Page 1: Java & The Android Stack: A Security Analysis
Pragati Ogal Rai, Mobile Technology Evangelist
PayPal, eBay Inc.
[email protected] / @pragatiogal
Java Conference, Bangalore, Dec 8, 2012

Page 2: Agenda
Java 2 Security Model
Android Security Model
Summary

Page 3: Java 2 Security Model

Page 4: Java
Developed by Sun Microsystems in the early 1990s
Platform independent
Compiled to bytecode that runs on a virtual machine
"Java is Secure"

Page 5: Java 2 Security Model
Platform Security
Crypto APIs
Authentication & Access Control APIs
Secure Communication APIs
Key Management APIs

Page 6: Java Language Security
Programs cannot access arbitrary memory locations
Variables cannot be used before initialization
Access methods are strictly adhered to
Entities declared final must not be changed
Objects cannot be arbitrarily cast into other objects
Array bounds must be checked on all array accesses

Page 7: Java 2 Platform Security Model (architecture diagram)
Components shown: Remote Class Files, Local Class Files, Signed Class Files, Bytecode Verifier, Class Loader, Core API Class Files, Core Java API, Security Package, Key Database, Security Manager, Access Controller, Operating System

Page 8: Java 2 Sandbox Model
• Fine grained access control
• Configurable security policy
• No built-in concept of trusted local code

Page 9: Security Policy File Example

```
// If the code is signed by "Pragati", grant it read/write access to all
// files in /tmp/pragati
grant signedBy "Pragati" {
    permission java.io.FilePermission "/tmp/pragati/*", "read,write";
};

// If the code is signed by "John", grant it read/write access to all
// files in /tmp/john
grant signedBy "John" {
    permission java.io.FilePermission "/tmp/john/*", "read,write";
};

// Grant everyone the following permission:
grant {
    permission java.io.FilePermission "/tmp/pragati/*", "read";
};
```

…

Page 10: Protection Domain

| Domain name | Code source (certificate) | Permissions |
|---|---|---|
| "Pragati" | Pragati's certificate | Read/write access to /tmp/pragati/* |
| "John" | John's certificate | Read/write access to /tmp/john/*; read access to /tmp/pragati/* |
| … | … | … |

Protection Domain = Code Source + Permission

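As an added example (not code from the talk), the two domains above modelled with java.security.ProtectionDomain: each is a CodeSource plus a Permissions collection, and implies() is the question the AccessController asks of every domain on the call stack before a file access goes through. The code base URLs and the null signer certificates are assumptions so that the program runs without a keystore.

```java
import java.io.FilePermission;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

// Models the protection domains from the policy file above:
// domain = CodeSource (origin + signers) + the permissions granted to it.
public class ProtectionDomainDemo {

    // Builds a static domain. Signer certificates are null (assumption:
    // unsigned code) so this runs without a keystore; a real policy binds
    // "signedBy" to the signer's certificate chain in the key database.
    static ProtectionDomain domainFor(String codeBase, String... grants) throws Exception {
        CodeSource source = new CodeSource(new URL(codeBase), (Certificate[]) null);
        Permissions perms = new Permissions();
        for (String grant : grants) {
            String[] pathAndActions = grant.split(" ", 2);   // "<path> <actions>"
            perms.add(new FilePermission(pathAndActions[0], pathAndActions[1]));
        }
        return new ProtectionDomain(source, perms);
    }

    // The same question the AccessController asks of every domain on the
    // call stack: does this domain imply the requested permission?
    static boolean allowed(ProtectionDomain domain, Permission p) {
        return domain.implies(p);
    }

    public static void main(String[] args) throws Exception {
        // Pragati: the "signedBy Pragati" grant (read is already implied by read,write)
        ProtectionDomain pragati = domainFor("file:/tmp/pragati/",
                "/tmp/pragati/* read,write");
        // John: the "signedBy John" grant plus the read grant everyone gets
        ProtectionDomain john = domainFor("file:/tmp/john/",
                "/tmp/john/* read,write", "/tmp/pragati/* read");

        Permission writeNotes = new FilePermission("/tmp/pragati/notes.txt", "write");
        Permission readNotes  = new FilePermission("/tmp/pragati/notes.txt", "read");

        System.out.println("Pragati may write /tmp/pragati/notes.txt: " + allowed(pragati, writeNotes));
        System.out.println("John may write /tmp/pragati/notes.txt:    " + allowed(john, writeNotes));
        System.out.println("John may read /tmp/pragati/notes.txt:     " + allowed(john, readNotes));
    }
}
```

John's domain answers false for the write and true for the read, which is exactly the difference between his signedBy grant and the grant-everyone block.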
Page 11: Java 2 Security Model
All code runs in a sandbox
All classes are loaded with full bytecode verification
All classes are loaded with Java language features
Signed classes verify the integrity and origination of Java classes
Security policy provides fine-grained access control
Crypto APIs

Page 12: The Android Stack

Page 13: Android
Open platform
First phone based on Android came out in 2009
75% smartphone market share as of October [1]

[1] idc.com

Page 14: Android Security Model
Platform Security
Crypto APIs
Secure Communication APIs
Key Management APIs

Page 15: Install Time User Consent (screenshot)

Page 16: Android OS Architecture (diagram)
Source: http://developer.android.com

Page 17: Linux Kernel
Unique UID and GID for each application at install time
Sharing can occur through component interactions
Linux process sandbox

Page 18: Linux Kernel (Cont'd)
include/linux/android_aid.h

| Android ID | Value | Capability |
|---|---|---|
| AID_NET_BT | 3002 | Can create Bluetooth sockets |
| AID_INET | 3003 | Can create IPv4 and IPv6 sockets |

Page 19: Middleware
Libraries for code execution
Libraries for services
Take care of device-specific issues
Compiled to machine language
Native and Java code

Page 20: Java Virtual Machine?
There is no JVM in the Android platform
No Java bytecode is executed
A JAR file will not run on the Android platform

Page 21: Dalvik Virtual Machine
Dalvik does not align to Java SE or Java ME
Library built on a subset of Apache Harmony Java
Highly optimized VM to support multiple VM instances
Register-based architecture
Shared constant pool
Executes Dalvik executables (.dex)

Page 22: Dalvik Virtual Machine
No security manager
Permissions are enforced in the OS and not in the VM
As of Android 2.2 Dalvik has a JIT compiler
Dalvik bytecode verification is mainly for optimization
GC for each VM instance

Page 23: Android Application Structure
An application is made of components:
Activity: defines screens
Service: background processing
Broadcast Receiver: mailbox for messages from other applications
Content Provider: relational database for sharing information
Applications communicate through Intents
Secure RPC using Binder
AndroidManifest.xml defines the policy for the application

Page 24: Permission Protection Levels

| Protection level | Example permissions |
|---|---|
| Normal | android.permission.VIBRATE, com.android.alarm.permission.SET_ALARM |
| Dangerous | android.permission.SEND_SMS, android.permission.CALL_PHONE |
| Signature | android.permission.FORCE_STOP_PACKAGES, android.permission.INJECT_EVENTS |
| SignatureOrSystem | android.permission.ACCESS_USB, android.permission.SET_TIME |

All components are secured by permissions
Developers can define their own permissions as well

Page 25: Application Layer Security
Permissions restrict component interaction
Permission labels are defined in AndroidManifest.xml
Applications are self-signed; no CA required
Signatures define persistence and authorship

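As an added example (not the speaker's code), a Service that declares its own signature-level permission in AndroidManifest.xml and re-checks that permission on every Binder transaction, so the decision rests on the caller's UID as assigned by the OS rather than on anything the VM or the caller supplies. The package name, permission name and transaction code are hypothetical.

```java
package com.example.vault; // hypothetical package, not from the talk

import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.util.Log;

/*
 * Manifest policy this service relies on (hypothetical names). The custom
 * permission has protectionLevel "signature", so only packages signed with
 * the same key as this app can ever be granted it, and the service is
 * guarded by it so the OS refuses binds from callers that lack it:
 *
 *   <permission android:name="com.example.vault.permission.READ_VAULT"
 *               android:protectionLevel="signature" />
 *   <service android:name=".VaultService"
 *            android:exported="true"
 *            android:permission="com.example.vault.permission.READ_VAULT" />
 */
public class VaultService extends Service {
    private static final String TAG = "VaultService";
    private static final String READ_VAULT = "com.example.vault.permission.READ_VAULT";
    static final int TRANSACTION_READ = IBinder.FIRST_CALL_TRANSACTION; // hypothetical code

    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // The caller's identity is its Linux UID, supplied by the kernel
            // with the transaction; the permission check is per caller.
            int callerUid = Binder.getCallingUid();
            if (checkCallingPermission(READ_VAULT) != PackageManager.PERMISSION_GRANTED) {
                Log.w(TAG, "denied transaction " + code + " from uid " + callerUid);
                throw new SecurityException("caller lacks " + READ_VAULT);
            }
            if (code == TRANSACTION_READ) {
                reply.writeString("vault contents for uid " + callerUid); // constructed placeholder
                return true;
            }
            return super.onTransact(code, data, reply, flags);
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

The manifest attribute already blocks the bind, so the in-method check is defence in depth: checkCallingPermission() also returns PERMISSION_DENIED for calls that do not arrive over Binder, which is the behaviour you want for a component that is only meant to be reached by IPC.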
Page 26: Android Security Model
Linux process sandbox
Permission-based component interaction
Dalvik is not a security boundary
All applications need to be signed
Signatures define persistence and authorship
Install-time security decisions
Crypto APIs

Page 27: Summary

Pages 28 to 33: Java 2 vs. Android, side by side

| | Java 2 | Android |
|---|---|---|
| Install time check | Who are you? | What do you want to do? |
| Sandbox | Based on permissions, code sources, policy, keystore, protection domains | Process sandbox |
| Signature | Identity and trust | Authorship and persistence |
| Permissions | Enforced by VM | Enforced by OS |
| Protection domain | Code sources + permissions | Process |
| Virtual machine | Is a security boundary | Is NOT a security boundary |