SlideShare une entreprise Scribd logo

Java & The Android Stack: A Security Analysis

Télécharger en tant que PPTX, PDF
Pragati Rai
Pragati Rai

Talk presented

Technologie
1  sur  34
Java & The Android Stack: A Security Analysis Pragati Ogal Rai Mobile Technology Evangelist PayPal, eBay Inc. pragati.rai@paypal.com Java Conference, Bangalore, Dec 8, 2012 @pragatiogal
Agenda  Java 2 Security Model  Android Security Model  Summarize
Java 2 Security Model
Java  Developed by Sun Microsystems in the early 1990s  Platform Independent  Compiled to bytecode that runs on a Virtual Machine  “Java is Secure”
Java 2 Security Model  Platform Security  Crypto APIs  Authentication & Access Control APIs  Secure Communication APIs  Key Management APIs
Java Language Security  Programs cannot access arbitrary memory locations  Variables cannot be used before initialization  Access methods are strictly adhered to  Entities declared final must not be changed  Objects cannot be arbitrarily cast into other objects
Java 2 Platform Security Model Remote Class Files Signed Class Files Local Class Files Bytecode Verifier Core API Class Files Class Loader Core Java API Security Package Security Manager Key Database Access Controller Operating System
Java 2 Sandbox Model • Fine grained access control • Configurable Security Policy • No built-in concept of trusted local code
Security Policy File Example // If the code is signed by ”Pragati", grant it read/write access to all //files in /tmp/pragati grant signedBy ”Pragati" { permission java.io.FilePermission "/tmp/pragati/*", "read,write"; }; // If the code is signed by ”John", grant it read/write access to all //files in /tmp/john grant signedBy ”John" { permission java.io.FilePermission "/tmp/john/*", "read,write”; }; // Grant everyone the following permission: grant { permission java.io.FilePermission "/tmp/pragati/*", "read"; }; ………….. ……….
Protection Domain Domain name “Pragati” Pragati’s certificate Read/write access to /temp/pragati/* Domain name “John” John’s certificate Read/write access to /temp/john/* Read access to /temp/pragati/* ………….. ………. Protection Domain = Code Source + Permission
Java 2 Security Model  All code runs in a sandbox  All classes are loaded with full bytecode verification  All classes are loaded with Java language features  Signed classes verify the integrity and origination of Java classes  Security policy provides fine-grained access  Crypto APIs
The Android Stack
Android  Open Platform  First phone based on Android came out in 2009  75% smartphone market share as of October1 1: idc.com
Android Security Model  Platform Security  Crypto APIs  Secure Communication APIs  Key Management APIs
Install Time User Consent
Android OS Architecture http://developer.android.com
Linux Kernel  Unique UID and GID for each application at install time  Sharing can occur through component interactions  Linux Process Sandbox
Linux Kernel (Cont’d) include/linux/android_aid.h AID_NET_BT 3002 Can create Bluetooth Sockets AID_INET 3003 Can create IPv4 and IPv6 Sockets
Middleware  Libraries for code execution  Libraries for services  Take care of device specific issues  Compiled to machine language  Native and Java code
Java Virtual Machine?  There is no JVM in Android platform  No bytecode is executed  JAR file will not run on Android platform
Dalvik Virtual Machine  Dalvik does not align to Java SE or Java ME  Library built on a subset of the Apache Harmony Java  Highly optimized VM to support multiple VM instances  Register based architecture  Shared constant pool  Executes Dalvik executables (.dex)
Dalvik Virtual Machine  No security manager  Permissions are enforced in OS and not in VM  As of Android 2.2 Dalvik has a JIT compiler  Dalvik Bytecode verification mainly for optimization  GC for each VM instance
Android Application Structure  Application is made of components  Activity: Define screens  Service: Background processing  Broadcast Receiver: Mailbox for messages from other applications  Content Provider: Relational database for sharing information  Applications communicate through Intents  Secure RPC using Binder  AndroidManifest.xml defines policy for application
Permission Protection Levels  Normal android.permission.VIBRATE com.android.alarm.permission.SET_ALARM  Dangerous android.permission.SEND_SMS android.permission.CALL_PHONE  Signature android.permission.FORCE_STOP_PACKAGES android.permission.INJECT_EVENTS  SignatureOrSystem android.permission.ACCESS_USB android.permission.SET_TIME All components are secured by permissions Developers can define their own permissions as well
Application Layer Security  Permissions restrict component interaction  Permission labels defined in AndroidManifest.xml  Applications are self-signed; no CA required  Signatures define persistence and authorship
Android Security Model  Linux process sandbox  Permission based component interaction  Dalvik is not a security boundary  All applications need to be signed  Signature define persistence and authorship  Install time security decisions  Crypto APIs
Summary
Install Time Check Who are you? What do you want to do?
Sandbox Based on permissions, code sources, policy, keystore, protection domains Process Sandbox
Signature Identity and Trust Authorship and Persistence
Permissions Enforced by VM Enforced by OS
Protection Domain Code Sources + Permissions Process
Virtual Machine Is a security boundary Is NOT a security boundary
Thank you! pragati.rai@paypal.com @pragatiogal http://www.slideshare.net/pragatiogal

Recommandé

From java to android a security analysis
From java to android a security analysisFrom java to android a security analysis
From java to android a security analysisPragati Rai
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
Permission enforcement s in android new (1)
Permission enforcement s in android new (1)Permission enforcement s in android new (1)
Permission enforcement s in android new (1)Siddhartha Kakarla
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Satheesh Kumar V
 

Recommandé

From java to android a security analysis
From java to android a security analysisFrom java to android a security analysis
From java to android a security analysisPragati Rai
 
Bypassing the Android Permission Model
Bypassing the Android Permission ModelBypassing the Android Permission Model
Bypassing the Android Permission ModelGeorgia Weidman
 
Permission enforcement s in android new (1)
Permission enforcement s in android new (1)Permission enforcement s in android new (1)
Permission enforcement s in android new (1)Siddhartha Kakarla
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...
Consulthink @ GDG Meets U - L'Aquila2014 - Codelab: Android Security -Il ke...Consulthinkspa
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Introduction to Android Application Security Testing - 2nd Sep 2017
Introduction to Android Application Security Testing - 2nd Sep 2017Satheesh Kumar V
 
Security in Java
Security in JavaSecurity in Java
Security in JavaSiddharth Coontoor
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in AndroidRich Helton
 
Python Final
Python FinalPython Final
Python FinalRich Helton
 
Python For Droid
Python For DroidPython For Droid
Python For DroidRich Helton
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2Sam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)Sam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)Sam Bowne
 
Sandboxing (Distributed computing)
Sandboxing (Distributed computing)Sandboxing (Distributed computing)
Sandboxing (Distributed computing)Sri Prasanna
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
DexGuard
DexGuardDexGuard
DexGuardTopher Jordan
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2Romansh Yadav
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)Sam Bowne
 
Hacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperAjin Abraham
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testingMykhailo Antonishyn
 
Intents and PendingIntents in Android application development
Intents and PendingIntents in Android application developmentIntents and PendingIntents in Android application development
Intents and PendingIntents in Android application developmentMaryadelMar85
 
Permission use analysis for vetting undesirable behavior in
Permission use analysis for vetting undesirable behavior inPermission use analysis for vetting undesirable behavior in
Permission use analysis for vetting undesirable behavior inchaitrabhat777
 

Contenu connexe

Tendances

First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in AndroidRich Helton
 
Python For Droid
Python For DroidPython For Droid
Python For DroidRich Helton
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC MobileSteve De Zitter
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2Sam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)Sam Bowne
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)Sam Bowne
 
Sandboxing (Distributed computing)
Sandboxing (Distributed computing)Sandboxing (Distributed computing)
Sandboxing (Distributed computing)Sri Prasanna
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005Rich Helton
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingRomansh Yadav
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2Romansh Yadav
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)Sam Bowne
 
Hacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperAjin Abraham
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionJose Manuel Ortega Candel
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool nullowaspmumbai
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testingMykhailo Antonishyn
 

Tendances (20)

Security in Java
Security in JavaSecurity in Java
Security in Java
 
First Steps in Android
First Steps in AndroidFirst Steps in Android
First Steps in Android
 
Python Final
Python FinalPython Final
Python Final
 
Python For Droid
Python For DroidPython For Droid
Python For Droid
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Android secure offline storage - CC Mobile
Android secure offline storage - CC MobileAndroid secure offline storage - CC Mobile
Android secure offline storage - CC Mobile
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2
 
CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)CNIT 128 6. Analyzing Android Applications (Part 1)
CNIT 128 6. Analyzing Android Applications (Part 1)
 
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
CNIT 128 6. Analyzing Android Applications (Part 2 of 3)
 
Sandboxing (Distributed computing)
Sandboxing (Distributed computing)Sandboxing (Distributed computing)
Sandboxing (Distributed computing)
 
Spring Roo Rev005
Spring Roo Rev005Spring Roo Rev005
Spring Roo Rev005
 
DexGuard
DexGuardDexGuard
DexGuard
 
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentestingNull Dubai Humla_Romansh_Yadav_Android_app_pentesting
Null Dubai Humla_Romansh_Yadav_Android_app_pentesting
 
Mobile security part 2
Mobile security part 2Mobile security part 2
Mobile security part 2
 
CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)CNIT 128 7. Attacking Android Applications (Part 2)
CNIT 128 7. Attacking Android Applications (Part 2)
 
Hacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - WhitepaperHacking Tizen: The OS of everything - Whitepaper
Hacking Tizen: The OS of everything - Whitepaper
 
Testing Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam editionTesting Android Security Codemotion Amsterdam edition
Testing Android Security Codemotion Amsterdam edition
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testing
 

En vedette

Intents and PendingIntents in Android application development
Intents and PendingIntents in Android application developmentIntents and PendingIntents in Android application development
Intents and PendingIntents in Android application developmentMaryadelMar85
 
Permission use analysis for vetting undesirable behavior in
Permission use analysis for vetting undesirable behavior inPermission use analysis for vetting undesirable behavior in
Permission use analysis for vetting undesirable behavior inchaitrabhat777
 
Manipulating Android tasks and back stack
Manipulating Android tasks and back stackManipulating Android tasks and back stack
Manipulating Android tasks and back stackRan Nachmany
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of AndroidTetsuyuki Kobayashi
 
Android security
Android securityAndroid security
Android securityKrazy Koder
 
Overview of Android binder IPC implementation
Overview of Android binder IPC implementationOverview of Android binder IPC implementation
Overview of Android binder IPC implementationChethan Pchethan
 

En vedette (7)

Intents and PendingIntents in Android application development
Intents and PendingIntents in Android application developmentIntents and PendingIntents in Android application development
Intents and PendingIntents in Android application development
 
Permission use analysis for vetting undesirable behavior in
Permission use analysis for vetting undesirable behavior inPermission use analysis for vetting undesirable behavior in
Permission use analysis for vetting undesirable behavior in
 
Manipulating Android tasks and back stack
Manipulating Android tasks and back stackManipulating Android tasks and back stack
Manipulating Android tasks and back stack
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of Android
 
Android security
Android securityAndroid security
Android security
 
Android IPC Mechanism
Android IPC MechanismAndroid IPC Mechanism
Android IPC Mechanism
 
Overview of Android binder IPC implementation
Overview of Android binder IPC implementationOverview of Android binder IPC implementation
Overview of Android binder IPC implementation
 

Similaire à Java & The Android Stack: A Security Analysis

Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
From Bitcoin Hardware Wallets to Personal Privacy Devices
From Bitcoin Hardware Wallets to Personal Privacy DevicesFrom Bitcoin Hardware Wallets to Personal Privacy Devices
From Bitcoin Hardware Wallets to Personal Privacy DevicesMecklerMedia
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Tollas Ferenc - Java security
Tollas Ferenc - Java securityTollas Ferenc - Java security
Tollas Ferenc - Java securityveszpremimeetup
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basicsOWASPKerala
 
A Taste of Java ME
A Taste of Java MEA Taste of Java ME
A Taste of Java MEwiradikusuma
 
Chapter three Java_security.ppt
Chapter three Java_security.pptChapter three Java_security.ppt
Chapter three Java_security.pptHaymanotTadese
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Androidsecurityxploded
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...tdc-globalcode
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentestingMinali Arora
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Codemotion
 
Slides bootcamp21
Slides bootcamp21Slides bootcamp21
Slides bootcamp21dxsaki
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Martin Toshev
 
Android Security
Android SecurityAndroid Security
Android SecurityArqum Ahmad
 
Getting started with android
Getting started with androidGetting started with android
Getting started with androidVandana Verma
 
Multithreading in Android
Multithreading in AndroidMultithreading in Android
Multithreading in Androidcoolmirza143
 

Similaire à Java & The Android Stack: A Security Analysis (20)

Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android Security
 
From Bitcoin Hardware Wallets to Personal Privacy Devices
From Bitcoin Hardware Wallets to Personal Privacy DevicesFrom Bitcoin Hardware Wallets to Personal Privacy Devices
From Bitcoin Hardware Wallets to Personal Privacy Devices
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Advanced Java
Advanced JavaAdvanced Java
Advanced Java
 
Tollas Ferenc - Java security
Tollas Ferenc - Java securityTollas Ferenc - Java security
Tollas Ferenc - Java security
 
Java-Unit-I.ppt
Java-Unit-I.pptJava-Unit-I.ppt
Java-Unit-I.ppt
 
Android pen test basics
Android pen test basicsAndroid pen test basics
Android pen test basics
 
Java Security
Java SecurityJava Security
Java Security
 
A Taste of Java ME
A Taste of Java MEA Taste of Java ME
A Taste of Java ME
 
Chapter three Java_security.ppt
Chapter three Java_security.pptChapter three Java_security.ppt
Chapter three Java_security.ppt
 
Advanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to AndroidAdvanced Malware Analysis Training Session 8 - Introduction to Android
Advanced Malware Analysis Training Session 8 - Introduction to Android
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
 
Getting started with Android pentesting
Getting started with Android pentestingGetting started with Android pentesting
Getting started with Android pentesting
 
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019Martin Toshev - Java Security Architecture - Codemotion Rome 2019
Martin Toshev - Java Security Architecture - Codemotion Rome 2019
 
Slides bootcamp21
Slides bootcamp21Slides bootcamp21
Slides bootcamp21
 
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
Security Architecture of the Java Platform (BG OUG, Plovdiv, 13.06.2015)
 
Android Security
Android SecurityAndroid Security
Android Security
 
Getting started with android
Getting started with androidGetting started with android
Getting started with android
 
Multithreading in Android
Multithreading in AndroidMultithreading in Android
Multithreading in Android
 
Untitled 1
Untitled 1Untitled 1
Untitled 1
 

Plus de Pragati Rai

Hard problems in mobile commerce
Hard problems in mobile commerceHard problems in mobile commerce
Hard problems in mobile commercePragati Rai
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectivePragati Rai
 
Be Your Own Technology Brand Ambassador
Be Your Own Technology Brand AmbassadorBe Your Own Technology Brand Ambassador
Be Your Own Technology Brand AmbassadorPragati Rai
 
Mobile Payments revolution
Mobile Payments revolutionMobile Payments revolution
Mobile Payments revolutionPragati Rai
 
Android securitybyexample
Android securitybyexampleAndroid securitybyexample
Android securitybyexamplePragati Rai
 
The basics of mobile payments
The basics of mobile paymentsThe basics of mobile payments
The basics of mobile paymentsPragati Rai
 
How are mobile devices changing face of payments?
How are mobile devices changing face of payments?How are mobile devices changing face of payments?
How are mobile devices changing face of payments?Pragati Rai
 
Mobile payments 101
Mobile payments 101Mobile payments 101
Mobile payments 101Pragati Rai
 
Enhancing your mobile commerce apps with eBay Inc.
Enhancing your mobile commerce apps with eBay Inc.Enhancing your mobile commerce apps with eBay Inc.
Enhancing your mobile commerce apps with eBay Inc.Pragati Rai
 
New Security Considerations for Mobile Commerce
New Security Considerations for Mobile CommerceNew Security Considerations for Mobile Commerce
New Security Considerations for Mobile CommercePragati Rai
 
Amphion Forum: Understanding Android Secuity
Amphion Forum: Understanding Android SecuityAmphion Forum: Understanding Android Secuity
Amphion Forum: Understanding Android SecuityPragati Rai
 
Understanding Mobile payments
Understanding Mobile paymentsUnderstanding Mobile payments
Understanding Mobile paymentsPragati Rai
 
Mobile Ecosystem
Mobile EcosystemMobile Ecosystem
Mobile EcosystemPragati Rai
 

Plus de Pragati Rai (13)

Hard problems in mobile commerce
Hard problems in mobile commerceHard problems in mobile commerce
Hard problems in mobile commerce
 
Mobile Commerce: A Security Perspective
Mobile Commerce: A Security PerspectiveMobile Commerce: A Security Perspective
Mobile Commerce: A Security Perspective
 
Be Your Own Technology Brand Ambassador
Be Your Own Technology Brand AmbassadorBe Your Own Technology Brand Ambassador
Be Your Own Technology Brand Ambassador
 
Mobile Payments revolution
Mobile Payments revolutionMobile Payments revolution
Mobile Payments revolution
 
Android securitybyexample
Android securitybyexampleAndroid securitybyexample
Android securitybyexample
 
The basics of mobile payments
The basics of mobile paymentsThe basics of mobile payments
The basics of mobile payments
 
How are mobile devices changing face of payments?
How are mobile devices changing face of payments?How are mobile devices changing face of payments?
How are mobile devices changing face of payments?
 
Mobile payments 101
Mobile payments 101Mobile payments 101
Mobile payments 101
 
Enhancing your mobile commerce apps with eBay Inc.
Enhancing your mobile commerce apps with eBay Inc.Enhancing your mobile commerce apps with eBay Inc.
Enhancing your mobile commerce apps with eBay Inc.
 
New Security Considerations for Mobile Commerce
New Security Considerations for Mobile CommerceNew Security Considerations for Mobile Commerce
New Security Considerations for Mobile Commerce
 
Amphion Forum: Understanding Android Secuity
Amphion Forum: Understanding Android SecuityAmphion Forum: Understanding Android Secuity
Amphion Forum: Understanding Android Secuity
 
Understanding Mobile payments
Understanding Mobile paymentsUnderstanding Mobile payments
Understanding Mobile payments
 
Mobile Ecosystem
Mobile EcosystemMobile Ecosystem
Mobile Ecosystem
 

Dernier

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...panagenda
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Dernier (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

Java & The Android Stack: A Security Analysis

  • 1. Java & The Android Stack: A Security Analysis Pragati Ogal Rai Mobile Technology Evangelist PayPal, eBay Inc. pragati.rai@paypal.com Java Conference, Bangalore, Dec 8, 2012 @pragatiogal
  • 2. Agenda  Java 2 Security Model  Android Security Model  Summarize
  • 4. Java  Developed by Sun Microsystems in the early 1990s  Platform Independent  Compiled to bytecode that runs on a Virtual Machine  “Java is Secure”
  • 5. Java 2 Security Model  Platform Security  Crypto APIs  Authentication & Access Control APIs  Secure Communication APIs  Key Management APIs
  • 6. Java Language Security  Programs cannot access arbitrary memory locations  Variables cannot be used before initialization  Access methods are strictly adhered to  Entities declared final must not be changed  Objects cannot be arbitrarily cast into other objects
  • 7. Java 2 Platform Security Model Remote Class Files Signed Class Files Local Class Files Bytecode Verifier Core API Class Files Class Loader Core Java API Security Package Security Manager Key Database Access Controller Operating System
  • 8. Java 2 Sandbox Model • Fine grained access control • Configurable Security Policy • No built-in concept of trusted local code
  • 9. Security Policy File Example // If the code is signed by ”Pragati", grant it read/write access to all //files in /tmp/pragati grant signedBy ”Pragati" { permission java.io.FilePermission "/tmp/pragati/*", "read,write"; }; // If the code is signed by ”John", grant it read/write access to all //files in /tmp/john grant signedBy ”John" { permission java.io.FilePermission "/tmp/john/*", "read,write”; }; // Grant everyone the following permission: grant { permission java.io.FilePermission "/tmp/pragati/*", "read"; }; ………….. ……….
  • 10. Protection Domain Domain name “Pragati” Pragati’s certificate Read/write access to /temp/pragati/* Domain name “John” John’s certificate Read/write access to /temp/john/* Read access to /temp/pragati/* ………….. ………. Protection Domain = Code Source + Permission
  • 11. Java 2 Security Model  All code runs in a sandbox  All classes are loaded with full bytecode verification  All classes are loaded with Java language features  Signed classes verify the integrity and origination of Java classes  Security policy provides fine-grained access  Crypto APIs
  • 13. Android  Open Platform  First phone based on Android came out in 2009  75% smartphone market share as of October1 1: idc.com
  • 14. Android Security Model  Platform Security  Crypto APIs  Secure Communication APIs  Key Management APIs
  • 15. Install Time User Consent
  • 16. Android OS Architecture http://developer.android.com
  • 17. Linux Kernel  Unique UID and GID for each application at install time  Sharing can occur through component interactions  Linux Process Sandbox
  • 18. Linux Kernel (Cont’d) include/linux/android_aid.h AID_NET_BT 3002 Can create Bluetooth Sockets AID_INET 3003 Can create IPv4 and IPv6 Sockets
  • 19. Middleware  Libraries for code execution  Libraries for services  Take care of device specific issues  Compiled to machine language  Native and Java code
  • 20. Java Virtual Machine?  There is no JVM in Android platform  No bytecode is executed  JAR file will not run on Android platform
  • 21. Dalvik Virtual Machine  Dalvik does not align to Java SE or Java ME  Library built on a subset of the Apache Harmony Java  Highly optimized VM to support multiple VM instances  Register based architecture  Shared constant pool  Executes Dalvik executables (.dex)
  • 22. Dalvik Virtual Machine  No security manager  Permissions are enforced in OS and not in VM  As of Android 2.2 Dalvik has a JIT compiler  Dalvik Bytecode verification mainly for optimization  GC for each VM instance
  • 23. Android Application Structure  Application is made of components  Activity: Define screens  Service: Background processing  Broadcast Receiver: Mailbox for messages from other applications  Content Provider: Relational database for sharing information  Applications communicate through Intents  Secure RPC using Binder  AndroidManifest.xml defines policy for application
  • 24. Permission Protection Levels  Normal android.permission.VIBRATE com.android.alarm.permission.SET_ALARM  Dangerous android.permission.SEND_SMS android.permission.CALL_PHONE  Signature android.permission.FORCE_STOP_PACKAGES android.permission.INJECT_EVENTS  SignatureOrSystem android.permission.ACCESS_USB android.permission.SET_TIME All components are secured by permissions Developers can define their own permissions as well
  • 25. Application Layer Security  Permissions restrict component interaction  Permission labels defined in AndroidManifest.xml  Applications are self-signed; no CA required  Signatures define persistence and authorship
  • 26. Android Security Model  Linux process sandbox  Permission based component interaction  Dalvik is not a security boundary  All applications need to be signed  Signature define persistence and authorship  Install time security decisions  Crypto APIs
  • 28. Install Time Check Who are you? What do you want to do?
  • 29. Sandbox Based on permissions, code sources, policy, keystore, protection domains Process Sandbox
  • 30. Signature Identity and Trust Authorship and Persistence
  • 31. Permissions Enforced by VM Enforced by OS
  • 32. Protection Domain Code Sources + Permissions Process
  • 33. Virtual Machine Is a security boundary Is NOT a security boundary
  • 34. Thank you! pragati.rai@paypal.com @pragatiogal http://www.slideshare.net/pragatiogal

Notes de l'éditeur

  1. Total system RAM is 64 MB; available after low level startup: 40MB and after high level services have started: 20 MB and large system libs 10 MB
  2. "java.version" property returns "java.class.version" invariably returns 50"user.home" and "user.name" properties do not existHighly optimized VM to support multiple VM instances with own address space and separate memoryRelies on Linux kernel for underlying functionality such as threading and low-level memory managementLibrary built on a subset of the Apache Harmony JavaMemory is clean (mmap() and unwritten)) or dirty (malloc)Shared memory: used by many processesPrivate memory used by one process
  3. ExamplesDex structures are using valid indices and offsets and code can’t misbehaveOptimaization: byte swapping (not needed on ARM)m static linking, pruning empty methodsRelies on Linux kernel for underlying functionality Garbage Collector is independent for each process but respect sharingBytecode verifierOptimization“Exact” GCIntra-application SecurityAnalysis & Debugging