Java & The Android Stack: A Security Analysis

Pragati Ogal Rai
Mobile Technology Evangelist
PayPal, eBay Inc.

pragati.rai@paypal.com
@pragatiogal
Java Conference, Bangalore, Dec 8, 2012
Agenda

   Java 2 Security Model

   Android Security Model

   Summarize
Java 2 Security Model
Java

   Developed by Sun Microsystems in the early
    1990s

   Platform Independent

   Compiled to bytecode that runs on a Virtual
    Machine

   “Java is Secure”
Java 2 Security Model

   Platform Security
   Crypto APIs
   Authentication & Access Control
    APIs
   Secure Communication APIs
   Key Management APIs
Java Language Security

   Programs cannot access arbitrary memory
    locations

   Variables cannot be used before initialization

   Access methods are strictly adhered to

   Entities declared final must not be changed

   Objects cannot be arbitrarily cast into other
    objects
Java 2 Platform Security Model
[Figure: architecture diagram. Components shown: Remote Class Files, Signed Class Files, Local Class Files, Bytecode Verifier, Core API Class Files, Class Loader, Core Java API, Security Package, Security Manager, Key Database, Access Controller, Operating System]
Java 2 Sandbox Model


               • Fine grained access control
               • Configurable Security Policy
               • No built-in concept of trusted
                 local code
Security Policy File Example
// If the code is signed by "Pragati", grant it read/write access to all
// files in /tmp/pragati
grant signedBy "Pragati" {
    permission java.io.FilePermission "/tmp/pragati/*", "read,write";
};

// If the code is signed by "John", grant it read/write access to all
// files in /tmp/john
grant signedBy "John" {
    permission java.io.FilePermission "/tmp/john/*", "read,write";
};

// Grant everyone the following permission:
grant {
    permission java.io.FilePermission "/tmp/pragati/*", "read";
};

…………..
……….
Protection Domain
Domain name “Pragati”
Pragati’s certificate
Read/write access to /tmp/pragati/*

Domain name “John”
John’s certificate
Read/write access to /tmp/john/*
Read access to /tmp/pragati/*

…………..
……….

      Protection Domain = Code Source + Permission
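The two domains above, rebuilt from the three grant blocks of the policy file with the standard java.security classes. This is an added example, not code from the original deck: the jar locations are constructed placeholders and signer certificates are omitted, so signedBy matching is not exercised, only the permission sets that result from it.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class ProtectionDomainDemo {

    // Protection Domain = Code Source + Permissions.
    // The location is a constructed placeholder; certificates are null because
    // a stand-alone example has no keystore to load "Pragati" or "John" from.
    static ProtectionDomain domain(String location, Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        CodeSource source = new CodeSource(URI.create(location).toURL(), (Certificate[]) null);
        // Two-argument constructor: the permission set is static, so implies()
        // consults only this set and not any installed Policy.
        return new ProtectionDomain(source, perms);
    }

    // Ask the domain whether it implies the requested file permission.
    static String decide(ProtectionDomain d, String path, String actions) {
        return d.implies(new FilePermission(path, actions)) ? "ALLOW" : "DENY";
    }

    public static void main(String[] args) throws Exception {
        // Third grant block: no signedBy clause, so it applies to every domain.
        Permission everyone = new FilePermission("/tmp/pragati/*", "read");

        ProtectionDomain pragati = domain("file:/opt/demo/pragati.jar",
                new FilePermission("/tmp/pragati/*", "read,write"), everyone);
        ProtectionDomain john = domain("file:/opt/demo/john.jar",
                new FilePermission("/tmp/john/*", "read,write"), everyone);

        // Constructed sample requests (path, actions).
        String[][] requests = {
            {"/tmp/pragati/notes.txt", "read"},
            {"/tmp/pragati/notes.txt", "write"},
            {"/tmp/john/todo.txt", "read,write"},
            // "*" covers files directly in the directory; only "-" is recursive.
            {"/tmp/pragati/sub/report.txt", "read"},
            // Never granted by any block, so it falls through to deny.
            {"/etc/passwd", "read"},
        };

        System.out.printf("%-30s %-11s %-8s %-8s%n", "path", "actions", "Pragati", "John");
        for (String[] r : requests) {
            System.out.printf("%-30s %-11s %-8s %-8s%n", r[0], r[1],
                    decide(pragati, r[0], r[1]), decide(john, r[0], r[1]));
        }
    }
}
```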
Java 2 Security Model

   All code runs in a sandbox

   All classes are loaded with full bytecode verification

   All classes are loaded with Java language features

   Signed classes verify the integrity and origination of
    Java classes

   Security policy provides fine-grained access
   Crypto APIs
The Android Stack
Android

   Open Platform

   First phone based on Android came out in
    2009

   75% smartphone market share as of October [1]

[1] idc.com
Android Security Model

   Platform Security

   Crypto APIs

   Secure Communication APIs

   Key Management APIs
Install Time User Consent
Android OS Architecture




                          http://developer.android.com
Linux Kernel
   Unique UID and GID for each application at install time
   Sharing can occur through component interactions
   Linux Process Sandbox
Linux Kernel (Cont’d)




include/linux/android_aid.h

AID_NET_BT   3002   Can create Bluetooth Sockets
AID_INET     3003   Can create IPv4 and IPv6 Sockets
Middleware

   Libraries for code execution

   Libraries for services

   Take care of device specific issues

   Compiled to machine language

   Native and Java code
Java Virtual Machine?

   There is no JVM in Android platform

   No bytecode is executed

   JAR file will not run on Android platform
Dalvik Virtual Machine

   Dalvik does not align to Java SE or Java ME

   Library built on a subset of the Apache Harmony Java

   Highly optimized VM to support multiple VM instances

   Register based architecture

   Shared constant pool

   Executes Dalvik executables (.dex)
Dalvik Virtual Machine

   No security manager

   Permissions are enforced in OS and not in VM

   As of Android 2.2 Dalvik has a JIT compiler

   Dalvik Bytecode verification mainly for
    optimization

   GC for each VM instance
Android Application Structure

   Application is made of components
       Activity: Define screens
       Service: Background processing
       Broadcast Receiver: Mailbox for messages from other
        applications
       Content Provider: Relational database for sharing information

   Applications communicate through Intents
   Secure RPC using Binder
   AndroidManifest.xml defines policy for application
Permission Protection Levels
   Normal
       android.permission.VIBRATE
       com.android.alarm.permission.SET_ALARM
   Dangerous
       android.permission.SEND_SMS
       android.permission.CALL_PHONE
   Signature
       android.permission.FORCE_STOP_PACKAGES
       android.permission.INJECT_EVENTS
   SignatureOrSystem
       android.permission.ACCESS_USB
       android.permission.SET_TIME


             All components are secured by permissions
             Developers can define their own permissions as well
Application Layer Security

   Permissions restrict component interaction

   Permission labels defined in AndroidManifest.xml

   Applications are self-signed; no CA required

   Signatures define persistence and authorship
Android Security Model

   Linux process sandbox
   Permission based component interaction
   Dalvik is not a security boundary
   All applications need to be signed
   Signatures define persistence and authorship
   Install time security decisions
   Crypto APIs
Summary
Install Time Check


   Who are you?


   What do you want to do?
Sandbox


 Based on permissions, code sources,
 policy, keystore, protection domains


 Process Sandbox
Signature


  Identity and Trust


  Authorship and Persistence
Permissions


  Enforced by VM


  Enforced by OS
Protection Domain


  Code Sources + Permissions


  Process
Virtual Machine


  Is a security boundary


  Is NOT a security boundary
Thank you!



                           pragati.rai@paypal.com
                                      @pragatiogal
             http://www.slideshare.net/pragatiogal

SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Java & The Android Stack: A Security Analysis

  • 1. Java & The Android Stack: A Security Analysis Pragati Ogal Rai Mobile Technology Evangelist PayPal, eBay Inc. pragati.rai@paypal.com Java Conference, Bangalore, Dec 8, 2012 @pragatiogal
  • 2. Agenda: Java 2 Security Model; Android Security Model; Summarize
  • 4. Java: Developed by Sun Microsystems in the early 1990s; Platform Independent; Compiled to bytecode that runs on a Virtual Machine; “Java is Secure”
  • 5. Java 2 Security Model: Platform Security; Crypto APIs; Authentication & Access Control APIs; Secure Communication APIs; Key Management APIs
  • 6. Java Language Security: Programs cannot access arbitrary memory locations; Variables cannot be used before initialization; Access methods are strictly adhered to; Entities declared final must not be changed; Objects cannot be arbitrarily cast into other objects
  • 7. Java 2 Platform Security Model (diagram): Remote Class Files, Signed Class Files, Local Class Files; Bytecode Verifier; Core API Class Files; Class Loader; Core Java API; Security Package; Security Manager; Key Database; Access Controller; Operating System
  • 8. Java 2 Sandbox Model: Fine grained access control; Configurable Security Policy; No built-in concept of trusted local code
  • 9. Security Policy File Example
      // If the code is signed by "Pragati", grant it read/write access to all
      // files in /tmp/pragati
      grant signedBy "Pragati" {
          permission java.io.FilePermission "/tmp/pragati/*", "read,write";
      };
      // If the code is signed by "John", grant it read/write access to all
      // files in /tmp/john
      grant signedBy "John" {
          permission java.io.FilePermission "/tmp/john/*", "read,write";
      };
      // Grant everyone the following permission:
      grant {
          permission java.io.FilePermission "/tmp/pragati/*", "read";
      };
      ………….. ……….
  • 10. Protection Domain: Domain name “Pragati”: Pragati’s certificate, read/write access to /temp/pragati/*. Domain name “John”: John’s certificate, read/write access to /temp/john/*, read access to /temp/pragati/*. ………….. ………. Protection Domain = Code Source + Permission
  • 11. Java 2 Security Model: All code runs in a sandbox; All classes are loaded with full bytecode verification; All classes are loaded with Java language features; Signed classes verify the integrity and origination of Java classes; Security policy provides fine-grained access; Crypto APIs
  • 13. Android: Open Platform; First phone based on Android came out in 2009; 75% smartphone market share as of October (source: idc.com)
  • 14. Android Security Model: Platform Security; Crypto APIs; Secure Communication APIs; Key Management APIs
  • 15. Install Time User Consent
  • 16. Android OS Architecture (source: http://developer.android.com)
  • 17. Linux Kernel: Unique UID and GID for each application at install time; Sharing can occur through component interactions; Linux Process Sandbox
  • 18. Linux Kernel (Cont’d): include/linux/android_aid.h: AID_NET_BT (3002) can create Bluetooth sockets; AID_INET (3003) can create IPv4 and IPv6 sockets
  • 19. Middleware: Libraries for code execution; Libraries for services; Take care of device specific issues; Compiled to machine language; Native and Java code
  • 20. Java Virtual Machine? There is no JVM in Android platform; No bytecode is executed; JAR file will not run on Android platform
  • 21. Dalvik Virtual Machine: Dalvik does not align to Java SE or Java ME; Library built on a subset of the Apache Harmony Java; Highly optimized VM to support multiple VM instances; Register based architecture; Shared constant pool; Executes Dalvik executables (.dex)
  • 22. Dalvik Virtual Machine: No security manager; Permissions are enforced in OS and not in VM; As of Android 2.2 Dalvik has a JIT compiler; Dalvik Bytecode verification mainly for optimization; GC for each VM instance
  • 23. Android Application Structure: Application is made of components; Activity: Define screens; Service: Background processing; Broadcast Receiver: Mailbox for messages from other applications; Content Provider: Relational database for sharing information; Applications communicate through Intents; Secure RPC using Binder; AndroidManifest.xml defines policy for application
  • 24. Permission Protection Levels: Normal: android.permission.VIBRATE, com.android.alarm.permission.SET_ALARM; Dangerous: android.permission.SEND_SMS, android.permission.CALL_PHONE; Signature: android.permission.FORCE_STOP_PACKAGES, android.permission.INJECT_EVENTS; SignatureOrSystem: android.permission.ACCESS_USB, android.permission.SET_TIME. All components are secured by permissions. Developers can define their own permissions as well.
  • 25. Application Layer Security: Permissions restrict component interaction; Permission labels defined in AndroidManifest.xml; Applications are self-signed, no CA required; Signatures define persistence and authorship
  • 26. Android Security Model: Linux process sandbox; Permission based component interaction; Dalvik is not a security boundary; All applications need to be signed; Signatures define persistence and authorship; Install time security decisions; Crypto APIs
  • 28. Install Time Check: Who are you? / What do you want to do?
  • 29. Sandbox: Based on permissions, code sources, policy, keystore, protection domains / Process Sandbox
  • 30. Signature: Identity and Trust / Authorship and Persistence
  • 31. Permissions: Enforced by VM / Enforced by OS
  • 32. Protection Domain: Code Sources + Permissions / Process
  • 33. Virtual Machine: Is a security boundary / Is NOT a security boundary
  • 34. Thank you! pragati.rai@paypal.com @pragatiogal http://www.slideshare.net/pragatiogal
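
The protection domains of slides 9 and 10, evaluated with the standard java.security classes. This is an added example, not code from the slides: the grants are hard-coded to mirror the policy file on slide 9 (using its /tmp paths) instead of being parsed from it, the jar locations are constructed, and signer certificates are omitted.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class ProtectionDomainDemo {

    // Slide 10: protection domain = code source + permissions.
    // The jar locations are constructed; signer certificates are omitted (null).
    static ProtectionDomain domain(String jarUrl, FilePermission... grants) throws Exception {
        CodeSource source = new CodeSource(URI.create(jarUrl).toURL(), (Certificate[]) null);
        Permissions perms = new Permissions();
        for (FilePermission grant : grants) {
            perms.add(grant);
        }
        // Two-argument constructor: the permissions are static, no Policy lookup.
        return new ProtectionDomain(source, perms);
    }

    static boolean allowed(ProtectionDomain d, String path, String actions) {
        return d.implies(new FilePermission(path, actions));
    }

    public static void main(String[] args) throws Exception {
        // The unconditional "grant { ... }" entry applies to every domain.
        FilePermission everyone = new FilePermission("/tmp/pragati/*", "read");
        ProtectionDomain pragati = domain("file:/opt/demo/pragati.jar",
                new FilePermission("/tmp/pragati/*", "read,write"), everyone);
        ProtectionDomain john = domain("file:/opt/demo/john.jar",
                new FilePermission("/tmp/john/*", "read,write"), everyone);

        String[][] checks = {
            {"pragati", "/tmp/pragati/report.txt", "write"},
            {"pragati", "/tmp/john/notes.txt", "read"},
            {"john", "/tmp/pragati/report.txt", "read"},
            {"john", "/tmp/pragati/report.txt", "write"},
            // "*" covers direct children only; a recursive grant needs "/tmp/pragati/-".
            {"pragati", "/tmp/pragati/archive/old.txt", "read"},
        };
        for (String[] c : checks) {
            ProtectionDomain d = c[0].equals("pragati") ? pragati : john;
            System.out.printf("%-8s %-6s %-30s %s%n", c[0], c[2], c[1],
                    allowed(d, c[1], c[2]) ? "granted" : "denied");
        }
    }
}
```

The last check is the one to watch when reviewing policy files: a `/*` grant does not reach into subdirectories.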

Editor's notes

  1. Total system RAM is 64 MB; available after low level startup: 40 MB; after high level services have started: 20 MB; large system libs: 10 MB.
  2. "java.version" property returns "java.class.version" invariably returns 50. "user.home" and "user.name" properties do not exist. Highly optimized VM to support multiple VM instances with own address space and separate memory. Relies on Linux kernel for underlying functionality such as threading and low-level memory management. Library built on a subset of the Apache Harmony Java. Memory is clean (mmap() and unwritten) or dirty (malloc). Shared memory: used by many processes. Private memory: used by one process.
  3. Examples: Dex structures are using valid indices and offsets and code can’t misbehave. Optimization: byte swapping (not needed on ARM), static linking, pruning empty methods. Relies on Linux kernel for underlying functionality. Garbage Collector is independent for each process but respects sharing. Bytecode verifier. Optimization. “Exact” GC. Intra-application Security. Analysis & Debugging.