Android applications security.
So Android platform building blocks the android manifest dot xml This is the file that says,
um how does the application? What are the application components? What permissions are needed for each app?
This is when you install a nap. This is where the
you need this permission. This permission, This permission in this permission That's the android manifest on XML is what has that information.
As a user, you're probably never interact with any of these files. This is just how Google is protecting these applications.
Then activities. This is platform code for user focused tasks such as displaying the app user interface, inputting information into the
application, et cetera, et cetera. Whatever the application
is doing, whatever function at features, the user has to do to the app.
The activities block is what controls that
service is. This is the code that runs in the background.
This enables the process is to remain active after the you eyes closed. So even though android can multitask,
it's not necessarily keeping the program running all the time. It has a memory snapshot of the programs that when you go back to the program, it comes back up automatically without having to re read data from the program itself.
Service is what allows it to do that
broadcast receiver, an object used by the APS to receive inner process communication or I P. C from Android or other running laps.
So the example here, If I get a low battery signal,
the APP will do this. If I lose GPS, the APP will do this. If I get a WiFi connection, the APP will do this. It changes the apse behavior based on changes to the
device, whether battery power or whatever.
APS only have access to specific system resources.
The following resource is heir protected by the OS, and they do require explicit permission. Camera GPS, Bluetooth telephone
SMS network. There's others, too.
if so, such as your location, do you want it to be ableto use GPS location
service is that don't you want to be able to directly call phone numbers? Do you want it to be able to access your accounts?
This is the screen you see
when you install an application
as even see the bottom. I have to choose rather to install or whether to cancel.
There's no other options.
Ultimately it comes down to me is the user whether I'm going to install the app or not
from that graph we saw at the very beginning of this presentation, where 55% of people said it's up to the user.
is ultimately up to the user.
Google's not requiring me to install this.
Google maps is a great app. I use it all the time.
I don't have to install it. I don't have to agree. Toe. Let it be able to use one of these. Resource is
every app that runs on the android. I've mentioned this musty co signed code signed by the developer. If you fail to sign it,
it will be rejected from the Android Matt Market.
There may be installation errors when the user tries to install it
and rejection from the applications handbook so might not even run. If you're able to get it insult,
that doesn't mean the developers can't create
It happens on computers all the time.
Just be aware. Just because something says it's code signed doesn't necessarily mean that it iss
the AP signature developer signature is actually what dictates what other applications data. You can share their three applications from the same developer. They'll be able to access storage
between each application
I think that's probably a pretty port. Security concerns your say hiring third party very much can very much can. I have not done in depth research on
the code signing functionality that would not surprise me notes around whatsoever. Because if I'm
act developer X and I have five applications and they work in conjunction with each other. Of course, I want them to be ableto work with each other, and their Google does have ways
and it wouldn't surprise me at all. That has something to do with the way they're signed,
I can't say 100%. That's true. But if you've done the research, I would not be shocked to find out that's kept the case. I could do some Google stuff during break and
for the purpose of the class, I'll verify it. But no,
I very much agree, and the other issue with that is if during the code signing you
that you mentioned 1/3 party or if you accidentally include something else that you didn't mean to include
it can open up security risks,
so developers create APS within the Android platform. Security architecture.
Google has certain requirements for the apse. You have to have must do this. This isn't us. In order to be able to submit app to the marketplace,
APS do not have access to private user data or should not,
without explicit user permission.
Again, how many users actually read the permission? So very few? I know there's times that I just want to get an app installed and I just click Install as quickly as I can to get it installed. Breeze right past the permission screen.
Well, by doing that, I run a risk that there's permissions on it that I'm not aware of.
Do not have Reid Reid access to other APS files
cannot prevent mobile device from sleep mode.
Cannot access sim card data or network functionality
again. These are all explicit user permission. So sleep mode
there are raps that can can can cause your phone not to go into sleep. If I have Google maps running
the phone will not go to sleep. It will stay on the maps
in the maps program showing me where I'm driving
until I hit the button to turn the display off or I turn the application off
the application sandbox. All laps run in their own sandbox. I know I've mentioned this a couple times, but is one of the primary ways that applications control or Google controls applications.
It's in its own sandbox. It's isolated from other APS. It's isolated from the colonel.
There are ways to break out of the sandbox. But again, if people really want to try to find a way around something, normally they can.
The Dallas the Dal Vik V. M, which is the Java virtual machine that Android uses. Most third parties run within that virtual machine, and it provides an extra layer of security. So again, we're talking about layering security,
because that way, if one security feature fails, the next one might catch it. Think of it as a house. The first security feature of your house is the front door.
If they get through the front door, your house might have an alarm,
said the The alarm is the next security future.
If the alarm, for whatever reason, they either buy passage or get around, it may be your the third security function. So you you are the last line of defense to prevent somebody from getting into your house.
Same sort of thing with applications. There's the sand. Boxing is the primary. And then there's other features that help
protect the security of the phone
code. Review of Android Market APS is done by Google
to verify that not that none contained malicious functions are known vulnerabilities. They've
they've increased their app scanning capabilities. Within the last year,
as malware has been identified as news media has notified,
um, Google or the public about vulnerabilities and android APS, Google has taken steps to ensure their marketplaces more secure.
Nothing is ever gonna be, ah, 100% secure,
but you do. What you can do is a developer.
The scans are done when new vulnerabilities air discovered. So if a new vulnerability comes out that they didn't know about before, they scan every single app in the marketplace to make sure that none of those applications are vulnerable to that issue. If it is, it is removed from the marketplace
the developer fixes it.
Google actually has the ability
to touch back to the phone and in the case of an extravagant or
very big security flaw to remove an act from your device
uninstall, We don't We know there's this security vulnerability that opens up the phone. They can actually remove APS from your device.
So this is just another picture of what we saw a little bit earlier.
As you can see, Android shares more in common with with other job of platforms than with desktop clinics. Yes, it's running Lennix, but it's not the same sort of low sonic red hat or fedora.
It's not the same sort of limits that other
that you would normally see on the desktop, but the virtual machine has a lot in common with, say, Java virtual machine.
You can jail, break or route the phone,
um, which removes code signing restrictions. And it allows row gaps full device access,
depending on the routing you. D'oh! So if you root your phone with the N s a colonel because technically, that's what you're doing, your phone comes with the default operating system. I want to install another operating system.
I need to root it first. In order to do so,
I would. I haven't looked at the NSA,
operating system or version of the operating system,
but they worked with Google on that operate system. I would bet that that does not remove code signing restrictions. And I bet it does not grant road maps. From what I know of Google on what I know of the NSA,
they're looking at securing it, not allowing row gaps to run,
but rooting it enables device the device to download and install unsigned APS that could possibly contain Mountain. Where
the nice thing about Android is, if I want to go to another marketplace,
I can buy stuff from the Amazon marketplace, and there's like three other marketplaces. At least they got the market places that I know of that could buy APS from.
However, the developers there are still required. Dicked signed their code.
So even though the APP is on the Amazon marketplace,
there's still have thio code sign with a certificate that Google provided their applications in order for it to run on the device
with. Once I wrote it, the coat doesn't care about code signing anymore. I can run any application on the phone at that point
may be very difficult to remove completely from the device, and this is true for both APs. You install witness routed or the routing process itself.
you might not be able to get back to factory default,
depending on the manufacturer. The phone routing it may avoid your your warranty
uninstalled procedure is not approved by Google Android,
It has over 450,000 paid and free APS developed exclusively for the Android platform. So the same app that runs in IOS will not run on Android because the code base is entirely separate. So
each of these acts was created specifically for Android
organized. Well, this has organized into two main categories, and at the time it was games and application.
Android or Google just replaced the android market with Android play,
so it has all the same absent in it. But it's structured slightly differently, so it's not just games and applications anymore. You'll have to see the android play app to see how the data is actually structured with in the marketplace now,
and as soon as you purchase
the app, you can download it right from the store and install it on your device.
There's also third party portals, so those are just three different third party portals. Amazons. Another one
When I saw when I first activate my phone, I have to provide the phone with my Gmail accounts and my Gmail password,
and that becomes my user profile
for the android market. And I can have this on multiple android devices. So have an android phone and I have an android tablet.
Anything I buy on my phone I can also install on my tablet. I just have to download it. I don't not have to pay for it again. It's all linked to my account.
Your profile is both on the device, and it establishes the profile in the android market. Place
installed APS are linked to the user profile and maintained by the android market. If I purchase a nap and then remove it, I have permission within the marketplace or or, in this case, Android play to go back and re install it at a later date.
I haven't seen any APS that say you only have this for a year. It's either you own it or you don't,
and you've been recent move installed APS through the my abs menu. So you just
You'll get the option of what you want to do with it and one of the options going to be uninstalled
So popular Security APS
a vast mobile security Norton Mobile Security Webroot Security Antivirus
Ah, lot of these APS contain the same functionality. Antivirus. Um,
you see that a vast has a firewall. Anti theft, vast has SMS and call filter Norton Mobile Security has webbed protection. Webroot security antivirus, his identity protection
the these at manufacturers. These security vendors
insist that it you was the user need tohave
these kind of APS on your phone.
Google and the other OS manufacturers insist
that you don't need to have these APS on your phone and they're just a waste of system. Resource is, and whatever money you purchased for them,
out of the 500,000 APS or the foreign and 50,000 naps on the marketplace.
Last year, 250 APS were identified as malicious and they were quickly removed by Google.
Is it needed or not?
It does add an extra layer of security.
You will see your battery drain faster with one of these programs installed,
and the programs aren't that expensive. Most are like 10 bucks
us. The user need to decide whether you need to add another layer of security.
However, a lot of these APS you need to do reviews of them before you install them because, ah, lot of them testing's shown they don't provide that much protection. Some provide more protection than others, so make sure you're installing one that actually provides the protection that you're worried about.
Blew two. Best practice. The best practices.
Turn off the Bluetooth when you're not using it. You don't need to have Bluetooth on all the time. If you're not using a Bluetooth device,
it doesn't take that long to hit the Bluetooth button to turn it back on when you need it.
Also do do not allow the device to be discoverable. Instead, manually selecting the device that you wanna add at the time you want to use it