Android Security

ANDROID SECURITY
ATTACKS AND DEFENSES

ABHISHEK DUBEY | ANMOL MISRA

CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742

© 2013 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works

Version Date: 20130403

International Standard Book Number-13: 978-1-4822-0986-0 (eBook - ePub)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Dedication

To Mom, Dad, Sekhar, and Anupam - Anmol
To Maa, Papa, and Anubha - Abhishek

Contents

Dedication
Foreword
Preface
About the Authors
Acknowledgments

Chapter 1 Introduction
  1.1 Why Android
  1.2 Evolution of Mobile Threats
  1.3 Android Overview
  1.4 Android Marketplaces
  1.5 Summary

Chapter 2 Android Architecture
  2.1 Android Architecture Overview
    2.1.1 Linux Kernel
    2.1.2 Libraries
    2.1.3 Android Runtime
    2.1.4 Application Framework
    2.1.5 Applications
  2.2 Android Start Up and Zygote
  2.3 Android SDK and Tools
    2.3.1 Downloading and Installing the Android SDK
    2.3.2 Developing with Eclipse and ADT
    2.3.3 Android Tools
    2.3.4 DDMS
    2.3.5 ADB
    2.3.6 ProGuard
  2.4 Anatomy of the “Hello World” Application
    2.4.1 Understanding Hello World
  2.5 Summary

Chapter 3 Android Application Architecture
  3.1 Application Components
    3.1.1 Activities
    3.1.2 Intents
    3.1.3 Broadcast Receivers
    3.1.4 Services
    3.1.5 Content Providers
  3.2 Activity Lifecycles
  3.3 Summary

Chapter 4 Android (in)Security
  4.1 Android Security Model
  4.2 Permission Enforcement—Linux
  4.3 Android’s Manifest Permissions
    4.3.1 Requesting Permissions
    4.3.2 Putting It All Together
  4.4 Mobile Security Issues
    4.4.1 Device
    4.4.2 Patching
    4.4.3 External Storage
    4.4.4 Keyboards
    4.4.5 Data Privacy
    4.4.6 Application Security
    4.4.7 Legacy Code
  4.5 Recent Android Attacks—A Walkthrough
    4.5.1 Analysis of DroidDream Variant
    4.5.2 Analysis of Zsone
    4.5.3 Analysis of Zitmo Trojan
  4.6 Summary

Chapter 5 Pen Testing Android
  5.1 Penetration Testing Methodology
    5.1.1 External Penetration Test
    5.1.2 Internal Penetration Test
    5.1.3 Penetration Test Methodologies
    5.1.4 Static Analysis
    5.1.5 Steps to Pen Test Android OS and Devices
  5.2 Tools for Penetration Testing Android
    5.2.1 Nmap
    5.2.2 BusyBox
    5.2.3 Wireshark
    5.2.4 Vulnerabilities in the Android OS
  5.3 Penetration Testing—Android Applications
    5.3.1 Android Applications
    5.3.2 Application Security
  5.4 Miscellaneous Issues
  5.5 Summary

Chapter 6 Reverse Engineering Android Applications
  6.1 Introduction
  6.2 What is Malware?
  6.3 Identifying Android Malware
  6.4 Reverse Engineering Methodology for Android Applications
  6.5 Summary

Chapter 7 Modifying the Behavior of Android Applications without Source Code
  7.1 Introduction
    7.1.1 To Add Malicious Behavior
    7.1.2 To Eliminate Malicious Behavior
    7.1.3 To Bypass Intended Functionality
  7.2 DEX File Format
  7.3 Case Study: Modifying the Behavior of an Application
  7.4 Real World Example 1—Google Wallet Vulnerability
  7.5 Real World Example 2—Skype Vulnerability (CVE-2011-1717)
  7.6 Defensive Strategies
    7.6.1 Perform Code Obfuscation
    7.6.2 Perform Server Side Processing
    7.6.3 Perform Iterative Hashing and Use Salt
    7.6.4 Choose the Right Location for Sensitive Information
    7.6.5 Cryptography
    7.6.6 Conclusion
  7.7 Summary

Chapter 8 Hacking Android
  8.1 Introduction
  8.2 Android File System
    8.2.1 Mount Points
    8.2.2 File Systems
    8.2.3 Directory Structure
  8.3 Android Application Data
    8.3.1 Storage Options
    8.3.2 /data/data
  8.4 Rooting Android Devices
  8.5 Imaging Android
  8.6 Accessing Application Databases
  8.7 Extracting Data from Android Devices
  8.8 Summary

Chapter 9 Securing Android for the Enterprise Environment
  9.1 Android in Enterprise
    9.1.1 Security Concerns for Android in Enterprise
    9.1.2 End-User Awareness
    9.1.3 Compliance/Audit Considerations
    9.1.4 Recommended Security Practices for Mobile Devices
  9.2 Hardening Android
    9.2.1 Deploying Android Securely
    9.2.2 Device Administration
  9.3 Summary

Chapter 10 Browser Security and Future Threat Landscape
  10.1 Mobile HTML Security
    10.1.1 Cross-Site Scripting
    10.1.2 SQL Injection
    10.1.3 Cross-Site Request Forgery
    10.1.4 Phishing
  10.2 Mobile Browser Security
    10.2.1 Browser Vulnerabilities
  10.3 The Future Landscape
    10.3.1 The Phone as a Spying/Tracking Device
    10.3.2 Controlling Corporate Networks and Other Devices through Mobile Devices
    10.3.3 Mobile Wallets and NFC
  10.4 Summary

Appendix A
Appendix B
  B.1 Views
  B.2 Code Views
  B.3 Keyboard Shortcuts
  B.4 Options
Appendix C
Glossary
Index

Foreword

Ever-present cyber threats have been increasing against mobile devices in recent years. As Android emerges as the leading platform for mobile devices, security issues associated with the Android platform become a growing concern for personal and enterprise customers. Android Security: Attacks and Defenses provides the reader with a sense of preparedness by breaking down the history of Android and its features and addressing the methods of attack, ultimately giving professionals, from mobile application developers to security architects, an understanding of the necessary groundwork for a good defense.

In the context and broad realm of mobility, Dubey and Misra bring into focus the rise of Android to the scene and the security challenges of this particular platform. They go beyond the basic security concepts that are already readily available to application developers to tackle essential and advanced topics such as attack countermeasures, the integration of Android within the enterprise, and the associated regulatory and compliance risks to an enterprise. By reading this book, anyone with an interest in mobile security will be able to get up to speed on the Android platform and will gain a strategic perspective on how to protect personal and enterprise customers from the growing threats to mobile devices. It is a must-have for security architects and consultants as well as enterprise security managers who are working with mobile devices and applications.

Dr. Dena Haritos Tsamitis
Director, Information Networking Institute (INI)
Director of Education, Training, and Outreach, CyLab
Carnegie Mellon University

Dr. Dena Haritos Tsamitis heads the Information Networking Institute (INI), a global, interdisciplinary department within Carnegie Mellon University’s College of Engineering. She oversees the INI’s graduate programs in information networking, information security technology and management, and information technology. Under her leadership, the INI expanded its programs to global locations and led the design of bicoastal programs in information security, mobility, and software management in collaboration with Carnegie Mellon’s Silicon Valley campus. Dena also directs education, training and outreach for Carnegie Mellon CyLab. She serves as the principal investigator on two educational programs in information assurance funded by the NSF—the CyberCorps Scholarship for Service and the Information Assurance Capacity Building Program—and she is also the principal investigator on the DOD-funded Information Assurance Scholarship Program. She received the 2012 Barbara Lazarus Award for Graduate Student and Junior Faculty Mentoring from Carnegie Mellon and the 2008 Women of Influence Award, presented by Alta Associates and CSO Magazine, for her achievements in information security and education.

Preface

The launch of the Apple iPhone in 2007 started a new era in the world of mobile devices and applications. Google’s Android platform has emerged as a serious player in the mobile devices market, and by 2012, more Android devices were being sold than iPhones. With mobile devices becoming mainstream, we have seen the evolution of threats against them. Android’s popularity has brought it attention from the “bad guys,” and we have seen attacks against the platform on the uptick.

About the Book

In this book, we analyze the Android platform and applications in the context of security concerns and threats.
