Mobile Application Security on Android

Originally presented by Jesse Burns at Black Hat 2009

1

What is Android?

Smart Phone Operating System Based on the Linux kernel Expanded to support cellular based

communicationGSM, CMDA

Java like middleware

2

More Android

Open SourceMostly Apache v2 licenseLinux kernel is GPLv2

Free Open API’s

If Google uses them, so can developers

3

Applications

Built from for “components”ActivityServiceContent ProviderBroadcast Receiver

Run in own VM sandbox using unique UID

4

More on Apps

Use explicitly defined permissions Communicate through Intents Intents are Inter-Process

Communications Applications register which Intents they

wish to handle

5

Signatures

applications must be signed, but are usually self-signedproves no relationship with Google, butcreates chain of trust between updates and

among applications

6

Permissions I >100 defined by the system Declared at install time in Manifest.xml Disclosed by PackageInstaller, protected by

root ownership

7

Permissions II

applications can define arbitrary new permsnormaldangeroussignaturesignatureOrSystem

8

Permission III

Permissions checked at runtime SecurityException thrown if permission

denied

9

Intents

Core of Android IPC Can cross security boundaries Generally defined as a goal action and

some data

10

Intent II

Used to:Start an ActivityBroadcast events or changesStart, stop, or communicate with

background ServicesAccess data held by ContentProvidersCall backs to handle events

11

Intent Filters

Used to determine recipient of Intent Can be overridden Provide no security

Intents can explicitly define receiver

12

Activities The user interface consists of a series of Activity

components. Each Activity is a “screen”. User actions tell an Activity to start another

Activity, possibly with the expectation of a result.

13

Activity II

The target Activity is not necessarily in the same application.

Directly or via Intent “action strings”. Processing stops when another Activity

is “on top”. Must be able to handle malformed intents Don’t start Intents that contain sensitive data

14

Activity III

Starting an Activity from an Intent

15

Activity IV

Forcing an Activity to start

16

Activity V

Protecting Activities

17

Broadcasts

Act as recievers for multiple components Provide secure IPC Done by specifying permissions on

BroadcastReceiver regarding sender Otherwise, behave like activities in

terms of IPC

18

Broadcast II

Still need to validate input just in case Sticky Broadcasts

PersistentApps require special permissions to

create/destroy sticky broadcasts No guarantee of persistenceCan’t define permission

○ Don’t send sensitive data

19

Services

Run in background Play music, alarm clock, etc Secured using permissions Callers may need to verify that Service

is the correct one

20

Services II

Verification:Check Service’s permissionsres = getPackageManager().checkPermission(permToCheck, name.getPackageName());

21

ContentProviders

Generally SQL backend Used to share content between apps Access controlled through permission

tags

22

ContentProviders II

Apps can be dynamically authorized accessPossible security hole

Must protect against SQL injectionSanitize input using parameterization

23

Intent Reflection

Intents may be sent when app is called App sends Intent as app and not as

caller: reflectionMay exceed caller’s permissions

Use PendingIntent instead, intent correctly identified as coming from caller

24

File System

Internally standard Linux file systems – yaffs2, ext*

Support stand Unix permissions Vulnerabilities if permissions not set

correctlySensitive data could be readOther programs could write junk/waste

space

25

File System II

Consider what files need what protectionsConfig files: not writeableLog files: not world readable

Mass storage formatted as FAT, no Unix permissions supportAll data world readableConsider encryption

26

Binder

Kernel module that provides secure IPC on top of the standard Linux shared memory architecture

Includes interface to ParceableParceable objects are passed by Binder

Can also move file descriptors, and other Binders

27

Binder II

Efficient, secure IPCCheck caller’s permissions / identityOnly selectively give out interface

○ Once given out, interface can be disseminated freely

All Binders are globally unique

28