This document provides an overview of the Android operating system and its security features. It discusses Android's architecture, including its use of the Linux kernel and Dalvik virtual machine. Key security aspects are summarized, such as the permission model and limitations of running apps within a sandbox. The document also introduces an exploit execution framework that can test Android devices for vulnerabilities. It concludes by discussing how malware may propagate on Android devices and potential future threats.
ABSTRACT
Shoreline monitoring is important to overcome the problems in the measurement of the shoreline. Recently,
many researchers have directed attention to methods of predicting shoreline changes by the use of
multispectral images. However, the images being captured tend to have several problems due to the weather.
Therefore, identification of multi class features which includes vegetation and shoreline using multispectral
satellite image is one of the challenges encountered in the detection of shoreline. An efficient framework
using the near infrared–histogram equalisation and improved filtering method is proposed to enhance the
detection of the shoreline in Tanjung Piai, Malaysia, by using SPOT-5 images. Sub-pixel edge detection and
the Wallis filter are used to compute the edge location with the subpixel accuracy and reduce the noise. Then,
the image undergoes image classification process by using Support Vector Machine. The proposed method
performed more effectively and reliable in preserving the missing line of the shoreline edge in the SPOT-5
images.
To protect sensitive resources from unauthorized use, modern mobile systems, such a Android and iOS,
design a permission-based access control model. However, current model could not enforce fine-grained control
over the dynamic permission use contexts, causing two severe security problems. First, any code package in an
application could use the granted permissions, inducing attackers to embed malicious payloads into benign apps.
Second, the permissions granted to a benign application may be utilized by an attacker through vulnerable
application interactions. Although ad hoc solutions have been proposed, none could systematically solve these
two issues within a unified framework. The first such framework to provide context-sensitive permission
enforcement that regular’s permission use policies according to system-wide application contexts, which cover
both intra-application context and inter-application context. We build a prototype system on Android , named
FineDroid, to track such context during the applicaton execution. To flexibly regulate the context-sensitive
permission rules, FineDroid features a policy framework that could express generic application contexts. We
demonstrate the benefits of FineDroid by instantiating several security extensions based on the policy
framework, for three potential users: end users, administrators and developers. Furthermore, FineDroid is
showed to introduce a minor overhead
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...IJNSA Journal
Millions of developers and third-party organizations have flooded into the Android ecosystem due to Android’s open-source feature and low barriers to entry for developers. .However, that also attracts many attackers. Over 90 percent of mobile malware is found targeted on Android. Though Android provides multiple security features and layers to protect user data and system resources, there are still some overprivileged applications in Google Play Store or third-party Android app stores at wild. In this paper, we proposed an approach to map system level behavior and Android APIs, based on the observation that system level behaviors cannot be avoidedbut sensitive Android APIs could be evaded.To the best of our knowledge, our approach provides the first work to decompose Android application behaviors based on system-level behaviors. We then map system level behaviors and Android APIs through System Call Dependence Graphs. The study also shows that our approach can effectively identify potential permission abusing, with an almost negligible performance impact.
ABSTRACT
Shoreline monitoring is important to overcome the problems in the measurement of the shoreline. Recently,
many researchers have directed attention to methods of predicting shoreline changes by the use of
multispectral images. However, the images being captured tend to have several problems due to the weather.
Therefore, identification of multi class features which includes vegetation and shoreline using multispectral
satellite image is one of the challenges encountered in the detection of shoreline. An efficient framework
using the near infrared–histogram equalisation and improved filtering method is proposed to enhance the
detection of the shoreline in Tanjung Piai, Malaysia, by using SPOT-5 images. Sub-pixel edge detection and
the Wallis filter are used to compute the edge location with the subpixel accuracy and reduce the noise. Then,
the image undergoes image classification process by using Support Vector Machine. The proposed method
performed more effectively and reliable in preserving the missing line of the shoreline edge in the SPOT-5
images.
To protect sensitive resources from unauthorized use, modern mobile systems, such a Android and iOS,
design a permission-based access control model. However, current model could not enforce fine-grained control
over the dynamic permission use contexts, causing two severe security problems. First, any code package in an
application could use the granted permissions, inducing attackers to embed malicious payloads into benign apps.
Second, the permissions granted to a benign application may be utilized by an attacker through vulnerable
application interactions. Although ad hoc solutions have been proposed, none could systematically solve these
two issues within a unified framework. The first such framework to provide context-sensitive permission
enforcement that regular’s permission use policies according to system-wide application contexts, which cover
both intra-application context and inter-application context. We build a prototype system on Android , named
FineDroid, to track such context during the applicaton execution. To flexibly regulate the context-sensitive
permission rules, FineDroid features a policy framework that could express generic application contexts. We
demonstrate the benefits of FineDroid by instantiating several security extensions based on the policy
framework, for three potential users: end users, administrators and developers. Furthermore, FineDroid is
showed to introduce a minor overhead
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...IJNSA Journal
Millions of developers and third-party organizations have flooded into the Android ecosystem due to Android’s open-source feature and low barriers to entry for developers. .However, that also attracts many attackers. Over 90 percent of mobile malware is found targeted on Android. Though Android provides multiple security features and layers to protect user data and system resources, there are still some overprivileged applications in Google Play Store or third-party Android app stores at wild. In this paper, we proposed an approach to map system level behavior and Android APIs, based on the observation that system level behaviors cannot be avoidedbut sensitive Android APIs could be evaded.To the best of our knowledge, our approach provides the first work to decompose Android application behaviors based on system-level behaviors. We then map system level behaviors and Android APIs through System Call Dependence Graphs. The study also shows that our approach can effectively identify potential permission abusing, with an almost negligible performance impact.
This presentation done for my MSc studies @ UOM. The presentation is related to the paper "Understanding Android Security" by William Enck, Machigar Ongtang, and Patrick McDaniel. Pennsylvania State University on 2009
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
With the advent of IoT and connected devices, there is an urgent need for a security framework that addresses major security goals of embedded devices. Security has to be an exercise built into the product development process instead of adding as an add-on feature.
This presentation done for my MSc studies @ UOM. The presentation is related to the paper "Understanding Android Security" by William Enck, Machigar Ongtang, and Patrick McDaniel. Pennsylvania State University on 2009
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
With the advent of IoT and connected devices, there is an urgent need for a security framework that addresses major security goals of embedded devices. Security has to be an exercise built into the product development process instead of adding as an add-on feature.
Beyond the Operating System: Red Hat's Open Strategy for the Modern EnterpriseJames Falkner
23 years ago, Red Hat began selling CDs of Linux. Today, Red Hat leads or participates in more than 500 open source projects in container infrastructure, middleware, cloud, storage, mobile and more. Many of these are available as enterprise-supported products and open platforms that power thousands of small and large businesses. In this presentation we'll take a closer look at several innovative projects beyond the OS and Red Hat's strategy for providing them as open source solutions to modern enterprise challenges.
Presented at @OpenSourceNorth June 2016, www.opensourcenorth.com
ABSTRACT
Smartphones are used by billions of people that means the applications of the smartphone is increasing, it is out of control for applications marketplaces to completely validate if an application is malicious or legitimate. Therefore, it is up to users to choose for themselves whether an application is safe to use or not. It is important to say that there are differences between mobile devices and PC machines in resource management mechanism, the security solutions for computer malware are not compatible with mobile devices. Consequently, the anti-malware organizations and academic researchers have produced and proposed many security methods and mechanisms in order to recognize and classify the security threat of the Android operating system. By means of the proposed methods are different from one to another, they can be arranged into various classifications. In this review paper, the present Android security threats is discussed and present security proposed solutions and attempt to classify the proposed solutions and evaluate them.
The dependence of users on smartphones to accomplish their daily works is growing increasingly. Every day many mobile applications are downloaded and installed by the users to perform different desirable tasks for them. Before it can be installed in the smartphone, the mobile application requests from the user granting some sort of permissions, which may include the access right to users’ sensitive resources. In absence of a security mechanism that can enforce fine-grained permission control, the application may abuse the granted permissions and thus violates the security of sensitive resources. This paper proposes an attribute-based permission model ABP for Android smartphones to control how the mobile application can exercise the granted permissions. The finer granularity of the permission language used by ABP model ensures that the mobile application cannot violate the user’s security. By using ABP model, the users can enjoy the useful tasks the mobile applications provide while protecting sensitive resources from unauthorized use.
Android mobile operating system, Google developed, Linux Kernel based with basic motive to serve for
devices with touchscreen like tablets and smartphones. Due
to weak OS security it is vulnerable to various security attacks therefor to restrict access of third-party applications
off critical resources the security has been built upon a permission based mechanism. Permissions are declarations by
developers and user is demanded to accept. This paper
highlights Share User ID permission misuse following two factor authentication failure etc
A case study of malware detection and removal in android appsijmnct
With the proliferation of smart phone users, android malware variants is increasing in terms of numbers
and amount of new victim android apps. The traditional malware detection focuses on repackage,
obfuscate and/or other transformable executable code from malicious apps. This paper presented a case
study on existing android malware detection through a sequence of steps and well developed encoding SMS
message. Our result has demonstrated a solid testify of our approach in the effectiveness of malware
detection and removal.
Write a scholarly review on the following topic. This assignment ilorindajamieson
Write a scholarly review on the following topic. This assignment is to be scholarly; it is not enough for you to simply post your article and add cursory reviews. CITED REFERENCES ARE REQUIRED. Your submission for topic must be at least 320 words. In addition to submission for topic, provide responses for 3 postings listed in this assignment. Replies should be at least 150 words.
Topic: Computerized Operating Systems (OS) are almost everywhere. We encounter them when we use our laptop or desktop computer. We use them when we use our phone or tablet. Find articles that describe UNIX and also LINUX operating systems. Write a scholarly review of comparing UNIX and LINUX operating systems.
NOTE: NO ARTICLE PUBLISHED ON THE INTERNET THAT IS NOT DIRECTLY CONNECTED TO AN ESTABLISHED PEER-REVIEWED PROFESSIONAL CONFERENCE, JOURNAL OR MAGAZINE IS ACCEPTABLE AS A CITED REFERENCE SOURCE.
Reply to following posts with at least 150 words and a 1 citation
Post 1:
With the emerging trends in technology, phones were updated to smart phones, there are two major type of OS leading in the phone market. One is Android and other is iOS. Each OS has their own pros and cons. Android is an Open Source software which belongs to Linux family whereas iOS is closed source model belongs to OS X, UNIX family and is used in Apple devices. It is difficult to transfer a file from a non-apple device like iPad and iPhone, the transfer has to go through iTunes or cloud. Communication between apple eco system is easier, faster with a feature called Airdrop which is available in all iOS and OS X [1]. Coming to the security part, iOS is more secure than Android because, iOS doesn’t reveal source code to developers where as android releases source code to its developers. The vulnerabilities can be easily found and can put the phone and tablet to risk.
On a whole, I would say that Android has huge popularity due to the number of apps available in the google play store. As lot of developers are there for open source applications, android devices get to customize more according to user’s wish. Android owners can change the source code according to their preferences [2]. This appears to have both pros and cons. Pro is that use can customize and see changes while con is that cybercriminals can alter the source code if there is an open end while editing the source code. On the other hand, Apple’s iOS has more difficult controls and review process to add an app is difficult. iOS users can’t customize ROMs on their devices and it is controlled by Apple alone. It has better security than android devices.
References:
1. Goadrich, M. H., & Rogers, M. P. (2011, March). Smart smartphone development: iOS versus Android. In Proceedings of the 42nd ACM technical symposium on Computer science education (pp. 607-612). ACM.
2. Ahmad, M. S., Musa, N. E., Nadarajah, R., Hassan, R., & Othman, N. E. (2013, July). Comparison between android and iOS Operating System in terms of sec ...
Comparative Study on Intrusion Detection Systems for Smartphonesiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
When developer's api simplify user mode rootkits developing.Yury Chemerkin
This is a series of articles about shell extensions that enhance high-level features of any operation system. However, such possibilities not only enrich platform but simplify developing trojans, exploits that leads to the new security holes. Mostly this kind of extensions are known as usermode rootkits.
http://hakin9.org/theultimat/
Similar to Android open-source operating System for mobile devices (20)
NO1 Uk best vashikaran specialist in delhi vashikaran baba near me online vas...Amil Baba Dawood bangali
Contact with Dawood Bhai Just call on +92322-6382012 and we'll help you. We'll solve all your problems within 12 to 24 hours and with 101% guarantee and with astrology systematic. If you want to take any personal or professional advice then also you can call us on +92322-6382012 , ONLINE LOVE PROBLEM & Other all types of Daily Life Problem's.Then CALL or WHATSAPP us on +92322-6382012 and Get all these problems solutions here by Amil Baba DAWOOD BANGALI
#vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore#blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #blackmagicforlove #blackmagicformarriage #aamilbaba #kalajadu #kalailam #taweez #wazifaexpert #jadumantar #vashikaranspecialist #astrologer #palmistry #amliyaat #taweez #manpasandshadi #horoscope #spiritual #lovelife #lovespell #marriagespell#aamilbabainpakistan #amilbabainkarachi #powerfullblackmagicspell #kalajadumantarspecialist #realamilbaba #AmilbabainPakistan #astrologerincanada #astrologerindubai #lovespellsmaster #kalajaduspecialist #lovespellsthatwork #aamilbabainlahore #Amilbabainuk #amilbabainspain #amilbabaindubai #Amilbabainnorway #amilbabainkrachi #amilbabainlahore #amilbabaingujranwalan #amilbabainislamabad
Quality defects in TMT Bars, Possible causes and Potential Solutions.PrashantGoswami42
Maintaining high-quality standards in the production of TMT bars is crucial for ensuring structural integrity in construction. Addressing common defects through careful monitoring, standardized processes, and advanced technology can significantly improve the quality of TMT bars. Continuous training and adherence to quality control measures will also play a pivotal role in minimizing these defects.
Event Management System Vb Net Project Report.pdfKamal Acharya
In present era, the scopes of information technology growing with a very fast .We do not see any are untouched from this industry. The scope of information technology has become wider includes: Business and industry. Household Business, Communication, Education, Entertainment, Science, Medicine, Engineering, Distance Learning, Weather Forecasting. Carrier Searching and so on.
My project named “Event Management System” is software that store and maintained all events coordinated in college. It also helpful to print related reports. My project will help to record the events coordinated by faculties with their Name, Event subject, date & details in an efficient & effective ways.
In my system we have to make a system by which a user can record all events coordinated by a particular faculty. In our proposed system some more featured are added which differs it from the existing system such as security.
Explore the innovative world of trenchless pipe repair with our comprehensive guide, "The Benefits and Techniques of Trenchless Pipe Repair." This document delves into the modern methods of repairing underground pipes without the need for extensive excavation, highlighting the numerous advantages and the latest techniques used in the industry.
Learn about the cost savings, reduced environmental impact, and minimal disruption associated with trenchless technology. Discover detailed explanations of popular techniques such as pipe bursting, cured-in-place pipe (CIPP) lining, and directional drilling. Understand how these methods can be applied to various types of infrastructure, from residential plumbing to large-scale municipal systems.
Ideal for homeowners, contractors, engineers, and anyone interested in modern plumbing solutions, this guide provides valuable insights into why trenchless pipe repair is becoming the preferred choice for pipe rehabilitation. Stay informed about the latest advancements and best practices in the field.
Immunizing Image Classifiers Against Localized Adversary Attacksgerogepatton
This paper addresses the vulnerability of deep learning models, particularly convolutional neural networks
(CNN)s, to adversarial attacks and presents a proactive training technique designed to counter them. We
introduce a novel volumization algorithm, which transforms 2D images into 3D volumetric representations.
When combined with 3D convolution and deep curriculum learning optimization (CLO), itsignificantly improves
the immunity of models against localized universal attacks by up to 40%. We evaluate our proposed approach
using contemporary CNN architectures and the modified Canadian Institute for Advanced Research (CIFAR-10
and CIFAR-100) and ImageNet Large Scale Visual Recognition Challenge (ILSVRC12) datasets, showcasing
accuracy improvements over previous techniques. The results indicate that the combination of the volumetric
input and curriculum learning holds significant promise for mitigating adversarial attacks without necessitating
adversary training.
Saudi Arabia stands as a titan in the global energy landscape, renowned for its abundant oil and gas resources. It's the largest exporter of petroleum and holds some of the world's most significant reserves. Let's delve into the top 10 oil and gas projects shaping Saudi Arabia's energy future in 2024.
CFD Simulation of By-pass Flow in a HRSG module by R&R Consult.pptxR&R Consult
CFD analysis is incredibly effective at solving mysteries and improving the performance of complex systems!
Here's a great example: At a large natural gas-fired power plant, where they use waste heat to generate steam and energy, they were puzzled that their boiler wasn't producing as much steam as expected.
R&R and Tetra Engineering Group Inc. were asked to solve the issue with reduced steam production.
An inspection had shown that a significant amount of hot flue gas was bypassing the boiler tubes, where the heat was supposed to be transferred.
R&R Consult conducted a CFD analysis, which revealed that 6.3% of the flue gas was bypassing the boiler tubes without transferring heat. The analysis also showed that the flue gas was instead being directed along the sides of the boiler and between the modules that were supposed to capture the heat. This was the cause of the reduced performance.
Based on our results, Tetra Engineering installed covering plates to reduce the bypass flow. This improved the boiler's performance and increased electricity production.
It is always satisfying when we can help solve complex challenges like this. Do your systems also need a check-up or optimization? Give us a call!
Work done in cooperation with James Malloy and David Moelling from Tetra Engineering.
More examples of our work https://www.r-r-consult.dk/en/cases-en/
COLLEGE BUS MANAGEMENT SYSTEM PROJECT REPORT.pdfKamal Acharya
The College Bus Management system is completely developed by Visual Basic .NET Version. The application is connect with most secured database language MS SQL Server. The application is develop by using best combination of front-end and back-end languages. The application is totally design like flat user interface. This flat user interface is more attractive user interface in 2017. The application is gives more important to the system functionality. The application is to manage the student’s details, driver’s details, bus details, bus route details, bus fees details and more. The application has only one unit for admin. The admin can manage the entire application. The admin can login into the application by using username and password of the admin. The application is develop for big and small colleges. It is more user friendly for non-computer person. Even they can easily learn how to manage the application within hours. The application is more secure by the admin. The system will give an effective output for the VB.Net and SQL Server given as input to the system. The compiled java program given as input to the system, after scanning the program will generate different reports. The application generates the report for users. The admin can view and download the report of the data. The application deliver the excel format reports. Because, excel formatted reports is very easy to understand the income and expense of the college bus. This application is mainly develop for windows operating system users. In 2017, 73% of people enterprises are using windows operating system. So the application will easily install for all the windows operating system users. The application-developed size is very low. The application consumes very low space in disk. Therefore, the user can allocate very minimum local disk space for this application.
Welcome to WIPAC Monthly the magazine brought to you by the LinkedIn Group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news to celebrate the 13 years since the group was created we have articles including
A case study of the used of Advanced Process Control at the Wastewater Treatment works at Lleida in Spain
A look back on an article on smart wastewater networks in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
Water Industry Process Automation and Control Monthly - May 2024.pdf
Android open-source operating System for mobile devices
1. IOSR Journal of Computer Engineering (IOSR-JCE)
e-ISSN: 2278-0661, p- ISSN: 2278-8727Volume 11, Issue 5 (May. - Jun. 2013), PP 25-29
www.iosrjournals.org
www.iosrjournals.org 25 | Page
Android open-source operating System for mobile devices.
Navnath S.Bagal, Prof.N.D.Kale
1(PG Student), Computer Engineering, Padmabhooshan Vasantdada Patil Institute Of Technology Pune
Maharashtra, India;
2(Associate Professor), Computer Engineering, Padmabhooshan Vasantdada Patil Institute Of Technology
Pune Maharashtra, India;
Abstract: The number of Android based smart phones is growing rapidly. They are increasingly used for
security critical private and business applications, such as online banking or to access corporate networks. This
makes them a very valuable target for an adversary. Up to date, significant or large scale attacks have failed,
but attacks are becoming more sophisticated and successful. Thus, security is of paramount importance for both
private and corporate users. In this paper, we give an overview of the current state of the art of Android security
and present our extensible automated exploit execution framework. First, we provide a summary of the Android
platform, current attack techniques, and publicly known exploits. Then, we introduce our extensible exploit
execution framework which is capable of performing automated vulnerability tests of Android smart phones. It
incorporates currently known exploits, but can be easily extended to integrate future exploits. Finally, we
discuss how malware can propagate to Android smart phones today and in the future, and which possible
threats arise. For example, Device to device infections are possible if physical access is given.
I. Introduction
During recent years, the share of smart phones in overall handheld mobile communication device sales
has drastically increased. Among them, the Android operating system by the Open Handset Alliance,
prominently led by Google Inc., is market dominating. In Q3 2011, 52.5% of all devices sold were Android
devices, followed by Symbian (16.9%) and Apple’s iOS (15.0%), according to Gartner analysis with the
widespread use of smart phones both in private and work related areas, securing these devices has become of
paramount importance. Owners use their smart phones to perform tasks ranging from everyday communication
with friends and family to the management of banking accounts and accessing sensitive work related data. These
factors, combined with limitations in administrative device control through owners and security critical
applications like the Mobile TAN for banking transactions, make Android based
Smart phones a very attractive target for attackers and malware authors of any kind and motivation. Up
until recently, the Android Operating System’s security model has succeeded in preventing any significant
attacks by malware. This can be attributed to a lack of attack vectors which could be used for self spreading
infections and low sophistication of malicious applications.
However, emerging malware deploys advanced attacks on operating system components to assume full
device control. We developed an extensible exploit execution framework to test existing and future exploits in a
controlled environment. This framework can also serve to analyze exploitability of devices with specific test
sets and payloads. Additionally, common malware behavior is emulated, such as dynamic configuration and
exploit download from a remote web server. This paper gives a short, yet comprehensive overview of the major
Android security mechanisms. It also discusses possibilities to successfully infiltrate Android based Smart
phones through recent attack means. Both pre infection (propagation) and post infection (threat) scenarios will
be illuminated. We will also take a look at the implications by current developments for future propagation
mechanisms.
II. Android and Android Security
Mobile operating systems preinstalled on all currently sold smart phones need to meet different criteria
than desktop and server operating systems, both in functionality and security. Mobile platforms often contain
strongly interconnected, small and less well controlled applications from various single developers, whereas
desktop and server platforms obtain largely independent software from trusted sources. Also, users typically
have full access to administrative functions on non mobile platforms. Mobile platforms, however, restrict
administrative control through users. As a consequence, different approaches are deployed by the Android
platform to maintain security. This chapter briefly introduces the Android platform and its major security
measures, also giving an overview on the measures’ limits, weaknesses and even exploitability. Discussion will
be limited to those functions related to threats elaborated on in this paper.
2. Android open-source operating System for mobile devices.
www.iosrjournals.org 26 | Page
2.1 Android Platform
The Android operating system is illustrated in Figure 2.1. Apps for Android are developed in Java and
executed in a virtual machine, called Dalvik VM. They are supported by the application framework, which
provides frequently used functionality through a unified interface. Various libraries enable apps to implement
graphics, encrypted communication or databases easily. The Standard Library (“bionic”) is a BSD derived libc
for embedded devices. The respective Android releases’ kernels are stripped down from Linux 2.6 versions.
Basic services such as memory, process and user management are all provided by the Linux kernel in a mostly
unmodified form. However, for several Android versions, the deployed kernel’s version was already out of date
at the time of release. This has lead to a strong increase in vulnerability, as exploits were long publicly available
before the respective Android version’s release. Detailed information on all security features can be retrieved
from the Android Security Overview on the official Android Open Source Project website.
Figure 2.1: Android System Architecture
2.2 File System and User/Group Permissions
As in any Unix/Linux like operating system, basic access control is implemented through a three class
permission model. It distinguishes between the owner ofm a file system resource, the owner’s group and others.
For each of these three entities, distinct permissions can be set to read, write or execute. This system provides a
means of controlling access to files and resources. For example, only a file’s owner may write (alter) a
document, while members of the owner’s group may read it and others may not even view it at all. In traditional
desktop and server environments, many processes often share the same group or even user ID (namely the user
ID of the user who started a program). As a result, they are granted access to all files belonging to the other
programs started by that same ID. In traditional environments with largely trusted software sources this may
suffice, though Mandatory Access Control approaches trying to establish a more fine grained model do exist,
such as App Armor and SELinux.
However, for mobile operating systems this is not sufficient. Finer permission distinction is needed, as
an open app market is not a strongly monitored and trustworthy software source. With the traditional approach,
any app executed
Under the device owner’s user ID would be able to access any other app’s data. Hence, the Android
kernel assigns each app its own user ID on installation. This ensures that an app can only access its own files,
the temporary directory and nothing else – system resources are available through API calls. This establishes
permission based
File system sandbox.
2.3 Android API Permission Model and Manifest File
On installation, the user is presented with a dialog listing all permissions requested by the app to be
installed. These permission requests are defined in the Manifest File AndroidManifest.xml, which is obligatory
for shipping with every Android app. However, this system has a few flaws:
3. Android open-source operating System for mobile devices.
www.iosrjournals.org 27 | Page
• All or none policy:
A user cannot decide to grant single permissions, while denying others. Many users, although an app
might request a suspicious permission among much seemingly legitimate permission, will still confirm the
installation.
• Often, users cannot judge the appropriateness of permissions for the app in question. In some cases it may be
obvious, for example when a game app requests the privilege to reboot the smart phone or to send text
messages. In many cases, however, users will simply be incapable of assessing Permission appropriateness.
• Circumvention: Functionality, which is supposed to be executable only given the appropriate permissions, can
still be accessed with fewer permissions or even with none at all. This point will be explained in detail in the
chapter on attack vectors.
2.4 Apps and Native Code
Android apps are developed in Java and executed inside the Dalvik Virtual Machine, a register based
Java Virtual Machine. Each app receives its own Dalvik VM instance and user ID, hence separating process
memory and files through means of the Linux kernel. Apps authored by the same developer may share the same
user ID, if chosen by the developer. System resources may only be accessed by apps through API methods
provided by the Dalvik VM. These limitations make attacks on the underlying operating system from Android
apps nearly impossible. However, native ARM architecture code can be compiled for Android devices; both the
Linux kernel and essential libraries are implemented in C fig.2.1). Native code may even be called from within
Android apps, be it for user desired or malicious usage. As native code is executed outside the Dalvik VM, it is
not limited to API methods, thus receiving more direct and uncontrolled access to the operating system core.
Fraunhofer AISEC
III. Android system services
Android provides the services expected in a modern operating system such as virtual
memory,multiprogramming, and threads, all on a mobile platform. Many of Android’s services are a result of
including the Linux kernel. However the Android team has added the telephony stack in return.
The Linux CPU scheduling algorithm
Linux employs a number of different methods for scheduling its processes and its algorithm is very
nontraditional in the big picture. There are three scheduling schemes for Linux. Each process is assigned a
scheduling scheme depending on the type of task it presents. Real time tasks will often run in the SCHED FIFO
or SCHED RR scheme. All other tasks will run in SCHED NORMAL [?]. SCHED NORMAL tasks are handled
by a special algorithm and are preempted by SCHED RR and SCHED FIFO tasks. In a few words the algorithm
behaves like a hybrid priority queue that rewards process which are not CPU-greedy. CPU time is divided up
into epochs, which are equal slices of time in which the processes can run and use up some of their allotted time,
or times lice. At the end of every epoch, each process’ remaining times lice is halved. More time is added
proportional to the processes’ nice value, a value specified by the user or by the system’s default nice value. The
interesting rollover time has a rewarding effect to I/O bound processes. Since I/O bound processes will likely
spend a lot of time waiting, the scheduling algorithm rewards it by letting it keep some of its timeslice. This way
processes which are likely being used by the user are very responsive and will often preempt more non-
interactive, CPU-bound processes like batch commands. SCHED RR tasks will preempt SCHED NORMAL
tasks and are preempted by SCHED FIFO tasks. These tasks are scheduled according to round-robin rules
within their own priority bracket. SCHED FIFO tasks behave quite like the name would suggest. Tasks in this
queue are scheduled by priority and arrival time, will preempt any other processes trying to run, and will
execute for as long as they please.
Android and file systems
Android makes use of a multiplicity of file system types, namely due to the expectation of external
memory with unsure file system types. As a result Android relies on the standard Linux package to provide for
file systems such as ext2 and ext3, vfat, and ntfs. Android itself uses the yaffs2 filesystem, which is not a part of
the standard Linux kernel, as its primary file system. YAFFS is a file system optimized for NAND and NOR
flash memory. At the time when it was developed, file systems did exist for flash memory but most of them
catered toward chips which were small enough to use small block sizes. This was unsuitable for large NAND
flash chips. YAFFS attempts to solve this by abstracting storage to ”chunks” which scale according to the page
size. To scale the method up for considerably large NAND devices, YAFFS has a tweak in the way that it
addresses pages. For instance, we might use a page address size of 216 and we may have 218 chunks to address.
We do not have sufficient capabilities to address pages individually, but we can address groups of four pages
and search for the desired page from there. The useful
4. Android open-source operating System for mobile devices.
www.iosrjournals.org 28 | Page
Thing about this is that now we have the option of neglecting to use RAM at all to augment our file system. We
can pretty easily used some sort of indexed referencing scheme to build a file from a string of chunk IDs, and
any scanning for particular pages within that chunk will be a limited set of a size equal to the number of chunks
divided by the address size. (218 ÷ 216 = 4). This linear probing may seem like a bad idea. In practice, the
inefficiency is too small to notice on such a small set of chunks [?]. YAFFS is preferable as a file system in
Android since it optimizes the use of NAND devices as storage and also has great efficiency in memory usage.
The radio interface layer
Consistent with the rest of the design of Android, the Android team has created a way to abstract a
phone call. Since the way that handset manufacturers implement the radio device on cellular devices will
inevitably vary, Android has to remain ignorant to the way software interacts with hardware to place the call.
The Android team solves this problem by creating the Radio Interface Layer Daemon (RILD), which is the way
that the applications framework interfaces with the shared libraries. The RILD’s main function is to provide
event-driven middle ground between the applications framework and the radio drivers. The RILD is part of the
Radio Interface Layer (RIL), which consists of two major parts: the Android RIL and the Vendor RIL. The
Android RIL includes the applications framework which makes the request to the RILD to place a phone call,
while the Vendor RIL is the part that is up to the vendor to implement [?]. The Vendor RIL includes the driver
that the vendor ships for the hardware implementation of the radio antenna. This model allows any hardware to
be implemented for placing phone calls so long as the vendor writes drivers which follow the model.
IV. Similarities to iPhone OS
In many ways, it seems as if Android was designed to compete directly with the iPhone OS.
TheAndroid team saw that iPhone OS presents an intimidating level of excellence in user interfacing that
Android would inevitably have to compete with.
The touch screen
Android has the full capabilities of interfacing with a touch screen-enabled device, and Android is
multi touch-capable[?] but is unimplemented. Many believe this is for Google to remain in good stead with
Apple. In any case, the Android implementation on the HTC Dream does show some similarity to the iPhone in
the touch-gesture design, such as flicking your finger across the screen to flip to the next page of items. A
notable gesture that Android lacks compared to iPhone OS is the zooming gesture, where two fingers are
touched on the screen and moved away or toward each other to zoom in and out of the image. In the iPhone
implementation of Google Maps, this gesture is available, but in the Android version,”zoom in” and ”zoom out”
buttons take its place.
Modular application design
The iPhone is heralded for its multitude of stand-alone ”apps” that are available. Android seems to
have mirrored this model exactly. However Android differs in its underlying design for Android offers third-
party applications unbridled access to the applications framework layer. Modular applications tend to ease the
process of understanding to the user and help the user visualize the application as a single, contained unit rather
than a string of dependent software.
The Android Market vs. The App Store
Similarly both operating systems offer a way for developers to publish their applications either for free
or for a price. Also users can visit and download applications from the store. Many of the popular apps on the
iPhone store are beginning to pop up on the Android Market as well.
V. Pushing for standardization
Android was designed with openness in mind. It would become the first widespread general purpose
open operating system designed specifically for the mobile device. In the spirit of keeping the entire project
open, the Android team has a few design goals to help support this ideal.
Design goals
The Android team often lists these four main points[?] as the main ideas of Android: Open: Android
tries to be especially developer-friendly, thereby making the device completely open for their applications to
utilize. As well, Android is open-source and open to implement on most any hardware. All applications are
created equal: Android’s core applications and third-party applications are on equal playing ground. They share
the same API, have the same levels of access, and can do anything that the other does. Any core application can
be replaced by any third-party application. Breaking down applications boundaries: Android does not try to
5. Android open-source operating System for mobile devices.
www.iosrjournals.org 29 | Page
hide any functionality from the developer. The developer should easily be able to tap into the telephony system,
GPS system, or essentially anything that has been implemented in the applications framework. Fast and easy
application development: The applications framework makes it very easy to do
some fairly sophisticated tricks like reporting the phone’s current location and much more.
This speeds up the development process for the developer and makes it easier to focus on design rather
than implementation details.
B. Target hardware
Android makes no attempt at being specific to any one hardware and ships with drivers for many of the
common types of hardware seen on the mobile phone. Android is not specific to any one type of mobile device
but it is specific to the mobile device in general. However it is most likely that the next line of Android phones
will be produced by members of the Open Handset Alliance and that Android will be well-suited to run on these
platforms. The operating system itself does not have any preferences.
VI. An open business model
Android is fronted by a coalition of 47 technology and mobile companies, the Open Handset Alliance,
many of them with extremely high revenue as it is. Money is not the primary interest In the development of
Android as it is free and open-source. However, Android presents a mutual interest between all these companies
to create a mobile operating system that is extremely viable and widespread so that it becomes easy to
concentrate a business model around some sort of standard. Since Windows, Mac OSX, and Linux are the
biggest operating systems in the home computer and server market, they have well-cultivated developer bases.
The Android team hopes Android will take off in the same way. It would be beneficial for a company to focus
on developing software for one operating system that nearly everyone uses rather than several operating systems
which have equal parts in user base. There is room for profit in the Android Market. Currently, the Android
Market charges 25 USD to be a registered developer. As well, a developer can purchase and Android
Developer’s Phone for almost 400 USD. Royalties could potentially be charged for non-free applications on the
Android Market as well.
References
[1] Ben Elgin, “Google buys android for its mobile arsenal,” http://www.businessweek.com/
technology/content/aug2005/tc20050817_0949_tc024.htm, August 2005.
[2] John Cox, “Why google’s gphone won’t kill apple’s iphone,” http://www.networkworld.com/ news/2007/100807-google-gphone-iphone.html,
October 2007
[3] Mike Cleron, “Androidology: Architecture overview,” http://www.youtube.com/watch?v=Mm6Ju0xhUW8, November 2007.
[4] Josh Aas, “Understanding the linux 2.6.8.1 cpu scheduler,” Retrieved from http://www.angelfire.com/folk/citeseer/linux_scheduler.pdf, February
2005.
[5] Charles Manning and Wookey, YAFFS Specifications, Aleph One, Bottisham, UK, version 0.3 edition, February 2002, Retrieved from
http://www.yaffs.net/yaffs-spec.
[6] Google, Mountain View, CA, Radio Layer Interface, March 2009, See path ’/development/pdk/docs/telephony.html’ in Android source tree.
[7] Ryan Gardner, “Multi-touch proof-of-concept,” htttp://ryebrye.com/files/multitouch_archive.zip, November 2008, With instructions at
http://www.ryebrye.com/blog/2008/11/30/g1-multitouch-proof-of-concept-soure-code-posted/.
[8] Open Handset Alliance, “Android overview,” http://www.openhandsetalliance.com/
[9] Gartner, “Mobile Device Sales Q3 2011,” November 2011. http://www.gartner.com/it/page.jsp?id=1848514.
[10] Android Security Team, “Android Security Overview,” December 2011. http://source.android.com/tech/security/index.html.
[11] Android Team, “What is Android?” February 2012. http://developer.android.com/guide/basics/whatisandroid.html.
[12] National Security Agency, “SELinux,” January 2009. http://www.nsa.gov/research/selinux/.
[13] C. Mullaney, “Android.Bmaster: A MillionDollar Mobile Botnet,” February 2012.
http://www.symantec.com/connect/blogs/androidbmastermilliondollarmobilebotnet.
[14] H. Lockheimer, “Android and Security,” February 2012. http://googlemobile.blogspot.com/2012/02/androidandsecurity. html.
[15] J. Oberheide, “remote kill and install on google android,” June 2010.
http://jon.oberheide.org/blog/2010/06/25/remotekillandinstallongoogleandroid/.
[16] T. Bray, “Exercising Our Remote Application Removal Feature,” June 2010. http://androiddevelopers. blogspot.com/2010/06/exercising
gourremote application. html.
[17] T. Vidas, D. Votipka and N. Christin, “All your droid are belong to us: A survey of current android attacks,” in 5th USENIX Workshop on
Offensive Technologies, Carnegie Mellon University, August 2011. http://www.usenix.org/event/woot/tech/final_files/Vidas.pdf.
[18] S. Smalley, “SE Android release.” SELinux Mailing List, Mailing List Archives (marc.info), January 2012.
http://marc.info/?l=selinux&m=132588456202123&w=2.
[19] National Security Agency, “SEAndroid Project Page,” January 2012. http://selinuxproject.org/page/SEAndroid.
[20] S. Smalley, “The Case for SE Android,” January 2012. http://selinuxproject.org/~jmorris/lss2011.