Android Security Auditing Slides and projects at samsclass.info.

Slides:

Advertisements

Similar presentations

Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.

Advertisements

Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Informatica: Scienza e Ingegneria Università di Bologna.

Android Tools & Wireless ADB Αντρέας Λύμπουρας Θεόφιλος Φωκάς Ζαχαρίας Χ’’Λάμπρου.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Get android development environment running. Install – Get and install JDK 5 or 6 (see link in the.

The Android Development Environment.  Getting started on the Android Platform  Installing required libraries  Programming Android using the Eclipse.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson.

CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:

Android and Project Structure. Android Android OS – Built on Linux Kernel – Phones – Netbooks – Readers – Other???

Google Android as a mobile development platform T Internet Technologies for Mobile Computing Olli Mäkinen.

This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit

Debugging Android Applications

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

2. Setting Up Your Android Development Environment.

ANDROID PROGRAMMING MODULE 1 – GETTING STARTED

UFCFX5-15-3Mobile Device Development Android Development Environments and Windows.

Setting up the Development Environment Copyright © SUPINFO. All rights reserved Preparation.

Case study 2 Android – Mobile OS.

SEEM4570: XAMPP, Eclipse, Summary of Html Kangfei Zhao Room 711,ERB

Android Security What is out there? Waqar Aziz. Android Market Share - I 2.

Hacking Exposed 7 Network Security Secrets & Solutions

Android Programming. Outline Preparation Create new project Build and Run a project Debug a project Deploy on devices.

Test Automation For Web-Based Applications Portnov Computer School Presenter: Ellie Skobel.

Presentation By Deepak Katta

Android Introduction Platform Overview.

Introduction to Mobile Malware

Chapter 3 Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random access.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

Fundamentals of Networking Discovery 1, Chapter 2 Operating Systems.

Introduction to Android Swapnil Pathak Advanced Malware Analysis Training Series.

All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영

Presented by: Kushal Mehta University of Central Florida Michael Spreitzenbarth, Felix Freiling Friedrich-Alexander- University Erlangen, Germany michael.spreitzenbart,

Android Programming By Mohsen Biglari Android Programming, Part1: Introduction 1 Part1: Introduction By Mohsen Biglari.

Is Your Mobile App Secure. DEF CON 23 Wall of Sheep Sat

Ali Shahrokni Application Components Activities Services Content providers Broadcast receivers.

Computer and Information Sciences

Java Android-8 Imran Shafi. Lecture Contents  Debugging Android Projects  Java/XML Errors  Debugger  Logcat Utility  Android Debug Bridge (adb) 

ANDROID Presented By Mastan Vali.SK. © artesis 2008 | 2 1. Introduction 2. Platform 3. Software development 4. Advantages Main topics.

Section 3.1: Operating Systems Concepts 1. A Computer Model An operating system has to deal with the fact that a computer is made up of a CPU, random.

Android for Java Developers Denver Java Users Group Jan 11, Mike

How to publish your app 1 CS440. Step 1: Remove any debug logging  Good practice: comment out any debug logging  Why? CS440 2.

1 Company Proprietary and ConfidentialThe document name can go here Android OS Security Omar Alaql July 8, 2013 Kent State University Android OS Security.

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

ANDROID BY:-AANCHAL MEHTA MNW-880-2K11. Introduction to Android Open software platform for mobile development A complete stack – OS, Middleware, Applications.

Mobile Application Security on Android Originally presented by Jesse Burns at Black Hat

Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.

Slides and projects at samsclass.info. Adding Trojans to Apps Slides and projects at samsclass.info.

Malicious Software.

CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation.

Wireless and Mobile Security

INTRODUCTION TO JAVA AND ANDROID. Slide 2 Our Ecosystem Java Eclipse Android SDK.

VMM Based Rootkit Detection on Android

Installation of Visual Studio Android emulator and Android Studio

Intoduction to Andriod studio Environment With a hello world program.

Java & The Android Stack: A Security Analysis Pragati Ogal Rai Mobile Technology Evangelist PayPal, eBay Java.

THREATS, VULNERABILITIES IN ANDROID OS BY DNYANADA PRAMOD ARJUNWADKAR AJINKYA THORVE Guided by, Prof. Shambhu Upadhyay.

Android and IOS Permissions Why are they here and what do they want from me?

Accelerometer based motion gestures for mobile devices Presented by – Neel Parikh Advisor Committee members Dr. Chris Pollett Dr. Robert Chun Dr. Mark.

ANDROID ACCESS CONTROL Presented by: Justin Williams Masters of Computer Science Candidate.

Day 1 Session 2. Setup & Installation

Module 51 (Mobile Device Fundamentals - Android)

Mobile Device Development

Mobile Hacking - Fundamentals

Android Mobile Application Development

Android Developer Fundamentals V2

CS-3013 Operating Systems Hugh C. Lauer

Android Platform, Android App Basic Components

Presentation transcript:

Android Security Auditing Slides and projects at samsclass.info

Android is #1 80% market share in 2014 – Link Ch 4a Slides and projects at samsclass.info

Open Source Android itself is open source (Link Ch 4b) But the Google apps included with most Android phones are closed-source Many device manufacturers and carriers modify Android – Closed-source device drivers and apps – Leads to fragmentation: two devices with the same hardware but different carriers can be running very different software – More total sales, many different Android devices Slides and projects at samsclass.info

Fragmentation Updates are essential for security Very big problem for Android – Link Ch 1f Slides and projects at samsclass.info

Android Architecture Slides and projects at samsclass.info

Kernel Permissions Each app has a unique user ID – File ownership based on User ID Can only access the resources and functionality it has explicit permissions for This is "sandboxing" – Apps cannot access resources of other apps – Apps cannot access hardware components they have not been given permission to use Slides and projects at samsclass.info

Viewing Users with ps System processes run as root Slides and projects at samsclass.info

Viewing Users with ps Apps run as u0_a1, u0_a2, etc. Permissions for data directories Slides and projects at samsclass.info

App Signing All apps must be signed to be installed Android allows self-signed certificates – Developers can generate their own signing certificates The only security mechanisms that use signatures are the signature or signatureOrSystem permissions Slides and projects at samsclass.info

SDK (Software Development Kit) Allows developers to build and debug Android apps – Runs on Windows, Mac OS X, or Linux In Dec., 2014, Google released Android Studio – A full IDE (Integrated Development Environment) – Links Ch 4e, 4f Slides and projects at samsclass.info

Android Emulator Helps developers test apps without an actual mobile device Simulates common hardware – ARMv5 CPU – SIM card – Flash memory partitions Slides and projects at samsclass.info

Value of the Emulator Allows developers and researchers to test Android apps quickly in different versions of Android Drawbacks – Android Virtual Device (AVD) cannot send or receive phone calls or SMS messages – But it can emulate them, and send them to other AVDs Can define an HTTP/HTTPS proxy to intercept and manipulate Web traffic Slides and projects at samsclass.info

Android Debug Bridge Command-line tool Allows you to communicate with a mobile device via a USB cable or an SVD running within an emulator Connects to device's daemon running on TCP port 5037 Slides and projects at samsclass.info

Useful ADB Commands push – Copies a file from your computer to the mobile device pull – Copies a file from the mobile device to your computer logcat – Shows logging information on the console – Useful to see if an app or the OS is logging sensitive information Slides and projects at samsclass.info

Useful ADB Commands install – Copies an application package file (APK) to the mobile device and installs the app – Useful for side-loading apps (so you don't have to use Google Play) shell – Starts a remote shell on the mobile device – Allows you to execute arbitrary commands Slides and projects at samsclass.info

Decompiling and Disassembly Slides and projects at samsclass.info

Static Analysis Source code is generally kept confidential by app developers A binary, compiled app can be analyzed by disassembling or decompiling them, into – Smali assembly code (used by Dalvik VM), or – Java code Slides and projects at samsclass.info

Java v. Smali Code Slides and projects at samsclass.info

Building & Signing an App Slides and projects at samsclass.info

Monitoring the Log Slides and projects at samsclass.info

Attacks via Decompiling and Disassembly Insert Trojan code, like keyloggers Find encryption methods & keys Change variables to bypass client-side authentication or input validation Cheat at games Slides and projects at samsclass.info

Link Ch 4z43 Slides and projects at samsclass.info

Decompiling, Disassembly, and Repackaging Countermeasures Every binary can be reverse-engineered – Given enough time and effort Never store secrets on the client-side Never rely on client-side authentication or client-side validation Obfuscate source code – ProGuard (free) or Arxan (commercial) Slides and projects at samsclass.info

DashO – Powerful Obfuscator Slides and projects at samsclass.info

All Strings Concealed BUT it costs $2000 Slides and projects at samsclass.info

Information Leakage via Logs Every app can read the logs, if it requests the android.permission.READ_LOGS permission at install time Some developers don't realize this and put sensitive information into the logs Slides and projects at samsclass.info

Link Ch 4z68 Slides and projects at samsclass.info

Facebook SDK Information Disclosure in the Log Facebook promptly patched it – Link Ch 4z69 Slides and projects at samsclass.info

Facebook SDK Information Disclosure Countermeasures Update Facebook SDK to latest version App developers should not log any sensitive information Slides and projects at samsclass.info

OAuth Authorization Code Grant Type Slides and projects at samsclass.info

OAuth Resource Owner Password Credentials Grant Type App is trusted with credentials, but need not save them It can save the token instead Slides and projects at samsclass.info

Increase in Mobile Malware From link Ch 5a Slides and projects at samsclass.info

Android is #1 Link Ch 5b Slides and projects at samsclass.info

DroidDream (2011) Was primarily distributed by the Google Play store Legitimate apps were repackaged to include DroidDream and then put back in the Play store Slides and projects at samsclass.info

Google's Response Google removed the repackaged apps from the Play Store But 50,000 – 200,000 users were already infected Slides and projects at samsclass.info

Google Application Verification Service Launched in 2012 Tries to detect malicious apps Much less effective than 3 rd -party AV – Link Ch 5e Slides and projects at samsclass.info

Moral: Get Real AV Avast! won in a review from Feb., 2015 – Link Ch 5g There are plenty of others, including – Lookout – AVG – Kaspersky – Norton – McAfee Slides and projects at samsclass.info