ANDROID SECURITY
Robin De Croon
Lars Jacobs
H05D9a Cryptography and Network Security: lecture
Prof. Dr. Ir. Bart Preneel
Content
• Introduction
• System and Kernel Level Security
• User Security Features
• Android Application Security
• Recent Security Problems
• Demo
May 8, 2013 2
INTRODUCTION
Introduction
• All data located on your smartphone
• Passwords
• Photos
• (Text) messages
• Medical records
• …
• Smartphone cannot trust anyone
• Is Android secure?
• Open source → safer (Hoepman and Jacobs, 2007)
Figure: Distribution of mobile malware by platform in 2012
Figure: Mobile threats motivated by profit, by year
Figure: Android versions
Figure: Android software stack
SYSTEM AND KERNEL LEVEL SECURITY
Apps & Processes
• Each app runs in its own Linux process with its own user ID → sandbox
•Data is protected from other apps
•Secure IPC (Binder)
• API calls are authorized according to permissions
• Hardware access is authorized by group membership
• The same sandbox applies to Java, native and WebKit code
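The slide's model (one UID per app, hardware and network access granted through supplementary groups) can be verified from the kernel's own view of a process. The following is an added example, not code from the slides: it parses the text of /proc/<pid>/status (as obtained with `adb shell cat /proc/<pid>/status`) and maps the UID and group IDs back to the sandbox model. The numeric IDs are the AOSP values from android_filesystem_config.h and the group-to-permission mapping follows the platform.xml of the Android 2.x–4.x era; the two status dumps are constructed for the demo.

```python
"""Map a process's kernel identity back to the Android sandbox model."""

AID_ROOT = 0
AID_APP = 10000          # first UID handed out to installed applications

# gid -> (group name, permission whose grant adds the app to that group);
# values from AOSP android_filesystem_config.h / platform.xml (2.x-4.x era).
HW_GROUPS = {
    1006: ("camera", "android.permission.CAMERA"),
    1015: ("sdcard_rw", "android.permission.WRITE_EXTERNAL_STORAGE"),
    3001: ("net_bt_admin", "android.permission.BLUETOOTH_ADMIN"),
    3002: ("net_bt", "android.permission.BLUETOOTH"),
    3003: ("inet", "android.permission.INTERNET"),
}


def _field(status_text, key):
    """Return the whitespace-separated values of one 'Key:' line, or []."""
    for line in status_text.splitlines():
        if line.startswith(key + ":"):
            return line.split(":", 1)[1].split()
    return []


def describe_process(status_text):
    """Who the process is, and which hardware/network access its
    supplementary groups grant, as a plain dict."""
    name = " ".join(_field(status_text, "Name"))
    uid = int(_field(status_text, "Uid")[0])            # real UID
    groups = sorted(int(g) for g in _field(status_text, "Groups"))
    return {
        "name": name,
        "uid": uid,
        "app_id": uid - AID_APP if uid >= AID_APP else None,
        "sandboxed": uid >= AID_APP,   # system daemons and root are not app sandboxes
        "is_root": uid == AID_ROOT,
        "granted": [HW_GROUPS[g][1] for g in groups if g in HW_GROUPS],
        "other_groups": [g for g in groups if g not in HW_GROUPS],
    }


# Constructed sample: an installed app (UID 10045 = app_45) that was granted
# INTERNET (gid 3003) and WRITE_EXTERNAL_STORAGE (gid 1015).
APP_STATUS = """\
Name:\tcom.example.app
State:\tS (sleeping)
Pid:\t1234
Uid:\t10045\t10045\t10045\t10045
Gid:\t10045\t10045\t10045\t10045
Groups:\t1015 3003
"""

# Constructed sample: a shell running as root, i.e. outside any app sandbox.
ROOTED_STATUS = """\
Name:\tsh
Pid:\t2222
Uid:\t0\t0\t0\t0
Gid:\t0\t0\t0\t0
Groups:\t
"""

if __name__ == "__main__":
    for status in (APP_STATUS, ROOTED_STATUS):
        print(describe_process(status))
```

On a real device, replace the constructed strings with the output of `adb shell cat /proc/<pid>/status`; a process reporting a UID below 10000, or groups outside the expected set, is exactly the kind of thing a reviewer of a rooted or vendor-modified image wants to see.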
Bootloader
• Bootloader is locked by default
• Boot process: signature check
Memory management
• A lot of memory corruption bugs
 → Attacker can control the program
• Improvements
•No eXecute (NX) (since Android 2.3)
•Address Space Layout Randomization (ASLR) (since Android 4.0)
•Position Independent Executables (PIE) (since Android 4.1)
•FORTIFY_SOURCE (since Android 4.2)
Figure: Randomization in Android 2.3
Figure: Randomization in Android 4.0
Figure: Randomization in Android 4.1
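Whether NX, ASLR and PIE are actually in effect on a given device can be read off /proc/<pid>/maps, which is what the randomization figures for the three Android versions compare. The following is an added example, not code from the slides: it parses two maps dumps of the same program taken from two separate launches (`adb shell cat /proc/<pid>/maps`) and reports the three mitigations. The dumps below are constructed, not real device output, and the PIE test assumes the ARM convention that a non-PIE executable is linked at the fixed address 0x8000.

```python
"""Check NX, PIE and ASLR from two /proc/<pid>/maps dumps of one program."""
import re

# address range, perms, offset, dev, inode, optional path
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")
FIXED_ARM_BASE = 0x8000     # link address of a non-PIE ARM executable (assumption)


def parse_maps(text):
    """Return a list of (start, end, perms, path) for every mapping line."""
    regions = []
    for line in text.strip().splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            start, end, perms, path = m.groups()
            regions.append((int(start, 16), int(end, 16), perms, path.strip()))
    return regions


def base_of(regions, suffix):
    """Lowest address of any mapping whose path ends in `suffix`, or None."""
    bases = [s for s, _e, _p, path in regions if path.endswith(suffix)]
    return min(bases) if bases else None


def assess(run1, run2, exe):
    """Report the mitigations the slide lists. Equal bases across two runs
    are taken as 'not randomized' (a chance collision is negligible)."""
    r1, r2 = parse_maps(run1), parse_maps(run2)
    rwx = [path or "<anon>" for _s, _e, p, path in r1 if "w" in p and "x" in p]
    return {
        "nx": not rwx,                 # no region is both writable and executable
        "rwx_regions": rwx,
        "pie": base_of(r1, exe) not in (None, FIXED_ARM_BASE),
        "aslr_libs": base_of(r1, "/libc.so") != base_of(r2, "/libc.so"),
        "aslr_stack": base_of(r1, "[stack]") != base_of(r2, "[stack]"),
    }


# Constructed: a pre-hardening layout. Fixed executable base, fixed library
# and stack addresses, and a writable+executable heap.
LEGACY_RUN = """\
00008000-0000a000 r-xp 00000000 1f:00 123   /system/bin/app_process
0000a000-0000b000 rw-p 00002000 1f:00 123   /system/bin/app_process
0000b000-00030000 rwxp 00000000 00:00 0     [heap]
afd00000-afd40000 r-xp 00000000 1f:00 456   /system/lib/libc.so
afd40000-afd43000 rw-p 00040000 1f:00 456   /system/lib/libc.so
bef00000-bef20000 rw-p 00000000 00:00 0     [stack]
"""

# Constructed: a 4.1-style layout. The executable is relocated (PIE), libc
# and the stack move between launches (ASLR), and nothing is rwx (NX).
HARDENED_RUN_1 = """\
4007b000-4007d000 r-xp 00000000 1f:00 123   /system/bin/app_process
4007d000-4007e000 rw-p 00002000 1f:00 123   /system/bin/app_process
4007e000-400a0000 rw-p 00000000 00:00 0     [heap]
401a2000-401e2000 r-xp 00000000 1f:00 456   /system/lib/libc.so
401e2000-401e5000 rw-p 00040000 1f:00 456   /system/lib/libc.so
be8c1000-be8e2000 rw-p 00000000 00:00 0     [stack]
"""
HARDENED_RUN_2 = """\
400f3000-400f5000 r-xp 00000000 1f:00 123   /system/bin/app_process
400f5000-400f6000 rw-p 00002000 1f:00 123   /system/bin/app_process
400f6000-40118000 rw-p 00000000 00:00 0     [heap]
4025c000-4029c000 r-xp 00000000 1f:00 456   /system/lib/libc.so
4029c000-4029f000 rw-p 00040000 1f:00 456   /system/lib/libc.so
bea04000-bea25000 rw-p 00000000 00:00 0     [stack]
"""

if __name__ == "__main__":
    print("legacy  :", assess(LEGACY_RUN, LEGACY_RUN, "/system/bin/app_process"))
    print("hardened:", assess(HARDENED_RUN_1, HARDENED_RUN_2, "/system/bin/app_process"))
```

Two launches are the minimum: a single dump shows PIE and NX, but randomization can only be seen by comparing addresses across runs.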
Rooting
•No root access by default
•Possible through a 'su' binary
•Bootloader unlocked → unsafe
•Root apps can do ANYTHING
•Latest versions of Android
USER SECURITY FEATURES
Device protection
• Screen lock
•Face unlock, pattern, PIN, passcode, …
• Full-disk encryption of /data
• AES-128 in CBC mode with ESSIV:SHA256 (dm-crypt)
• Master key encrypted with AES-128 via the OpenSSL library, using a key derived from the screen-lock passcode
Passwords are hashed
•Salt saved on device
•/data/data/com.android.providers.settings/databases/settings.db
•/data/system/locksettings.db (Android 4.2 and later)
•'Easily' brute forced once the salt is known
•Keys are stored in software!
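How "easily" a salted screen-lock hash falls is best shown by doing it. The following is an added example, not code from the slides: it reproduces the hash construction used by LockPatternUtils.passwordToHash() in Android 2.x–4.3 (upper-case hex of SHA-1(password || salt) followed by upper-case hex of MD5(password || salt), where salt is Long.toHexString() of the random 64-bit value the slide locates in the settings database under lockscreen.password_salt) and exhausts the 4-digit PIN space against it. The salt and target hash are constructed for the demo; on a device the hash is in /data/system/password.key, and reading it or the salt requires root or a physical image of /data, which is the point of "keys are stored in software".

```python
"""Brute-force an Android (pre-4.4) screen-lock PIN from its salted hash."""
import hashlib
from itertools import product


def java_long_to_hex(salt):
    """Java's Long.toHexString(): two's-complement, lower-case, no leading zeros."""
    return format(salt & 0xFFFFFFFFFFFFFFFF, "x")


def android_password_hash(password, salt):
    """LockPatternUtils.passwordToHash() as shipped in Android 2.x-4.3."""
    salted = (password + java_long_to_hex(salt)).encode("utf-8")
    sha1 = hashlib.sha1(salted).hexdigest().upper()
    md5 = hashlib.md5(salted).hexdigest().upper()
    return sha1 + md5          # 40 + 32 hex characters, as stored in password.key


def brute_force_pin(target_hash, salt, min_len=4, max_len=4):
    """Try every numeric PIN of the given lengths.
    Returns (pin, attempts), or (None, attempts) if nothing matched."""
    attempts = 0
    for length in range(min_len, max_len + 1):
        for digits in product("0123456789", repeat=length):
            attempts += 1
            pin = "".join(digits)
            if android_password_hash(pin, salt) == target_hash:
                return pin, attempts
    return None, attempts


# Constructed demo values: a signed 64-bit salt as it would be stored under
# lockscreen.password_salt, and the resulting hash of the PIN 2580.
DEMO_SALT = -5847321690823714731
DEMO_HASH = android_password_hash("2580", DEMO_SALT)

if __name__ == "__main__":
    pin, attempts = brute_force_pin(DEMO_HASH, DEMO_SALT)
    print("recovered PIN %s after %d attempts" % (pin, attempts))
```

A 4-digit PIN is at most 10,000 candidates, two cheap hashes each, so the search finishes in well under a second on a laptop; only the salt stops a precomputed table, and the salt sits next to the hash on the same partition.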
Figure: Android source code
ANDROID APPLICATION SECURITY
Android Permissions
• Accessing protected APIs
•Location (GPS), camera, Bluetooth, telephony, SMS/MMS, network/data
• Declared in AndroidManifest.xml
Play Store security
• Apps are self-signed (developer certificate, no CA)
• Bouncer
•Online version
•Local version (since Android 4.2)
• App encryption
•Introduced in Android 4.1
•Disabled again because of bugs
Cryptographic APIs
• Primitives
•AES, DSA, RSA, SHA
• Higher level
•SSL, HTTPS
• Virtual Private Network
•IPsec
RECENT SECURITY PROBLEMS
SMS problems
• Smishing
•http://www.youtube.com/watch?v=baWeMbGatfs
• SMS to premium services
•F-Secure Mobile Threat Report Q4 2012
•Kaspersky Security Bulletin 2012
Exynos Exploit
• Exynos 4210 and 4412 processors
•Sprint Galaxy S II, Galaxy S II, Galaxy S3, Galaxy Note, Galaxy Note 2, Galaxy Tab 2, Galaxy Note 10.1, Galaxy Camera
•Kernel device node: /dev/exynos-mem
 → readable and writable by all users → access to all physical memory
• ExynosAbuse.apk (proof-of-concept)
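The Exynos hole was not a subtle memory-corruption bug but a permission mistake on a device node, and that class of mistake can be audited with one directory listing. The following is an added example, not code from the slides: it takes the output of `adb shell ls -l /dev` (Android toolbox format; GNU `ls -l` parses the same way because only the mode and name columns are used) and flags character and block devices whose "other" permission bits grant read or write. The listing is constructed, and the allow-list of devices that are legitimately world-accessible is an assumption for the demo that should be tuned per device.

```python
"""Flag device nodes that any UID can open, as /dev/exynos-mem was."""

# Devices every process is expected to be able to open (assumption for the demo).
EXPECTED_WORLD_RW = {"null", "zero", "full", "random", "urandom", "tty", "ptmx",
                     "ashmem", "binder", "log"}


def parse_ls_line(line):
    """Return (mode, name) from one `ls -l` line, or None if it is not an entry."""
    parts = line.split()
    if len(parts) < 2 or len(parts[0]) < 10:
        return None
    return parts[0][:10], parts[-1]      # [:10] drops a trailing SELinux '.' marker


def world_accessible_devices(listing, allow=EXPECTED_WORLD_RW):
    """List (name, mode, access) for char/block devices whose 'other' bits
    grant read and/or write, skipping the allow-list."""
    findings = []
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry is None:
            continue
        mode, name = entry
        if mode[0] not in "cb":          # only device nodes matter here
            continue
        other = mode[7:10]
        access = ("r" if "r" in other else "") + ("w" if "w" in other else "")
        if access and name not in allow:
            findings.append((name, mode, access))
    return findings


# Constructed listing: legitimate nodes mixed with the Exynos hole and one
# made-up vendor node ("vendor-dbg") that leaks read access.
SAMPLE_LISTING = """\
crw-rw-rw- root     root      10,  63 2013-05-08 10:00 exynos-mem
crw-r----- root     system     1,   1 2013-05-08 10:00 mem
crw-rw-rw- root     root       1,   3 2013-05-08 10:00 null
brw------- root     root     179,   0 2013-05-08 10:00 mmcblk0
crw-rw---- root     camera    81,   0 2013-05-08 10:00 video0
crw-rw-r-- root     root      10,  60 2013-05-08 10:00 vendor-dbg
-rw-rw-rw- root     root             0 2013-05-08 10:00 notes.txt
drwxr-xr-x root     root               2013-05-08 10:00 socket
"""

if __name__ == "__main__":
    for name, mode, access in world_accessible_devices(SAMPLE_LISTING):
        print("%-12s %s  world:%s" % (name, mode, access))
```

Run it over a real device with `adb shell ls -l /dev > dev.txt` and pass the file contents to `world_accessible_devices`; anything it prints is reachable from every app's sandbox regardless of permissions, which is exactly what made a world-writable window onto physical memory a one-step root.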
DEMO
References (I)
• F-Secure, "Mobile Threat Report Q4 2012", http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q4%202012.pdf
• Google, "Android Platform Versions", http://developer.android.com/about/dashboards/index.html#Platform
• Google, "Android Security Overview", http://source.android.com/tech/security/#android-application-security
• S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgärtner and B. Freisleben, "Why Eve and Mallory love Android: an analysis of Android SSL (in)security", in Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12), New York, NY, USA, pp. 50–61, ACM Press, 2012.
References (II)
• J.-H. Hoepman and B. Jacobs, "Increased security through open source", Communications of the ACM, vol. 50, no. 1, pp. 79–83, Jan. 2007.
• M. Lange, "State of the Union: Android security overview – Is Android the new XP?", droidcon Berlin 2013, http://de.droidcon.com/2013/sessnio/state-union-android-security-overview-android-new-xp
• X. Jiang, "Smishing Vulnerability in Multiple Android Platforms", http://www.cs.ncsu.edu/faculty/jiang/smishing.html
• A. Shabtai, Y. Fledel, U. Kanonov, Y. Elovici, S. Dolev and C. Glezer, "Google Android: A Comprehensive Security Assessment", IEEE Security & Privacy, vol. 8, no. 2, pp. 35–44, March–April 2010.
References (III)
• A. Barresi and P. Somogyvari, "Android Security – An Introduction", www.youtube.com/watch?v=OOFzu2J3EBY
• Kaspersky Lab, "Kaspersky Security Bulletin 2012: The overall statistics for 2012", https://www.securelist.com/en/analysis/204792255/Kaspersky_Security_Bulletin_2012_The_overall_statistics_for_2012
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 

Recently uploaded (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 

Android Security

  • 1. ANDROID SECURITY
    Robin De Croon, Lars Jacobs
    |H05D9a| Cryptografie en netwerkbeveiliging: hoorcollege (Cryptography and Network Security: lecture), prof. dr. ir. Bart Preneel
  • 2. Content
    • Introduction
    • System and Kernel Level Security
    • User Security Features
    • Android Application Security
    • Recent Security Problems
    • Demo
    May 8, 2013
  • 3. INTRODUCTION (section divider repeating the agenda)
  • 4. Introduction
    • All of your data lives on your smartphone: passwords, photos, (text) messages, medical records, …
    • A smartphone cannot trust anyone
    • Is Android secure?
    • Open source → safer (Hoepman et al.)
  • 5. Distribution of mobile malware by platform in 2012 (chart)
  • 6. Mobile threats motivated by profit, by year (chart)
  • 9. SYSTEM AND KERNEL LEVEL SECURITY (section divider repeating the agenda)
  • 10. Apps & Processes
    • Each app runs in its own Linux process under its own user ID → sandbox
    • An app's data is protected from other apps
    • Secure IPC
    • API calls are authorized according to permissions
    • Hardware access is authorized by group membership
    • The same sandbox applies to Java, native and WebKit code
  • 11. Bootloader
    • Bootloader is locked by default
    • Boot process
    • Signature check
  • 12. Memory management
    • A lot of memory corruption bugs → attacker can control the program
    • Improvements:
      • No eXecute (NX) (since Android 2.3)
      • Address Space Layout Randomization (since Android 4.0; 4.0 randomizes only the stack and library mappings, the executable, the linker and the brk heap stay at fixed addresses until 4.1)
      • Position Independent Executables (since Android 4.1)
      • FORTIFY_SOURCE (since Android 4.2)
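Whether a given native binary actually received these mitigations can be read straight from its ELF headers, which is how a practitioner audits a library pulled off a device. The Go program below is an added example (not from the slides and not Android tooling): it parses an ELF image with the standard library's debug/elf package, reports PIE (e_type == ET_DYN), NX (a PT_GNU_STACK program header without the PF_X bit) and the FORTIFY_SOURCE footprint (imported __*_chk symbols), and, when run without arguments, exercises itself on two constructed minimal ELF images so it works offline; pass a file path to check a real binary.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
	"io"
	"os"
	"strings"
)

// Mitigations is what a quick "checksec"-style pass over an ELF image can see.
type Mitigations struct {
	PIE      bool // e_type == ET_DYN: loadable at a random base, so ASLR also covers the executable itself
	GNUStack bool // a PT_GNU_STACK program header is present
	NX       bool // PT_GNU_STACK present and without PF_X: the stack is marked non-executable
	Fortify  bool // at least one __*_chk import, the footprint of FORTIFY_SOURCE-checked libc calls
}

// CheckELF inspects an ELF image supplied as an io.ReaderAt (a file or an in-memory buffer).
func CheckELF(r io.ReaderAt) (Mitigations, error) {
	var m Mitigations
	f, err := elf.NewFile(r)
	if err != nil {
		return m, err
	}
	m.PIE = f.Type == elf.ET_DYN
	for _, p := range f.Progs {
		if p.Type == elf.PT_GNU_STACK {
			m.GNUStack = true
			// Only an explicit RW marking counts as NX; a missing PT_GNU_STACK is
			// treated conservatively as "not proven non-executable".
			m.NX = p.Flags&elf.PF_X == 0
		}
	}
	// Stripped or static images may carry no dynamic symbol table; that is not an error here.
	if syms, err := f.DynamicSymbols(); err == nil {
		for _, s := range syms {
			if strings.HasPrefix(s.Name, "__") && strings.HasSuffix(s.Name, "_chk") {
				m.Fortify = true
				break
			}
		}
	}
	return m, nil
}

// MinimalELF builds a constructed 64-bit little-endian ELF image made of just the file
// header and one PT_GNU_STACK program header: enough for debug/elf to parse, so the
// checker can be exercised without a real binary on disk.
func MinimalELF(typ elf.Type, stackFlags elf.ProgFlag) []byte {
	hdr := elf.Header64{
		Type:      uint16(typ),
		Machine:   uint16(elf.EM_AARCH64),
		Version:   uint32(elf.EV_CURRENT),
		Phoff:     64, // program headers follow the 64-byte file header immediately
		Ehsize:    64,
		Phentsize: 56,
		Phnum:     1,
	}
	copy(hdr.Ident[:], elf.ELFMAG)
	hdr.Ident[elf.EI_CLASS] = byte(elf.ELFCLASS64)
	hdr.Ident[elf.EI_DATA] = byte(elf.ELFDATA2LSB)
	hdr.Ident[elf.EI_VERSION] = byte(elf.EV_CURRENT)
	ph := elf.Prog64{Type: uint32(elf.PT_GNU_STACK), Flags: uint32(stackFlags), Align: 16}

	var buf bytes.Buffer
	binary.Write(&buf, binary.LittleEndian, hdr) // fixed-size structs into a bytes.Buffer: cannot fail
	binary.Write(&buf, binary.LittleEndian, ph)
	return buf.Bytes()
}

func report(name string, m Mitigations) {
	fmt.Printf("%-32s PIE=%-5v NX=%-5v FORTIFY=%-5v (PT_GNU_STACK present: %v)\n",
		name, m.PIE, m.NX, m.Fortify, m.GNUStack)
}

func main() {
	if len(os.Args) > 1 {
		// A real binary from disk, e.g. a library copied off a device with adb pull.
		f, err := os.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		m, err := CheckELF(f)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		report(os.Args[1], m)
		return
	}
	// Constructed images: one built the way an Android 4.1+ toolchain does it, one the old way.
	hard, _ := CheckELF(bytes.NewReader(MinimalELF(elf.ET_DYN, elf.PF_R|elf.PF_W)))
	report("constructed PIE, NX stack", hard)
	weak, _ := CheckELF(bytes.NewReader(MinimalELF(elf.ET_EXEC, elf.PF_R|elf.PF_W|elf.PF_X)))
	report("constructed non-PIE, exec stack", weak)
}
```

ET_DYN also describes ordinary shared libraries, so for an executable the PIE verdict is only meaningful together with a PT_INTERP header; and the __*_chk test shows that some fortified calls were compiled in, not that every call site was covered.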
  • 13.–15. Randomization in Android 2.3, 4.0 and 4.1 (one memory-layout figure per release)
  • 16. Rooting
    • No root access by default
    • Possible through an ‘su’ binary
    • Unlocking the bootloader is unsafe
    • Root apps can do ANYTHING
    • Latest versions of Android
  • 17. USER SECURITY FEATURES (section divider repeating the agenda)
  • 18. Device protection
    • Screen lock: face unlock, pattern, PIN, passcode, …
    • File encryption: 128-bit AES in CBC mode with ESSIV:SHA256 (dm-crypt)
    • Master key encrypted with 128-bit AES via the OpenSSL library
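The mode named on the slide, aes-cbc-essiv:sha256, is what stops an attacker from recognising identical sectors or watermarking files on a CBC-encrypted volume: every 512-byte sector is its own CBC chain and its IV is the sector number encrypted under SHA-256 of the master key. The Go program below is an added example (not from the slides, not Android's cryptfs or dm-crypt code) that reproduces that rule from the standard library and encrypts the same plaintext into two sectors to show that the ciphertexts differ; the 16-byte master key is a constructed constant.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// SectorSize is the dm-crypt unit: every 512-byte sector is an independent CBC chain.
const SectorSize = 512

// EssivCipher models the aes-cbc-essiv:sha256 mapping. The data key is the 128-bit volume
// master key; the IV key is SHA-256 of that key, which selects AES-256 and is used only to
// turn sector numbers into IVs.
type EssivCipher struct {
	data  cipher.Block
	ivKey cipher.Block
}

func NewEssivCipher(masterKey []byte) (*EssivCipher, error) {
	if len(masterKey) != 16 {
		return nil, fmt.Errorf("essiv: want a 128-bit master key, got %d bytes", len(masterKey))
	}
	data, err := aes.NewCipher(masterKey)
	if err != nil {
		return nil, err
	}
	salt := sha256.Sum256(masterKey)
	ivKey, err := aes.NewCipher(salt[:]) // 32-byte key: AES-256
	if err != nil {
		return nil, err
	}
	return &EssivCipher{data: data, ivKey: ivKey}, nil
}

// IV applies the ESSIV rule: encrypt the sector number (64-bit little-endian, zero padded
// to one block) under the hashed key. A plain sector-number IV would be predictable and
// let an attacker plant watermarks; this one is not computable without the key.
func (c *EssivCipher) IV(sector uint64) []byte {
	var block [aes.BlockSize]byte
	binary.LittleEndian.PutUint64(block[:8], sector)
	iv := make([]byte, aes.BlockSize)
	c.ivKey.Encrypt(iv, block[:])
	return iv
}

func (c *EssivCipher) EncryptSector(sector uint64, plain []byte) ([]byte, error) {
	if len(plain) != SectorSize {
		return nil, fmt.Errorf("essiv: sector must be %d bytes, got %d", SectorSize, len(plain))
	}
	out := make([]byte, SectorSize)
	cipher.NewCBCEncrypter(c.data, c.IV(sector)).CryptBlocks(out, plain)
	return out, nil
}

func (c *EssivCipher) DecryptSector(sector uint64, ct []byte) ([]byte, error) {
	if len(ct) != SectorSize {
		return nil, fmt.Errorf("essiv: sector must be %d bytes, got %d", SectorSize, len(ct))
	}
	out := make([]byte, SectorSize)
	cipher.NewCBCDecrypter(c.data, c.IV(sector)).CryptBlocks(out, ct)
	return out, nil
}

func main() {
	masterKey := bytes.Repeat([]byte{0x42}, 16) // constructed; a real master key is random
	c, err := NewEssivCipher(masterKey)
	if err != nil {
		panic(err)
	}
	plain := bytes.Repeat([]byte("A"), SectorSize) // identical content written to two sectors
	s0, _ := c.EncryptSector(0, plain)
	s1, _ := c.EncryptSector(1, plain)
	fmt.Printf("sector 0 IV: %s\nsector 1 IV: %s\n", hex.EncodeToString(c.IV(0)), hex.EncodeToString(c.IV(1)))
	fmt.Printf("same plaintext, different ciphertext: %v\n", !bytes.Equal(s0, s1))
	back, _ := c.DecryptSector(1, s1)
	fmt.Printf("round trip ok: %v\n", bytes.Equal(back, plain))
}
```

Note what ESSIV does not give: CBC has no integrity, so an attacker with write access to the flash can still flip chosen plaintext bits in the block after a modified ciphertext block, and the scheme is only as strong as the wrapping of the master key, which on these Android releases is protected by the user's screen-lock credential.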
  • 20. Passwords are hashed
    • Salt saved on the device:
      • /data/data/com.android.providers.settings/databases (older releases)
      • /data/system/locksettings.db
    • ‘Easily’ brute forced: the salt sits next to the hash on the same device and the hash is a single unstretched round, so it only defeats precomputed tables
    • Keys are stored in software!
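What ‘easily brute forced’ means in practice, as an added example that is not code from the slides or from Android: the Go program below reproduces the 4.x lock-screen hash construction as this editor recalls it from LockPatternUtils.passwordToHash (upper-case hex of SHA-1(password||salt) followed by upper-case hex of MD5(password||salt), the salt being the lower-case hex of a random 64-bit value, with the result stored in /data/system/password.key), so treat the exact format as an assumption, then recovers a 4-digit PIN from a constructed salt and hash by exhaustive search.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// PasswordToHash mirrors Android 4.x LockPatternUtils.passwordToHash as recalled by the editor:
// hex(SHA-1(pw||salt)) || hex(MD5(pw||salt)), upper case, one round each, no key stretching.
func PasswordToHash(password, saltHex string) string {
	salted := []byte(password + saltHex)
	s := sha1.Sum(salted)
	m := md5.Sum(salted)
	return strings.ToUpper(hex.EncodeToString(s[:]) + hex.EncodeToString(m[:]))
}

// BruteForcePIN walks every numeric PIN of the given length against a stored hash.
// It returns the PIN, how many candidates were hashed, and whether a match was found.
func BruteForcePIN(storedHash, saltHex string, digits int) (pin string, tried int, found bool) {
	space := 1
	for i := 0; i < digits; i++ {
		space *= 10
	}
	for i := 0; i < space; i++ {
		candidate := fmt.Sprintf("%0*d", digits, i)
		if PasswordToHash(candidate, saltHex) == storedHash {
			return candidate, i + 1, true
		}
	}
	return "", space, false
}

func main() {
	// Constructed values standing in for the stored salt and the contents of password.key.
	salt := "7d6f2a8c1b3e4f50"
	stored := PasswordToHash("2580", salt)
	fmt.Println("password.key:", stored)

	start := time.Now()
	pin, tried, ok := BruteForcePIN(stored, salt, 4)
	fmt.Printf("found=%v pin=%s after %d candidates in %s\n", ok, pin, tried, time.Since(start))
}
```

The salt only rules out precomputed tables: a 4-digit PIN is 10^4 candidates and a 6-digit one 10^6, each costing one SHA-1 and one MD5, so the search finishes in milliseconds on any laptop that holds a copy of /data. What slows an offline attacker is iterated hashing (PBKDF2, scrypt) and binding the verification key to hardware that rate-limits attempts, which is exactly the gap behind “Keys are stored in software!”.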
  • 21. ANDROID APPLICATION SECURITY (section divider repeating the agenda)
  • 22. Android Permissions
    • Gate access to protected APIs: location (GPS), camera, Bluetooth, telephony, SMS/MMS, network/data
    • Declared in AndroidManifest.xml
  • 23. Play Store security
    • Apps are self-signed (the certificate identifies the developer, no CA is involved)
    • Bouncer
      • Online version (scans apps submitted to the store)
      • Local version on the device (since Android 4.2)
    • App encryption
      • Introduced in Android 4.1
      • Shut down due to bugs
  • 24. Cryptographic APIs
    • Primitives: AES, DSA, RSA, SHA
    • Higher level: SSL, HTTPS
    • Virtual Private Network: IPsec
  • 25. RECENT SECURITY PROBLEMS (section divider repeating the agenda)
  • 26. SMS problems
    • Smishing: http://www.youtube.com/watch?v=baWeMbGatfs
    • SMS sent to premium-rate services (F-Secure Mobile Threat Report Q4 2012; Kaspersky Security Bulletin 2012)
  • 27. Exynos exploit
    • Affects the Exynos 4210 and 4412 processors: Sprint Galaxy S II, Galaxy S II, Galaxy S3, Galaxy Note, Galaxy Note 2, Galaxy Tab 2, Galaxy Note 10.1, Galaxy Camera
    • Kernel device node /dev/exynos-mem is readable and writable by all users → access to all physical memory
    • ExynosAbuse.apk
  • 28. DEMO (section divider repeating the agenda)
  • 29. References (I)
    • F-Secure, Mobile Threat Report Q4 2012, http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q4%202012.pdf
    • Google, “Android Platform Versions”, http://developer.android.com/about/dashboards/index.html#Platform
    • Google, “Android Security Overview”, http://source.android.com/tech/security/#android-application-security
    • S. Fahl, M. Harbach, T. Muders, M. Smith, L. Baumgärtner and B. Freisleben, “Why Eve and Mallory love Android”, in Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS ’12), New York, NY, USA, p. 50, ACM Press, 2012.
  • 30. References (II)
    • J.-H. Hoepman and B. Jacobs, “Increased security through open source”, Communications of the ACM, vol. 50, pp. 79–83, Jan. 2007.
    • Matthias Lange, “State of the Union: Android security overview – Is Android the new XP?”, http://de.droidcon.com/2013/sessnio/state-union-android-security-overview-android-new-xp
    • Xuxian Jiang, “Smishing Vulnerability in Multiple Android Platforms”, http://www.cs.ncsu.edu/faculty/jiang/smishing.html
    • A. Shabtai, “Google Android: A Comprehensive Security Assessment”, IEEE Security & Privacy, vol. 8, pp. 35–44, March–April 2010.
  • 31. References (III)
    • A. Barresi and P. Somogyvari, “Android Security – An Introduction”, www.youtube.com/watch?v=OOFzu2J3EBY
    • Kaspersky, Security Bulletin 2012: The overall statistics for 2012, https://www.securelist.com/en/analysis/204792255/Kaspersky_Security_Bulletin_2012_The_overall_statistics_for_2012