Android Security What is out there? - PowerPoint PPT Presentation


PPT – Android Security What is out there? PowerPoint presentation | free to view - id: 45df49-NjdkO


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation

Android Security What is out there?


Android Security What is out there? Waqar Aziz Android Market Share - I * Android Market Share - II * Android Market Share - III * Android App Market Security Model ... – PowerPoint PPT presentation

Number of Views:145
Avg rating:3.0/5.0
Slides: 22
Provided by: Waqar1


Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Android Security What is out there?

Android SecurityWhat is out there?
  • Waqar Aziz

Android Market Share - I
Android Market Share - II
Android Market Share - III
Android App Market Security Model
  • No formal application screening process.
  • Any developer can upload an application.
  • Android Market relies on community to identify
    and flag
  • Malfunctioning applications
  • Malicious applications
  • Inherently, early adopters suffer if the
    application is malicious.
  • Note Unlike iPhone, Android application can be
    directly downloaded and installed from a third
    party as well.

Phishing App Example
  • Bank Phishing application
  • Advertised to do banking activities from phone.
  • User to give account information and credentials
    for the app to facilitate banking activities.
  • In reality the app did only the following
  • Open the banking website in phones browser.
    Thats it!!
  • A number of users were scammed before the
    application was taken out from Android Market.

Android Market Statistics
  • About 20 of 48,000 apps in Android Marketplace
    allow a third-party application access to
    sensitive or private information.
  • 5 apps can place calls to any number without
    user interaction.
  • 2 apps can send text messages without user
  • 29 apps require the exact same permissions as
    applications that are known to be spyware.
  • 383 apps have the ability to read and use the
    authentication credentials from another app or

Android Security Apps - I
  • Both apps are developed by Pittsburgh based
    security researcher and hacker who goes by Moxie
  • RedPhone
  • Uses ZRTP, Internet voice cryptography scheme.
  • It uses two users keys to create a passphrase,
    which is later displayed at both ends for users
    to verify.
  • SecureText
  • Encrypted text messages.
  • Both apps generate a new key for every
    communication session.

Android Security Apps II
  • OI Safe
  • It saves password and other private data with AES
  • No information is kept online.
  • It works with OI Notepad to encrypt notes, and
    with Obscura to encrypt pictures.
  • Other apps for content encryption
  • B-folder sync
  • Secrets-for-android

Android Manifest - I
  • Android Manifest does the following
  • Declares applications components
  • Identifies any permissions that the application
    expects to be granted
  • Access the Internet, read phone contacts, access
    sensors, etc.
  • Thus, what an application can and cannot do is
    constrained by the total set of permissions that
    can be granted in a Manifest file.
  • Currently, almost all user content and private
    data can be accessed from phones internal phone
    and SD card.
  • However, no permission can be granted to do
    anything on system level except for accessing
    some small number of settings.

Android Manifest - II
Anti-malware Apps - I
  • Smobile Security Shield
  • It does permission-based malware detection.
  • Scans manifest files of apps installed on phone,
    and flags them based on suspicious manifest
  • Maintains a database of manifest files of all
    apps on Android Market other 3rd party sources.
  • Scans application signatures.
  • Maintains a database of application signatures.

Anti-malware Apps - II
  • WaveSecure
  • Remotely wipes out all user data.
  • Tracks and locates the phone.
  • Lock the phone as soon as SIM change is detected.
  • Protection again application uninstallation.
  • Backs up and restores private data SMS,
    contacts, etc.
  • Other similar apps
  • Mobile Defense

What you see is what they get - I
  • Googles Android OS grants access to sensors
    such as cameras and audio inputs only if their
    use is disclosed at installation time. At
    installation time, a user may not understand an
    application well enough to determine why it would
    need sensor data or guage its trustworthiness
  • iPhone instead uses standardized OS interface
    to prompt the user user to approve access

What you see is what they get - II
  • Sensor-access widget
  • When an application requests access to a sensor,
    runtime environment overlays a GUI widget on a
    portion of the screen, such as status bar, to
    notify user of a sensor access.

What you see is what they get - III
  • SWAAID (Show Widget and Allow After Input
  • Turn sensors from passive into active input
  • User intervention is required before sensor
  • User can also enable access without any
    intervention for a while.
  • Then the waiting period (or delay) is intended to
    give the user sufficient time to notice and
    respond to the sensor access.
  • _
  • _

I am allowing what?
  • A paper on Application Authority Disclosure by
    Microsoft Research
  • the great majority of participants preferred
    designs that used images or icons to represent
    resources. This great majority also disliked
    designs that used paragraphs, the central design
    element of Facebooks disclosures, and outlines,
    the central design element of Androids

Rooting Android
  • Rooting Android Gaining root access to Android
    operating system.
  • It can be deemed as similar to iPhone
  • Why root Android?
  • To gain full control over the system.
  • Modify system files themes, core apps, boot
    images, linux binaries, etc.
  • Run applications that require system level access

Other Findings
  • Not a single application currently does user
    authentication using accelerometer.
  • No application attempts to do anything on a
    system level, such as access network packets.
  • Two main reasons for the above findings
  • Android Manifest does not permit anything on
    system level, such as, replacement of factory
    default user authentication mechanism or access
    to other applications traffic.
  • An application written for rooted Android will
    not work on non-rooted Android phones.
  • Apps for rooted Android Internet tethering,
    ad-hoc network,

  1. http//
  2. http//
  3. http//
  4. http//
  5. http//
  6. http//
  7. http//
  8. http//
  9. http//
  10. http//
  11. http//
  12. http//