Your SlideShare is downloading. ×

Android Vulnerabilities

669

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
669
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
23
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Question - Have you ever thought of how security is implemented in OS? 2 levels Describe figure and MAC model
  • Transcript

    • 1. Vulnerability Study  of the Android Ryan Selley, Swapnil Shinde, Michael Tanner, Madhura Tipnis, Colin Vinson (Group 8)
    • 2.  
    • 3. Overview
        • Architecture of the Android
        • Scope of Vulnerabilities for the Android
        • Known Vulnerabilities for the Android
        • General Vulnerabilities of Mobile Devices
        • Organizations Supporting the Android
    • 4. Architecture
        • It is a software stack which performs several OS functions.
      •  
        • The Linux kernel is the base of the software stack.  
      •  
        •   Core Java libraries are on the same level as other libraries.
      •  
        •   The virtual machine called the Dalvik Virtual Machine is on this layer as well.
        • The application framework is the next level.
      •  
    • 5.  
    • 6. Parts of Applications
        • Activity An activity is needed to create a screen for a user application.  
      •  
        • Intents Intents are used to transfer control from one activity to another.
      •  
        • Services It doesn't need a user interface. It continues running in the background with other processes run in the foreground.
    • 7.  
        • Content Provider This component allows the application to share information with other applications.
    • 8. Security Architecture - Overview
    • 9. Scope of Vulnerabilities
      • Refinements to MAC Model
        • Delegation
        • Public and Private Components
        • Provision - No Security Access to Public Elements
        • Permission Granting Using User's Confirmation
      •     Solutions ???
      •            Precautions by Developers
      •   Special Tools for Users
    • 10. Known Vulnerabilities
        • Image Vulnerablities
          • GIF
          • PNG
          • BMP
        • Web Browser
    • 11. GIF Image Vulnerability
        • Decode function uses logical screen width and height to allocate heap
        • Data is calculated using actual screen width and height
        • Can overflow the heap buffer allowing hacker can allow a hacker to control the phone
    • 12. PNG Image Vulnerability
        • Uses an old libpng file
        • This file can allow hackers to cause a Denial of Service (crash)
    • 13. BMP Image Vulnerability
        • Negative offset integer overflow
        • Offset field in the image header used to allocate a palette
        • With a negative value carefully chosen you can overwrite the address of a process redirecting flow
    • 14. Web Browser Vulnerability
        • Vulnerability is in the multimedia subsystem made by PacketVideo
        • Due to insufficient boundary checking when playing back an MP3 file, it is possible to corrupt the process's heap and execute arbitrary code on the device
        • Can allow a hacker to see data saved on the phone by the web browser and to peek at ongoing traffic
        • Confined to the "sandbox"
    • 15. General Mobile Phone Vulnerabilities
        • GSM
          • SMS
          • MMS
        • CDMA
        • Bluetooth
        • Wireless vulnerabilities
    • 16. GSM Vulnerabilities
        • GSM
          • Largest Mobile network in the world
          • 3.8 billion phones on network
        • David Hulton and Steve Muller
          • Developed method to quickly crack GSM encryption
          • Can crack encryption in under 30 seconds
          • Allows for undetectable evesdropping
        • Similar exploits available for CDMA phones
    • 17. SMS Vulnerabilities
        • SMS
          • Short Messaging System
          • Very commonly used protocol
          • Used to send "Text Messages"
        • GSM uses 2 signal bands, 1 for "control", the other for "data".
        • SMS operates entirely on the "control" band.
        • High volume text messaging can disable the "control" band, which also disables voice calls.
        • Can render entire city 911 services unresponsive.
    • 18. MMS Vulnerabilities
        • MMS
          • Unsecure data protocol for GSM
          • Extends SMS, allows for WAP connectivity
        • Exploit of MMS can drain battery 22x faster
          • Multiple UDP requests are sent concurrently, draining the battery as it responds to request
        • Does not expose data
        • Does make phone useless
    • 19. Bluetooth Vulnerabilities
        • Bluetooth
          • Short range wireless communication protocol
          • Used in many personal electronic devices
          • Requires no authentication
        • An attack, if close enough, could take over Bluetooth device.
        • Attack would have access to all data on the Bluetooth enabled device
        • Practice known as bluesnarfing
    • 20. Organizations Supporting Android
        • Google
        • Open Handset Alliance
        • 3rd Parties (ex: Mocana)
        • Users
        • Hackers
    • 21. Organizations Supporting Android
      •  
    • 22. Open Handset Alliance
      •  
    • 23. Open Handset Alliance
      • Objective:
      •  
      •        To build a better mobile phone to enrich
      •        the lives of countless people across the globe.
    • 24. 3rd Party Partners
      • Mocana -- NanoPhone
        • Secure Web Browser
        • VPN
        • FIPS Encryption
        • Virus & Malware Protection
        • Secure Firmware Updating
        • Robust Certificate Authentication
      •  
      •  
      •  
    • 25. Hackers for Android
        • Hackers make Android stronger
        • White hats want to plug holes
        • Example
          • Browser Threat reported by Independent Security Evaluators
          • Jailbreak hole fixed by Google over-the-air
      •  
      •  
      •  
    • 26. Conclusion
        • Android is New & Evolving
        • Openness of Android
          • Good in the long-run
          • Strong Community
        • Robust Architecture
        • Powerful Computing Platform
      •  
      •  
      •  

    ×