anil android

Upload: anil-sanga

Post on 06-Apr-2018


TRANSCRIPT

  • 8/3/2019 Anil Android

    1/23

    Understanding Android Security

    Yinshu Wu

    William Enck, Machigar Ongtang, and Patrick McDaniel, Pennsylvania State University

  • 2/23 Outline

    I. Introduction
    II. Android Applications
    III. Security Enforcement
    IV. Security Refinements
    V. Lessons in Defining Policy

  • 3/23 Introduction

    The next generation of open operating systems will be developed on small mobile devices.

    Android (Google) is a widely anticipated open source operating system for mobile devices.

    It provides the base operating system, an application middleware layer, a Java software development kit and a collection of system applications.

  • 4/23 Introduction (cont.)

    Features of Android:

    1. Doesn't support applications developed for other platforms.
    2. Restricts application interaction to its special APIs by running each application as its own user identity.
    3. Uses a simple permission label assignment model to restrict access to resources and other applications.

  • 5/23 Android Applications --- Example

    Example of a location-sensitive social networking application for mobile phones in which users can discover their friends' locations.

    Activities provide a user interface, Services execute background processing, Content providers are data storage facilities, and Broadcast receivers act as mailboxes for messages from other applications.

  • 6/23 Android Applications --- Example Application (cont.)

    Take the FriendTracker application as an example:

    FriendTracker (Service) polls an external service to discover friends' locations.

    FriendProvider (Content provider) maintains the most recent geographic coordinates for friends.

    FriendTrackerControl (Activity) defines a user interface for starting and stopping the tracking functionality.

    BootReceiver (Broadcast receiver) gets a notification from the system once it boots (the application uses this to automatically start the FriendTracker service).

  • 7/23 Android Applications --- Component Interaction

    Intent - the primary mechanism for component interaction; simply a message object containing a destination component address and data.

    Action - the process of inter-component communication.

  • 8/23 Android Applications --- Component Interaction (cont.)

    Example: Interaction between components in applications and with components in system applications. Interactions occur primarily at the component level.

  • 9/23 Android Applications --- Component Interaction (cont.)

    Each component type supports interaction specific to its type. For example, Service components support start, stop, and bind actions, so the FriendTrackerControl (Activity) can start and stop the FriendTracker (Service) that runs in the background.

  • 10/23 Security Enforcement

    Android protects applications at the system level and at the inter-component communication (ICC) level. This article focuses on ICC-level enforcement.

    Each application runs as a unique user identity, which lets Android limit the potential damage of programming flaws.

  • 11/23 Security Enforcement (cont.)

    Example: Protection. Security enforcement in Android occurs in two places: each application executes as its own user identity, allowing the underlying Linux system to provide system-level isolation; and the Android middleware contains a reference monitor that mediates the establishment of inter-component communication (ICC).

  • 12/23 Security Enforcement (cont.)

    Core idea of Android security enforcement: labels assigned to applications and components.

    A reference monitor provides mandatory access control (MAC) enforcement of how applications access components. Access to each component is restricted by assigning it an access permission label; applications are assigned collections of permission labels.

    When a component initiates ICC, the reference monitor looks at the permission labels assigned to its containing application and, if the target component's access permission label is in that collection, allows ICC establishment to proceed.

  • 13/23 Security Enforcement (cont.)

    Example: Access permission logic. The Android middleware implements a reference monitor providing mandatory access control (MAC) enforcement about how applications access components. The basic enforcement model is the same for all component types. Component A's ability to access components B and C is determined by comparing the access permission labels on B and C to the collection of labels assigned to application 1.

  • 14/23 Security Enforcement - Conclusion

    Assigning permission labels to an application specifies its protection domain. Assigning permissions to the components in an application specifies an access policy to protect its resources.

    Android's policy enforcement is mandatory: all permission labels are set at install time and can't change until the application is reinstalled.

    Android's permission label model only restricts access to components and doesn't currently provide information flow guarantees.

  • 15/23 Security Refinements --- Public vs. Private Components

    Applications often contain components that another application should never access, for example a component related to password storage. The solution is to define a private component.

    This significantly reduces the attack surface for many applications.

  • 16/23 Security Refinements --- Implicitly Open Components

    At development time, if the access permission decision is unclear, the developer can permit the functionality by not assigning an access permission to it.

    If a public component doesn't explicitly have an access permission listed in its manifest definition, Android permits any application to access it.

  • 17/23 Security Refinements --- Broadcast Intent Permissions

    Sending an unprotected intent is a privacy risk.

    The Android API for broadcasting intents optionally allows the developer to specify a permission label to restrict access to the intent object.

  • 18/23 Security Refinements --- Content Provider Permissions

    The developer may want his application to be the only one that updates the contents, but other applications to be able to read them.

    Android allows such a security policy by assigning read or write permissions.

  • 19/23 Security Refinements --- Protected APIs

    Not all system resources (for example, the network) are accessed through components; instead, Android provides direct API access.

    Android protects these sensitive APIs with additional permission label checks: an application must declare a corresponding permission label in its manifest file to use them.

  • 20/23 Security Refinements --- Permission Protection Levels

    The permission protection levels provide a means of controlling how developers assign permission labels.

    Signature permissions ensure that only the framework developer can use the specific functionality (only Google applications can directly interface with the telephony API, for example).
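    The following is an added toy model, not code from the paper or from Android itself, of the reference monitor decision described on the Security Enforcement slides together with the refinements above (private components, implicitly open components, broadcast intent permissions, separate read/write labels on content providers, and signature protection levels checked at install time). All label names, signers and applications in it are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Component:
    kind: str                               # activity, service, receiver or provider
    exported: bool = True                   # False: private, reachable only by its own app
    permission: Optional[str] = None        # None on a public component: implicitly open
    read_permission: Optional[str] = None   # providers may split read and write labels
    write_permission: Optional[str] = None

@dataclass
class App:
    name: str
    signer: str                                   # key the package was signed with
    requested: set = field(default_factory=set)   # labels named in its manifest
    labels: set = field(default_factory=set)      # labels granted at install time

def install(app: App, perms: dict) -> set:
    """Install-time label assignment; perms maps label -> (protection level, declarer's signer).
    A 'signature' label is granted only to a package signed with the declarer's key."""
    app.labels = {p for p in app.requested if p in perms and not
                  (perms[p][0] == "signature" and perms[p][1] != app.signer)}
    return app.labels

def check_icc(caller: App, owner: App, target: Component, action: str = "start") -> bool:
    """Reference monitor decision for an ICC from caller to a component declared by owner."""
    if caller is owner:
        return True                      # an app always reaches its own components
    if not target.exported:
        return False                     # private component: denied to every other app
    needed = target.permission
    if target.kind == "provider":        # a read/write label, where set, takes precedence
        needed = (target.read_permission if action == "read"
                  else target.write_permission) or needed
    return needed is None or needed in caller.labels   # None: implicitly open

def check_broadcast(required: Optional[str], receiver: App) -> bool:
    """Broadcast intent permission: the sender names a label the receiver must already hold."""
    return required is None or required in receiver.labels

# Constructed sample policy: labels, signers and apps are invented for this example
PERMS = {"READ_FRIENDS": ("normal", ""), "WRITE_FRIENDS": ("normal", ""),
         "TELEPHONY_CORE": ("signature", "platform-key")}
TRACKER = App("FriendTracker", "dev-key-1", {"READ_FRIENDS", "WRITE_FRIENDS"})
VIEWER = App("FriendViewer", "dev-key-2", {"READ_FRIENDS", "TELEPHONY_CORE"})
install(TRACKER, PERMS); install(VIEWER, PERMS)
PROVIDER = Component("provider", read_permission="READ_FRIENDS", write_permission="WRITE_FRIENDS")
SECRETS = Component("provider", exported=False)     # e.g. password storage: private
CONTROL = Component("activity")                     # no label: implicitly open to all
```

    With this policy FriendViewer can read FriendProvider but not write it, never reaches the private store, reaches the unlabeled activity freely, and is refused the signature-protected label at install time because it is not signed with the platform key.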

  • 21/23 Security Refinements --- Pending Intents

    Pending intent: a developer defines an intent object to perform an action. However, instead of performing the action, the developer passes the intent to a special method that creates a PendingIntent object corresponding to the desired action. The PendingIntent object is simply a reference pointer that can be passed to another application.

    Pending intents allow applications included with the framework to integrate better with third-party applications.

  • 22/23 Lessons in Defining Policy

    Android security policy begins with a relatively easy-to-understand MAC enforcement model, but the number and subtlety of refinements make it difficult to discover an application's policy.

    The label itself is merely a text string, but its assignment to an application provides access to potentially limitless resources.

  • 23/23 Thanks!