Analysis and research of system security based on android

Application Security Based On

By- Ravishankar Kumar 95511101

Overview

• Why care about mobile security?• What is Android?

• How do I develop on Android?o Android Market

• What about Security?o Cornerstones of Android security

PreventionMinimizationDetectionReaction

Some Statistics→Android powers hundreds of millions of mobile devices in more than 190 countries around the world.

→Android users download more than 1.5 billion apps and games from Google Play each month.

→Easily optimize a single binary for phones, tablets,

and other devices.

→Google Play is the premier marketplace for

selling and distributing Android apps.

Factor care about mobile security1.Android malware

→ It can use runtime environments like

Java virtual machine or the .NET Framework.

→ It sends personal information to unauthorised third parties.

→ It can partially damage the device, or delete or modify

data on the device.

→ It can spread through proximate devices using Wi-Fi,

Bluetooth and infrared.

→ It can also spread using remote networks such as telephone calls

or SMS or emails.

Factor care about mobile security

2.Ad Networks and Permissions

→Attackers access to a phone number or device ID lets advertisers track your movements between apps, and build up complicated profiles.

→Less reputable ad networks may also try to access your address book in order to send ads to other people, or even change your ringtone to an advertisement.

→The attacker can easily force the smartphone to make phone calls.

3. Loss and Theft

→Reports claim that 1.6 million Americans had their phone stolen in 2013.

Mobile Security Matures

We are now seeing attacks against all layers of mobile infrastructure:

• Applications• Platform• OS• Baseband• Network

Mobile devices must be treated as fully fledged computers.

Overview

• Why care about mobile security?• What is Android?• How do I develop on Android?

o Android Market• What about Security?

o Cornerstones of Android securityPreventionMinimizationDetectionReaction

Introducing Android

» Android is open source and Google releases the code under the Apache License.

Source code at http://source.android.com

» Any developer can use

SDK at http://developer.android.com

» Third party apps available on Google Play

Download at http://play.google.com/store

»Official Website of Android

More at http://www.android.com

Android Version

New Version

Usage On

The Android Technology Stack• Linux kernel• Relies upon 90+ open source libraries

o Integrated Web Kit based browsero SQLite for structured data storageo OpenSSLo Bouncy Castleo libc based on OpenBSDo Apache Harmonyo Apache Http Client

• Supports common sound, video and image codecs• API support for handset I/O

o Bluetooth, EDGE, 3G, wifio Camera, Video, GPS, compass, accelerometer,

sound, vibrator

Overview• Why care about mobile security?• What is Android?• How do I develop on Android?

o Android Market• What about Security?

o Android security IssueoStoring DataoUsing PermissionoCryptography

Example Application

Android SecuritySome of the core security features that help you build secure apps include:

»The Android Application Sandbox, which isolates your app data and code execution from other apps.

»An application framework with robust implementations of common security functionality such as cryptography, permissions, and secure IPC.

» An encrypted file system that can be enabled to protect data on lost or stolen devices.

» User-granted permissions to restrict access to system features and user data.

» Application-defined permissions to control application data on a per-app basis.

Android Application Sandbox

Storing DataThe most common security concern for an application on Android is whether the data that you save on the device is accessible to other apps.

There are three fundamental ways to save data on the device:

1. Using internal storage

» By default, files that you create on internal storage are accessible only to your app.

» To provide additional protection for sensitive data, you might choose to encrypt local files using a key that is not directly accessible to the application.

2. Using external storage

» Files created on external storage, such as SD Cards, are globally readable and writable.

» As with data from any untrusted source, you should perform input validation when handling data from external storage.

Storing Data Cont..

3. Using content providers

»Content providers offer a structured storage mechanism that can be limited to your own application or exported to allow access by other applications.

» When creating a ContentProvider that will be exported for use by other applications, you can specify a single permission for reading and writing, or distinct permissions for reading and writing within the manifest.

Using PermissionsBecause Android sandboxes applications from each other, applications must explicitly share resources and data.

Requesting Permissions

» If it's possible to design your application in a way that does not require any permissions, that is preferable.

» addition to requesting permissions, your application can use the <permissions> to protect IPC that is security sensitive and will be exposed to other applications, such as a ContentProvider.

Creating Permissions

» Creating a new permission is relatively uncommon for most applications.

Using Permission Cont..Creating Permissions

» If you must create a new permission, consider whether you can accomplish your task with a "signature" protection level.

» If you create a permission with the "dangerous" protection level, there are a number of complexities that you need to consider:

1. The permission must have a string that concisely expresses to a user the security decision they will be required to make.

2.The permission string must be localized to many different languages.

3.Users may choose not to install an application because a permission is confusing or perceived as risky.

4.Applications may request the permission when the creator of the permission has not been installed.

Using Cryptography

» Android provides a wide array of algorithms for protecting data using cryptography.

» Use existing cryptographic algorithms such as those in the implementation of AES or RSA provided in the Cipher class.

» Use a secure random number generator, SecureRandom, to initialize any cryptographic keys, KeyGenerator.

Overview

• Why care about mobile security?• What is Android?• How do I develop on Android?o Android Market

• What about Security?o Cornerstones of Android security

Prevention Minimization Detection ReactionExample Application

Example Applications

• Lookout Security & Antivirus

• App Lock

• Phone security alarm system

Lookout Security & AntivirusLookout Security & Antivirus FREE Features:


►SECURITY & ANTIVIRUS• App Scanning: Continuous, over-the-air

protection from viruses, malware,

adware and spyware




adware and spyware

►FIND MY PHONE• Locate & Scream: Map the location of

your device and make it sound an alarm• Signal Flare: Automatically save your

phone's location when the battery is low.




adware and spyware

►FIND MY PHONE• Locate & Scream: Map the location of

your device and make it sound an alarm• Signal Flare: Automatically save your

phone's location when the battery is low.

►BACKUP & DOWNLOAD

• Contact Backup: Save a copy of your

Google contacts

Lookout Security & Antivirus

App LockApp Lock Features:

» AppLock can lock SMS, Contacts, Gmail, Facebook, Gallery, Market, Settings.



» AppLock empowers you to control photo and

video access.




video access.

» With AppLock, only you can see your hidden pictures. Privacy made easy!




video access.

» With AppLock, only you can see your hidden pictures. Privacy made easy!

» Selected pictures vanish from your photo

gallery, and stay locked behind an

easy-to-use PIN pad.

App Lock

Analysis and research of system security based on android

Technology

Transcript of Analysis and research of system security based on android