ANDROID ICC Lecture 9D Slide Title in CAPITALS 50 Pt COMPSCI 702 Security for Smart-Devices

ANDROID ICC Lecture 9d Slide title In CAPITALS 50 pt COMPSCI 702 Security for Smart-Devices

Slide subtitle 32 pt Muhammad Rizwan Asghar

March 18, 2021 Top right Slide title corner for 40 pt ANDROID BINDER field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example. . Binder enables Inter-Component Communication (ICC) Text 24 pt in Android 5 20 pt . It is implemented as a driver in the Linux kernel

. It is a customised version of Open Binder

. It provides a simple RPC-like mechanism

. Apps use Java methods to invoke ICC

. Android then translates this in C++ invocations and system calls to the Binder driver

2 Top right Slide title corner for 40 pt COMMUNICATION IN ANDROID field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example.

Text 24 pt 5 . In Linux, processes communicate and share 20 pt data through – Pipes – Shared memory – Message queue

. In Android, app components communicate through – Binder

3 Top right Slide title corner for 40 pt ACTIVITY MANAGER field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example. . The Activity Manager is a special service that apps use Text 24 pt for ICC 5 20 pt . It provides more than 100 methods

. Most common methods include – startActivity – sendBroadcast – startService – bindService

. Apps can export services by “publishing” them through the Activity Manager

4 Top right Slide title corner for 40 pt ACTIVITY MANAGER AND BINDER field customer or Slide subtitle partner logotypes. 24 pt Applications See Best practice Home Dialer SMS/MMS IM Browser Camera Alarm Calculator for example.

Text Contacts Voice Dial Email Calendar Media Player Albums Clock … 24 pt 5 20 pt Application Framework Window View Notification Activity Manager Manager Content Providers System Manager

Telephony Location Package Manager Manager Resource Manager Manager … Libraries AndroidA n d r o i Runtime d Runtime

Surface Manager Media Framework SQLite Core Libraries Core Libraries

OpenGL|ES FreeType WebKit DalvikVirtual MachineDalvik Virtual Machine

SGL SSL Libc Linux K e r n e l Shared Memory Display Driver Camera Driver Bluetooth Driver Driver Binder (IPC) Driver

Audio Power USB Driver Keypad Driver WiFi Driver Drivers Management

5 Top right Slide title corner for 40 pt ACTIVITY MANAGER AND BINDER field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example.

Text 24 pt OnServiceConnected Loads the service 5 (binder-handle) if it's not alreay loaded 20 pt Service Client 4 Activity Manager 2 Service

bindService(required-intent) BIND_SERVICE_ publish(receivable-intent) TRANSACTION PUBLISH_SERVICE_ 1 TRANSACTION 3

5 OK Binder OK service name, service args, binder handle service name, service args response response

6 Top right Slide title corner for 40 pt SERVICE MANAGER field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example. . The Service Manager is a special system service to Text 24 pt keep track of available services 5 20 pt . An app that wants to provide a service to others can publish its service through the Service Manager . Communication to the Service Manager takes place through Binder . The Service Manager accepts the following commands – Publish: Takes two arguments – service name and address – used for publishing a service within the Service Manager – Get/check: Takes one argument – service name – returns an address of the service in the form of a handler – List: Lists the service names registered with the Service Manager

7 Top right Slide title corner for 40 pt SERVICE MANAGER IN ACTION field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example.

Text 24 pt 5 Service Client Service Manager 20 pt Service Provider

get/check("x") publish("x") get/check("x") publish("x") 2 1

binder handle Binder OK "x" args, binder handle "x" args "x" response "x" response

8 Top right Slide title corner for 40 pt EXAMPLE: ANDROID APPLICATION field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example.

Text 24 pt 5 20 pt

. The FriendTracker and FriendViewer applications: users can discover and view their friends’ locations

9 Top right Slide title corner for 40 pt FRIENDTRACKER APPLICATION field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example. . FriendTracker (Service) polls an external Text 24 pt service to discover friends’ locations 5 20 pt . FriendProvider (Content provider) maintains the most recent geographic coordinates of friends

. FriendTrackerControl (Activity) defines a user interface for starting and stopping the tracking functionality

. BootReceiver (Broadcast receiver) gets a notification from the system once it boots – The application uses this to automatically start the FriendTracker service

10 Top right Slide title corner for 40 pt COMPONENT INTERACTION field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example.

Text 24 pt 5 20 pt

. Service components support start, stop, and bind actions so the FriendTrackerControl (Activity) can start and stop the FriendTracker (Service) that runs in the background

11 Top right Slide title corner for 40 pt REFERENCE MONITOR field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example.

Text 24 pt 5 20 pt

. Android middleware contains a reference monitor that mediates the establishment of ICC

. Reference monitor is part of the Activity Manager

12 Top right Slide title corner for 40 pt MAC SECURITY ENFORCEMENT field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example. . The core idea of Android security enforcement - label Text 24 pt assignment to applications and components 5 20 pt . A reference monitor enforces MAC for regulating access to app components . Access to each component is restricted by assigning it an access permission label . Applications are assigned collections of permission labels . When a component initiates ICC, the reference monitor checks whether its permission label is same as the target component’s access permission label 13 Top right Slide title corner for 40 pt PERMISSION LABELS field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example.

Text 24 pt 5 20 pt

. The Android middleware implements a reference monitor providing MAC enforcement about how applications access components

. Component A’s ability to access components B and C is determined by comparing the access permission labels on B and C with the collection of labels assigned to Application 1

14 Top right Slide title corner for 40 pt SECURITY ENFORCEMENT field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example. . Assigning permission labels to an application specifies Text 24 pt its protection domain 5 20 pt

. Android’s policy enforcement is mandatory: permission labels cannot be changed until the application is re- installed

. Android’s permission label model only restricts access to components and does not currently provide information flow guarantees

15 Top right Slide title corner for 40 pt ACKNOWLEDGEMENT field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example.

Text 24 pt 5 . The first half of this topic is based on the slides 20 pt presented by Giovanni Russello, thanks to him!

. The second half of this presentation is based on slides of Yinshu Wu, which is further based on the following: Enck, William, Machigar Ongtang, and Patrick McDaniel Understanding Android Security IEEE Security & Privacy 1 (2009): 50-57

16 Top right Slide title corner for 40 pt field customer or Slide subtitle partner logotypes. 24 pt See Best practice for example.

Text 24 pt 5 20 pt

Questions?

Thanks for your attention!