SlideShare a Scribd company logo

Android Security

Download as PPTX, PDF
Arqum Ahmad
Arqum Ahmad

The given presentation is a part of my work in field of Smartphone Security. The talk given in IIIT- Naya Raipur on April-2,2016

Mobile
1 of 37
YOU REALLY THINK YOU ARE SAFE ?? Answer lies inside.
Android Security An Introduction E-security summit Computer Society of India Allahabad Chapter
About Us Arqum Ahmad Student 4th Sem B.Tech Information Technology Jay Tibrewal Student 4th Sem B.Tech Information Technology Indian Institute of Information Technology, Allahabad Under the guidance & supervision of Prof. Dr. O.P. Vyas Professor Dean R&D IIIT-A
GROWTH OF SMARTPHONE Period Android iOS Windows Phone BlackBerry OS Others 2015Q2 82.8% 13.9% 2.6% 0.3% 0.4% 2014Q2 84.8% 11.6% 2.5% 0.5% 0.7% 2013Q2 79.8% 12.9% 3.4% 2.8% 1.2% 2012Q2 69.3% 16.6% 3.1% 4.9% 6.1% Source: IDC, AUG 2015
How much unsecure is ANDROID ?
Who is this ?
Is your android secured ? In a major conference, the former CEO of Google.Inc Eric Schmidt claimed that ANDROID is more secure than iPhone
What do you think about the audience’s response.
They laughed , A LOT.
Why Care ? • “Android users are two and half times as likely to encounter malware today than 6 months ago…” -Lookout Mobile Threat Report • “Today’s mobile devices are a mix bag when it comes to security… still vulnerable to many traditional attacks..” -Carey Nachenberg, Symantec • The growth rate in malware within Android is huge; in the future there will definetly be more.” -Nikolay Grebennikov, CTO of Kaspersky • “Any time a technology becomes adopted and popular, that technology will be targeted by the bad guys.” -Jay Abbott, PricewaterhouseCoopers LLP
Outline • Security Basics • Smartphone’s security • Android Platform • Device and data Security
Smartphone, Android Mobile Security
Smartphone Security App Markets
Data on Smartphones • Emails/SMS • Contacts • Pictures • GPS Data • Google searches & Web History • Documents • Account Information &Passwords • Banking Data Almost everything that was on your desktop a couple of years ago.
THE ANDROID PLATFORM
ANDROID Architecture
What is an APP AndroidManifest.xml res/* classes/.dex META-INF/MANIFEST.MF META-INF/CRT.SF META-INF/CERT.RSA .apk Android Package Name of the package Describes components of the App Required Permissions Minimum level of API App Resources Dalvik Bytecode (all classes in one file) MANIFEST.MF : Hashes of all files. CERT.SF : Hash of MANEFEST.MF and hashes of all the entries in MANIFEST.MF CERT.RSA: Signature of CERT.SF file including the signer’s certificate(public key itself)
App Installation • .apk Package are self signed! • It’s not about the trustworthiness of the developer! • The signature is just checked at installation time • Files may be manipulated after that! • At installation every App gets an own Linux User assigned • Example: app_user_10 • Every App gets a directory within the filesystem • Example: /data/data/com.example.MyApp
Where does App run? • Every App runs within it’s own Linux process • And as it’s own Linux user! • Within the process a Dalvik VM instances is running • Most Apps are just JAVA based • Or they are Web based running within WebKit • Native code can also be used for specific use-cases • Over JNI or completely native
Android Apps and Processes zygote Dalvik VM dex libs uid=0(root) gid=0(root) com.example.App1 Dalvik VM dex libs uid=10040(app_40) gid=10040app_40) Dalvik VM dex libs com.example.App1 uid=10041(app_41) gid=10041app_41) Kernel fork()
Android Permissions • Defined within AndroidManifest.xml • Different Protection Levels (predefined) • Normal, dangereous. Signature, signatureOrSystem <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.SEND_SMS" /> ... </manifest>
Android Permissions (Contd.) • Require permissions to interact with App • Permission required to pass an intent e.g. to startActivity() • Intent send through ActivityManagerService • System Content Providers are normal Apps e.g. com.android.provider.contacts • Permissions required to read/write content providers can be defined • Content Provider are “invoked” by ContentResolver.query() <permission android:name="com.example.myApp.permission.CRITICAL_ACTIVITY" android:label="@string/permlab_criticalActivity" android:description="@string/permdesc_criticalActivity" android:permissionGroup="android.permission-group.COST_MONEY" android:permissionLevel="dangerous" />
Android Sandbox • Sandboxing is implemented by the Android Permission Model and Linux User separation • Process are separated by different UIDs • Filesystem Access is authorized by File Permissions • Android API calls are authorized according to the Android permissions e.g. access to Contacts, SMS, Location… • Network, SD Card or Blutooth access is authorized by Linux Group Membership
Escaping The Sandbox • Apps can talk to other Apps via • Intents • IPC (Binder) • Content Providers • Otherwise, to escape our sandbox, we need to use Permissions • Some permissions are only available to system apps
Installing App from Unknown Source • Downloaded App from Unknown Source • Download .apk directly from internet • Black Market App (Cracked version of Paid App)
STOP!
I’m saying Think Again!
OK! Do it on your own risk! You’re the last person I trust 
Device And Data Security
http://xkcd.com/538/
Device Protection • Screen Lock with PIN, Password, pattern, etc • Bootloader is locked by DEFAULT
Boot Process Power on boot ROM code execution Load the Bootloader Load the Linux Kernel Init Process Launch Zygote and Dalvik Initialize Sysytem Server Depends on Device
Rooting • By default there is no way to execute app as root • Rooting: Find a way to run apps/ process as root! • Eg. Install a Super User binary • If you want to do it safely, do not do it! • An unlocked bootloader is risky!
Attack Paths By Software Malicious App with too much permissions Malicious App elevating privileges Exploited Vulnerable App e.g. Browser Physical Attack ADB enabled? Install App with all permissions and extract data! Bootloader Unlocked? Dump with recovery image Hardware technique? Dump with Hardware technique Is storage encrypted? Brute-Force encryption key offline!
Conclusion • Passcode should be used • As comlex as possible, as usual • But it does’t full protection! • Physical acquisition is a serious threat • Lack of hardware support encryption • Hardware module with hardware key would be better! • Debug mode is evil!
Sources • Hacktivity-2012 Android Security • developers.android.com • Stackoverflow.com
ITS SHOW TIME!

Recommended

Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 

Recommended

Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2Krisshhna Daasaarii
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Android pentesting
Android pentestingAndroid pentesting
Android pentestingMykhailo Antonishyn
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
mobile application security
mobile application securitymobile application security
mobile application security-jyothish kumar sirigidi
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for MobileAppvigil - Mobile App Security Scanner
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android SecurityNational Cheng Kung University
 

More Related Content

What's hot

Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection MechanismsTalha Kabakus
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2Mohammed Adam
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application SecurityEgor Tolstoy
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetupkunwaratul hax0r
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testingRoshan Kumar Gami
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 

What's hot (20)

Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
Android Malware Detection Mechanisms
Android Malware Detection MechanismsAndroid Malware Detection Mechanisms
Android Malware Detection Mechanisms
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Android Penetration testing - Day 2
Android Penetration testing - Day 2 Android Penetration testing - Day 2
Android Penetration testing - Day 2
 
iOS Application Security
iOS Application SecurityiOS Application Security
iOS Application Security
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 
Android application penetration testing
Android application penetration testingAndroid application penetration testing
Android application penetration testing
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android Security
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Android pentesting
Android pentestingAndroid pentesting
Android pentesting
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
mobile application security
mobile application securitymobile application security
mobile application security
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
OWASP Top 10 for Mobile
OWASP Top 10 for MobileOWASP Top 10 for Mobile
OWASP Top 10 for Mobile
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 

Viewers also liked

Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and PrivacyAnika Tasnim Hafiz
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel BugsJiahong Fang
 
Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)Ontico
 
Android coding standard
Android coding standard Android coding standard
Android coding standard Rakesh Jha
 
Naya raipur chhattisgarh
Naya raipur chhattisgarhNaya raipur chhattisgarh
Naya raipur chhattisgarhDeepakMahadeo
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 
Mobile device security informative v2
Mobile device security informative v2Mobile device security informative v2
Mobile device security informative v2Salman Zahid
 
Android security model
Android security modelAndroid security model
Android security modelrrand1
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 

Viewers also liked (15)

Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and Privacy
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
 
Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)
 
Android coding standard
Android coding standard Android coding standard
Android coding standard
 
Naya raipur chhattisgarh
Naya raipur chhattisgarhNaya raipur chhattisgarh
Naya raipur chhattisgarh
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
CONNECTKaro 2015 - Land Management For Smart Cities - Naya Raipur
CONNECTKaro 2015 - Land Management For Smart Cities - Naya RaipurCONNECTKaro 2015 - Land Management For Smart Cities - Naya Raipur
CONNECTKaro 2015 - Land Management For Smart Cities - Naya Raipur
 
Sdp Aicte
Sdp AicteSdp Aicte
Sdp Aicte
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
Mobile device security informative v2
Mobile device security informative v2Mobile device security informative v2
Mobile device security informative v2
 
Android security model
Android security modelAndroid security model
Android security model
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
Testing Android Security
Testing Android SecurityTesting Android Security
Testing Android Security
 

Similar to Android Security

Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...tdc-globalcode
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2Sam Bowne
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)Sam Bowne
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration TestingSurabaya Blackhat
 
android Security
android Security android Security
android Security darkC0de
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security WorkshopOWASP
 

Similar to Android Security (20)

Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Mobile security
Mobile securityMobile security
Mobile security
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
android Security
android Security android Security
android Security
 
[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop[Wroclaw #1] Android Security Workshop
[Wroclaw #1] Android Security Workshop
 
Securing Android
Securing AndroidSecuring Android
Securing Android
 

Recently uploaded

Mobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsMobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsChandrakantDivate1
 
Mobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsMobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsChandrakantDivate1
 
Mobile Application Development- Configuration and Android Installation
Mobile Application Development- Configuration and Android InstallationMobile Application Development- Configuration and Android Installation
Mobile Application Development- Configuration and Android InstallationChandrakantDivate1
 
Android Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesAndroid Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesChandrakantDivate1
 
Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312wphillips114
 
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...nishasame66
 
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pureBromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pureamy56318795
 

Recently uploaded (8)

Mobile Application Development-Components and Layouts
Mobile Application Development-Components and LayoutsMobile Application Development-Components and Layouts
Mobile Application Development-Components and Layouts
 
Mobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s ToolsMobile Application Development-Android and It’s Tools
Mobile Application Development-Android and It’s Tools
 
Mobile Application Development- Configuration and Android Installation
Mobile Application Development- Configuration and Android InstallationMobile Application Development- Configuration and Android Installation
Mobile Application Development- Configuration and Android Installation
 
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
Obat Penggugur Kandungan Di Apotik Kimia Farma (087776558899)
 
Android Application Components with Implementation & Examples
Android Application Components with Implementation & ExamplesAndroid Application Components with Implementation & Examples
Android Application Components with Implementation & Examples
 
Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312Mobile App Penetration Testing Bsides312
Mobile App Penetration Testing Bsides312
 
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
Satara Call girl escort *74796//13122* Call me punam call girls 24*7hour avai...
 
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pureBromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
Bromazolam CAS 71368-80-4 high quality opiates, Safe transportation, 99% pure
 

Android Security

  • 1. YOU REALLY THINK YOU ARE SAFE ?? Answer lies inside.
  • 2. Android Security An Introduction E-security summit Computer Society of India Allahabad Chapter
  • 3. About Us Arqum Ahmad Student 4th Sem B.Tech Information Technology Jay Tibrewal Student 4th Sem B.Tech Information Technology Indian Institute of Information Technology, Allahabad Under the guidance & supervision of Prof. Dr. O.P. Vyas Professor Dean R&D IIIT-A
  • 4. GROWTH OF SMARTPHONE Period Android iOS Windows Phone BlackBerry OS Others 2015Q2 82.8% 13.9% 2.6% 0.3% 0.4% 2014Q2 84.8% 11.6% 2.5% 0.5% 0.7% 2013Q2 79.8% 12.9% 3.4% 2.8% 1.2% 2012Q2 69.3% 16.6% 3.1% 4.9% 6.1% Source: IDC, AUG 2015
  • 5. How much unsecure is ANDROID ?
  • 7. Is your android secured ? In a major conference, the former CEO of Google.Inc Eric Schmidt claimed that ANDROID is more secure than iPhone
  • 8. What do you think about the audience’s response.
  • 9. They laughed , A LOT.
  • 10. Why Care ? • “Android users are two and half times as likely to encounter malware today than 6 months ago…” -Lookout Mobile Threat Report • “Today’s mobile devices are a mix bag when it comes to security… still vulnerable to many traditional attacks..” -Carey Nachenberg, Symantec • The growth rate in malware within Android is huge; in the future there will definetly be more.” -Nikolay Grebennikov, CTO of Kaspersky • “Any time a technology becomes adopted and popular, that technology will be targeted by the bad guys.” -Jay Abbott, PricewaterhouseCoopers LLP
  • 11. Outline • Security Basics • Smartphone’s security • Android Platform • Device and data Security
  • 14. Data on Smartphones • Emails/SMS • Contacts • Pictures • GPS Data • Google searches & Web History • Documents • Account Information &Passwords • Banking Data Almost everything that was on your desktop a couple of years ago.
  • 17. What is an APP AndroidManifest.xml res/* classes/.dex META-INF/MANIFEST.MF META-INF/CRT.SF META-INF/CERT.RSA .apk Android Package Name of the package Describes components of the App Required Permissions Minimum level of API App Resources Dalvik Bytecode (all classes in one file) MANIFEST.MF : Hashes of all files. CERT.SF : Hash of MANEFEST.MF and hashes of all the entries in MANIFEST.MF CERT.RSA: Signature of CERT.SF file including the signer’s certificate(public key itself)
  • 18. App Installation • .apk Package are self signed! • It’s not about the trustworthiness of the developer! • The signature is just checked at installation time • Files may be manipulated after that! • At installation every App gets an own Linux User assigned • Example: app_user_10 • Every App gets a directory within the filesystem • Example: /data/data/com.example.MyApp
  • 19. Where does App run? • Every App runs within it’s own Linux process • And as it’s own Linux user! • Within the process a Dalvik VM instances is running • Most Apps are just JAVA based • Or they are Web based running within WebKit • Native code can also be used for specific use-cases • Over JNI or completely native
  • 20. Android Apps and Processes zygote Dalvik VM dex libs uid=0(root) gid=0(root) com.example.App1 Dalvik VM dex libs uid=10040(app_40) gid=10040app_40) Dalvik VM dex libs com.example.App1 uid=10041(app_41) gid=10041app_41) Kernel fork()
  • 21. Android Permissions • Defined within AndroidManifest.xml • Different Protection Levels (predefined) • Normal, dangereous. Signature, signatureOrSystem <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.SEND_SMS" /> ... </manifest>
  • 22. Android Permissions (Contd.) • Require permissions to interact with App • Permission required to pass an intent e.g. to startActivity() • Intent send through ActivityManagerService • System Content Providers are normal Apps e.g. com.android.provider.contacts • Permissions required to read/write content providers can be defined • Content Provider are “invoked” by ContentResolver.query() <permission android:name="com.example.myApp.permission.CRITICAL_ACTIVITY" android:label="@string/permlab_criticalActivity" android:description="@string/permdesc_criticalActivity" android:permissionGroup="android.permission-group.COST_MONEY" android:permissionLevel="dangerous" />
  • 23. Android Sandbox • Sandboxing is implemented by the Android Permission Model and Linux User separation • Process are separated by different UIDs • Filesystem Access is authorized by File Permissions • Android API calls are authorized according to the Android permissions e.g. access to Contacts, SMS, Location… • Network, SD Card or Blutooth access is authorized by Linux Group Membership
  • 24. Escaping The Sandbox • Apps can talk to other Apps via • Intents • IPC (Binder) • Content Providers • Otherwise, to escape our sandbox, we need to use Permissions • Some permissions are only available to system apps
  • 25. Installing App from Unknown Source • Downloaded App from Unknown Source • Download .apk directly from internet • Black Market App (Cracked version of Paid App)
  • 26. STOP!
  • 28. OK! Do it on your own risk! You’re the last person I trust 
  • 29. Device And Data Security
  • 31. Device Protection • Screen Lock with PIN, Password, pattern, etc • Bootloader is locked by DEFAULT
  • 32. Boot Process Power on boot ROM code execution Load the Bootloader Load the Linux Kernel Init Process Launch Zygote and Dalvik Initialize Sysytem Server Depends on Device
  • 33. Rooting • By default there is no way to execute app as root • Rooting: Find a way to run apps/ process as root! • Eg. Install a Super User binary • If you want to do it safely, do not do it! • An unlocked bootloader is risky!
  • 34. Attack Paths By Software Malicious App with too much permissions Malicious App elevating privileges Exploited Vulnerable App e.g. Browser Physical Attack ADB enabled? Install App with all permissions and extract data! Bootloader Unlocked? Dump with recovery image Hardware technique? Dump with Hardware technique Is storage encrypted? Brute-Force encryption key offline!
  • 35. Conclusion • Passcode should be used • As comlex as possible, as usual • But it does’t full protection! • Physical acquisition is a serious threat • Lack of hardware support encryption • Hardware module with hardware key would be better! • Debug mode is evil!
  • 36. Sources • Hacktivity-2012 Android Security • developers.android.com • Stackoverflow.com