A Comparison of Android and iOS Security Models
Trevor L. Buttrey Computer and Information Sciences
Reasons for Concern
- Smartphones are advancing technologically
- They have become popular
- People are growing more dependent upon them
- Their size makes them easy to lose
- Security problems are becoming more of an issue as users store more and more personal information on them
Unsecured Devices Allow
- Access to email and social networking accounts
- Access to personal messages
- Access to the phone book
- Access to phone accounts
- Access to personal and confidential information
- Access to bank accounts
- Access to mobile payments
- Access to web accounts
- Access to passwords
- Knowledge of the owner's location
The 5 Security Pillars
1. Traditional Access Control
2. Permissions-based Access Control
3. Encryption
4. Application Provenance
5. Isolation
Traditional Access Controls
Traditional Access Control
iOS
- Password and passcode locking mechanisms
- Touch ID
- Device self-wipe: optional erasure of all data after ten consecutive failed passcode attempts
- Internal storage is not accessible until the device is unlocked
- Memory is soldered to the PCB, so the storage cannot simply be removed and read on another machine
Traditional Access Control
Android
- Starting with 2.x: password, PIN, and pattern locking; 4.0 (Ice Cream Sandwich) introduced Face Unlock
- Other locking methods include fingerprint readers and picture-based locks (vendor-specific)
- Internal storage is not accessible until the device is unlocked
- The SD card is removable, so anything stored on it unencrypted can be read on another machine
Data Encryption
Data Encryption: iOS (old)
Bi-level encryption:
- 1st layer encrypts the whole disk. Its key is always in memory, because background apps need it to run (imperfect: this protects against reading the flash chips directly, not against code running on the booted device)
- 2nd layer (Data Protection) encrypts email, attachments and other data if an app requests it (AES-256)
Data Encryption: iOS
Hierarchy of encryption keys:
- Passcode key: derived from the user's passcode and tangled with the device UID, so it can only be computed on the device itself
- Hardware keys: Unique ID (UID) and device group ID (GID), AES 256-bit keys fused into the hardware and not directly accessible (only the AES engine can use them)
- File system key: generated randomly and stored in flash memory; used to encrypt file metadata
- Per-file key: encrypts the contents of the file on disk; it is itself wrapped by the class key of the file's Data Protection class
Data Encryption: iOS Encryption Classes
- Complete Protection: decryptable only when the device is unlocked; unusable when locked (the class key is evicted from memory shortly after lock)
- Protected Unless Open: uses asymmetric elliptic-curve cryptography (it's complicated; detail follows)
- Protected Until First User Authentication: similar to full-disk encryption; the class key stays in memory once the user has unlocked after boot
- No Protection: protected only by the UID

Protected Unless Open in detail: the class owns a public/private key pair. To write a file while the device is locked, the system generates a per-file key and a per-file ephemeral key pair, derives a shared secret from the ephemeral private key and the class public key, and wraps the per-file key with that secret; the ephemeral public key is stored alongside the wrapped key. Opening the file later requires the class private key (available only after unlock) together with the stored ephemeral public key, which re-derive the same secret and unwrap the per-file key.
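Worked example of the Protected Unless Open mechanism just described, written for this page; it is not code from the presentation or from Apple. It also models the key hierarchy of the previous slide: a passcode key tangled with a UID stand-in (a constructed constant, since a real UID is never readable), a class key pair whose private half is wrapped under that passcode key, and a per-file key wrapped under a secret agreed between a per-file ephemeral X25519 key and the class public key. The HMAC-based KDF, the AES-GCM wrapping and the sample message are assumptions of this example; Apple's exact derivations are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed UID stand-in: on a real device it is fused into the AES engine and never readable.
var deviceUID = []byte("constructed-UID-stand-in")

// kdf derives a 32-byte key with HMAC-SHA256 (one-step HKDF-style; assumed, not Apple's derivation).
func kdf(secret, salt, info []byte) []byte {
	prk := hmac.New(sha256.New, salt)
	prk.Write(secret)
	out := hmac.New(sha256.New, prk.Sum(nil))
	out.Write(info)
	return out.Sum(nil)
}

// passcodeKey tangles the passcode with the UID, so guessing has to run on the device that holds it.
func passcodeKey(passcode string) []byte {
	return kdf([]byte(passcode), deviceUID, []byte("passcode"))
}

// seal/open wrap a secret under a 32-byte key with AES-256-GCM (stand-in for iOS key wrapping).
func seal(kek, plaintext []byte) []byte {
	blk, err := aes.NewCipher(kek)
	if err != nil { panic(err) }
	gcm, _ := cipher.NewGCM(blk)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(kek, blob []byte) ([]byte, error) {
	blk, err := aes.NewCipher(kek)
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(blk)
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// PUOClass: the public half is always usable; the private half stays wrapped under the
// passcode key until the user unlocks.
type PUOClass struct{ Pub *ecdh.PublicKey; WrappedPriv []byte }

func NewPUOClass(pk []byte) (*PUOClass, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &PUOClass{Pub: priv.PublicKey(), WrappedPriv: seal(pk, priv.Bytes())}, nil
}

// FileMeta is stored beside the file: the ephemeral public key and the wrapped per-file key.
type FileMeta struct{ EphemeralPub, WrappedKey []byte }

// ProtectWhileLocked creates a file using only the class public key (no passcode needed).
func ProtectWhileLocked(cls *PUOClass, contents []byte) ([]byte, FileMeta, error) {
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil { return nil, FileMeta{}, err }
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, FileMeta{}, err }
	shared, err := eph.ECDH(cls.Pub) // one-pass Diffie-Hellman against the class key
	if err != nil { return nil, FileMeta{}, err }
	ephPub := eph.PublicKey().Bytes()
	kek := kdf(shared, ephPub, []byte("puo-file-key"))
	return seal(fileKey, contents), FileMeta{ephPub, seal(kek, fileKey)}, nil
}

// OpenAfterUnlock needs the class private key, hence the right passcode key.
func OpenAfterUnlock(cls *PUOClass, pk, ciphertext []byte, meta FileMeta) ([]byte, error) {
	privBytes, err := open(pk, cls.WrappedPriv)
	if err != nil { return nil, fmt.Errorf("class private key stays wrapped: locked or wrong passcode") }
	priv, err := ecdh.X25519().NewPrivateKey(privBytes)
	if err != nil { return nil, err }
	ephPub, err := ecdh.X25519().NewPublicKey(meta.EphemeralPub)
	if err != nil { return nil, err }
	shared, err := priv.ECDH(ephPub) // same secret as at write time
	if err != nil { return nil, err }
	fileKey, err := open(kdf(shared, meta.EphemeralPub, []byte("puo-file-key")), meta.WrappedKey)
	if err != nil { return nil, err }
	return open(fileKey, ciphertext)
}

// Demo returns (readableAfterUnlock, wrongPasscodeRejected).
func Demo() (bool, bool) {
	pk := passcodeKey("1234")
	cls, _ := NewPUOClass(pk)
	msg := []byte("constructed sample: mail fetched while the phone was locked")
	ct, meta, _ := ProtectWhileLocked(cls, msg)
	got, err := OpenAfterUnlock(cls, pk, ct, meta)
	_, wrongErr := OpenAfterUnlock(cls, passcodeKey("0000"), ct, meta)
	return err == nil && bytes.Equal(got, msg), wrongErr != nil
}

func main() { fmt.Println(Demo()) } // true true
```

Run with `go run` on Go 1.20 or later (crypto/ecdh). The point to notice is that ProtectWhileLocked never touches the passcode key or the class private key: a background mail fetch can land on disk while the phone is in a pocket, yet nothing written that way can be read back until the passcode unwraps the class private key.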
Data Encryption: iOS Effaceable Storage
- Low-level access to a region of the flash so that a key can be securely wiped rather than merely overwritten at the filesystem level
- Used to erase the file system key; without it the file metadata, and so every file, is unreadable, which is how a remote or local wipe completes almost instantly
Data Encryption: iOS Secure Enclave
- Securely processes the fingerprint data from Touch ID
- Separate from the application processor and not directly accessible to the OS
- When Touch ID is enabled, the Complete Protection class keys are not discarded on lock but wrapped with a key held by the Secure Enclave, which releases them when a fingerprint matches
Data Encryption: Android
- Some data encryption present
- Android 3.x "Honeycomb" and above support full filesystem encryption of the userdata partition via dm-crypt (AES-128 CBC with ESSIV:SHA256 IVs); the randomly generated master key is protected by a key derived from the lock-screen PIN or password
- SD card encryption is not supported on any version in AOSP; device manufacturers can implement it themselves
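An added example, written for this page and not taken from the presentation or from AOSP, of the aes-cbc-essiv:sha256 mode named above. It shows why Android's dm-crypt setup uses ESSIV rather than the plain sector number as IV: with a predictable IV, an attacker who can get chosen data written to known sectors (a downloaded file, say) can plant a recognisable pattern in the ciphertext without knowing the key. The data key, sector numbers and contents are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const sectorSize = 512

// Constructed 128-bit data key; on a device this is the random master key kept
// wrapped under the lock-screen credential.
var dataKey = []byte("0123456789abcdef")

// plainIV is the naive IV: the little-endian sector number, predictable by anyone.
func plainIV(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	return iv
}

// essivIV implements ESSIV:SHA256: the sector number encrypted under a secondary key
// obtained by hashing the data key. SHA-256 yields 32 bytes, so the IV generator runs
// AES-256 even though the data cipher is AES-128. Without the key the IVs are unpredictable.
func essivIV(key []byte, sector uint64) []byte {
	ivKey := sha256.Sum256(key)
	blk, err := aes.NewCipher(ivKey[:])
	if err != nil {
		panic(err)
	}
	iv := plainIV(sector)
	blk.Encrypt(iv, iv)
	return iv
}

// cbcSector encrypts or decrypts one 512-byte sector with AES-CBC under the given IV.
func cbcSector(key, iv, in []byte, encrypt bool) []byte {
	if len(in) != sectorSize {
		panic("sector must be exactly 512 bytes")
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, sectorSize)
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out
}

// Roundtrip checks that a sector encrypted with ESSIV decrypts back to itself.
func Roundtrip() bool {
	pt := bytes.Repeat([]byte("userdata"), sectorSize/8)
	ct := cbcSector(dataKey, essivIV(dataKey, 7), pt, true)
	return bytes.Equal(cbcSector(dataKey, essivIV(dataKey, 7), ct, false), pt)
}

// WatermarkCollides demonstrates the attack that plain IVs allow. In CBC the first
// ciphertext block is E(P0 XOR IV). Knowing IV2 and IV3, the attacker writes
// P3[0] = P2[0] XOR IV2 XOR IV3 into sector 3, so sectors 2 and 3 start with the same
// ciphertext block: a visible mark on the encrypted disk, made without any key.
// With ESSIV the IVs depend on the key, so the crafted relation no longer holds.
func WatermarkCollides(useESSIV bool) bool {
	s2 := make([]byte, sectorSize)
	s3 := make([]byte, sectorSize)
	copy(s2, "watermark block!") // exactly one 16-byte AES block
	iv2, iv3 := plainIV(2), plainIV(3)
	for i := 0; i < aes.BlockSize; i++ {
		s3[i] = s2[i] ^ iv2[i] ^ iv3[i]
	}
	if useESSIV {
		iv2, iv3 = essivIV(dataKey, 2), essivIV(dataKey, 3)
	}
	c2 := cbcSector(dataKey, iv2, s2, true)
	c3 := cbcSector(dataKey, iv3, s3, true)
	return bytes.Equal(c2[:aes.BlockSize], c3[:aes.BlockSize])
}

func main() {
	fmt.Println("roundtrip ok:", Roundtrip())
	fmt.Println("plain IV collision:", WatermarkCollides(false)) // true
	fmt.Println("ESSIV collision:   ", WatermarkCollides(true))  // false
}
```

The same construction is what `cryptsetup` selects with `--cipher aes-cbc-essiv:sha256`; the example only reimplements the IV derivation so the difference between the two IV modes can be seen on a pair of sectors.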
Data Encryption: Android, Samsung Knox
- Brings Android closer to iOS
- Supports AES-256 encryption of internal storage and SD cards
Permissions-based Access Control
Permissions-based Access Control
- After an app is installed, it has access to every resource it has been permitted on that device
- It can perform any kind of malicious operation using the permissions it was granted
Permissions-based Access Control
iOS
- Each app is given a fixed set of permissions by iOS itself
- By installing the app, the user has implicitly granted it access to every resource in that set
- Apps can use most resources without asking for additional permission, so they may access things they do not need
- No per-resource consent from the user is required (in the iOS versions compared here; later releases added runtime prompts for resources such as contacts, photos and the microphone)
Permissions-based Access Control
Android
- Follows a capability-based security model
- The app must declare the specific permissions it needs before it can use them
- The user sees what is being requested and must grant it before the app is installed (an install-time grant in the versions compared here; Android 6.0 later moved dangerous permissions to runtime prompts)
- Once the app has been granted a permission, it could perform malicious activity within the scope of that permission
Permissions-based Access Control
Android vs. iOS
- Android allows apps more access to the system than iOS does
- Android grants only the permissions an app explicitly requested, while apps installed on iOS can perform any operation the OS allows to every app
Default App Permissions: Android vs. iOS
Resources the slide lists as available to apps without asking (the original slide splits these between an Android column and an iOS column):
Internet, Phone Number, YouTube History, Read SD Card, Address Book, Music/Video Files, WiFi Connection Logs, List of Installed Apps, Calendar, Safari Search History, Mic and Video Camera, Launch An Installed App, Device UID, Auto-Complete
Requestable App Permissions: Android vs. iOS
Resources the slide lists as requestable by apps (again split between an Android column and an iOS column on the original slide):
Location (GPS), Prevent Phone From Sleeping, Fine Location (GPS), Coarse Location (Network), Internet, Push Notifications, Record Audio, SMS/MMS Send/Receive, Calendar, Address Book, Make Phone Call, Manage Accounts, Music/Video/Picture, SD Read/Write, Make and Terminate Calls, Send SMS/MMS, Control NFC, Access Device Logs, Obtain Task List, Make Bluetooth Connections
Which is Legitimate?
AndroidOS.FakePlayer vs. a legitimate video player: the slide compares the two. FakePlayer was a trojan posing as a media player whose real function was sending SMS to premium-rate numbers; the tell is in the permissions it requests, not in how the app looks.
Application Provenance
Application Provenance
iOS
- Robust signing system: Apple issues a signing certificate only to developers who register ($100 per year), so every app is traceable to an identified account
- Thorough analysis of apps before they reach the App Store; review takes weeks
Application Provenance
Android
- Not a robust signing system: developers sign with self-generated, anonymous certificates, with no oversight from Google
- This allows legitimate applications to be repackaged after adding malware
- The repackaged copy is not signed with the original developer's key, but it is still signed, and can be distributed on the web
- The platform does require that an update to an installed app be signed with the same key as the installed version, so a repackaged copy cannot silently replace the original; it has to be installed as a separate app or side-loaded fresh
Isolation
Programming
- iOS: all apps are native code, written in Objective-C or Swift
- Android: apps run in the Dalvik VM, but Android does not rely on the VM as its main form of isolation, because not all code runs inside it; apps can ship native code, and most web browsers use significant amounts of native code
Isolation: iOS
- Sandboxed: each app has its own home directory
- Must use the provided APIs to access or modify system settings
- Cannot communicate with other apps directly
- Nothing runs as root except the kernel
Isolation: iOS Declared Entitlements
- Digitally signed as part of the app, so they cannot be changed after signing
- Allow extra permissions for specific apps
- An alternative to running as root
Isolation: Android Sandboxing
- Uses the native Linux user-based permissions model
- Each app runs as its own Linux user, so the kernel's discretionary access control keeps apps' processes and files apart
- Secured by the Linux kernel itself, not by the VM
Isolation: Android, Samsung Knox
- Further separates applications into a container
- Restricts access to Android APIs: a reduced API set is exposed inside the container
- Allows data into the container, but not out of it
Jailbreaking, Rooting, and Exploits
Jailbreaking, Rooting, and Exploits
- iOS jailbreaking: uses exploits (buffer overflows among other things) to allow unsigned code to run
- Android rooting: uses exploits (usually buffer overflows) to install a su binary (usually harder than it sounds), so that apps can run with elevated privileges
Jailbreaking, Rooting, and Exploits
The point: although these exploits are usually used for the user's benefit, their existence represents flaws in the OS that can equally be leveraged by malicious apps.
Jailbreaking and Rooting
Advantages:
- The (hacking) community can push out patches for other exploits faster than the manufacturers (e.g. the community patch for the PDF font-parsing bug used by the JailbreakMe jailbreak shipped before Apple's fix)
- Finer control over the system
Jailbreaking and Rooting
Disadvantages:
- May introduce security vulnerabilities
- May "brick" the device
- May void the warranty
After running the exploits, the device may become vulnerable in other ways (iPhone.Ikee: a 2009 worm that spread between jailbroken iPhones on which OpenSSH had been installed and the default root password left unchanged).
Summary
- Both have strong isolation
- iOS's permission system is static, but the vetting process makes it harder for apps to abuse it; Android's permission system is flexible, but requires user vigilance
- Both have strong traditional access controls
- Both have encryption on recent versions; however, Android 2.x has none, and the 3.x+ full-disk encryption pales compared to iOS's per-file Data Protection
- Apple has a stronger vetting process, but app updates take longer; Android has a weaker vetting process, but updates get pushed out almost immediately
xkcd.com