SlideShare a Scribd company logo

Understanding Android Security

Download as PPT, PDF
Asanka Dilruk
Asanka Dilruk

This presentation done for my MSc studies @ UOM. The presentation is related to the paper "Understanding Android Security" by William Enck, Machigar Ongtang, and Patrick McDaniel. Pennsylvania State University on 2009

Software
1 of 21
William Enck, Machigar Ongtang, and PatrickMcDanielWilliam Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State UniversityPennsylvania State University Presented by: Dilruk G.A .(148209B) Jagoda S.D. (148214K)
Outline  Introduction  Android Applications  Security Enforcement  Security Refinements  Lessons in Defining Policy
Introduction  Android (Google)  Open source  A base operation system for mobiles  Application middleware layer  Java software development kit  Collection of system applications
Feature of Android OS  Doesn’t support applications developed for other platforms  Restricts application interaction to its special APIs by running each application as its own user identity  Uses a simple permission label assignment model to restrict access to resources and other applications
Android OS Architecture
Example Application
FriendTracker - Component Interaction Intent - message object containing a destination component address and data Action - the process of inter- components communication
Security Enforcement  Android applications execute as its own user identity, allowing the underlying Linux system to provide system-level isolation  Android middleware contains a reference monitor that mediates the establishment of inter-component communication (ICC)
Security Enforcement  Core idea of Android security enforcement - labels assignment to applications and components  A reference monitor provides mandatory access control (MAC) enforcement of how applications access components  Access to each component is restricted by assigning it an access permission label. Applications are assigned collections of permission labels  When a component initiates ICC, the reference monitor looks at the permission labels assigned to its containing application and— if the target component’s access permission label is in that collection— allows ICC establishment to proceed.
Security Enforcement : Access permission logic Example  Component A’s ability to access components B and C is determined by comparing the access permission labels on B and C to the collection of labels assigned to application 1.
Android Security Refinements
Public and Private Components  Applications often contain components that another application should never access. For example, component related to password storing.  The solution is to Instead of defining an access permission user can define the component as private.  Best Practice: Always set the “exported” attribute.  This significantly reduces the attack surface for many applications.
Implicitly Open Components  At development time, if the decision of access permission is unclear, The developer can permit the functionality by not assigning an access permission to it.  If a public component doesn’t explicitly have an access permission listed in its manifest definition, Android permits any application to access it.  Best Practice: Should always assign access permissions to public components.
Intent Broadcast Permissions  Sending the unprotected intent is a privacy risk.  Android API for broadcasting intents optionally allows the developer to specify a permission label to restrict access to the intent object.  Best Practice: Always specify an access permission on Intent broadcasts
Content Provider Permissions  If the developer want his application to be the only one to update the contents but for other applications to be able to read them.  Android allows such a security policy assigning read or write permissions.  Best Practice: Always define separate read and write permissions.
Service Hooks  Android only lets the developer assign one permission label to restrict starting, stopping, and binding to a service.  Under this model, any application can start or stop Friend tracker can also tell it to monitor new friends.  Best Practice: Use service hooks and let the developers write code to perform custom runtime security.  Eg.. Use checkPermission() to mediate “administrative” operations in Friend Tracker .
Protected APIs  Not all system are accessed through components— instead, Android provides direct API access.  Android protects these sensitive APIs with additional permission label checks: an application must declare a corresponding permission label in its manifest file to use them.  Best Practice: Application need to request permissions for protected APIs
Permission Protection Levels  The permission protection levels provide a means of controlling how developers assign permission labels.  Normal – grant to any application that request them in its manifest  Dangerous – granted only after user confirmation  Signature – granted only to application signed by the same developer key  Signature or system – same like signature but exist for legacy compatibility.  Best Practice: Use either signature or dangerous permissions depending on the application behaviour
Pending Intents  The Pending Intent object is simply a reference pointer that can pass to another application.  Recipient application can modify the original intent and specify when the action is invoked.  Pending intents allow applications included with the framework to integrate better with third-party applications.  Best Practice: Only use Pending Intents as “delayed callbacks” to private Components and always specify the private broadcast receiver.
Lessons in Defining Policy  Android security policy begins with a relatively easy-to-understand MAC enforcement model  Some refinements push policy into the application code  The permission label itself is merely a text string, but its assignment to an application provides access to potentially limitless resources
Understanding Android Security

Recommended

Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Android Security
Android SecurityAndroid Security
Android Security
Lars Jacobs
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OS
Jimmy Software
 

Recommended

Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Android Security
Android SecurityAndroid Security
Android Security
Lars Jacobs
 
Android security
Android securityAndroid security
Android security
Mobile Rtpl
 
Hacking and securing ios applications
Hacking and securing ios applicationsHacking and securing ios applications
Hacking and securing ios applicationsSatish b
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
Subho Halder
 
Android Security
Android SecurityAndroid Security
Android Security
Arqum Ahmad
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
n|u - The Open Security Community
 
Hacking Android OS
Hacking Android OSHacking Android OS
Hacking Android OS
Jimmy Software
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
 
Android Security
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
Pragati Rai
 
Android media framework overview
Android media framework overviewAndroid media framework overview
Android media framework overview
Jerrin George
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
Sander Alberink
 
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
ijafrc
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
Android Presentation
Android PresentationAndroid Presentation
Android PresentationAdhoura Academy
 
android phone feature and value for user
android phone feature and value for userandroid phone feature and value for user
android phone feature and value for userSudhir Kumar
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Android JNI
Android JNIAndroid JNI
Android JNI
Siva Ramakrishna kv
 
Developing Cross platform apps in flutter (Android, iOS, Web)
Developing Cross platform apps in flutter (Android, iOS, Web)Developing Cross platform apps in flutter (Android, iOS, Web)
Developing Cross platform apps in flutter (Android, iOS, Web)
Priyanka Tyagi
 
Android Binder: Deep Dive
Android Binder: Deep DiveAndroid Binder: Deep Dive
Android Binder: Deep Dive
Zafar Shahid, PhD
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
OWASP
 
Low Level View of Android System Architecture
Low Level View of Android System ArchitectureLow Level View of Android System Architecture
Low Level View of Android System Architecture
National Cheng Kung University
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
Android Internals
Android InternalsAndroid Internals
Android Internals
Opersys inc.
 
Flutter talkshow
Flutter talkshowFlutter talkshow
Flutter talkshow
Nhan Cao
 
Automotive android
Automotive androidAutomotive android
Automotive android
Godfrey Nolan
 
08 android multimedia_framework_overview
08 android multimedia_framework_overview08 android multimedia_framework_overview
08 android multimedia_framework_overview
Arjun Reddy
 
Displays for advertising
Displays for advertisingDisplays for advertising
Displays for advertising
Serigrafiarte
 
su vab dong cua ti gia hoi doai
su vab dong cua ti gia hoi doaisu vab dong cua ti gia hoi doai
su vab dong cua ti gia hoi doaimenngan
 

More Related Content

What's hot

Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
Marakana Inc.
 
Android Security
Android SecurityAndroid Security
Android Security
Suminda Gunawardhana
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
Pragati Rai
 
Android media framework overview
Android media framework overviewAndroid media framework overview
Android media framework overview
Jerrin George
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
Sander Alberink
 
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
ijafrc
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
Nikhil Mittal
 
android phone feature and value for user
android phone feature and value for userandroid phone feature and value for user
android phone feature and value for userSudhir Kumar
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
Prem Kumar (OSCP)
 
Android JNI
Android JNIAndroid JNI
Android JNI
Siva Ramakrishna kv
 
Developing Cross platform apps in flutter (Android, iOS, Web)
Developing Cross platform apps in flutter (Android, iOS, Web)Developing Cross platform apps in flutter (Android, iOS, Web)
Developing Cross platform apps in flutter (Android, iOS, Web)
Priyanka Tyagi
 
Android Binder: Deep Dive
Android Binder: Deep DiveAndroid Binder: Deep Dive
Android Binder: Deep Dive
Zafar Shahid, PhD
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
OWASP
 
Low Level View of Android System Architecture
Low Level View of Android System ArchitectureLow Level View of Android System Architecture
Low Level View of Android System Architecture
National Cheng Kung University
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
jasonhaddix
 
Android Internals
Android InternalsAndroid Internals
Android Internals
Opersys inc.
 
Flutter talkshow
Flutter talkshowFlutter talkshow
Flutter talkshow
Nhan Cao
 
Automotive android
Automotive androidAutomotive android
Automotive android
Godfrey Nolan
 
08 android multimedia_framework_overview
08 android multimedia_framework_overview08 android multimedia_framework_overview
08 android multimedia_framework_overview
Arjun Reddy
 

What's hot (20)

Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
Android Security
Android SecurityAndroid Security
Android Security
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security model
 
Android media framework overview
Android media framework overviewAndroid media framework overview
Android media framework overview
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
Customizing AOSP For Different Embedded Devices And Integration at Applicatio...
 
PowerShell for Practical Purple Teaming
PowerShell for Practical Purple TeamingPowerShell for Practical Purple Teaming
PowerShell for Practical Purple Teaming
 
Android Presentation
Android PresentationAndroid Presentation
Android Presentation
 
android phone feature and value for user
android phone feature and value for userandroid phone feature and value for user
android phone feature and value for user
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Android JNI
Android JNIAndroid JNI
Android JNI
 
Developing Cross platform apps in flutter (Android, iOS, Web)
Developing Cross platform apps in flutter (Android, iOS, Web)Developing Cross platform apps in flutter (Android, iOS, Web)
Developing Cross platform apps in flutter (Android, iOS, Web)
 
Android Binder: Deep Dive
Android Binder: Deep DiveAndroid Binder: Deep Dive
Android Binder: Deep Dive
 
Introduction to iOS Penetration Testing
Introduction to iOS Penetration TestingIntroduction to iOS Penetration Testing
Introduction to iOS Penetration Testing
 
Low Level View of Android System Architecture
Low Level View of Android System ArchitectureLow Level View of Android System Architecture
Low Level View of Android System Architecture
 
Pentesting iOS Applications
Pentesting iOS ApplicationsPentesting iOS Applications
Pentesting iOS Applications
 
Android Internals
Android InternalsAndroid Internals
Android Internals
 
Flutter talkshow
Flutter talkshowFlutter talkshow
Flutter talkshow
 
Automotive android
Automotive androidAutomotive android
Automotive android
 
08 android multimedia_framework_overview
08 android multimedia_framework_overview08 android multimedia_framework_overview
08 android multimedia_framework_overview
 

Viewers also liked

Displays for advertising
Displays for advertisingDisplays for advertising
Displays for advertising
Serigrafiarte
 
su vab dong cua ti gia hoi doai
su vab dong cua ti gia hoi doaisu vab dong cua ti gia hoi doai
su vab dong cua ti gia hoi doaimenngan
 
SITCON2014 LT 快倒的座位表
SITCON2014 LT 快倒的座位表SITCON2014 LT 快倒的座位表
SITCON2014 LT 快倒的座位表
Yi Tseng
 
Military service in Swaziland
Military service in SwazilandMilitary service in Swaziland
Military service in Swaziland
Derik Lu
 
Model-Driven Testing with UML 2.0
Model-Driven Testing with UML 2.0Model-Driven Testing with UML 2.0
Model-Driven Testing with UML 2.0
Asanka Dilruk
 
Dracula Presentation with Answers
Dracula Presentation with AnswersDracula Presentation with Answers
Dracula Presentation with Answers
alexteacherproa
 
‫فايروس الاختصارات
‫فايروس الاختصارات ‫فايروس الاختصارات
‫فايروس الاختصارات Groh-alroh
 
Health recordsandinformationmanagersbill2015
Health recordsandinformationmanagersbill2015Health recordsandinformationmanagersbill2015
Health recordsandinformationmanagersbill2015
kiptisia
 
11 Model-Driven Testing with UML 2
11 Model-Driven Testing with UML 211 Model-Driven Testing with UML 2
11 Model-Driven Testing with UML 2Asanka Dilruk
 
Day 6
Day 6Day 6
Day 6
alexteacherproa
 
sự vận động của tỷ giá hối đoái
sự vận động của tỷ giá hối đoáisự vận động của tỷ giá hối đoái
sự vận động của tỷ giá hối đoáimenngan
 
karakteristik komponen komponenn
karakteristik komponen komponennkarakteristik komponen komponenn
karakteristik komponen komponennrosmariasinurat19
 

Viewers also liked (20)

Displays for advertising
Displays for advertisingDisplays for advertising
Displays for advertising
 
su vab dong cua ti gia hoi doai
su vab dong cua ti gia hoi doaisu vab dong cua ti gia hoi doai
su vab dong cua ti gia hoi doai
 
销售人员手册080905
销售人员手册080905销售人员手册080905
销售人员手册080905
 
SITCON2014 LT 快倒的座位表
SITCON2014 LT 快倒的座位表SITCON2014 LT 快倒的座位表
SITCON2014 LT 快倒的座位表
 
Military service in Swaziland
Military service in SwazilandMilitary service in Swaziland
Military service in Swaziland
 
Model-Driven Testing with UML 2.0
Model-Driven Testing with UML 2.0Model-Driven Testing with UML 2.0
Model-Driven Testing with UML 2.0
 
Dracula Presentation with Answers
Dracula Presentation with AnswersDracula Presentation with Answers
Dracula Presentation with Answers
 
BitonicSortSIMD
BitonicSortSIMDBitonicSortSIMD
BitonicSortSIMD
 
‫فايروس الاختصارات
‫فايروس الاختصارات ‫فايروس الاختصارات
‫فايروس الاختصارات
 
Health recordsandinformationmanagersbill2015
Health recordsandinformationmanagersbill2015Health recordsandinformationmanagersbill2015
Health recordsandinformationmanagersbill2015
 
11 Model-Driven Testing with UML 2
11 Model-Driven Testing with UML 211 Model-Driven Testing with UML 2
11 Model-Driven Testing with UML 2
 
Day 6
Day 6Day 6
Day 6
 
Potassium humte
Potassium humtePotassium humte
Potassium humte
 
Evaluation question 5
Evaluation question 5Evaluation question 5
Evaluation question 5
 
Evaluation question 5
Evaluation question 5Evaluation question 5
Evaluation question 5
 
sự vận động của tỷ giá hối đoái
sự vận động của tỷ giá hối đoáisự vận động của tỷ giá hối đoái
sự vận động của tỷ giá hối đoái
 
La comida marroquí
La comida marroquíLa comida marroquí
La comida marroquí
 
HydraFS
HydraFSHydraFS
HydraFS
 
La ciudad de tanger
La ciudad de tanger La ciudad de tanger
La ciudad de tanger
 
karakteristik komponen komponenn
karakteristik komponen komponennkarakteristik komponen komponenn
karakteristik komponen komponenn
 

Similar to Understanding Android Security

COVERT app
COVERT appCOVERT app
COVERT app
itba9
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
Vandana Verma
 
Android_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdfAndroid_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdf
Talha Naqash
 
Android Permissions DemystifiedAdrienne Porter Felt, Erika.docx
Android Permissions DemystifiedAdrienne Porter Felt, Erika.docxAndroid Permissions DemystifiedAdrienne Porter Felt, Erika.docx
Android Permissions DemystifiedAdrienne Porter Felt, Erika.docx
durantheseldine
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
Minali Arora
 
Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android SystemNizar Maan
 
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
IJNSA Journal
 
Mitigating Privilege-Escalation Attacks on Android Report
Mitigating Privilege-Escalation Attacks on Android ReportMitigating Privilege-Escalation Attacks on Android Report
Mitigating Privilege-Escalation Attacks on Android ReportVinoth Kanna
 
Android Basic- CMC
Android Basic- CMCAndroid Basic- CMC
Android Basic- CMC
Pragati Singh
 
Securing android applications
Securing android applicationsSecuring android applications
Securing android applications
Jose Manuel Ortega Candel
 
Android security
Android securityAndroid security
Android security
Dr Amira Bibo
 
Android security
Android securityAndroid security
Android security
Dr Amira Bibo
 
Detection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksDetection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksAmina WADDIZ
 
What is Android app Pentesting in 2022- DetoxTechnologies.pdf
What is Android app Pentesting in 2022- DetoxTechnologies.pdfWhat is Android app Pentesting in 2022- DetoxTechnologies.pdf
What is Android app Pentesting in 2022- DetoxTechnologies.pdf
Cyber security professional services- Detox techno
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
IOSR Journals
 
Security on android
Security on androidSecurity on android
Security on androidpk464312
 
Android Overview
Android OverviewAndroid Overview
Android Overview
Raju Kadam
 
A Framework for Providing Selective Permissions to Android Applications
A Framework for Providing Selective Permissions to Android ApplicationsA Framework for Providing Selective Permissions to Android Applications
A Framework for Providing Selective Permissions to Android Applications
IOSR Journals
 
Security and privacy in smartphones
Security and privacy in smartphonesSecurity and privacy in smartphones
Security and privacy in smartphones
Mysa Vijay
 
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
csandit
 

Similar to Understanding Android Security (20)

COVERT app
COVERT appCOVERT app
COVERT app
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Android_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdfAndroid_Nougats_security_issues_and_solutions.pdf
Android_Nougats_security_issues_and_solutions.pdf
 
Android Permissions DemystifiedAdrienne Porter Felt, Erika.docx
Android Permissions DemystifiedAdrienne Porter Felt, Erika.docxAndroid Permissions DemystifiedAdrienne Porter Felt, Erika.docx
Android Permissions DemystifiedAdrienne Porter Felt, Erika.docx
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
Mediating Applications on the Android System
Mediating Applications on the Android SystemMediating Applications on the Android System
Mediating Applications on the Android System
 
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
SYSTEM CALL DEPENDENCE GRAPH BASED BEHAVIOR DECOMPOSITION OF ANDROID APPLICAT...
 
Mitigating Privilege-Escalation Attacks on Android Report
Mitigating Privilege-Escalation Attacks on Android ReportMitigating Privilege-Escalation Attacks on Android Report
Mitigating Privilege-Escalation Attacks on Android Report
 
Android Basic- CMC
Android Basic- CMCAndroid Basic- CMC
Android Basic- CMC
 
Securing android applications
Securing android applicationsSecuring android applications
Securing android applications
 
Android security
Android securityAndroid security
Android security
 
Android security
Android securityAndroid security
Android security
 
Detection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacksDetection of Android Third Party Libraries based attacks
Detection of Android Third Party Libraries based attacks
 
What is Android app Pentesting in 2022- DetoxTechnologies.pdf
What is Android app Pentesting in 2022- DetoxTechnologies.pdfWhat is Android app Pentesting in 2022- DetoxTechnologies.pdf
What is Android app Pentesting in 2022- DetoxTechnologies.pdf
 
Android open-source operating System for mobile devices
Android open-source operating System for mobile devicesAndroid open-source operating System for mobile devices
Android open-source operating System for mobile devices
 
Security on android
Security on androidSecurity on android
Security on android
 
Android Overview
Android OverviewAndroid Overview
Android Overview
 
A Framework for Providing Selective Permissions to Android Applications
A Framework for Providing Selective Permissions to Android ApplicationsA Framework for Providing Selective Permissions to Android Applications
A Framework for Providing Selective Permissions to Android Applications
 
Security and privacy in smartphones
Security and privacy in smartphonesSecurity and privacy in smartphones
Security and privacy in smartphones
 
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
DROIDSWAN: Detecting Malicious Android Applications Based on Static Feature A...
 

More from Asanka Dilruk

Software architecture quality attributes & Trade-offs
Software architecture quality attributes & Trade-offs Software architecture quality attributes & Trade-offs
Software architecture quality attributes & Trade-offs
Asanka Dilruk
 
Agile Requirements Engineering Practices: An Empirical Study
Agile Requirements Engineering Practices: An Empirical StudyAgile Requirements Engineering Practices: An Empirical Study
Agile Requirements Engineering Practices: An Empirical Study
Asanka Dilruk
 
Bitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorBitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array Processor
Asanka Dilruk
 
Oracle DB Performance Tuning Tips
Oracle DB Performance Tuning TipsOracle DB Performance Tuning Tips
Oracle DB Performance Tuning Tips
Asanka Dilruk
 
Windows OS Architecture in Summery
Windows OS Architecture in SummeryWindows OS Architecture in Summery
Windows OS Architecture in Summery
Asanka Dilruk
 

More from Asanka Dilruk (6)

oracle tables
oracle tablesoracle tables
oracle tables
 
Software architecture quality attributes & Trade-offs
Software architecture quality attributes & Trade-offs Software architecture quality attributes & Trade-offs
Software architecture quality attributes & Trade-offs
 
Agile Requirements Engineering Practices: An Empirical Study
Agile Requirements Engineering Practices: An Empirical StudyAgile Requirements Engineering Practices: An Empirical Study
Agile Requirements Engineering Practices: An Empirical Study
 
Bitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array ProcessorBitonic Sort in Shared SIMD Array Processor
Bitonic Sort in Shared SIMD Array Processor
 
Oracle DB Performance Tuning Tips
Oracle DB Performance Tuning TipsOracle DB Performance Tuning Tips
Oracle DB Performance Tuning Tips
 
Windows OS Architecture in Summery
Windows OS Architecture in SummeryWindows OS Architecture in Summery
Windows OS Architecture in Summery
 

Recently uploaded

Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
rickgrimesss22
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
Juraj Vysvader
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
Globus
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
XfilesPro
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
vrstrong314
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
IES VE
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Globus
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
kalichargn70th171
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
NYGGS Automation Suite
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
wottaspaceseo
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Globus
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
Fermin Galan
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
Adele Miller
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
Donna Lenk
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
Matt Welsh
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
Srikant77
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
Globus
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
abdulrafaychaudhry
 

Recently uploaded (20)

Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxTop Features to Include in Your Winzo Clone App for Business Growth (4).pptx
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptx
 
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...
 
Enhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdfEnhancing Research Orchestration Capabilities at ORNL.pdf
Enhancing Research Orchestration Capabilities at ORNL.pdf
 
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, BetterWebinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
Webinar: Salesforce Document Management 2.0 - Smarter, Faster, Better
 
top nidhi software solution freedownload
top nidhi software solution freedownloadtop nidhi software solution freedownload
top nidhi software solution freedownload
 
Using IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New ZealandUsing IESVE for Room Loads Analysis - Australia & New Zealand
Using IESVE for Room Loads Analysis - Australia & New Zealand
 
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...
 
A Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdfA Comprehensive Look at Generative AI in Retail App Testing.pdf
A Comprehensive Look at Generative AI in Retail App Testing.pdf
 
Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024Globus Connect Server Deep Dive - GlobusWorld 2024
Globus Connect Server Deep Dive - GlobusWorld 2024
 
Enterprise Resource Planning System in Telangana
Enterprise Resource Planning System in TelanganaEnterprise Resource Planning System in Telangana
Enterprise Resource Planning System in Telangana
 
How Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptxHow Recreation Management Software Can Streamline Your Operations.pptx
How Recreation Management Software Can Streamline Your Operations.pptx
 
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...
 
Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604Orion Context Broker introduction 20240604
Orion Context Broker introduction 20240604
 
May Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdfMay Marketo Masterclass, London MUG May 22 2024.pdf
May Marketo Masterclass, London MUG May 22 2024.pdf
 
Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"Navigating the Metaverse: A Journey into Virtual Evolution"
Navigating the Metaverse: A Journey into Virtual Evolution"
 
Large Language Models and the End of Programming
Large Language Models and the End of ProgrammingLarge Language Models and the End of Programming
Large Language Models and the End of Programming
 
RISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent EnterpriseRISE with SAP and Journey to the Intelligent Enterprise
RISE with SAP and Journey to the Intelligent Enterprise
 
Vitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume MontevideoVitthal Shirke Microservices Resume Montevideo
Vitthal Shirke Microservices Resume Montevideo
 
Understanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSageUnderstanding Globus Data Transfers with NetSage
Understanding Globus Data Transfers with NetSage
 
Lecture 1 Introduction to games development
Lecture 1 Introduction to games developmentLecture 1 Introduction to games development
Lecture 1 Introduction to games development
 

Understanding Android Security

  • 1. William Enck, Machigar Ongtang, and PatrickMcDanielWilliam Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State UniversityPennsylvania State University Presented by: Dilruk G.A .(148209B) Jagoda S.D. (148214K)
  • 2. Outline  Introduction  Android Applications  Security Enforcement  Security Refinements  Lessons in Defining Policy
  • 3. Introduction  Android (Google)  Open source  A base operation system for mobiles  Application middleware layer  Java software development kit  Collection of system applications
  • 4. Feature of Android OS  Doesn’t support applications developed for other platforms  Restricts application interaction to its special APIs by running each application as its own user identity  Uses a simple permission label assignment model to restrict access to resources and other applications
  • 7. FriendTracker - Component Interaction Intent - message object containing a destination component address and data Action - the process of inter- components communication
  • 8. Security Enforcement  Android applications execute as its own user identity, allowing the underlying Linux system to provide system-level isolation  Android middleware contains a reference monitor that mediates the establishment of inter-component communication (ICC)
  • 9. Security Enforcement  Core idea of Android security enforcement - labels assignment to applications and components  A reference monitor provides mandatory access control (MAC) enforcement of how applications access components  Access to each component is restricted by assigning it an access permission label. Applications are assigned collections of permission labels  When a component initiates ICC, the reference monitor looks at the permission labels assigned to its containing application and— if the target component’s access permission label is in that collection— allows ICC establishment to proceed.
  • 10. Security Enforcement : Access permission logic Example  Component A’s ability to access components B and C is determined by comparing the access permission labels on B and C to the collection of labels assigned to application 1.
  • 12. Public and Private Components  Applications often contain components that another application should never access. For example, component related to password storing.  The solution is to Instead of defining an access permission user can define the component as private.  Best Practice: Always set the “exported” attribute.  This significantly reduces the attack surface for many applications.
  • 13. Implicitly Open Components  At development time, if the decision of access permission is unclear, The developer can permit the functionality by not assigning an access permission to it.  If a public component doesn’t explicitly have an access permission listed in its manifest definition, Android permits any application to access it.  Best Practice: Should always assign access permissions to public components.
  • 14. Intent Broadcast Permissions  Sending the unprotected intent is a privacy risk.  Android API for broadcasting intents optionally allows the developer to specify a permission label to restrict access to the intent object.  Best Practice: Always specify an access permission on Intent broadcasts
  • 15. Content Provider Permissions  If the developer want his application to be the only one to update the contents but for other applications to be able to read them.  Android allows such a security policy assigning read or write permissions.  Best Practice: Always define separate read and write permissions.
  • 16. Service Hooks  Android only lets the developer assign one permission label to restrict starting, stopping, and binding to a service.  Under this model, any application can start or stop Friend tracker can also tell it to monitor new friends.  Best Practice: Use service hooks and let the developers write code to perform custom runtime security.  Eg.. Use checkPermission() to mediate “administrative” operations in Friend Tracker .
  • 17. Protected APIs  Not all system are accessed through components— instead, Android provides direct API access.  Android protects these sensitive APIs with additional permission label checks: an application must declare a corresponding permission label in its manifest file to use them.  Best Practice: Application need to request permissions for protected APIs
  • 18. Permission Protection Levels  The permission protection levels provide a means of controlling how developers assign permission labels.  Normal – grant to any application that request them in its manifest  Dangerous – granted only after user confirmation  Signature – granted only to application signed by the same developer key  Signature or system – same like signature but exist for legacy compatibility.  Best Practice: Use either signature or dangerous permissions depending on the application behaviour
  • 19. Pending Intents  The Pending Intent object is simply a reference pointer that can pass to another application.  Recipient application can modify the original intent and specify when the action is invoked.  Pending intents allow applications included with the framework to integrate better with third-party applications.  Best Practice: Only use Pending Intents as “delayed callbacks” to private Components and always specify the private broadcast receiver.
  • 20. Lessons in Defining Policy  Android security policy begins with a relatively easy-to-understand MAC enforcement model  Some refinements push policy into the application code  The permission label itself is merely a text string, but its assignment to an application provides access to potentially limitless resources

Editor's Notes

  1. In the first part of the paper they explain about android market and android flat form. Then they discussed sample application developed by them to explain android framework architecture and application components. After that main topic android security implementation is explained as two major topics which are security enforcement and security refinements. Finally paper is discussed about the lessons in defining android security policy.
  2. Our presentation is organized as here. First we will give brief introduction about android OS. Then let’s looking to the android application framework. Next we are willing to talk about security enforcement and security refinements of android application. And finally about the lesion in defining security policy.
  3. Android is a base operating system for mobile applications which is led by Google. It is widely anticipated open source application development platform and a large community of developers organized around android. Because of that many new products and application are now available for it. Android provides base operating system, application middleware layer, Java development kit (SDK) and collection of system level applications. Android is supporting for lot of online services like Google's Gmail, calendar and contacts. Phones which are used android is automatically synchronized with these services.
  4. Here we can see several main features of android which is very important when we talked about the android application security. First android OS Doesn’t support applications developed for other platforms Android Restricts application interaction to its special APIs by running each application as its own user identity Android Uses a simple permission label assignment model to restrict access to resources and other applications We will looking to these in more details under security enforcements section.
  5. The Android operating system is built on a modified Linux kernel. The software stack contains Java applications running on a virtual machine called Dalvik virtual machine. The system components are written in Java, C, C++, and XML. Android OS consist of lot of core libraries which is support java. On top of that application framework is build to support android application developments.
  6. Authors are developed sample application to explain android application components. Which is called friend tracker application and developed as two android applications. One is called friend tracker and other is friend viewer. This is mainly due to explain communication between two applications. Android application doesn’t have a main () function or single entry point for execution, instead, developers must design applications in terms of components. There are four components Activity, Broadcast Receiver, Service and Content Provider.
  7. Components in android applications are communicate each other using intents and actions. Intent is a message object, which is containing a destination component address and data. Action is a process of inter component communication.
  8. 9 security refinements Some are extension to basic MAC model and some are new concepts
  9. Some Applications often contain components that another application should never need access.
  10. This is also related to the first point.
  11. That can leak the user privacy information to explicitly listening attackers.
  12. Insert, Update or delete
  13. resources(for example, network, camera, microphone
  14. Early model had two levels application or system But new model has 4 protection levels for permission labels Nomal is same as application permission in previous model
  15. In Android defines an intent object to perform an action. However, instead of performing the action, it passes the intent to a special method that creates a Pending Intent object corresponding to that action.
  16. Android has to find a answer for how to control access to permission label Things like allowing a application to use both microphone and internet