Cross-Platform UI Development
600.250 User Interfaces and Mobile Applications
Michael Rushanan
Problems
●   Providing a consistent UI across multiple platforms.
    –   Most common/inefficient solution: implement UI individually for each platform.

●   Number of platforms, at least in mobile, is increasing:
    –   Ubuntu Touch
    –   Android
    –   iOS
    –   Tizen
    –   Moblin
    –   MeeGo
    –   Symbian
    –   Windows 8 Phone
    –   BlackBerry
Trivia Time!
●   How many of you have heard of Tizen, Bada,
    Moblin, or MeeGo?

●   Can anyone share an experience developing
    something event-driven (another mobile app
    maybe) while contrasting it with Android
    development so far?

●   How do you mock up UI designs?
More Problems
●   Providing a consistent UI across multiple
    platforms.... desktop vs. mobile.
    –   What problems would you run into when
        transitioning from Desktop-to-Mobile, or
        Mobile-to-Desktop?
Welcome to UI Hell
Alternative Solutions
●   Manufacturers have not been forthcoming with solutions
    to the inefficient approach to multi-platform support.
    The best you have is:
    –   The Xcode SDK supports streamlined development for both OS X
        and iOS. It's at least in the same language.
    –   Ubuntu and other Linux Mobile variants are leaning more heavily
        toward HTML5 for UI development (with an exposed API for
        gesture support).


●   Third-party providers have been busy trying to solve the
    above and provide an intuitive UI development
    environment for not-well-versed programmers.
Trivia Time!
●   Has anyone used a third-party UI development
    tool/SDK?

●   How do you feel about HTML5, CSS,
    JavaScript... C#?
Third-Party Calling...
●   MoSync SDK: Cross-platform SDK and HTML5 tools for mobile app development.
    –   The Good: Free and open source. A free commercial license that removes support. Supports
        more than a handful of devices.
    –   The Bad: Windows and OS X Only.

●   PhoneGap: Unified UI development via one language: HTML, CSS, JavaScript.
    –   The Good: I've used this to mock up applications before. It exposes device features via an API.
        Examples: Accelerometer, Camera, Compass, Geolocation, File, Notification, Storage. I can get
        this to work on Linux!
    –   The Bad: Eh, it's all web based. Maybe this is ok? It also allows you to do some pretty
        non-standard things that blow off Android/iOS standardization.

●   Mono: Cross-platform, open source .NET development framework.
    –   The Good: If you ever wanted to do .NET dev on a machine other than Windows, this was your
        calling. Mono offers MonoTouch (now Xamarin.iOS) for iOS and Mono for Android (now
        Xamarin.Android) for Android.
    –   The Bad: There are two separate SDKs for supporting iOS and Android. You have to purchase
        licenses to use these. You really have to <3 C# to make this transition. However, the added perk
        of native code is speed and efficiency.
Transition
UI consistency is hard to achieve, but it is a warranted task.
Perhaps more painful is achieving UI consistency while
maintaining appropriate security design. Note: this is just
an introduction to Android security.
Android Security Model
600.250 User Interfaces and Mobile Applications
Michael Rushanan
Why Talk Security?
This is a UI and Mobile Development class, right? Why do
we care about security?

–   Whether it's event driven, or a simple deterministic shell script –
    you should always include security in your design!

–   When introducing principles of security into any application,
    there is often a trade-off between security and usability. Why
    do you think that is?

–   Can you think of some Android specific security considerations
    when implementing your application?
    ●   Hint: Storage (external/internal), Content Providers, Networking, Input
        Validation, WebView, Interprocess Communication.
Core Security Features
The “things you don't have to worry about because they're already
handled.”

–   Android Application Sandbox.
    ●   Isolates data and code from other apps.

–   Encrypted Filesystem.

–   Application framework that provides secure functionality.
    ●   Cryptography (never ever invent your own).
    ●   Application Specific Permissions.
    ●   Secure Interprocess Communication (IPC).

–   Granular Multi-layered Permissions.
    ●   Application-defined.
    ●   User-granted (don't rely on the user).
Storage
●   Is the data I store on the device accessible to
    other applications?




     –   Context.MODE_WORLD_READABLE/WRITEABLE


●   No, and for good reason. Should Fruit Ninja have
    access to your ToDo list? Why?
●   What about physical theft?
External Storage
●   When and why would you use External
    Storage?
External Storage
●   Music/ - Media scanner classifies all media found here as user music.
●   Podcasts/ - Media scanner classifies all media found here as a podcast.
●   Ringtones/ - Media scanner classifies all media found here as a ringtone.
●   Alarms/ - Media scanner classifies all media found here as an alarm sound.
●   Notifications/ - Media scanner classifies all media found here as a
    notification sound.
●   Pictures/ - All photos (excluding those taken with the camera).
●   Movies/ - All movies (excluding those taken with the camcorder).
●   Download/ - Miscellaneous downloads.
    Oh... and caching too!

Shamelessly stolen from: http://developer.android.com/guide/topics/data/data-storage.html#filesInternal
Content Providers
●   Content providers are useful for offering a
    storage mechanism that can be limited to your
    application, or exported to allow access to
    some set of applications.



●   Input validation. Why should we validate input
    from an untrusted application?
●   What about an untrusted user? ;)
Final Note on Input Validation
●   Android already has query methods that
    manage input validation for you... hence doing
    RAW QUERIES is bad. No, doing your own
    input validation does not make it better.
    –   query()
    –   update()
    –   delete()

    Come on, what could go wrong? SQL Injection (we're interested in
    this), buffer overflows, use after free, and off-by-one errors (these
    last few are native code implementation errors that have bad
    consequences).
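
Added example, not from the original slides: the raw query this slide warns against, next to query(), update() and delete() with bound arguments, for the ToDo app the deck uses as its running example. The ToDoStore class, the todo table and its column names are assumptions made for the illustration.

```java
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;

// Hypothetical storage class for a ToDo app (names are illustrative).
public class ToDoStore extends SQLiteOpenHelper {
    private static final String TABLE = "todo";
    private static final String[] COLUMNS = {"_id", "title", "done"};

    public ToDoStore(Context context) {
        super(context, "todo.db", null, 1);
    }

    @Override
    public void onCreate(SQLiteDatabase db) {
        db.execSQL("CREATE TABLE todo (_id INTEGER PRIMARY KEY, owner TEXT NOT NULL, "
                + "title TEXT NOT NULL, done INTEGER NOT NULL DEFAULT 0)");
    }

    @Override
    public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
        // Only one schema version exists in this example.
    }

    // BEFORE: raw query built by string concatenation. An owner value that
    // contains a single quote ends the string literal early, and whatever
    // follows it is parsed as SQL instead of being compared as data.
    public Cursor findByOwnerRaw(String owner) {
        return getReadableDatabase().rawQuery(
                "SELECT _id, title, done FROM todo WHERE owner = '" + owner + "'", null);
    }

    // AFTER: the selection is a fixed string with a ? placeholder and the
    // untrusted value travels in selectionArgs, so it is bound as a value
    // and never becomes part of the SQL text.
    public Cursor findByOwner(String owner) {
        return getReadableDatabase().query(TABLE, COLUMNS,
                "owner = ?", new String[] {owner},
                null, null, "_id ASC");
    }

    // update() and delete() take the same placeholder/argument pair.
    public int markDone(String owner, long id) {
        ContentValues values = new ContentValues();
        values.put("done", 1);
        return getWritableDatabase().update(TABLE, values,
                "owner = ? AND _id = ?", new String[] {owner, String.valueOf(id)});
    }

    public int deleteDone(String owner) {
        return getWritableDatabase().delete(TABLE,
                "owner = ? AND done = 1", new String[] {owner});
    }
}
```

The protection comes from the placeholders, not from the method name: a selection string assembled from caller input and passed to query() is as exposed as the raw query. In an exported content provider, keep the selection text fixed in your own code and accept only the argument values from the caller.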
Permissions
ToDo Permissions
●    What permissions should your ToDo app
     have?
    –   READ_SMS: Allows an application to read SMS messages.
    –   NFC: Allows applications to perform I/O operations over NFC.
    –   CAMERA: Required to be able to access the camera device.
    –   CALL_PHONE: Allows an application to initiate a phone call without going through the
        Dialer user interface for the user to confirm the call being placed.
    –   BRICK: Required to be able to disable the device (very dangerous!).
    –   BLUETOOTH: Allows applications to connect to paired bluetooth devices.
    –   SEND_SMS: Allows an application to send SMS messages.
    –   SET_ALARM: Allows an application to broadcast an Intent to set an alarm for the user.
    –   VIBRATE: Allows access to the vibrator.
    –   FORCE_BACK: Allows an application to force a BACK operation on whatever is the top activity.
    –   READ_CALL_LOG: Allows an application to read the user's call log.
    –   WRITE_SMS: Allows an application to write SMS messages.
Networking
●   IP Networking – your data is only as secure
    as the protocol that you use.




●   Encrypted socket-level communication can be easily
    implemented using the SSLSocket class. In a game
    app, why would you want to use the SSLSocket class?
Networking
●   SMS is not secure. There has been work in
    academia to encrypt the contents of SMS, but
    the constraint on such implementations is the
    allowable size of SMS.

●   Google recommends the use of Google Cloud
    Messaging (GCM) and IP networking for
    sending data messages.
WebView
●   WebView consumes web content, and that includes malformed
    JavaScript. Thus, common web security issues such as
    cross-site scripting can occur.

●   We can turn JS off by not calling setJavaScriptEnabled().

●   Android provides addJavascriptInterface() so that JS can
    directly interface with some set of your Android methods. If
    you allow a general WebView to enable such functionality,
    malicious JS could do what it pleases with your methods.
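
Added example, not from the original slides: two WebView configurations side by side, one for arbitrary web content with JavaScript left off and no bridge, and one for a page bundled in the APK that gets a deliberately narrow bridge. HelpActivity, ToDoBridge, the "todo" interface name and the asset path are assumed names.

```java
import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

// Hypothetical activity for the ToDo app (names are illustrative).
public class HelpActivity extends Activity {
    // Assumed location of a help page shipped inside the APK.
    private static final String TRUSTED_PAGE = "file:///android_asset/help.html";

    /** The only object that page script can reach. Keep it small and read-only. */
    public static final class ToDoBridge {
        private final int openItems;

        ToDoBridge(int openItems) {
            this.openItems = openItems;
        }

        // Visible to JavaScript as todo.openItemCount().
        @JavascriptInterface
        public int openItemCount() {
            return openItems;
        }

        // No annotation: on API 17 and later this method is not callable from JS.
        public int internalRevision() {
            return 1;
        }
    }

    /** For content you do not control: no script, no bridge. */
    static WebView newUntrustedContentView(Context context) {
        WebView view = new WebView(context);
        // JavaScript is disabled by default; stating it makes the intent reviewable.
        view.getSettings().setJavaScriptEnabled(false);
        return view;
    }

    /** For the bundled page only: script plus one narrow bridge object. */
    static WebView newBundledHelpView(Context context, int openItems) {
        WebView view = new WebView(context);
        view.getSettings().setJavaScriptEnabled(true);
        view.addJavascriptInterface(new ToDoBridge(openItems), "todo");
        view.setWebViewClient(new WebViewClient() {
            // API 24+ overload; older releases call the (WebView, String) overload.
            @Override
            public boolean shouldOverrideUrlLoading(WebView v, WebResourceRequest request) {
                // Returning true cancels the load, so this view never navigates
                // to a page other than the bundled one while the bridge is attached.
                return !TRUSTED_PAGE.equals(request.getUrl().toString());
            }
        });
        view.loadUrl(TRUSTED_PAGE);
        return view;
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(newBundledHelpView(this, 3)); // 3 is a constructed sample value
    }
}
```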
Cryptography
●   We've already seen an example with SSLSocket and
    HttpsURLConnection.

●   The take-away here is always the same, “Don't invent your
    own cryptographic methods/ciphers/whatever.”

●   There is a Cipher class in Android that provides the
    appropriate methods for symmetric and asymmetric
    encryption.

●   There is a secure random number generator in Android,
    SecureRandom. Please don't use a seeded random
    method instead.
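
Added example, not from the original slides: the platform Cipher class used for authenticated symmetric encryption with a SecureRandom nonce, plus a check showing why a seeded generator is the wrong source for keys or nonces. The NoteCrypto class, the choice of AES-GCM and the sample plaintext are assumptions; the code uses only java.security and javax.crypto, so it also runs on a desktop JVM.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

// Hypothetical helper for encrypting a ToDo note (names are illustrative).
public class NoteCrypto {
    private static final int IV_BYTES = 12;   // GCM nonce length
    private static final int TAG_BITS = 128;  // GCM authentication tag length
    private static final SecureRandom RNG = new SecureRandom(); // not seeded by us

    public static SecretKey newKey() throws GeneralSecurityException {
        KeyGenerator generator = KeyGenerator.getInstance("AES");
        generator.init(256, RNG);
        return generator.generateKey();
    }

    /** Returns nonce || ciphertext || tag. A fresh nonce is drawn for every call. */
    public static byte[] encrypt(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] sealed = cipher.doFinal(plaintext);
        return ByteBuffer.allocate(iv.length + sealed.length).put(iv).put(sealed).array();
    }

    /** Throws a GeneralSecurityException if the blob was modified or the key is wrong. */
    public static byte[] decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        return cipher.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
    }

    /** What the slide warns against: a seeded generator replays the same bytes. */
    static byte[] seededBytes(long seed) {
        byte[] out = new byte[IV_BYTES];
        new Random(seed).nextBytes(out);
        return out;
    }

    static boolean tamperIsRejected(SecretKey key, byte[] blob) {
        byte[] copy = blob.clone();
        copy[copy.length - 1] ^= 0x01; // flip one bit of the tag
        try {
            decrypt(key, copy);
            return false;
        } catch (GeneralSecurityException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = newKey();
        byte[] note = "buy milk".getBytes(StandardCharsets.UTF_8); // constructed sample
        byte[] first = encrypt(key, note);
        byte[] second = encrypt(key, note);

        System.out.println("round trip ok:        "
                + Arrays.equals(note, decrypt(key, first)));
        System.out.println("same note, new bytes: " + !Arrays.equals(first, second));
        System.out.println("tamper rejected:      " + tamperIsRejected(key, first));
        System.out.println("seeded output repeats: "
                + Arrays.equals(seededBytes(42L), seededBytes(42L)));
    }
}
```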
Interprocess Communication
●   Intents are the preferred mechanism for asynchronous IPC in Android.
    –   sendBroadcast()
    –   sendOrderedBroadcast()

●   You can apply access permissions to broadcast intents so only certain applications
    can register to see the intents. If you're doing this, you might just consider invoking the
    receiver directly.
    –   android:exported
        ●   Allow use of IPC by other apps.

    –   android:protectionLevel
        ●   Characterizes the potential risk implied in the permission and indicates the procedure the system should follow
            when determining whether or not to grant permission to requester.
             –   “normal” = default low risk, requests isolated application features.
             –   “dangerous” = high-risk, requests private user data or control.
             –   “signature” = granted only if the requesting application is signed with the same certificate as the application that declared the
                 permission.
             –   “signatureOrSystem” = system grants only to applications that are in the Android system image or as above.

    –   android:permission
        ●   Applications will need to declare a corresponding <uses-permission> element in their manifest to start, stop, or
            bind to the service.
Everything Else
●   Dynamically Loading Code.
    –   Loading code from outside the APK is discouraged. That's why libraries get bundled in the
        APK.

●   Security in a Virtual Machine.
    –   Dalvik is Android's runtime virtual machine.
    –   This provides an application sandbox in which to run applications. If you're interested
        in more about sandboxes, ask me – I have links to some relevant papers (all in the
        Android world if you like).

●   Security in Native Code.
    –   Google encourages development with the SDK. However, you can use the NDK to
        write more complex code for runtime efficiency and performance.
    –   Native code tends to be problematic because bugs lead to root level compromises
        (buffer overflows).
    –   Native code written for an application is SANDBOXED. Just because it's native,
        doesn't mean that it escapes the model. However, it also makes it easier to escape
        the sandbox with buggy/insecure native code.

Weitere ähnliche Inhalte

Was ist angesagt?

Introduction to iOS Apps Development
Introduction to iOS Apps DevelopmentIntroduction to iOS Apps Development
Introduction to iOS Apps Development
Prof. Erwin Globio
 
B feigin mobileapplicationdevelopment
B feigin mobileapplicationdevelopmentB feigin mobileapplicationdevelopment
B feigin mobileapplicationdevelopment
sathesh leo
 
Droidcon2013 miracast final2
Droidcon2013 miracast final2Droidcon2013 miracast final2
Droidcon2013 miracast final2
Droidcon Berlin
 
Mobile operating system..
Mobile operating system..Mobile operating system..
Mobile operating system..
Aashish Uppal
 
Comparative Study On Mobile Operating Systems
  Comparative Study On Mobile Operating Systems   Comparative Study On Mobile Operating Systems
Comparative Study On Mobile Operating Systems
Hardik Jain
 
Introduction to iOS Development
Introduction to iOS DevelopmentIntroduction to iOS Development
Introduction to iOS Development
Asim Rais Siddiqui
 
Android Meetup, Илья Лёвин
Android Meetup, Илья ЛёвинAndroid Meetup, Илья Лёвин
Android Meetup, Илья Лёвин
GDG Saint Petersburg
 

Was ist angesagt? (20)

Mobile technology
Mobile technologyMobile technology
Mobile technology
 
Android vs Others Operating System
Android vs Others Operating SystemAndroid vs Others Operating System
Android vs Others Operating System
 
Mobile Operating Systems
Mobile Operating SystemsMobile Operating Systems
Mobile Operating Systems
 
Mobile Operating Systems
Mobile Operating SystemsMobile Operating Systems
Mobile Operating Systems
 
Introduction to iOS Apps Development
Introduction to iOS Apps DevelopmentIntroduction to iOS Apps Development
Introduction to iOS Apps Development
 
Ultrabook Development Using Touch - Intel Ultrabook AppLab Berlin
Ultrabook Development Using Touch - Intel Ultrabook AppLab BerlinUltrabook Development Using Touch - Intel Ultrabook AppLab Berlin
Ultrabook Development Using Touch - Intel Ultrabook AppLab Berlin
 
MSR iOS Tranining
MSR iOS TraniningMSR iOS Tranining
MSR iOS Tranining
 
Android os(comparison all other mobile os)
Android os(comparison all other mobile os)Android os(comparison all other mobile os)
Android os(comparison all other mobile os)
 
B feigin mobileapplicationdevelopment
B feigin mobileapplicationdevelopmentB feigin mobileapplicationdevelopment
B feigin mobileapplicationdevelopment
 
Droidcon2013 miracast final2
Droidcon2013 miracast final2Droidcon2013 miracast final2
Droidcon2013 miracast final2
 
Mobile operating system..
Mobile operating system..Mobile operating system..
Mobile operating system..
 
from Realtime Operating systems to unlocking iPhones in less than 30 slides
from Realtime Operating systems to unlocking iPhones in less than 30 slidesfrom Realtime Operating systems to unlocking iPhones in less than 30 slides
from Realtime Operating systems to unlocking iPhones in less than 30 slides
 
Symbian OS
Symbian  OS Symbian  OS
Symbian OS
 
Comparative Study On Mobile Operating Systems
  Comparative Study On Mobile Operating Systems   Comparative Study On Mobile Operating Systems
Comparative Study On Mobile Operating Systems
 
Mobile operating systems
Mobile operating systemsMobile operating systems
Mobile operating systems
 
Operating Systems in Mobile Phones
Operating Systems in Mobile PhonesOperating Systems in Mobile Phones
Operating Systems in Mobile Phones
 
Introduction to iOS Development
Introduction to iOS DevelopmentIntroduction to iOS Development
Introduction to iOS Development
 
Android Meetup, Илья Лёвин
Android Meetup, Илья ЛёвинAndroid Meetup, Илья Лёвин
Android Meetup, Илья Лёвин
 
MeeGo Presentation
MeeGo PresentationMeeGo Presentation
MeeGo Presentation
 
Seminar on mobile os
Seminar on mobile osSeminar on mobile os
Seminar on mobile os
 

Ähnlich wie 600.250 UI Cross Platform Development and the Android Security Model

Extending softwareintomobile 11 28-2012
Extending softwareintomobile 11 28-2012Extending softwareintomobile 11 28-2012
Extending softwareintomobile 11 28-2012
CorSource
 
Ch1 hello, android
Ch1 hello, androidCh1 hello, android
Ch1 hello, android
Jehad2012
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
Shubhneet Goel
 
A Taste of Java ME
A Taste of Java MEA Taste of Java ME
A Taste of Java ME
wiradikusuma
 

Ähnlich wie 600.250 UI Cross Platform Development and the Android Security Model (20)

Extending softwareintomobile 11 28-2012
Extending softwareintomobile 11 28-2012Extending softwareintomobile 11 28-2012
Extending softwareintomobile 11 28-2012
 
Android
AndroidAndroid
Android
 
Android Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdfAndroid Seminar BY Suleman Khan.pdf
Android Seminar BY Suleman Khan.pdf
 
Android ppt
Android ppt Android ppt
Android ppt
 
Android Applications
Android ApplicationsAndroid Applications
Android Applications
 
Android ppt
Android pptAndroid ppt
Android ppt
 
Mobile Application Development powerpoint
Mobile Application Development powerpointMobile Application Development powerpoint
Mobile Application Development powerpoint
 
Android 130923124440-phpapp01
Android 130923124440-phpapp01Android 130923124440-phpapp01
Android 130923124440-phpapp01
 
Ch1 hello, android
Ch1 hello, androidCh1 hello, android
Ch1 hello, android
 
SynapseIndia mobile build apps management
SynapseIndia mobile build apps managementSynapseIndia mobile build apps management
SynapseIndia mobile build apps management
 
Mobile application security
Mobile application securityMobile application security
Mobile application security
 
Mobile Application Security
Mobile Application SecurityMobile Application Security
Mobile Application Security
 
Android
AndroidAndroid
Android
 
Android platform
Android platform Android platform
Android platform
 
A Taste of Java ME
A Taste of Java MEA Taste of Java ME
A Taste of Java ME
 
Android architecture
Android architectureAndroid architecture
Android architecture
 
Demystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART IDemystifying the Mobile Container - PART I
Demystifying the Mobile Container - PART I
 
Android report
Android reportAndroid report
Android report
 
Basic of Android App Development
Basic of Android App DevelopmentBasic of Android App Development
Basic of Android App Development
 
Mobile Application Development
Mobile Application DevelopmentMobile Application Development
Mobile Application Development
 

Mehr von Michael Rushanan

Mehr von Michael Rushanan (6)

Security and Privacy in Implantable Medical Devices
Security and Privacy in Implantable Medical DevicesSecurity and Privacy in Implantable Medical Devices
Security and Privacy in Implantable Medical Devices
 
Versatile Low Power Media Access for Wireless Sensor Networks
Versatile Low Power Media Access for Wireless Sensor NetworksVersatile Low Power Media Access for Wireless Sensor Networks
Versatile Low Power Media Access for Wireless Sensor Networks
 
Reading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
Reading Group Presentation: Web Attacks on Host-Proof Encrypted StorageReading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
Reading Group Presentation: Web Attacks on Host-Proof Encrypted Storage
 
Reading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of ProcrastinationReading Group Presentation: The Power of Procrastination
Reading Group Presentation: The Power of Procrastination
 
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecuritySpecial Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
 
Reading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love AndroidReading Group Presentation: Why Eve and Mallory Love Android
Reading Group Presentation: Why Eve and Mallory Love Android
 

Kürzlich hochgeladen

Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
kauryashika82
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
QucHHunhnh
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
negromaestrong
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
PECB
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 

Kürzlich hochgeladen (20)

Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in DelhiRussian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric  nursing HISTORY  COLLECTION  .docxpsychiatric  nursing HISTORY  COLLECTION  .docx
psychiatric nursing HISTORY COLLECTION .docx
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across Sectors
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Unit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptxUnit-IV; Professional Sales Representative (PSR).pptx
Unit-IV; Professional Sales Representative (PSR).pptx
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
PROCESS RECORDING FORMAT.docx
PROCESS      RECORDING        FORMAT.docxPROCESS      RECORDING        FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi  6.pdf1029-Danh muc Sach Giao Khoa khoi  6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 

600.250 UI Cross Platform Development and the Android Security Model

  • 1. Cross-Platform UI Development 600.250 User Interfaces and Mobile Applications Michael Rushanan
  • 2. Problems ● Providing a consistent UI across multiple platforms. – Most common/inefficient solution: implement UI individually for each platform. ● Number of platforms, at least in mobile, is increasing: – Ubuntu Touch – Android – IOS – Tizen – Moblin – MeeGo – Symbian – Windows 8 Phone – BlackBerry
  • 3. Trivia Time! ● How many of you have heard of Tizen, Bada, Moblin, or MeeGo? ● Can anyone share an experience developing something event-driven (another mobile app maybe) while contrasting it with Android development so far? ● How do you mock up UI designs?
  • 4. More Problems ● Providing a consistent UI across multiple platforms.... desktop vs. mobile. – What problems would you run into when transitioning from Desktop-to-Mobile, or Mobile-to-Desktop?
  • 6. Alternative Solutions ● Manufacturers have not been forthcoming with solutions in which to handle the inefficient approach to multi-platform support. The best you have is: – Xcode SDK supports streamlined development for both OS X and IOS development. It's at least in the same language. – Ubuntu and other Linux Mobile variants are leaning more heavily toward HTML5 for UI development (with an exposed API for gesture support). ● Third-party providers have been busy trying to solve the above and provide an intuitive UI development environment for not-well-versed programmers.
  • 7. Trivia Time! ● Has anyone used a third-party UI development tool/SDK? ● How do you feel about HTML5, CSS, JavaScript... C#?
  • 8. Third-Party Calling... ● MoSync SDK: Cross-platform SDK and HTML5 tools for mobile app development. – The Good: Free and open source. A free commercial license that removes support. Supports more than a handful of devices. – The Bad: Windows and OS X Only. ● PhoneGap: Unified UI development via one language: HTML, CSS, JavaScript. – The Good: I've used this to mock up applications before. It exposes device features via an API. Examples: Accelerometer, Camera, Compass, Geolocation, File, Notification, Storage. I can get this to work on Linux! – The Bad: Eh, it's all web based. Maybe this is ok? It also allows you to do some pretty non-standard things that blow off Android/IOS standardization. ● Mono: Cross platform, open source .NET development framework. – The Good: If you ever wanted to do .NET dev on a machine other than Windows, this was your calling. Mono offers MonoTouch (now Xamarin.iOS) for iOS and Mono (now Xamarin.Android) for Android. – The Bad: There are two separate SDKs for supporting iOS and Android. You have to purchase licenses to use these. You really have to <3 C# to make this transition However, the added perk of native code is speed and efficiency.
  • 9. Transition UI consistency is hard to achieve, but a warranted task. Perhaps more painful, is achieving UI consistency while maintaining appropriate security design. Note: this is just an introduction to Android security.
  • 10. Android Security Model 600.250 User Interfaces and Mobile Applications Michael Rushanan
  • 11. Why Talk Security? This is a UI and Mobile Development class, right? Why do we care about security? – Whether it's event driven, or a simple deterministic shell script – you should always include security in your design! – When introducing principles of security into any application, there is often a trade-off between security and usability? Why do you think that is? – Can you think of some Android specific security considerations when implementing your application? ● Hint: Storage (external/internal), Content Providers, Networking, Input Validation, WebView, Interprocess Communication.
  • 12. Core Security Features The, “things you don't have to worry about because it's already handled.” – Android Application Sandbox. ● Isolates data and code from other apps. – Encrypted Filesystem. – Application framework that provides secure functionality. ● Cryptography (never ever invent your own). ● Application Specific Permissions. ● Secure Interprocess Communication (IPC). – Granular Multi-layered Permissions. ● Application-defined. ● User-granted (don't rely on the user).
  • 13. Storage ● Is the data I store on the device accessible to other applications? – Context.MODE_WORLD_READABLE/WRITEABLE ● No, and for good reason. Should Fruit Ninja have access to your ToDo list? Why? ● What about physical theft?
  • 14. External Storage ● When and why would you use External Storage?
  • 15. External Storage ● Music/ - Media scanner classifies all media found here as user music. ● Podcasts/ - Media scanner classifies all media found here as a podcast. ● Ringtones/ - Media scanner classifies all media found here as a ringtone. ● Alarms/ - Media scanner classifies all media found here as an alarm sound. ● Notifications/ - Media scanner classifies all media found here as a notification sound. ● Pictures/ - All photos (excluding those taken with the camera). ● Movies/ - All movies (excluding those taken with the camcorder). ● Download/ - Miscellaneous downloads. Oh... and caching too! Shamelessly stolen from: http://developer.android.com/guide/topics/data/data-storage.html#filesInternal
  • 16. Content Providers ● Content providers are useful for offering a storage mechanism that can be limited to your application, or exported to allow access to some set of applications. ● Input validation. Why should we validate input from an untrusted application? ● What about an untrusted user? ;)
  • 17. Final Note on Input Validation ● Android already has query methods that manage input validation for you... hence doing RAW QUERIES is bad. No, doing you own input validation does not make it better. – query() – update() – delete() Come on, what could go wrong? SQL Injection (we're interested in this), buffer overflows, use after free, and off-by-one errors (these last few are native code implementation errors that have bad consequences).
  • 19. ToDo Permissions
    ● What permissions should your ToDo app have?
      – String READ_SMS: Allows an application to read SMS messages.
      – String NFC: Allows applications to perform I/O operations over NFC.
      – String CAMERA: Required to be able to access the camera device.
      – String CALL_PHONE: Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.
      – String BRICK: Required to be able to disable the device (very dangerous!).
      – String BLUETOOTH: Allows applications to connect to paired bluetooth devices.
      – String SET_ALARM: Allows an application to broadcast an Intent to set an alarm for the user.
      – String VIBRATE: Allows access to the vibrator.
      – String SEND_SMS: Allows an application to send SMS messages.
      – String FORCE_BACK: Allows an application to force a BACK operation on whatever is the top activity.
      – String READ_CALL_LOG: Allows an application to read the user's call log.
      – String WRITE_SMS: Allows an application to write SMS messages.
  • 20. Networking ● IP Networking – your data is only as secure as the protocol that you use. ● Encrypted socket-level communication can be easily implemented using the SSLSocket class. In a game app, why would you want to use the SSLSocket class?
  • 21. Networking ● SMS is not secure. There has been work in academia to encrypt the contents of SMS, but the constraint on such implementations is the allowable size of SMS. ● Google recommends the use of Google Cloud Messaging (GCM) and IP networking for sending data messages.
  • 22. WebView ● WebView consumes web content, and that includes malformed JavaScript. Thus, common web security issues such as cross-site scripting can occur. ● We can turn JS off by not calling setJavaScriptEnabled(). ● Android provides addJavascriptInterface() so that JS can directly interface with some set of your Android methods. If you allow a general WebView to enable such functionality, a malicious JS could do what it pleases with your methods.
  • 23. Cryptography ● We've already seen an example with SSLSocket and HttpsURLConnection. ● The take-away here is always the same, “Don't invent your own cryptographic methods/ciphers/whatever.” ● There is a Cipher class in Android that provides the appropriate methods for symmetric and asymmetric encryption. ● There is a secure random number generator in Android, SecureRandom. Please don't use a seeded random method instead.
  • 24. Interprocess Communication
    ● Intents are the preferred mechanisms for asynchronous IPC in Android.
      – sendBroadcast()
      – sendOrderedBroadcast()
    ● You can apply access permissions to broadcasted intents so only certain applications can register to see the intents. If you're doing this, you might just consider invoking the receiver directly.
      – android:exported
        ● Allow use of IPC by other apps.
      – android:protectionLevel
        ● Characterizes the potential risk implied in the permission and indicates the procedure the system should follow when determining whether or not to grant permission to requester.
          – “normal” = default low risk, requests isolated application features.
          – “dangerous” = high-risk, requests private user data or control.
          – “signature” = granted only if the requesting application is signed with the same certificate as the application that declared the permission.
          – “signatureOrSystem” = system grants only to applications that are in the Android system image or as above.
      – android:permission
        ● Applications will need to declare a corresponding <uses-permission> element in their manifest to start, stop, or bind service.
  • 25. Everything Else
    ● Dynamically Loading Code.
      – Loading code from outside the APK is discouraged. That's why libraries get bundled in the APK.
    ● Security in a Virtual Machine.
      – Dalvik is Android's runtime virtual machine.
      – This provides an application sandbox in which to run applications. If you're interested in more about sandboxes, ask me – I have links to some relevant papers (all in the Android world if you like).
    ● Security in Native Code.
      – Google encourages development with the SDK. However, you can use the NDK to write more complex code for runtime efficiency and performance.
      – Native code tends to be problematic because bugs lead to root level compromises (buffer overflows).
      – Native code written for an application is SANDBOXED. Just because it's native, doesn't mean that it escapes the model. However, buggy/insecure native code also makes it easier to escape the sandbox.
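The raw-query warning on the "Final Note on Input Validation" slide, as an added example that is not part of the original slides: a hypothetical `TodoStore` class for the ToDo app (database, table and column names are assumptions) with a concatenated `rawQuery()` beside `query()`, `update()` and `delete()` using bound `?` arguments.

```java
import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;

// Hypothetical storage class for the ToDo app; all names here are assumptions.
public class TodoStore extends SQLiteOpenHelper {
    public TodoStore(Context context) { super(context, "todo.db", null, 1); }

    @Override
    public void onCreate(SQLiteDatabase db) {
        db.execSQL("CREATE TABLE todo (_id INTEGER PRIMARY KEY, owner TEXT NOT NULL, title TEXT NOT NULL)");
    }

    @Override
    public void onUpgrade(SQLiteDatabase db, int oldV, int newV) { /* single schema version */ }

    // BAD: caller-supplied text is spliced into the SQL string, so a quote
    // character in `owner` changes the structure of the statement.
    public Cursor findByOwnerRaw(String owner) {
        return getReadableDatabase().rawQuery(
                "SELECT _id, title FROM todo WHERE owner = '" + owner + "'", null);
    }

    // GOOD: the statement has a fixed shape; `owner` is bound to the ? placeholder
    // as a value and is never parsed as SQL.
    public Cursor findByOwner(String owner) {
        return getReadableDatabase().query(
                "todo", new String[] {"_id", "title"},
                "owner = ?", new String[] {owner},
                null, null, "_id ASC");
    }

    // update() and delete() take the same where-clause plus bound-argument pair.
    public int rename(long id, String owner, String newTitle) {
        ContentValues values = new ContentValues();
        values.put("title", newTitle);
        return getWritableDatabase().update(
                "todo", values, "_id = ? AND owner = ?", new String[] {String.valueOf(id), owner});
    }

    public int remove(long id, String owner) {
        return getWritableDatabase().delete(
                "todo", "_id = ? AND owner = ?", new String[] {String.valueOf(id), owner});
    }
}
```

The protection comes from the `?` placeholders and the argument array: concatenating input into the selection string passed to `query()` is as injectable as the raw query.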