Android Security by Example


Published on: AnDevCon Boston 2013

Published in: Technology
Transcript of "Android Security by Example"

  1. Android Security by Example
     Pragati Ogal Rai, Mobile Technology Evangelist, PayPal
     @pragatiogal  @PayPalDev

  2. Agenda

  3. Why do I care? 500000+ apps on Google Play

  4. Why do I care? I'm free and open!

  5. Why do I care? You control your phone!

  6. Why do I care? Security involves consumers, developers, carriers, OS vendors, OEMs, services and infrastructure. You only control your phone and your apps!

  7. Architecture

  8. Linux Kernel
     • Linux process sandbox
     • Each process gets a unique UID and a GID

  9. Linux Kernel (cont'd)
     include/linux/android_aid.h:
         AID_NET_BT   3002   Can create Bluetooth sockets
         AID_INET     3003   Can create IPv4 and IPv6 sockets

  10. Dalvik VM (photo by floheinstein)
     Dalvik is not a security boundary

  11. Dalvik VM (G7VJR's blog)
     • No security manager
     • Process isolation, memory management, threading enforced in OS
     • Byte code verification for optimization
     • No difference between native and Java code

  12. Application Components
     • Activity: define screens
     • Service: background processing
     • Broadcast Receiver: mailbox for messages from other applications
     • Content Provider: relational database for sharing information
     All components are secured with permissions

  13. Activity: check out the <activity> tag declaration

  14. Activity
         <activity android:name=".ExampleActivity"
                   android:process=":new_process"
                   android:exported="true"
                   android:permission="android.permission.SEND_SMS">
             <intent-filter>
                 <action android:name="android.intent.action.MAIN" />
                 <category android:name="android.intent.category.LAUNCHER" />
             </intent-filter>
         </activity>

  15. Activity
         Intent intent = new Intent(Intent.ACTION_SEND);
         intent.putExtra(Intent.EXTRA_EMAIL, recipientArray);
         startActivity(intent);
     • Often run in their UID
     • Secured using permissions
     • Visibility can be set
     • Add categories to Intent Filter
     • Badly configured data can be passed using Intent
     • Do not pass sensitive data in intents

  16. Service
         <service android:enabled=["true" | "false"]
                  android:exported=["true" | "false"]
                  android:icon="drawable resource"
                  android:isolatedProcess=["true" | "false"]
                  android:label="string resource"
                  android:name="string"
                  android:permission="string"
                  android:process="string" >
             . . .
         </service>

  17. Service
         <service android:name="bookService"
                  android:process=":my_process"
                  android:icon="@drawable/icon"
                  android:label="@string/service_name" >
             . . .
         </service>

  18. Service
     • Component can "bind" to service using bindService()
     • Binder channel to talk to service
     • Check permissions of calling component against PERMISSION_DENIED or PERMISSION_GRANTED:
         getPackageManager().checkPermission(permToCheck, name.getPackageName())

  19. Binder
     • Synchronous RPC mechanism
     • Define interface with AIDL
     • Same process or different processes
     • transact() and Binder.onTransact()
     • Data sent as a Parcel
     • Secured by caller permission or identity checking
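A bound service that performs the caller check from slides 18 and 19 inside Binder.onTransact(), added here as an example (not code from the deck); the service, interface descriptor, transaction code and the READ_BOOKS permission are hypothetical:

```java
package com.example.bookstore;

import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

/** Hypothetical bound service: returns book titles only to callers holding our permission. */
public class BookService extends Service {
    // Hypothetical permission, declared with <permission> in this app's manifest.
    static final String PERM_READ_BOOKS = "com.example.bookstore.permission.READ_BOOKS";
    static final String DESCRIPTOR = "com.example.bookstore.IBookService";
    static final int TX_LIST_TITLES = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TX_LIST_TITLES) {
                return super.onTransact(code, data, reply, flags);
            }
            data.enforceInterface(DESCRIPTOR);
            // The kernel-assigned UID of the remote process is the caller's real identity;
            // everything the caller wrote into the Parcel is untrusted input.
            int callerUid = Binder.getCallingUid();

            // Check 1: permission of the calling component. Outside an IPC this returns
            // PERMISSION_DENIED, so it fails closed if misused from our own process.
            if (checkCallingPermission(PERM_READ_BOOKS) != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException("uid " + callerUid + " lacks " + PERM_READ_BOOKS);
            }
            // Check 2, the slide's PackageManager form: a UID may host several packages
            // (sharedUserId), so resolve the UID and check each package behind it.
            String[] pkgs = getPackageManager().getPackagesForUid(callerUid);
            if (pkgs == null || pkgs.length == 0) {
                throw new SecurityException("unknown caller uid " + callerUid);
            }
            for (String pkg : pkgs) {
                if (getPackageManager().checkPermission(PERM_READ_BOOKS, pkg)
                        != PackageManager.PERMISSION_GRANTED) {
                    throw new SecurityException(pkg + " lacks " + PERM_READ_BOOKS);
                }
            }
            // Both checks passed: answer the RPC. A SecurityException thrown above is
            // marshalled back to the caller by Binder instead of crashing this process.
            reply.writeNoException();
            reply.writeStringArray(listTitles());
            return true;
        }
    };

    /** Constructed sample data standing in for a real database query. */
    String[] listTitles() {
        return new String[] { "Android Internals", "Secure Coding in Java" };
    }

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```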
  20. Broadcast Receiver
     [Diagram: a Service says "I've got news!" to the Android System, which delivers the message to the registered receivers A, B and C]

  21. Broadcast Receiver
         <receiver android:enabled=["true" | "false"]
                   android:exported=["true" | "false"]
                   android:icon="drawable resource"
                   android:label="string resource"
                   android:name="string"
                   android:permission="string"
                   android:process="string" >
             . . .
         </receiver>

  22. Broadcast Receiver: protecting a receiver with a permission
         <receiver android:name=".MyListener"
                   android:permission="android.permission.READ_SMS">
             <intent-filter>
                 <action android:name="android.provider.Telephony.SMS_RECEIVED" />
             </intent-filter>
         </receiver>

  23. Broadcast Receiver: selecting which receivers an Intent is sent to
         Intent intent = new Intent();
         intent.setAction(MY_BROADCAST_ACTION);
         // second argument: a permission the receiver must hold to get this broadcast
         sendBroadcast(intent, "android.provider.Telephony.SMS_RECEIVED");

  24. Broadcasts
     • Sending Broadcast Intents
       – For sensitive data, pass manifest permission name
     • Receiving Broadcast Intents
       – Validate input from intents
       – Intent Filter is not a security boundary
       – Categories narrow down delivery but do not guarantee security
       – android:exported=true
     • Sticky broadcasts stick around
       – Need special privilege BROADCAST_STICKY
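Both sides of slides 22 to 24 in one class, added as an example (not code from the deck): the sender names a receiver permission and pins the broadcast to its own package, and the receiver re-checks the action and validates every extra instead of trusting the filter. The package, action, extras and ORDERS permission are hypothetical.

```java
package com.example.bookstore;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

/** Hypothetical order broadcast: sender restricts delivery, receiver validates every extra. */
public class OrderReceiver extends BroadcastReceiver {
    static final String TAG = "OrderReceiver";
    static final String ACTION_ORDER_PLACED = "com.example.bookstore.action.ORDER_PLACED";
    static final String EXTRA_ORDER_ID = "order_id";
    static final String EXTRA_AMOUNT_CENTS = "amount_cents";
    // Hypothetical permission: set as android:permission on the <receiver> so only holders
    // may send to it, and passed to sendBroadcast() so only holders may receive it.
    static final String PERM_ORDERS = "com.example.bookstore.permission.ORDERS";

    /** Sender side: only receivers in this package that hold PERM_ORDERS get the intent. */
    static void sendOrderPlaced(Context ctx, String orderId, long amountCents) {
        Intent i = new Intent(ACTION_ORDER_PLACED);
        i.setPackage(ctx.getPackageName());   // keep the broadcast inside our own app
        i.putExtra(EXTRA_ORDER_ID, orderId);   // an identifier, not the sensitive record
        i.putExtra(EXTRA_AMOUNT_CENTS, amountCents);
        ctx.sendBroadcast(i, PERM_ORDERS);     // receiver permission, as on slide 23
    }

    /** Receiver-side input validation, kept free of Android types so it is unit-testable. */
    static boolean isValidOrder(String orderId, long amountCents) {
        if (orderId == null || !orderId.matches("[A-Za-z0-9-]{8,32}")) return false;
        // Reject negative, zero and absurd amounts (cap: 1,000,000.00) instead of
        // trusting whatever the sender put in the Parcel.
        return amountCents > 0 && amountCents <= 100_000_000L;
    }

    @Override
    public void onReceive(Context ctx, Intent intent) {
        // The intent filter matched the action, but the filter is not a security boundary:
        // re-check the action and treat every extra as untrusted.
        if (intent == null || !ACTION_ORDER_PLACED.equals(intent.getAction())) return;
        String orderId = intent.getStringExtra(EXTRA_ORDER_ID);
        long amount = intent.getLongExtra(EXTRA_AMOUNT_CENTS, -1L);
        if (!isValidOrder(orderId, amount)) {
            Log.w(TAG, "dropping malformed order broadcast");
            return;
        }
        recordOrder(orderId, amount);
    }

    /** Stand-in for the real handler (hypothetical). */
    void recordOrder(String orderId, long amountCents) {
        Log.i(TAG, "order " + orderId + " for " + amountCents + " cents");
    }
}
```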
  25. Content Provider
     [Diagram: Activity 1 in Application A reaches a SQLite DB, data files, a remote database and the Internet through a Content Provider; Activity 2 in Application B uses the same Content Provider]
     • Allows applications to share data
     • Protected with permissions
     • Content providers use URI schemes: content://<authority>/<table>/[<id>]

  26. Content Provider
         <provider android:authorities="list"
                   android:enabled=["true" | "false"]
                   android:exported=["true" | "false"]
                   android:grantUriPermissions=["true" | "false"]
                   android:icon="drawable resource"
                   android:initOrder="integer"
                   android:label="string resource"
                   android:multiprocess=["true" | "false"]
                   android:name="string"
                   android:permission="string"
                   android:process="string"
                   android:readPermission="string"
                   android:syncable=["true" | "false"]
                   android:writePermission="string" >
             . . .
         </provider>

  27. Content Provider
         <provider android:authorities=""
                   android:name=".contentprovider.MyBooksdoContentProvider"
                   android:readPermission=""
                   android:writePermission="">
             <grant-uri-permission android:path="/figures/" />
             <meta-data android:name="books" android:value="@string/books" />
         </provider>

  28. Application: check the <application> tag declaration

  29. Permissions
     • Permissions restrict component interaction
     • Permission labels defined in AndroidManifest.xml
     • MAC enforced by Reference Monitor
     • PackageManager and ActivityManager enforce permissions

  30. Application Permissions
         <uses-permission android:name="android.permission.CAMERA" />
         <uses-permission android:name="android.permission.INTERNET" />
         <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />

  31. Permissions for External Applications
     • Defined in <application> tag
     • Defined in component tag: <activity>, <provider>, <receiver>, <service>
     • Component permission overrides application-level permission

  32. Permissions for External Applications
         <application android:allowBackup="true"
                      android:icon="@drawable/ic_launcher"
                      android:label="@string/app_name"
                      android:permission="android.permission.ACCESS_COARSE_LOCATION">
             <service android:enabled="true"
                      android:name=".MyService"
                      android:permission="android.permission.WRITE_EXTERNAL_STORAGE">
             </service>
             . . .
         </application>

  33. Permission Protection Levels
         Normal              android.permission.VIBRATE
         Dangerous           android.permission.SEND_SMS, android.permission.CALL_PHONE
         Signature           android.permission.FORCE_STOP_PACKAGES, android.permission.INJECT_EVENTS
         SignatureOrSystem   android.permission.ACCESS_USB, android.permission.SET_TIME

  34. User Defined Permissions
     Create a permission:
         <permission android:name=""
                     android:description="@string/perm_read_bookstore"
                     android:label="Read access to books database"
                     android:permissionGroup="BOOKSTORE_PERMS"
                     android:protectionLevel="dangerous" />
     Create a permission group:
         <permission-group android:description="@string/perm_group_bookstore"
                           android:label="@string/perm_group_bookstore_label"
                           android:name="BOOKSTORE_PERMS" />

  35. User Defined Permissions
     Create a permission tree:
         <permission-tree android:name=""
                          android:label="@string/perm_tree_book" />
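A manifest that puts slides 25 to 35 together, added as an example (not from the deck): signature-level custom permissions gate the provider's read and write paths separately, with the open declaration kept in a comment for contrast. The package, authority, permission names and resource names are hypothetical.

```xml
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bookstore">

    <!-- Hypothetical permissions. protectionLevel="signature": only apps signed with
         the same certificate as this one can be granted them, with no user prompt. -->
    <permission android:name="com.example.bookstore.permission.READ_BOOKS"
        android:label="@string/perm_read_books"
        android:protectionLevel="signature" />
    <permission android:name="com.example.bookstore.permission.WRITE_BOOKS"
        android:label="@string/perm_write_books"
        android:protectionLevel="signature" />

    <application android:label="@string/app_name"
        android:allowBackup="false"
        android:debuggable="false">

        <!-- WEAK: exported with no permission, so every app on the device can query,
             insert, update and delete through content://com.example.bookstore.books/...
        <provider android:name=".contentprovider.BooksProvider"
            android:authorities="com.example.bookstore.books"
            android:exported="true" />
        -->

        <!-- HARDENED: read and write gated by separate permissions. With
             grantUriPermissions="false" the child element limits temporary per-URI grants
             (FLAG_GRANT_READ_URI_PERMISSION) to paths under /figures/, e.g. one cover image. -->
        <provider android:name=".contentprovider.BooksProvider"
            android:authorities="com.example.bookstore.books"
            android:exported="true"
            android:readPermission="com.example.bookstore.permission.READ_BOOKS"
            android:writePermission="com.example.bookstore.permission.WRITE_BOOKS"
            android:grantUriPermissions="false">
            <grant-uri-permission android:pathPrefix="/figures/" />
        </provider>

        <!-- Internal-only service: not exported, and no intent filter that would re-export it. -->
        <service android:name=".BookService"
            android:exported="false" />
    </application>
</manifest>
```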
  36. Storing & Sharing
     • Sharing with internal applications (same certificate)
     • Sharing with external applications

  37. Sharing with Internal Applications
     • sharedUserID
     • Preferences
     • Cache
     • Intents

  38. sharedUserID: run applications in the same UID

  39. SharedUserID
     com.example.example1:
         <manifest xmlns:android="http://schemas.android.com/apk/res/android"
                   package="com.example.example1"
                   android:versionCode="1"
                   android:versionName="1.0"
                   android:sharedUserId="com.sharedID.example">
     com.example.example2:
         <manifest xmlns:android="http://schemas.android.com/apk/res/android"
                   package="com.example.example2"
                   android:versionCode="1"
                   android:versionName="1.0"
                   android:sharedUserId="com.sharedID.example">
     sharedUserID follows the package name format; any other naming convention results in an error like INSTALL_PARSE_FAILED_BAD_SHARED_USER_ID

  40. Preferences
     • Store primitive data in key-value format
     • Persistent storage
     • Sandboxed with application

  41. Cache
         // Write to the cache file
         String myString = "Hello World!";
         File file = new File(getCacheDir(), "MyCacheFile");
         FileOutputStream fOut = new FileOutputStream(file);
         OutputStreamWriter osw = new OutputStreamWriter(fOut);
         osw.write(myString);
         osw.flush();
         osw.close();
     • Cache file is sandboxed with application
     • Can be created on external storage: getExternalCacheDir()
     • Cache file is deleted when system is running low on memory

  42. Sharing with External Applications
     • Content Providers
     • Files
     • Intents
     • Databases

  43. Files
     • Applications have own area for files
     • Files are protected by Unix-like file permissions
     • Different modes: world readable, world writable, private, append
         // openFileOutput() returns a FileOutputStream; this mode makes the file readable by every app
         FileOutputStream fos = openFileOutput("myFile", Context.MODE_WORLD_READABLE);

  44. Intents
     • Intent: Binder exposed through AIDL
     • Inter-component interaction
     • Asynchronous IPC
     • Explicit or implicit intents

  45. Explicit Intents
     [Diagram: "I know where you live!" An Activity in Application A addresses a specific Activity in Application B]
     • Specify a component name
     • Do not put sensitive data in intents
     • Components need not be in the same application
     • startActivity(Intent), sendBroadcast(Intent)

  46. Implicit Intent
     [Diagram: "Get me the best match!" An Activity in Application A is matched to an Activity in Application B, C or D]
     • No component name specified
     • Do not put sensitive data in intents
     • Components need not be in the same application
     • startActivity(Intent), sendBroadcast(Intent)

  47. Pending Intent
     • Token given to a foreign application to perform an action on your application's behalf
     • Uses your application's permissions
     • Even if its owning application's process is killed, the PendingIntent itself will remain usable from other processes
     • Provide component name in base intent
       – PendingIntent.getActivity(Context, int, Intent, int)
     [Diagram: Activity A to Activity B: "Use my identity & permissions and get the job done!"]

  48. Intent Filters
     • Activity Manager matches intents against Intent Filters
         <receiver android:name="BootCompletedReceiver">
             <intent-filter>
                 <action android:name="android.intent.action.BOOT_COMPLETED" />
             </intent-filter>
         </receiver>
     • Activity with Intent Filter enabled becomes "exported"
     • Activity with "android:exported=true" can be started with any intent
     • Intent Filters cannot be secured with permissions
     • Add categories to restrict what intent can be called through: android.intent.category.BROWSABLE

  49. Intent Filters
         <intent-filter>
             <action android:name="android.intent.action.VIEW" />
             <action android:name="android.intent.action.EDIT" />
             <action android:name="android.intent.action.PICK" />
             <category android:name="android.intent.category.DEFAULT" />
             <data android:mimeType="" />
         </intent-filter>
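Explicit targeting for intents and PendingIntents as slides 45 to 48 describe, added as an example (not code from the deck): the component is named so no other app's filter can match, a PendingIntent is built only from an explicit base intent, and the receiving side re-validates what it was handed. The package, action, extra and activity class name are hypothetical.

```java
package com.example.bookstore;

import android.app.PendingIntent;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

/** Hypothetical helpers: explicit targets for intents and PendingIntents. */
public final class SafeIntents {
    static final String ACTION_OPEN_BOOK = "com.example.bookstore.action.OPEN_BOOK";
    static final String EXTRA_BOOK_ID = "book_id";
    // Hypothetical activity in this app that shows one book.
    static final String DETAIL_ACTIVITY = "com.example.bookstore.BookDetailActivity";

    private SafeIntents() {}

    /** Explicit intent: naming the component means no other app's intent filter is consulted. */
    static Intent openBook(Context ctx, String bookId) {
        Intent i = new Intent(ACTION_OPEN_BOOK);
        i.setComponent(new ComponentName(ctx.getPackageName(), DETAIL_ACTIVITY));
        i.putExtra(EXTRA_BOOK_ID, bookId);   // pass an identifier, not the sensitive record
        return i;
    }

    /** Implicit intent that still stays inside our package: setPackage() limits resolution. */
    static Intent openBookInOurPackage(Context ctx, String bookId) {
        Intent i = new Intent(ACTION_OPEN_BOOK);
        i.setPackage(ctx.getPackageName());
        i.putExtra(EXTRA_BOOK_ID, bookId);
        return i;
    }

    /**
     * A PendingIntent runs with OUR identity and permissions in whichever process holds it,
     * so the base intent is explicit and, on API 23+, immutable so the holder cannot fill in
     * the fields that were left blank.
     */
    static PendingIntent openBookLater(Context ctx, int requestCode, String bookId) {
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= 23) {
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getActivity(ctx, requestCode, openBook(ctx, bookId), flags);
    }

    /** Receiving side: an exported activity re-checks the intent it was started with. */
    static String bookIdFromIntent(Intent intent) {
        if (intent == null || !ACTION_OPEN_BOOK.equals(intent.getAction())) return null;
        String id = intent.getStringExtra(EXTRA_BOOK_ID);
        return (id != null && id.matches("[0-9]{1,12}")) ? id : null;
    }
}
```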
  50. AndroidManifest.xml: turn debugging off

  51. AndroidManifest.xml: set component visibility right

  52. AndroidManifest.xml: protect components by permissions

  53. AndroidManifest.xml: define access

  54. AndroidManifest.xml: backup and storage

  55. External Storage
     • Starting API 8 (Android 2.2) APKs can be stored on external devices
       – APK is stored in an encrypted container called an asec file
       – Key is randomly generated and stored on device
       – Dex files, private data, native shared libraries still reside on internal memory
       – External devices are mounted with "noexec"
     • VFAT does not support Linux access control
     • Sensitive data should be encrypted before storing

  56. Application Signature
     • Applications are self-signed; no CA required
     • Signature defines persistence
       – Detect if the application has changed
       – Application update
     • Signatures define authorship
       – Establish trust between applications
       – Run in same Linux ID

  57. Application Upgrade
     • Applications can register for auto-updates
     • Applications should have the same signature
     • No additional permissions should be added
     • Install location is preserved

  58. System Packages
     • Come bundled with ROM
     • Have signatureOrSystem permission
     • Cannot be uninstalled
     • /system/app

  59. Summary
     • Linux process sandbox
     • Permission-based component interaction
     • Permission labels defined in AndroidManifest.xml
     • Applications need to be signed
     • Signature defines persistence and authorship
     • Install-time security decisions

  60. battlehack.org: Berlin, New York, Tel Aviv, Seattle, Miami, Moscow, Austin, London, Barcelona, Washington DC

  61. Thank You! @PayPalDev @pragatiogal