Download to read offline
Uploaded byBirju Tank
Vulnerabilities in Android
The document discusses vulnerabilities in the Android operating system. It begins by noting the dominance of Android and iOS in the smartphone market and the need for privacy awareness as malicious codes are increasingly reported. It then defines vulnerability as a weakness or soft spot, and lists some common types of vulnerabilities like invalidated inputs, broken access control, and SQL injection. The document also covers Android security features like encryption, sandboxing, and permissions, as well as current issues around mobile security including malicious apps, unsafe websites, and data security problems. It concludes that while Android utilizes sandboxing and permissions, optional permission assignments can still leave security loopholes.
More Related Content
Similar to Vulnerabilities in Android
![Attack surfaces and attack tress[inform]](https://cdn.slidesharecdn.com/ss_thumbnails/lecture03-260108015941-a4dee53b-thumbnail.jpg?width=640&height=640&fit=bounds)
Vulnerabilities in Android
- 1. Vulnerabilities in Android By: BIRJU TANK(141060753017) M.E 3rd Sem WiMC GTU PG School, BISAG-CDAC, Gandhinagar birjutank27@gmail.com
- 2. Introduction • Growth ofthe Smartphones increases rapidly • Android and iOS Smartphones claimed above 90% • Universal awareness of Privacy should require • Many Malicious codes are reported • Causes Security flaw, financial loss, private information leakage birjutank27@gmail.com
- 3. What is Vulnerability..? •Weakness • Soft Spot birjutank27@gmail.com
- 4. Tools to measureVulnerability • Nessus • IWH tool birjutank27@gmail.com
- 5. Types of vulnerabilities •Invalidated inputs • Broken Access Control • Cross-site scripting • Buffer overflow • SQL Injection • Http Header Injection • FTP Bounce attack birjutank27@gmail.com
- 6. Android Security • Filesystem is encrypted against any theft or loss of device • The Sandbox concept is adopted to isolate apps data and codes from other apps • Concept of Content Provider and Permission birjutank27@gmail.com
- 7. Content Provider andPermission birjutank27@gmail.com
- 8. Current Safety Statusof Mobile Devices • Extract an application's signature and then compare it with the signatures in the malicious application signature database • But this is time consuming • Solution to this is Cloud Antivirus birjutank27@gmail.com
- 9. Security Problems facedby mobile devices • Malicious applications • Unsafe websites • Data security of mobile devices • Network data security of the mobile devices birjutank27@gmail.com
- 10. Conclusion • Android relieson the Sandbox to protect codes and data of an app from other apps, whilst it offers the ContentProviders to share databases as necessary. • Assigning permissions to control accesses is not mandatory, which leads to security loopholes. birjutank27@gmail.com
- 11. Future Work • Securitymodule of any object is very huge area b’coz 100% Security is Myth birjutank27@gmail.com
- 12. References 1. P. D.Meshram, Dr. R.C. Thool – “A paper on Vulnerabilities in Android and Security of Android Devices”, 2014 IEEE Global Conference on Wireless Computing and Networking (GCWCN), 978-1-4799-6298-3/14/$31.00 © 2014 IEEE 2. Jingzheng Wu, Yanjun Wu, Mutian Yang, Zhifei Wu, Yongji Wang – “Vulnerability Detection in Android system”, 2013 IEEE Sixth International Conference on Cloud Computing - 978-0-7695-5028-2/13 $26.00 © 2013 IEEE 3. Xiali Hei, Xiaojiang Du and Shan Lin – “Two Vulnerabilities in Android Kernel” IEEE ICC 2013 - Wireless Networking Symposium- 978-1-4673-3122- 7/13/$31.00 ©2013 IEEE 4. AndroidManifest, http://developer.android.com/guide/topics/ manifest/ manifestt-intro.html 5. Android Security, http://developer.android.com/training / articles/security- tips.html birjutank27@gmail.com
- 13.
Editor's Notes
- #6 Not checking whether text a user types into a field on a website is appropriate for that field Access controls determine what a user can access after logging in to his personal account and blocks access to other accounts. When a hacker sends commands embedded in queries to a website. Attacker can take control of application server, gaining access to all the data that the server manages. FTP : an attacker is able to use the PORT command to request access to ports indirectly through the use of the victim machine as a middle man for the request
- #7 address books or photo albums provided by the system are supposed to be available to other chatting apps, which aspect has been abused or misused by many malicious apps
- #8 An app cannot directly access the databases of other apps even though it has knowledge of their locations and structures. Server apps assign URIs to identify their databases externally. That is, as a database identifier, the server assigns URI in AndroidManifest.xml or ContentProvider, and client apps that intend to use the database make requests to send queries to server apps via given URI. Client apps send queries and URIs to ContentProvider via ContentResolvers. Then, ContentProvider receive query results from database via DB Helper and send them back to ContentResolvers. Differently put, ContentProvider and ContentResolvers serve as windows for sharing databases between server and client apps. Android.permission-group.CAMERA, Android.permission.INTERNET
- #9 drawback of the method of signature comparison is that whenever the malicious applications replace their signatures, the malicious signature database must be updated accordingly its basic idea is to extract the signature of the application on the mobile devices, send it to the cloud for detecting and return results to the devices from the cloud