ANDROID SECURITY
Robin De Croon
Lars Jacobs
|H05D9a| Cryptography and network security: lecture
prof. dr. ir. Bart Preneel
Content
• Introduction
• System and Kernel Level Security
• User Security Features
• Android Application Security
• Recent Security Problems
• Demo
May 8, 2013 2
INTRODUCTION
Introduction
• All data located on your smartphone
• Passwords
• Photos
• (Text) messages
• Medical records
• …
• Smartphone cannot trust anyone
• Android secure?
• Open Source → Safer (Hoepman et al.)
Distribution of mobile malware by platform in 2012 (figure)
Mobile threats motivated by profit, by year (figure)
Android Versions (figure)
Android Software Stack (figure)
SYSTEM AND KERNEL LEVEL SECURITY
Apps & Processes
• Own Linux process + user ID → Sandbox!
  • Data is protected from other apps
  • Secure IPC
• API calls are authorized according to permissions
• Hardware access is authorized by group membership
• Java, Native, WebKit
Bootloader
• Bootloader is locked by default
• Boot process
• Signature check
Memory management
• A lot of memory corruption bugs → attacker can control the program
• Improvements
  • No eXecute (NX) (since Android 2.3)
  • Address Space Layout Randomization (since Android 4.0)
  • Position Independent Executables (since Android 4.1)
  • FORTIFY_SOURCE (since Android 4.2)
Randomization in Android 2.3 (figure)
Randomization in Android 4.0 (figure)
Randomization in Android 4.1 (figure)
Rooting
• Default: no root access
• Possible through the ‘su’ binary
• Bootloader unsafe
• Root apps can do ANYTHING
• Latest versions of Android
USER SECURITY FEATURES
Device protection
• Screen lock
  • Face unlock, Pattern, PIN, Passcode, …
• File encryption
  • 128-bit AES in CBC mode with ESSIV:SHA256
  • Master key encrypted with 128-bit AES via the OpenSSL library
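The ESSIV:SHA256 IV construction named on the slide, as an added example (not code from the slides or from Android): the volume key is hashed with SHA-256, the hash keys a second AES instance that encrypts the sector number, and that output is the CBC IV for the sector. It is written in Go against the standard library; the 128-bit key and the zero-filled sectors are constructed inputs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SectorSize is the unit dm-crypt encrypts independently.
const SectorSize = 512

// essivIV builds the ESSIV:SHA256 IV for one sector. The volume key is hashed
// with SHA-256; the 32-byte hash keys a second AES instance (AES-256) that
// encrypts the sector number. Because the IV depends on the key, someone who
// can read the disk cannot predict or choose IVs the way a plain
// sector-number IV would allow.
func essivIV(volumeKey []byte, sector uint64) ([]byte, error) {
	hashed := sha256.Sum256(volumeKey)
	ivCipher, err := aes.NewCipher(hashed[:])
	if err != nil {
		return nil, err
	}
	var sectorBlock [aes.BlockSize]byte
	// dm-crypt encodes the sector number little-endian, zero-padded to a block.
	binary.LittleEndian.PutUint64(sectorBlock[:8], sector)
	iv := make([]byte, aes.BlockSize)
	ivCipher.Encrypt(iv, sectorBlock[:])
	return iv, nil
}

// cbcSector runs AES-128-CBC over one sector with the ESSIV IV for that sector.
func cbcSector(volumeKey, in []byte, sector uint64, encrypt bool) ([]byte, error) {
	if len(in) != SectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", SectorSize, len(in))
	}
	if len(volumeKey) != 16 {
		return nil, fmt.Errorf("expected a 128-bit volume key, got %d bits", len(volumeKey)*8)
	}
	blk, err := aes.NewCipher(volumeKey)
	if err != nil {
		return nil, err
	}
	iv, err := essivIV(volumeKey, sector)
	if err != nil {
		return nil, err
	}
	out := make([]byte, SectorSize)
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// EncryptSector encrypts a 512-byte sector at the given sector number.
func EncryptSector(volumeKey, plaintext []byte, sector uint64) ([]byte, error) {
	return cbcSector(volumeKey, plaintext, sector, true)
}

// DecryptSector reverses EncryptSector; the sector number must match.
func DecryptSector(volumeKey, ciphertext []byte, sector uint64) ([]byte, error) {
	return cbcSector(volumeKey, ciphertext, sector, false)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 16) // constructed 128-bit volume key
	zeros := make([]byte, SectorSize)      // two sectors holding identical plaintext
	c0, _ := EncryptSector(key, zeros, 0)
	c1, _ := EncryptSector(key, zeros, 1)
	fmt.Println("identical plaintext, different sectors, different ciphertext:", !bytes.Equal(c0, c1))
	p0, _ := DecryptSector(key, c0, 0)
	fmt.Println("roundtrip ok:", bytes.Equal(p0, zeros))
}
```

Decrypting a sector with the wrong sector number only garbles its first 16-byte block, which is the usual CBC property and one reason dm-crypt pairs ESSIV with per-sector IVs rather than relying on it for integrity.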
Passwords are hashed
• Salt saved on device
  • /data/data/com.android.providers.settings.databases
  • /data/system/locksettings.db
• ‘Easily’ brute forced with salt
• Keys are stored in software!
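An added example on why a stored salt does not by itself make a short PIN expensive to guess offline; it is not code from the slides or from Android, and the slide does not say which hash Android used. It implements PBKDF2 over HMAC in Go (checked against the RFC 6070 vectors): a work factor of 1 is one HMAC per guess, equivalent to a single salted hash, while a higher factor multiplies the cost of every guess. The Verifier type and the GuessesToExhaust helper are names chosen here.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

// pbkdf2 is RFC 2898 PBKDF2 written out with only the standard library.
func pbkdf2(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	var out []byte
	var idx [4]byte
	for block := 1; len(out) < keyLen; block++ {
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)             // U1 = PRF(P, S || INT(i))
		t := append([]byte(nil), u...) // T = U1
		for i := 1; i < iter; i++ {    // U_{j+1} = PRF(P, U_j); T ^= U_{j+1}
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// Verifier is what a device stores instead of a fast salted hash:
// the salt, the work factor and the derived value.
type Verifier struct {
	Salt []byte
	Iter int
	Hash []byte
}

// NewVerifier derives a stored verifier for a PIN with a fresh random salt.
// iter == 1 costs exactly one HMAC per guess, the same as a single salted hash.
func NewVerifier(pin string, iter int) (Verifier, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return Verifier{}, err
	}
	if iter < 1 {
		iter = 1
	}
	return Verifier{Salt: salt, Iter: iter, Hash: pbkdf2([]byte(pin), salt, iter, 32, sha256.New)}, nil
}

// Check recomputes the derivation and compares in constant time.
func (v Verifier) Check(pin string) bool {
	got := pbkdf2([]byte(pin), v.Salt, v.Iter, len(v.Hash), sha256.New)
	return subtle.ConstantTimeCompare(got, v.Hash) == 1
}

// GuessesToExhaust is the number of PRF calls needed to try every PIN of the
// given length once the salt and hash have been copied off the device: the
// salt fixes the keyspace, only the work factor scales the cost per guess.
func GuessesToExhaust(pinDigits, iter int) uint64 {
	space := uint64(1)
	for i := 0; i < pinDigits; i++ {
		space *= 10
	}
	return space * uint64(iter)
}

// SelfTest checks the PBKDF2 core against the RFC 6070 HMAC-SHA1 vectors.
func SelfTest() bool {
	want := map[int]string{
		1:    "0c60c80f961f0e71f3a9b524af6012062fe037a6",
		2:    "ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957",
		4096: "4b007901b765489abead49d926f721d065a429c1",
	}
	for iter, hexWant := range want {
		got := pbkdf2([]byte("password"), []byte("salt"), iter, 20, sha1.New)
		if hex.EncodeToString(got) != hexWant {
			return false
		}
	}
	return true
}

func main() {
	fmt.Println("PBKDF2 self-test:", SelfTest())
	v, _ := NewVerifier("1234", 100000) // constructed PIN and work factor
	fmt.Println("correct PIN accepted:", v.Check("1234"), "wrong PIN rejected:", !v.Check("1235"))
	fmt.Println("4-digit PIN, factor 1:", GuessesToExhaust(4, 1), "PRF calls; factor 100000:", GuessesToExhaust(4, 100000))
}
```

Even a large work factor leaves a 4-digit keyspace small, which is why the slide's last point matters: the stronger fix is a key that never leaves hardware so that guessing cannot be done offline at all.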
Android source code (figure)
ANDROID APPLICATION SECURITY
Android Permissions
• Accessing protected APIs
  • Location (GPS), Camera, Bluetooth, Telephony, SMS/MMS, Network/data
• Defined in AndroidManifest.xml
Play Store security
• App is self-signed
• Bouncer
  • Online version
  • Local version (since Android 4.2)
• App encryption
  • Introduced in Android 4.1
  • Shut down due to bugs
Cryptographic APIs
• Primitives
  • AES, DSA, RSA, SHA
• Higher level
  • SSL, HTTPS
• Virtual Private Network
  • IPsec
RECENT SECURITY PROBLEMS
SMS problems
• Smishing
  • http://www.youtube.com/watch?v=baWeMbGatfs
• SMS to premium services
  • F-Secure Mobile Threat Report Q4 2012
  • Kaspersky Security Bulletin 2012
Exynos Exploit
• Exynos 4210 and 4412 processors
  • Sprint Galaxy S II, Galaxy S II, Galaxy S3, Galaxy Note, Galaxy Note 2, Galaxy Tab 2, Galaxy Note 10.1, Galaxy Camera
  • Kernel: /dev/exynos-mem → R/W by all users → access to all physical memory
• ExynosAbuse.apk
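An added example (not from the slides and not related to ExynosAbuse) of the check that would have flagged /dev/exynos-mem before shipping: a Go scan that lists device nodes and files whose "other" write bit is set, plus a remediation that drops group and other access. The AuditDir, WorldWritable and Remediate names are chosen here, and the file names used in the test are constructed stand-ins.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// Finding is one filesystem entry that any local user can open for writing.
type Finding struct {
	Path string
	Mode fs.FileMode
}

// WorldWritable reports whether the "other" write bit is set. On a device
// node that maps physical memory, this single bit is the whole problem:
// every app, regardless of its permissions, can open the node read/write.
func WorldWritable(mode fs.FileMode) bool {
	return mode.Perm()&0o002 != 0
}

// AuditDir walks dir and returns every regular file or device node that is
// world-writable. Directories are not reported (a sticky /tmp is a different
// question) and symlinks are skipped because only the target's mode matters.
// Unreadable entries are skipped instead of aborting the scan.
func AuditDir(dir string) ([]Finding, error) {
	var findings []Finding
	err := filepath.WalkDir(dir, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			if d == nil {
				return walkErr // the root itself could not be read
			}
			if d.IsDir() {
				return fs.SkipDir
			}
			return nil
		}
		if d.IsDir() || d.Type()&fs.ModeSymlink != 0 {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return nil
		}
		if WorldWritable(info.Mode()) {
			findings = append(findings, Finding{Path: path, Mode: info.Mode()})
		}
		return nil
	})
	return findings, err
}

// Remediate clears the group and other bits so only the owner keeps access,
// which is what a vendor fix for an exposed node amounts to; the new
// permission bits are returned.
func Remediate(path string) (fs.FileMode, error) {
	info, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	newMode := info.Mode().Perm() &^ 0o077
	if err := os.Chmod(path, newMode); err != nil {
		return 0, err
	}
	return newMode, nil
}

func main() {
	dir := "/dev" // device nodes such as the one on the slide live here
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	findings, err := AuditDir(dir)
	if err != nil {
		fmt.Println("scan failed:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s is world-writable (mode %04o)\n", f.Path, f.Mode.Perm())
	}
}
```

Run against a real /dev the scan also lists nodes that are world-writable by design (null, zero, tty, ptmx), so in practice the findings are diffed against an allow-list of expected nodes and anything mapping memory or hardware that shows up is the one to escalate.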
DEMO
References (I)
• F-Secure Mobile Threat Report Q4 2012, http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q4%202012.pdf
• Google, “Android Platform Versions”, http://developer.android.com/about/dashboards/index.html#Platform
• Google, “Android Security Overview”, http://source.android.com/tech/security/#android-application-security
• S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgärtner, and B. Freisleben, “Why Eve and Mallory love Android,” in Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS ’12), New York, NY, USA, p. 50, ACM Press, 2012.
References (II)
• J.-H. Hoepman and B. Jacobs, “Increased security through open source”, Communications of the ACM, vol. 50, pp. 79–83, Jan. 2007.
• Matthias Lange, “State of the Union: Android security overview – Is Android the new XP?”, http://de.droidcon.com/2013/sessnio/state-union-android-security-overview-android-new-xp
• Xuxian Jiang, “Smishing Vulnerability in Multiple Android Platforms”, http://www.cs.ncsu.edu/faculty/jiang/smishing.html
• A. Shabtai, “Google Android: A Comprehensive Security Assessment”, IEEE Security & Privacy, vol. 8, pp. 35–44, March–April 2010.
References (III)
• A. Barresi and P. Somogyvari, “Android Security – An Introduction”, www.youtube.com/watch?v=OOFzu2J3EBY
• Kaspersky Security Bulletin 2012, https://www.securelist.com/en/analysis/204792255/Kaspersky_Security_Bulletin_2012_The_overall_statistics_for_2012