java & the android stack: a security analysis

Java & The Android Stack: A Security Analysis Pragati Ogal Rai Mobile Technology Evangelist PayPal, eBay Inc. [email protected] @pragatiogal Conference, Bangalore, Dec 8, 2012


DESCRIPTION

Talk presented

TRANSCRIPT

Page 1: Java & The Android Stack: A Security Analysis

Java & The Android Stack: A Security Analysis

Pragati Ogal Rai

Mobile Technology Evangelist

PayPal, eBay Inc.

[email protected]

@pragatiogal

Java Conference, Bangalore, Dec 8, 2012

Page 2

Agenda

Java 2 Security Model

Android Security Model

Summarize

Page 3

Java 2 Security Model

Page 4

Java

Developed by Sun Microsystems in the early 1990s

Platform Independent

Compiled to bytecode that runs on a Virtual Machine

"Java is Secure"

Page 5

Java 2 Security Model

Platform Security

Crypto APIs

Authentication & Access Control APIs

Secure Communication APIs

Key Management APIs

Page 6

Java Language Security

Programs cannot access arbitrary memory locations

Variables cannot be used before initialization

Access methods are strictly adhered to

Entities declared final must not be changed

Objects cannot be arbitrarily cast into other objects

Array bounds must be checked on all array accesses

Page 7

Java 2 Platform Security Model

(Architecture diagram; component labels as shown on the slide:)

Remote Class Files / Local Class Files / Signed Class Files

Bytecode Verifier

Class Loader

Core API Class Files

Core Java API / Security Package

Key Database

Operating System

Security Manager / Access Controller

Page 8

Java 2 Sandbox Model

• Fine grained access control

• Configurable Security Policy

• No built-in concept of trusted local code

Page 9

Security Policy File Example

    // If the code is signed by "Pragati", grant it read/write access to all
    // files in /tmp/pragati
    grant signedBy "Pragati" {
        permission java.io.FilePermission "/tmp/pragati/*", "read,write";
    };

    // If the code is signed by "John", grant it read/write access to all
    // files in /tmp/john
    grant signedBy "John" {
        permission java.io.FilePermission "/tmp/john/*", "read,write";
    };

    // Grant everyone the following permission:
    grant {
        permission java.io.FilePermission "/tmp/pragati/*", "read";
    };

    ...

Page 10

Protection Domain

Domain name "Pragati": Pragati's certificate; read/write access to /tmp/pragati/*

Domain name "John": John's certificate; read/write access to /tmp/john/*; read access to /tmp/pragati/*

...

Protection Domain = Code Source + Permission
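To make "Protection Domain = Code Source + Permission" concrete, here is an added example (not part of the talk) that builds two ProtectionDomain objects mirroring the policy file on the previous slide and asks them the question the AccessController would ask; the code-base URLs are made up and no signer certificates are attached.

```java
import java.io.FilePermission;
import java.net.URL;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;

public class ProtectionDomainDemo {

    // One "grant" block of the policy file becomes one domain: a CodeSource
    // (where the code came from, plus signer certificates when the grant uses
    // signedBy) paired with the permissions granted to that source.
    static ProtectionDomain domain(String codeBase, Permission... granted) throws Exception {
        // Constructed code-base URL; no signer certificates in this offline demo.
        CodeSource source = new CodeSource(new URL(codeBase), (Certificate[]) null);
        PermissionCollection perms = new Permissions();
        for (Permission p : granted) {
            perms.add(p);
        }
        perms.setReadOnly();
        // The two-argument constructor builds a static domain: implies() consults
        // only these permissions, never the installed Policy.
        return new ProtectionDomain(source, perms);
    }

    public static void main(String[] args) throws Exception {
        ProtectionDomain pragati = domain("file:/opt/pragati/",
                new FilePermission("/tmp/pragati/*", "read,write"));
        // John's domain: his own grant plus the "grant everyone" block.
        ProtectionDomain john = domain("file:/opt/john/",
                new FilePermission("/tmp/john/*", "read,write"),
                new FilePermission("/tmp/pragati/*", "read"));

        Permission readPragati = new FilePermission("/tmp/pragati/notes.txt", "read");
        Permission writePragati = new FilePermission("/tmp/pragati/notes.txt", "write");
        Permission readHosts = new FilePermission("/etc/hosts", "read");

        // FilePermission.implies() resolves the "/*" wildcard and action subsets,
        // so a domain answers exactly the question an access check would pose.
        System.out.println("Pragati reads /tmp/pragati: " + pragati.implies(readPragati));
        System.out.println("John reads /tmp/pragati:    " + john.implies(readPragati));
        System.out.println("John writes /tmp/pragati:   " + john.implies(writePragati));
        System.out.println("John reads /etc/hosts:      " + john.implies(readHosts));
    }
}
```

Only the first two checks succeed: John's domain carries read on /tmp/pragati/* but not write, and nothing at all under /etc.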

Page 11

Java 2 Security Model

All code runs in a sandbox

All classes are loaded with full bytecode verification

All classes are loaded with Java language features

Signed classes verify the integrity and origination of Java classes

Security policy provides fine-grained access control

Crypto APIs

Page 12

The Android Stack

Page 13

Android

Open Platform

First phone based on Android came out in 2009

75% smartphone market share as of October [1]

[1] idc.com

Page 14

Android Security Model

Platform Security

Crypto APIs

Secure Communication APIs

Key Management APIs

Page 15

Install Time User Consent

Page 16

Android OS Architecture

http://developer.android.com

Page 17

Linux Kernel

Unique UID and GID for each application at install time

Sharing can occur through component interactions

Linux Process Sandbox

Page 18

Linux Kernel (Cont'd)

include/linux/android_aid.h

AID_NET_BT   3002   Can create Bluetooth Sockets

AID_INET     3003   Can create IPv4 and IPv6 Sockets

Page 19

Middleware

Libraries for code execution

Libraries for services

Take care of device specific issues

Compiled to machine language

Native and Java code

Page 20

Java Virtual Machine?

There is no JVM in Android platform

No Java bytecode is executed

JAR file will not run on Android platform

Page 21

Dalvik Virtual Machine

Dalvik does not align to Java SE or Java ME

Library built on a subset of the Apache Harmony Java

Highly optimized VM to support multiple VM instances

Register based architecture

Shared constant pool

Executes Dalvik executables (.dex)

Page 22

Dalvik Virtual Machine

No security manager

Permissions are enforced in OS and not in VM

As of Android 2.2 Dalvik has a JIT compiler

Dalvik bytecode verification mainly for optimization

GC for each VM instance

Page 23

Android Application Structure

Application is made of components

Activity: Define screens

Service: Background processing

Broadcast Receiver: Mailbox for messages from other applications

Content Provider: Relational database for sharing information

Applications communicate through Intents

Secure RPC using Binder

AndroidManifest.xml defines policy for application

Page 24

Permission Protection Levels

Normal

    android.permission.VIBRATE
    com.android.alarm.permission.SET_ALARM

Dangerous

    android.permission.SEND_SMS
    android.permission.CALL_PHONE

Signature

    android.permission.FORCE_STOP_PACKAGES
    android.permission.INJECT_EVENTS

SignatureOrSystem

    android.permission.ACCESS_USB
    android.permission.SET_TIME

All components are secured by permissions

Developers can define their own permissions as well

Page 25

Application Layer Security

Permissions restrict component interaction

Permission labels defined in AndroidManifest.xml

Applications are self-signed; no CA required

Signatures define persistence and authorship
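The previous two slides in code, as an added example that is not from the talk: a ContentProvider guarded by a developer-defined signature-level permission, declared in the manifest and re-checked at the Binder call using the caller's Linux UID. The package name, permission name and authority (com.example.demo...) are hypothetical.

```java
// Manifest side of this constructed example (hypothetical package com.example.demo):
//   <permission android:name="com.example.demo.permission.READ_BALANCE"
//               android:protectionLevel="signature" />
//   <provider android:name=".BalanceProvider" android:exported="true"
//             android:authorities="com.example.demo.balance"
//             android:readPermission="com.example.demo.permission.READ_BALANCE" />
// protectionLevel="signature": only packages signed with this app's own
// certificate can ever hold the permission (self-signed, no CA involved).
package com.example.demo;

import android.content.ContentProvider;
import android.content.ContentValues;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.database.MatrixCursor;
import android.net.Uri;
import android.os.Binder;
import android.util.Log;

public class BalanceProvider extends ContentProvider {
    static final String READ_BALANCE = "com.example.demo.permission.READ_BALANCE";

    @Override
    public boolean onCreate() { return true; }

    @Override
    public Cursor query(Uri uri, String[] projection, String selection,
                        String[] selectionArgs, String sortOrder) {
        // The framework already rejects callers lacking readPermission. This
        // in-component check repeats the decision so it cannot be lost to a
        // manifest edit and adds a log line that a defender can alert on.
        // Binder preserves the caller's identity across query(); the UID is the
        // one the kernel assigned to the calling app at install time.
        int callerUid = Binder.getCallingUid();
        if (getContext().checkCallingPermission(READ_BALANCE)
                != PackageManager.PERMISSION_GRANTED) {
            Log.w("BalanceProvider", "denied query uid=" + callerUid + " uri=" + uri);
            throw new SecurityException("caller lacks " + READ_BALANCE);
        }
        MatrixCursor cursor = new MatrixCursor(new String[] {"account", "balance"});
        cursor.addRow(new Object[] {"demo-account", 4200});  // constructed sample row
        return cursor;
    }

    // Read-only provider: remaining operations are unsupported.
    @Override public String getType(Uri uri) { return "vnd.android.cursor.dir/vnd.com.example.demo.balance"; }
    @Override public Uri insert(Uri uri, ContentValues v) { throw new UnsupportedOperationException(); }
    @Override public int delete(Uri uri, String w, String[] a) { throw new UnsupportedOperationException(); }
    @Override public int update(Uri uri, ContentValues v, String w, String[] a) { throw new UnsupportedOperationException(); }
}
```

checkCallingPermission() returns PERMISSION_DENIED when there is no IPC caller at all (the provider invoked from its own process), which is the safe default for a component meant to be reached only through Binder.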

Page 26

Android Security Model

Linux process sandbox

Permission based component interaction

Dalvik is not a security boundary

All applications need to be signed

Signatures define persistence and authorship

Install time security decisions

Crypto APIs

Page 27

Summary

Page 28

Install Time Check

Java 2: Who are you?

Android: What do you want to do?

Page 29

Sandbox

Java 2: Based on permissions, code sources, policy, keystore, protection domains

Android: Process Sandbox

Page 30

Signature

Java 2: Identity and Trust

Android: Authorship and Persistence

Page 31

Permissions

Java 2: Enforced by VM

Android: Enforced by OS

Page 32

Protection Domain

Java 2: Code Sources + Permissions

Android: Process

Page 33

Virtual Machine

Java 2: Is a security boundary

Android: Is NOT a security boundary

Page 34

Thank you!

[email protected]

@pragatiogal

http://www.slideshare.net/pragatiogal