• No results found

Android Security. Giovanni Russello

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Android Security. Giovanni Russello"

Copied!
24
0
0

Loading.... (view fulltext now)

Download now ( 24 Page )

Full text

(1)

Android Security

Giovanni Russello

(2)

N-Degree of Separation

Applications can be thought as composed

by

Main Functionality

Several Non-functional Concerns

Security is a non-functional concern

(3)

Specification Vs. Enforcement

Security can affect several parts of

application code

However it is the

enforcement

that needs

to be spread over the application code

Specification

of security policies can be

(4)

Android Security Specification

• Android allows app developers to specify the security needs of their apps

• Each app comes with a Manifest file where the permissions listing the required permissions

• The user of the device has only two choices – Either install the app granting the whole set of

permissions

– Or not install the app

(5)

Android Permission Levels

• Android provides a set of well-defined permissions

Normal Permissions are assigned by default to apps • Dangerous Permissions require user confirmation

Signature Permissions are granted to apps signed by the

same developer

System or Signature Permissions are granted only to

special apps installed in the data/system folder (i.e., apps signed by Google)

(6)

Permission example

• An app that wants to listen for incoming SMS has to declare in its manifest:

<uses-permission

android:name=android.permission.RECEIVE_SMS"/>

• The RECEIVE_SMS is consider a dangerous permission and the apps has to request it

(7)

Android Security Enforcement

Android supports a security model that is

enforced by two layers: Linux and Android

middleware

Linux enforces the DAC model

(8)

Linux DAC in Android

When an app is installed it gets a unique

UID and GID

Each app gets a home dir

– /data/data/<package_name>/

The UID and GID of the app get full access

to its home dir and the files it contains

(9)

Linux Special Groups

Linux also maintains special groups for the

Internet, External Storage, and Bluetooth

If an app asks for accessing Internet it is

assigned to the Internet Group

Similarly for the other two

(10)

Android Middleware MAC

The Android Middleware controls the way

in which apps use the ICC mechanism

Each protected feature that is reachable

through the ICC mechanism is assigned a

label

When the app asks for a permission in its

manifest the corresponding label is

(11)

Android MAC Model

Android Middleware Activity Manager

(12)

Protection Domain

Android Middleware Activity Manager Reference Monitor System Sandbox Android Apps S1 S2 P1 P2 S1 = Location Service P1 = LOCATION_PERMISSION

(13)

Assignment of Permissions

Android Middleware App A Sandbox S C B A Activity Manager Reference Monitor System Sandbox Android Apps S1 S2 P1 P2

(14)

Using the Permission

Android Middleware App A Sandbox S C B A Activity Manager Reference Monitor System Sandbox Android Apps S1 S2 P1 P2 P1

(15)

Reference Monitor

Android Middleware App A Sandbox S C B A Activity Manager Reference Monitor System Sandbox Android Apps S1 S2 P1 P2 P1

(16)

Security Confinement

Once the labels are assigned neither the

app nor the user can change them

Apps cannot delegate their permissions

However, components can

expose

interfaces to other apps

This makes difficult in standard Android to

control information flow (can lead to severe

attacks)

(17)

Android Security Refinements

Android Security Model allows developers to refine the security domain of their applications

– Through the standard mechanism using the Manifest – Programmatically by using special parameters in the

API

Bad move!!! Make everything murky and worst of all by default access is granted!!

(18)

Public vs Private Components

• By default any components that is not assigned a permission is public

• Developers can declare a component private by setting the exported flag to false in the

manifest file

• Private components can only be accessed by other components in the same app

• Android can also infer if a component is private by other declarations in the manifest file (Do you trust it??)

(19)

Implicitly Open Components

• Public components have all their interface accessible to any other components

• Developers must explicitly assign permission labels to protect those interfaces

(20)

Broadcast Intent Protection

• When an intent is broadcasted, all installed apps are able to listen to those events

• This mechanism can be exploited by malicious apps that are listening for a certain event to happen

• It is possible to protect the intent programmatically:

sendBroadcast(intent, perm.MyPerm) This means that the Manifest does not provide a

(21)

Service Hooks

• Android does not support a fine-grained

mechanism to protect the interface of a Service • Once a component has the permission label to

access a service, the component can start, stop, bind the service

• Again programmatically it is possible to refine

this mechanism by doing some extra checking at the code level, putting security policies in the

app code

(22)

Delegation

• Pending Intents that delegate to another app the parameters and time when an action is executed

– Location service notifies registered apps when location changes

• URI delegation where an app delegates a

component to perform an action on a resource – The app provides a capability to the component for

performing the action

• Per se, there is nothing wrong with delegation. However, it deviates from the main MAC model

(23)

Concluding

• The Android security is based on two enforcement layers:

• Linux DAC

• Android Middleware MAC

• Specification is done mainly through the Manifest file

(24)

Main Drawbacks

Specification can be done programmatically

– Source code injection

Open default policy

– Developers have explicitly protect apps’ interfaces

Delegation

References

Download now ( PDF - 24 Page - 578.49 KB )

Related documents

SOS INTERNATIONAL ANNUAL REPORT. CVR. nr

OPINION In our opinion, the consolidated financial statements and the parent company financial statements give a true and fair view of the Group's and the parent company's

The Implementation of Speech Recognition using Mel-Frequency Cepstrum Coefficients (MFCC) and Support Vector Machine (SVM) method based on Python to Control Robot Arm

To get the feature extraction of speech signal used Mel-Frequency Cepstrum Coefficients (MFCC) method and to learn the database of speech recognition used Support

Training. NFC in Android. Public. MobileKnowledge October 2015

► Android is a Mobile Platform and its software stack includes:  The Operating System based on Linux..  The middleware that allows apps to talk to a network or to

Boston College Law School Office of Career Services

Most of the large and medium firms participating in this program are hiring second-year students to participate as summer associates in a structured “Summer Program.” A

CAN Bus Based Monitoring and Fault Diagnosis System for Wind Turbines

Tang, April 2012, Wind Turbine Gearbox Fault Detection using Multiple Sensors With Features Level Data Fusion Analytical techniques for performance monitoring of modern wind

Trends in reporting injury as a cause of death among people with epilepsy in the U.S., 1981–2010

Contrary to previous cohort studies indicating higher standardized mortality ratios among people with epilepsy, the findings of this study demonstrate that people with epilepsy had

Snow-avalanche impact craters in southern Norway: Their morphology and dynamics compared with small terrestrial meteorite craters

Aerial photographs of selected craters: (A) Crater 6 in 2013 (Brekkevatnet), a snow- avalanche impact pool with a spectacular proximal erosional scar (‘blast zone’) and prominent

Income Trusts and Growth : Empirical Evidence

Based on our whole income trust sample, Table 7, Panel C shows the number and corresponding percentage of income trusts that have worse performance in the post-IPO years than in