Android Security What is out there? - PowerPoint PPT Presentation

About This Presentation
Title:

Android Security What is out there?

Description:

Android Security What is out there? Waqar Aziz Android Market Share - I * Android Market Share - II * Android Market Share - III * Android App Market Security Model ... – PowerPoint PPT presentation

Number of Views:190
Avg rating:3.0/5.0
Slides: 22
Provided by: Waqar1
Category:

less

Transcript and Presenter's Notes

Title: Android Security What is out there?


1
Android SecurityWhat is out there?
  • Waqar Aziz

2
Android Market Share - I
3
Android Market Share - II
4
Android Market Share - III
5
Android App Market Security Model
  • No formal application screening process.
  • Any developer can upload an application.
  • Android Market relies on community to identify
    and flag
  • Malfunctioning applications
  • Malicious applications
  • Inherently, early adopters suffer if the
    application is malicious.
  • Note Unlike iPhone, Android application can be
    directly downloaded and installed from a third
    party as well.

6
Phishing App Example
  • Bank Phishing application
  • Advertised to do banking activities from phone.
  • User to give account information and credentials
    for the app to facilitate banking activities.
  • In reality the app did only the following
  • Open the banking website in phones browser.
    Thats it!!
  • A number of users were scammed before the
    application was taken out from Android Market.

7
Android Market Statistics
  • About 20 of 48,000 apps in Android Marketplace
    allow a third-party application access to
    sensitive or private information.
  • 5 apps can place calls to any number without
    user interaction.
  • 2 apps can send text messages without user
    interaction.
  • 29 apps require the exact same permissions as
    applications that are known to be spyware.
  • 383 apps have the ability to read and use the
    authentication credentials from another app or
    service.

8
Android Security Apps - I
  • Both apps are developed by Pittsburgh based
    security researcher and hacker who goes by Moxie
    Marlinspike.
  • RedPhone
  • Uses ZRTP, Internet voice cryptography scheme.
  • It uses two users keys to create a passphrase,
    which is later displayed at both ends for users
    to verify.
  • SecureText
  • Encrypted text messages.
  • Both apps generate a new key for every
    communication session.

9
Android Security Apps II
  • OI Safe
  • It saves password and other private data with AES
    encryption.
  • No information is kept online.
  • It works with OI Notepad to encrypt notes, and
    with Obscura to encrypt pictures.
  • Other apps for content encryption
  • B-folder sync
  • Secrets-for-android

10
Android Manifest - I
  • Android Manifest does the following
  • Declares applications components
  • Identifies any permissions that the application
    expects to be granted
  • Access the Internet, read phone contacts, access
    sensors, etc.
  • Thus, what an application can and cannot do is
    constrained by the total set of permissions that
    can be granted in a Manifest file.
  • Currently, almost all user content and private
    data can be accessed from phones internal phone
    and SD card.
  • However, no permission can be granted to do
    anything on system level except for accessing
    some small number of settings.

11
Android Manifest - II
12
Anti-malware Apps - I
  • Smobile Security Shield
  • It does permission-based malware detection.
  • Scans manifest files of apps installed on phone,
    and flags them based on suspicious manifest
    permissions.
  • Maintains a database of manifest files of all
    apps on Android Market other 3rd party sources.
  • Scans application signatures.
  • Maintains a database of application signatures.

13
Anti-malware Apps - II
  • WaveSecure
  • Remotely wipes out all user data.
  • Tracks and locates the phone.
  • Lock the phone as soon as SIM change is detected.
  • Protection again application uninstallation.
  • Backs up and restores private data SMS,
    contacts, etc.
  • Other similar apps
  • Mobile Defense

14
What you see is what they get - I
  • Googles Android OS grants access to sensors
    such as cameras and audio inputs only if their
    use is disclosed at installation time. At
    installation time, a user may not understand an
    application well enough to determine why it would
    need sensor data or guage its trustworthiness
  • iPhone instead uses standardized OS interface
    to prompt the user user to approve access

15
What you see is what they get - II
  • Sensor-access widget
  • When an application requests access to a sensor,
    runtime environment overlays a GUI widget on a
    portion of the screen, such as status bar, to
    notify user of a sensor access.

16
What you see is what they get - III
  • SWAAID (Show Widget and Allow After Input
    Delay)
  • Turn sensors from passive into active input
    devices.
  • User intervention is required before sensor
    access.
  • User can also enable access without any
    intervention for a while.
  • Then the waiting period (or delay) is intended to
    give the user sufficient time to notice and
    respond to the sensor access.
  • _
  • _

17
I am allowing what?
  • A paper on Application Authority Disclosure by
    Microsoft Research
  • the great majority of participants preferred
    designs that used images or icons to represent
    resources. This great majority also disliked
    designs that used paragraphs, the central design
    element of Facebooks disclosures, and outlines,
    the central design element of Androids
    disclosures.

18
Rooting Android
  • Rooting Android Gaining root access to Android
    operating system.
  • It can be deemed as similar to iPhone
    jailbreaking.
  • Why root Android?
  • To gain full control over the system.
  • Modify system files themes, core apps, boot
    images, linux binaries, etc.
  • Run applications that require system level access

19
Other Findings
  • Not a single application currently does user
    authentication using accelerometer.
  • No application attempts to do anything on a
    system level, such as access network packets.
  • Two main reasons for the above findings
  • Android Manifest does not permit anything on
    system level, such as, replacement of factory
    default user authentication mechanism or access
    to other applications traffic.
  • An application written for rooted Android will
    not work on non-rooted Android phones.
  • Apps for rooted Android Internet tethering,
    ad-hoc network,

20
Questions?
21
Sources
  1. http//developer.android.com/reference/android/Man
    ifest.permission.html
  2. http//threatcenter.smobilesystems.com/wp-content/
    plugins/download-monitor/download.php?id8
  3. http//research.microsoft.com/pubs/131132/devices-
    camera-ready.pdf
  4. http//blogs.forbes.com/firewall/2010/05/25/androi
    d-app-aims-to-allow-wiretap-proof-cell-phone-calls
    /
  5. http//research.microsoft.com/pubs/131517/AppAuth.
    pdf
  6. http//www.openintents.org/en/node/205/
  7. http//www.openintents.org/en/node/231
  8. http//threatcenter.smobilesystems.com/?category_n
    amenews
  9. http//portal.acm.org/citation.cfm?id1613858.1613
    878
  10. http//smarterware.org/3189/why-and-how-to-root-yo
    ur-android-phone
  11. http//android-dls.com/wiki/index.php?titleWhy_Ro
    ot
  12. http//metrics.admob.com/
Write a Comment
User Comments (0)
About PowerShow.com