SlideShare a Scribd company logo

Android Security

Download as PPTX, PDF
Arqum Ahmad
Arqum Ahmad

The given presentation is a part of my work in field of Smartphone Security. The talk given in IIIT- Naya Raipur on April-2,2016

Mobile
1 of 37
YOU REALLY THINK YOU ARE SAFE ?? Answer lies inside.
Android Security An Introduction E-security summit Computer Society of India Allahabad Chapter
About Us Arqum Ahmad Student 4th Sem B.Tech Information Technology Jay Tibrewal Student 4th Sem B.Tech Information Technology Indian Institute of Information Technology, Allahabad Under the guidance & supervision of Prof. Dr. O.P. Vyas Professor Dean R&D IIIT-A
GROWTH OF SMARTPHONE Period Android iOS Windows Phone BlackBerry OS Others 2015Q2 82.8% 13.9% 2.6% 0.3% 0.4% 2014Q2 84.8% 11.6% 2.5% 0.5% 0.7% 2013Q2 79.8% 12.9% 3.4% 2.8% 1.2% 2012Q2 69.3% 16.6% 3.1% 4.9% 6.1% Source: IDC, AUG 2015
How much unsecure is ANDROID ?
Who is this ?
Is your android secured ? In a major conference, the former CEO of Google.Inc Eric Schmidt claimed that ANDROID is more secure than iPhone
What do you think about the audience’s response.
They laughed , A LOT.
Why Care ? • “Android users are two and half times as likely to encounter malware today than 6 months ago…” -Lookout Mobile Threat Report • “Today’s mobile devices are a mix bag when it comes to security… still vulnerable to many traditional attacks..” -Carey Nachenberg, Symantec • The growth rate in malware within Android is huge; in the future there will definetly be more.” -Nikolay Grebennikov, CTO of Kaspersky • “Any time a technology becomes adopted and popular, that technology will be targeted by the bad guys.” -Jay Abbott, PricewaterhouseCoopers LLP
Outline • Security Basics • Smartphone’s security • Android Platform • Device and data Security
Smartphone, Android Mobile Security
Smartphone Security App Markets
Data on Smartphones • Emails/SMS • Contacts • Pictures • GPS Data • Google searches & Web History • Documents • Account Information &Passwords • Banking Data Almost everything that was on your desktop a couple of years ago.
THE ANDROID PLATFORM
ANDROID Architecture
What is an APP AndroidManifest.xml res/* classes/.dex META-INF/MANIFEST.MF META-INF/CRT.SF META-INF/CERT.RSA .apk Android Package Name of the package Describes components of the App Required Permissions Minimum level of API App Resources Dalvik Bytecode (all classes in one file) MANIFEST.MF : Hashes of all files. CERT.SF : Hash of MANEFEST.MF and hashes of all the entries in MANIFEST.MF CERT.RSA: Signature of CERT.SF file including the signer’s certificate(public key itself)
App Installation • .apk Package are self signed! • It’s not about the trustworthiness of the developer! • The signature is just checked at installation time • Files may be manipulated after that! • At installation every App gets an own Linux User assigned • Example: app_user_10 • Every App gets a directory within the filesystem • Example: /data/data/com.example.MyApp
Where does App run? • Every App runs within it’s own Linux process • And as it’s own Linux user! • Within the process a Dalvik VM instances is running • Most Apps are just JAVA based • Or they are Web based running within WebKit • Native code can also be used for specific use-cases • Over JNI or completely native
Android Apps and Processes zygote Dalvik VM dex libs uid=0(root) gid=0(root) com.example.App1 Dalvik VM dex libs uid=10040(app_40) gid=10040app_40) Dalvik VM dex libs com.example.App1 uid=10041(app_41) gid=10041app_41) Kernel fork()
Android Permissions • Defined within AndroidManifest.xml • Different Protection Levels (predefined) • Normal, dangereous. Signature, signatureOrSystem <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.SEND_SMS" /> ... </manifest>
Android Permissions (Contd.) • Require permissions to interact with App • Permission required to pass an intent e.g. to startActivity() • Intent send through ActivityManagerService • System Content Providers are normal Apps e.g. com.android.provider.contacts • Permissions required to read/write content providers can be defined • Content Provider are “invoked” by ContentResolver.query() <permission android:name="com.example.myApp.permission.CRITICAL_ACTIVITY" android:label="@string/permlab_criticalActivity" android:description="@string/permdesc_criticalActivity" android:permissionGroup="android.permission-group.COST_MONEY" android:permissionLevel="dangerous" />
Android Sandbox • Sandboxing is implemented by the Android Permission Model and Linux User separation • Process are separated by different UIDs • Filesystem Access is authorized by File Permissions • Android API calls are authorized according to the Android permissions e.g. access to Contacts, SMS, Location… • Network, SD Card or Blutooth access is authorized by Linux Group Membership
Escaping The Sandbox • Apps can talk to other Apps via • Intents • IPC (Binder) • Content Providers • Otherwise, to escape our sandbox, we need to use Permissions • Some permissions are only available to system apps
Installing App from Unknown Source • Downloaded App from Unknown Source • Download .apk directly from internet • Black Market App (Cracked version of Paid App)
STOP!
I’m saying Think Again!
OK! Do it on your own risk! You’re the last person I trust 
Device And Data Security
http://xkcd.com/538/
Device Protection • Screen Lock with PIN, Password, pattern, etc • Bootloader is locked by DEFAULT
Boot Process Power on boot ROM code execution Load the Bootloader Load the Linux Kernel Init Process Launch Zygote and Dalvik Initialize Sysytem Server Depends on Device
Rooting • By default there is no way to execute app as root • Rooting: Find a way to run apps/ process as root! • Eg. Install a Super User binary • If you want to do it safely, do not do it! • An unlocked bootloader is risky!
Attack Paths By Software Malicious App with too much permissions Malicious App elevating privileges Exploited Vulnerable App e.g. Browser Physical Attack ADB enabled? Install App with all permissions and extract data! Bootloader Unlocked? Dump with recovery image Hardware technique? Dump with Hardware technique Is storage encrypted? Brute-Force encryption key offline!
Conclusion • Passcode should be used • As comlex as possible, as usual • But it does’t full protection! • Physical acquisition is a serious threat • Lack of hardware support encryption • Hardware module with hardware key would be better! • Debug mode is evil!
Sources • Hacktivity-2012 Android Security • developers.android.com • Stackoverflow.com
ITS SHOW TIME!

Recommended

Android security
Android securityAndroid security
Android security
Midhun P Gopi
 
Android Security
Android SecurityAndroid Security
Android Security
Lars Jacobs
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
Pragati Rai
 
Android Security
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar
 

Recommended

Android security
Android securityAndroid security
Android security
Midhun P Gopi
 
Android Security
Android SecurityAndroid Security
Android Security
Lars Jacobs
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
Pragati Rai
 
Android Security
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
Mobile security
Mobile securityMobile security
Mobile security
priyanka pandey
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
Ishan Girdhar
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
Tandhy Simanjuntak
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
Sina Manavi
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
kunwaratul hax0r
 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
Anusha Chavan
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
Jose Manuel Ortega Candel
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
Sam Bowne
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
Minali Arora
 
Bug bounty
Bug bountyBug bounty
Bug bounty
n|u - The Open Security Community
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
Mohammed Adam
 
Mobile security
Mobile securityMobile security
Mobile security
Tapan Khilar
 
Mobile security
Mobile securityMobile security
Mobile security
dilipdubey5
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OS
Jimmy Software
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
Confiz
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
Pawel Rzepa
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Ajin Abraham
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
Rashad Aliyev
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
Sander Alberink
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
National Cheng Kung University
 

More Related Content

What's hot

AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
Ajin Abraham
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
Confiz
 

What's hot (20)

Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
 
Android Hacking + Pentesting
Android Hacking + Pentesting Android Hacking + Pentesting
Android Hacking + Pentesting
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 
Android sandbox
Android sandboxAndroid sandbox
Android sandbox
 
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSFAppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
AppSec EU 2016: Automated Mobile Application Security Assessment with MobSF
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
1. Mobile Application (In)security
1. Mobile Application (In)security1. Mobile Application (In)security
1. Mobile Application (In)security
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Mobile security
Mobile securityMobile security
Mobile security
 
Mobile security
Mobile securityMobile security
Mobile security
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OS
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Owasp mobile top 10
Owasp mobile top 10Owasp mobile top 10
Owasp mobile top 10
 
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...Automated Security Analysis of Android & iOS Applications with Mobile Securit...
Automated Security Analysis of Android & iOS Applications with Mobile Securit...
 
Penetration testing reporting and methodology
Penetration testing reporting and methodologyPenetration testing reporting and methodology
Penetration testing reporting and methodology
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 

Viewers also liked

Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and Privacy
Anika Tasnim Hafiz
 
Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)
Ontico
 
Android security model
Android security modelAndroid security model
Android security model
rrand1
 

Viewers also liked (15)

Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and Privacy
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
 
Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)
 
Android coding standard
Android coding standard Android coding standard
Android coding standard
 
Naya raipur chhattisgarh
Naya raipur chhattisgarhNaya raipur chhattisgarh
Naya raipur chhattisgarh
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
CONNECTKaro 2015 - Land Management For Smart Cities - Naya Raipur
CONNECTKaro 2015 - Land Management For Smart Cities - Naya RaipurCONNECTKaro 2015 - Land Management For Smart Cities - Naya Raipur
CONNECTKaro 2015 - Land Management For Smart Cities - Naya Raipur
 
Sdp Aicte
Sdp AicteSdp Aicte
Sdp Aicte
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
Mobile device security informative v2
Mobile device security informative v2Mobile device security informative v2
Mobile device security informative v2
 
Android security model
Android security modelAndroid security model
Android security model
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
Testing Android Security
Testing Android SecurityTesting Android Security
Testing Android Security
 

Similar to Android Security

Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
Denim Group
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
Ravishankar Kumar
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
Stephan Chenette
 

Similar to Android Security (20)

Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Mobile security
Mobile securityMobile security
Mobile security
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
android Security
android Security android Security
android Security
 

Recently uploaded

Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
nishasame66
 
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Cara Menggugurkan Kandungan 087776558899
 

Recently uploaded (6)

Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
 
Android Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesAndroid Application Components with Implementation & Examples
Android Application Components with Implementation & Examples
 
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
 
Mobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsMobile Application Development-Components and Layouts
Mobile Application Development-Components and Layouts
 
Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312
 
Mobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsMobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s Tools
 

Android Security

  • 1. YOU REALLY THINK YOU ARE SAFE ?? Answer lies inside.
  • 2. Android Security An Introduction E-security summit Computer Society of India Allahabad Chapter
  • 3. About Us Arqum Ahmad Student 4th Sem B.Tech Information Technology Jay Tibrewal Student 4th Sem B.Tech Information Technology Indian Institute of Information Technology, Allahabad Under the guidance & supervision of Prof. Dr. O.P. Vyas Professor Dean R&D IIIT-A
  • 4. GROWTH OF SMARTPHONE Period Android iOS Windows Phone BlackBerry OS Others 2015Q2 82.8% 13.9% 2.6% 0.3% 0.4% 2014Q2 84.8% 11.6% 2.5% 0.5% 0.7% 2013Q2 79.8% 12.9% 3.4% 2.8% 1.2% 2012Q2 69.3% 16.6% 3.1% 4.9% 6.1% Source: IDC, AUG 2015
  • 5. How much unsecure is ANDROID ?
  • 7. Is your android secured ? In a major conference, the former CEO of Google.Inc Eric Schmidt claimed that ANDROID is more secure than iPhone
  • 8. What do you think about the audience’s response.
  • 9. They laughed , A LOT.
  • 10. Why Care ? • “Android users are two and half times as likely to encounter malware today than 6 months ago…” -Lookout Mobile Threat Report • “Today’s mobile devices are a mix bag when it comes to security… still vulnerable to many traditional attacks..” -Carey Nachenberg, Symantec • The growth rate in malware within Android is huge; in the future there will definetly be more.” -Nikolay Grebennikov, CTO of Kaspersky • “Any time a technology becomes adopted and popular, that technology will be targeted by the bad guys.” -Jay Abbott, PricewaterhouseCoopers LLP
  • 11. Outline • Security Basics • Smartphone’s security • Android Platform • Device and data Security
  • 14. Data on Smartphones • Emails/SMS • Contacts • Pictures • GPS Data • Google searches & Web History • Documents • Account Information &Passwords • Banking Data Almost everything that was on your desktop a couple of years ago.
  • 17. What is an APP AndroidManifest.xml res/* classes/.dex META-INF/MANIFEST.MF META-INF/CRT.SF META-INF/CERT.RSA .apk Android Package Name of the package Describes components of the App Required Permissions Minimum level of API App Resources Dalvik Bytecode (all classes in one file) MANIFEST.MF : Hashes of all files. CERT.SF : Hash of MANEFEST.MF and hashes of all the entries in MANIFEST.MF CERT.RSA: Signature of CERT.SF file including the signer’s certificate(public key itself)
  • 18. App Installation • .apk Package are self signed! • It’s not about the trustworthiness of the developer! • The signature is just checked at installation time • Files may be manipulated after that! • At installation every App gets an own Linux User assigned • Example: app_user_10 • Every App gets a directory within the filesystem • Example: /data/data/com.example.MyApp
  • 19. Where does App run? • Every App runs within it’s own Linux process • And as it’s own Linux user! • Within the process a Dalvik VM instances is running • Most Apps are just JAVA based • Or they are Web based running within WebKit • Native code can also be used for specific use-cases • Over JNI or completely native
  • 20. Android Apps and Processes zygote Dalvik VM dex libs uid=0(root) gid=0(root) com.example.App1 Dalvik VM dex libs uid=10040(app_40) gid=10040app_40) Dalvik VM dex libs com.example.App1 uid=10041(app_41) gid=10041app_41) Kernel fork()
  • 21. Android Permissions • Defined within AndroidManifest.xml • Different Protection Levels (predefined) • Normal, dangereous. Signature, signatureOrSystem <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.SEND_SMS" /> ... </manifest>
  • 22. Android Permissions (Contd.) • Require permissions to interact with App • Permission required to pass an intent e.g. to startActivity() • Intent send through ActivityManagerService • System Content Providers are normal Apps e.g. com.android.provider.contacts • Permissions required to read/write content providers can be defined • Content Provider are “invoked” by ContentResolver.query() <permission android:name="com.example.myApp.permission.CRITICAL_ACTIVITY" android:label="@string/permlab_criticalActivity" android:description="@string/permdesc_criticalActivity" android:permissionGroup="android.permission-group.COST_MONEY" android:permissionLevel="dangerous" />
  • 23. Android Sandbox • Sandboxing is implemented by the Android Permission Model and Linux User separation • Process are separated by different UIDs • Filesystem Access is authorized by File Permissions • Android API calls are authorized according to the Android permissions e.g. access to Contacts, SMS, Location… • Network, SD Card or Blutooth access is authorized by Linux Group Membership
  • 24. Escaping The Sandbox • Apps can talk to other Apps via • Intents • IPC (Binder) • Content Providers • Otherwise, to escape our sandbox, we need to use Permissions • Some permissions are only available to system apps
  • 25. Installing App from Unknown Source • Downloaded App from Unknown Source • Download .apk directly from internet • Black Market App (Cracked version of Paid App)
  • 26. STOP!
  • 28. OK! Do it on your own risk! You’re the last person I trust 
  • 29. Device And Data Security
  • 31. Device Protection • Screen Lock with PIN, Password, pattern, etc • Bootloader is locked by DEFAULT
  • 32. Boot Process Power on boot ROM code execution Load the Bootloader Load the Linux Kernel Init Process Launch Zygote and Dalvik Initialize Sysytem Server Depends on Device
  • 33. Rooting • By default there is no way to execute app as root • Rooting: Find a way to run apps/ process as root! • Eg. Install a Super User binary • If you want to do it safely, do not do it! • An unlocked bootloader is risky!
  • 34. Attack Paths By Software Malicious App with too much permissions Malicious App elevating privileges Exploited Vulnerable App e.g. Browser Physical Attack ADB enabled? Install App with all permissions and extract data! Bootloader Unlocked? Dump with recovery image Hardware technique? Dump with Hardware technique Is storage encrypted? Brute-Force encryption key offline!
  • 35. Conclusion • Passcode should be used • As comlex as possible, as usual • But it does’t full protection! • Physical acquisition is a serious threat • Lack of hardware support encryption • Hardware module with hardware key would be better! • Debug mode is evil!
  • 36. Sources • Hacktivity-2012 Android Security • developers.android.com • Stackoverflow.com