android security
play

Android Security CS 4720 Mobile Application Development CS 4720 - PowerPoint PPT Presentation

Dec 23, 2022 •489 likes •660 views

Android Security CS 4720 Mobile Application Development CS 4720 Security through Obscurity It used to be that phones had so little connectivity to devices other than the phone network that security wasn't a huge deal Phone number

  1. Android Security CS 4720 – Mobile Application Development CS 4720

  2. Security through Obscurity • It used to be that phones had so little connectivity to devices other than the phone network that security wasn't a huge deal • Phone number stealing did occur • But nothing compared to what can happen with today's smartphones! CS 4720 2

  3. Encrypting Credentials • Create a configuration file for use of logging into a web service or DB or whatever • Then encrypt that file with a username/password combo that isn't stored anywhere on the device • For multiple users, add another layer – encrypt a master password with a username/password combo that can unlock the configuration files CS 4720 3

  4. Other “ Good Things ” • Encryption of data • SSL for connections • Input validation • Power-on password for the device • Everything else we discussed CS 4720 4

  5. Mobile Remote Management • With an “ always on ” (theoretically) network like a cellular network, remote enterprise management is an option • Can force: – Policies (power on password, etc) – Password changes – Removal of all data through remote wipe CS 4720 5

  6. Application Signing • Under “ normal circumstances, ” to run code on a mobile device the following must be true: – The executable files are “ signed ” – The signature is valid – The signature matches a recognized certificate on the device • Code signing ensures two things: the code hasn't been modified and the owner is known CS 4720 6

  7. Application Signing • Works similarly to public/private key signing – On a compile, the code is hashed and encrypted with the private key of the author – The author's public key and info is attached to the code as a resource – At runtime, the mobile device gets the public key and decrypts the hash – Then it hashes the code and does a comparison – Finally, the public key is verified against the trust authorities certificate store CS 4720 7

  8. Mobile Security Policy • Applications can be: – Privileged: signed and verified in the cert store – Unprivileged : verified as unprivileged in the cert store – Unsigned: app not signed • And these apps can run: – Trusted: consider this as running as root (almost) – Normal: API and Registry is severely restricted CS 4720 8

  9. Changing Security Configurations • This is why you have to call Verizon/Sprint/AT&T to get an “ unlock code ” for some phones • Some aspects are locked to the provider, even if you own the phone! CS 4720 9

  10. Android Security • “ No application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. ” • “ This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc. ” CS 4720 10

  11. Android Security • Sandbox model • All apps run in their own sandbox • All potential permissions needed to exit the sandbox must be statically declared at app install time CS 4720 11

  12. Android Manifest Permissions • Network communication: view Wi-Fi state, create Bluetooth connections, full Internet access, view network state • Your location: access extra location provider commands, fine (GPS) location, mock location sources for testing, coarse (network-based) location • Services that cost you money: send SMS messages, directly call phone numbers CS 4720 12

  13. Android Application Signing • All .apk's (Android packages) must be signed by the developer's private key stored on the local machine • A “ default ” keyset is generated when you install the Android SDK – It can be found in your .android directory – This can be used for development • When you publish your app, you must create your own public key CS 4720 13

  14. Android Application Signing • Google provides detailed steps on how to create your own key • MAJOR POINT – Google / Android does NOT require that your certificate / private key is verified by a certificate authority • This is called a “ self-signed certificate ” CS 4720 14

  15. Self-Signing • What does it mean to have a self-signed certificate? • How it affects apache / https • What are the potential risks to having a self- signed certificate: – For a server? – For an Android application? • This is very different than Apple's stance CS 4720 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig

Security Enhanced (SE) Android: Bringing Flexible MAC to Android Stephen Smalley and Robert Craig Trusted Systems Research National Security Agency Motivation Android security relies on Linux DAC. To protect the system from apps. To

480 views • 21 slides
Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware

Security & Pie Android 9.0 & APK Security Plan of Attack Start at the hardware Work up to Android OS Climb into the Play Store Discuss Application (APK) Connor Tumbleson Senior Software Engineer @Sourcetoad

672 views • 56 slides
Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and

Runtime verification meets Android security Gil Vegliach Joint work with Andreas Bauer and Jan-Christoph K uster Background, what Android is Developed by Android Inc. (acquired by Google in 2005) Open Handset Alliance (founded in 2007)

161 views • 15 slides
Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security

Evaluating the Android Security Key Scheme: An Early Usability, Deployability, Security Evaluation with Comparative Analysis Robbie MacGregor 5 th Who Are You?! Adventures in Authentication (WAY), Santa Clara, CA, USA, 2019. I did a thing so

132 views • 10 slides
Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal

Security Enhancements (SE) for Android Stephen Smalley Trusted Systems Research Natjonal Security Agency CLASSIFICATION HEADER Agenda Motjvatjon/Background Current State Using SELinux in Android What's Next for SELinux in

762 views • 72 slides
CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Mobile Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Android Security Table of Contents Android

562 views • 15 slides
Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2

Developers Google Maps Android API v2 Make your Android app pop with Google Maps Android API v2 Anthony Morris Jan-Felix Schmakeit Tech Lead, Android Maps API Android Developer Relations Code, Slides, Worksheet: http://goo.gl/MfY67 Welcome!

687 views • 49 slides
Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to

Android Security Security Philosophy Humans have difficulty understanding risk Safer to assume that Most developers do not understand security Most users do not understand security Security philosophy cornerstones Need to

582 views • 37 slides
Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to

Introduction to Android Development What is Android? Android is the customizable, easy to use operating system that powers more than a billion devices across the globe - from phones and tablets to watches, TV, cars and more to come.

464 views • 21 slides
Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June

Improving Android Reliability and Security Iulian Neamtiu, Assoc. Prof. CS Chairs Meeting June 14, 2018 Mobile OSes rapidly expanding their device range and user base. Android: 2 billion monthly active users but

403 views • 15 slides
Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile

Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile

Multi-Persona Android Oren Laadan orenl@cellrox.com Android Builders 2014 www.cellrox.com aprilzosia Mobile devices have multiple uses - - the device needs to reflect that. 2 Android Builders 2014 Security Use Case Personal Phone

874 views • 55 slides
Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a

Exploratory Android Surgery Digging into droids. Jesse Burns Black Hat USA 2009 Android is a trademark of Google Inc. Use of this trademark is subject to Google Permissions. https://www.isecpartners.com Agenda Android Security Model

725 views • 47 slides
Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices

Mobile security: Tips and tricks for securing your iPhone, Android and other mobile devices Presented by Michael Harris [MS, CISSP, WAPT] Systems Security Analyst University of Missouri Overview What data needs to be protected, what

407 views • 18 slides
CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest

Project #1: Color Guess Game CS619 Android 101 BENCE CSERNA Android: Manifest example Android: Manifest <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="net.cserna.bence.colorguess

201 views • 3 slides
What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4

What other Android APIs may be useful for ubicomp? Speaking to Android Ref: Professional Android 4 Development, Meier, Ch 11, pg 437 Speech recognition: Accept inputs as speech (instead of typing) e.g. dragon dictate app? Note: Google

333 views • 16 slides
File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda

File format fuzzing in Android: Giving Stagefright to the Android installer Alexandru Blanda Intel OTC Security SQE Agenda File format fuzzing in Android Fuzzing the Stagefright media framework Fuzzing the Android application

614 views • 40 slides
SSL/TLS OpenSSL OpenSSL is a very common SSL/TLS library Written in C Wrappers exist

SSL/TLS OpenSSL OpenSSL is a very common SSL/TLS library Written in C Wrappers exist

SSL/TLS OpenSSL OpenSSL is a very common SSL/TLS library Written in C Wrappers exist for many languages Can be used for many encryption needs Generating keys Signing certs Validating certs We'll use OpenSSL in the

287 views • 6 slides
Pennsylvanias Solar Future Kickoff Meeting March 2, 2017 Harrisburg, PA Overview Damon

Pennsylvanias Solar Future Kickoff Meeting March 2, 2017 Harrisburg, PA Overview Damon

Pennsylvanias Solar Future Kickoff Meeting March 2, 2017 Harrisburg, PA Overview Damon Lane David G. Hill, Ph.D. Lead Analyst Distributed Resources Director Dlane@veic.org Dhill@veic.org Scenario modeling Background on VEIC

601 views • 36 slides
Today Memory Management Virtual Memory Motivation and Requirements Project 5 Nov 28,

Today Memory Management Virtual Memory Motivation and Requirements Project 5 Nov 28,

Today Memory Management Virtual Memory Motivation and Requirements Project 5 Nov 28, 2018 Sprenkle - CSCI330 1 Review What is RAID? What is its motivation? What are its goals? What are some RAID levels? What

580 views • 19 slides
Computational Semantics and Pragmatics Autumn 2014 Raquel Fernndez Institute for Logic,

Computational Semantics and Pragmatics Autumn 2014 Raquel Fernndez Institute for Logic,

Computational Semantics and Pragmatics Autumn 2014 Raquel Fernndez Institute for Logic, Language & Computation University of Amsterdam Last lecture Dynamic semantics for dialogue: Ginzburgs KoS What we have seen up to now:

180 views • 17 slides
HTTPS Demystified! What is that green lock and why is it so important? What is that green lock

HTTPS Demystified! What is that green lock and why is it so important? What is that green lock

HTTPS Demystified! What is that green lock and why is it so important? What is that green lock and why is it important? Security Integrity It protects* the It guarantees* that you information you send are talking to who you across the

430 views • 29 slides
Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member

Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member

Setting up a secure server with Apache and mod_ssl Daniel Lopez Ridruejo About Me ASF member and long time Apache user Interested in usability and lowering the learning curve for Apache Comanche GUI configuration tool Teach Yourself

258 views • 25 slides
Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

Admin Monday is a holiday! Project checkpoint #2 due Wed, 5/31, 11:59pm Lab 3 due Fri

CSE 484 / CSE M 584: Computer Security and Privacy Mobile Platform Security [finish], Usable Security [start] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada

764 views • 48 slides
Homework 4 Web Server kuohh Computer Center, CS, NCTU Requirements You need to build two

Homework 4 Web Server kuohh Computer Center, CS, NCTU Requirements You need to build two

System Administration Homework 4 Web Server kuohh Computer Center, CS, NCTU Requirements You need to build two different web servers for this assignment Apache (50%) and NGINX (50%) Virtual Host (10%) Indexing (5%) htaccess

548 views • 15 slides

More recommend