This document discusses Android security and outlines some of its key features and challenges. It describes how Android extends traditional UNIX security models through permissions and how permissions are enforced at different levels of the software stack, from installation to system calls to services. However, it notes some problems with Android's permission approach including coarse-grained permissions and difficulty updating devices. It proposes possible improvements such as better permission documentation and expanding security scanning.
Android security model
1. Android Security
Jesus Cox Richard Rand
Jonathan Heide Luis Rodriguez
2. Overview
• Built on the Linux kernel.
• Android is open source, meaning that developers can customize the operating system to suit each device.
• As a result, Android has been adapted to a wide array of mobile devices, with varying hardware, price points, and market segments.
• Manufacturers have also been able to experiment with many styles of Graphical User Interfaces.
• This diversity has been a security challenge, because it takes longer to update the OS to fix security flaws.
3. Permissions
Traditionally UNIX security is about protecting users from each other and the operating system from users, by limiting the permissions of certain users.
Android extends this concept to protect the user from apps they install.
ACCESS_CHECKIN_PROPERTIES  Allows read/write access to the "properties" table in the checkin database, to change values that get uploaded.
ACCESS_COARSE_LOCATION  Allows an application to access coarse (e.g., Cell-ID, WiFi) location
ACCESS_FINE_LOCATION  Allows an application to access fine (e.g., GPS) location
ACCESS_LOCATION_EXTRA_COMMANDS  Allows an application to access extra location provider commands
ACCESS_MOCK_LOCATION  Allows an application to create mock location providers for testing
ACCESS_NETWORK_STATE  Allows applications to access information about networks
ACCESS_SURFACE_FLINGER  Allows an application to use SurfaceFlinger's low level features
ACCESS_WIFI_STATE  Allows applications to access information about Wi-Fi networks
ACCOUNT_MANAGER  Allows applications to call into AccountAuthenticators.
ADD_VOICEMAIL  Allows an application to add voicemails into the system.
AUTHENTICATE_ACCOUNTS  Allows an application to act as an AccountAuthenticator for the AccountManager
BATTERY_STATS  Allows an application to collect battery statistics
BIND_APPWIDGET  Allows an application to tell the AppWidget service which application can access AppWidget's data.
BIND_DEVICE_ADMIN  Must be required by device administration receiver, to ensure that only the system can interact with it.
BIND_INPUT_METHOD  Must be required by an InputMethodService, to ensure that only the system can bind to it.
BIND_REMOTEVIEWS  Must be required by a RemoteViewsService, to ensure that only the system can bind to it.
BIND_TEXT_SERVICE  Must be required by a TextService (e.g.
BIND_VPN_SERVICE  Must be required by a VpnService, to ensure that only the system can bind to it.
BIND_WALLPAPER  Must be required by a WallpaperService, to ensure that
4. Permissions
During installation, each application requests all the permissions it may need to run. If the user chooses to grant the permissions and install, the application is assigned a unique UID and user name (of the form “app_#”), and a set of groups that correspond to its permissions.
5. How Zygote Sets UIDs and GIDs
Set by Zygote. How?
Before the application is run, the spawning process, zygote, uses standard UNIX system calls to set its UID and GIDs.
[android/platform/dalvik.git]/vm/native/dalvik_system_Zygote.cpp
    static pid_t forkAndSpecializeCommon(const u4* args, bool isSystemServer)
    {
        pid_t pid;
        uid_t uid = (uid_t) args[0];
        gid_t gid = (gid_t) args[1];
        ArrayObject* gids = (ArrayObject *)args[2];
        ……
        pid = fork();
        if (pid == 0) {
            /* The child process */
            ……
            /* supplementary groups first, then the primary gid, then the uid:
             * after setuid() the child can no longer change its groups */
            err = setgroupsIntarray(gids);
            ……
            err = setgid(gid);
            ……
            err = setuid(uid);
            ……
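The slide shows the three calls but elides what happens to `err`. The following is an added example, written for this page rather than taken from the Zygote source: it performs the same setgroups/setgid/setuid sequence with the error handling spelled out, and adds a check that the new identity really cannot be reversed. It assumes a Linux host; the target ids 65534/65534 (the conventional "nobody" ids) are a constructed choice, and only a root process can actually change identity, so a non-root run only verifies its own ids.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not Zygote's code: the same setgroups/setgid/setuid
 * sequence as forkAndSpecializeCommon(), with the error handling the slide
 * elides. Returns 0 on success or -errno from the first failing call. */
static int drop_privileges(uid_t uid, gid_t gid, const gid_t *gids, size_t ngids)
{
    /* Order matters: once setuid() has given up root, setgroups() and
     * setgid() would fail with EPERM, so the group changes go first. */
    if (setgroups(ngids, gids) != 0)
        return -errno;
    if (setgid(gid) != 0)
        return -errno;
    if (setuid(uid) != 0)
        return -errno;
    return 0;
}

/* Checks that the drop took effect and cannot be undone: real and effective
 * ids match the target, and (for a non-root target) setuid(0) is refused,
 * which shows the saved set-user-ID was dropped as well. */
static int verify_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)
        return 0;   /* root could be regained: the drop was incomplete */
    return 1;
}

int main(void)
{
    /* Constructed target: the conventional unprivileged "nobody" ids (65534).
     * Only a root process can drop to another identity, so when run as a
     * normal user the program just verifies the ids it already has. */
    if (getuid() == 0) {
        int rc = drop_privileges(65534, 65534, NULL, 0);
        if (rc != 0) {
            fprintf(stderr, "drop failed: %s\n", strerror(-rc));
            return 1;
        }
        printf("dropped to 65534/65534, verified=%d\n",
               verify_dropped(65534, 65534));
    } else {
        printf("not root; own ids verified=%d\n",
               verify_dropped(getuid(), getgid()));
    }
    return 0;
}
```

The point of `verify_dropped()` is the `setuid(0)` probe: a process that only changed its effective uid (for example with `seteuid()`) would pass the id comparison but could still switch back, which is exactly what the sandbox must rule out.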
6. How Permissions are Enforced – In the Kernel: Example: socket()
Enforced by kernel. How?
On application install, some system permissions are mapped to UNIX groups with standardized gids.
[android/platform/system/core.git]/include/private/android_filesystem_config.h
    /* The 3000 series are intended for use as supplemental group id's only. */
    /* They indicate special Android capabilities that the kernel is aware of. */
    #define AID_NET_BT_ADMIN 3001 /* bluetooth: create any socket */
    #define AID_NET_BT       3002 /* bluetooth: create sco, rfcomm or l2cap sockets */
    #define AID_INET         3003 /* can create AF_INET and AF_INET6 sockets */
    #define AID_NET_RAW      3004 /* can create raw INET sockets */
7. How Permissions are Enforced – In the Kernel: Example: socket()
Enforced by kernel. How?
On application install, some system permissions are mapped to UNIX groups with standardized gids.
The kernel has been modified to check the GIDs of the calling process during those system calls which need protection.
http://blog.appuarium.com/2011/06/23/how-android-enforces-android-permission-internet/
android-3.3/net/ipv4/af_inet.c
    #ifdef CONFIG_ANDROID_PARANOID_NETWORK
    #include <linux/android_aid.h>

    static inline int current_has_network(void)
    {
        return in_egroup_p(AID_INET) || capable(CAP_NET_RAW);
    }
    #else
    static inline int current_has_network(void)
    {
        return 1;
    }
    #endif
8. How Permissions are Enforced – In Services: Example: Camera
Enforced by the Camera service. How?
On application install, some system permissions are mapped to UNIX groups with standardized gids.
http://www.netmite.com/android/mydroid/system/core/include/private/android_filesystem_config.h
services/camera/libcameraservice/CameraService.cpp
    status_t CameraService::onTransact(
        uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) {
        // Permission checks
        switch (code) {
            case BnCameraService::CONNECT:
                const int pid = getCallingPid();
                const int self_pid = getpid();
                if (pid != self_pid) {
                    // we're called from a different process, do the real check
                    if (!checkCallingPermission(
                            String16("android.permission.CAMERA"))) {
                        const int uid = getCallingUid();
                        LOGE("Permission Denial: "
                             "can't use the camera pid=%d, uid=%d", pid, uid);
                        return PERMISSION_DENIED;
                …..
9. How Permissions are Enforced – In Activities: Example: Phone
Enforced by the Phone activity. How?
An XML attribute called permission:
http://developer.android.com/guide/topics/manifest/activity-element.html
platform_packages_apps_phone/AndroidManifest.xml
    <activity android:name="OutgoingCallBroadcaster"
              android:permission="android.permission.CALL_PHONE">
        <!-- CALL action intent filters, for the various ways
             of initiating an outgoing call. -->
        <intent-filter>
            <action android:name="android.intent.action.CALL" />
            <category android:name="android.intent.category.DEFAULT" />
            <data android:scheme="tel" />
        ……..
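Slides 4 and 6 to 9 describe one chain: a grant at install time becomes a uid plus a set of gids, the kernel checks the gids on protected system calls, and services check the recorded permission on each Binder call. The following is an added user-space model of that chain, written for this page; it is not Android code and not the deck's own. It assumes AID_APP = 10000 as the start of the app uid range (that constant is in android_filesystem_config.h but not on the slides), restricts the permission-to-gid mapping to the three groups from the slide 6 table, and uses a per-app permission list in place of the PackageManager records behind checkCallingPermission(). The two installed apps are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Added example: a user-space model of the enforcement points on slides
 * 4, 6, 7 and 8. Not Android code. The 3000-series gids come from
 * android_filesystem_config.h on slide 6; AID_APP = 10000 is the start
 * of the app uid range in the same header (assumed here, not on the slides). */
#define AID_APP          10000
#define AID_NET_BT_ADMIN 3001
#define AID_NET_BT       3002
#define AID_INET         3003
#define PERMISSION_DENIED (-1)
#define MAX_ITEMS 8

struct app {
    int uid;                       /* unique per app, assigned at install */
    char name[16];                 /* "app_N", as on slide 4 */
    const char *perms[MAX_ITEMS];  /* permissions the user granted */
    int nperms;
    int gids[MAX_ITEMS];           /* supplementary groups derived from them */
    int ngids;
};

/* Install-time mapping of "system" permissions to UNIX groups (slide 6).
 * Only the three groups in the slide's table are modelled; anything else
 * (e.g. CAMERA) is enforced by a service rather than the kernel. */
static int perm_to_gid(const char *perm)
{
    if (strcmp(perm, "android.permission.INTERNET") == 0)        return AID_INET;
    if (strcmp(perm, "android.permission.BLUETOOTH") == 0)       return AID_NET_BT;
    if (strcmp(perm, "android.permission.BLUETOOTH_ADMIN") == 0) return AID_NET_BT_ADMIN;
    return 0;
}

/* Slide 4: after the user grants the requested permissions, the installer
 * assigns a uid/user name and the group set that corresponds to them. */
static void install_app(struct app *a, int index, const char **requested, int n)
{
    memset(a, 0, sizeof *a);
    a->uid = AID_APP + index;
    snprintf(a->name, sizeof a->name, "app_%d", index);
    for (int i = 0; i < n && i < MAX_ITEMS; i++) {
        a->perms[a->nperms++] = requested[i];
        int gid = perm_to_gid(requested[i]);
        if (gid)
            a->gids[a->ngids++] = gid;
    }
}

/* Kernel-side check (slide 7): in_egroup_p(AID_INET) over the caller's
 * supplementary groups. The capable(CAP_NET_RAW) branch is left out
 * because an app process never holds that capability. */
static int has_gid(const struct app *a, int gid)
{
    for (int i = 0; i < a->ngids; i++)
        if (a->gids[i] == gid)
            return 1;
    return 0;
}

static int kernel_socket_check(const struct app *a)
{
    return has_gid(a, AID_INET);   /* 1 = socket(AF_INET, ...) allowed */
}

/* Service-side check (slide 8): stands in for checkCallingPermission(),
 * which consults what was recorded for the calling uid at install time. */
static int check_calling_permission(const struct app *caller, const char *perm)
{
    for (int i = 0; i < caller->nperms; i++)
        if (strcmp(caller->perms[i], perm) == 0)
            return 1;
    return 0;
}

/* Mirrors CameraService::onTransact(CONNECT): a call from the service's own
 * process skips the check; any other caller must hold android.permission.CAMERA. */
static int camera_connect(const struct app *caller, int caller_pid, int self_pid)
{
    if (caller_pid != self_pid &&
        !check_calling_permission(caller, "android.permission.CAMERA")) {
        fprintf(stderr, "Permission Denial: can't use the camera pid=%d, uid=%d\n",
                caller_pid, caller->uid);
        return PERMISSION_DENIED;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: two apps installed with different grants. */
    const char *net_cam[] = { "android.permission.INTERNET", "android.permission.CAMERA" };
    const char *bt_only[] = { "android.permission.BLUETOOTH" };
    struct app a, b;
    install_app(&a, 0, net_cam, 2);
    install_app(&b, 1, bt_only, 1);
    printf("%s (uid %d): socket %s, camera %s\n", a.name, a.uid,
           kernel_socket_check(&a) ? "allowed" : "denied",
           camera_connect(&a, 42, 1) == 0 ? "allowed" : "denied");
    printf("%s (uid %d): socket %s, camera %s\n", b.name, b.uid,
           kernel_socket_check(&b) ? "allowed" : "denied",
           camera_connect(&b, 43, 1) == 0 ? "allowed" : "denied");
    return 0;
}
```

Two things the model makes visible that the slides only state: the kernel never sees a permission name, only a gid, so a permission that has no gid mapping (CAMERA) is invisible at the socket() level and must be checked by the service; and the same-process shortcut in the camera service means a service must never treat its own pid as a proxy for a trusted caller when it forwards requests on behalf of other apps.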
11. Other Security Features
• Application signing
• Allows a developer to share resources between their apps
• Bouncer (New)
• Automatically scans and tests apps on the market for suspicious behavior
• Reporting of Suspicious Apps
• Android Security Team
13. PROBLEMS WITH ANDROID’S APPROACH
• Many users are unable to weigh potential risks when granting permissions to an application
• No way to be sure that an application will act appropriately based on the given permission
• Coarse grained – users must allow all possible permissions for an app or developers must create multiple versions.
• Developers tend to ask for more permissions than they need because of sparse documentation.
• Sophisticated users are limited by the standard permissions made available by Android unless they root the phone.
• “Remote kill“ removes autonomy from the user.
• Difficulty of rolling out OS updates causes vulnerabilities to stick around on some devices forever.
• Apps can access external storage without permissions.
14. Google was not happy with this report.
http://www.mcafee.com/us/resources/reports/rp-securing-mobile-devices.pdf
15. Possible Improvements
• Some of the fears about malware on Android are generated by antivirus companies to drum up sales
• Require a new permission to read photos or world_readable files in general on external storage
• Tighten licensing requirements of Android name and imagery around security and updates
• Fix documentation so developers have a better idea of what permissions they need
• Use Stowaway to scan the store for apps that take more permissions than they need, and inform the developers
• Extend Bouncer to unofficial stores to find more Trojan Horses and protect more users