Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

EPFL Software Security > Mobile Security > Flashcards

Mobile Security Flashcards

1
Q

Android Security Goals

A
  1. Isolate individual applications
  2. Protect system resources from applications
  3. Vet applications “online”
  4. Protect data of the user
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Android security architecture

A
  1. Apps are carefully vetted server-side and only approved apps can be installed from the “market”
  2. Apps run in a Java-like sandbox, restricted to user-granted permissions
  3. Apps leverage well-defined API channels to communicate with other apps
  4. The system is hardened against local user (app-based) attacks
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Android system security

A
  • Leverages the Linux kernel as a foundation
    -> Process isolation (application runs as its unique user, permissions on file system)
    -> User-based permission model
    -> Extensible mechanism for secure IPC
    -> Configurable (trim down kernel to limit exposure)
    -> Effective resource isolation when accessing hardware
    -> Safe defaults: Verified boot, file system encryption, TEE, ASLR/Fortify/Stack canaries, …
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Android App limitations

A
  • Apps run in a private folder
  • Can start other apps (main activity is always “exported”)
  • Can show things on screen
  • Everything else requires a permission
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Android attack vectors: intent

A
  • Unauthorized intent receipt: Attacker creates an intent filter, receives other apps’ intents that contain privileged information
  • Intent spoofing: Attacker sends a malicious intent to an intent processor
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Android attack vectors: communication

A
  • Insecure Internet communication: Wireshark intercepts traffic
  • Bluetooth, NFC, IR is not restricted: Peripherals are not protected against malicious apps, any app may access any paired device. This is an issue of the granularity of the privileges. There’s only one Bluetooth privilege, privileges are per app, not per connected device
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Android attack vectors: privileges

A
  • Overprivileged app: confused deputy, bugs in application can be leveraged by attacker to gain privileges
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Android attack vectors: lack of (device) updates

A
  • Core problem with Android: fragmentation and heterogeneity
  • Devices are not updated:
    -> Vendors are interested in selling, not updating
    -> Vendors are interested in customizing and branding
  • Solution: bundle some updates with play services
How well did you know this?
1
Not at all
2
3
4
5
Perfectly

EPFL Software Security (10 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions