1 company proprietary and confidentialthe document name can go here android os security omar alaql...
TRANSCRIPT
1
Company Proprietary and ConfidentialThe document name can go here
Android OS Security
Omar Alaql
July 8, 2013
Kent State UniversityAndroid OS Security
2
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Outline:
• Introduction.• History.• Android Architecture.• Security and privacy.• Vulnerabilities.• Application piracy.• Security Measures.• Conclusion.
3
Company Proprietary and ConfidentialThe document name can go here
Introduction
• Android is a Linux-based operating system.• Android is open source,
– freely modified and distributed by device manufacturers, wireless carriers and enthusiast developers.
• the world's most widely used smartphone platform, sharing 75% of smartphone market. – Due to the broad range of manufacturers.
Kent State UniversityAndroid OS Security
4
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
5
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
• Initially developed by Android Inc.
• Android, Inc. was founded in Palo alto ,California in October 2003 by Andy Rubin.
• Acquired later by Google in 2005.
• The first commercially available phone to run Android was the HTC Dream, released on October 22, 2008.
History
6
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Android versions
7
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Android Architecture
8
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
• Android device owners are not given root access.– However:
• It can be obtained by exploiting security flaws in Android.
– used frequently by the open source community to enhance the capabilities of their devices.
• by malicious parties to install viruses and malware.
Security and privacy
9
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Security and privacy• Android applications run in a
sandbox.• Sandbox is an isolated area of the
system that does not have access to the rest of the system's resources.– unless access permissions are
granted by the user • Sandboxing
– reduces the impact of vulnerabilities and bugs in applications.
– preventing malicious processes from crossing between applications.
10
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Security and privacy
• Android is becoming the most-targeted mobile platform.
• The open nature of Android and its large user base have made it an attractive and profitable platform to attack.
• Google provides major updates to Android every six to nine months– but a majority of Android users have not been able
to upgrade to the new OS because the process is controlled by the carriers (one of the biggest security threats).
11
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Security and privacy• Has no internal back-up restoration.
– There are many third-party applications for back up.
• Deficiency of hardware data encryption.– Honeycomb operating software has hardware
encryption problems.
• A lot of Android malware and Fake anti-malware.– Increased more than 400% this year.
• Lookout Mobile Security, AVG Technologies and McAfee, have released antivirus software for Android devices
12
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Vulnerabilities
• The Android Market: – a number of malware-infected apps and
games being made available to users.– Google currently uses their Google Bouncer
malware scanner to watch over and scan the Google Play store apps.
• Application permissions: – the reality is that many apps request
permission to access sensitive content they have no actual need for.
• Untrusted third party applications.– difficult to identify reputable vendors
13
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Vulnerabilities• Rooting:
– The process of gaining root access.– akin to jail-breaking an iPhone – opens out additional functionality and servicesto
users.– common exploit used by malicious applications.
• Wi-Fi: – compromise on unprotected Wi-Fi networks.– FaceNiff : intercept the social networking logins.
• Last vulnerability was detected last week July 4, 2013– SMS Phishing Scams.
14
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Application piracy
• In 2010, Google released a tool for validating authorized purchases for use within apps.– insufficient and trivial to crack.
• In 2012 Google released a feature in Android 4.1 that encrypted paid applications so that they would only work on the device on which they were purchased.– deactivated due to technical issues.
15
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Security Measures
• Permissions management: – LBE Privacy Guard acts as somewhat of an
application firewall. • granting the user the ability to block an application’s
individual permissions– Kirin:
• determine if the requested permissions are relevant or not.
• Installing trusted packages: – The ability to install non-Market applications.– APK : the standard Android install file format.– A program called APK Inspector has recently been
released that will scan the assets, resources, and certificates contained within the APK to ensure it is secure.
16
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Security Measures
• Trace and wipe: – If your Android device is lost or stolen, you can use
these applications to remotely ping the device for its location and/or instruct it to delete specific content. • Invisible.• send remote commands.• get the current GPS location. • Activate a loud siren.• Let the phone call you back and listen to what
happens on the other side.
17
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
• Anti-virus: – None of these apps are asking for root access, and
therefore they are failing to search for infections on the area of the device that is most targeted and vulnerable.
– it covers the apps folders, SD card, SMS, and contact.
– DroidSecurity, Lookout.
• Link security: – malicious links are always loitering in the
background waiting to seduce and ensnare hapless users.
– There are a number of vendors that have created link security applications.
Security Measures
18
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Conclusion
• There is no one-stop effective security measure that can be implemented on an Android operating system.
• To be secure:– Use built in security features.– Avoid free-unsecured Wi-Fi access.– Securitize every app you download regardless of
source.– Understand the permissions before accept them.– Use an effective security app.
19
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Reverences• An Android Security Case Study with Bauhaus,
Bernhard J. Berger, Michaela Bunke, and Karsten Sohr
• Understanding Android Security, William Enck, Machigar Ongtang, and Patrick Mcdaniel
• http://en.wikipedia.org/wiki/Mobile_operating_system
• http://www.bitdefender.com/security/android-vulnerability-opens-door-to-sms-phishing-scams.html
• http://www.android-app-market.com/android-architecture.html
20
Company Proprietary and ConfidentialThe document name can go here Kent State UniversityAndroid OS Security
Reverences
• http://techbii.com/security-risks-android/
• http://www.androidpolice.com/2010/11/29/theft-aware-2-0-the-most-ingenious-android-security-solution-with-the-best-root-integration-weve-seen-to-date-really-hands-on-review/