Android Security Extensions. Android Security Model Main objective is simplicity Users should not be bothered Does the user care? Most do not care…until.

Slides:



Advertisements
Similar presentations
Operating System Security
Advertisements

Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.
Aurasium: Practical Policy Enforcement for Android Applications
An Example of an Android Security Extension YAASE - Yet Another Android Security Extension.
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.
Machigar Ongtang, Stephen McLaughlin, William Enck, Patrick McDaniel Department of Computer Science and Engineering The Pennsylvania State University ACSCA.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.
Automated Remote Repair for Mobile Malware Yacin Nadji, Jonathon Giffin, Patrick Traynor Georgia Institute of Technology ACSAC’ 11.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson.
The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
Chapter 2 Access Control Fundamentals. Chapter Overview Protection Systems Mandatory Protection Systems Reference Monitors Definition of a Secure Operating.
4/17/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Security of Mobile Applications Vitaly Shmatikov CS 6431.
Term 2, 2011 Week 3. CONTENTS Network security Security threats – Accidental threats – Deliberate threats – Power surge Usernames and passwords Firewalls.
Android Security Enforcement and Refinement. Android Applications --- Example Example of location-sensitive social networking application for mobile phones.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
IOS & Android Security, Hacking and Tweaking Workshop D.Papamartzivanos University Of the Aegean – Info Sec Lab Android Security – Cydia Substrate Dimitris.
CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.
Network Security Essentials Chapter 11 Fourth Edition by William Stallings Lecture slides by Lawrie Brown.
Lei Wu, Michael Grace, Yajin Zhou, Chiachih Wu, Xuxian Jiang Department of Computer Science North Carolina State University CCS 2013.
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones Presented By: Steven Zittrower William Enck ( Penn St) (Duke)
Detecting and Preventing Privilege- Escalation on Android Jiaojiao Fu 1.
Lecture 4 Page 1 CS 236 Online Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Authors: William Enck The Pennsylvania State University Peter Gilbert Duke University Byung-Gon Chun Intel Labs Landon P. Cox Duke University Jaeyeon Jung.
All Your Droid Are Belong To Us: A Survey of Current Android Attacks 단국대학교 컴퓨터 보안 및 OS 연구실 김낙영
Software Architecture of Android Yaodong Bi, Ph.D. Department of Computing Sciences University of Scranton.
Wireless Network Security. What is a Wireless Network Wireless networks serve as the transport mechanism between devices and among devices and the traditional.
Switch off your Mobiles Phones or Change Profile to Silent Mode.
A Presentation Of TaintDroid & Related Topics
An Inside Look at Mobile Security Android & iOS Zachary Hance & Andrew Phifer Dr Harold Grossman.
University of Central Florida TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones Written by Enck, Gilbert,
2011/12/20 1 Tongbo Luo, Hao Hao, Wenliang Du, Yifei Wang, and Heng Yin Syracuse University ACSAC 2011.
ADV. NETWORK SECURITY CODY WATSON What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protections of External Resources.
Enforcing Cyber security in Mobile Applications – Public Sector Use Case SAPHINA MCHOME, VIOLA RUKIZA TANZANIA REVENUE AUTHORITY INFORMATION AND COMMUNICATION.
Mobile Application Security on Android Originally presented by Jesse Burns at Black Hat
IT Security. What is Information Security? Information security describes efforts to protect computer and non computer equipment, facilities, data, and.
Android System Security Xinming Ou. Android System Basics An open-source operating system for mobile devices (AOSP, led by Google) – Consists of a base.
Protecting Browsers from Extension Vulnerabilities Paper by: Adam Barth, Adrienne Porter Felt, Prateek Saxena at University of California, Berkeley and.
Computer System and Internet Misuse at the Work Place By: Kris Dimon.
Academic Year 2014 Spring Academic Year 2014 Spring.
MobileSecurity Vulnerability Assessment Tools for the Enterprise Mobile Security Vulnerability Assessment Tools for the Enterprise Integrating Mobile/BYOD.
Information Systems Unit 3.
Android Permissions Demystified
Trusted Operating Systems
Dilip Dwarakanath.  The topic I’m about to present was taken from a paper titled “Apple iOS 4 Security Evaluation” written by Dino A Dai Zovi.  Dino.
Dynamic Vetting Android Applications for Privilege-escalation Risks Jiaojiao Fu 1.
CRePE: Context-Related Policy Enforcement for Android Mauro Conti, Vu Thien Nga Nguyen and Bruno Crispo Proceedings of the 13 th International Conference.
Challenges.
PREPARED BY: MS. ANGELA R.ICO & MS. AILEEN E. QUITNO (MSE-COE) COURSE TITLE: OPERATING SYSTEM PROF. GISELA MAY A. ALBANO PREPARED BY: MS. ANGELA R.ICO.
DeepDroid Dynamically Enforcing Enterprise Policy Manwoong (Andy) Choi
What’s in Your Dongle and Bank Account? Mandatory and Discretionary Protection of Android External Resources Literature by S. Demetriou et al. Presented.
ANDROID ACCESS CONTROL Presented by: Justin Williams Masters of Computer Science Candidate.
Android Access Control
Android System Security
TaintART: A Practical Multi-level Information-Flow Tracking System for Android RunTime Sadiq Basha.
Determined Human Adversaries: Mitigations
Methodologies for Data Preservation in IoT Platform
How to Mitigate the Consequences What are the Countermeasures?
Overview of Database Security
Understanding Android Security
Determined Human Adversaries: Mitigations
Chapter 10. Mobile Device Security
Android Access Control
Presentation transcript:

Android Security Extensions

Android Security Model Main objective is simplicity Users should not be bothered Does the user care? Most do not care…until its too late But We do It needs a more advanced security mechanism

Who is in charge of Security? It depends on the device use Personal use: then the user is in charge Work use: the security admin of the company BYOD: both The user for the private/personal part The security admin for the work part Google: they are in charge They control the platform The App developers Not as much as you think

Able to change your mind? The authority that is in charge should be allowed to change security policies/settings This should be done By using the device Remotely No side effects on the apps installed With the current model it is not possible Most apps crash when operations are denied

Defining Malware Any software that can disrupt normal activities Any software that does not behave as declared Any software that compromises some properties Privacy Confidentiality Reliability …

Poorly Designed Apps If not designed properly, apps can (unintentionally): Deplete your resources (battery, data, etc.) Expose resources (internet, location, etc.)

Over-Privileged Apps Apps (developers) can ask for any combination of permissions Users can either install the apps (granting permissions) or not install at all Combinations of permissions such as Internet and Locations SMS Local Storage Can result in information leakage

Privilege Escalation Attacks “An adversary tries to escalate privileges to get unauthorised access to protected resources” Confused deputy attack Leverage the vulnerability of a benign application Colluding attacks More applications collaborate to get an objectionable set of permissions Android does not deal with transitive privilege usage Allows applications to bypass restrictions imposed by their sandboxes An application with less permissions (a non-privileged caller) is not restricted to access components of a more privileged application (a privileged callee) by default.

Privilege Escalation Attacks Data from component CA1 can reach component CC1 indirectly, via the CB1 component CB1 is able to access CC1 component since the application B and consequently all its components are granted p1 permission

Privilege Escalation Attacks Application B must enforce additional checks on permissions to ensure that the application calling CB1 component is granted a permission p1 Reference monitor hooks included in the code of the component The task to perform these checks is delegated to application developers instead of being enforced by the system in a centralized way

Android Security Extensions

Fine-grained Security Policy Saint (ACSAC ‘09) Allows app developers to protect their applications from being misused APEX (ASIACCS ‘10) Circumvent the All-or-Nothing approach of Android permission granting Porscha (ACSAC ‘10) Support for DRM-like policies for phone data CRePE (ISC ’10) Enforcement of context-related policies

Data Filtering and Tainting MockDroid (HotMobile ‘11) Limiting the access to the data TISSA (Trust ‘11) Substituting the reply from content providers TaintDroid (OSDI ’10) Labelling of data for preventing data leakage

Protection against Privilege Escalation QUIRE (USENIX Security Symposium ‘11) Effective against confused deputy attacks Tracing of IPC chain to check if all apps have the right to access a resource However It requires that apps have to use modified API It does not solve the problem of colluding apps

Protection against Privilege Escalation AppFence (TR 11 Uni Washington and MS Research) Based on TaintDroid for taint capability It supports data shadowing and protects from data exfiltration However Effective only against confused deputy attack

Protection against Privilege Escalation XManDroid (TR 11) Real-time IPC monitoring System state of the app communications for potential spread of privileges However No control outside the IPC channels (i.e. Internet access)

What is missing? No modifications to Android API No trust on apps Control over IPC and system-level calls (internet) Data filtering capabilities Tuneable

That is why they came up with …Yet Another Android Security Extension

Readings Davi, Lucas, et al. "Privilege escalation attacks on android." Information Security. Springer Berlin Heidelberg,

Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.