Static Verification of Android Security
1 Static Verification of Android Security
Michele Bugliesi, based on work with Stefano Calzavara and Alvise Spanò that appeared at the FORTE/FMOODS Int. Conf.
Università Ca' Foscari Venezia, Dipartimento di Scienze Ambientali, Informatica e Statistica
ISACA VENICE
2 Mobile Devices All Over
Smartphones have become pervasive: increasingly widespread and involved in a variety of contexts:
- Web browsing and social networking
- Multimedia and entertainment
- Navigation and Location Based Services
- On-line payments...
Smartphone security and robustness have therefore become critical.
M. Bugliesi (UNIVE) LINTENT / 24
3 Mobile/Smartphone Security
A variety of attack surfaces.
Apple's iOS: a closed platform with a secret vetting process for new applications; largely (?) protected against malware and design flaws; privacy concerns arising from the closed nature of the platform.
Google's Android: an open platform with loose control on flawed applications; an interesting case study for security research; lots of design flaws and security attacks found over the last few years.
4 Android Security
Main attack surfaces: information flow leaks, privilege escalation, coarse permissioning, ICC mismatches.
Countermeasures: data-flow analysis, runtime reference monitors, OS enhancements, exception handling.
We focus on privilege escalation and ICC mismatches.
Language-based security approach: static verification, based on security typing, to enforce certified secure design practices and assist robust application development. Also effective for validation of existing applications.
5-6 Android Architecture in 1 slide
Applications consist of separate components:
- Activities: associated with user interfaces
- Services: performing long-running background computations
- Broadcast receivers: acting as forwarders of system-wide broadcast messages to specific application components
- Content providers: managing persistent application data
Components communicate with intents, exchanged asynchronously:
- explicit: directed to a specific component
- implicit: directed to any component supporting the associated action
7-8 Android Security Model in 1 slide
Sandboxing: applications are mutually distrusted; each application is assigned a unique ID; applications may only access resources they own, or resources owned by others that are made publicly available.
Permission system: sensitive components are protected by permissions (PHONE CALL, INTERNET, BLUETOOTH, ...); the permissions required to run an application are defined in the application's manifest and granted upon installation; a runtime reference monitor checks permissions upon ICC calls; delegation via pending intents.
9-11 Android insecurities: Privilege escalation
Intended ICC protection policy: an application protected by a permission P should only be invoked by applications owning P.
- App A (Granted: -, Requires: -) calls App B (Granted: P, Requires: -): allowed (yes)
- App B (Granted: P, Requires: -) calls App C (Granted: P, Requires: P): allowed (yes)
- App A calls App C directly: denied (no)
Security flaws in the Android protection system:
- An unprivileged caller may invoke a privileged callee, transitively acquiring its privileges
- Pending intents may be employed to transfer permissions to unprivileged components
12 Android insecurities: Privilege escalation
A realistic threat [Felt et al. 2011]: more than a third of the 872 surveyed Android applications request permissions for sensitive resources and also expose public interfaces; they are therefore at risk of privilege escalation. Found 15 permission re-delegation vulnerabilities in 5 core system applications.
A. Porter Felt, H. J. Wang, A. Moshchuk, S. Hanna, and E. Chin. Permission re-delegation: Attacks and defenses. USENIX Security Symposium.
13-18 Privilege escalation: Countermeasures
State of the art: existing solutions enforce runtime protection, require patches to the OS, incur performance overhead, and do not provide any certified guarantee.
Example: ICC Inspection [Felt et al. 2011] inspects privileges in the ICC call chain and downgrades components as needed.
- Initial state: App A (Granted: -, Requires: -), App B (Granted: P, Requires: -), App C (Granted: P, Requires: P)
- A calls B: allowed (yes); having been invoked by the unprivileged A, B is downgraded to Granted: -
- The downgraded B calls C (Requires: P): denied (no)
Our approach is different: we opt for static, certified verification by typing.
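The two policies compared on these slides, the per-hop reference-monitor check that lets the A -> B -> C chain through and the IPC-inspection downgrade that stops it, as an added Python model (not LINTENT's code, nor Felt et al.'s implementation). The app names A, B, C and the permission P are the slide's; the App record and the chain evaluation are constructed for this example.

```python
"""Model of the ICC protection policy and of IPC inspection [Felt et al. 2011].
Added illustration in Python, not LINTENT code. App names A, B, C and the
permission P are the slide's; the data structures are constructed here."""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class App:
    name: str
    granted: FrozenSet[str]   # permissions granted at install time (manifest)
    requires: FrozenSet[str]  # permissions a caller must own to invoke this app


def hop_allowed(caller: App, callee: App) -> bool:
    """Intended ICC policy as the runtime reference monitor enforces it, one
    hop at a time: a callee protected by P may only be invoked by an owner of P."""
    return callee.requires <= caller.granted


def per_hop_results(chain: List[App]) -> List[bool]:
    """Evaluate each call of a chain (A -> B -> C) with the per-hop check only."""
    return [hop_allowed(a, b) for a, b in zip(chain, chain[1:])]


def escalation_in(chain: List[App]) -> bool:
    """Privilege escalation: every hop is accepted, yet the originating app does
    not itself own some permission required further down the chain, so it has
    transitively acquired that privilege through an intermediary."""
    needed = frozenset().union(*(app.requires for app in chain[1:]))
    return all(per_hop_results(chain)) and not needed <= chain[0].granted


def ipc_inspection_results(chain: List[App]) -> List[bool]:
    """IPC inspection: an app invoked by a less privileged caller is downgraded
    to the intersection of its own and its caller's permissions before it calls
    on, so the chain is refused at the first hop that needs a privilege the
    originator never had."""
    effective = chain[0].granted
    results = []
    for callee in chain[1:]:
        ok = callee.requires <= effective
        results.append(ok)
        if not ok:
            break
        effective = effective & callee.granted   # downgrade the callee
    return results


# The slide's example chain (constructed values).
A = App("A", frozenset(), frozenset())
B = App("B", frozenset({"P"}), frozenset())
C = App("C", frozenset({"P"}), frozenset({"P"}))
SLIDE_CHAIN = [A, B, C]

if __name__ == "__main__":
    print("per-hop:", per_hop_results(SLIDE_CHAIN))               # [True, True]
    print("escalation:", escalation_in(SLIDE_CHAIN))               # True
    print("IPC inspection:", ipc_inspection_results(SLIDE_CHAIN))  # [True, False]
```

The per-hop check is exactly the monitor's view: each call is legal on its own, which is why the escalation goes unnoticed at runtime. The downgrade costs a set intersection per hop at every ICC call, which is the performance overhead and OS patch the slides object to; a static check sees the whole chain in the source instead.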
19 LINTENT: Android source code analyzer
Implemented as an Android Lint plugin, with full Eclipse integration.
Detects Android API usage: component classes, SDK method calls, special calling patterns.
Helps developers write robust code: type errors, warnings and hints on the code; a second-tier Java type-checker.
20 LINTENT: Security checking
Analyzes: application permissions (manifest); IPC permissions used in source code; the secrecy level of objects, to track pending intents.
Detects: attack surfaces for privilege escalation; over-privileged applications; runtime failures due to under-privilege.
21-25 LINTENT: Tracing pending intents
    class MyActivity extends Activity {
        ...
        // Create intent, requires BLUETOOTH: secrecy(i) = BLUETOOTH
        Intent i = new Intent(BluetoothAdapter.ACTION_REQUEST_ENABLE);
        // Create pending intent for i: secrecy(p) = secrecy(i)
        PendingIntent p = PendingIntent.getActivity(this, 0, i, 0);
        // Create new intent: secrecy(i2) = PUBLIC
        Intent i2 = new Intent("ACT_STRING");
        // inject p into i2: TYPE ERROR! secrecy(p) > secrecy(i2)
        i2.putExtra("pending", p);
        // pending intent within i2 provides BLUETOOTH to any recipient
        startActivity(i2);
    }
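The secrecy discipline annotated in the comments above, replayed as an added Python model (it is not LINTENT's code): secrecy levels are sets of permissions ordered by inclusion, PUBLIC is the empty set, a pending intent inherits the secrecy of the intent it wraps, and putExtra is accepted only when the payload's level is below the carrier's. The action-to-permission table and the repaired variant, in which the sender demands that recipients of i2 hold BLUETOOTH, are assumptions made for this example.

```python
"""Secrecy typing of pending intents. Added illustration, not LINTENT code.
The action string is the value of BluetoothAdapter.ACTION_REQUEST_ENABLE; its
mapping to the BLUETOOTH permission follows the slide, and the table itself is
constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet

PUBLIC: FrozenSet[str] = frozenset()   # bottom of the lattice: anyone may receive

ACTION_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "android.bluetooth.adapter.action.REQUEST_ENABLE": frozenset({"BLUETOOTH"}),
}


@dataclass
class Intent:
    action: str
    secrecy: FrozenSet[str]                  # permissions a recipient must own
    extras: dict = field(default_factory=dict)


@dataclass(frozen=True)
class PendingIntent:
    wrapped: Intent

    @property
    def secrecy(self) -> FrozenSet[str]:
        return self.wrapped.secrecy           # secrecy(p) = secrecy(i)


class SecrecyError(TypeError):
    """A value would flow into an intent of lower secrecy."""


def new_intent(action: str, receiver_permission: FrozenSet[str] = PUBLIC) -> Intent:
    """secrecy(i) = permission required by the action, joined with any permission
    the sender explicitly demands of the receiver; an implicit, unprotected
    intent such as "ACT_STRING" comes out PUBLIC."""
    return Intent(action, ACTION_PERMISSIONS.get(action, PUBLIC) | receiver_permission)


def level_of(value) -> FrozenSet[str]:
    return getattr(value, "secrecy", PUBLIC)   # plain data is PUBLIC


def put_extra(intent: Intent, key: str, value) -> Intent:
    """Injection rule: allowed only if secrecy(value) <= secrecy(intent), where
    <= is set inclusion (requiring more permissions = more secret)."""
    if not level_of(value) <= intent.secrecy:
        raise SecrecyError(
            f"secrecy({key}) = {set(level_of(value))} > "
            f"secrecy(intent) = {set(intent.secrecy) or 'PUBLIC'}")
    intent.extras[key] = value
    return intent


def slide_program():
    """Replays MyActivity from the slide; returns the type error it triggers."""
    i = new_intent("android.bluetooth.adapter.action.REQUEST_ENABLE")
    p = PendingIntent(i)
    i2 = new_intent("ACT_STRING")
    try:
        put_extra(i2, "pending", p)
    except SecrecyError as err:
        return str(err)
    return None


def fixed_program() -> Intent:
    """Hypothetical repair: only recipients owning BLUETOOTH may receive i2, so
    the wrapped privilege is not handed to arbitrary components."""
    i = new_intent("android.bluetooth.adapter.action.REQUEST_ENABLE")
    i2 = new_intent("ACT_STRING", receiver_permission=frozenset({"BLUETOOTH"}))
    return put_extra(i2, "pending", PendingIntent(i))
```

The check is purely static: nothing is sent, and the verdict depends only on how i2 was constructed, which is why the same rule can flag the flaw in source code before the app ever runs.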
26 LINTENT: Inter-component communication
Analyzes: component classes; inter-component dataflow in message passing (within intents).
Detects: mismatches in inter-component communication; undisciplined programming practices.
27 LINTENT: Inter-component communication
A real problem [Maji et al. 2011]: extensive testing, based on randomly generated intents sent to 450+ components in Android 4.0 built-in applications and the 5 most popular applications on Google Play. Around 5%-8% ICC crashes, depending on component type, due to uncaught exceptions, corresponding to a total of 641 crashes in Android 4.0 and 152 in Google Play apps.
A. K. Maji, F. A. Arshad, S. Bagchi and J. S. Rellermeyer. An empirical study of the robustness of Inter-component Communication in Android. Dependable Systems and Networks, DSN 2011.
28 LINTENT: Tracing message passing
    class SenderActivity extends Activity {
        protected void onCreate(Bundle savedInstanceState) {
            ...
            // create an explicit intent
            Intent i = new Intent(this, ReceiverActivity.class);
            // populate with primitive and user-defined extras
            i.putExtra("k1", 3);
            i.putExtra("k2", true);
            i.putExtra("k3", new SomeSerializable());
            // start receiver
            startActivity(i);
        }
    }
29-31 LINTENT: Tracing message passing
    public class ReceiverActivity extends Activity {
        protected void onCreate(Bundle savedInstanceState) {
            // retrieve the intent
            Intent i = getIntent();
            // retrieve first extra component: TYPE ERROR - k1: int
            String v1 = i.getStringExtra("k1");
            // retrieve third extra component: TYPE ERROR - k3: SomeSerializable
            WrongSerializable o = (WrongSerializable) i.getSerializableExtra("k3");
            ...
        }
    }
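The mismatch check between SenderActivity and ReceiverActivity, as an added Python model of the analysis (not LINTENT's implementation): the sender's putExtra calls are summarised as key-to-static-type records, the receiver's accessor calls and downcasts as key-to-expected-type records, and the two are compared. The class hierarchy and the Put/Get records are constructed for this example; the keys and class names are the slide's.

```python
"""Typing intent extras across sender and receiver. Added illustration of the
check described on the slides, not LINTENT's implementation. The class
hierarchy, keys and accessor names mirror the slide's SenderActivity /
ReceiverActivity and are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Put:                      # sender side: i.putExtra(key, value)
    key: str
    java_type: str              # static type of the value argument


@dataclass(frozen=True)
class Get:                      # receiver side: i.get<T>Extra(key), maybe cast
    key: str
    java_type: str              # type chosen by the accessor (getStringExtra -> String)
    cast_to: Optional[str] = None   # target of a downcast applied to the result


# Constructed class hierarchy: both user classes implement Serializable but
# are unrelated to each other.
SUPERTYPES: Dict[str, Set[str]] = {
    "SomeSerializable": {"Serializable", "Object"},
    "WrongSerializable": {"Serializable", "Object"},
}


def is_assignable(src: str, dst: str) -> bool:
    return src == dst or dst in SUPERTYPES.get(src, set())


def check_extras(puts: List[Put], gets: List[Get]) -> List[Tuple[str, str, str]]:
    """Diagnostics as (severity, key, message), sorted for stable output."""
    sent = {p.key: p.java_type for p in puts}
    diags = []
    for g in gets:
        if g.key not in sent:
            diags.append(("error", g.key, "extra never put by the sender"))
            continue
        actual = sent[g.key]
        if not is_assignable(actual, g.java_type):
            diags.append(("error", g.key, f"{actual} read as {g.java_type}"))
        elif g.cast_to and not is_assignable(actual, g.cast_to):
            diags.append(("error", g.key, f"{actual} cast to {g.cast_to}"))
    for key in sent.keys() - {g.key for g in gets}:
        diags.append(("hint", key, "extra is never read by the receiver"))
    return sorted(diags)


def slide_example() -> List[Tuple[str, str, str]]:
    """SenderActivity puts k1:int, k2:boolean, k3:SomeSerializable;
    ReceiverActivity reads k1 as String and casts k3 to WrongSerializable."""
    puts = [Put("k1", "int"), Put("k2", "boolean"), Put("k3", "SomeSerializable")]
    gets = [Get("k1", "String"), Get("k3", "Serializable", cast_to="WrongSerializable")]
    return check_extras(puts, gets)
```

At runtime neither mistake surfaces where it was made: Bundle answers getStringExtra("k1") with null after logging a ClassCastException, and the cast on k3 throws a ClassCastException in the receiver, which is the kind of uncaught-exception crash the fuzzing study above counts. The static comparison reports both against the sender/receiver pair instead.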
32 LINTENT: Architecture
Our implementation is an ADT Lint plugin. Pipeline: Android source code is parsed by the Lint plugin into a Lombok AST; the plugin spawns the LINTENT engine as a separate process and pipes the AST to it; the engine pipes its warnings back to the plugin.
33 LINTENT: Features
Full support for Java 1.6; inspection of third-party libraries (external JARs); dataflow for intents, pending intents and bundles; support for recursive nesting (pending intents injected within intents and vice versa).
34 LINTENT: First experiments
Type-checked existing apps from the Google Play store:
- APN-Switch: any application can send an intent to turn the network on/off
- Wifi-Fixer: any application can send an intent to turn the wifi on/off; difficult to notice by manual inspection; not ideal for a fixer, ain't it?
Both flaws uncovered by LINTENT and then verified manually.
35-38 LINTENT: Further experiments
Preliminary results over a small number of apps: tested on 11 open-source apps; we're soon ready for massive experimentation.
Among self-contained apps with UI components: 85% of intents are explicit; 60% of warnings and errors relate to intent mistyping.
Among Service-based apps: over 95% of intents are implicit; LINTENT cannot help much with these.
Among apps that use permissions: 30% are over-privileged; 10% accidentally incur privilege escalation via a PendingIntent within an Intent; 25% are under-privileged, based on Broadcast Receivers.
39 DEMO
40-41 Conclusions
Enhancing the Android development process is highly desired; type-based analysis is possible and useful, though demanding; certified security is still far away, but LINTENT is a first step in that direction.
What's next: continue engineering of the prototype, extensive testing; integrate a front-end to a decompiler; re-target to DALVIK code; support for robust declassification/endorsement.
42 Thanks
43 References
- M. Bugliesi, S. Calzavara, A. Spanò. Lintent: Towards Security Type-Checking of Android Applications. Joint IFIP International Conference FMOODS/FORTE.
- A. K. Maji, F. A. Arshad, S. Bagchi, J. S. Rellermeyer. An empirical study of the robustness of Inter-component Communication in Android. Dependable Systems and Networks (DSN).
- L. Davi, A. Dmitrienko, A.-R. Sadeghi, M. Winandy. Privilege escalation attacks on Android. ISC.
- E. Fragkaki, L. Bauer, L. Jia, D. Swasey. Modeling and enhancing Android's permission system. ESORICS.
- A. Porter Felt, H. J. Wang, A. Moshchuk, S. Hanna, E. Chin. Permission re-delegation: Attacks and defenses. USENIX Security Symposium.
More informationGoogle on BeyondCorp: Empowering employees with security for the cloud era
SESSION ID: EXP-F02 Google on BeyondCorp: Empowering employees with security for the cloud era Jennifer Lin Director, Product Management, Security & Privacy Google Cloud What is BeyondCorp? Enterprise
More informationDynamic Detection of Inter- Application Communication Vulnerabilities in Android. Daniel Barton
Dynamic Detection of Inter- Application Communication Vulnerabilities in Android Daniel Barton Authors/Paper Metadata Roee Hay IBM Security Omer Tripp IBM T.J. Watson Research Center Marco Pistoia IBM
More informationDeveloper s overview of the Android platform
Developer s overview of the Android platform Erlend Stav SINTEF November 10, 2009 mailto:erlend.stav@sintef.no 1 Overview Vendors and licensing Application distribution Platform architecture Application
More informationProgramming with Android: System Architecture. Dipartimento di Scienze dell Informazione Università di Bologna
Programming with Android: System Architecture Luca Bedogni Marco Di Felice Dipartimento di Scienze dell Informazione Università di Bologna Outline Android Architecture: An Overview Android Dalvik Java
More informationMARS AREA SCHOOL DISTRICT Curriculum TECHNOLOGY EDUCATION
Course Title: Java Technologies Grades: 10-12 Prepared by: Rob Case Course Unit: What is Java? Learn about the history of Java. Learn about compilation & Syntax. Discuss the principles of Java. Discuss
More informationAccess Control for Plugins in Cordova-based Hybrid Applications
2017 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising
More informationRUNTIME PERMISSIONS IN ANDROID 6.0 Lecture 10a
RUNTIME PERMISSIONS IN ANDROID 6.0 Lecture 10a COMPSCI 702 Security for Smart-Devices Muhammad Rizwan Asghar March 20, 2018 2 ANDROID 6.0 A version of the Android mobile operating system officially released
More informationANDROID DEVELOPMENT. Course Details
ANDROID DEVELOPMENT Course Details centers@acadgild.com www.acadgild.com 90360 10796 01 Brief About the Course Android s share of the global smartphone is 81%. The Google Certified Android development
More informationMC Android Programming
MC1921 - Android Programming Duration: 5 days Course Price: $3,395 Course Description Android is an open source platform for mobile computing. Applications are developed using familiar Java and Eclipse
More informationUnderstanding Application
Introduction to Android Application Development, Android Essentials, Fifth Edition Chapter 4 Understanding Application Components Chapter 4 Overview Master important terminology Learn what the application
More informationPaddyFrog: systematically detecting confused deputy vulnerability in Android applications
SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2015; 8:2338 2349 Published online 30 January 2015 in Wiley Online Library (wileyonlinelibrary.com)..1179 RESEARCH ARTICLE PaddyFrog: systematically
More informationStefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology
Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology One of the most popular application platforms Easy to deploy and access Almost anything
More informationUnderstanding and Detecting Wake Lock Misuses for Android Applications
Understanding and Detecting Wake Lock Misuses for Android Applications Artifact Evaluated by FSE 2016 Yepang Liu, Chang Xu, Shing-Chi Cheung, and Valerio Terragni Code Analysis, Testing and Learning Research
More informationAN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE
AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley CHROME EXTENSIONS CHROME EXTENSIONS servers servers
More informationModeling and Enhancing Android's Permission System
Modeling and Enhancing Android's Permission System Elli Fragkaki, Lujo Bauer, Limin Jia, and David Swasey November 30, 2011 (revised April 25, 2012) CMU-CyLab-11-020 CyLab Carnegie Mellon University Pittsburgh,
More informationReDroid: Prioritizing Data Flows and Sinks for App Security Transformation
FEAST 2017 ReDroid: Prioritizing Data Flows and Sinks for App Security Transformation Ke Tian*, Gang Tan^, Daphne Yao*, Barbara Ryder* *Department of Computer Science Virginia Tech ^Department of CSE Penn
More informationAndroid Analysis Tools. Yuan Tian
Android Analysis Tools Yuan Tian Malware are more creative: XcodeGhost More than 300 a pps are infected, including wechat and netease Collect device ID, Apple ID and p assword 10/3/15 CMU Mobile Security
More informationAndroid Overview. Most of the material in this section comes from
Android Overview Most of the material in this section comes from http://developer.android.com/guide/ Android Overview A software stack for mobile devices Developed and managed by Open Handset Alliance
More informationAndroid App Development
Android App Development Outline Introduction Android Fundamentals Android Studio Tutorials Introduction What is Android? A software platform and operating system for mobile devices Based on the Linux kernel
More informationPractical Attack Scenarios on Secure Element-enabled Mobile Devices
Practical Attack Scenarios on Secure Element-enabled Mobile Devices Michael Roland University it of Applied Sciences Upper Austria,, Austria 4 th International Workshop on Near Field Communication 13 March
More informationIBM Datacap Mobile SDK Developer s Guide
IBM Datacap Mobile SDK Developer s Guide Contents Versions... 2 Overview... 2 ios... 3 Package overview... 3 SDK details... 3 Prerequisites... 3 Getting started with the SDK... 4 FAQ... 5 Android... 6
More informationOS Security Rethinking Permission Granting in Modern Operating Systems
Rethinking Permission Granting in Modern Operating Systems Joe Miner Nicholas Fouche Department of Electrical & Computer Engineering Missouri University of Science and Technology npf5zf@mst.edu 28 November
More informationAndroid Programming (5 Days)
www.peaklearningllc.com Android Programming (5 Days) Course Description Android is an open source platform for mobile computing. Applications are developed using familiar Java and Eclipse tools. This Android
More informationSecurity, Privacy, & User Expectations:
Security, Privacy, & User Expectations: Case Studies in Web Tracking and Application Permissions Franziska Roesner Assistant Professor Computer Science & Engineering University of Washington Security,
More informationSandboxing untrusted code: policies and mechanisms
Sandboxing untrusted code: policies and mechanisms Frank Piessens (Frank.Piessens@cs.kuleuven.be) Secappdev 2011 1 Overview Introduction Java and.net Sandboxing Runtime monitoring Information Flow Control
More informationUnderstanding and Detecting Wake Lock Misuses for Android Applications
Understanding and Detecting Wake Lock Misuses for Android Applications Artifact Evaluated Yepang Liu, Chang Xu, Shing-Chi Cheung, and Valerio Terragni Code Analysis, Testing and Learning Research Group
More informationLink-OS SDK for Xamarin README
Link-OS SDK for Xamarin README This readme is specific to the LinkOS Xamarin SDK. This SDK is a Xamarin PCL in the plugin format. Also included in the files is a sample app showing use of specific APIs.
More informationConfiguring the Android Manifest File
Configuring the Android Manifest File Author : userone What You ll Learn in This Hour:. Exploring the Android manifest file. Configuring basic application settings. Defining activities. Managing application
More information1. GOALS and MOTIVATION
AppSeer: Discovering Interface Defects among Android Components Vincenzo Chiaramida, Francesco Pinci, Ugo Buy and Rigel Gjomemo University of Illinois at Chicago 4 September 2018 Slides by: Vincenzo Chiaramida
More informationPIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices
W I S S E N T E C H N I K L E I D E N S C H A F T PIN Skimming: Exploiting the Ambient-Light Sensor in Mobile Devices IAIK, Graz University of Technology, Austria www.iaik.tugraz.at 2 Outline Introduction
More informationMobile Devices prioritize User Experience
Mobile Security 1 Uniqueness of Mobile Mobile Devices are Shared More Often Mobile Devices are Used in More Locations Mobile Devices prioritize User Experience Mobile Devices have multiple personas Mobile
More informationIntroduction To Android
Introduction To Android Mobile Technologies Symbian OS ios BlackBerry OS Windows Android Introduction to Android Android is an operating system for mobile devices such as smart phones and tablet computers.
More informationWhy using intents. Activity. Screen1 Screen 2
INTENTS Why using intents Screen1 Screen 2 Activity An activity may manage many layout file (screens) Intents, provides a way for an activity to start another activity (thus changing screen) Beside this
More informationMobile Computing. Introduction to Android
Mobile Computing Introduction to Android Mobile Computing 2011/2012 What is Android? Open-source software stack for mobile devices OS, middleware and key applications Based upon a modified version of the
More informationTongbo Luo Cong Zheng Zhi Xu Xin Ouyang ANTI-PLUGIN: DON T LET YOUR APP PLAY AS AN ANDROID PLUGIN
Tongbo Luo Cong Zheng Zhi Xu Xin Ouyang ANTI-PLUGIN: DON T LET YOUR APP PLAY AS AN ANDROID PLUGIN Bio Black Hat Veteran. Principle Security Researcher @ PANW. Mobile Security - Discover Malware - Android
More informationAndroid Programmierung leichtgemacht. Lars Vogel
Android Programmierung leichtgemacht Lars Vogel Twitter: @vogella Lars Vogel Arbeitet als unabhängiger Eclipse und Android Berater und Trainer Arbeit zusätzlichen für SAP AG als Product Owner in einem
More informationDetecting Advanced Android Malware by Data Flow Analysis Engine. Xu Hao & pll
Detecting Advanced Android Malware by Data Flow Analysis Engine Xu Hao & pll 2013.09 Content Background adfaer - Android Data Flow Analyzer Janus - Detect Reflection Experiment Future Work Android Security
More informationSecure Element APIs and Practical Attacks on Secure Element-enabled Mobile Devices
Secure Element APIs and Practical Attacks on Secure Element-enabled Mobile Devices Michael Roland University it of Applied Sciences Upper Austria,, Austria WIMA 2012 NFC Research Track 11 April 2012, Monaco
More informationEmbedded Systems Programming - PA8001
Embedded Systems Programming - PA8001 http://goo.gl/ydeczu Lecture 8 Mohammad Mousavi m.r.mousavi@hh.se Center for Research on Embedded Systems School of Information Science, Computer and Electrical Engineering
More informationLooking Forward: Challenges in Mobile Security. John Mitchell Stanford University
Looking Forward: Challenges in Mobile Security John Mitchell Stanford University Outline Mobile platform security SessionJuggler Using phone as authentication token SelectiveAuth Protecting resources on
More informationMandatory Access Control for the Android Dalvik VM
Mandatory Access Control for the Android Dalvik VM ESOS 13 Aline Bousquet, Jérémy Briffaut, Laurent Clevy, Christian Toinard, Benjamin Venelle June 25, 2013 Esos 13 Mandatory Access Control for the Android
More informationAndroid App Development. Ahmad Tayeb
Android App Development Ahmad Tayeb Ahmad Tayeb Lecturer @ Department of Information Technology, Faculty of Computing and Information Technology, KAU Master degree from Information Sciences and Technologies,
More information