Android Security by Example
AnDevCon Boston 2013, transcript
Pragati Ogal Rai, Mobile Technology Evangelist, PayPal
@pragatiogal @PayPalDev
Agenda
Why do I care?
500,000+ apps on Google Play
Why do I care?
I’m free and open!
Why do I care?
You control your phone!
Why do I care?
(Diagram of the security stack: consumers, developers, carriers, OS vendors, OEMs, services and infrastructure.)
You only control your phone and your apps!
Architecture (diagram: developer.android.com)
Linux Kernel
Linux Process Sandbox
Each process gets a unique UID and GID
Linux Kernel (Cont'd)
include/linux/android_aid.h
AID_NET_BT 3002: can create Bluetooth sockets
AID_INET 3003: can create IPv4 and IPv6 sockets
Dalvik VM
Dalvik is not a security boundary
Dalvik VM
• No security manager
• Process isolation, memory management, threading enforced in OS
• Byte code verification for optimization
• No difference between native and Java code
Application Components
• Activity: Define screens
• Service: Background processing
• Broadcast Receiver: Mailbox for messages from other applications
• Content Provider: Relational database for sharing information
All components are secured with permissions
Activity
Check out developer.android.com
Activity
<activity android:name=".ExampleActivity"
    android:process=":new_process"
    android:exported="true"
    android:permission="android.permission.SEND_SMS">
    <intent-filter>
        <action android:name="android.intent.action.MAIN" />
        <category android:name="android.intent.category.LAUNCHER" />
    </intent-filter>
</activity>
Activity
Intent intent = new Intent(Intent.ACTION_SEND);
intent.putExtra(Intent.EXTRA_EMAIL, recipientArray);
startActivity(intent);
Often run in their UID
Secured using permissions
Visibility can be set
Add categories to Intent Filter
Badly configured data can be passed using Intent
Do not pass sensitive data in intents
Service
<service
    android:enabled=["true" | "false"]
    android:exported=["true" | "false"]
    android:icon="drawable resource"
    android:isolatedProcess=["true" | "false"]
    android:label="string resource"
    android:name="string"
    android:permission="string"
    android:process="string" >
    . . .
</service>
Service
<service
android:name="bookService"
android:process=":my_process"
android:icon="@drawable/icon"
android:label="@string/service_name" >
. . . . . . .
</service>
Service
• Component can “bind” to service using bindService()
• Binder channel to talk to service
• Check permissions of calling component against
PERMISSION_DENIED or PERMISSION_GRANTED
getPackageManager().checkPermission( permToCheck, name.getPackageName())
Binder
• Synchronous RPC mechanism
• Define interface with AIDL
• Same process or different processes
• transact() and Binder.onTransact()
• Data sent as a Parcel
• Secured by caller permission or identity checking
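As an added example (not from the deck), a bound service applying the caller-permission and identity checks that the Service and Binder slides above describe. BookService and its TXN_GET_TITLE transaction are hypothetical; the permission name reuses the deck's own com.example.android.book.READ_BOOKSTORE, assumed to be declared in the manifest.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
// Hypothetical bound service: one raw Binder transaction guarded by a permission.
public class BookService extends Service {
    private static final String PERM = "com.example.android.book.READ_BOOKSTORE";
    static final int TXN_GET_TITLE = IBinder.FIRST_CALL_TRANSACTION;
    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            // Identity check: inside onTransact() the calling UID is the remote caller's,
            // supplied by the Binder driver rather than by the caller itself.
            int callingUid = Binder.getCallingUid();
            String[] callerPkgs = getPackageManager().getPackagesForUid(callingUid);
            // Permission check, equivalent to running the deck's
            // PackageManager.checkPermission(PERM, pkg) over each caller package.
            if (checkCallingPermission(PERM) != PackageManager.PERMISSION_GRANTED) {
                throw new SecurityException("uid " + callingUid + " "
                        + (callerPkgs == null ? "" : callerPkgs[0]) + " lacks " + PERM);
            }
            if (code != TXN_GET_TITLE) {
                return super.onTransact(code, data, reply, flags);
            }
            // The Parcel was written by another process: validate before use.
            String isbn = data.readString();
            if (isbn == null || !isbn.matches("[0-9]{9}[0-9X]|[0-9]{13}")) {
                reply.writeException(new IllegalArgumentException("malformed ISBN"));
                return true;
            }
            reply.writeNoException();
            reply.writeString(lookupTitle(isbn));
            return true;
        }
    };
    private String lookupTitle(String isbn) {
        return "Title for " + isbn;   // stand-in for the real data access
    }
    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }
}
```

The SecurityException thrown inside onTransact() is written back into the reply Parcel by Binder, so the caller sees the rejection instead of a crashed service.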
Broadcast Receiver
(Diagram: a Service announces "I've got news!"; the Android System delivers the broadcast to the registered receivers, Receiver A, Receiver B and Receiver C.)
Broadcast Receiver
<receiver android:enabled=["true" | "false"]
android:exported=["true" | "false"]
android:icon="drawable resource"
android:label="string resource"
android:name="string"
android:permission="string"
android:process="string" >
. . .
</receiver>
Broadcast Receiver
<receiver android:name=".MyListener"
    android:permission="android.permission.READ_SMS">
    <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED" />
    </intent-filter>
</receiver>
Protecting a receiver with permission
Broadcast Receiver
Selecting which receivers get an Intent
Intent intent = new Intent();
intent.setAction(MY_BROADCAST_ACTION);
// The second argument is a permission: only receivers whose application holds it are delivered the broadcast
sendBroadcast(intent, "android.permission.READ_SMS");
Broadcasts
• Sending Broadcast Intents
– For sensitive data, pass manifest permission name
• Receiving Broadcast Intents
– Validate input from intents
– Intent Filter is not a security boundary
– Categories narrow down delivery but do not guarantee security
– android:exported=true
• Sticky broadcasts stick around
– Need special privilege BROADCAST_STICKY
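An added example, not from the deck, of the sending and receiving points above: the sender names the permission a receiver must hold, and the receiver validates what arrives. The action, extra and permission names are hypothetical, and the receiver is assumed to be declared in the manifest with android:permission set and an intent filter for the action.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;

// Hypothetical names for the action, extra and permission.
public final class BookBroadcasts {
    public static final String ACTION_BOOK_ADDED = "com.example.android.book.action.BOOK_ADDED";
    public static final String PERM_READ = "com.example.android.book.READ_BOOKSTORE";
    public static final String EXTRA_ISBN = "isbn";

    // Sender: the second argument is a manifest permission; only receivers whose
    // application holds it are delivered the intent. Nothing sensitive travels in
    // the extras; receivers fetch details through the permission-guarded provider.
    public static void announceNewBook(Context ctx, String isbn) {
        Intent intent = new Intent(ACTION_BOOK_ADDED).putExtra(EXTRA_ISBN, isbn);
        ctx.sendBroadcast(intent, PERM_READ);
    }

    // Receiver, assumed declared in the manifest with android:permission="..."
    // and an <intent-filter> for ACTION_BOOK_ADDED. The filter only decides what
    // is delivered, so the action is re-checked and every extra treated as untrusted.
    public static final class BookAddedReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context ctx, Intent intent) {
            String isbn = validIsbn(intent);
            if (isbn == null) {
                return;   // malformed or unexpected broadcast: ignore it
            }
            // ... query the content provider for isbn ...
        }
    }

    /** Returns the ISBN carried by a well-formed BOOK_ADDED intent, else null. */
    static String validIsbn(Intent intent) {
        if (intent == null || !ACTION_BOOK_ADDED.equals(intent.getAction())) {
            return null;
        }
        String isbn = intent.getStringExtra(EXTRA_ISBN);   // null if absent or not a String
        return isbn != null && isbn.matches("[0-9]{9}[0-9X]|[0-9]{13}") ? isbn : null;
    }
}
```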
Content Provider
(Diagram: a Content Provider in Application A fronts a SQLite DB, Internet data, files or a remote database; Activity 1 in Application A and Activity 2 in Application B query it.)
Allows applications to share data
Protected with permissions
Content providers use URI schemes
content://<authority>/<table>/[<id>]
Content Provider
<provider android:authorities="list"
    android:enabled=["true" | "false"]
    android:exported=["true" | "false"]
    android:grantUriPermissions=["true" | "false"]
    android:icon="drawable resource"
    android:initOrder="integer"
    android:label="string resource"
    android:multiprocess=["true" | "false"]
    android:name="string"
    android:permission="string"
    android:process="string"
    android:readPermission="string"
    android:syncable=["true" | "false"]
    android:writePermission="string" >
    . . .
</provider>
Content Provider
<provider
    android:authorities="com.example.android.books.contentprovider"
    android:name=".contentprovider.MyBooksdoContentProvider"
    android:readPermission="com.example.android.books.DB_READ"
    android:writePermission="com.example.android.book.DB_WRITE">
    <grant-uri-permission android:path="/figures/" />
    <meta-data android:name="books" android:value="@string/books" />
</provider>
Application
Check tag declaration on developer.android.com
Permissions
Permissions restrict component interaction
Permission labels defined in AndroidManifest.xml
MAC enforced by Reference Monitor
PackageManager and ActivityManager enforce permissions
Applica>on Permissions
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
Permissions for External Applications
Defined in <application> tag
Defined in component tags: <activity>, <provider>, <receiver>, <service>
Component permission overrides application level permission
Permissions for External Applications
<application
    android:allowBackup="true"
    android:icon="@drawable/ic_launcher"
    android:label="@string/app_name"
    android:permission="android.permission.ACCESS_COARSE_LOCATION">
    <service android:enabled="true"
        android:name=".MyService"
        android:permission="android.permission.WRITE_EXTERNAL_STORAGE">
    </service>
    . . .
</application>
Permission Protection Levels
Normal: android.permission.VIBRATE, com.android.alarm.permission.SET_ALARM
Dangerous: android.permission.SEND_SMS, android.permission.CALL_PHONE
Signature: android.permission.FORCE_STOP_PACKAGES, android.permission.INJECT_EVENTS
SignatureOrSystem: android.permission.ACCESS_USB, android.permission.SET_TIME
User Defined Permissions
<permission android:name="com.example.android.book.READ_BOOKSTORE"
    android:description="@string/perm_read_bookstore"
    android:label="Read access to books database"
    android:permissionGroup="BOOKSTORE_PERMS"
    android:protectionLevel="dangerous"/>
<permission-group android:description="@string/perm_group_bookstore"
    android:label="@string/perm_group_bookstore_label"
    android:name="BOOKSTORE_PERMS" />
Create a permission
Create a permission group
User Defined Permissions
<permission-tree android:name="com.example.android.book"
    android:label="@string/perm_tree_book" />
Create a permission tree
com.example.android.book
com.example.android.book.READ_BOOK
com.example.android.book.bookstore.READ_BOOKSTORE
com.example.android.book.bookstore.WRITE_BOOKSTORE
Storing & Sharing
Sharing with internal applications (same certificate)
Sharing with external applications
Sharing with Internal Applications
• sharedUserID
• Preferences
• Cache
• Intents
sharedUserID
Run applications in the same UID
sharedUserID
com.example.example1:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.example1"
    android:versionCode="1"
    android:versionName="1.0"
    android:sharedUserId="com.sharedID.example">
com.example.example2:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.example2"
    android:versionCode="1"
    android:versionName="1.0"
    android:sharedUserId="com.sharedID.example">
sharedUserID follows the package name format
Other naming conventions result in an error like INSTALL_PARSE_FAILED_BAD_SHARED_USER_ID
Preferences
• Store primitive data in key-value format
• Persistent storage
• Sandboxed with application
Cache
// Write to the cache file (getCacheDir() is the app's private cache directory)
String myString = new String("Hello World!");
File file = new File(getCacheDir(), "MyCacheFile");
FileOutputStream fOut = new FileOutputStream(file);
OutputStreamWriter osw = new OutputStreamWriter(fOut);
osw.write(myString);
osw.flush();
osw.close();
Cache file is sandboxed with application
Can be created on external storage: getExternalCacheDir()
Cache file is deleted when system is running low on memory
Sharing with External Applica>ons
• Content Providers
• Files
• Intents
• Databases
Files
• Applications have their own area for files
• Files are protected by Unix-like file permissions
• Different modes: world readable, world writable, private, append
FileOutputStream fos = openFileOutput("myFile", Context.MODE_WORLD_READABLE);
Intents
(Diagram: Intents and Binder, the latter exposed through AIDL, are the two inter-component channels.)
Inter Component Interaction
Asynchronous IPC
Explicit or Implicit Intents
Explicit Intents
(Diagram, "I know where you live!": an Activity in Application A targets a named Activity in Application B.)
Specify a component name
Do not put sensitive data in intents
Components need not be in same application
startActivity(Intent)
sendBroadcast(Intent)
Implicit Intents
(Diagram, "Get me the best match!": an Activity in Application A asks the system to choose among matching Activities in Applications B, C and D.)
No component name specified
Do not put sensitive data in intents
Components need not be in same application
startActivity(Intent)
sendBroadcast(Intent)
Pending Intent
• Token given to a foreign application to perform an action on your application's behalf
• Uses your application's permissions
• Even if its owning application's process is killed, the PendingIntent itself remains usable from other processes
• Provide component name in base intent
– PendingIntent.getActivity(Context, int, Intent, int)
(Diagram: Activity A hands Activity B a token: "Use my identity & permissions and get the job done!")
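Added example (not from the deck) of the PendingIntent guidance above: the base intent carries an explicit component name, so the application holding the token cannot point it at a different component. The activity class name, the helper and the use of FLAG_IMMUTABLE (a later, API 23+ flag) are assumptions beyond the deck.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

// Hypothetical helper building the token handed to a foreign app (a notification,
// an alarm, a widget host); whatever fires it runs with this app's identity and permissions.
public final class PendingIntents {
    // Hypothetical activity inside our own package.
    private static final String DETAILS_ACTIVITY = "com.example.android.book.BookDetailsActivity";

    /** Explicit base intent: the component is fixed, so the holder cannot redirect it. */
    public static PendingIntent forBookDetails(Context ctx, String isbn) {
        Intent base = new Intent()
                .setClassName(ctx, DETAILS_ACTIVITY)   // component name, as the slide requires
                .putExtra("isbn", isbn);               // no sensitive data rides in the intent
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= 23) {
            flags |= PendingIntent.FLAG_IMMUTABLE;     // holder can no longer alter the intent
        }
        return PendingIntent.getActivity(ctx, 0, base, flags);
    }

    /** For contrast, the shape to avoid: with no component name the holder may fill one in
     *  and launch whatever resolves, using our permissions. */
    static PendingIntent implicitBase(Context ctx) {
        Intent base = new Intent(Intent.ACTION_VIEW);
        return PendingIntent.getActivity(ctx, 0, base, PendingIntent.FLAG_UPDATE_CURRENT);
    }
}
```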
Intent Filters
• Activity Manager matches intents against Intent Filters
<receiver android:name="BootCompletedReceiver">
    <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter>
</receiver>
• Activity with Intent Filter enabled becomes "exported"
• Activity with "android:exported=true" can be started with any intent
• Intent Filters cannot be secured with permissions
• Add categories to restrict what intent can be called through
android.intent.category.BROWSABLE
Intent Filters
<intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <action android:name="android.intent.action.EDIT" />
    <action android:name="android.intent.action.PICK" />
    <category android:name="android.intent.category.DEFAULT" />
    <data android:mimeType="vnd.android.cursor.dir/vnd.google.note" />
</intent-filter>
AndroidManifest.xml
Turn debugging off
AndroidManifest.xml
Set component visibility right
AndroidManifest.xml
Protect components by permissions
AndroidManifest.xml
Define access rules
AndroidManifest.xml
Backup and storage decisions
External Storage
• Starting API 8 (Android 2.2) APKs can be stored on external devices
– APK is stored in an encrypted container called an asec file
– Key is randomly generated and stored on device
– Dex files, private data, native shared libraries still reside on internal memory
– External devices are mounted with "noexec"
• VFAT does not support Linux access control
• Sensitive data should be encrypted before storing
Applica>on Signature
• Applications are self-signed; no CA required
• Signatures define persistence
– Detect if the application has changed
– Application update
• Signatures define authorship
– Establish trust between applications
– Run in same Linux ID
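An added example, not from the deck, of the "establish trust between applications" point: before treating a caller as internal, a service or provider can confirm that the process on the other end of the Binder call was signed with the same certificate as this app. SignatureTrust is a hypothetical helper.

```java
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Process;

// Hypothetical helper for components that want "same certificate" as their trust rule.
public final class SignatureTrust {
    /** True when the current Binder caller is signed with our own signing certificate(s). */
    public static boolean callerSharesOurSignature(Context ctx) {
        int callerUid = Binder.getCallingUid();   // kernel-supplied identity of the caller
        if (callerUid == Process.myUid()) {
            // Same UID: our own app, or a sharedUserId partner, which already had to match.
            return true;
        }
        PackageManager pm = ctx.getPackageManager();
        // checkSignatures compares the complete certificate sets of the two UIDs;
        // anything other than SIGNATURE_MATCH (no match, unknown UID) is a refusal.
        return pm.checkSignatures(callerUid, Process.myUid()) == PackageManager.SIGNATURE_MATCH;
    }

    /** Package-name variant, for callers identified by name (e.g. ComponentName.getPackageName()).
     *  Prefer the UID form when inside a Binder call: the UID comes from the kernel, a name does not. */
    public static boolean packageSharesOurSignature(Context ctx, String otherPackage) {
        return ctx.getPackageManager().checkSignatures(ctx.getPackageName(), otherPackage)
                == PackageManager.SIGNATURE_MATCH;
    }
}
```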
Applica>on Upgrade
• Applications can register for auto-updates
• Applications should have the same signature
• No additional permissions should be added
• Install location is preserved
System Packages
• Come bundled with ROM
• Have signatureOrSystem Permission
• Cannot be uninstalled
• /system/app
Summary
• Linux process sandbox
• Permission based component interaction
• Permission labels defined in AndroidManifest.xml
• Applications need to be signed
• Signatures define persistence and authorship
• Install time security decisions