android introduction - usalearning · pdf fileandroid introduction . ... smartphones, tablets,...
TRANSCRIPT
Android Introduction
Table of Contents
Google Android Platform -1 ............................................................................................................ 2
Google Android Platform -2 ............................................................................................................ 4
Google Android Platform -3 ............................................................................................................ 8
Notices .......................................................................................................................................... 12
Page 1 of 12
Google Android Platform -1
14
Google Android Platform -1
Open source platform maintained by Google• Built on Linux kernel• Controls access to all device resources• Not hardware specific
— Smartphones, tablets, multimedia set-top boxes, and personal computers
Android Applications (apps)• Native apps
— Dependent on native libraries• 3rd Party apps
— Mostly written in Java— Execute within virtual machine
• All apps run in Android Sandbox
**014 So, let's discuss in depth the Google Android platform. It's an open source platform maintained by Google. It's built on a Linux kernel. If you were to see the kernel, it wouldn't look like most other Linux kernels. So they've customized this Linux kernel. Actually, the company they purchased that actually invented Android customized the kernel. But it's now Google's. They control access to all device resources. It is not hardware-specific. It can be run on smartphones, tablets, multimedia set-top boxes, personal computers. You don't see it very often on computers, but there are Google TVs out there. I can buy a Google TV
Page 2 of 12
that's running the Android operating system. Now, they've done some customization to it, but not as much as you would think they would need to do to get it running on a TV. Android applications: The native apps are dependent on the native libraries. This chart actually shows the features of each section. So we can see the display driver is part of the Linux kernel. Same with the Wi-Fi driver and all the other drivers. This section is read-only by default. So you're not able to write-- or you're not supposed to be able to write-- to this section. Then we have the libraries built on top of the kernels. The libraries are what are supposed to be used for the apps to actually run on the platform. Most third-party apps are actually written in Java. This is why-- this is one of the reasons Oracle has been in the process of suing Google for the last-- forever-- the last couple of years. Oracle says, "You're using our patents illegally. You haven't paid us to use our patents. We have this technology patented. You can't use this without paying us royalties." And Google said, "No, we came up with our own custom Java kernel, or Java platform, and we're not using your patents." It's finally going to court. So finally the court is going to decide whether Google is using these patents inappropriately or not, and if they are, then they're going to owe Oracle money. We'll see. That's up in the air.
Page 3 of 12
All apps run in Android Sandbox, and we'll discuss what this Sandbox does in a second.
Google Android Platform -2
15
Google Android Platform -2
Android Applications (apps)• App data is written to dedicated section of the file system• Can be developed by anyone using the Android SDK • Can be installed from multiple sources
— Android Market is the most popular and maintains access to over 450,000 apps.
• Disadvantage:— Open source code model allows malware to be distributed freely and
undermine default security posture of device.
**015 App data is written to dedicated sections of the file system. So there's only certain areas where these applications are actually able to be written. Again, we want to keep the kernel and the libraries as apart from the virtual area-- slash, the applications-- as we can. We want there to be too big of a gap for the application to jump over, if we think in physical terms. Anybody can develop an app using the Android SDK. You can go online to Google, type in Android SDK, and you'll be
Page 4 of 12
taken right to the developer site where you can download both the virtual environment and whichever version of the operating system you want to. They have everything up through ICS in there. So if you want to develop for ICS, you can do it for free. You just have to pay an upload fee to Google if you actually want the app to run in the marketplace. So you can develop all you want; it's only when you try to sell it or give it away in the marketplace that you actually have to pay the fee to Google. You can install software from multiple sources. So the Android Market itself has over 450 thousand apps, and this is as of December/January timeframe of 2011. Or December 2011 to January 2012. If they're not at 500 thousand apps at this point, they're really close to 500 thousand. The app ecosystem has been increasing pretty rapidly. So they've been putting a lot of resources into catching up with the Apple marketplace, because Apple had a couple years' basically head-start on Google. However, the disadvantage of this is that the software is open source, which means that anybody can get access to the source code. Now, open source proponents will argue, "Well, with more people having access to the source code, that means there's more eyes on the source code, so there's more chance of bugs being found." And this argument goes back probably since the first computer was created. But
Page 5 of 12
at least when Windows and Linux were, in the '90s, having their-- or the fanboys-- were having their war: What's better, Windows or Linux? And the open source people said, "Linux is better because I can see the source code and I can see exactly what the operating system is doing." Windows proponents said, "Windows is better because the operating system is proprietary so bad people can't find out what the source code is doing." But the proprietary source code was still leaked, and the bad people were still able to get the source code, and they were still able to look at it. However many people are looking at it, there's going to be bugs. It's software. There's so many millions of lines of codes, there's going to be bugs. There's never been a perfect piece of code written, and there probably never will be a perfect piece of code written. That's why there's constant firmware upgrades. As well as adding features, these address bugs that were found on the operating system, whether by Google or by other people that notified Google that these bugs were here. In order to use the Android trademark-- so even though the software is open source, you can't use Android unless you agree to Google's definition document. There's a compatibility definition document that Google has that says, "You must have these features to be able to call your phone an Android device." And it's about 100 pages
Page 6 of 12
long, and it's on their website-- the Android SDK website. But it's stuff like you have to have an email client. You have to-- or you have to either use Google's email client or you have to have an equivalent email client. You have to have Calendar. You've got to be able to do this. You've got to be able to do this. So using that-- and most people want to use the Android trademark, because they want to be able to say, "This is an Android phone." I don't know many phones out there that are using the Google operating system without complying with the Android definition document, because the trademark is what people know. When somebody goes to the store, they don't go, "I'm going to buy the latest operating system running this operating system." They go, "I want to buy a Google phone," or, "I want to buy an Android phone." And if it doesn't conform with the definition document, the compatibility document, they can't say that it's a Google Android phone.
Page 7 of 12
Google Android Platform -3
16
Google Android Platform -3
NSA collaborated with Google to create a secure kernel that allows Android to be cleared for classified communications.
• The NSA developed a "hardened" kernel so Android can pass all the necessary security measures to be an option for government use.
• Not supported on all devices
**016 So, along with having the ability or releasing the ability or working on the ability to have secure communication, NSA actually collaborated with Google to create a secure kernel that allows the Android to be cleared for classified communication. So the Dell Streak was not in conjunction with NSA, but Dell worked with Google to make sure that their device was DISA- approved. Well, at the same time Dell was working with DISA to get DoD approval, NSA was working on their own kernel.
Page 8 of 12
The NSA developed a hardened kernel so that Android can pass all the necessary security measures to be an option for government use. It's not supported on all devices. What it actually does is it replaces the default kernel. So basically you're routing your device and installing a custom kernel on the device so that it meets NSA's security requirements. Sir? Student: Are there any hardware factors required for compliance with these security models? Shawn Fleury: For the NSA version, or just--? Student: Yeah. Well, you said Dell was working with Google, for example. Were they working with them from the perspective of hardware or just from the perspective of software modifications? Shawn Fleury: They were working primarily on the DISA side. So they looked at the DISA STIG and said, "Okay, what requirements are part of the DISA STIG," and, by default, Google already meets these five requirements. So, "Using hardware and software at that point, how can we make it so that it meets the rest of the requirements?" Mostly it's going to be software-based, but I wouldn't-- I haven't seen the internals of the Streak. I wouldn't be surprised if there is some custom hardware in there allowing-- like encryption. The version of-- actually, the Streak is running 3.0. So the 3.0
Page 9 of 12
was part of it. So mostly it's going to be a software adjustment that they've done. Student: So is there any reason to believe or not believe that Google will then be taking this knowledge and rolling it into kernels in the future? Shawn Fleury: That's probably-- it's up to their agreement with both the NSA and Dell. I would hope, as a consumer, that their agreement allows them to incorporate some of the security features. I wouldn't be surprised if the NSA one does. I would be a little more surprised if the Dell one does, because Dell's in business to make money. So if they can come out with a device that's approved for government use, or DoD use, when no other device is able to-- Android device is able to be used for DoD use, Dell's going to want to keep that as close to the vest as they can, because then they're the sole provider to the DoD. They're the only Android device that can be used for this function. I haven't done the research, so I don't know if the improvements that both the Dell Streak saw to get DoD approval or the NSA kernel upgrade-- the changes they made-- are going to be rolled into the Google operating system. I would hope so. I hate software patents. I know they're a necessary evil. I understand that Google, Microsoft, Apple, RIM, put a lot of money into the software they develop. But the way they're used usually ends up
Page 10 of 12
stifling the creative process. Apple comes up with an improvement, and then all the consumers want that. So Google, Microsoft, RIM have to either pay Apple for the right to use it, or they have to come up with another way to do the exact same thing, or they have to break the patent. And the problem is, the development cycle for these-- Google might have been working on a feature for the last year; Apple releases their phone, and right before they release it, they patent the new software in it. Well, if Google was already working on something in a parallel track and didn't know that Apple was about to release it, what are they supposed to do? Are they supposed to just say, "Do you know what? I'm not going to release this update anymore. I'm going to get rid of it." Probably not. They're going to roll the dice and say, "We're going to release it anyway, and we'll let the patent office decide whether their patent is valid." And that validation process can take years. So Apple releases a phone; they have 10 new things, and they patent those 10 new things. The patent office may come back and say, "Only these four are relevant," but it may take them a year or two to come back and say that. So is Google just supposed to stop all the work they're doing while they wait to find out whether the patent office approves Apple's patents or not? The way Microsoft is getting around this is they're actually going to all the Android manufacturers and coming into
Page 11 of 12
separate licensing agreements with the Android manufacturers. They're saying, "Android's using patents that we own. We will gladly license them to you, but you have to pay us a percentage of each device you sell for X, Y and Z patents." Most of the Android manufacturers have agreed to do this. So for every Android phone that's sold, Microsoft is actually getting a cut of the pie for the patents that they either created or that they currently own.
Notices
NoticesCopyright 2013 Carnegie Mellon University
This material has been approved for public release and unlimited distribution except as restricted below. This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].
This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.
The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.
Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.
NO WARRANTY. THE MATERIAL IS PROVIDED ON AN “AS IS” BASIS, AND CARNEGIE MELLON DISCLAIMS ANY AND ALL WARRANTIES, IMPLIED OR OTHERWISE (INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR A PARTICULAR PURPOSE, RESULTS OBTAINED FROM USE OF THE MATERIAL, MERCHANTABILITY, AND/OR NON-INFRINGEMENT).
CERT® is a registered mark of Carnegie Mellon University..
Page 12 of 12