Google security team's knowledge about Android Security

Http://commondatastorage.googleapis.com/io2012/presentations/live%20to%20website/107.pdf

Let's take a look at google's knowledge about android security:

1. If sensitive data is protected by permissions, these permissions will be held by the Authority. To use these permissions, you must apply for them.

2. The security awareness of MFA farmers is very important.

Codoon worked very hard. Unfortunately, due to lack of security awareness, data may be leaked:
-Storing personal data in a world-readable file: globally read files...
-Exporting an unprotected content provider component is exported and accessible to all users. Component export is prone to abuse, resulting in permission proxy attacks.
-Logging personal data in logcat logs like log ..
Consider the evil external environment.
-Insecure wireless networks transmission is easy to steal, and ssl has been cracked recently.
-Lost and stolen devices Lost mobile phones

3. User Certificate

Android does not have a strict developer certificate as ios does. But it should also be serious.

After all, the certificate carries a lot of content.

1) the same signature can share UID

2) software upgrade issues.

Therefore, for the sake of security, programmers should also protect their private keys !!! Otherwise, someone may steal your application information.

4. android Security Architecture

The android security architecture mainly includes the following parts:

1) linux DAC mechanism, RWX, and some special group ID control, such as internet

For example, open () is controlled by kernel through uid.

2) component Authentication is usually implemented by the caller. For example, the calling system may have System_server authentication. If it interacts with another application, authentication is performed by another application. It is actually IPC authentication.

5. Sandbox

Applications exist in their own sandboxes.

However, we also need to consider two issues:

1) reflection. Currently, many hook technologies are connected to the java layer through reflection. Very evil

2) native code is not an external location and cannot bypass the permission mechanism, but can modify the process space, that is, dynamically modify the application status.

In addition, there are some protection measures for inter-process communication:

Intent filters --- Filter
Permissions --- display
Signatures ----- is really valuable. Share the value of a signature.

6. Attack entry

7. Protection Components

Don't export app components unless you want other apps on the system to interact with your app

Manifest xmlns: android = "http://schemas.android.com/apk/res/android"
Package = "com. example. awesome">
<Application android: label = "@ string/app_name">
...
<Service android: name = ". ServiceExample"
Android: exported = "false">
<Intent-filter>... </Intent-filter>
</Service>
...
</Application>
</Manifest>

Never go around. Please apply for permissions and then share the signature control (the last one below )!! Tears

Defining permissions is only the first step in the long journey. You have defined that, when someone else applies, the key is signature control!

ProtectionLevel = "normal"-A lower-risk permission that gives requesting applications
Access to isolated application-level features, with minimal risk to other applications,
System, or the user. This is the default protection level. Quietly working, no prompt

ProtectionLevel = "dangerous"-A higher-risk permission that wowould give a requesting
Application access to private user data or control over the device that can negatively impact
The user. Is the prompt, what is the use
ProtectionLevel = "signature"-Can be used to limit access to components to only apps
Signed with the same certificate. Truly valuable!

 

The above permission control is defined by you. The system helps you control the verification. You can also do it yourself. Be confident.

In fact, there are many methods (there are too few columns below)
-Context. registerReceiver (...) Can be used to register a BroadcastReceiver dynamically
• There is a version of registerReceiver (...) Which can be used to specify permission the broadcaster must hold for your dynamically-registered already er to be invoked.
-Context. checkCallingPermission (...) And Context. enforceCallingPermission (...) Can be self-Verified
Used in your source code to make sure the calling app holds the appropriate permission.
This can be used to implement fine-grained permissions if needed.

• Avoid the confused deputy problem !!!

You have no permission to apply !! However, if you have applied for the permission, you may find it easy to be hacked !!! Swollen !!

-If your app is using its granted permissions to respond to another app, check that the calling app has that permission as well

 

If you have these permissions and vulnerabilities .. Is to provide the interface...

8. Pay attention to the details.

1) debug

Android: do not enable debuggable !! Easy to be attacked ***
-Disabled by default
-Never leave this enabled in release code!
-Allows a user to debug your app-even without source code
-Users with physical access can run code as your app and access your app's data to start your privacy journey... Is run-as understandable?

Jlarw.macbookair :~ Jlarimer $ adb shell
Shell @ android:/$ run-as com. example. awesomeness sh
Shell @ android:/data/com. example. awesomeness $ id
Uid = 10060 (app_60) gid = 10060 (app_60)
Shell @ android:/data/com. example. awesomeness $ ls files/
Secret_data.txt
Shell @ android:/data/com. example. awesomeness $ cat files/secret_data.txt
SECRETS!

2) data

Use MODE_PRIVATE for data files, shared preferences, and databases to protect your privacy. Do not read or write data globally.
• OpenFileOutput (), openSharedPreferences (), and openOrCreateDatabase () create files in your app's
Private data directory
External storage (sdcard) is shared storage the SD card has no permission control and can be read. You have to think twice about storage. If not, encrypt it! There are many open-source encryption libraries now!

EncryptedMessage = Encrypt (K, "Login-OK = 0 ")
AlteredMessage = EncryptedMessage... XOR {..., 0x31}
Plaintext = Decrypt (K, AlteredMessage) = "Login-OK = 1"

Haomnong

FileOutputStream fos = openFileOutput ("private_data.txt", Context. MODE_PRIVATE );
SharedPreferences prefs = getSharedPreferences ("data", Context. MODE_PRIVATE );

Goddess is open to anyone!
FileOutputStream fos = openFileOutput ("private_data.txt", Context. MODE_WORLD_WRITEABL
SharedPreferences prefs = getSharedPreferences ("data", Context. MODE_WORLD_READABLE );

Do not store programs in the SD card:

Don't store code libraries that are world writable or on external storage is easy to replace unless you verify
-Don't store paths to code libraries in files that are world writable or on external storage paths are the same
-Don't process data from writable files in native code-memory resume uption vulnerabilities cocould allow apps to run arbitrary code with your app's ID !!
• Don't store personal or protected data on external storage without user consent

9. wireless link security

At present, there are too many diaosi and I like to engage in WIFI Hack at Starbucks.

Many man-in-the-middle attacks!

How to Protect:

-HTTPS and SSL can protect against MitM attacks and prevent casual snooping Use https and ssl. But now there are too many problems with ssl in codefarm implementation. For more information, see Old Wang's book! For example, Certificate pinning
-For example
URL url = new URL ("https://www.google.com /");
HttpURLConnection urlConnection = (HttpURLConnection) url. openConnection ();

Tip:

Use cryptographic signing for any DEX or native code libraries that you load dynamically is an evil software skill! Remotely download APK and dex for dynamic execution
-Better yet, don't run code from the network

10. webview

Web security is a big topic... Xss .....

JavaScript is disabled by default in webview. Disabled by default

AddJavascriptInterface () is dangerous you can enable.

-Since Avoid exposing protected or personal data to a JavaScript interface is opened, it is difficult to ensure that js and java can communicate with each other, and the same-source mechanism will be damaged.
-Server or network cocould be compromised, you can't trust the code
-If you do use it, ensure that you're using HTTPS for the WebView

10. Friendly reminder

Do not abuse your authority. The people will not forgive me !! Apply for the minimum privilege!

 

Permissions aren't required if you launch an activity that has the permission system already has a task, don't apply for Permissions again. Just call these applications! Why does google not directly delete those APIs that send text messages directly. Who can tell me !!!
-Getting a picture from the camera

// Create Intent to take a picture and return control to the calling application !!
Intent intent = new Intent (MediaStore. ACTION_IMAGE_CAPTURE );
// Create a file to save the image
FileUri = getOutputMediaFileUri (MEDIA_TYPE_IMAGE );
// Set the image file name
Intent. putExtra (MediaStore. EXTRA_OUTPUT, fileUri );
// Start the image capture Intent
StartActivityForResult (intent, MY_REQUEST_CO

-Sending an SMS through the SMS app is not authorized to send messages !!

 

Uri smsNumber = Uri. parse ("sms: 5551212 ");
Intent intent = new Intent (Intent. ACTION_VIEW );
Intent. setData (smsNumber );
Intent. putExtra (Intent. EXTRA_TEXT, "hey there! ");
StartActivity (intent );

Permissions can be temporarily granted to apps by content providers
-Leader the user pick a contact to share with your app does not need to apply for READ_CONTACTS !!

Intent intent = new Intent (Intent. ACTION_GET_CONTENT );
Intent. setType (Phone. CONTENT_ITEM_TYPE );
StartActivityForResult (intent, MY_REQUEST_CODE );
Void onActivityResult (int requestCode, int resultCode, Intent data ){
If (data! = Null ){
Uri uri = data. getData ();
If (uri! = Null ){
Try {
Cursor c = getContentResolver (). query (uri, new String [] {
Contacts. DISPLAY_NAME, Phone. NUMBER}, null );

11. trick

Need a unique identifier? What is the unique identifier of the terminal! I have been searching for it for many years, but I cannot find it !! The following are more unreliable!
-TelephonyManager. getDeviceId () requires READ_PHONE_STATE permission
-Settings. Secure. ANDROID_ID doesn't require a permission, but still not perfect
To identify an installation of your app
-Generate a UUID when your app starts and store it in shared preferences:
-String id = UUID. randomUUID (). toString ();
-Use Android Backup Service to save the shared preferences to the cloud
-See: https://developers.google.com/android/backup/

12. device management

Device management was originally born for Enterprise Management MDM, but it was used by some Xiao !!

Recently, the best malware in history also used device management, and then used a Registration Vulnerability to hide it .. This prevents users from uninstalling the code !!!

After activating the Enterprise Manager, there are many functions. You can set the complexity of the pin code, lock screen, and erase data. This part of ios is even richer !!

You can try it yourself and activate it after activation! A vulnerability is not displayed in the activation list. If the app is not activated, it cannot be uninstalled! So it becomes evil!

 

Last

Use Android Lint hopes google will work harder. Let Programmers spend more time with the goddess! Don't tangle with bugs! But now the function is too child!

 

This feature is very promising !! Please contact me if any investor sees it. I used an application vulnerability detection tool.
Original article: http://blog.csdn.net/u011069813/article/details/9237631