoff apps https://play.google.com/store/apps/details?id=co m.gsourcepro.guess.wording Does not mesh well with Permissions-based security Security Flaws - Rooting • • Rooting gives the user more control and flexibility Undermines sandboxing and permissions o o • Apps gain Superuser capabilities Can bypass permissions completely to gain direct control User must be VERY careful when installing apps Overall • • • Android has secured the kernel and OS very well User data is fairly secure, but can be accessed through Permissions It's up to the user to be informed and use best judgement Read Permissions o Read Reviews o Pay attention to developer o Sources • • • • • • • • • • • • • http://www.cs.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf http://developer.android.com/guide/components/intents-filters.html http://developer.android.com/guide/topics/security/permissions.html http://developer.android.com/reference/android/os/Binder.html http://www.slideshare.net/marakana/deep-dive-into-android-security-10123665 http://source.android.com/index.html http://source.android.com/tech/security/index.html http://www.t3.com/news/32-apps-infected-with-malware-on-google-play-store http://www.tbray.org/ongoing/When/201x/2010/11/14/What-Android-Is http://www.telegraph.co.uk/technology/facebook/9108458/Facebook-angrily-denies-spying-on-Android-texts.html http://www.theinquirer.net/inquirer/news/2238002/google-is-criticised-for-weak-play-store-security http://www.threatpost.com/android-smishing-vulnerability-found-android-open-source-project-firmware-110512/ http://www.zdnet.com/blog/open-source/linus-torvalds-on-android-the-linux-fork/9426