Download campus.murraystate.edu

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
Document related concepts
no text concepts found
Transcript 
Android Security
Is being Linux good enough?
History of Android
•
•
•
Bought by Google in 2005
First version unveiled 2007
8 major versions
Cupcake (1.5)
o Donut (1.6)
o Eclair (2.0 - 2.1)
o Froyo (2.2 - 2.2.3)
o Gingerbread (2.3 - 2.3.7)
o Honeycomb (3.0 - 3.2)
o Ice cream sandwich (4.0 - 4.0.4)
o Jelly Bean (4.1 - 4.2.2)
o
OEM vs. Third-party ROMs
•
•
Original equipment
manufacturer
o Samsung - Touchwiz
o HTC - Sense
o LG - Optimus UI
Third-party
o Cyanogenmod
o Android Open Kang
Project (AOKP)
o Paranoid Android
Android Open Source Project
(AOSP)
•
•
•
Code developed, maintained and released by
Google.
All code is open source
This code is the base for all OEM and third-party
ROMs
Android Architecture
Android's Linux Kernel
•
•
Cupcake to Honeycomb - 2.6
ICS to JB - 3.0
•
Heavily modified
o
o
•
No X Window System
No GNU libraries
Distro or Fork?
o
Temporarily a fork (hopefully)
Kernel Level Security
•
Key Linux feature leveraged in Android
o
Multi-user support
 Users cannot read another user's files
 Users can't hog all resources
Application Sandbox
•
•
•
•
•
•
Each app is given a UID at install
App runs under that user
Keeps app A from accessing app B's files
Cannot access "costly" hardware or services
directly
Applies to NDK and SDK apps
App is essentially crippled
Android OS Permissions
•
"Costly" functionality
Bluetooth
o Network
o GPS
o SMS/MMS
o
•
Protected APIs
o
•
Give restricted access to
sandboxed processes
App must ask user for
permission before
requesting processes
Interprocess Communication
•
•
Binders
o
Mostly used between system and apps
Intents
o
o
Explicit
 Target it specified
Implicit
 Target is guessed by OS based on filters
Security Flaws
•
Permissions are general
o
•
•
o
Tell what services can be used
Not how services are used
Users must accept/deny all Permissions
o
No à la carte Permissions
Permissions and Intents combined can be
used to gather data more discreetly
o
Distribute Permissions across suite of apps
Security Flaws
•
North Carolina State University - 2012
Analyzed 8 models of Android devices
o Found the OS did not properly enforce the
Permissions model
o Could exploit Permissions without requesting access
o Managed to:
 Wipe user data
 Send SMS messages
 Record user conversations
o
Security Flaws - Play Store
•
Google has a laissez-faire attitude
o
o
•
Just this month, 32 malware infected apps were
found
Many ripoff apps
 https://play.google.com/store/apps/details?id=co
m.gsourcepro.guess.wording
Does not mesh well with Permissions-based security
Security Flaws - Rooting
•
•
Rooting gives the user more control and
flexibility
Undermines sandboxing and permissions
o
o
•
Apps gain Superuser capabilities
Can bypass permissions completely to gain direct
control
User must be VERY careful when installing
apps
Overall
•
•
•
Android has secured the kernel and OS very
well
User data is fairly secure, but can be
accessed through Permissions
It's up to the user to be informed and use
best judgement
Read Permissions
o Read Reviews
o Pay attention to developer
o
Sources
•
•
•
•
•
•
•
•
•
•
•
•
•
http://www.cs.ncsu.edu/faculty/jiang/pubs/NDSS12_WOODPECKER.pdf
http://developer.android.com/guide/components/intents-filters.html
http://developer.android.com/guide/topics/security/permissions.html
http://developer.android.com/reference/android/os/Binder.html
http://www.slideshare.net/marakana/deep-dive-into-android-security-10123665
http://source.android.com/index.html
http://source.android.com/tech/security/index.html
http://www.t3.com/news/32-apps-infected-with-malware-on-google-play-store
http://www.tbray.org/ongoing/When/201x/2010/11/14/What-Android-Is
http://www.telegraph.co.uk/technology/facebook/9108458/Facebook-angrily-denies-spying-on-Android-texts.html
http://www.theinquirer.net/inquirer/news/2238002/google-is-criticised-for-weak-play-store-security
http://www.threatpost.com/android-smishing-vulnerability-found-android-open-source-project-firmware-110512/
http://www.zdnet.com/blog/open-source/linus-torvalds-on-android-the-linux-fork/9426
Related documents
CS499 * Mobile Application Development
CS499 * Mobile Application Development
(Very) Basic Android Programming
(Very) Basic Android Programming
This Course Outline
This Course Outline
Android Architecture
Android Architecture
herbert_josh_NCUR_mobile_sensor_data_analytics
herbert_josh_NCUR_mobile_sensor_data_analytics
Pros
Pros
SOFTWARE
SOFTWARE
A Methodology for Empirical Analysis of Permission
A Methodology for Empirical Analysis of Permission
android - UMBC ebiquity research group
android - UMBC ebiquity research group
Free Android Application Developement
Free Android Application Developement
pptx
pptx
Android permission demystified - CSE
Android permission demystified - CSE
ET32907911
ET32907911
An Empirical Study of Android`s Permission Model
An Empirical Study of Android`s Permission Model