Time
8 hours 33 minutes
Difficulty
Beginner
CEU/CPE
9

Video Transcription

00:05
Android applications security.
00:07
So Android platform building blocks the android manifest dot xml This is the file that says,
00:15
um how does the application? What are the application components? What permissions are needed for each app?
00:22
This is when you install a nap. This is where the
00:25
you need this permission. This permission, This permission in this permission That's the android manifest on XML is what has that information.
00:33
As a user, you're probably never interact with any of these files. This is just how Google is protecting these applications.
00:41
Then activities. This is platform code for user focused tasks such as displaying the app user interface, inputting information into the
00:52
application, et cetera, et cetera. Whatever the application
00:56
is doing, whatever function at features, the user has to do to the app.
01:00
The activities block is what controls that
01:06
service is. This is the code that runs in the background.
01:08
This enables the process is to remain active after the you eyes closed. So even though android can multitask,
01:18
it's not necessarily keeping the program running all the time. It has a memory snapshot of the programs that when you go back to the program, it comes back up automatically without having to re read data from the program itself.
01:32
Service is what allows it to do that
01:34
broadcast receiver, an object used by the APS to receive inner process communication or I P. C from Android or other running laps.
01:44
So the example here, If I get a low battery signal,
01:48
the APP will do this. If I lose GPS, the APP will do this. If I get a WiFi connection, the APP will do this. It changes the apse behavior based on changes to the
02:02
device, whether battery power or whatever.
02:07
APS only have access to specific system resources.
02:12
The following resource is heir protected by the OS, and they do require explicit permission. Camera GPS, Bluetooth telephone
02:21
SMS network. There's others, too.
02:24
So
02:25
if so, such as your location, do you want it to be ableto use GPS location
02:32
service is that don't you want to be able to directly call phone numbers? Do you want it to be able to access your accounts?
02:40
This is the screen you see
02:45
when you install an application
02:49
as even see the bottom. I have to choose rather to install or whether to cancel.
02:55
There's no other options.
02:58
Ultimately it comes down to me is the user whether I'm going to install the app or not
03:05
from that graph we saw at the very beginning of this presentation, where 55% of people said it's up to the user.
03:13
This
03:15
is ultimately up to the user.
03:17
Google's not requiring me to install this.
03:21
Google maps is a great app. I use it all the time.
03:24
I don't have to install it. I don't have to agree. Toe. Let it be able to use one of these. Resource is
03:38
every app that runs on the android. I've mentioned this musty co signed code signed by the developer. If you fail to sign it,
03:47
it will be rejected from the Android Matt Market.
03:51
There may be installation errors when the user tries to install it
03:54
and rejection from the applications handbook so might not even run. If you're able to get it insult,
04:01
that doesn't mean the developers can't create
04:05
fake certificates.
04:08
It happens on computers all the time.
04:12
Just be aware. Just because something says it's code signed doesn't necessarily mean that it iss
04:17
if our correctly
04:20
the AP signature developer signature is actually what dictates what other applications data. You can share their three applications from the same developer. They'll be able to access storage
04:32
between each application
04:34
if they don't name.
04:36
I think that's probably a pretty port. Security concerns your say hiring third party very much can very much can. I have not done in depth research on
04:47
the code signing functionality that would not surprise me notes around whatsoever. Because if I'm
04:54
act developer X and I have five applications and they work in conjunction with each other. Of course, I want them to be ableto work with each other, and their Google does have ways
05:03
to allow that,
05:05
and it wouldn't surprise me at all. That has something to do with the way they're signed,
05:10
so
05:12
I can't say 100%. That's true. But if you've done the research, I would not be shocked to find out that's kept the case. I could do some Google stuff during break and
05:20
for the purpose of the class, I'll verify it. But no,
05:28
I very much agree, and the other issue with that is if during the code signing you
05:33
that you mentioned 1/3 party or if you accidentally include something else that you didn't mean to include
05:40
it can open up security risks,
05:44
so developers create APS within the Android platform. Security architecture.
05:48
Google has certain requirements for the apse. You have to have must do this. This isn't us. In order to be able to submit app to the marketplace,
05:58
APS do not have access to private user data or should not,
06:01
without explicit user permission.
06:05
Again, how many users actually read the permission? So very few? I know there's times that I just want to get an app installed and I just click Install as quickly as I can to get it installed. Breeze right past the permission screen.
06:20
Well, by doing that, I run a risk that there's permissions on it that I'm not aware of.
06:28
Do not have Reid Reid access to other APS files
06:30
cannot prevent mobile device from sleep mode.
06:34
Cannot access sim card data or network functionality
06:39
again. These are all explicit user permission. So sleep mode
06:43
there are raps that can can can cause your phone not to go into sleep. If I have Google maps running
06:48
the phone will not go to sleep. It will stay on the maps
06:54
in the maps program showing me where I'm driving
06:58
until I hit the button to turn the display off or I turn the application off
07:06
the application sandbox. All laps run in their own sandbox. I know I've mentioned this a couple times, but is one of the primary ways that applications control or Google controls applications.
07:18
It's in its own sandbox. It's isolated from other APS. It's isolated from the colonel.
07:25
There are ways to break out of the sandbox. But again, if people really want to try to find a way around something, normally they can.
07:34
The Dallas the Dal Vik V. M, which is the Java virtual machine that Android uses. Most third parties run within that virtual machine, and it provides an extra layer of security. So again, we're talking about layering security,
07:48
because that way, if one security feature fails, the next one might catch it. Think of it as a house. The first security feature of your house is the front door.
07:59
If they get through the front door, your house might have an alarm,
08:03
said the The alarm is the next security future.
08:07
If the alarm, for whatever reason, they either buy passage or get around, it may be your the third security function. So you you are the last line of defense to prevent somebody from getting into your house.
08:20
Same sort of thing with applications. There's the sand. Boxing is the primary. And then there's other features that help
08:26
protect the security of the phone
08:31
code. Review of Android Market APS is done by Google
08:35
to verify that not that none contained malicious functions are known vulnerabilities. They've
08:41
they've increased their app scanning capabilities. Within the last year,
08:46
as malware has been identified as news media has notified,
08:54
um, Google or the public about vulnerabilities and android APS, Google has taken steps to ensure their marketplaces more secure.
09:03
Nothing is ever gonna be, ah, 100% secure,
09:07
but you do. What you can do is a developer.
09:11
The scans are done when new vulnerabilities air discovered. So if a new vulnerability comes out that they didn't know about before, they scan every single app in the marketplace to make sure that none of those applications are vulnerable to that issue. If it is, it is removed from the marketplace
09:31
until
09:33
the developer fixes it.
09:35
Google actually has the ability
09:39
to touch back to the phone and in the case of an extravagant or
09:46
very big security flaw to remove an act from your device
09:50
so they could say
09:52
uninstall, We don't We know there's this security vulnerability that opens up the phone. They can actually remove APS from your device.
10:03
So this is just another picture of what we saw a little bit earlier.
10:09
As you can see, Android shares more in common with with other job of platforms than with desktop clinics. Yes, it's running Lennix, but it's not the same sort of low sonic red hat or fedora.
10:20
It's not the same sort of limits that other
10:24
that you would normally see on the desktop, but the virtual machine has a lot in common with, say, Java virtual machine.
10:33
You can jail, break or route the phone,
10:37
um, which removes code signing restrictions. And it allows row gaps full device access,
10:45
depending on the routing you. D'oh! So if you root your phone with the N s a colonel because technically, that's what you're doing, your phone comes with the default operating system. I want to install another operating system.
11:01
I need to root it first. In order to do so,
11:05
I would. I haven't looked at the NSA,
11:09
um,
11:09
operating system or version of the operating system,
11:13
but they worked with Google on that operate system. I would bet that that does not remove code signing restrictions. And I bet it does not grant road maps. From what I know of Google on what I know of the NSA,
11:26
they're looking at securing it, not allowing row gaps to run,
11:31
but rooting it enables device the device to download and install unsigned APS that could possibly contain Mountain. Where
11:39
the nice thing about Android is, if I want to go to another marketplace,
11:45
I can
11:46
I can buy stuff from the Amazon marketplace, and there's like three other marketplaces. At least they got the market places that I know of that could buy APS from.
11:54
However, the developers there are still required. Dicked signed their code.
12:01
So even though the APP is on the Amazon marketplace,
12:05
there's still have thio code sign with a certificate that Google provided their applications in order for it to run on the device
12:15
with. Once I wrote it, the coat doesn't care about code signing anymore. I can run any application on the phone at that point
12:24
may be very difficult to remove completely from the device, and this is true for both APs. You install witness routed or the routing process itself.
12:33
What you installed,
12:35
you might not be able to get back to factory default,
12:37
depending on the manufacturer. The phone routing it may avoid your your warranty
12:43
uninstalled procedure is not approved by Google Android,
12:48
the android market.
12:50
It has over 450,000 paid and free APS developed exclusively for the Android platform. So the same app that runs in IOS will not run on Android because the code base is entirely separate. So
13:05
each of these acts was created specifically for Android
13:09
organized. Well, this has organized into two main categories, and at the time it was games and application.
13:16
Android or Google just replaced the android market with Android play,
13:22
so it has all the same absent in it. But it's structured slightly differently, so it's not just games and applications anymore. You'll have to see the android play app to see how the data is actually structured with in the marketplace now,
13:39
and as soon as you purchase
13:41
the app, you can download it right from the store and install it on your device.
13:46
There's also third party portals, so those are just three different third party portals. Amazons. Another one
13:54
application management.
13:58
When I saw when I first activate my phone, I have to provide the phone with my Gmail accounts and my Gmail password,
14:09
and that becomes my user profile
14:11
for the android market. And I can have this on multiple android devices. So have an android phone and I have an android tablet.
14:18
Anything I buy on my phone I can also install on my tablet. I just have to download it. I don't not have to pay for it again. It's all linked to my account.
14:30
Your profile is both on the device, and it establishes the profile in the android market. Place
14:35
installed APS are linked to the user profile and maintained by the android market. If I purchase a nap and then remove it, I have permission within the marketplace or or, in this case, Android play to go back and re install it at a later date.
14:52
I haven't seen any APS that say you only have this for a year. It's either you own it or you don't,
14:58
and you've been recent move installed APS through the my abs menu. So you just
15:03
touch the app.
15:05
You'll get the option of what you want to do with it and one of the options going to be uninstalled
15:11
So popular Security APS
15:15
a vast mobile security Norton Mobile Security Webroot Security Antivirus
15:20
Ah, lot of these APS contain the same functionality. Antivirus. Um,
15:26
you see that a vast has a firewall. Anti theft, vast has SMS and call filter Norton Mobile Security has webbed protection. Webroot security antivirus, his identity protection
15:41
the these at manufacturers. These security vendors
15:46
insist that it you was the user need tohave
15:50
these kind of APS on your phone.
15:54
Google and the other OS manufacturers insist
15:56
that you don't need to have these APS on your phone and they're just a waste of system. Resource is, and whatever money you purchased for them,
16:07
I don't know,
16:07
um,
16:10
out of the 500,000 APS or the foreign and 50,000 naps on the marketplace.
16:15
Last year, 250 APS were identified as malicious and they were quickly removed by Google.
16:21
Is it needed or not?
16:22
It does add an extra layer of security.
16:26
You will see your battery drain faster with one of these programs installed,
16:32
and the programs aren't that expensive. Most are like 10 bucks
16:36
us. The user need to decide whether you need to add another layer of security.
16:42
However, a lot of these APS you need to do reviews of them before you install them because, ah, lot of them testing's shown they don't provide that much protection. Some provide more protection than others, so make sure you're installing one that actually provides the protection that you're worried about.
17:03
Blew two. Best practice. The best practices.
17:06
Turn off the Bluetooth when you're not using it. You don't need to have Bluetooth on all the time. If you're not using a Bluetooth device,
17:14
it doesn't take that long to hit the Bluetooth button to turn it back on when you need it.
17:18
Also do do not allow the device to be discoverable. Instead, manually selecting the device that you wanna add at the time you want to use it

Up Next