8. Linux Kernel
Linux Process Sandbox
Each process gets a unique UID and a GID
9. Linux Kernel (Cont’d)
include/linux/android_aid.h
AID_NET_BT   3002   Can create Bluetooth sockets
AID_INET     3003   Can create IPv4 and IPv6 sockets
10. Dalvik VM
Photo by floheinstein
Dalvik is not a security boundary
11. Dalvik VM
G7VJR's Blog
• No security manager
• Process isolation, memory management, threading enforced in OS
• Byte code verification for optimization
• No difference between native and Java code
12. Application Components
• Activity: Define screens
• Service: Background processing
• Broadcast Receiver: Mailbox for messages from other applications
• Content Provider: Relational database for sharing information
All components are secured with permissions
15. Activity
Intent intent = new Intent(Intent.ACTION_SEND);
intent.putExtra(Intent.EXTRA_EMAIL, recipientArray);
startActivity(intent);
Often run in their own UID
Secured using permissions
Visibility can be set
Add categories to Intent Filter
Badly configured data can be passed using Intent
Do not pass sensitive data in intents
18. Service
• Component can “bind” to service using bindService()
• Binder channel to talk to service
• Check permissions of calling component against PERMISSION_DENIED or PERMISSION_GRANTED
getPackageManager().checkPermission(permToCheck, name.getPackageName())
19. Binder
• Synchronous RPC mechanism
• Define interface with AIDL
• Same process or different processes
• transact() and Binder.onTransact()
• Data sent as a Parcel
• Secured by caller permission or identity checking
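The caller checks from slides 18 and 19 in one place, as an added example that is not from the slides: a Service exposes a raw Binder, handles one transaction in onTransact(), and authorises the caller by the UID/PID the binder driver attaches to the transaction. The permission name, transaction code and reply value are assumptions.

```java
package com.example.secureservice;

import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;

public class SecureService extends Service {

    // Hypothetical permission, declared in this app's AndroidManifest.xml as
    // <permission android:name="..." android:protectionLevel="signature"/>.
    static final String PERM_USE_SERVICE =
            "com.example.secureservice.permission.USE_SERVICE";

    // Transaction code a client passes to IBinder.transact(); an AIDL-generated
    // Stub defines constants of the same kind.
    static final int TRANSACTION_GET_SECRET = IBinder.FIRST_CALL_TRANSACTION;

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TRANSACTION_GET_SECRET) {
                return super.onTransact(code, data, reply, flags);
            }
            // getCallingUid()/getCallingPid() describe the process on the other end
            // of this transaction. The kernel's binder driver fills them in, so a
            // client cannot claim another application's identity.
            int uid = Binder.getCallingUid();
            int pid = Binder.getCallingPid();
            if (checkPermission(PERM_USE_SERVICE, pid, uid)
                    != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException("uid " + uid + " lacks " + PERM_USE_SERVICE);
            }
            reply.writeNoException();
            reply.writeString("constructed-secret-value");  // reply data travels as a Parcel
            return true;
        }
    };

    // The slide's package-name variant, made safe by deriving the package list
    // from the calling UID instead of trusting a name the client supplies.
    boolean callingPackageHasPermission() {
        PackageManager pm = getPackageManager();
        String[] pkgs = pm.getPackagesForUid(Binder.getCallingUid());
        if (pkgs == null) return false;
        for (String pkg : pkgs) {
            if (pm.checkPermission(PERM_USE_SERVICE, pkg) == PackageManager.PERMISSION_GRANTED) {
                return true;
            }
        }
        return false;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

The UID/PID form is the one to prefer: a package name that arrives inside the request can be set to anything by the client, whereas the calling UID is recorded by the binder driver for every transaction.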
20. Broadcast Receiver
(Diagram) Service: “I’ve got news!” -> Android System -> Registered receivers: Receiver A, Receiver B, Receiver C
22. Broadcast Receiver
<receiver
    android:name=".MyListener"
    android:permission="android.permission.READ_SMS">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>
Protecting a receiver with permission
23. Broadcast Receiver
Selecting which receiver to send an Intent to
Intent intent = new Intent();
intent.setAction(MY_BROADCAST_ACTION);
// second argument: the permission a receiver must hold to get this broadcast
sendBroadcast(intent, "android.provider.Telephony.SMS_RECEIVED");
24. Broadcasts
• Sending Broadcast Intents
  – For sensitive data, pass manifest permission name
• Receiving Broadcast Intents
  – Validate input from intents
  – Intent Filter is not a security boundary
  – Categories narrow down delivery but do not guarantee security
  – android:exported=true
• Sticky broadcasts stick around
  – Need special privilege BROADCAST_STICKY
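Both sides of a permission-protected broadcast from slides 22 to 24, as an added example that is not from the slides: the receiver re-checks the action and validates every extra because the intent filter only selects delivery, and the sender passes the permission a receiver must hold. The action, permission and extra names are assumptions.

```java
package com.example.broadcast;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

public class MyListener extends BroadcastReceiver {
    private static final String TAG = "MyListener";

    // Hypothetical app-defined action and permission. Declare the permission in
    // AndroidManifest.xml (<permission ... android:protectionLevel="signature"/>)
    // and set android:permission="..." on the <receiver> so only senders holding
    // it can deliver to us.
    static final String ACTION_SYNC_DONE = "com.example.broadcast.action.SYNC_DONE";
    static final String PERM_SYNC = "com.example.broadcast.permission.SYNC";

    @Override
    public void onReceive(Context context, Intent intent) {
        // The filter authenticates neither the sender nor the payload: check the
        // action again and validate each extra before acting on it.
        if (intent == null || !ACTION_SYNC_DONE.equals(intent.getAction())) {
            Log.w(TAG, "ignoring broadcast with unexpected action");
            return;
        }
        int count = intent.getIntExtra("count", -1);
        String account = intent.getStringExtra("account");
        if (!isValidCount(count) || !isValidAccount(account)) {
            Log.w(TAG, "rejecting malformed broadcast payload");
            return;
        }
        // Safe to use account and count from here on.
        Log.i(TAG, "sync finished for " + account + ", " + count + " items");
    }

    static boolean isValidCount(int count) {
        return count >= 0 && count <= 10000;
    }

    static boolean isValidAccount(String account) {
        return account != null && account.matches("[A-Za-z0-9._-]{1,64}");
    }

    // Sender side. The second argument to sendBroadcast() is the permission a
    // receiver must hold; setPackage() additionally keeps delivery inside our app.
    public static void announceSyncDone(Context ctx, String account, int count) {
        Intent i = new Intent(ACTION_SYNC_DONE);
        i.setPackage(ctx.getPackageName());
        i.putExtra("account", account);
        i.putExtra("count", count);
        ctx.sendBroadcast(i, PERM_SYNC);
    }
}
```

Two checks cover the two directions: android:permission on the <receiver> element limits who may send to it, and the permission argument of sendBroadcast() limits who may receive. A receiver that only needs broadcasts from its own app can also be declared with android:exported="false".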
25. Content Provider
(Diagram) Application A: Activity 1 -> Content Provider -> Remote Database / SQLite DB / Internet Data / Files; Application B: Activity 2 -> Content Provider
Allows applications to share data
Protected with permissions
Content providers use URI schemes
content://<authority>/<table>/[<id>]
39. SharedUserID
com.example.example1
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.example1"
    android:versionCode="1"
    android:versionName="1.0"
    android:sharedUserId="com.sharedID.example">
com.example.example2
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.example2"
    android:versionCode="1"
    android:versionName="1.0"
    android:sharedUserId="com.sharedID.example">
sharedUserID follows the package name format
Any other naming convention results in an error like INSTALL_PARSE_FAILED_BAD_SHARED_USER_ID
40. Preferences
• Store primitive data in key-value format
• Persistent storage
• Sandboxed with application
41. Cache
// Write to the cache file
String myString = new String("Hello World!");
File file = new File(getCacheDir(), "MyCacheFile");
FileOutputStream fOut = new FileOutputStream(file);
OutputStreamWriter osw = new OutputStreamWriter(fOut);
osw.write(myString);
osw.flush();
osw.close();
Cache file is sandboxed with application
Can be created on external storage: getExternalCacheDir()
Cache file is deleted when system is running low on memory
43. Files
• Applications have own area for files
• Files are protected by Unix-like file permissions
• Different modes: world readable, world writable, private, append
FileOutputStream fos = openFileOutput("myFile", Context.MODE_WORLD_READABLE);
44. Intents
(Diagram) Intent vs. Binder
• Binder: exposed through AIDL
• Intent: inter-component interaction, asynchronous IPC, explicit or implicit intents
45. Explicit Intents
(Diagram) Activity in Application A -> Activity in Application B: “I know where you live!”
Specify a component name
Do not put sensitive data in intents
Components need not be in same application
startActivity(Intent)
sendBroadcast(Intent)
46. Implicit Intent
(Diagram) Activity in Application A: “Get me the best match!” -> Activities in Applications B, C and D
No component name specified
Do not put sensitive data in intents
Components need not be in same application
startActivity(Intent)
sendBroadcast(Intent)
47. Pending Intent
• Token given to a foreign application to perform an action on your application’s behalf
• Uses your application’s permissions
• Even if its owning application's process is killed, the PendingIntent itself will remain usable from other processes
• Provide component name in base intent
  – PendingIntent.getActivity(Context, int, Intent, int)
(Diagram) Activity A -> Activity B: “Use my identity & permissions and get the job done!”
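Slides 45 to 47 side by side in code, as an added example that is not from the slides: an explicit intent that names its component, an implicit intent that carries nothing sensitive, and a PendingIntent whose base intent pins the target component and is made immutable. Package and class names are assumptions.

```java
package com.example.intents;

import android.app.PendingIntent;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Build;

public final class IntentExamples {
    private IntentExamples() { }

    // Explicit intent: the target component is named, so only that component
    // receives it, whether or not it lives in our own application.
    public static Intent explicitShare(Uri resource) {
        Intent i = new Intent(Intent.ACTION_SEND);
        i.setComponent(new ComponentName(
                "com.example.partner", "com.example.partner.ShareActivity")); // assumed target
        i.setType("text/plain");
        // Carry a reference to the data, not the sensitive content itself; the
        // receiver gets read access to the URI only for this intent.
        i.putExtra(Intent.EXTRA_STREAM, resource);
        i.addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return i;
    }

    // Implicit intent: no component named; the system picks the best match among
    // every app whose filter fits, so nothing secret may ride along as an extra.
    public static Intent implicitView(Uri url) {
        return new Intent(Intent.ACTION_VIEW, url);
    }

    // PendingIntent: a token that runs with our identity and permissions from
    // another process, even after ours is killed. Pin the component so the holder
    // cannot redirect it, and make it immutable so the holder cannot add extras.
    public static PendingIntent detailsToken(Context ctx, int requestCode, long itemId) {
        Intent base = new Intent(Intent.ACTION_VIEW);
        base.setClassName(ctx, "com.example.intents.DetailsActivity"); // assumed activity of this app
        base.putExtra("item_id", itemId);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            flags |= PendingIntent.FLAG_IMMUTABLE;   // available from API 23
        }
        return PendingIntent.getActivity(ctx, requestCode, base, flags);
    }
}
```

The point of detailsToken() is the base intent: because the holder of a PendingIntent acts with our permissions, a base intent without a component name would let the holder choose where those permissions are spent.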
48. Intent Filters
• Activity Manager matches intents against Intent Filters
<receiver android:name="BootCompletedReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter>
</receiver>
• Activity with Intent Filter enabled becomes “exported”
• Activity with “android:exported=true” can be started with any intent
• Intent Filters cannot be secured with permissions
• Add categories to restrict which intents can reach it, e.g. android.intent.category.BROWSABLE
55. External Storage
• Starting with API 8 (Android 2.2) APKs can be stored on external devices
  – APK is stored in an encrypted container called an asec file
  – Key is randomly generated and stored on device
  – Dex files, private data, native shared libraries still reside on internal memory
  – External devices are mounted with “noexec”
• VFAT does not support Linux access control
• Sensitive data should be encrypted before storing
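The file-mode point of slide 43 and the encrypt-before-storing point of slide 55 together, as an added example that is not from the slides: a private internal file written with MODE_PRIVATE instead of MODE_WORLD_READABLE, and an external-storage file sealed with AES-GCM before it touches the permission-less VFAT volume. File names are assumptions, and the SecretKey is assumed to come from the Android Keystore.

```java
package com.example.storage;

import android.content.Context;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public final class SafeStorage {
    private SafeStorage() { }

    private static final int IV_BYTES = 12;    // GCM standard nonce size
    private static final int TAG_BITS = 128;   // GCM authentication tag length

    // Internal storage: MODE_PRIVATE leaves the file readable only by this app's
    // UID. MODE_WORLD_READABLE (the slide's example) exposes it to every app.
    public static void writePrivate(Context ctx, String name, byte[] data) throws IOException {
        try (FileOutputStream out = ctx.openFileOutput(name, Context.MODE_PRIVATE)) {
            out.write(data);
        }
    }

    // External storage has no per-UID permissions, so encrypt before writing.
    // On-disk layout: IV || AES-GCM ciphertext (tag included). The key is assumed
    // to live in the Android Keystore; never store it beside the file.
    public static File writeEncryptedExternal(Context ctx, String name, byte[] plaintext, SecretKey key)
            throws IOException, GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);        // fresh nonce for every file
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ciphertext = cipher.doFinal(plaintext);

        File f = new File(ctx.getExternalFilesDir(null), name);
        try (FileOutputStream out = new FileOutputStream(f)) {
            out.write(iv);
            out.write(ciphertext);
        }
        return f;
    }

    // Decrypt and verify. A file modified on the card fails inside doFinal()
    // with an AEADBadTagException rather than yielding altered plaintext.
    public static byte[] readEncryptedExternal(File f, SecretKey key)
            throws IOException, GeneralSecurityException {
        byte[] blob = readAll(f);
        if (blob.length < IV_BYTES + TAG_BITS / 8) {
            throw new IOException("file too short to contain IV and tag");
        }
        GCMParameterSpec spec = new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, spec);
        return cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    private static byte[] readAll(File f) throws IOException {
        try (InputStream in = new FileInputStream(f);
             ByteArrayOutputStream buf = new ByteArrayOutputStream()) {
            byte[] chunk = new byte[8192];
            int n;
            while ((n = in.read(chunk)) != -1) buf.write(chunk, 0, n);
            return buf.toByteArray();
        }
    }
}
```

GCM gives integrity as well as confidentiality, which matters on external storage: any application (or a card reader) can overwrite the file, and the tag check turns such tampering into a detectable failure.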
56. Application Signature
• Applications are self-signed; no CA required
• Signatures define persistence
  – Detect if the application has changed
  – Application update
• Signatures define authorship
  – Establish trust between applications
  – Run in same Linux ID
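One way to establish trust between applications from their signatures, as an added example that is not from the slides: before trusting a partner package, compare the SHA-256 digest of its signing certificate with a value baked into the app. The expected digest is a placeholder, and GET_SIGNATURES is the pre-API-28 lookup (newer releases offer GET_SIGNING_CERTIFICATES).

```java
package com.example.trust;

import android.content.Context;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.Signature;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public final class SignatureCheck {
    private SignatureCheck() { }

    // PLACEHOLDER: hex SHA-256 of the partner app's signing certificate. Take it
    // from your own key material (e.g. keytool -printcert), not from the device.
    static final String EXPECTED_CERT_SHA256 = "<sha256-of-partner-signing-certificate>";

    // True only if packageName is installed and signed by exactly the expected
    // certificate. A package name alone proves nothing: anyone can publish an app
    // with the same name, but not one carrying our partner's signature.
    public static boolean isTrusted(Context ctx, String packageName) {
        try {
            @SuppressWarnings("deprecation") // GET_SIGNATURES kept for reach on older releases
            PackageInfo info = ctx.getPackageManager()
                    .getPackageInfo(packageName, PackageManager.GET_SIGNATURES);
            Signature[] sigs = info.signatures;
            // Refuse multi-signer packages: an extra certificate beside the expected
            // one must not pass, so require exactly one and compare it.
            if (sigs == null || sigs.length != 1) return false;
            return constantTimeEquals(sha256Hex(sigs[0].toByteArray()), EXPECTED_CERT_SHA256);
        } catch (PackageManager.NameNotFoundException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    static String sha256Hex(byte[] data) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder(digest.length * 2);
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Compare without an early exit so timing does not reveal how much matched.
    static boolean constantTimeEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }
}
```

This is the same idea the platform applies for sharedUserId and signature-level permissions: identity is the signing certificate, and the package name is only a label.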
57. Application Upgrade
• Applications can register for auto-updates
• Applications should have the same signature
• No additional permissions should be added
• Install location is preserved
58. System Packages
• Come bundled with ROM
• Have signatureOrSystem permission
• Cannot be uninstalled
• /system/app
59. Summary
• Linux process sandbox
• Permission-based component interaction
• Permission labels defined in AndroidManifest.xml
• Applications need to be signed
• Signatures define persistence and authorship
• Install-time security decisions
60. battlehack.org
Berlin, New York, Tel Aviv, Seattle, Miami, Moscow, Austin, London, Barcelona, Washington DC