Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

Malware Analysis and Exploits 2 > Week 6 - Understanding the Security Model > Flashcards

Week 6 - Understanding the Security Model Flashcards

1
Q

Security Model

A

To prevent unauthorized access to an application’s data by other applications running on the same device.

One application cannot negatively impact the operation of another without proper consent, creating what is known as the application sandbox.

Verifying an application’s identity is essential to maintain trust boundaries and prevent unauthorized claims of identity, such as impersonating Google. This identity verification is managed through code signing

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Code Signing

A

A cryptographic process using digital certificates.

Private keys of these certificates are held by application developers.I

It helps prove the identity of an application’s author and establish trust in the security model.

All Android packages, or APK files, must be signed, even during development using a default debug certificate.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Certificate Creation

A

Developers can create their own certificates for signing.

$ keytool -genkey -v -keystore mykey.keystore -alias alias_name -keyalg RSA -keysize 2048 -validity 10000

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Signing Process

A

Sign an unsigned application using your certificate.

$ jarsigner -verbose -sigalg SHA1withRSA -digestalg SHA1 -keystore mykey.keystore application.apk alias_name

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Certificate Information

A

Stored in the CERT.RSA file within the META-INF folder of the Android package.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Absence of Central Authority Verification

A

Android OS doesn’t verify application certificates against a central authority.

Self-signed certificates are commonly used.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Importance of Keeping Signing Certificate Safe

A

Safeguarding the signing certificate is crucial.

Losing the certificate prevents issuing updates and may require publishing new applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Inspecting Permissions

A

Applications need to request permissions for device access.

Users see abstracted permission information in the Play Store.

Permissions are defined in XML using <permission> and <uses-permission> tags.</uses-permission></permission>

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Finding Requested Permissions

A

Use the app.package.info module in drozer to find permissions for a specific app.

dz> run app.package.info -a com.android.browser.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Search for Permissions

A

Use app.package.list with permission filtering.

dz> run app.package.list -p android.permission.READ_SMS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Permission Implications

A

Requesting permissions can add the app’s user identifier to a Linux group.

Some permissions are purely for access control, not groups.

Check /system/etc/permissions/platform.xml for permission mappings.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Content Providers and Permissions

A

Content providers require permissions for access.

Android checks if an app has the required permission before granting access.

Query content providers to see which permissions are needed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Common Malware Tactics

A

Most Android malware relies on users not reading permissions.

They request permissions to access sensitive data.

No technical security flaw; exploits lack of user awareness.

Some malware bypasses security using kernel exploits for root access.

Signature-based protection restricts inter-app access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Protection Levels

A

Permissions have associated protection levels.

Levels determine conditions for permission requests.

Differentiate between normal, dangerous, signature, and system levels.

Correct protection level selection is crucial for security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

normal - Protection Level

A

Default value.

0x0

Any app may request a permission with this protection level.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

dangerous - Protection Level

A

Indicates that this permission has the ability to access some potentially sensitive information or perform actions on the device.

0x1

Any application may request a permission with this protection level.

17
Q

signature - Protection Level

A

Indicates that this permission can only be granted to another application that was signed with the same certificate as the application that defined the permission.

0x2

18
Q

signatureOrSystem - Protection Level

A

This is the same as the signature protection level, except that the permission can also be granted to an application that came with the Android system image or any other application that is installed on the /system partition.

0x3

19
Q

system - Protection Level

A

This permission can only be granted to an application that came with the Android system image or any other application that is installed in particular folders on the /system partition.

0x10

20
Q

development - Protection Level

A

This permission can be granted from a privileged context to an application at runtime.

0x20

21
Q

Android Application Sandbox

A

Measures to prevent one app from harming others or accessing their data without permission.

Apps run as separate users in a Unix-like security model.

Private data directories are protected with user-specific file permissions.

Example: drwxr-x–x u0_a59 u0_a59 2014-05-11 18:49 com.mwr.dz.

World-executable directories can expose data if subfolders have lax permissions.

22
Q

SharedUserId Exception

A

Apps can share the same user identifier via android:sharedUserId in the manifest.

Granted only if signed with the same certificate.

Apps under the same UID share access, even with configurations to run in the same process.

Example: dz> run app.package.shareduid -u 10005.

23
Q

Binder and IPC Control

A

Binder is used for communication between apps.

Specialized IPC parcels check app permissions for tasks.

Android API calls to app components strictly enforce permissions.

Linux groups may enforce certain permissions instead of binder.

24
Q

Full Disk Encryption (FDE)

A

Encrypts the entire drive or volume.

Protects against lost or stolen disks.

Defeats common forensics techniques.

25
Q

FDE Implementation on Android

A

Uses dm-crypt in the kernel.

Encryption suite: aes-cbc-essiv:sha256.

Requires user activation before Android 5.0 (Lollipop).

26
Q

Key Derivation and User Password

A

User’s PIN/password encrypts FDE password.

Key derived from the user’s PIN/password.

KitKat onwards uses scrypt for stronger security.

27
Q

Data Encryption and SD Card Considerations

A

Encrypts the /data partition.

SD card encryption may vary among manufacturers.

28
Q

Protection and Limitations of FDE

A

Protects data at rest.

Transparent decryption during code execution.

Limits unauthorized access to stolen devices.

Malware Analysis and Exploits 2 (11 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions