Mobile Application Security on Android

Originally presented by Jesse Burns at Black Hat 2009

What is Android?
Smart Phone Operating System Based on the Linux kernel Expanded to support cellular based communication

GSM, CMDA

Java like middleware

More Android

Open Source
Mostly Apache v2 license
Linux kernel is GPLv2

Free Open APIs

If Google uses them, so can developers

Applications

Built from for components

Activity
Service Content Provider Broadcast Receiver

Run in own VM sandbox using unique UID

More on Apps
Use explicitly defined permissions Communicate through Intents Intents are Inter-Process Communications Applications register which Intents they wish to handle

Signatures

applications must be signed, but are usually self-signed

proves no relationship with Google, but creates chain of trust between updates and

among applications

Permissions I
>100 defined by the system Declared at install time in Manifest.xml Disclosed by PackageInstaller, protected by root ownership

Permissions II

applications can define arbitrary new perms

normal dangerous signature signatureOrSystem

Permission III
Permissions checked at runtime SecurityException thrown if permission denied

Intents
Core of Android IPC Can cross security boundaries Generally defined as a goal action and some data

10

Intent II

Used to:
Start an Activity
Broadcast events or changes Start, stop, or communicate with

background Services Access data held by ContentProviders Call backs to handle events

11

Intent Filters
Used to determine recipient of Intent Can be overridden Provide no security

Intents can explicitly define receiver

12

Activities

The user interface consists of a series of Activity components. Each Activity is a screen. User actions tell an Activity to start another Activity, possibly with the expectation of a result.

13

Activity II
The

target Activity is not necessarily in the same application. Directly or via Intent action strings. Processing stops when another Activity is on top.
Must be able to handle malformed intents Dont start Intents that contain sensitive data

14

Activity III

Starting an Activity from an Intent

15

Activity IV

Forcing an Activity to start

16

Activity V

Protecting Activities

17

Broadcasts
Act as recievers for multiple components Provide secure IPC Done by specifying permissions on BroadcastReceiver regarding sender Otherwise, behave like activities in terms of IPC

18

Broadcast II
Still need to validate input just in case Sticky Broadcasts

Persistent Apps require special permissions to

create/destroy sticky broadcasts No guarantee of persistence Cant define permission

Dont send sensitive data

19

Services
Run in background Play music, alarm clock, etc Secured using permissions Callers may need to verify that Service is the correct one

20

Services II

Verification:
Check Services permissions
res = getPackageManager().checkPermission(permToCheck, name.getPackageName());

21

ContentProviders
Generally SQL backend Used to share content between apps Access controlled through permission tags

22

ContentProviders II

Apps can be dynamically authorized access

Possible security hole

Must protect against SQL injection

Sanitize input using parameterization

23

Intent Reflection
Intents may be sent when app is called App sends Intent as app and not as caller: reflection

May exceed callers permissions

Use PendingIntent instead, intent correctly identified as coming from caller

24

File System
Internally standard Linux file systems yaffs2, ext* Support stand Unix permissions Vulnerabilities if permissions not set correctly

Sensitive data could be read Other programs could write junk/waste

space

25

File System II

Consider what files need what protections

Config files: not writeable Log files: not world readable

Mass storage formatted as FAT, no Unix permissions support

All data world readable Consider encryption

26

Binder
Kernel module that provides secure IPC on top of the standard Linux shared memory architecture Includes interface to Parceable

Parceable objects are passed by Binder

Can also move file descriptors, and other Binders

27

Binder II

Efficient, secure IPC

Check callers permissions / identity
Only selectively give out interface Once given out, interface can be disseminated freely

All Binders are globally unique

28