Android Security by Example

AnDevCon Boston 2013


Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,380
On SlideShare
0
From Embeds
0
Number of Embeds
27
Actions
Shares
0
Downloads
73
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Android securitybyexample

1. Android Security by Example
    Pragati Ogal Rai, Mobile Technology Evangelist, PayPal
    @pragatiogal  @PayPalDev
2. Agenda
3. Why do I care?
    500000+ apps on Google Play
4. Why do I care?
    I'm free and open!
5. Why do I care?
    You control your phone!
6. Why do I care?
    Security is shared across consumers, developers, carriers, OS vendors, OEMs, services and infrastructure. You only control your phone and your apps!
7. Architecture
    (platform architecture diagram from developer.android.com)
8. Linux Kernel
    Linux process sandbox: each process gets a unique UID and a GID.
9. Linux Kernel (Cont'd)
    include/linux/android_aid.h
        AID_NET_BT   3002   Can create Bluetooth sockets
        AID_INET     3003   Can create IPv4 and IPv6 sockets
10. Dalvik VM
    Dalvik is not a security boundary.
11. Dalvik VM
    • No security manager
    • Process isolation, memory management and threading are enforced by the OS
    • Byte code verification is for optimization, not security
    • No difference between native and Java code
12. Application Components
    • Activity: defines screens
    • Service: background processing
    • Broadcast Receiver: mailbox for messages from other applications
    • Content Provider: relational database for sharing information
    All components are secured with permissions.
13. Activity
    Check out developer.android.com
14. Activity
    <activity android:name=".ExampleActivity"
              android:process=":new_process"
              android:exported="true"
              android:permission="android.permission.SEND_SMS">
        <intent-filter>
            <action android:name="android.intent.action.MAIN" />
            <category android:name="android.intent.category.LAUNCHER" />
        </intent-filter>
    </activity>
15. Activity
    Intent intent = new Intent(Intent.ACTION_SEND);
    intent.putExtra(Intent.EXTRA_EMAIL, recipientArray);
    startActivity(intent);
    • Often run in their own UID
    • Secured using permissions
    • Visibility can be set
    • Add categories to the Intent Filter
    • Badly configured data can be passed using an Intent
    • Do not pass sensitive data in intents
16. Service
    <service android:enabled=["true" | "false"]
             android:exported=["true" | "false"]
             android:icon="drawable resource"
             android:isolatedProcess=["true" | "false"]
             android:label="string resource"
             android:name="string"
             android:permission="string"
             android:process="string" >
        . . .
    </service>
17. Service
    <service android:name="bookService"
             android:process=":my_process"
             android:icon="@drawable/icon"
             android:label="@string/service_name" >
        . . .
    </service>
18. Service
    • A component can "bind" to a service using bindService()
    • A Binder channel is used to talk to the service
    • Check the permissions of the calling component; the result is PERMISSION_DENIED or PERMISSION_GRANTED:
      getPackageManager().checkPermission(permToCheck, name.getPackageName())
19. Binder
    • Synchronous RPC mechanism
    • Define the interface with AIDL
    • Same process or different processes
    • transact() and Binder.onTransact()
    • Data is sent as a Parcel
    • Secured by caller permission or identity checking
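The caller-permission check from slides 18 and 19 in a bound service, as an added example that is not from the deck: the Binder verifies the calling UID on every transaction and validates the Parcel input. PERM_READ is the custom permission from slide 34; lookupTitle() is a constructed stand-in for the real data access.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

// Added example, not from the slides. PERM_READ is the custom permission declared on
// slide 34; lookupTitle() is a constructed stand-in for the real data access.
public class BookService extends Service {
    static final String PERM_READ = "com.example.android.book.READ_BOOKSTORE";
    static final int TX_GET_TITLE = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Inside onTransact() we are handling an IPC, so checkCallingPermission()
            // tests the caller's UID (Binder.getCallingUid()), not our own. It denies
            // callers in our own process; only switch to checkCallingOrSelfPermission()
            // if that is really intended, since it also passes for our own code.
            if (checkCallingPermission(PERM_READ) != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException("uid " + Binder.getCallingUid()
                        + " lacks " + PERM_READ);
            }
            if (code != TX_GET_TITLE) {
                return super.onTransact(code, data, reply, flags);
            }
            // Treat Parcel contents as untrusted input and validate before use.
            int id = data.readInt();
            if (id < 0) {
                throw new IllegalArgumentException("bad book id " + id);
            }
            reply.writeNoException();
            reply.writeString(lookupTitle(id));
            return true;
        }
    };

    private String lookupTitle(int id) {
        return "title-" + id; // constructed placeholder for the real lookup
    }

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```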
20. Broadcast Receiver
    "I've got news!" A Service hands an Intent to the Android system, which delivers it to the registered receivers (Receiver A, Receiver B, Receiver C).
21. Broadcast Receiver
    <receiver android:enabled=["true" | "false"]
              android:exported=["true" | "false"]
              android:icon="drawable resource"
              android:label="string resource"
              android:name="string"
              android:permission="string"
              android:process="string" >
        . . .
    </receiver>
22. Broadcast Receiver
    Protecting a receiver with a permission:
    <receiver android:name=".MyListener"
              android:permission="android.permission.READ_SMS">
        <intent-filter>
            <action android:name="android.provider.Telephony.SMS_RECEIVED" />
        </intent-filter>
    </receiver>
23. Broadcast Receiver
    Selecting which receivers an Intent is sent to:
    Intent intent = new Intent();
    intent.setAction(MY_BROADCAST_ACTION);
    sendBroadcast(intent, "android.provider.Telephony.SMS_RECEIVED");
24. Broadcasts
    • Sending Broadcast Intents
      – For sensitive data, pass the manifest permission name
    • Receiving Broadcast Intents
      – Validate input from intents
      – An Intent Filter is not a security boundary
      – Categories narrow down delivery but do not guarantee security
      – android:exported="true"
    • Sticky broadcasts stick around
      – Need the special privilege BROADCAST_STICKY
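Both sides of a permission-protected broadcast from slides 22 to 24, as an added example that is not from the deck. It assumes a hypothetical app-defined permission com.example.android.book.BOOK_EVENTS declared with <permission> and a <receiver> declared with android:permission set to that name.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

// Added example, not from the slides. Assumes a hypothetical app-defined permission
// com.example.android.book.BOOK_EVENTS declared in the manifest and a <receiver> for
// BookAddedReceiver declared with android:permission set to that name.
public class BookEvents {
    static final String ACTION_BOOK_ADDED = "com.example.android.book.action.BOOK_ADDED";
    static final String PERM_BOOK_EVENTS = "com.example.android.book.BOOK_EVENTS";
    static final String EXTRA_BOOK_ID = "book_id";

    // Sender side: the second argument of sendBroadcast() is the permission a receiver's
    // app must hold to get the intent (the slide 23 pattern). Restricting the intent to
    // our own package on top of that keeps it from being delivered to other apps at all.
    static void announceBookAdded(Context ctx, int bookId) {
        Intent intent = new Intent(ACTION_BOOK_ADDED);
        intent.setPackage(ctx.getPackageName());
        intent.putExtra(EXTRA_BOOK_ID, bookId); // an identifier, not the sensitive record
        ctx.sendBroadcast(intent, PERM_BOOK_EVENTS);
    }

    // Receiver side: android:permission on the <receiver> means the sender must hold
    // PERM_BOOK_EVENTS, but the intent filter is not a security boundary, so the code
    // still validates the action and every extra before acting on them.
    public static class BookAddedReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            Integer id = extractBookId(intent);
            if (id == null) {
                return; // malformed or unexpected intent: ignore it
            }
            // ... refresh the UI or schedule work for book `id` ...
        }
    }

    // Returns the book id, or null when the intent is not an acceptable BOOK_ADDED event.
    static Integer extractBookId(Intent intent) {
        if (intent == null || !ACTION_BOOK_ADDED.equals(intent.getAction())) {
            return null;
        }
        if (!intent.hasExtra(EXTRA_BOOK_ID)) {
            return null;
        }
        int id = intent.getIntExtra(EXTRA_BOOK_ID, -1);
        return id >= 0 ? id : null;
    }
}
```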
25. Content Provider
    Application A exposes a Content Provider backed by a remote database, a SQLite DB, Internet data or files; Activities in Application A and Application B reach the data through the provider.
    • Allows applications to share data
    • Protected with permissions
    • Content providers use URI schemes: content://<authority>/<table>/[<id>]
26. Content Provider
    <provider android:authorities="list"
              android:enabled=["true" | "false"]
              android:exported=["true" | "false"]
              android:grantUriPermissions=["true" | "false"]
              android:icon="drawable resource"
              android:initOrder="integer"
              android:label="string resource"
              android:multiprocess=["true" | "false"]
              android:name="string"
              android:permission="string"
              android:process="string"
              android:readPermission="string"
              android:syncable=["true" | "false"]
              android:writePermission="string" >
        . . .
    </provider>
27. Content Provider
    <provider android:authorities="com.example.android.books.contentprovider"
              android:name=".contentprovider.MyBooksdoContentProvider"
              android:readPermission="com.example.android.books.DB_READ"
              android:writePermission="com.example.android.book.DB_WRITE">
        <grant-uri-permission android:path="/figures/" />
        <meta-data android:name="books" android:value="@string/books" />
    </provider>
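Temporary per-row access to the provider above, as an added example that is not from the deck: instead of granting another app the whole DB_READ permission, a single figure URI is handed out with a URI permission grant. It uses the authority from slide 27 and assumes the provider declares android:grantUriPermissions="true" or a <grant-uri-permission> entry that covers /figures/<id>.

```java
import android.app.Activity;
import android.content.Intent;
import android.net.Uri;

// Added example, not from the slides. Uses the authority from slide 27 and assumes the
// provider declares android:grantUriPermissions="true" (or a <grant-uri-permission>
// entry covering /figures/<id>).
public class FigureSharing {
    static final Uri FIGURES =
            Uri.parse("content://com.example.android.books.contentprovider/figures");

    static Uri figureUri(long figureId) {
        return Uri.withAppendedPath(FIGURES, Long.toString(figureId));
    }

    // The viewer never needs DB_READ: the flag grants read access to exactly this URI,
    // only to the component that receives the intent, and the grant ends when that
    // activity finishes. This is the per-row alternative to opening the whole table.
    static Intent viewIntent(long figureId) {
        Intent view = new Intent(Intent.ACTION_VIEW, figureUri(figureId));
        view.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return view;
    }

    static void shareFigure(Activity a, long figureId) {
        a.startActivity(viewIntent(figureId));
    }

    // Explicit grant to a named package for work that does not go through an intent.
    // Such a grant lasts until revokeUriPermission() is called, so it is revoked in
    // finally rather than left behind.
    static void withTemporaryGrant(Activity a, long figureId, String pkg, Runnable work) {
        Uri one = figureUri(figureId);
        a.grantUriPermission(pkg, one, Intent.FLAG_GRANT_READ_URI_PERMISSION);
        try {
            work.run();
        } finally {
            a.revokeUriPermission(one, Intent.FLAG_GRANT_READ_URI_PERMISSION);
        }
    }
}
```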
28. Application
    Check the <application> tag declaration on developer.android.com
29. Permissions
    • Permissions restrict component interaction
    • Permission labels are defined in AndroidManifest.xml
    • MAC is enforced by the Reference Monitor
    • PackageManager and ActivityManager enforce permissions
30. Application Permissions
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
31. Permissions for External Applications
    • Defined in the <application> tag
    • Defined in a component tag: <activity>, <provider>, <receiver>, <service>
    • A component permission overrides the application-level permission
32. Permissions for External Applications
    <application android:allowBackup="true"
                 android:icon="@drawable/ic_launcher"
                 android:label="@string/app_name"
                 android:permission="android.permission.ACCESS_COARSE_LOCATION">
        <service android:enabled="true"
                 android:name=".MyService"
                 android:permission="android.permission.WRITE_EXTERNAL_STORAGE">
        </service>
        . . .
    </application>
33. Permission Protection Levels
    • Normal: android.permission.VIBRATE, com.android.alarm.permission.SET_ALARM
    • Dangerous: android.permission.SEND_SMS, android.permission.CALL_PHONE
    • Signature: android.permission.FORCE_STOP_PACKAGES, android.permission.INJECT_EVENTS
    • SignatureOrSystem: android.permission.ACCESS_USB, android.permission.SET_TIME
34. User Defined Permissions
    Create a permission:
    <permission android:name="com.example.android.book.READ_BOOKSTORE"
                android:description="@string/perm_read_bookstore"
                android:label="Read access to books database"
                android:permissionGroup="BOOKSTORE_PERMS"
                android:protectionLevel="dangerous" />
    Create a permission group:
    <permission-group android:description="@string/perm_group_bookstore"
                      android:label="@string/perm_group_bookstore_label"
                      android:name="BOOKSTORE_PERMS" />
35. User Defined Permissions
    Create a permission tree:
    <permission-tree android:name="com.example.android.book"
                     android:label="@string/perm_tree_book" />
    com.example.android.book
    com.example.android.book.READ_BOOK
    com.example.android.book.bookstore.READ_BOOKSTORE
    com.example.android.book.bookstore.WRITE_BOOKSTORE
36. Storing & Sharing
    • Sharing with internal applications (same certificate)
    • Sharing with external applications
37. Sharing with Internal Applications
    • sharedUserID
    • Preferences
    • Cache
    • Intents
38. sharedUserID
    Run applications in the same UID.
39. sharedUserID
    com.example.example1:
    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.example1"
        android:versionCode="1"
        android:versionName="1.0"
        android:sharedUserId="com.sharedID.example">
    com.example.example2:
    <manifest xmlns:android="http://schemas.android.com/apk/res/android"
        package="com.example.example2"
        android:versionCode="1"
        android:versionName="1.0"
        android:sharedUserId="com.sharedID.example">
    sharedUserID follows the package name format; any other naming convention results in an error like INSTALL_PARSE_FAILED_BAD_SHARED_USER_ID.
40. Preferences
    • Store primitive data in key-value format
    • Persistent storage
    • Sandboxed with the application
41. Cache
    // Write to the cache file
    String myString = new String("Hello World!");
    File file = new File(getCacheDir(), "MyCacheFile");
    FileOutputStream fOut = new FileOutputStream(file);
    OutputStreamWriter osw = new OutputStreamWriter(fOut);
    osw.write(myString);
    osw.flush();
    osw.close();
    • Cache file is sandboxed with the application
    • Can be created on external storage: getExternalCacheDir()
    • Cache file is deleted when the system is running low on memory
42. Sharing with External Applications
    • Content Providers
    • Files
    • Intents
    • Databases
43. Files
    • Applications have their own area for files
    • Files are protected by Unix-like file permissions
    • Different modes: world readable, world writable, private, append
    FileOutputStream fos = openFileOutput("myFile", Context.MODE_WORLD_READABLE);
44. Intents
    Intents provide inter-component interaction: asynchronous IPC built on Binder (Binder itself is exposed through AIDL). Intents are explicit or implicit.
45. Explicit Intents
    "I know where you live!" An Activity in Application A targets an Activity in Application B.
    • Specify a component name
    • Do not put sensitive data in intents
    • Components need not be in the same application
    startActivity(Intent)
    sendBroadcast(Intent)
46. Implicit Intent
    "Get me the best match!" An Activity in Application A is resolved to an Activity in Application B, C or D.
    • No component name specified
    • Do not put sensitive data in intents
    • Components need not be in the same application
    startActivity(Intent)
    sendBroadcast(Intent)
47. Pending Intent
    • Token given to a foreign application to perform an action on your application's behalf
    • Uses your application's permissions
    • Even if its owning application's process is killed, the PendingIntent itself remains usable from other processes
    • Provide the component name in the base intent
      – PendingIntent.getActivity(Context, int, Intent, int)
    Activity A to Activity B: "Use my identity & permissions and get the job done!"
48. Intent Filters
    • The Activity Manager matches intents against Intent Filters
      <receiver android:name="BootCompletedReceiver">
          <intent-filter>
              <action android:name="android.intent.action.BOOT_COMPLETED" />
          </intent-filter>
      </receiver>
    • An Activity with an Intent Filter enabled becomes "exported"
    • An Activity with android:exported="true" can be started with any intent
    • Intent Filters cannot be secured with permissions
    • Add categories to restrict what intent can be called through, e.g. android.intent.category.BROWSABLE
49. Intent Filters
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <action android:name="android.intent.action.EDIT" />
        <action android:name="android.intent.action.PICK" />
        <category android:name="android.intent.category.DEFAULT" />
        <data android:mimeType="vnd.android.cursor.dir/vnd.google.note" />
    </intent-filter>
50. AndroidManifest.xml
    Turn debugging off
51. AndroidManifest.xml
    Set component visibility right
52. AndroidManifest.xml
    Protect components by permissions
53. AndroidManifest.xml
    Define access rules
54. AndroidManifest.xml
    Backup and storage decisions
55. External Storage
    • Starting with API 8 (Android 2.2), APKs can be stored on external devices
      – The APK is stored in an encrypted container called an asec file
      – The key is randomly generated and stored on the device
      – Dex files, private data and native shared libraries still reside on internal memory
      – External devices are mounted with "noexec"
    • VFAT does not support Linux access control
    • Sensitive data should be encrypted before storing
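The file modes from slide 43 and the "encrypt before storing on external storage" advice from slide 55, as one added example that is not from the deck: the world-readable write is the weak setting, MODE_PRIVATE is the fix, and data headed for VFAT external storage is sealed with AES-GCM first. Where the SecretKey comes from is assumed (on API 18+ the AndroidKeyStore); the one rule the example relies on is that the key never sits next to the file.

```java
import android.content.Context;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Added example, not from the slides. Key management is assumed: `key` is obtained
// elsewhere (e.g. AndroidKeyStore on API 18+) and is never written to external storage.
public class SecretStore {
    static final String NAME = "session.bin";

    // Weak (slide 43): every app on the device can open the file. Android 7.0 (API 24)
    // and later throw SecurityException for this mode; older devices silently allow it.
    static void writeWorldReadable(Context ctx, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(NAME, Context.MODE_WORLD_READABLE)) {
            out.write(data);
        }
    }

    // Fixed: the file lives in the app's private area, owned by the app's UID, mode 0600,
    // so the Linux process sandbox from slide 8 protects it.
    static void writePrivate(Context ctx, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(NAME, Context.MODE_PRIVATE)) {
            out.write(data);
        }
    }

    // External storage has no Unix permissions (slide 55), so the data is encrypted and
    // authenticated with AES-GCM before it is written; the file holds nonce || ciphertext.
    static File writeEncryptedExternal(Context ctx, SecretKey key, byte[] data)
            throws Exception {
        byte[] nonce = new byte[12];                 // fresh 96-bit nonce per file
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] sealed = cipher.doFinal(data);        // ciphertext + 128-bit tag
        File f = new File(ctx.getExternalFilesDir(null), NAME);
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(nonce);
            out.write(sealed);
        }
        return f;
    }
}
```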
56. Application Signature
    • Applications are self-signed; no CA is required
    • Signatures define persistence
      – Detect if the application has changed
      – Application update
    • Signatures define authorship
      – Establish trust between applications
      – Run in the same Linux ID
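"Establish trust between applications" in code, as an added example that is not from the deck: before trusting another package (for instance one found behind Binder.getCallingUid() via getPackagesForUid()), its signing certificate is compared against a pinned digest, because a package name alone can be reused by anyone on another device. PINNED_SHA256 is a placeholder; PackageManager.GET_SIGNATURES is the API of the deck's era (API 28 replaced it with GET_SIGNING_CERTIFICATES).

```java
import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;

// Added example, not from the slides. PINNED_SHA256 is a placeholder for the SHA-256
// of the trusted app's signing certificate, recorded at build time.
public class SignerCheck {
    static final String PINNED_SHA256 = "<sha-256 hex of the trusted signing cert>";

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // True only when the package is installed and every certificate it is signed with
    // matches the pinned digest. Any failure (package missing, digest unavailable,
    // unknown co-signer) fails closed.
    static boolean isTrusted(Context ctx, String pkg) {
        try {
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(pkg, PackageManager.GET_SIGNATURES);
            if (info.signatures == null || info.signatures.length == 0) {
                return false;
            }
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (Signature sig : info.signatures) {
                String digest = hex(md.digest(sig.toByteArray()));
                if (!PINNED_SHA256.equalsIgnoreCase(digest)) {
                    return false;
                }
            }
            return true;
        } catch (Exception e) {
            return false;
        }
    }
}
```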
57. Application Upgrade
    • Applications can register for auto-updates
    • Applications should have the same signature
    • No additional permissions should be added
    • Install location is preserved
58. System Packages
    • Come bundled with the ROM
    • Have signatureOrSystem permission
    • Cannot be uninstalled
    • /system/app
59. Summary
    • Linux process sandbox
    • Permission-based component interaction
    • Permission labels defined in AndroidManifest.xml
    • Applications need to be signed
    • Signatures define persistence and authorship
    • Install-time security decisions
60. battlehack.org
    Berlin, New York, Tel Aviv, Seattle, Miami, Moscow, Austin, London, Barcelona, Washington DC
61. Thank You!
    developer@paypal.com
    @PayPalDev
    @pragatiogal
    http://www.slideshare.net/pragatiogal