Sandeep K. Shukla
Indian Institute of Technology
Kanpur
Acknowledgements
Maciej Olewiski
Web Resources
Lecture 8: Internet Security
Total Modules on Web Client Security
Module 8.1: Major Web server Threats: Command
and SQL Injection Attacks
Module 8.2: CSRF Cross-Site Request Forgery
Module 8.3: XSS Cross-Site Scripting
Module 8.4: Defenses and Protections against XSS
Module 8.5: Finding Vulnerabilities
Module 8.6: Secure Development
Module 9.1: Basics of Android
Why Study Android Security?
Market Share Growth Trend
Versions of Android
Numerous vulnerabilities discovered on a daily basis
Android Nougat (7.0) Security Enhancements
File-based encryption. Encrypting at the file level, instead of encrypting the entire storage area as a single unit, better isolates and protects individual users and profiles (such as personal and work) on a device.
Direct Boot. Enabled by file-based encryption, Direct Boot allows certain apps, such as alarm clocks and accessibility features, to run when the device is powered on but not yet unlocked.
Verified Boot. Verified Boot is now strictly enforced to prevent compromised devices from booting; it supports error correction to improve reliability against non-malicious data corruption.
Library load-order randomization and improved ASLR. Increased randomness makes some code-reuse attacks less reliable.
Kernel hardening. Added additional memory protection for newer kernels by marking portions of kernel memory as read-only, restricting kernel access to user-space addresses, and further reducing the existing attack surface.
APK signature scheme v2. Introduced a whole-file signature scheme that improves verification speed and strengthens integrity guarantees.
Trusted CA store. To make it easier for apps to control access to their secure network traffic, user-installed certificate authorities and those installed through Device Admin APIs are no longer trusted by default for apps targeting API Level 24+.
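The file-based encryption and Direct Boot items above, as an added example that is not part of the lecture: a Direct Boot aware BroadcastReceiver that reads only device-encrypted (DE) storage before the user unlocks and touches credential-encrypted (CE) storage only afterwards. The package, class and preference names and the manifest entries sketched in the comments are assumptions; the framework calls used (createDeviceProtectedStorageContext, ACTION_LOCKED_BOOT_COMPLETED, UserManager.isUserUnlocked) exist from API 24.

```java
// Added example (not from the lecture): a Direct Boot aware receiver on
// Android 7.0+. Before the user unlocks, only device-encrypted (DE) storage
// is readable; credential-encrypted (CE) storage stays locked. Package,
// class and preference names are hypothetical.
//
// Assumed manifest entries (not shown here):
//   <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
//   <receiver android:name=".BootReceiver" android:directBootAware="true">
//     <intent-filter>
//       <action android:name="android.intent.action.LOCKED_BOOT_COMPLETED"/>
//       <action android:name="android.intent.action.BOOT_COMPLETED"/>
//     </intent-filter>
//   </receiver>
package com.example.directboot;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.Build;
import android.os.UserManager;
import android.util.Log;

public class BootReceiver extends BroadcastReceiver {
    private static final String TAG = "BootReceiver";
    private static final String DE_PREFS = "alarm_schedule"; // DE: no secrets in here
    private static final String CE_PREFS = "account";        // CE: tokens, credentials

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.N
                && Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action)) {
            // Device is powered on but not unlocked. Only the DE context works;
            // file operations on CE storage fail in this state.
            Context deContext = context.createDeviceProtectedStorageContext();
            SharedPreferences schedule =
                    deContext.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE);
            long nextAlarmMs = schedule.getLong("next_alarm_ms", -1L);
            if (nextAlarmMs > 0) {
                Log.i(TAG, "re-arming alarm from DE storage at " + nextAlarmMs);
                // (re-register the alarm with AlarmManager here)
            }
            return;
        }

        if (Intent.ACTION_BOOT_COMPLETED.equals(action) && isUserUnlocked(context)) {
            // User has unlocked: CE storage is decrypted and safe to read.
            SharedPreferences account =
                    context.getSharedPreferences(CE_PREFS, Context.MODE_PRIVATE);
            boolean signedIn = account.contains("refresh_token");
            Log.i(TAG, "CE storage available, signed in = " + signedIn);
        }
    }

    /** Credential-encrypted storage is usable only after the user unlocks. */
    static boolean isUserUnlocked(Context context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.N) {
            return true; // no file-based encryption before Nougat
        }
        UserManager um = context.getSystemService(UserManager.class);
        return um != null && um.isUserUnlocked();
    }
}
```

Anything written through the device-protected context is protected only by a device-bound key, not by the user's lock screen credential, so it should hold scheduling state and never tokens or keys; keeping the two contexts separate is what lets file-based encryption isolate users and profiles as the slide describes.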
Android Marshmallow (6.0) Security Enhancements
Runtime Permissions. Applications request permissions at runtime instead of being granted them at app install time. Users can toggle permissions on and off for both M and pre-M applications.
Verified Boot. A set of cryptographic checks of system software is conducted prior to execution to ensure the phone is healthy from the boot loader all the way up to the operating system.
Hardware-Isolated Security. A new Hardware Abstraction Layer (HAL) is used by the Fingerprint API, lock screen, device encryption, and client certificates to protect keys against kernel compromise and/or local physical attacks.
Fingerprints. Devices can now be unlocked with just a touch. Developers can also take advantage of new APIs to use fingerprints to lock and unlock encryption keys.
SD Card Adoption. Removable media can be adopted to a device and expand available storage for app local data, photos, videos, etc., but still be protected by block-level encryption.
Clear Text Traffic. Developers can use a new StrictMode to make sure their application doesn't use cleartext.
System Hardening. Hardening of the system via policies enforced by SELinux. This offers better isolation between users, IOCTL filtering, reduced threat from exposed services, further tightening of SELinux domains, and extremely limited /proc access.
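Two of the Marshmallow items above, runtime permissions and the cleartext StrictMode, as an added example that is not the lecture's code: an Activity that installs a VM policy rejecting unencrypted network traffic and asks for the CAMERA permission at the point of use, with a fallback when the user denies it. The package, class and request code are assumptions; the StrictMode and permission methods are the framework ones introduced in API 23, guarded so the class still loads on pre-M devices.

```java
// Added example (not from the lecture). Package, class name and request
// code are hypothetical; the APIs are the API 23 framework ones.
package com.example.marshmallow;

import android.Manifest;
import android.app.Activity;
import android.content.pm.PackageManager;
import android.os.Build;
import android.os.Bundle;
import android.os.StrictMode;
import android.util.Log;

public class CameraActivity extends Activity {
    private static final String TAG = "CameraActivity";
    private static final int REQ_CAMERA = 42; // arbitrary request code

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        installCleartextPolicy();
        if (hasCameraPermission()) {
            openCamera();
        } else {
            requestCameraPermission();
        }
    }

    /** Marshmallow StrictMode: log, then kill the process, on any cleartext socket. */
    private void installCleartextPolicy() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            StrictMode.setVmPolicy(new StrictMode.VmPolicy.Builder()
                    .detectCleartextNetwork()
                    .penaltyLog()
                    .penaltyDeathOnCleartextNetwork()
                    .build());
        }
    }

    /** Pre-M: granted at install from the manifest. M+: ask the system each time. */
    private boolean hasCameraPermission() {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.M) {
            return true;
        }
        return checkSelfPermission(Manifest.permission.CAMERA)
                == PackageManager.PERMISSION_GRANTED;
    }

    private void requestCameraPermission() {
        if (shouldShowRequestPermissionRationale(Manifest.permission.CAMERA)) {
            // User denied once before: explain why the camera is needed first.
            Log.i(TAG, "showing camera rationale before asking again");
        }
        requestPermissions(new String[]{Manifest.permission.CAMERA}, REQ_CAMERA);
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, String[] permissions,
                                           int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_CAMERA) {
            return;
        }
        if (grantResults.length > 0
                && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            openCamera();
        } else {
            // Denied: degrade gracefully instead of crashing or nagging.
            Log.w(TAG, "camera permission denied; photo feature disabled");
        }
    }

    private void openCamera() {
        Log.i(TAG, "camera permission granted; opening camera");
        // (camera setup would go here)
    }
}
```

The permission check is repeated on every entry rather than cached, because the slide notes that users can revoke permissions at any time from Settings; the cleartext policy is set in the VM policy (not the thread policy) because socket creation can happen on any thread.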
Android Architecture
Linux Substrate
At the bottom of the layers is Linux with many patches; more recently, SELinux.
This provides a level of abstraction between the device hardware and the layers above it.
It contains all the essential hardware drivers like camera, keypad, display etc.
Also, the kernel handles networking and a vast array of device drivers, which is useful in interfacing to peripheral hardware.
Libraries Layer
On top of the Linux kernel there is a set of libraries including:
the open-source Web browser engine WebKit
the well-known library libc
the SQLite database, which is a useful repository for storage and sharing of application data
libraries to play and record audio and video
SSL libraries responsible for Internet security
etc.
Android Libraries
Java-based libraries that are specific to Android development
Examples
the application framework
Libraries to facilitate user interface building
Libraries for graphics drawing
Libraries for database access.
Examples of Android Libraries
android.app
Provides access to the application model.
android.content
Facilitates content access, publishing and messaging between applications and application components.
android.database
Used to access data published by content providers and includes SQLite database management classes.
android.opengl
A Java interface to the OpenGL ES 3D graphics rendering API.
android.os
Provides applications with access to standard operating system services including messages, system services and inter-process communication.
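The android.database entry above, as an added example that is not from the lecture: a SQLiteOpenHelper that exposes the same lookup twice, once with the caller's value spliced into the SQL text (the SQL injection pattern of Module 8.1, shown only so the contrast is visible) and once with the value bound as a parameter through the query() API. The package, table, column and class names are assumptions.

```java
// Added example (not from the lecture). Package, table and column names are
// hypothetical; the SQLiteOpenHelper / SQLiteDatabase APIs are the framework ones.
package com.example.db;

import android.content.ContentValues;
import android.content.Context;
import android.database.Cursor;
import android.database.sqlite.SQLiteDatabase;
import android.database.sqlite.SQLiteOpenHelper;

public class NotesDbHelper extends SQLiteOpenHelper {
    private static final String DB_NAME = "notes.db";
    private static final int DB_VERSION = 1;

    public NotesDbHelper(Context context) {
        super(context, DB_NAME, null, DB_VERSION);
    }

    @Override
    public void onCreate(SQLiteDatabase db) {
        db.execSQL("CREATE TABLE notes ("
                + "_id INTEGER PRIMARY KEY, "
                + "owner TEXT NOT NULL, "
                + "body TEXT NOT NULL)");
    }

    @Override
    public void onUpgrade(SQLiteDatabase db, int oldVersion, int newVersion) {
        db.execSQL("DROP TABLE IF EXISTS notes");
        onCreate(db);
    }

    public long insertNote(String owner, String body) {
        ContentValues values = new ContentValues();
        values.put("owner", owner);
        values.put("body", body);
        return getWritableDatabase().insert("notes", null, values);
    }

    /**
     * VULNERABLE: owner becomes part of the SQL text. A value containing a
     * single quote changes the structure of the statement, so an attacker who
     * controls owner (e.g. via an exported content provider) can read rows
     * belonging to other users. Kept here only to contrast with notesForOwner().
     */
    public Cursor notesForOwnerUnsafe(String owner) {
        SQLiteDatabase db = getReadableDatabase();
        return db.rawQuery(
                "SELECT _id, body FROM notes WHERE owner = '" + owner + "'", null);
    }

    /**
     * SAFE: the value travels as a bound parameter (the '?' placeholder), never
     * as SQL, so quotes in owner are just data.
     */
    public Cursor notesForOwner(String owner) {
        SQLiteDatabase db = getReadableDatabase();
        return db.query(
                "notes",                          // table
                new String[]{"_id", "body"},      // columns
                "owner = ?",                      // selection
                new String[]{owner},              // selectionArgs, bound by SQLite
                null, null,                       // groupBy, having
                "_id ASC");                       // orderBy
    }
}
```

The same rule applies when the helper sits behind a content provider: pass the caller's selection and selectionArgs through to query() rather than concatenating them, since the provider's caller is another app and should be treated as untrusted input.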
Examples of Android Libraries (2)
android.text
Used to render and manipulate text on a device display.
android.view
The fundamental building blocks of application user interfaces.
android.widget
A rich collection of pre-built user interface components such as buttons, labels, list views, layout managers, radio buttons etc.
android.webkit
A set of classes intended to allow web-browsing capabilities to be built into applications.
Android Runtime
A key component is the Dalvik Virtual Machine, a Java Virtual Machine specially designed and optimized for Android.
The Dalvik VM makes use of Linux core features like memory management and multi-threading.
The Dalvik VM enables every Android application to run in its own process, with its own instance of the Dalvik virtual machine.
The Android runtime also provides a set of core libraries that enable Android application developers to write Android applications using the standard Java programming language.
Android Application Framework