Presented at AnDevCon Boston 2013
FROM JAVA TO ANDROID: A SECURITY ANALYSIS
Pragati Ogal Rai
Mobile Technology Evangelist, PayPal
@pragatiogal @PayPalDev
I’m Curious
• Motorola JUIX Platform
• Motorola Linux Java Platform
• Android
Agenda
• Java 2 Security Model
• Android Security Model
• Summarize
JAVA 2 SECURITY MODEL
Java
• Developed by Sun Microsystems in the early 1990s
• Platform Independent – write once run anywhere!
• Compiled to byte code that runs on a Virtual Machine
• “Java is Secure”
Java 2 Security Model
• Language Security Features
• Platform Security
• Crypto APIs
• Authentication & Access Control APIs
• Secure Communication APIs
• Key Management APIs
JDK 1.0 Sandbox Model
• Very restricted model
• Local code is trusted
• Remote code is not trusted
JDK 1.1 Security Model
• Signed applet model
• Trusted code has privileges
• Untrusted code runs in sandbox
Java 2 Sandbox Model
• Fine grained access control
• Configurable Security Policy
• No built-in concept of trusted local code
Security Policy File Example
// If the code is signed by "Pragati", grant it read/write access to all files in /tmp/pragati
grant signedBy "Pragati" {
    permission java.io.FilePermission "/tmp/pragati/*", "read,write";
};
// If the code is signed by "John", grant it read/write access to all files in /tmp/john
grant signedBy "John" {
    permission java.io.FilePermission "/tmp/john/*", "read,write";
};
// Grant everyone the following permission:
grant {
    permission java.io.FilePermission "/tmp/pragati/*", "read";
};
Protection Domains
Domain "Pragati": Pragati's certificate; read/write access to /temp/pragati/*
Domain "John": John's certificate; read/write access to /temp/john/*; read access to /temp/pragati/*
Protection Domain = Code Source + Permission
Protection Domains
A domain conceptually encloses a set of classes whose instances
are granted the same set of permissions.
Java 2 Platform Security Model
(Architecture diagram: Remote Class Files, Local Class Files and Signed Class Files pass through the Bytecode Verifier to the Class Loader, which also loads the Core API Class Files; above them sit the Core Java API and Security Package, the Key Database, the Security Manager and the Access Controller, all on top of the Operating System.)
Java Language Security
• Programs cannot access arbitrary memory locations
• Variables cannot be used before initialization
• Access methods are strictly adhered to
• Entities declared final must not be changed
• Objects cannot be arbitrarily cast into other objects
• Array bounds must be checked on all array accesses
Java Compiler
Java Files (.java) → Java Class Files (.class)
Compiler enforces language rules
Bytecode Verifier
Mini theorem prover
Enforces language rules
Delayed bytecode verification
Runtime binding
Class Loader
Loads classes in namespace
Set permission for each class it loads
Link type checks for type safety
Java APIs and Security Package
Classes in java.security package
Classes in security extensions
Basis for application signing
Security Manager & Access Controller
Security manager exists for historical reasons
Access control to system resources
Policy enforcement
Default only for applets
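An added illustration, not code from the deck, of the policy file and protection domains above and of the check the Access Controller performs, built directly from the java.security classes. The codebase URLs and the file name are constructed, and the slide's signedBy certificates are stood in for by unsigned code sources because no real signer certificates are available in a stand-alone example.

```java
import java.io.FilePermission;
import java.net.URI;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class ProtectionDomainDemo {
    // A protection domain is exactly what one "grant" block in the policy file produces: a code
    // source plus the permissions granted to it. Codebase URLs here are constructed placeholders,
    // and null certificates stand in for the slide's signedBy signers (no real certs available).
    static ProtectionDomain domain(String codebase, Permission... grants) throws Exception {
        Permissions granted = new Permissions();
        for (Permission p : grants) granted.add(p);
        CodeSource source = new CodeSource(URI.create(codebase).toURL(), (Certificate[]) null);
        return new ProtectionDomain(source, granted);
    }

    // The access controller walks the call stack: every domain of every frame must imply the
    // requested permission, so the effective rights are the intersection of the callers' rights.
    static boolean allowed(Permission wanted, ProtectionDomain... callStack) {
        for (ProtectionDomain frame : callStack) {
            if (!frame.implies(wanted)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        ProtectionDomain pragati = domain("file:/tmp/pragati-code/",
                new FilePermission("/tmp/pragati/*", "read,write"));
        ProtectionDomain john = domain("file:/tmp/john-code/",
                new FilePermission("/tmp/john/*", "read,write"),
                new FilePermission("/tmp/pragati/*", "read"));
        Permission read = new FilePermission("/tmp/pragati/notes.txt", "read");
        Permission write = new FilePermission("/tmp/pragati/notes.txt", "write");
        report("Pragati's code reads /tmp/pragati/notes.txt", allowed(read, pragati));
        report("John's code writes /tmp/pragati/notes.txt", allowed(write, john));
        // John's code calls into Pragati's code: the frame with fewer rights decides.
        report("John -> Pragati reads /tmp/pragati/notes.txt", allowed(read, john, pragati));
        report("John -> Pragati writes /tmp/pragati/notes.txt", allowed(write, john, pragati));
    }

    static void report(String check, boolean ok) {
        System.out.println((ok ? "granted: " : "denied:  ") + check);
    }
}
```

Because ProtectionDomain.implies is evaluated on the domain's static permissions, this runs without installing a SecurityManager and so works on JDKs where the manager is deprecated or disabled.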
Key Database
Create / verify digital signatures
Java Sandbox
• Permissions
• Code Source
• Protection Domain
• Policy File
• Keystore
Java 2 Security Model
• All code runs in a sandbox
• All classes are loaded with full bytecode verification
• All classes are loaded with Java language features
• Signed classes verify the integrity and origination of Java classes
• Security policy provides fine-grained access
• Crypto APIs
THE ANDROID STACK
Android
• Open Platform
• First phone based on Android came out in 2009
• 75% smartphone market share as of October [1]
[1] idc.com
Android Security Model
• Platform Security
• Crypto APIs
• Secure Communication APIs
• Key Management APIs
Install Time User Consent
You control your phone!
Android Platform Architecture
http://developer.android.com
Linux Kernel
Unique UID and GID for each application at install time
Sharing can occur through component interactions
Linux Process Sandbox
Linux Kernel (Cont’d)
include/linux/android_aid.h
AID_NET_BT  3002  Can create Bluetooth Sockets
AID_INET    3003  Can create IPv4 and IPv6 Sockets
Middleware
• Libraries for code execution
• Libraries for services
• Take care of device specific issues
• Compiled to machine language
• Native and Java code
Java Virtual Machine?
• There is no JVM in Android platform
• No byte code is executed
• JAR file will not run on Android platform
Dalvik Virtual Machine
Dalvik Virtual Machine
• Dalvik does not align to Java SE or Java ME
• Library built on a subset of the Apache Harmony Java
• Highly optimized VM to support multiple VM instances
• Register based architecture
• Shared constant pool
• Executes Dalvik executables (.dex)
.dex File
(Build pipeline diagram: Source Files → Java Compiler → A.class, B.class → JAR Tool → Example.jar (A.class, B.class, Strings.xml, Icon.png) → DX Converter → Example.jar (Classes.dex, Strings.xml, Icon.png) → Dalvik VM. Source: imsciences.edu.pk)
Dalvik optimizes class files
Dalvik Virtual Machine
• No security manager
• Permissions are enforced in OS and not in VM
• As of Android 2.2 Dalvik has a JIT compiler
• Dalvik Bytecode verification mainly for optimization
• GC for each VM instance
Android Application Structure
• Application is made of components
• Activity: Define screens
• Service: Background processing
• Broadcast Receiver: Mailbox for messages from other applications
• Content Provider: Relational database for sharing information
Android Application Structure
• Applications communicate through Intents
• Secure RPC using Binder
• AndroidManifest.xml defines policy for application
Permission Protection Levels
• Normal
  android.permission.VIBRATE, com.android.alarm.permission.SET_ALARM
• Dangerous
  android.permission.SEND_SMS, android.permission.CALL_PHONE
• Signature
  android.permission.FORCE_STOP_PACKAGES, android.permission.INJECT_EVENTS
• SignatureOrSystem
  android.permission.ACCESS_USB, android.permission.SET_TIME
All components are secured by permissions
Developers can define their own permissions as well
Application Layer Security
• Permissions restrict component interaction
• Permission labels defined in AndroidManifest.xml
• Applications are self-signed; no CA required
• Signatures define persistence and authorship
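An added example, not part of the deck, of where Android keeps the policy the two slides above describe. A constructed AndroidManifest.xml (package, permission and component names are made up) is parsed with the JDK's built-in DOM parser to list the protection level of each permission the application defines and which permission label, if any, guards each of its components.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;
public class ManifestPermissionAudit {
    // Constructed sample manifest, not taken from any real application: one developer-defined
    // permission at the signature level guards a service and a provider; a receiver has no label.
    static final String MANIFEST = String.join("\n",
        "<manifest xmlns:android=\"http://schemas.android.com/apk/res/android\"",
        "          package=\"com.example.demo\">",
        "  <permission android:name=\"com.example.demo.permission.SYNC\"",
        "              android:protectionLevel=\"signature\"/>",
        "  <application>",
        "    <service android:name=\".SyncService\"",
        "             android:permission=\"com.example.demo.permission.SYNC\"/>",
        "    <provider android:name=\".NotesProvider\" android:authorities=\"com.example.demo.notes\"",
        "              android:permission=\"com.example.demo.permission.SYNC\"/>",
        "    <receiver android:name=\".WakeReceiver\"/>",
        "  </application>",
        "</manifest>");

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // A manifest never needs a DTD; refusing one also rules out external-entity expansion.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Document doc = parse(MANIFEST);
        NodeList defined = doc.getElementsByTagName("permission");
        for (int i = 0; i < defined.getLength(); i++) {
            Element p = (Element) defined.item(i);
            System.out.printf("defines %s at protectionLevel=%s%n",
                p.getAttribute("android:name"), p.getAttribute("android:protectionLevel"));
        }
        // Every component is an entry point reachable through Intents/Binder; report its guard.
        for (String kind : new String[] {"activity", "service", "receiver", "provider"}) {
            NodeList comps = doc.getElementsByTagName(kind);
            for (int i = 0; i < comps.getLength(); i++) {
                Element c = (Element) comps.item(i);
                String guard = c.getAttribute("android:permission");
                System.out.printf("%-8s %-15s %s%n", kind, c.getAttribute("android:name"),
                    guard.isEmpty() ? "no permission label" : "requires " + guard);
            }
        }
    }
}
```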
Android Security Model
• Linux process sandbox
• Permission based component interaction
• Dalvik is not a security boundary
• All applications need to be signed
• Signatures define persistence and authorship
• Install time security decisions
• Crypto APIs
SUMMARY
                      | Java                                       | Android
Vision                | Protect host machine from malicious code   | Optimization for mobile platform
Install Time Checking | Who are you?                               | What do you want to do?
Sandbox               | Permissions + Code Sources + Policy +      | Linux Process Sandbox
                      | keystore + Protection Domains              |
Signature             | Identity and Trust                         | Authorship and Persistence
Permissions           | Enforced by VM                             | Enforced by OS
Protection Domain     | Code Sources + Permissions                 | Process
Virtual Machine       | VM is a security boundary                  | VM is NOT a security boundary
Security Enforcement  | Applets v/s Applications;                  | No exceptions!
                      | Native v/s Java code                       |
@PayPalDev @pragatiogal
http://www.slideshare.net/pragatiogal
Thank you!