10. Android - Control Questions Flashcards

1
Q

What operating system kernel is Android built on? Name a few of its low-level security features.

A

Android is based on the Linux kernel.
Low-level security features:
• XN/NX bit (non-executable memory pages, if supported by the hardware)
• ASLR (partial support in 4.0, full since 4.1)
• SELinux (supported since 4.3, partially enforced in 4.4, fully enforced since 5.0)

2
Q

How are apps isolated on Android?

A

Application Sandbox
• Each app runs in its own sandbox, under its own Linux UID
• Apps cannot communicate with each other directly
o Intents and Binder IPC are the typical channels used for this purpose
• Apps cannot access each other’s files
o Except on external storage, which is accessible with the proper permissions
• Apps cannot access the hardware directly
o Requests must go through the Android Framework (and the app must hold the appropriate permissions)

3
Q

Name the two most typically used types of Permissions. Give at least one example for each type.

A

Normal
• Targeted at something that doesn’t pose much risk to the device or the user’s privacy (e.g. vibrating the phone, or accessing the internet)
• Normal permissions are granted automatically when the app is installed
Dangerous
• Permissions for potentially dangerous actions, e.g. accessing the user’s calendar (privacy concerns) or initiating phone calls (may cost money)
• Granted differently in different Android versions
o If the Android version is lower than 6.0 OR the app’s target SDK is lower than 23, the permissions must be granted at install time
▪ It’s all or nothing: you cannot grant a subset of the requested permissions
▪ If denied, the application is not installed
o Otherwise, these permissions are requested at runtime
▪ The user may allow or deny the request
▪ If denied, the application may continue running with limited functionality
• Dangerous permissions belong to logical permission groups
• E.g. CALENDAR = { READ_CALENDAR, WRITE_CALENDAR }
• The user is prompted for the group, not for the individual permissions
• If a later version of the app requests another permission from a group the user has already granted, it is granted without a new prompt
• This may work differently in certain ROMs, especially modern ones

4
Q

How can Dangerous permissions be granted to an app?

A

• Granted differently in different Android versions
o If the Android version is lower than 6.0 OR the app’s target SDK is lower than 23, the permissions must be granted at install time
▪ It’s all or nothing: you cannot grant a subset of the requested permissions
▪ If denied, the application is not installed
o Otherwise, these permissions are requested at runtime
▪ The user may allow or deny the request
▪ If denied, the application may continue running with limited functionality

5
Q

Why must applications be signed?

A

• All apps must be digitally signed in order to be installed
• The signing certificate does not need to be issued by a trusted CA
o That is, the certificate may be self-signed
o This also means that we can’t find out much (if anything) about the developer based on the certificate
• However, the choice of certificate (and keeping its private key safe) is important
o Updates to an app may only be installed if the update is signed by the same key as the previous version
o Signature permissions, if used, are granted based on the signing certificate
o Apps signed by the same key may request to be put in the same sandbox (a shared UID, via android:sharedUserId)
o Google requires that any app published to the Play Store be signed with a certificate that is valid until at least 22 October 2033

6
Q

How can applications be signed? What schemes are used? Explain and compare them.

A

There are two (three) different signature schemes
v1 scheme – the standard JAR signing method
• A hash is computed for each file separately, and the list of hashes (the manifest) is signed
• Verification is slow and more resource intensive, as the entire package must be decompressed, files must be checked one by one, and unsigned files need to be skipped over
• Some parts of the application cannot be protected (e.g. ZIP metadata)
v2 scheme (APK Signature Scheme v2)
• The entire APK is treated as one data blob; the signature lives in an APK Signing Block inserted just before the ZIP central directory
• Faster and less resource intensive to validate
• Protects against more kinds of tampering
• Supported on Android 7 or newer

v3 scheme
• Very similar to v2, it just contains more information in the signing block (notably a proof-of-rotation lineage, which allows the signing key to be rotated)
• New with Android 9
The same application may contain multiple signatures of multiple versions
• I.e. an app may have a v1, a v2 and a v3 signature at the same time
• In theory, there may be multiple signatures of the same version as well (with different certificates); however, Google does not allow such applications in the Play Store
• Devices verify the highest version of signature that they understand
o If verification fails, the app is rejected (lower versions are not tried)
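The following is an added example for cards 5 and 6, written for this page; it is not code from the original deck or from AOSP. It builds a constructed minimal APK with `zipfile`, splices in a synthetic APK Signing Block whose values are placeholder bytes rather than real signatures, and then reports which schemes are present (v1 from the META-INF files, v2/v3 from the block IDs) and which single scheme a device of a given API level will verify. The block IDs are the ones AOSP's apksig uses; the `scheme_checked_by_device` ordering (v3 from API 28, v2 from API 24, otherwise v1) is an assumed simplification that ignores v3.1.

```python
import io
import struct
import zipfile

# Added example (not from the page or AOSP): locate and parse an APK Signing Block.
APK_SIG_BLOCK_MAGIC = b"APK Sig Block 42"
EOCD_SIGNATURE = b"PK\x05\x06"

# Block IDs as used by AOSP's apksig; the padding block is not a signature.
BLOCK_ID_V2 = 0x7109871A
BLOCK_ID_V3 = 0xF05368C0
BLOCK_ID_V31 = 0x1B93AD61
BLOCK_ID_PADDING = 0x42726577
SCHEME_NAMES = {BLOCK_ID_V2: "v2 (APK Signature Scheme v2)",
                BLOCK_ID_V3: "v3 (APK Signature Scheme v3)",
                BLOCK_ID_V31: "v3.1 (APK Signature Scheme v3.1)"}


def find_eocd(data: bytes) -> int:
    """Offset of the End Of Central Directory record (may be followed by a ZIP comment)."""
    pos = data.rfind(EOCD_SIGNATURE, max(0, len(data) - 22 - 0xFFFF))
    if pos < 0:
        raise ValueError("not a ZIP file: EOCD record not found")
    return pos


def central_directory_offset(data: bytes) -> int:
    return struct.unpack_from("<I", data, find_eocd(data) + 16)[0]


def parse_signing_block(data: bytes) -> dict:
    """Return {block_id: value_bytes} for the APK Signing Block, or {} if there is none.

    Layout: uint64 size | id-value pairs | uint64 size | 16-byte magic, ending exactly
    where the ZIP central directory begins; both size fields exclude the first one.
    """
    cd = central_directory_offset(data)
    if cd < 32 or data[cd - 16:cd] != APK_SIG_BLOCK_MAGIC:
        return {}
    size = struct.unpack_from("<Q", data, cd - 24)[0]
    start = cd - size - 8
    if start < 0 or struct.unpack_from("<Q", data, start)[0] != size:
        raise ValueError("malformed signing block: size fields inconsistent")
    pairs, pos, end = {}, start + 8, cd - 24
    while pos < end:
        pair_len = struct.unpack_from("<Q", data, pos)[0]   # covers id + value
        if pair_len < 4 or pos + 8 + pair_len > end:
            raise ValueError("malformed signing block: pair overruns block")
        block_id = struct.unpack_from("<I", data, pos + 8)[0]
        pairs[block_id] = data[pos + 12:pos + 8 + pair_len]
        pos += 8 + pair_len
    return pairs


def signature_schemes(data: bytes) -> list:
    """Names of the schemes present: v1 from META-INF files, v2/v3 from the signing block."""
    schemes = []
    names = zipfile.ZipFile(io.BytesIO(data)).namelist()
    meta = [n for n in names if n.startswith("META-INF/")]
    if ("META-INF/MANIFEST.MF" in names and any(n.endswith(".SF") for n in meta)
            and any(n.rsplit(".", 1)[-1] in ("RSA", "DSA", "EC") for n in meta)):
        schemes.append("v1 (JAR signature)")
    for block_id in parse_signing_block(data):
        if block_id in SCHEME_NAMES:
            schemes.append(SCHEME_NAMES[block_id])
    return schemes


def scheme_checked_by_device(schemes: list, api_level: int):
    """The one signature a device verifies: the highest version it understands (assumed
    simplification: v3 from API 28, v2 from API 24, otherwise v1; v3.1 ignored)."""
    for min_api, tag in ((28, "v3 "), (24, "v2 "), (1, "v1 ")):
        if api_level >= min_api:
            for s in schemes:
                if s.startswith(tag):
                    return s
    return None


def build_sample_apk(block_ids=None) -> bytes:
    """Constructed sample: minimal ZIP with v1 files; optionally splice in a signing block
    whose values are placeholder bytes rather than real signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.SF", "Signature-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x00")  # placeholder, not a real PKCS#7
    data = buf.getvalue()
    if block_ids is None:
        return data
    cd, eocd = central_directory_offset(data), find_eocd(data)
    body = b"".join(struct.pack("<QI", 4 + len(b"signer"), i) + b"signer" for i in block_ids)
    size = len(body) + 8 + 16                      # pairs + trailing size + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + APK_SIG_BLOCK_MAGIC
    patched = bytearray(data[:cd] + block + data[cd:])
    struct.pack_into("<I", patched, eocd + len(block) + 16, cd + len(block))  # fix CD offset
    return bytes(patched)


if __name__ == "__main__":
    apk = build_sample_apk([BLOCK_ID_V2, BLOCK_ID_V3])
    print(signature_schemes(apk))
    print(scheme_checked_by_device(signature_schemes(apk), 27))
```

Because the block sits between the local file entries and the central directory, the ZIP offsets in the central directory stay valid, which is why the parser (and a real APK) can be read by an ordinary ZIP library while the block remains invisible to it. On a real APK, run `signature_schemes(open("app.apk", "rb").read())`; `apksigner verify --verbose` reports the same information from the official tooling.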

7
Q

Can one install apps from sources other than the Play Store? If so, how?

A

• By default, installation from unknown sources (anything other than the Play Store) is blocked
• You may choose to permit the installation of apps from outside the Play Store
o If using a different store (e.g. F-Droid)
o If a company needs a custom, non-listed application (side-loading)
o If you are a developer testing your apps on a live device (e.g. via adb install)

8
Q

Why is the Android ecosystem so fragmented? (Hint: think of how updates work.)

A

• It would be important to keep all devices up-to-date
o Security fixes
o Feature updates
o Easier app development (less diversity to account for)

• The typical update procedure
o A new version is released by the AOSP
o Manufacturers update their own ROMs and push updates to devices and to mobile service providers (carriers)
o Mobile service providers test/integrate the changes into their versions
o Users download and install them (OTA or by side-loading)
▪ From the manufacturer, if the device was bought directly from them
▪ From the carrier, if the device is carrier-sold
• Some carriers do not interfere with the update process (they do not change the update server URL to their own), so the updates can be downloaded from the manufacturer’s server as usual

• The procedure is far too complicated
o Manufacturers often ignore low/mid-end phones, sometimes even higher-end phones
▪ And even if they don’t, the support period is almost always shorter than the lifetime of the phone
o Carriers have exactly the same issue
o Users don’t always know that updates are available, or that it is important for them to update

• A possible solution: Project Treble
o Separates the vendor implementation (HALs) from the Android OS framework, so the system can be updated without requiring support from the vendor and/or the carrier
o Phones that ship with 8.0 or greater out of the box must support Treble

9
Q

What is Google SafetyNet’s Attestation API used for? Give an example.

A

It makes it possible for apps to check how ‘safe’ a device is
• ctsProfileMatch – whether the device matches a profile that passed the Compatibility Test Suite (the stricter verdict)
• basicIntegrity – whether the device appears untampered (the more lenient verdict: an unlocked bootloader or custom ROM typically fails ctsProfileMatch but passes basicIntegrity, while rooting, emulators and API hooking fail both)
• Apps may decide whether to run, or what features to offer, based on these
• The SafetyNet Attestation API has since been deprecated in favour of the Play Integrity API, which exposes equivalent verdicts
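The server-side policy check an app backend should perform on the attestation result, as an added example written for this page (not code from the deck or from Google). The attestation is returned to the app as a JWS whose payload carries the fields above plus the caller's nonce, the APK package name and a timestamp; the assumption here is that the JWS signature and its x5c certificate chain (leaf issued for attest.android.com) have already been verified by a JOSE library, so the code only shows the field checks that turn the verdicts into a decision. The sample JWS is constructed with a placeholder signature and the package name `com.example.bank` is invented.

```python
import base64
import json
import time

# Added example (not from the page or Google): policy check on a SafetyNet attestation
# JWS. Assumption: the JWS signature and x5c chain were verified before this is called.


def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def evaluate_attestation(jws: str, expected_nonce: str, expected_package: str,
                         now_ms: int, max_age_ms: int = 2 * 60 * 1000):
    """Return (allowed, reasons). `allowed` requires both verdicts; `reasons` explains a
    refusal so the app can degrade features (e.g. read-only mode) instead of just failing."""
    reasons = []
    try:
        header_b64, payload_b64, _sig = jws.split(".")
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64, undecodable or invalid JSON
        return False, ["malformed JWS"]
    if header.get("alg") != "RS256" or not header.get("x5c"):
        reasons.append("unexpected JWS header (expect RS256 with x5c chain)")
    # Bind the verdict to this request: a replayed JWS carries the wrong nonce.
    if payload.get("nonce") != expected_nonce:
        reasons.append("nonce mismatch (replay or wrong session)")
    # Bind it to our app, so a verdict obtained for some other APK cannot be reused.
    if payload.get("apkPackageName") != expected_package:
        reasons.append("apkPackageName mismatch")
    age = now_ms - int(payload.get("timestampMs", 0))
    if age < 0 or age > max_age_ms:
        reasons.append("timestamp outside freshness window")
    if not payload.get("basicIntegrity", False):
        reasons.append("basicIntegrity=false (rooted, emulator or hooked)")
    elif not payload.get("ctsProfileMatch", False):
        reasons.append("ctsProfileMatch=false (uncertified device, unlocked bootloader or custom ROM)")
    return not reasons, reasons


def make_sample_jws(**payload) -> str:
    """Constructed sample JWS with a placeholder signature (not a real Google response)."""
    header = {"alg": "RS256", "x5c": ["<base64 DER certificate chain placeholder>"]}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"placeholder-signature")])


if __name__ == "__main__":
    now = int(time.time() * 1000)
    good = make_sample_jws(nonce="c2Vzc2lvbi1ub25jZQ", timestampMs=now - 1000,
                           apkPackageName="com.example.bank",
                           ctsProfileMatch=True, basicIntegrity=True)
    print(evaluate_attestation(good, "c2Vzc2lvbi1ub25jZQ", "com.example.bank", now))
```

The nonce must be generated server-side per session and never reused, otherwise an attacker can capture one genuine verdict on a clean device and replay it from a rooted one; the freshness window closes the same gap for a verdict captured long ago.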

10
Q

What are Trust Agents?

A

Modules that report to the system whether they believe that the current environment is trusted
• This can be used to temporarily relax the security configuration of the device
• In practice, this currently means bypassing the lock screen

11
Q

How does Device Encryption work?

A

The contents of the phone may be encrypted so that a password is needed to boot the phone (or to read any file stored on it)
• Based on dm-crypt, the Linux kernel’s block-device (full-disk) encryption module
• Uses AES in CBC mode with a 128-bit key, which is derived from the password using PBKDF2
o Hardware-backed features such as trusted key storage may be used if available
• Starting from Android 5.1, PINs and patterns may be used instead of a password, but this is less secure (the key space is far smaller)
o The fingerprint reader cannot be used at this point, as that would need access to the fingerprint database, which is itself stored encrypted on the phone
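Why the "PIN is less secure" point matters in numbers, as an added example written for this page (not code from the deck or from AOSP). The derivation parameters are an assumption modelled on the early FDE design: PBKDF2-HMAC-SHA1 with 2000 iterations and a 16-byte salt, producing a 16-byte AES-128 key plus a 16-byte IV that wrap the disk master key with AES-CBC. The salt and the PIN `1234` are constructed for the demo. The attack shown is the offline one: it presumes the attacker has the wrapped master key and salt from the crypto footer and that the derivation is not bound to the device; where the hardware-backed key storage mentioned above is used (Android 5.0 and later bind the derivation to a TEE-held key), the guesses must go through the device and its rate limiting instead.

```python
import hashlib
import hmac
import itertools
import string
import time

# Added example (not from the page or AOSP). Assumed parameters, modelled on early Android
# FDE: PBKDF2-HMAC-SHA1, 2000 iterations, 16-byte salt, 32 bytes out (AES-128 key + IV
# that wrap the master key with AES-CBC).
ITERATIONS = 2000
DERIVED_LEN = 32
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed, fixed for the demo


def derive_wrap_key(secret: str, salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Key+IV that wraps the master key; this is what an offline attacker must reproduce."""
    return hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, iterations, DERIVED_LEN)


def brute_force_pin(target: bytes, digits: int = 4, salt: bytes = SALT,
                    iterations: int = ITERATIONS):
    """Enumerate every numeric PIN of the given length. Returns (pin, attempts); pin is
    None when the space is exhausted. Only possible if the attacker holds the wrapped key
    material and the derivation is not bound to the device hardware."""
    attempts = 0
    for digit_tuple in itertools.product(string.digits, repeat=digits):
        attempts += 1
        candidate = "".join(digit_tuple)
        if hmac.compare_digest(derive_wrap_key(candidate, salt, iterations), target):
            return candidate, attempts
    return None, attempts


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 50) -> float:
    """Measure one PBKDF2 evaluation on this machine (real attackers use GPUs: far faster)."""
    start = time.perf_counter()
    for i in range(samples):
        derive_wrap_key(str(i), SALT, iterations)
    return (time.perf_counter() - start) / samples


def worst_case_seconds(charset_size: int, length: int, per_guess: float) -> float:
    """Time to exhaust the whole key space at the measured rate."""
    return (charset_size ** length) * per_guess


if __name__ == "__main__":
    target = derive_wrap_key("1234")             # what the crypto footer would let us test against
    print("recovered", brute_force_pin(target))
    spg = seconds_per_guess()
    print("4-digit PIN, worst case: %.1f s" % worst_case_seconds(10, 4, spg))
    print("6-digit PIN, worst case: %.1f s" % worst_case_seconds(10, 6, spg))
    print("8-char alphanumeric password, worst case: %.0f years"
          % (worst_case_seconds(62, 8, spg) / (365 * 24 * 3600)))
```

The iteration count only scales the cost linearly; it is the size of the secret space (10^4 for a 4-digit PIN against 62^8 for a modest password) that separates seconds from centuries, which is exactly the trade-off the card describes.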

12
Q

Why is it dangerous to set your phone to USB File Transfer mode by default?

A

Previously, file transfers over USB were enabled by default, making it possible for rogue charging stations (so-called juice jacking) to steal data from the phone or attack it through the USB connection.
