Presentation is loading. Please wait.

Presentation is loading. Please wait.

Android Security Auditing Slides and projects at samsclass.info.

Published byImogen Webb Modified over 8 years ago

Similar presentations

Presentation on theme: "Android Security Auditing Slides and projects at samsclass.info."— Presentation transcript:

1 Android Security Auditing Slides and projects at samsclass.info

2 Android is #1 80% market share in 2014 – Link Ch 4a Slides and projects at samsclass.info

3 Open Source Android itself is open source (Link Ch 4b) But the Google apps included with most Android phones are closed-source Many device manufacturers and carriers modify Android – Closed-source device drivers and apps – Leads to fragmentation: two devices with the same hardware but different carriers can be running very different software – More total sales, many different Android devices Slides and projects at samsclass.info

4 Fragmentation Updates are essential for security Very big problem for Android – Link Ch 1f Slides and projects at samsclass.info

5 Android Architecture Slides and projects at samsclass.info

6 Kernel Permissions Each app has a unique user ID – File ownership based on User ID Can only access the resources and functionality it has explicit permissions for This is "sandboxing" – Apps cannot access resources of other apps – Apps cannot access hardware components they have not been given permission to use Slides and projects at samsclass.info

7 Viewing Users with ps System processes run as root Slides and projects at samsclass.info

8 Viewing Users with ps Apps run as u0_a1, u0_a2, etc. Permissions for data directories Slides and projects at samsclass.info

9 App Signing All apps must be signed to be installed Android allows self-signed certificates – Developers can generate their own signing certificates The only security mechanisms that use signatures are the signature or signatureOrSystem permissions Slides and projects at samsclass.info

10 SDK (Software Development Kit) Allows developers to build and debug Android apps – Runs on Windows, Mac OS X, or Linux In Dec., 2014, Google released Android Studio – A full IDE (Integrated Development Environment) – Links Ch 4e, 4f Slides and projects at samsclass.info

11 Android Emulator Helps developers test apps without an actual mobile device Simulates common hardware – ARMv5 CPU – SIM card – Flash memory partitions Slides and projects at samsclass.info

12 Value of the Emulator Allows developers and researchers to test Android apps quickly in different versions of Android Drawbacks – Android Virtual Device (AVD) cannot send or receive phone calls or SMS messages – But it can emulate them, and send them to other AVDs Can define an HTTP/HTTPS proxy to intercept and manipulate Web traffic Slides and projects at samsclass.info

13 Android Debug Bridge Command-line tool Allows you to communicate with a mobile device via a USB cable or an SVD running within an emulator Connects to device's daemon running on TCP port 5037 Slides and projects at samsclass.info

14 Useful ADB Commands push – Copies a file from your computer to the mobile device pull – Copies a file from the mobile device to your computer logcat – Shows logging information on the console – Useful to see if an app or the OS is logging sensitive information Slides and projects at samsclass.info

15 Useful ADB Commands install – Copies an application package file (APK) to the mobile device and installs the app – Useful for side-loading apps (so you don't have to use Google Play) shell – Starts a remote shell on the mobile device – Allows you to execute arbitrary commands Slides and projects at samsclass.info

16 Decompiling and Disassembly Slides and projects at samsclass.info

17 Static Analysis Source code is generally kept confidential by app developers A binary, compiled app can be analyzed by disassembling or decompiling them, into – Smali assembly code (used by Dalvik VM), or – Java code Slides and projects at samsclass.info

18

19 Java v. Smali Code Slides and projects at samsclass.info

20 Building & Signing an App Slides and projects at samsclass.info

21 Monitoring the Log Slides and projects at samsclass.info

22 Attacks via Decompiling and Disassembly Insert Trojan code, like keyloggers Find encryption methods & keys Change variables to bypass client-side authentication or input validation Cheat at games Slides and projects at samsclass.info

23 Link Ch 4z43 Slides and projects at samsclass.info

24 Decompiling, Disassembly, and Repackaging Countermeasures Every binary can be reverse-engineered – Given enough time and effort Never store secrets on the client-side Never rely on client-side authentication or client-side validation Obfuscate source code – ProGuard (free) or Arxan (commercial) Slides and projects at samsclass.info

25 DashO – Powerful Obfuscator Slides and projects at samsclass.info

26 All Strings Concealed BUT it costs $2000 Slides and projects at samsclass.info

27 Information Leakage via Logs Every app can read the logs, if it requests the android.permission.READ_LOGS permission at install time Some developers don't realize this and put sensitive information into the logs Slides and projects at samsclass.info

28 Link Ch 4z68 Slides and projects at samsclass.info

29 Facebook SDK Information Disclosure in the Log Facebook promptly patched it – Link Ch 4z69 Slides and projects at samsclass.info

30 Facebook SDK Information Disclosure Countermeasures Update Facebook SDK to latest version App developers should not log any sensitive information Slides and projects at samsclass.info

31

32 OAuth Authorization Code Grant Type Slides and projects at samsclass.info

33 OAuth Resource Owner Password Credentials Grant Type App is trusted with credentials, but need not save them It can save the token instead Slides and projects at samsclass.info

34 Increase in Mobile Malware From link Ch 5a Slides and projects at samsclass.info

35 Android is #1 Link Ch 5b Slides and projects at samsclass.info

36

37

38

39

40 DroidDream (2011) Was primarily distributed by the Google Play store Legitimate apps were repackaged to include DroidDream and then put back in the Play store Slides and projects at samsclass.info

41 Google's Response Google removed the repackaged apps from the Play Store But 50,000 – 200,000 users were already infected Slides and projects at samsclass.info

42 Google Application Verification Service Launched in 2012 Tries to detect malicious apps Much less effective than 3 rd -party AV – Link Ch 5e Slides and projects at samsclass.info

43 Moral: Get Real AV Avast! won in a review from Feb., 2015 – Link Ch 5g There are plenty of others, including – Lookout – AVG – Kaspersky – Norton – McAfee Slides and projects at samsclass.info

Download ppt "Android Security Auditing Slides and projects at samsclass.info."

Similar presentations

Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.

Aurasium: Practical Policy Enforcement for Android Applications By Yaoqi USENIX Security Symposium 2012.
Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Informatica: Scienza e Ingegneria Università di Bologna.

Programming with Android: SDK install and initial setup Luca Bedogni Marco Di Felice Dipartimento di Informatica: Scienza e Ingegneria Università di Bologna.
Android Tools & Wireless ADB Αντρέας Λύμπουρας Θεόφιλος Φωκάς Ζαχαρίας Χ’’Λάμπρου.

Android Tools & Wireless ADB Αντρέας Λύμπουρας Θεόφιλος Φωκάς Ζαχαρίας Χ’’Λάμπρου.
Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.

Securing. Agenda  Hard Drive Encryption  User Account Permissions  Root Level Access  Firewall Protection  Malware Protection.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson Presented By: Rajat Khandelwal – 2009CS10209 Parikshit.
Get android development environment running. Install – Get and install JDK 5 or 6 (see link in the.

Get android development environment running. Install – Get and install JDK 5 or 6 (see link in the.
The Android Development Environment.  Getting started on the Android Platform  Installing required libraries  Programming Android using the Eclipse.

The Android Development Environment.  Getting started on the Android Platform  Installing required libraries  Programming Android using the Eclipse.
Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson.

Aurasium: Practical Policy Enforcement for Android Applications R. Xu, H. Saidi and R. Anderson.
CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:

CSCD 303 Essential Computer Security Fall 2010 Lecture 4 - Desktop Security Reading:
Android and Project Structure. Android Android OS – Built on Linux Kernel – Phones – Netbooks – Readers – Other???

Android and Project Structure. Android Android OS – Built on Linux Kernel – Phones – Netbooks – Readers – Other???
Google Android as a mobile development platform T-110.7111 Internet Technologies for Mobile Computing Olli Mäkinen.

Google Android as a mobile development platform T Internet Technologies for Mobile Computing Olli Mäkinen.
This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit

This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit
Debugging Android Applications

Debugging Android Applications
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
2. Setting Up Your Android Development Environment.

2. Setting Up Your Android Development Environment.
ANDROID PROGRAMMING MODULE 1 – GETTING STARTED

ANDROID PROGRAMMING MODULE 1 – GETTING STARTED
UFCFX5-15-3Mobile Device Development Android Development Environments and Windows.

UFCFX5-15-3Mobile Device Development Android Development Environments and Windows.
Setting up the Development Environment www.supinfo.com Copyright © SUPINFO. All rights reserved Preparation.

Setting up the Development Environment Copyright © SUPINFO. All rights reserved Preparation.
Case study 2 Android – Mobile OS.

Case study 2 Android – Mobile OS.
SEEM4570: XAMPP, Eclipse, Summary of Html Kangfei Zhao Room 711,ERB

SEEM4570: XAMPP, Eclipse, Summary of Html Kangfei Zhao Room 711,ERB

Similar presentations

Ads by Google