FROM JAVA TO ANDROID: A SECURITY ANALYSIS

Pragati Ogal Rai, Mobile Technology Evangelist, PayPal (@pragatiogal @PayPalDev)

Uploaded by pragati-ogal-rai on 22-Nov-2014 (52 slides)

DESCRIPTION

Presented at AnDevCon Boston 2013

TRANSCRIPT

Page 1: From java to android  a security analysis

FROM JAVA TO ANDROID: A SECURITY ANALYSIS

Pragati Ogal Rai

Mobile Technology Evangelist, PayPal

@pragatiogal @PayPalDev

Page 2

www.ethos3.com

I'm Curious

• Motorola JUIX Platform
• Motorola Linux Java Platform
• Android

Page 3

Agenda

• Java 2 Security Model
• Android Security Model
• Summary

Page 4

JAVA 2 SECURITY MODEL

Page 5

Java

• Developed by Sun Microsystems in the early 1990s
• Platform independent: write once, run anywhere!
• Compiled to bytecode that runs on a virtual machine
• "Java is Secure"

Page 6

Java 2 Security Model

• Language Security Features
• Platform Security
• Crypto APIs
• Authentication & Access Control APIs
• Secure Communication APIs
• Key Management APIs

Page 7

JDK 1.0 Sandbox Model

• Very restricted model
• Local code is trusted (runs with full privileges)
• Remote code (applets) is not trusted and runs in the sandbox

Page 8

JDK 1.1 Security Model

• Signed applet model
• Trusted (signed) code has privileges
• Untrusted code runs in the sandbox

Page 9

Java 2 Sandbox Model

• Fine-grained access control
• Configurable security policy
• No built-in concept of trusted local code: local and remote code alike get only what the policy grants them

Page 10

Security Policy File Example

    // If the code is signed by "Pragati", grant it read/write access to all files in /tmp/pragati
    grant signedBy "Pragati" {
        permission java.io.FilePermission "/tmp/pragati/*", "read,write";
    };

    // If the code is signed by "John", grant it read/write access to all files in /tmp/john
    grant signedBy "John" {
        permission java.io.FilePermission "/tmp/john/*", "read,write";
    };

    // Grant everyone the following permission:
    grant {
        permission java.io.FilePermission "/tmp/pragati/*", "read";
    };

The signedBy names are aliases in the keystore the policy refers to. Note that "/tmp/pragati/*" matches files directly inside that directory only; "/tmp/pragati/-" would also match subdirectories recursively.

Page 11

Protection Domains

Domain "Pragati": Pragati's certificate; read/write access to /tmp/pragati/*

Domain "John": John's certificate; read/write access to /tmp/john/*; read access to /tmp/pragati/*

…

Protection Domain = Code Source + Permissions

Page 12

Protection Domains

A domain conceptually encloses a set of classes whose instances are granted the same set of permissions.

Page 13

Java 2 Platform Security Model

[Diagram of the Java 2 platform security model: Remote, Local and Signed Class Files → Bytecode Verifier → Class Loader (which also loads the Core API Class Files) → Core Java API with the Security Package and Key Database → Security Manager and Access Controller → Operating System]

Page 14

Java Language Security

• Programs cannot access arbitrary memory locations
• Variables cannot be used before initialization
• Access modifiers (public, protected, private) are strictly enforced
• Entities declared final must not be changed
• Objects cannot be arbitrarily cast into other objects
• Array bounds must be checked on all array accesses

Page 15

Java Compiler

Java source files (.java) → Java Compiler → Java class files (.class)

The compiler enforces the language rules. A .class file can, however, be produced by other tools or altered after compilation, which is why the bytecode verifier re-checks those rules when the class is loaded.

Page 16

Bytecode Verifier

• Mini theorem prover
• Enforces the language rules on the bytecode itself, independently of the compiler that produced it
• Delayed bytecode verification (performed when a class is loaded and linked, not at compile time)
• Runtime binding

[Platform diagram from Page 13 repeated]

Page 17

Class Loader

• Loads classes into a namespace
• Sets the permissions (protection domain) for each class it loads
• Link-time type checks for type safety

[Platform diagram from Page 13 repeated]

Page 18

Java APIs and Security Package

• Classes in the java.security package
• Classes in the security extensions (JCE, JSSE, JAAS)
• Basis for application signing

[Platform diagram from Page 13 repeated]

Page 19

Security Manager & Access Controller

• The Security Manager exists for historical reasons; since Java 2 its checks are delegated to the Access Controller
• Access control to system resources
• Policy enforcement
• Installed by default only for applets

[Platform diagram from Page 13 repeated]
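Added example, not part of the slides: the policy from Page 10 built as static protection domains (Pages 11-12), with the Access Controller's stack-walk rule from Page 19 written out over ProtectionDomain.implies(). The code-source URLs, the unsigned code sources (null certificate arrays) and the call stacks are assumptions for illustration; in a real JVM the Policy resolves signedBy against the keystore. No SecurityManager or Policy is installed, so the example also runs on JDKs where that mechanism is disabled by default (JDK 18+) or removed (JDK 24+).

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.List;

public class ProtectionDomainDemo {

    /** One "grant" block from the policy: a CodeSource plus the permissions granted to it. */
    static ProtectionDomain domain(String location, Certificate[] signers,
                                   Permission... granted) throws Exception {
        Permissions perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        // Two-argument constructor => a static domain: implies() consults only these
        // permissions and never the installed Policy. Location URLs are hypothetical.
        CodeSource source = new CodeSource(URI.create(location).toURL(), signers);
        return new ProtectionDomain(source, perms);
    }

    /**
     * The Access Controller rule: a permission is granted only if every domain on the
     * call stack implies it. stack.get(0) is the frame touching the resource; higher
     * indices are its callers. privilegedFrame is the index of a frame that wrapped
     * its call in AccessController.doPrivileged(): that frame is still checked, but
     * the walk stops there and its callers are ignored (-1 = no privileged frame).
     */
    static boolean checkPermission(List<ProtectionDomain> stack, int privilegedFrame,
                                   Permission perm) {
        int last = privilegedFrame < 0 ? stack.size() - 1 : privilegedFrame;
        for (int i = 0; i <= last; i++) {
            if (!stack.get(i).implies(perm)) {
                return false;   // the least-privileged caller on the stack wins
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // The "grant everyone" entry of the policy ends up in every domain.
        Permission everyoneRead = new FilePermission("/tmp/pragati/*", "read");
        // Signer certificates are assumed to have been verified already (null = unsigned).
        ProtectionDomain pragati = domain("file:/opt/apps/pragati.jar", null,
                new FilePermission("/tmp/pragati/*", "read,write"), everyoneRead);
        ProtectionDomain john = domain("file:/opt/apps/john.jar", null,
                new FilePermission("/tmp/john/*", "read,write"), everyoneRead);
        ProtectionDomain applet = domain("http://example.invalid/applet.jar", null,
                everyoneRead);

        Permission writePragati = new FilePermission("/tmp/pragati/notes.txt", "write");
        Permission readPragati  = new FilePermission("/tmp/pragati/notes.txt", "read");
        Permission writeJohn    = new FilePermission("/tmp/john/notes.txt", "write");

        // Per-domain checks: what each grant block implies on its own.
        System.out.println("pragati implies write /tmp/pragati: " + pragati.implies(writePragati));
        System.out.println("john implies write /tmp/pragati:    " + john.implies(writePragati));
        System.out.println("applet implies read /tmp/pragati:   " + applet.implies(readPragati));

        // Stack checks: applet code calls John's library, which calls Pragati's
        // library, which touches a file under /tmp/pragati.
        List<ProtectionDomain> stack = List.of(pragati, john, applet);
        System.out.println("write via untrusted caller:         " + checkPermission(stack, -1, writePragati));
        System.out.println("read via untrusted caller:          " + checkPermission(stack, -1, readPragati));
        // Pragati's library wraps the write in doPrivileged(): the walk stops at frame 0.
        // This is how a library lends its privileges to callers, so the privileged
        // block must never let caller-controlled input choose the file.
        System.out.println("write inside doPrivileged:          " + checkPermission(stack, 0, writePragati));
        System.out.println("john writes /tmp/john for applet:   " + checkPermission(List.of(john, applet), -1, writeJohn));
    }
}
```

Compile and run with javac ProtectionDomainDemo.java && java ProtectionDomainDemo. The per-domain checks show Pragati's grant implying the write and John's not; on the three-frame stack the write is refused because the applet frame does not imply it, the read is allowed because the "grant everyone" entry is present in every domain, and with Pragati's frame marked privileged the same write succeeds. That last case is the capability-laundering risk every doPrivileged block has to be audited for.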

Page 20

Key Database

• Create / verify digital signatures (the keystore holding the signer certificates that the policy's signedBy entries refer to)

[Platform diagram from Page 13 repeated]

Page 21

Java Sandbox

• Permissions
• Code Source
• Protection Domain
• Policy File
• Keystore

Page 22

Java 2 Security Model

• All code runs in a sandbox (when a Security Manager is installed; see Page 19)
• All classes are loaded with full bytecode verification
• All classes are loaded with the Java language protections (type safety, access control) intact
• Signed classes verify the integrity and origination of Java classes
• Security policy provides fine-grained access control
• Crypto APIs

Page 23

THE ANDROID STACK

Page 24

Android

• Open platform
• First phone based on Android came out in 2008 (the T-Mobile G1 / HTC Dream)
• 75% smartphone market share as of October (source: idc.com)

Page 25

Android Security Model

• Platform Security
• Crypto APIs
• Secure Communication APIs
• Key Management APIs

Page 26

Install Time User Consent

You control your phone!

(Install-time consent is the model at the time of this talk. Since Android 6.0, "dangerous" permissions are instead requested from the user at runtime, on first use.)

Page 27

Android Platform Architecture

http://developer.android.com

Page 28

Linux Kernel

• Unique UID and GID for each application, assigned at install time
• Sharing can occur through component interactions (Intents, Binder), or two apps signed with the same key can explicitly share one UID
• Linux process sandbox

Page 29

Linux Kernel (cont'd)

include/linux/android_aid.h: certain permissions are mapped to supplementary group IDs, and the kernel checks group membership when a socket is created (android.permission.BLUETOOTH maps to net_bt, android.permission.INTERNET to inet):

    AID_NET_BT  3002  Can create Bluetooth sockets
    AID_INET    3003  Can create IPv4 and IPv6 sockets

Page 30

Middleware

• Libraries for code execution
• Libraries for services
• Take care of device-specific issues
• Compiled to machine language
• Native and Java code

Page 31

Java Virtual Machine?

• There is no JVM in the Android platform
• Java bytecode (.class files) is not executed
• A JAR file will not run on the Android platform as-is

Page 32

Dalvik Virtual Machine

Page 33

Dalvik Virtual Machine

• Dalvik does not align to Java SE or Java ME
• Library built on a subset of the Apache Harmony Java class library
• Highly optimized VM to support multiple VM instances
• Register-based architecture
• Shared constant pool
• Executes Dalvik executables (.dex)

Page 34

.dex File

[Build pipeline diagram: Source Files → Java Compiler → A.class, B.class → JAR Tool → Example.jar (A.class, B.class, Strings.xml, Icon.png) → DX Converter → Example.jar (Classes.dex, Strings.xml, Icon.png) → Dalvik VM]

Page 35

.dex File

[Image: imsciences.edu.pk]

Dalvik optimizes class files: the dx tool merges all classes of the application into one .dex file with a shared constant pool.

Page 36

Dalvik Virtual Machine

• No security manager
• Permissions are enforced in the OS, not in the VM
• As of Android 2.2, Dalvik has a JIT compiler
• Dalvik bytecode verification is mainly for optimization
• GC for each VM instance

Page 37

Android Application Structure

• An application is made of components:
• Activity: defines a screen
• Service: background processing
• Broadcast Receiver: mailbox for messages from other applications
• Content Provider: structured data store (typically backed by a SQLite relational database) for sharing information with other applications

Page 38

Android Application Structure

• Applications communicate through Intents
• Secure RPC using Binder
• AndroidManifest.xml defines the policy for the application: its components, the permissions it requests, and the permissions it enforces on callers

Page 39

Permission Protection Levels

• Normal: android.permission.VIBRATE, com.android.alarm.permission.SET_ALARM
• Dangerous: android.permission.SEND_SMS, android.permission.CALL_PHONE
• Signature: android.permission.FORCE_STOP_PACKAGES, android.permission.INJECT_EVENTS
• SignatureOrSystem: android.permission.ACCESS_USB, android.permission.SET_TIME

All components are secured by permissions

Developers can define their own permissions as well

Page 40

Application Layer Security

• Permissions restrict component interaction
• Permission labels are defined in AndroidManifest.xml
• Applications are self-signed; no CA is required
• Signatures define persistence and authorship
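Added example, not from the slides: an Android service written in Java that defines its own permission (Page 39) and enforces it both at the component boundary (Page 40) and on every Binder transaction (Page 38), keyed on the caller's Linux UID (Page 28). The package name, permission name, interface descriptor and manifest excerpt are hypothetical; the secret value is a placeholder.

```java
import android.app.Service;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.Process;
import android.os.RemoteException;
import android.util.Log;

import java.util.Arrays;

/*
 * Manifest entries this service assumes (hypothetical package com.example.vault).
 * The app-defined permission is "signature" level, so only packages signed with the
 * same key as this app can hold it:
 *
 *   <permission android:name="com.example.vault.permission.READ_SECRET"
 *               android:protectionLevel="signature" />
 *   <service android:name=".SecretService"
 *            android:exported="true"
 *            android:permission="com.example.vault.permission.READ_SECRET" />
 *
 * android:permission is checked by the system when a client calls bindService(),
 * i.e. once, at the component boundary. The IBinder handed back is a plain
 * capability: the client can forward it to any other process, and nothing checks
 * later transactions on it. Each transaction therefore re-validates the caller,
 * against the caller's kernel UID, which is the identity the OS enforces on.
 */
public class SecretService extends Service {
    private static final String TAG = "SecretService";
    static final String READ_SECRET = "com.example.vault.permission.READ_SECRET";
    static final String DESCRIPTOR = "com.example.vault.ISecret";
    static final int TRANSACTION_READ_SECRET = IBinder.FIRST_CALL_TRANSACTION;

    /** Raw Binder (what AIDL would generate); every transaction re-checks the caller. */
    private final class SecretBinder extends Binder {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TRANSACTION_READ_SECRET) {
                return super.onTransact(code, data, reply, flags);
            }
            data.enforceInterface(DESCRIPTOR);

            // Runs on a Binder thread with the sender's identity attached. Throws
            // SecurityException (delivered to the caller via the reply) unless the
            // sending UID holds READ_SECRET. Outside an IPC the calling-permission
            // checks always deny, by design, so in-process callers must also go
            // through transact() rather than call into this object directly.
            enforceCallingPermission(READ_SECRET, "caller does not hold READ_SECRET");

            int uid = Binder.getCallingUid();   // UID assigned to the caller's app at install
            String[] pkgs = getPackageManager().getPackagesForUid(uid);
            Log.i(TAG, "secret released to uid " + uid + " " + Arrays.toString(pkgs));

            reply.writeNoException();
            reply.writeString("s3cr3t");        // placeholder payload
            return true;
        }
    }

    /**
     * WRONG, kept for contrast: this asks whether this service's own process holds
     * the permission. It says nothing about who is calling, so any decision based on
     * it is made on the wrong principal (a confused deputy).
     */
    boolean checksTheWrongPrincipal() {
        return checkPermission(READ_SECRET, Process.myPid(), Process.myUid())
                == PackageManager.PERMISSION_GRANTED;
    }

    @Override
    public IBinder onBind(Intent intent) {
        return new SecretBinder();
    }
}
```

A client builds the call the way AIDL-generated code does: data.writeInterfaceToken(DESCRIPTOR), then binder.transact(TRANSACTION_READ_SECRET, data, reply, 0), then reply.readException() followed by reply.readString(). A process that obtained the IBinder second-hand from a permitted app still fails the check, because Binder.getCallingUid() reports the UID of the process that actually sent the transaction, not the one that originally bound the service.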

Page 41

Android Security Model

• Linux process sandbox
• Permission-based component interaction
• Dalvik is not a security boundary
• All applications need to be signed
• Signatures define persistence and authorship
• Install-time security decisions
• Crypto APIs

Page 42

SUMMARY

Page 43

Vision

Java: protect the host machine from malicious code
Android: optimization for the mobile platform

Page 44

Install Time Checking

Java: Who are you? (code source and signer)
Android: What do you want to do? (requested permissions)

Page 45

Sandbox

Java: Permissions + Code Sources + Policy + Keystore + Protection Domains
Android: Linux process sandbox

Page 46

Signature

Java: identity and trust
Android: authorship and persistence

Page 47

Permissions

Java: enforced by the VM
Android: enforced by the OS

Page 48

Protection Domain

Java: Code Sources + Permissions
Android: the process

Page 49

Virtual Machine

Java: the VM is a security boundary
Android: the VM is NOT a security boundary

Page 50

Security Enforcement

Java: applets vs. applications (the Security Manager is installed by default only for applets)
Android: native vs. Java code, no exceptions! The OS enforces permissions on both

Page 51

Page 52

@PayPalDev @pragatiogal

http://www.slideshare.net/pragatiogal

Thank you!