Analysis and research of system security based on Android

Post on 09-May-2015

Application Security Based On

By- Ravishankar Kumar 95511101

Overview

• Why care about mobile security?
• What is Android?
• How do I develop on Android?
  o Android Market
• What about Security?
  o Cornerstones of Android security
    Prevention
    Minimization
    Detection
    Reaction

Some Statistics

→ Android powers hundreds of millions of mobile devices in more than 190 countries around the world.

→ Android users download more than 1.5 billion apps and games from Google Play each month.

→ Easily optimize a single binary for phones, tablets, and other devices.

→ Google Play is the premier marketplace for selling and distributing Android apps.

Factors to care about mobile security

1. Android malware

→ It can use runtime environments like the Java virtual machine or the .NET Framework.

→ It sends personal information to unauthorised third parties.

→ It can partially damage the device, or delete or modify data on the device.

→ It can spread through proximate devices using Wi-Fi, Bluetooth and infrared.

→ It can also spread using remote networks such as telephone calls, SMS or emails.

Factors to care about mobile security Cont..

2. Ad Networks and Permissions

→ Access to a phone number or device ID lets advertisers track your movements between apps and build up complicated profiles.

→Less reputable ad networks may also try to access your address book in order to send ads to other people, or even change your ringtone to an advertisement.

→The attacker can easily force the smartphone to make phone calls.

3. Loss and Theft

→Reports claim that 1.6 million Americans had their phone stolen in 2013.

Mobile Security Matures

We are now seeing attacks against all layers of mobile infrastructure:

• Applications
• Platform
• OS
• Baseband
• Network

Mobile devices must be treated as fully fledged computers.

Introducing Android

» Android is open source and Google releases the code under the Apache License.

Source code at http://source.android.com

» Any developer can use

SDK at http://developer.android.com

» Third party apps available on Google Play

Download at http://play.google.com/store

» Official website of Android

More at http://www.android.com

Android Version

New Version

Usage On

The Android Technology Stack

• Linux kernel
• Relies upon 90+ open source libraries
  o Integrated WebKit-based browser
  o SQLite for structured data storage
  o OpenSSL
  o Bouncy Castle
  o libc based on OpenBSD
  o Apache Harmony
  o Apache HttpClient
• Supports common sound, video and image codecs
• API support for handset I/O
  o Bluetooth, EDGE, 3G, Wi-Fi
  o Camera, video, GPS, compass, accelerometer, sound, vibrator

Overview

• Why care about mobile security?
• What is Android?
• How do I develop on Android?
  o Android Market
• What about Security?
  o Android security issues
  o Storing Data
  o Using Permissions
  o Cryptography
• Example Application

Android Security

Some of the core security features that help you build secure apps include:

» The Android Application Sandbox, which isolates your app data and code execution from other apps.

»An application framework with robust implementations of common security functionality such as cryptography, permissions, and secure IPC.

» An encrypted file system that can be enabled to protect data on lost or stolen devices.

» User-granted permissions to restrict access to system features and user data.

» Application-defined permissions to control application data on a per-app basis.

Android Application Sandbox

Storing Data

The most common security concern for an application on Android is whether the data that you save on the device is accessible to other apps.

There are three fundamental ways to save data on the device:

1. Using internal storage

» By default, files that you create on internal storage are accessible only to your app.

» To provide additional protection for sensitive data, you might choose to encrypt local files using a key that is not directly accessible to the application.

2. Using external storage

» Files created on external storage, such as SD Cards, are globally readable and writable.

» As with data from any untrusted source, you should perform input validation when handling data from external storage.

Storing Data Cont..

3. Using content providers

» Content providers offer a structured storage mechanism that can be limited to your own application or exported to allow access by other applications.

» When creating a ContentProvider that will be exported for use by other applications, you can specify a single permission for reading and writing, or distinct permissions for reading and writing within the manifest.

Using Permissions

Because Android sandboxes applications from each other, applications must explicitly share resources and data.

Requesting Permissions

» If it's possible to design your application in a way that does not require any permissions, that is preferable.

» In addition to requesting permissions, your application can use the <permission> element to protect IPC that is security sensitive and will be exposed to other applications, such as a ContentProvider.

Creating Permissions

» Creating a new permission is relatively uncommon for most applications.

Using Permissions Cont..

Creating Permissions

» If you must create a new permission, consider whether you can accomplish your task with a "signature" protection level.

» If you create a permission with the "dangerous" protection level, there are a number of complexities that you need to consider:

1. The permission must have a string that concisely expresses to a user the security decision they will be required to make.

2. The permission string must be localized to many different languages.

3. Users may choose not to install an application because a permission is confusing or perceived as risky.

4. Applications may request the permission when the creator of the permission has not been installed.

Using Cryptography

» Android provides a wide array of algorithms for protecting data using cryptography.

» Use existing cryptographic algorithms such as those in the implementation of AES or RSA provided in the Cipher class.

» Use a secure random number generator, SecureRandom, to initialize any cryptographic keys generated with KeyGenerator.

Example Applications

• Lookout Security & Antivirus

• App Lock

• Phone security alarm system

Lookout Security & Antivirus

Lookout Security & Antivirus FREE Features:

►SECURITY & ANTIVIRUS
• App Scanning: Continuous, over-the-air protection from viruses, malware, adware and spyware

►FIND MY PHONE
• Locate & Scream: Map the location of your device and make it sound an alarm
• Signal Flare: Automatically save your phone's location when the battery is low.

►BACKUP & DOWNLOAD
• Contact Backup: Save a copy of your Google contacts

App Lock

App Lock Features:

» AppLock can lock SMS, Contacts, Gmail, Facebook, Gallery, Market, Settings.

» AppLock empowers you to control photo and video access.

» With AppLock, only you can see your hidden pictures. Privacy made easy!

» Selected pictures vanish from your photo gallery, and stay locked behind an easy-to-use PIN pad.