Transcript of Android Security by Example
Page 1
Android Security by Example
Pragati Ogal Rai, Mobile Technology Evangelist, PayPal
@pragatiogal @PayPalDev
Page 2
Agenda
securitywatch.pcmag.com
www.androidauthority.com
Page 3
Why do I care?
500,000+ apps on Google Play (applicationandroid.info)
Page 4
Why do I care?
I'm free and open!
Page 5
Why do I care?
You control your phone!
Page 6
Why do I care?
Security is shared across consumers, developers, carriers, OS vendors, OEMs, services and infrastructure.
You only control your phone and your apps!
Page 7
Architecture
developer.android.com
Page 8
Linux Kernel
Linux process sandbox
Each application is assigned its own UID (and GID) at install time; every process of that application runs under that UID, so the kernel's ordinary file and process permissions keep applications apart.
Page 9
Linux Kernel (Cont'd)
include/linux/android_aid.h maps certain permissions to supplementary group IDs that the kernel enforces:
AID_NET_BT 3002 Can create Bluetooth sockets
AID_INET 3003 Can create IPv4 and IPv6 sockets
Page 10
Dalvik VM
Photo by floheinstein
Dalvik is not a security boundary
Page 11
Dalvik VM
G7VJR's Blog
• No SecurityManager
• Process isolation, memory management and threading are enforced by the OS, not by the VM
• Bytecode verification is done for optimization, not as a security check
• No difference between native and Java code: both run inside the same process sandbox with the same UID
Page 12
Application Components
• Activity: defines a screen
• Service: background processing
• Broadcast Receiver: mailbox for messages from other applications
• Content Provider: structured (usually relational) data shared with other applications
All four component types can be protected with permissions
Page 13
Activity
Check out developer.android.com
Page 14
Activity
<activity android:name=".ExampleActivity"
    android:process=":new_process"
    android:exported="true"
    android:permission="android.permission.SEND_SMS">
    <!-- a caller must hold SEND_SMS to start this activity; with MAIN/LAUNCHER that includes the home screen launcher -->
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>
Page 15
Activity
Intent intent = new Intent(Intent.ACTION_SEND);
intent.putExtra(Intent.EXTRA_EMAIL, recipientArray);
startActivity(intent);
Run in the application's own UID (or a separate process if android:process is set)
Secured using permissions
Visibility can be set (android:exported)
Add categories to the intent filter
Malformed data can be passed through an Intent: validate every extra before using it
Do not pass sensitive data in intents
Page 16
Service
<service
    android:enabled=["true" | "false"]
    android:exported=["true" | "false"]
    android:icon="drawable resource"
    android:isolatedProcess=["true" | "false"]
    android:label="string resource"
    android:name="string"
    android:permission="string"
    android:process="string" >
    . . . . .
</service>
Page 17
Service
<service
    android:name="bookService"
    android:process=":my_process"
    android:icon="@drawable/icon"
    android:label="@string/service_name" >
    . . . . . . .
</service>
Page 18
Service
• A component can "bind" to a service using bindService()
• A Binder channel is used to talk to the service
• Check the calling component's permission; the result is PERMISSION_GRANTED or PERMISSION_DENIED
getPackageManager().checkPermission(permToCheck, name.getPackageName())
(This resolves a permission for a named package. Inside a Binder call, Context.checkCallingPermission(perm) checks the actual caller of the current transaction, which is what a service should rely on.)
Page 19
Binder
• Synchronous RPC mechanism
• Define the interface with AIDL
• Same process or different processes
• transact() on the client side, Binder.onTransact() on the server side
• Data sent as a Parcel
• Secured by checking the caller's permission or identity (Binder.getCallingUid() / getCallingPid())
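As an added example (not code from the slides), here is a bound Service whose Binder enforces a permission on every transaction rather than only at bind time. The permission name com.example.android.book.READ_BOOKSTORE, the transaction code and the countBooks() stand-in are assumptions for illustration.

```java
// Added example, not from the original deck. Assumed: the custom permission
// com.example.android.book.READ_BOOKSTORE is declared with <permission> in the
// manifest, and the only operation is "count books" (transaction code below).
package com.example.android.book;

import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import android.util.Log;

public class BookService extends Service {
    private static final String TAG = "BookService";
    // Permission a caller must hold for any transaction on this Binder.
    static final String PERM_READ = "com.example.android.book.READ_BOOKSTORE";
    // Transaction code for the single exposed operation (assumed).
    static final int TRANSACTION_COUNT_BOOKS = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // During onTransact the calling identity is the remote process, so
            // checkCallingPermission() evaluates the caller, not this service.
            int callerUid = Binder.getCallingUid();
            int callerPid = Binder.getCallingPid();
            if (BookService.this.checkCallingPermission(PERM_READ)
                    != PackageManager.PERMISSION_GRANTED) {
                Log.w(TAG, "denied transaction " + code + " from uid=" + callerUid
                        + " pid=" + callerPid);
                // Binder propagates SecurityException back to the caller.
                throw new SecurityException("caller lacks " + PERM_READ);
            }
            if (code == TRANSACTION_COUNT_BOOKS) {
                reply.writeNoException();
                reply.writeInt(countBooks());
                return true;
            }
            // Unknown codes fall through to Binder's own handling (e.g. PING).
            return super.onTransact(code, data, reply, flags);
        }
    };

    // The real work runs with the service's own identity and permissions.
    int countBooks() {
        return 42; // stand-in for a database query
    }

    @Override
    public IBinder onBind(Intent intent) {
        // android:permission on <service> in the manifest is checked by the system
        // before onBind runs; the per-transaction check above is defence in depth
        // for the case where this IBinder is handed on to a third process.
        return binder;
    }
}
```

checkCallingPermission() returns PERMISSION_DENIED when there is no incoming IPC (the service calling its own Binder in-process); for methods that are also called locally use checkCallingOrSelfPermission(). Never call Binder.clearCallingIdentity() before the check, or the check evaluates the service itself.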
Page 20
Broadcast Receiver
A Service (or the Android system) says "I've got news!" and the broadcast is delivered to the registered receivers: Receiver A, Receiver B, Receiver C
Page 21
Broadcast Receiver
<receiver android:enabled=["true" | "false"]
    android:exported=["true" | "false"]
    android:icon="drawable resource"
    android:label="string resource"
    android:name="string"
    android:permission="string"
    android:process="string" >
    . . .
</receiver>
Page 22
Broadcast Receiver
<receiver android:name=".MyListener"
    android:permission="android.permission.BROADCAST_SMS">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>
Protecting a receiver with a permission: the sender of the broadcast must hold it. For SMS_RECEIVED that permission should be android.permission.BROADCAST_SMS, a signature-level permission held only by the system, so no other application can deliver a forged SMS to the receiver. Requiring android.permission.READ_SMS here would not help: any application granted that dangerous permission could send the broadcast.
Page 23
Broadcast Receiver
Selecting which receivers an Intent is delivered to: the second argument is a permission that a receiver must hold (not an action name)
Intent intent = new Intent();
intent.setAction(MY_BROADCAST_ACTION);
sendBroadcast(intent, "com.example.android.book.READ_BOOKSTORE");
Page 24
Broadcasts
• Sending broadcast intents
  – For sensitive data, pass a manifest permission name as the receiver permission so that only receivers holding it get the broadcast
• Receiving broadcast intents
  – Validate input from intents
  – An intent filter is not a security boundary
  – Categories narrow down delivery but do not guarantee security
  – A receiver declared with an intent filter is exported (android:exported=true) unless you set it to false
• Sticky broadcasts stick around: any application can read or replace them, so never put sensitive data in one
  – Need the BROADCAST_STICKY permission
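Putting the two sides of pages 23 and 24 together, as an added example rather than code from the slides: a sender that restricts delivery with a receiver permission and an explicit package, and a receiver that treats the incoming Intent as untrusted input. The action, permission and extra names are assumed.

```java
// Added example, not from the original deck. Assumed names: the action,
// the custom permission (declared with <permission> in the manifest) and the
// extra key below.
package com.example.android.book;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.util.Log;

public final class BookBroadcasts {
    static final String ACTION_BOOK_ADDED = "com.example.android.book.action.BOOK_ADDED";
    static final String PERM_READ = "com.example.android.book.READ_BOOKSTORE";
    static final String EXTRA_BOOK_ID = "com.example.android.book.extra.BOOK_ID";

    // Sender side. The receiverPermission argument means only applications that
    // hold PERM_READ are delivered the intent; setPackage() additionally turns the
    // broadcast into an explicit one for a single package. Drop setPackage() if
    // other (permission-holding) applications are meant to receive it.
    static void announce(Context ctx, long bookId) {
        Intent i = new Intent(ACTION_BOOK_ADDED)
                .setPackage(ctx.getPackageName())
                .putExtra(EXTRA_BOOK_ID, bookId);
        ctx.sendBroadcast(i, PERM_READ);
    }

    // Receiver side. A manifest <receiver> with an intent filter is exported, so
    // the action and every extra are checked even though a filter "matched".
    public static final class BookAddedReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            if (intent == null || !ACTION_BOOK_ADDED.equals(intent.getAction())) {
                return; // the filter narrows delivery; it does not prove the action
            }
            long id = intent.getLongExtra(EXTRA_BOOK_ID, -1L);
            if (id < 0) {
                Log.w("BookAddedReceiver", "missing or malformed " + EXTRA_BOOK_ID);
                return;
            }
            handle(id);
        }

        void handle(long id) {
            // update a local cache or UI for this book id
        }
    }

    // Dynamic registration with a broadcastPermission: only senders that hold
    // PERM_READ can deliver to this receiver (the mirror image of the send side).
    static BroadcastReceiver register(Context ctx) {
        BroadcastReceiver r = new BookAddedReceiver();
        ctx.registerReceiver(r, new IntentFilter(ACTION_BOOK_ADDED), PERM_READ, null);
        return r;
    }
}
```

Applications targeting Android 14 (API 34) must use the registerReceiver() overload that takes flags and pass RECEIVER_EXPORTED or RECEIVER_NOT_EXPORTED; the four-argument form above is shown because it matches the API level of the deck.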
Page 25
Content Provider
A content provider in Application A fronts a data source (a SQLite DB, the Internet, data files or a remote database) and serves activities in Application A and in Application B.
Allows applications to share data
Protected with permissions
Content providers are addressed with URIs:
content://<authority>/<table>/[<id>]
Page 26
Content Provider
<provider android:authorities="list"
    android:enabled=["true" | "false"]
    android:exported=["true" | "false"]
    android:grantUriPermissions=["true" | "false"]
    android:icon="drawable resource"
    android:initOrder="integer"
    android:label="string resource"
    android:multiprocess=["true" | "false"]
    android:name="string"
    android:permission="string"
    android:process="string"
    android:readPermission="string"
    android:syncable=["true" | "false"]
    android:writePermission="string" >
    . . . . . . .
</provider>
Page 27
Content Provider
<provider
    android:authorities="com.example.android.books.contentprovider"
    android:name=".contentprovider.MyBooksdoContentProvider"
    android:readPermission="com.example.android.books.DB_READ"
    android:writePermission="com.example.android.book.DB_WRITE">
    <grant-uri-permission android:pathPrefix="/figures/" />
    <meta-data android:name="books" android:value="@string/books" />
</provider>
readPermission and writePermission split access by direction. <grant-uri-permission> lets the provider hand out temporary access to individual URIs under /figures/ to callers that do not hold DB_READ; android:path would only match the exact string "/figures/", so android:pathPrefix is used here.
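An added example (not from the slides) of the URI permission grant the manifest above enables: the sending activity shares exactly one figure with a viewer application, the viewer reads it through the resolver, and the provider accepts only the URI shapes it defines. The authority is the one in the manifest; the viewer package, the "_size" column, the pathPrefix grant for /figures/ and the helper names are assumptions.

```java
// Added example, not from the original deck. Assumed: the provider grants
// URI permissions for paths under /figures/ (pathPrefix), rows expose a
// "_size" column, and the viewer package name below exists.
package com.example.android.book;

import android.content.ContentResolver;
import android.content.Context;
import android.content.Intent;
import android.content.UriMatcher;
import android.database.Cursor;
import android.net.Uri;

public final class FigureSharing {
    static final String AUTHORITY = "com.example.android.books.contentprovider";
    static final Uri FIGURES = Uri.parse("content://" + AUTHORITY + "/figures");

    // Sender: the target activity gets read access to this one URI for as long as
    // it is alive, without holding DB_READ. The grant only works for paths the
    // manifest lists in <grant-uri-permission>, so other rows stay protected.
    static Intent shareFigure(long figureId, String viewerPackage) {
        Uri one = FIGURES.buildUpon().appendPath(Long.toString(figureId)).build();
        return new Intent(Intent.ACTION_VIEW)
                .setPackage(viewerPackage)          // explicit target, not "best match"
                .setDataAndType(one, "image/png")
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
    }

    // Receiver: reads through the resolver. The system checks the grant, so a
    // SecurityException here means the grant did not cover this URI.
    static long readFigureSize(Context ctx, Uri uri) {
        ContentResolver cr = ctx.getContentResolver();
        try (Cursor c = cr.query(uri, new String[] {"_size"}, null, null, null)) {
            return (c != null && c.moveToFirst()) ? c.getLong(0) : -1L;
        }
    }

    // Provider side: accept only "figures/<number>". Anything else (extra path
    // segments, another table name, a non-numeric id) is rejected before the
    // database is touched, so a granted URI cannot be bent towards other data.
    static final int FIGURE_ID = 1;
    static final UriMatcher MATCHER = new UriMatcher(UriMatcher.NO_MATCH);
    static {
        MATCHER.addURI(AUTHORITY, "figures/#", FIGURE_ID);
    }

    static long figureIdFrom(Uri uri) {
        if (MATCHER.match(uri) != FIGURE_ID) {
            throw new IllegalArgumentException("unsupported URI " + uri);
        }
        return Long.parseLong(uri.getLastPathSegment());
    }
}
```

The grant is tied to the receiving component: once its task finishes the URI is no longer readable, which is the point of granting per URI instead of handing out DB_READ.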
Page 28
Application
Check the <application> tag declaration on developer.android.com
Page 29
Permissions
Permissions restrict component interaction
Permission labels are defined in AndroidManifest.xml
Mandatory access control enforced by a reference monitor in the middleware
PackageManager and ActivityManager enforce permissions
Page 30
Application Permissions
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
Page 31
Permissions for External Applications
Defined in the <application> tag
Defined in a component tag: <activity>, <provider>, <receiver>, <service>
A component-level permission overrides the application-level permission
Page 32
Permissions for External Applications
<application
    android:allowBackup="true"
    android:icon="@drawable/ic_launcher"
    android:label="@string/app_name"
    android:permission="android.permission.ACCESS_COARSE_LOCATION">
    <service android:enabled="true"
        android:name=".MyService"
        android:permission="android.permission.WRITE_EXTERNAL_STORAGE">
    </service>
    . . . . . . . .
</application>
Page 33
Permission Protection Levels
normal: android.permission.VIBRATE, com.android.alarm.permission.SET_ALARM
dangerous: android.permission.SEND_SMS, android.permission.CALL_PHONE
signature: android.permission.FORCE_STOP_PACKAGES, android.permission.INJECT_EVENTS
signatureOrSystem: android.permission.ACCESS_USB, android.permission.SET_TIME
Page 34
User Defined Permissions
Create a permission:
<permission android:name="com.example.android.book.READ_BOOKSTORE"
    android:description="@string/perm_read_bookstore"
    android:label="Read access to books database"
    android:permissionGroup="BOOKSTORE_PERMS"
    android:protectionLevel="dangerous" />
Create a permission group:
<permission-group android:description="@string/perm_group_bookstore"
    android:label="@string/perm_group_bookstore_label"
    android:name="BOOKSTORE_PERMS" />
Use protectionLevel="signature" for permissions that only your own applications should ever hold; "dangerous" is for permissions you intend third-party applications to request.
Page 35
User Defined Permissions
Create a permission tree:
<permission-tree android:name="com.example.android.book"
    android:label="@string/perm_tree_book" />
Names under the tree (individual permissions can be added at runtime with PackageManager.addPermission()):
com.example.android.book
com.example.android.book.READ_BOOK
com.example.android.book.bookstore.READ_BOOKSTORE
com.example.android.book.bookstore.WRITE_BOOKSTORE
Page 36
Storing & Sharing
http://blogs.salesforce.com/
Sharing with internal applications (same certificate)
Sharing with external applications
Page 37
Sharing with Internal Applications
• sharedUserId
• Preferences
• Cache
• Intents
Page 38
sharedUserId
Run applications in the same UID
Page 39
sharedUserId
com.example.example1:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.example1"
    android:versionCode="1"
    android:versionName="1.0"
    android:sharedUserId="com.sharedID.example">
com.example.example2:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.example2"
    android:versionCode="1"
    android:versionName="1.0"
    android:sharedUserId="com.sharedID.example">
sharedUserId follows the package name format
Any other naming convention results in an error such as INSTALL_PARSE_FAILED_BAD_SHARED_USER_ID
Both packages must be signed with the same certificate, and the value cannot be changed after release without the applications losing access to their own data; sharedUserId is deprecated since API 29.
Page 40
Preferences
• Store primitive data in key-value format
• Persistent storage
• Sandboxed with the application
Page 41
Cache
// Write to the cache file
String myString = "Hello World!";
File file = new File(getCacheDir(), "MyCacheFile");
FileOutputStream fOut = new FileOutputStream(file);
OutputStreamWriter osw = new OutputStreamWriter(fOut);
osw.write(myString);
osw.flush();
osw.close();
The cache file is sandboxed with the application
Can be created on external storage with getExternalCacheDir(), where it is not protected by the sandbox
Cache files may be deleted when the system is running low on storage space
Page 42
Sharing with External Applications
• Content Providers
• Files
• Intents
• Databases
Page 43
Files
• Applications have their own area for files
• Files are protected by Unix-like file permissions
• Different modes: world readable, world writable, private, append
FileOutputStream fos = openFileOutput("myFile", Context.MODE_WORLD_READABLE);
MODE_WORLD_READABLE and MODE_WORLD_WRITEABLE expose the file to every application on the device; they were deprecated in API 17 and throw a SecurityException from API 24. Share files through a content provider instead.
Page 44
Intents
Intent: inter-component interaction, asynchronous IPC, explicit or implicit
Binder: synchronous IPC, exposed through AIDL
Page 45
Explicit Intents
"I know where you live!": an Activity in Application A names an Activity in Application B
Specify a component name
Do not put sensitive data in intents
Components need not be in the same application
startActivity(Intent)
sendBroadcast(Intent)
Page 46
Implicit Intents
"Get me the best match!": an Activity in Application A is matched against Activities in Applications B, C and D
No component name specified
Do not put sensitive data in intents
Components need not be in the same application
startActivity(Intent)
sendBroadcast(Intent)
Page 47
Pending Intent
• Token given to a foreign application to perform an action on your application's behalf
• Runs with your application's identity and permissions
• Even if its owning application's process is killed, the PendingIntent itself remains usable from other processes
• Provide a component name in the base intent (make it explicit); fields the base intent leaves empty can be filled in by whoever holds the token
  – PendingIntent.getActivity(Context, int, Intent, int)
Activity A to Activity B: "Use my identity & permissions and get the job done!"
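The pages on explicit intents and PendingIntents above describe the same rule from two sides: fix the target yourself. As an added example (not code from the slides), the first method below builds a PendingIntent from an explicit, immutable base intent; the second keeps the implicit, mutable form for contrast. The activity class name and request code are assumptions.

```java
// Added example, not from the original deck. Assumed: an activity named
// com.example.android.book.BookDetailActivity exists and accepts a "book_id" extra.
package com.example.android.book;

import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

public final class SafePendingIntent {
    static final int REQUEST_OPEN_BOOK = 1001;
    static final String DETAIL_ACTIVITY = "com.example.android.book.BookDetailActivity";

    // Safe form: explicit base intent plus an immutable token.
    static PendingIntent openBook(Context ctx, long bookId) {
        // setClassName pins the component, so "best match" resolution never runs
        // when the token is fired and no other application's activity can win it.
        Intent base = new Intent()
                .setClassName(ctx, DETAIL_ACTIVITY)
                .putExtra("book_id", bookId);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // Immutable: the holder cannot fill in action, data, component or
            // extras at send() time. Required (or FLAG_MUTABLE) from API 31.
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getActivity(ctx, REQUEST_OPEN_BOOK, base, flags);
    }

    // Anti-pattern, kept only for contrast: implicit base intent and a mutable
    // token. The holder can call send() with a fill-in Intent that supplies the
    // fields this base leaves empty, so our application ends up starting a
    // component of the holder's choosing with our identity and permissions.
    static PendingIntent openBookUnsafe(Context ctx, long bookId) {
        Intent base = new Intent("com.example.android.book.action.OPEN")
                .putExtra("book_id", bookId);
        return PendingIntent.getActivity(ctx, REQUEST_OPEN_BOOK, base,
                PendingIntent.FLAG_UPDATE_CURRENT);
    }
}
```

The same request code with FLAG_UPDATE_CURRENT means the second call replaces the extras of the first token rather than creating a second one; if two tokens must coexist, give them distinct request codes.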
Page 48
Intent Filters
• The Activity Manager matches intents against intent filters
<receiver android:name="BootCompletedReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter>
</receiver>
• A component that declares an intent filter becomes "exported" by default (applications targeting Android 12, API 31, must set android:exported explicitly on such components)
• A component with android:exported="true" can be started by any intent, explicit or implicit, whether or not it matches the filter
• Intent filters cannot be secured with permissions; put android:permission on the component instead
• Categories narrow which intents match; android.intent.category.BROWSABLE opts an activity in to being launched from links in a browser, so add it only when that is intended and validate the data the link carries
Page 49
Intent Filters
<intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <action android:name="android.intent.action.EDIT" />
    <action android:name="android.intent.action.PICK" />
    <category android:name="android.intent.category.DEFAULT" />
    <data android:mimeType="vnd.android.cursor.dir/vnd.google.note" />
</intent-filter>
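Because a filter only narrows matching and any application can send an intent that satisfies it, the component behind the filter has to validate what arrives. As an added example (not code from the slides), the activity below is assumed to be declared with a VIEW filter carrying the DEFAULT and BROWSABLE categories and a data element for scheme "https" and host "books.example.com"; the host, the "/book/<id>" URL layout and the showBook() stand-in are assumptions.

```java
// Added example, not from the original deck. Assumed manifest filter:
//   action VIEW, categories DEFAULT + BROWSABLE,
//   data android:scheme="https" android:host="books.example.com"
// and links of the form https://books.example.com/book/<numeric id>.
package com.example.android.book;

import android.app.Activity;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

import java.util.List;

public class BookLinkActivity extends Activity {
    static final String EXPECTED_SCHEME = "https";
    static final String EXPECTED_HOST = "books.example.com";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Long id = bookIdFromIntent(getIntent());
        if (id == null) {
            finish();           // never act on an intent that fails validation
            return;
        }
        showBook(id);
    }

    // Returns the book id, or null if the intent is not one this activity accepts.
    // Static so it can be unit-tested without an Activity instance.
    static Long bookIdFromIntent(Intent intent) {
        if (intent == null || !Intent.ACTION_VIEW.equals(intent.getAction())) {
            return null;
        }
        Uri data = intent.getData();
        if (data == null) {
            return null;
        }
        // The filter matched scheme and host loosely (case-insensitively, and an
        // explicit intent bypasses it entirely); re-check them exactly here.
        if (!EXPECTED_SCHEME.equals(data.getScheme())
                || !EXPECTED_HOST.equals(data.getHost())) {
            return null;
        }
        List<String> segs = data.getPathSegments();
        if (segs.size() != 2 || !"book".equals(segs.get(0))) {
            return null;
        }
        try {
            long id = Long.parseLong(segs.get(1));
            return id > 0 ? id : null;
        } catch (NumberFormatException e) {
            return null;       // "/book/../secret" or "/book/abc" end up here
        }
    }

    void showBook(long id) {
        // load and render the book with this id
    }
}
```

Keep the validation in one place that both the BROWSABLE path and any in-app callers go through; an explicit intent from another application reaches onCreate() without ever being compared against the filter.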
Page 50
AndroidManifest.xml
Turn debugging off (android:debuggable="false" in release builds)
www.wpclipart.com
Page 51
AndroidManifest.xml
Set component visibility right (android:exported)
Page 52
AndroidManifest.xml
Protect components with permissions
Page 53
AndroidManifest.xml
Define access rules
ctmls.ctreal.com
Page 54
AndroidManifest.xml
Backup and storage decisions (android:allowBackup, android:installLocation)
en.wikipedia.org
Page 55
External Storage
• Starting with API 8 (Android 2.2) APKs can be stored on external storage
  – The APK is stored in an encrypted container called an asec file
  – The key is randomly generated and stored on the device
  – Dex files, private data and native shared libraries still reside in internal memory
  – External storage is mounted with "noexec"
• VFAT does not support Linux access control, so files on external storage are readable by every application that can access the storage
• Sensitive data should be encrypted before it is stored there
Page 56
Application Signature
• Applications are self-signed; no CA is required
• Signatures define persistence
  – Detect whether the application has changed
  – Application update: an update must be signed with the same certificate
• Signatures define authorship
  – Establish trust between applications (signature-level permissions)
  – Run in the same Linux UID (sharedUserId)
Page 57
Application Upgrade
• Applications can register for auto-updates
• Old and new versions must have the same signature
• Adding new permissions requires the user's consent, so an update that adds permissions is not applied automatically
• Install location is preserved
Page 58
System Packages
• Come bundled with the ROM
• Can hold signatureOrSystem permissions
• Cannot be uninstalled (only disabled)
• Live in /system/app
Page 59
Summary
• Linux process sandbox
• Permission-based component interaction
• Permission labels defined in AndroidManifest.xml
• Applications need to be signed
• Signatures define persistence and authorship
• Install-time security decisions
Page 60
battlehack.org: Berlin, New York, Tel Aviv, Seattle, Miami, Moscow, Austin, London, Barcelona, Washington DC