SlideShare a Scribd company logo

Android Security

Download as PPTX, PDF
Arqum Ahmad
Arqum Ahmad

The given presentation is a part of my work in field of Smartphone Security. The talk given in IIIT- Naya Raipur on April-2,2016

Mobile
1 of 37
YOU REALLY THINK YOU ARE SAFE ?? Answer lies inside.
Android Security An Introduction E-security summit Computer Society of India Allahabad Chapter
About Us Arqum Ahmad Student 4th Sem B.Tech Information Technology Jay Tibrewal Student 4th Sem B.Tech Information Technology Indian Institute of Information Technology, Allahabad Under the guidance & supervision of Prof. Dr. O.P. Vyas Professor Dean R&D IIIT-A
GROWTH OF SMARTPHONE Period Android iOS Windows Phone BlackBerry OS Others 2015Q2 82.8% 13.9% 2.6% 0.3% 0.4% 2014Q2 84.8% 11.6% 2.5% 0.5% 0.7% 2013Q2 79.8% 12.9% 3.4% 2.8% 1.2% 2012Q2 69.3% 16.6% 3.1% 4.9% 6.1% Source: IDC, AUG 2015
How much unsecure is ANDROID ?
Who is this ?
Is your android secured ? In a major conference, the former CEO of Google.Inc Eric Schmidt claimed that ANDROID is more secure than iPhone
What do you think about the audience’s response.
They laughed , A LOT.
Why Care ? • “Android users are two and half times as likely to encounter malware today than 6 months ago…” -Lookout Mobile Threat Report • “Today’s mobile devices are a mix bag when it comes to security… still vulnerable to many traditional attacks..” -Carey Nachenberg, Symantec • The growth rate in malware within Android is huge; in the future there will definetly be more.” -Nikolay Grebennikov, CTO of Kaspersky • “Any time a technology becomes adopted and popular, that technology will be targeted by the bad guys.” -Jay Abbott, PricewaterhouseCoopers LLP
Outline • Security Basics • Smartphone’s security • Android Platform • Device and data Security
Smartphone, Android Mobile Security
Smartphone Security App Markets
Data on Smartphones • Emails/SMS • Contacts • Pictures • GPS Data • Google searches & Web History • Documents • Account Information &Passwords • Banking Data Almost everything that was on your desktop a couple of years ago.
THE ANDROID PLATFORM
ANDROID Architecture
What is an APP AndroidManifest.xml res/* classes/.dex META-INF/MANIFEST.MF META-INF/CRT.SF META-INF/CERT.RSA .apk Android Package Name of the package Describes components of the App Required Permissions Minimum level of API App Resources Dalvik Bytecode (all classes in one file) MANIFEST.MF : Hashes of all files. CERT.SF : Hash of MANEFEST.MF and hashes of all the entries in MANIFEST.MF CERT.RSA: Signature of CERT.SF file including the signer’s certificate(public key itself)
App Installation • .apk Package are self signed! • It’s not about the trustworthiness of the developer! • The signature is just checked at installation time • Files may be manipulated after that! • At installation every App gets an own Linux User assigned • Example: app_user_10 • Every App gets a directory within the filesystem • Example: /data/data/com.example.MyApp
Where does App run? • Every App runs within it’s own Linux process • And as it’s own Linux user! • Within the process a Dalvik VM instances is running • Most Apps are just JAVA based • Or they are Web based running within WebKit • Native code can also be used for specific use-cases • Over JNI or completely native
Android Apps and Processes zygote Dalvik VM dex libs uid=0(root) gid=0(root) com.example.App1 Dalvik VM dex libs uid=10040(app_40) gid=10040app_40) Dalvik VM dex libs com.example.App1 uid=10041(app_41) gid=10041app_41) Kernel fork()
Android Permissions • Defined within AndroidManifest.xml • Different Protection Levels (predefined) • Normal, dangereous. Signature, signatureOrSystem <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.SEND_SMS" /> ... </manifest>
Android Permissions (Contd.) • Require permissions to interact with App • Permission required to pass an intent e.g. to startActivity() • Intent send through ActivityManagerService • System Content Providers are normal Apps e.g. com.android.provider.contacts • Permissions required to read/write content providers can be defined • Content Provider are “invoked” by ContentResolver.query() <permission android:name="com.example.myApp.permission.CRITICAL_ACTIVITY" android:label="@string/permlab_criticalActivity" android:description="@string/permdesc_criticalActivity" android:permissionGroup="android.permission-group.COST_MONEY" android:permissionLevel="dangerous" />
Android Sandbox • Sandboxing is implemented by the Android Permission Model and Linux User separation • Process are separated by different UIDs • Filesystem Access is authorized by File Permissions • Android API calls are authorized according to the Android permissions e.g. access to Contacts, SMS, Location… • Network, SD Card or Blutooth access is authorized by Linux Group Membership
Escaping The Sandbox • Apps can talk to other Apps via • Intents • IPC (Binder) • Content Providers • Otherwise, to escape our sandbox, we need to use Permissions • Some permissions are only available to system apps
Installing App from Unknown Source • Downloaded App from Unknown Source • Download .apk directly from internet • Black Market App (Cracked version of Paid App)
STOP!
I’m saying Think Again!
OK! Do it on your own risk! You’re the last person I trust 
Device And Data Security
http://xkcd.com/538/
Device Protection • Screen Lock with PIN, Password, pattern, etc • Bootloader is locked by DEFAULT
Boot Process Power on boot ROM code execution Load the Bootloader Load the Linux Kernel Init Process Launch Zygote and Dalvik Initialize Sysytem Server Depends on Device
Rooting • By default there is no way to execute app as root • Rooting: Find a way to run apps/ process as root! • Eg. Install a Super User binary • If you want to do it safely, do not do it! • An unlocked bootloader is risky!
Attack Paths By Software Malicious App with too much permissions Malicious App elevating privileges Exploited Vulnerable App e.g. Browser Physical Attack ADB enabled? Install App with all permissions and extract data! Bootloader Unlocked? Dump with recovery image Hardware technique? Dump with Hardware technique Is storage encrypted? Brute-Force encryption key offline!
Conclusion • Passcode should be used • As comlex as possible, as usual • But it does’t full protection! • Physical acquisition is a serious threat • Lack of hardware support encryption • Hardware module with hardware key would be better! • Debug mode is evil!
Sources • Hacktivity-2012 Android Security • developers.android.com • Stackoverflow.com
ITS SHOW TIME!

Recommended

Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 

Recommended

Android Security
Android SecurityAndroid Security
Android SecuritySuminda Gunawardhana
 
Android Security
Android SecurityAndroid Security
Android SecurityLars Jacobs
 
Android security
Android securityAndroid security
Android securityMidhun P Gopi
 
Android security
Android securityAndroid security
Android securityMobile Rtpl
 
Understanding android security model
Understanding android security modelUnderstanding android security model
Understanding android security modelPragati Rai
 
Deep Dive Into Android Security
Deep Dive Into Android SecurityDeep Dive Into Android Security
Deep Dive Into Android SecurityMarakana Inc.
 
Mobile security
Mobile securityMobile security
Mobile securitypriyanka pandey
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application SecurityIshan Girdhar
 
Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Android Application Development
Android Application DevelopmentAndroid Application Development
Android Application DevelopmentBenny Skogberg
 
Android ppt
Android pptAndroid ppt
Android pptAnsh Singh
 
Mobile Security
Mobile SecurityMobile Security
Mobile SecurityMarketingArrowECS_CZ
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
Android seminar ppt
Android seminar pptAndroid seminar ppt
Android seminar pptchakrapani tripathi
 
Android - A brief introduction
Android - A brief introductionAndroid - A brief introduction
Android - A brief introductionRoshan Gautam
 
Introduction to Android and Android Studio
Introduction to Android and Android StudioIntroduction to Android and Android Studio
Introduction to Android and Android StudioSuyash Srijan
 
Mobile security
Mobile securityMobile security
Mobile securitydilipdubey5
 
Android Location and Maps
Android Location and MapsAndroid Location and Maps
Android Location and MapsJussi Pohjolainen
 
Introduction to Android Development
Introduction to Android DevelopmentIntroduction to Android Development
Introduction to Android DevelopmentAly Abdelkareem
 
Basic android-ppt
Basic android-pptBasic android-ppt
Basic android-pptSrijib Roy
 
Presentation on Android application
Presentation on Android applicationPresentation on Android application
Presentation on Android applicationAtibur Rahman
 
Introduction to android
Introduction to androidIntroduction to android
Introduction to androidzeelpatel0504
 
Android ppt
Android ppt Android ppt
Android ppt blogger at indiandswad
 
Android Application Development Using Java
Android Application Development Using JavaAndroid Application Development Using Java
Android Application Development Using Javaamaankhan
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2Krisshhna Daasaarii
 
Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 

More Related Content

What's hot

Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration TestingSubho Halder
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android SecurityAsanka Dilruk
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile ApplicationsDenim Group
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Securitycclark_isec
 
Android Application Development
Android Application DevelopmentAndroid Application Development
Android Application DevelopmentBenny Skogberg
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysisJason Ross
 
Android - A brief introduction
Android - A brief introductionAndroid - A brief introduction
Android - A brief introductionRoshan Gautam
 
Introduction to Android and Android Studio
Introduction to Android and Android StudioIntroduction to Android and Android Studio
Introduction to Android and Android StudioSuyash Srijan
 
Introduction to Android Development
Introduction to Android DevelopmentIntroduction to Android Development
Introduction to Android DevelopmentAly Abdelkareem
 
Basic android-ppt
Basic android-pptBasic android-ppt
Basic android-pptSrijib Roy
 
Presentation on Android application
Presentation on Android applicationPresentation on Android application
Presentation on Android applicationAtibur Rahman
 
Introduction to android
Introduction to androidIntroduction to android
Introduction to androidzeelpatel0504
 
Android Application Development Using Java
Android Application Development Using JavaAndroid Application Development Using Java
Android Application Development Using Javaamaankhan
 

What's hot (20)

Android Security & Penetration Testing
Android Security & Penetration TestingAndroid Security & Penetration Testing
Android Security & Penetration Testing
 
Understanding Android Security
Understanding Android SecurityUnderstanding Android Security
Understanding Android Security
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Android Application Development
Android Application DevelopmentAndroid Application Development
Android Application Development
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Mobile Security
Mobile SecurityMobile Security
Mobile Security
 
Android malware analysis
Android malware analysisAndroid malware analysis
Android malware analysis
 
Android seminar ppt
Android seminar pptAndroid seminar ppt
Android seminar ppt
 
Android - A brief introduction
Android - A brief introductionAndroid - A brief introduction
Android - A brief introduction
 
Introduction to Android and Android Studio
Introduction to Android and Android StudioIntroduction to Android and Android Studio
Introduction to Android and Android Studio
 
Mobile security
Mobile securityMobile security
Mobile security
 
Android Location and Maps
Android Location and MapsAndroid Location and Maps
Android Location and Maps
 
Introduction to Android Development
Introduction to Android DevelopmentIntroduction to Android Development
Introduction to Android Development
 
Basic android-ppt
Basic android-pptBasic android-ppt
Basic android-ppt
 
Presentation on Android application
Presentation on Android applicationPresentation on Android application
Presentation on Android application
 
Introduction to android
Introduction to androidIntroduction to android
Introduction to android
 
Android ppt
Android ppt Android ppt
Android ppt
 
Android Application Development Using Java
Android Application Development Using JavaAndroid Application Development Using Java
Android Application Development Using Java
 
Mobile App Security Testing -2
Mobile App Security Testing -2Mobile App Security Testing -2
Mobile App Security Testing -2
 

Viewers also liked

Android security in depth
Android security in depthAndroid security in depth
Android security in depthSander Alberink
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionTandhy Simanjuntak
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and PrivacyAnika Tasnim Hafiz
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel BugsJiahong Fang
 
Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)Ontico
 
Android coding standard
Android coding standard Android coding standard
Android coding standard Rakesh Jha
 
Naya raipur chhattisgarh
Naya raipur chhattisgarhNaya raipur chhattisgarh
Naya raipur chhattisgarhDeepakMahadeo
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applicationsh4oxer
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsBlrDroid
 
Mobile device security informative v2
Mobile device security informative v2Mobile device security informative v2
Mobile device security informative v2Salman Zahid
 
Android security model
Android security modelAndroid security model
Android security modelrrand1
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 networkidsecconf
 

Viewers also liked (16)

Android security in depth
Android security in depthAndroid security in depth
Android security in depth
 
Permission in Android Security: Threats and solution
Permission in Android Security: Threats and solutionPermission in Android Security: Threats and solution
Permission in Android Security: Threats and solution
 
Brief Tour about Android Security
Brief Tour about Android SecurityBrief Tour about Android Security
Brief Tour about Android Security
 
Information Security and Privacy
Information Security and PrivacyInformation Security and Privacy
Information Security and Privacy
 
Digging for Android Kernel Bugs
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
 
Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)Security in Android Applications / Александр Смирнов (RedMadRobot)
Security in Android Applications / Александр Смирнов (RedMadRobot)
 
Android coding standard
Android coding standard Android coding standard
Android coding standard
 
Naya raipur chhattisgarh
Naya raipur chhattisgarhNaya raipur chhattisgarh
Naya raipur chhattisgarh
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
CONNECTKaro 2015 - Land Management For Smart Cities - Naya Raipur
CONNECTKaro 2015 - Land Management For Smart Cities - Naya RaipurCONNECTKaro 2015 - Land Management For Smart Cities - Naya Raipur
CONNECTKaro 2015 - Land Management For Smart Cities - Naya Raipur
 
Sdp Aicte
Sdp AicteSdp Aicte
Sdp Aicte
 
Android Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android ApplicationsAndroid Security - Common Security Pitfalls in Android Applications
Android Security - Common Security Pitfalls in Android Applications
 
Mobile device security informative v2
Mobile device security informative v2Mobile device security informative v2
Mobile device security informative v2
 
Android security model
Android security modelAndroid security model
Android security model
 
y3dips hacking priv8 network
y3dips hacking priv8 networky3dips hacking priv8 network
y3dips hacking priv8 network
 
Testing Android Security
Testing Android SecurityTesting Android Security
Testing Android Security
 

Similar to Android Security

Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security ProgramDenim Group
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3mPrem Kumar (OSCP)
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)ClubHack
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Subhransu Behera
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on androidRavishankar Kumar
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...tdc-globalcode
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Márcio Rosa
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarDenim Group
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2Sam Bowne
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applicationsmgianarakis
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaYogesh Ojha
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Blueinfy Solutions
 
Mobile security
Mobile securityMobile security
Mobile securityStefaan
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)Sam Bowne
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration TestingSurabaya Blackhat
 
android Security
android Security android Security
android Security darkC0de
 

Similar to Android Security (20)

Building a Mobile Security Program
Building a Mobile Security ProgramBuilding a Mobile Security Program
Building a Mobile Security Program
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
iOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3miOS-Application-Security-iAmPr3m
iOS-Application-Security-iAmPr3m
 
Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)Pentesting Mobile Applications (Prashant Verma)
Pentesting Mobile Applications (Prashant Verma)
 
Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1Hacking and Securing iOS Apps : Part 1
Hacking and Securing iOS Apps : Part 1
 
Analysis and research of system security based on android
Analysis and research of system security based on androidAnalysis and research of system security based on android
Analysis and research of system security based on android
 
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
 
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
 
How iOS and Android Handle Security Webinar
How iOS and Android Handle Security WebinarHow iOS and Android Handle Security Webinar
How iOS and Android Handle Security Webinar
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
6. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 26. Analyzing Android Applications Part 2
6. Analyzing Android Applications Part 2
 
Yow connected developing secure i os applications
Yow connected developing secure i os applicationsYow connected developing secure i os applications
Yow connected developing secure i os applications
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Android security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh OjhaAndroid security and penetration testing | DIVA | Yogesh Ojha
Android security and penetration testing | DIVA | Yogesh Ojha
 
Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013Mobile code mining for discovery and exploits nullcongoa2013
Mobile code mining for discovery and exploits nullcongoa2013
 
Mobile security
Mobile securityMobile security
Mobile security
 
6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)6 Analyzing Android Applications (Part 2)
6 Analyzing Android Applications (Part 2)
 
Hacking Mobile Apps
Hacking Mobile AppsHacking Mobile Apps
Hacking Mobile Apps
 
Android Security and Peneteration Testing
Android Security and Peneteration TestingAndroid Security and Peneteration Testing
Android Security and Peneteration Testing
 
android Security
android Security android Security
android Security
 

Recently uploaded

Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Pooja Nehwal
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7Pooja Nehwal
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceDelhi Call girls
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPsychicRuben LoveSpells
 
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...wyqazy
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceanilsa9823
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRnishacall1
 
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...Niamh verma
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceanilsa9823
 

Recently uploaded (9)

Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
Call US Pooja 9892124323 ✓Call Girls In Mira Road ( Mumbai ) secure service,
 
9892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x79892124323 | Book Call Girls in Juhu and escort services 24x7
9892124323 | Book Call Girls in Juhu and escort services 24x7
 
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort ServiceBDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
BDSM⚡Call Girls in Sector 71 Noida Escorts >༒8448380779 Escort Service
 
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost LoverPowerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
Powerful Love Spells in Arkansas, AR (310) 882-6330 Bring Back Lost Lover
 
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
哪里有卖的《俄亥俄大学学历证书+俄亥俄大学文凭证书+俄亥俄大学学位证书》Q微信741003700《俄亥俄大学学位证书复制》办理俄亥俄大学毕业证成绩单|购买...
 
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Saharaganj Lucknow best sexual service
 
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCRFULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
FULL ENJOY - 9999218229 Call Girls in {Mahipalpur}| Delhi NCR
 
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
Chandigarh Call Girls Service ❤️🍑 9115573837 👄🫦Independent Escort Service Cha...
 
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun serviceCALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
CALL ON ➥8923113531 🔝Call Girls Gomti Nagar Lucknow best Night Fun service
 

Android Security

  • 1. YOU REALLY THINK YOU ARE SAFE ?? Answer lies inside.
  • 2. Android Security An Introduction E-security summit Computer Society of India Allahabad Chapter
  • 3. About Us Arqum Ahmad Student 4th Sem B.Tech Information Technology Jay Tibrewal Student 4th Sem B.Tech Information Technology Indian Institute of Information Technology, Allahabad Under the guidance & supervision of Prof. Dr. O.P. Vyas Professor Dean R&D IIIT-A
  • 4. GROWTH OF SMARTPHONE Period Android iOS Windows Phone BlackBerry OS Others 2015Q2 82.8% 13.9% 2.6% 0.3% 0.4% 2014Q2 84.8% 11.6% 2.5% 0.5% 0.7% 2013Q2 79.8% 12.9% 3.4% 2.8% 1.2% 2012Q2 69.3% 16.6% 3.1% 4.9% 6.1% Source: IDC, AUG 2015
  • 5. How much unsecure is ANDROID ?
  • 7. Is your android secured ? In a major conference, the former CEO of Google.Inc Eric Schmidt claimed that ANDROID is more secure than iPhone
  • 8. What do you think about the audience’s response.
  • 9. They laughed , A LOT.
  • 10. Why Care ? • “Android users are two and half times as likely to encounter malware today than 6 months ago…” -Lookout Mobile Threat Report • “Today’s mobile devices are a mix bag when it comes to security… still vulnerable to many traditional attacks..” -Carey Nachenberg, Symantec • The growth rate in malware within Android is huge; in the future there will definetly be more.” -Nikolay Grebennikov, CTO of Kaspersky • “Any time a technology becomes adopted and popular, that technology will be targeted by the bad guys.” -Jay Abbott, PricewaterhouseCoopers LLP
  • 11. Outline • Security Basics • Smartphone’s security • Android Platform • Device and data Security
  • 14. Data on Smartphones • Emails/SMS • Contacts • Pictures • GPS Data • Google searches & Web History • Documents • Account Information &Passwords • Banking Data Almost everything that was on your desktop a couple of years ago.
  • 17. What is an APP AndroidManifest.xml res/* classes/.dex META-INF/MANIFEST.MF META-INF/CRT.SF META-INF/CERT.RSA .apk Android Package Name of the package Describes components of the App Required Permissions Minimum level of API App Resources Dalvik Bytecode (all classes in one file) MANIFEST.MF : Hashes of all files. CERT.SF : Hash of MANEFEST.MF and hashes of all the entries in MANIFEST.MF CERT.RSA: Signature of CERT.SF file including the signer’s certificate(public key itself)
  • 18. App Installation • .apk Package are self signed! • It’s not about the trustworthiness of the developer! • The signature is just checked at installation time • Files may be manipulated after that! • At installation every App gets an own Linux User assigned • Example: app_user_10 • Every App gets a directory within the filesystem • Example: /data/data/com.example.MyApp
  • 19. Where does App run? • Every App runs within it’s own Linux process • And as it’s own Linux user! • Within the process a Dalvik VM instances is running • Most Apps are just JAVA based • Or they are Web based running within WebKit • Native code can also be used for specific use-cases • Over JNI or completely native
  • 20. Android Apps and Processes zygote Dalvik VM dex libs uid=0(root) gid=0(root) com.example.App1 Dalvik VM dex libs uid=10040(app_40) gid=10040app_40) Dalvik VM dex libs com.example.App1 uid=10041(app_41) gid=10041app_41) Kernel fork()
  • 21. Android Permissions • Defined within AndroidManifest.xml • Different Protection Levels (predefined) • Normal, dangereous. Signature, signatureOrSystem <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.android.app.myapp" > <uses-permission android:name="android.permission.INTERNET" /> <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" /> <uses-permission android:name="android.permission.READ_CONTACTS" /> <uses-permission android:name="android.permission.SEND_SMS" /> ... </manifest>
  • 22. Android Permissions (Contd.) • Require permissions to interact with App • Permission required to pass an intent e.g. to startActivity() • Intent send through ActivityManagerService • System Content Providers are normal Apps e.g. com.android.provider.contacts • Permissions required to read/write content providers can be defined • Content Provider are “invoked” by ContentResolver.query() <permission android:name="com.example.myApp.permission.CRITICAL_ACTIVITY" android:label="@string/permlab_criticalActivity" android:description="@string/permdesc_criticalActivity" android:permissionGroup="android.permission-group.COST_MONEY" android:permissionLevel="dangerous" />
  • 23. Android Sandbox • Sandboxing is implemented by the Android Permission Model and Linux User separation • Process are separated by different UIDs • Filesystem Access is authorized by File Permissions • Android API calls are authorized according to the Android permissions e.g. access to Contacts, SMS, Location… • Network, SD Card or Blutooth access is authorized by Linux Group Membership
  • 24. Escaping The Sandbox • Apps can talk to other Apps via • Intents • IPC (Binder) • Content Providers • Otherwise, to escape our sandbox, we need to use Permissions • Some permissions are only available to system apps
  • 25. Installing App from Unknown Source • Downloaded App from Unknown Source • Download .apk directly from internet • Black Market App (Cracked version of Paid App)
  • 26. STOP!
  • 28. OK! Do it on your own risk! You’re the last person I trust 
  • 29. Device And Data Security
  • 31. Device Protection • Screen Lock with PIN, Password, pattern, etc • Bootloader is locked by DEFAULT
  • 32. Boot Process Power on boot ROM code execution Load the Bootloader Load the Linux Kernel Init Process Launch Zygote and Dalvik Initialize Sysytem Server Depends on Device
  • 33. Rooting • By default there is no way to execute app as root • Rooting: Find a way to run apps/ process as root! • Eg. Install a Super User binary • If you want to do it safely, do not do it! • An unlocked bootloader is risky!
  • 34. Attack Paths By Software Malicious App with too much permissions Malicious App elevating privileges Exploited Vulnerable App e.g. Browser Physical Attack ADB enabled? Install App with all permissions and extract data! Bootloader Unlocked? Dump with recovery image Hardware technique? Dump with Hardware technique Is storage encrypted? Brute-Force encryption key offline!
  • 35. Conclusion • Passcode should be used • As comlex as possible, as usual • But it does’t full protection! • Physical acquisition is a serious threat • Lack of hardware support encryption • Hardware module with hardware key would be better! • Debug mode is evil!
  • 36. Sources • Hacktivity-2012 Android Security • developers.android.com • Stackoverflow.com