Android OS Security Presented By-Nikhil Jain Design of Secure OS CS Department Kent State University

OUTLINE1. Introduction2. Android Story3. Android Architecture4. Android Components5. Component Interaction6. Security Risk7. Security Enforcement8. Security Refinements9. Rooting (Android OS)10. References

IntroductionANDROID: An Open Source Mobile OS by Google.

Easily optimize a single binary for phones, tablets, and other devices.

It provides a base Operation system, Application Middleware Layer, JAVA Software Development Kit & a collection of system application.Who am

I

3

4

Android Story

Android Story cont.

5

6

Android Story Cont…

Android Story Cont…

7

Market Analysis

8

Android Architecture

9

Android Architecture overviewApplication: Android provides set of core applications which are written in JAVA

Application Framework: responsible for enabling and simplifying the reuse of components, very important for security

Libraries: shared libraries are all written in C or C++ compiled for the particular hardware architecture used by the phone, and pre- installed by the phone vendor

10

Do I look like this

Android Architecture overviewRuntime: Android core libraries provides most of the functionality available in the core libraries of the Java programming language and

Dalvik Virtual Machine Provide environment on which every Android application run

Kernel: Android relies on Linux version 2.6 for core system services such as security, memory management, process management, network stack, and driver model. The kernel also acts as an abstraction layer between the hardware and the rest of the software stack.

11

I feel like an

architect

Android ComponentsActivity: Present a visual user interface

for one specific endeavor the user can undertake

Services: Run in the background for an indefinite period of time

Content Providers : Store and retrieve data and make it accessible to all applications

Broadcast Receivers: Receive and react to broadcast announcements

Intents: Hold the content of a message12

So much inside

my stomac

h

Application Example

Use of Components in Friend-Tracker ApplicationFriend-Tracker-Control (Activity) : defines a user interface for starting and stopping the tracking functionalityFriend-Tracker (Service) : polls an external service to discover a friend’s locationFriend-Provider (Content provider) : maintains the most recent geographic location of friend. Boot-Receiver (Broadcast receiver) : receive notification from the system once it boots.

13

Component interaction

Component interaction. Android’s application-level interactions let the Friend-Tracker and Friend-Viewer applications communicate with each other and system-provided applications. Interactions occur primarily at the component level.

14

Security Risk Flimsy passwords: If the Android

device falls into the wrong hands,more security is needed to prevent thieves from stealing or misusing various services

Naked data: lack of hardware data encryption (although some work has been done after Android 3.0 there still remains a lot of work to be done.)

SMShing: texting to trick Smartphone users into visiting fraudulent or malicious links

Unsafe surfing: is web browsing on your Android safe?

15

MOMplease

help me

Security Risk Nosy & fraudulent apps: for a hacker,

it is easy to put a Nosy app in such a huge market

Android malware: as it is open source, a single vulnerability can also give ample opportunity for hackers to implement malware

Fake anti-malware: a fake app which can kill a security app like antivirus or other security tool

Lack of visibility and control: The Friend-Tracker app vulnerability is the best example for this

16

I am so Handsome !

So many people are jealous of me

Security Enforcement Protects applications & data through a combination of two enforcement mechanisms1. System Level 2. inter-component communication (ICC) Level (we will

discuss about this) Each application runs as a unique user identity, due to

which Android limits the potential damage of programming flaws.

17

Call 911

Security Enforcement

Example: Access permission logic. The Android middleware implements a reference monitor providing mandatory access control (MAC) enforcement about how applications access components. The basic enforcement model is the same for all component types. Component A’s ability to access components B and C is determined by comparing the access permission labels on B and C to the collection of labels assigned to application 1. 18

Security Enforcement Protection Domain of application is

specified by permission labels whereas access policy is regulated by assigning permission to the component, which is responsible of protecting its resources.

Security enforcement policy is mandatory, at installation time permission labels are set and can not be changed until the application gets reinstalled.

Android’s permission label model doesn’t provide a guarantee of information flow it only checks access to components.

19

Save me I am

still not done

with my final exam

Security Refinements1. Public Vs Private Components : Restrict access of an application component

from another application (like stored password for security) by defining it as a private component.

1. II. Implicitly Open Components : If the access permission at application

development time is not clear, Android permits any application to access it.

III. Broadcast Intent Permission: If the broadcast intent is not protected it leads to privacy risk. Developer control: how information is

disseminated by specifying a permission label to restrict access to the intended object.

20

Last Warni

g Don’t mess with me

Security RefinementsContent Provider Permission: Android allows developer to assigning read and write permission on contents, so that every content can be updated only by its application and be available for reading by other applications.

Protected APIs: To some system resources, Android provides, direct API access and to protect these APIs, addition permission labels are used. The application has to relay a corresponding permission label in its manifest file. 21

Any last wish I am no more

good for you

Security RefinementsPermission Protection Levels: This feature controls how the developer

can assign permission labels i.e a framework developer can use the specific functionality (for ex. Google app can use telephony or API directly)

Pending intent : Intent object is defined to perform an action, instead of performing the action the developer passes the intent to a special method which creates the PendingIntent.

The PendingIntent object is simply a reference pointer that can pass to another application via ICC. It is included in the framework to work with third party applications.

22

I beat Mike

Tyson

23

Rooting (Android OS)•Process of allowing user to haveprivileged control or root access.•Modify system files: themes, core apps, boot images, linux binaries, etc.•Run applications that requiresystem level access.•Balance the risk with freedom.

Similar as Jail breaking in IOS.Yes!Now I

am king of

myself

Open Area of Research

Complex Update Process Continuous Internet Connection Operating System Fragmentation Android: Good for Consumers, Bad for

Developers Security Issues Advertisements

24

Run for you PhD

References Reference Papers:1. "Understanding Android Security"

(Pennsylvania State University) January/February 2009 (vol. 7 no. 1)by: William Enck, Machigar Ongtang and Patrick Mcdaniel

2. Wikepedia: Android OS (http://en.wikipedia.org/wiki/Android_(operating_system)) Android Root (http://en.wikipedia.org/wiki/Rooting_(Android_OS))

3. Research Article: Issues with Android Smatphones http://www.theresearchpedia.com/research-articles/issues-with-android-smatphones

4. Images (http://www.techdrivein.com/2010/06/15-beautiful-android-wallpapers-for.html)

25

References 5. Official Android website: www.android.com /

developer.android.com 6. Forums and blogs : Android security risk

http://www.esecurityplanet.com/views/article.php/3928646/Top-10-Android-Security-Risks.htm

XDA Developer7. [x] cube Lab report

http://www.cybervally.com/2011/08/android-story-history-android-os-infographic/

8. http://www.youtube.com/user/androiddevelopers

26

27

THANK YOUThank You

Clap Please

Nikhil Jainemail id : njain3(at)kent.edu