CSF645 – Mobile Computing 行動計算

Mobile OS - Android

吳俊興 國立高雄大學 資訊工程學系 Outline

•Mobile •Android System Overview – Applications, Development, Platform •Android System Security – Kernel and System Level Security – Security Enhancements •Android Application Security

2 Mobile Operating Systems

• OS that operates mobile devices such as smartphone, tablet, PDA, or other digital mobile devices • Combining the features of a PC OS with – Touchscreen, cellular, Bluetooth, WiFi, GPS mobile navigation, gyroscope sensor, NFC – Voice recorder, camera, video camera – Speech recognition, music player – Battery-powered • Usually without – Keyboard, mouse, CD/DVD-ROM, HDD

3 Mobile OS Milestones Before 1992 Mobile phones / PDA 1993 Apple Newton OS (Personal Digital Assistant, PDA) 1996 Palm OS 1999 Nokia S40 OS 2000 Symbian for Ericsson 2002 Windows CE ( PC) 2003 BlackBerry 2005 Nokia Maemo OS on the first Internet tablet N770 Google acquired Android Inc. on August 17, 2005 2007 Apple iPhone with iOS introduced as an iPhone - mobile phone and Internet communicator 2007 Open Handset Alliance (OHA) formed by Google, HTC, Sony, Dell, Intel, Motorola, Samsung, LG, etc 2007 Mobile 6 (Derived from Windows CE) 2008 OHA releases Android 1.0 with the HTC Dream (T-Mobile G1) as the first Android phone 2010 Microsoft Windows Phone (Metro Design Language) 4 Most Common Mobile OS

• Google Android – On top of Linux Kernel • Apple iOS – On top of open source Darwin core OS, derived from Mac OS X • Microsoft Windows Phone (=> Windows 10) • Nokia S40 OS and Symbian OS • BlackBerry 10 • Qualcomm Brew

5 Android System Overview

• Android – Unveiled by Google along with the founding of Open Handset Alliance to advance open standards for mobile devices • Early SDK was released on 12 November 2007 – iPhone firstly announced on January 9 2007 • Google acquired Android Inc. on August 17, 2005 • The first Android-powered phone was sold in October 2008 – Designed primarily for touchscreen mobile devices such as smartphones and tablet computers, and now for a multiscreen world include wearables, TV and auto • As of 2015, Android has the largest installed base of all general-purpose operating systems – Building on open-source Linux • Android code released as open source, under the Apache License

6 Android Applications

• Applications are usually developed in the Java language using the Android Software Development Kit – Native Development Kit for applications or extensions in C or C++ – Installed from a single file with the .apk file extension • Android applications run in a sandbox – An isolated area of the OS that does not have access to the rest of the system's resources, unless access permissions are granted by the user when the application is installed • However, applications routinely requesting unnecessary permissions, reducing its effectiveness • The complexity of inter-application communication implies Android may have opportunities to run unauthorized code • Two primary sources for applications – Pre-Installed Applications – User-Installed Applications • Either through a store such as Google Play or the Amazon Appstore, or by • Downloading and installing the application's APK file from a third-partysite

7 Android Development • Android consists of – A kernel based on the Linux kernel 2.6 and Linux Kernel 3.x (Android 4.0 onwards) • Does not have a native X Window System nor does it support the full set of standard GNU libraries • a power management feature called wakelocks • The flash storage is split into several partitions, such as "/system" for the operating system itself and "/data" for user data and app installations • Android device owners are not given root access – With middleware, libraries and APIs written in C and • Dalvik virtual machine with just-in-time compilation to run Dalvik dex-code (Dalvik Executable), which is usually translated from Java bytecode – Application software running on an application framework which includes Java-compatible libraries based on Apache Harmony – The main hardware platform for Android is the ARM architecture

8 Android Platform Building Blocks • Device Hardware – Including smart phones, tablets, and set-top-boxes – Processor-agnostic, but taking advantage of some hardware-specific security capabilities such as ARM v6 eXecute-Never • Android Operating System – The core operating system is built on top of the Linux kernel – All device resources, like camera functions, GPS data, Bluetooth functions, telephony functions, network connections, etc. are accessed through OS • Android Application Runtime – Most often written in Java and run in the Dalvik virtual machine – But core Android services and applications are native applications or include native libraries – Both Dalvik and native applications run within the same security environment, contained within the Application Sandbox • Applications get a dedicated part of the filesystem in which they can writeprivatedata, including databases and raw files • Android Runtime (ART) – Introduced by Android 4.4 but not enabled by default • the only runtime in Android 5.0 – Uses ahead-of-time (AOT) compilation to entirely compile the application bytecode into machine code upon the installation of an application 9 Architecture Diagram

10 Android Application Framework

Toolkit for applications in Java • Activity Manager: manages the activity life cycle – Started, Running, Background, Killed • Windows Manager: performs window management • View System: handles the views and layouts of UI • Content Providers: allows one application to make its data available to another • Notification Manager: alerts the user about events • Package Manager: maintains information on the available applications on the device • Telephony Manager: provides access to telephony services • Resource Manager: manages the storing of strings and layout files and bitmaps • Location Manager: finds the device’s geographic location • XMPP Service: supports IETF Extensible Messaging and Presence Protocol (adopted by GoogleTalk)

11 Main Android Application Building Blocks • AndroidManifest.xml: the control file that – Tells the system what to do with all the top-level components in an application • specifically activities, services, broadcast receivers, and content providers – Also specifies which permissions are required • Activities: An Activity is the code for a single, user- focused task – Usually includes displaying a UI to the user • some Activities never display UIs – Typically, one of the application's Activities is the entry point to an application

12 Main Android Application Building Blocks (cont.)

• Services: A Service is a body of code that runs in the background – It can run in its own process, or in the context of another application's process – Other components "bind" to a Service and invoke methods on it via remote procedure calls – An example of a Service is a media player • even when the user quits the media-selection UI, the user probably still intends for music to keep playing • A Service keeps the music going even when the UI has completed • Broadcast Receiver – A BroadcastReceiver is an object that is instantiated when an IPC mechanism known as an Intent is issued by the operating system or another application – For example, an application may register a receiver for the low battery message and change its behavior based on that information

13 Android Versions Version Release date API level 5.1.x March 9, 2015 22 Lollipop 5.0.x November 3, 2014 21 4.4.x KitKat October 31, 2013 19-20 4.3.x July 24, 2013 18 4.2.xJelly Bean November 13, 2012 17 4.1.x July 9, 2012 16 4.0.x Ice Cream Sandwich October 19, 2011 14-15 3.x.x Honeycomb February 22, 2011 11-13 2.3.x Gingerbread December 6, 2010 9-10 2.2 Froyo May 20, 2010 8 2.0, 2.1 Éclair October 26, 2009 7 1.6 Donut September 15, 2009 4 1.5 Cupcake April 30, 2009 3 14 Android Security Overview • Security objectives – Protect user data – Protect system resources (including the network) – Provide application isolation • Key security features – Linux security • Secure interprocess communication – Mandatory application sandbox for all applications • Exception of a small amount of Android OS code running as root, all code above the Linux Kernel is restricted by the Application Sandbox – Application signing – Application-defined and user-granted permissions

15 Kernel and System Level Security • Linux fundamental security features – Prevents user A from reading user B's files – Ensures that user A does not exhaust user B's memory – Ensures that user A does not exhaust user B's CPU resources – Ensures that user A does not exhaust user B's devices (e.g. telephony, GPS, bluetooth) • Android security features – A user-based permissions model – Process isolation – Extensible mechanism for secure IPC – The ability to remove unnecessary and potentially insecure parts of the kernel

16 Android Security Enhancements

• Application Sandbox • System Partition and Safe Mode • Filesystem Permissions • Filesystem Encryption • Device Administration • Password Protection • Memory Management Security Enhancements

17 Application Sandbox • Assign a unique user ID (UID) to each Android application – runs it as that user in a separate process

• A kernel-level Application Sandbox – The kernel enforces security between applications and the system at the process level through standard Linux facilities, such as user and group IDs that are assigned to applications – By default, applications cannot interact with each other and applications have limited access to the operating system • Explicit user-granted permissions required

18 System Partition and Safe Mode • System Partition – Set to read-only – Containing Android's kernel as well as the operating system libraries, application runtime, application framework, and applications • Safe Mode • When a user boots the device into Safe Mode, only core Android applications are available

19 Filesystem: Permissions and Encryption • Filesystem Permissions – Each application runs as its own user – Files created by one application cannot be read or altered by another application unless the developer explicitly exposes files to other applications • Filesystem Encryption – Android 3.0 and later provides full filesystem encryption • All user data can be encrypted in the kernel using the dmcrypt implementation of AES128 with CBC and ESSIV:SHA256 – Filesystem encryption requires the use of a user password • The encryption key is protected by AES128 • A key derived from the user password, preventing unauthorized access to stored data without the user device password • The password is combined with a random salt and hashed repeatedly with SHA1 using the standard PBKDF2 algorithm http://source.android.com/tech/encryption/android_crypto_implementation.html

20 Device Administration and Password Protection

• Device Administration API – Android 2.2 and later provide device administration features at the system level – A system administrator writes the device admin application to be installed on users’ devices • Administrators can enforce password policies — including alphanumeric passwords or numeric PINs — across devices • Administrators can also remotely wipe (that is, restore factory defaultson)lostor stolen handsets https://developer.android.com/guide/topics/admin/device-admin.html • Password Protection – Can be configured to verify a user-supplied password prior to providing access to a device • This password protects the cryptographic key for full filesystem encryption – Use of a password and/or password complexity rules can be required by a device administrator

21 Memory Management Security Enhancements •Android 1.5+ – ProPolice to prevent stack buffer overruns (-fstack-protector) – safe_iop to reduce integer overflows – Extensions to OpenBSD dlmalloc to prevent double free() vulnerabilitiesandto prevent chunk consolidation attacks. Chunk consolidation attacks are a common way to exploit heap corruption. – OpenBSD calloc to prevent integer overflows during memory allocation •Android 2.3+ – Format string vulnerability protections (-Wformat-security -Werror=format-security) – Hardware-based No eXecute (NX) to prevent code execution on the stack and heap – Linux mmap_min_addr to mitigate null pointer dereference privilege escalation (further enhanced in Android 4.1) •Android 4.0+ – Address Space Layout Randomization (ASLR) to randomize key locations in memory •Android 4.1+ – PIE (Position Independent Executable) support – Read-only relocations / immediate binding (-Wl,-z,relro -Wl,-z,now) – dmesg_restrict enabled (avoid leaking kernel addresses) – kptr_restrict enabled (avoid leaking kernel addresses) 22 Android Application Security

• Protected API: only accessible through the OS – Camera functions Location data (GPS) – Bluetooth functions Telephony functions – SMS/MMS functions Network/data connections • Steps 1. An application defines the capabilities it needs in its manifest 2. When preparing to install an application, the system displays a dialog to the user that indicates the permissions requested and asks whether to install 3. If continues, the user has granted all of the requested permissions • The user must grant or deny all of the requested permissions as a block • Applications included in the core OS or bundled by an OEM do not request permissions from the user 4. Once granted, the permissions are applied to the application as long as itis installed • Some device capabilities, such as the ability to send SMS broadcast intents, that are not available to third-party applications – That may be used by applications pre-installed by the OEM – These permissions use the signatureOrSystem permission

23 Interprocess Communication

• Processes can communicate using traditional UNIX-type mechanisms – For examples, filesystem, local sockets, or signals – The Linux permissions still apply • New IPC mechanisms – Binder: A lightweight capability-based RPC mechanism designed for high performance when performing in-process and cross-process calls • Implemented using a custom Linux driver – Services: provide interfaces directly accessible using binder – Intents: An Intent is a simple message object that represents an "intention" to do something. For example, to display a web page • An app expresses its "Intent" by creating an Intent instance to view the URL • The system locates some other piece of code (in this case, the Browser) that knows how to handle that Intent, and runs it – ContentProviders: A ContentProvider is a data storehouse that provides access to data on the device • An application can access data that other applications have exposed via a ContentProvider, and • An application can define its own ContentProviders to expose data of its own 24 Cost-Sensitive APIs

• A cost sensitive API is any function that might generate a cost for the user or the network – Telephony – SMS/MMS – Network/Data – In-App Billing – NFC Access • Placed in the list of protected APIs controlled by the OS • The user will have to grant explicit permission to third-party applications requesting use of cost sensitive APIs

25 SIM Card and Sensitive User Data

• SIM Card Access – Low level access to SIM card not available to third-party apps – Cannot access AT commands • Sensitive User Data Accessed Only by Protected APIs – Personal information – Sensitive input devices: i.e. GPS, camera – Device metadata: i.e. system logs, browser history, phone number, or hardware / network identification information

26 Digital Rights Management

• Two architectural layers – A DRM framework API, which is exposed to applications through the Android application framework and runs through the Dalvik VM for standard applications – A native code DRM manager, which implements the DRM framework and exposes an interface for DRM plug-ins (agents) to handle rights management and decryption for various DRM schemes

27 References • http://en.wikipedia.org/wiki/Mobile_operating_system • http://en.wikipedia.org/wiki/Android_(operating_system) • http://source.android.com/tech/security/ • http://developer.android.com/

28