Understanding Android Security Model
Pragati Ogal Rai
MTS1, Software Engineer, PayPal Mobile
Pragati.Rai@paypal.com
SV Android Dev Camp
March 04, 2011

Agenda
- Why should I understand Android's Security Model?
- What is Android's security model?
  - Architecture
  - Components
  - Intents
  - Permissions
  - AndroidManifest.xml
  - Application Signing
  - System Packages
  - External Storage
  - Files
  - Binders

Why should I understand Android's Security Model?
- Smart(er) Phones
  - Mail, calendar, Facebook, Twitter
- Open Platform
  - Open sourced
  - Well documented
- YOU control your phone

Architecture
http://developer.android.com/guide/basics/what-is-android.html

Linux Kernel
- Unique UID and GID for each application at install time
- Sharing can occur through component interactions
- Linux Process Sandbox

Linux Kernel (Cont'd)
- include/linux/android_aid.h

    AID_NET_BT   3002   Can create Bluetooth Sockets
    AID_INET     3003   Can create IPv4 and IPv6 Sockets

Middleware
- Dalvik VM is not a security boundary
  - No security manager
  - Permissions are enforced in OS and not in VM
  - Bytecode verification for optimization
- Native vs. Java code

Binder Component Framework
- BeOS, Palm, Android
- Applications are made of various components
- Applications interact via components

Application Layer
- Permissions restrict component interaction
- Permission labels defined in AndroidManifest.xml
- MAC enforced by Reference Monitor
- PackageManager and ActivityManager enforce permissions

Permission Protection Levels
- Normal
  - android.permission.VIBRATE
  - com.android.alarm.permission.SET_ALARM
- Dangerous
  - android.permission.SEND_SMS
  - android.permission.CALL_PHONE
- Signature
  - android.permission.FORCE_STOP_PACKAGES
  - android.permission.INJECT_EVENTS
- SignatureOrSystem
  - android.permission.ACCESS_USB
  - android.permission.SET_TIME

User Defined Permissions
- Developers can define their own permissions in AndroidManifest.xml

    <permission android:name="com.pragati.permission.ACCESS_DETAILS"
        android:label="@string/permlab_accessDetails"
        android:description="@string/permdesc_accessDetails"
        android:permissionGroup="android.permission-group.COST_MONEY"
        android:protectionLevel="signature" />

Components
- Activity: Define screens
- Service: Background processing
- Broadcast Receiver: Mailbox for messages from other applications
- Content Provider: Relational database for sharing information
- All components are secured with permissions

Activity
- Often run in their own UID
- Secured using Permissions
- android:exported=true
  - If badly configured, arbitrary data can be passed in using an Intent
  - Add categories to Intent Filter
  - Do not pass sensitive data in intents

Service
- Started with Intent
- Permissions can be enforced on Service
- Caller can "bind" to service using bindService()
- Binder channel to talk to service
- Check permissions of calling component against PERMISSION_DENIED or PERMISSION_GRANTED

    getPackageManager().checkPermission(permToCheck, name.getPackageName())

Broadcasts
- Sending Broadcast Intents
  - For sensitive data, pass manifest permission name
- Receiving Broadcast Intents
  - Validate input from intents
  - Intent Filter is not a security boundary
  - Categories narrow down delivery but do not guarantee security
  - android:exported=true
- Sticky broadcasts stick around
  - Need special privilege BROADCAST_STICKY

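Both sides of the broadcast slide in code, as an added example that is not part of the deck: the sender passes a manifest permission name so that only receivers holding it get the Intent, and the receiver treats the Intent as untrusted input even though a filter selected it. The action string, both permission names, the class names and the manifest snippet in the comment are assumptions made for this example.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

// Hypothetical alert broadcast. Both permission names are assumptions and would
// be declared with <permission> in the manifest. The receiver is registered as
//   <receiver android:name=".AlertBroadcasts$Receiver"
//             android:permission="com.pragati.permission.SEND_ALERT">
//     <intent-filter><action android:name="com.pragati.action.ALERT"/></intent-filter>
//   </receiver>
// so that, in the other direction, only senders holding SEND_ALERT can deliver to it.
public class AlertBroadcasts {
    static final String ACTION_ALERT = "com.pragati.action.ALERT";
    static final String PERM_RECEIVE_ALERT = "com.pragati.permission.RECEIVE_ALERT";
    static final String EXTRA_ALERT_ID = "alertId";

    // Sender side: the second argument restricts delivery to receivers whose
    // application holds RECEIVE_ALERT. Only an identifier travels in the Intent;
    // the sensitive record itself stays in the sender's own storage.
    static void sendAlert(Context ctx, long alertId) {
        Intent intent = new Intent(ACTION_ALERT);
        intent.putExtra(EXTRA_ALERT_ID, alertId);
        ctx.sendBroadcast(intent, PERM_RECEIVE_ALERT);
    }

    // Receiver side: the intent filter selected this receiver but is not a
    // security boundary, so the action and every extra are validated before use.
    public static class Receiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            if (intent == null || !ACTION_ALERT.equals(intent.getAction())) {
                return;
            }
            long alertId = intent.getLongExtra(EXTRA_ALERT_ID, -1L);
            if (alertId < 0) {
                return;   // missing or wrong-typed extra: ignore rather than act on it
            }
            handleAlert(ctx, alertId);
        }

        // Placeholder for the real handling (hypothetical).
        void handleAlert(Context ctx, long alertId) {
            // look up alertId in the application's own, permission-protected storage
        }
    }
}
```

The two permissions play different roles: the one passed to sendBroadcast() is checked against the receiving application, while android:permission on the <receiver> element is checked against the sending application. Neither replaces validating the extras, since any sender that holds the permission can still send malformed data.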
Content Provider
- Allow applications to share data
- Define permissions for accessing <provider>
- Content providers use URI schemes

    content://<authority>/<table>/[<id>]

Binder
- Synchronous RPC mechanism
- Define interface with AIDL
- Same process or different processes
- transact() and Binder.onTransact()
- Data sent as a Parcel
- Secured by caller permission or identity checking

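The Service and Binder slides together, as an added example that is not from the deck: a bound Service exposes a raw Binder, its onTransact() checks the calling process's permission and identity before answering, and a client sends the request through transact() with a Parcel. The service and client names, the transaction code, the permission name (reused from the "User Defined Permissions" slide) and the lookup placeholder are assumptions.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

// Hypothetical service that hands out account details over a raw Binder.
// The permission would be declared with <permission> in this application's
// AndroidManifest.xml, as on the "User Defined Permissions" slide.
public class DetailsService extends Service {
    static final String PERM_ACCESS_DETAILS = "com.pragati.permission.ACCESS_DETAILS";
    static final int TX_GET_DETAILS = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TX_GET_DETAILS) {
                return super.onTransact(code, data, reply, flags);
            }
            // Identity check: the Binder driver records the caller's UID/PID;
            // a client cannot forge them.
            int callerUid = Binder.getCallingUid();
            // Permission check against the *calling* process, not our own. For an
            // in-process caller checkCallingPermission() returns PERMISSION_DENIED,
            // which is the safe default. The per-package variant from the slide,
            // getPackageManager().checkPermission(perm, pkg), works the same way.
            if (checkCallingPermission(PERM_ACCESS_DETAILS) != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException("uid " + callerUid + " lacks " + PERM_ACCESS_DETAILS);
            }
            String accountId = data.readString();   // request argument, untrusted input
            if (accountId == null || accountId.length() > 64) {
                throw new IllegalArgumentException("bad accountId");
            }
            reply.writeNoException();
            reply.writeString(lookupDetails(callerUid, accountId));
            return true;
        }
    };

    // Placeholder for the actual data lookup (hypothetical).
    String lookupDetails(int callerUid, String accountId) {
        return "details for " + accountId + " requested by uid " + callerUid;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    // Client side, in the calling application, once bindService() has delivered
    // the IBinder through ServiceConnection.onServiceConnected().
    static String fetchDetails(IBinder service, String accountId) throws RemoteException {
        Parcel data = Parcel.obtain();
        Parcel reply = Parcel.obtain();
        try {
            data.writeString(accountId);
            service.transact(TX_GET_DETAILS, data, reply, 0);
            reply.readException();   // rethrows the SecurityException raised on the service side
            return reply.readString();
        } finally {
            data.recycle();
            reply.recycle();
        }
    }
}
```

A RuntimeException thrown inside onTransact() is written into the reply Parcel by the framework and re-raised in the client by readException(), so a denied caller sees a SecurityException rather than a silent empty reply. An AIDL-generated Stub would wrap the same transact()/onTransact() pair; the permission check belongs in the generated method body in exactly the same place.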
Intents
- Inter Component Interaction
- Asynchronous IPC
- Explicit or implicit intents
- Do not put sensitive data in intents
- Components need not be in same application
- startActivity(Intent), sendBroadcast(Intent)

Intent Filters
- Activity Manager matches intents against Intent Filters

    <receiver android:name="BootCompletedReceiver">
        <intent-filter>
            <action android:name="android.intent.action.BOOT_COMPLETED"/>
        </intent-filter>
    </receiver>

- Activity with Intent Filter enabled becomes "exported"
- Activity with "android:exported=true" can be started with any intent
- Intent Filters cannot be secured with permissions
- Add categories to restrict what intent can be called through
  - android.intent.category.BROWSABLE

Pending Intent
- Token given to a foreign application to perform an action on your application's behalf
- Uses your application's permissions
- Even if its owning application's process is killed, the PendingIntent itself remains usable from other processes
- Provide component name in base intent
- PendingIntent.getActivity(Context, int, Intent, int)

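The "explicit intent" and "provide component name in base intent" points in code, as an added example that is not part of the deck: the base Intent names its target class, so no intent-filter matching takes place and the token handed to a foreign application can only open our own Activity. The class names, action string and extra name are assumptions; FLAG_IMMUTABLE is a real PendingIntent flag that exists from API 23 on, later than the Android 2.2 era of the slides.

```java
import android.app.Activity;
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;

// Hypothetical: a notification or widget in another process is handed a token
// that opens our DetailsActivity with our permissions.
public class DetailsIntents {
    public static class DetailsActivity extends Activity { }   // placeholder target

    static final String EXTRA_ACCOUNT_ID = "accountId";

    // Explicit Intent: the target class is fixed, so the ActivityManager does no
    // intent-filter matching and no other application's exported Activity can be
    // selected in place of ours.
    static Intent explicitDetailsIntent(Context ctx, String accountId) {
        Intent intent = new Intent(ctx, DetailsActivity.class);
        intent.putExtra(EXTRA_ACCOUNT_ID, accountId);
        return intent;
    }

    // PendingIntent built from that explicit base. Because the holder of the
    // token acts with our identity, every field is filled in up front.
    // FLAG_IMMUTABLE (API 23 and later) additionally stops the holder from
    // altering the Intent through Intent.fillIn() when it calls send().
    static PendingIntent detailsToken(Context ctx, String accountId) {
        Intent base = explicitDetailsIntent(ctx, accountId);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT | PendingIntent.FLAG_IMMUTABLE;
        return PendingIntent.getActivity(ctx, 0, base, flags);
    }

    // The shape the slide warns against, for contrast: an implicit base Intent
    // with no component, which any Activity whose filter matches the action
    // could be chosen to receive.
    static Intent implicitBaseIntentToAvoid(String accountId) {
        Intent intent = new Intent("com.pragati.action.SHOW_DETAILS");
        intent.putExtra(EXTRA_ACCOUNT_ID, accountId);
        return intent;
    }
}
```

The receiving DetailsActivity should still validate EXTRA_ACCOUNT_ID on arrival: an explicit component pins where the Intent goes, not what is inside it.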
AndroidManifest.xml
- Application Components
- Rules for auto-resolution
- Permissions
- Access rules
- Runtime dependencies
- Runtime libraries

AndroidManifest.xml
http://www.cse.psu.edu/~enck/cse597a-s09/slides/cse597a-android.pdf

External Storage
- Starting API 8 (Android 2.2) APKs can be stored on external devices
  - APK is stored in encrypted container called asec file
  - Key is randomly generated and stored on device
  - Dex files, private data, native shared libraries still reside on internal memory
- External devices are mounted with "noexec"
- VFAT does not support Linux access control
- Sensitive data should be encrypted before storing

Application Signature
- Applications are self-signed; no CA required
- Signatures define persistence
  - Detect if the application has changed
  - Application update
- Signatures define authorship
  - Establish trust between applications
  - Run in same Linux ID

Application Upgrade
- Applications can register for auto-updates
- Applications should have the same signature
- No additional permissions should be added
- Install location is preserved

System Packages
- Come bundled with ROM
- Have signatureOrSystem Permission
- Cannot be uninstalled
- /system/app

Files and Preferences
- Applications have own area for files
- Files are protected by Unix-like file permissions
- Different modes: world readable, world writable, private, append

    FileOutputStream out = openFileOutput("myFile", Context.MODE_WORLD_READABLE);

- SharedPreferences is a system feature with its file protected by permissions

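The Files and Preferences slide and the External Storage slide side by side, as an added example that is not from the deck: internal files and SharedPreferences rely on the per-UID Unix permissions that MODE_PRIVATE gives them, while anything written to VFAT external storage is encrypted first because no access control applies there. The helper class, file names and the preference name are assumptions; where the AES key comes from and how it is kept out of world-readable locations is deliberately left outside the example.

```java
import android.content.Context;
import android.content.SharedPreferences;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helpers contrasting internal storage (per-UID Unix permissions)
// with external storage (VFAT, readable by every application).
public class StorageHelpers {

    // Internal storage, MODE_PRIVATE: the file lives under /data/data/<package>/files,
    // owned by this app's UID, with no access for other UIDs. MODE_WORLD_READABLE,
    // as on the slide, would instead let every installed application read it.
    static void writePrivateFile(Context ctx, String name, byte[] data) throws IOException {
        FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE);
        try {
            out.write(data);
        } finally {
            out.close();
        }
    }

    // SharedPreferences are backed by an XML file protected the same way.
    static void savePrivatePreference(Context ctx, String key, String value) {
        SharedPreferences prefs = ctx.getSharedPreferences("settings", Context.MODE_PRIVATE);
        prefs.edit().putString(key, value).commit();
    }

    // External storage: no Linux access control applies, so the content is
    // encrypted with AES-GCM (authenticated; "AES/GCM/NoPadding" is available
    // from API 19) before it is written. The 12-byte nonce is stored in front
    // of the ciphertext.
    static File writeEncryptedExternal(Context ctx, String name, byte[] plaintext, SecretKey key)
            throws IOException, GeneralSecurityException {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);   // never reuse a nonce with the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ciphertext = cipher.doFinal(plaintext);

        File dir = ctx.getExternalFilesDir(null);   // API 8+, app-specific external directory
        if (dir == null) {
            throw new IOException("external storage not mounted");
        }
        File f = new File(dir, name);
        FileOutputStream out = new FileOutputStream(f);
        try {
            out.write(nonce);
            out.write(ciphertext);
        } finally {
            out.close();
        }
        return f;
    }

    // Reading back: the GCM tag check fails (AEADBadTagException) if another
    // application modified the file on the shared medium.
    static byte[] readEncryptedExternal(File f, SecretKey key)
            throws IOException, GeneralSecurityException {
        byte[] all = new byte[(int) f.length()];
        DataInputStream in = new DataInputStream(new FileInputStream(f));
        try {
            in.readFully(all);
        } finally {
            in.close();
        }
        if (all.length < 12) {
            throw new IOException("file too short");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, all, 0, 12));
        return cipher.doFinal(all, 12, all.length - 12);
    }
}
```

Encryption on external storage protects confidentiality and, with GCM, integrity of the data, but not availability: any application with external-storage access can still delete or overwrite the file, so nothing that must survive should live only there.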
Summary
- Linux process sandbox
- Permission based component interaction
- Permission labels defined in AndroidManifest.xml
- Applications need to be signed
- Signatures define persistence and authorship
- Install time security decisions

References
- http://developer.android.com
- Jesse Burns, http://www.isecpartners.com/files/iSEC_Securing_Android_Apps.pdf
- William Enck, Machigar Ongtang, and Patrick McDaniel, Understanding Android Security. IEEE Security & Privacy Magazine, 7(1):50-57, January/February 2009.

Thank You!
Pragati.Rai@paypal.com