Android Security Mechanisms

Size: px

Start display at page:

Download "Android Security Mechanisms"

Hector Cameron
6 years ago
Views:

1 Android Security Mechanisms Lecture 8 Operating Systems Practical 7 December 2016 This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy of this license, visit OSP Android Security Mechanisms, Lecture 8 1/35

2 Signing Applications UIDs and File Access Android Permissions Cryptographic Providers Bibliography OSP Android Security Mechanisms, Lecture 8 2/35

3 Outline Signing Applications UIDs and File Access Android Permissions Cryptographic Providers Bibliography OSP Android Security Mechanisms, Lecture 8 3/35

4 Signing Applications Each apk signed with a certificate Generated using the developer s private key Identifies the developer of the application Can be self-signed System applications signed with the platform key Update allowed only if the certificate matches OSP Android Security Mechanisms, Lecture 8 4/35

5 Outline Signing Applications UIDs and File Access Android Permissions Cryptographic Providers Bibliography OSP Android Security Mechanisms, Lecture 8 5/35

6 UIDs and File Access Unique UID at install time for each application Access rights on application s files - other applications cannot access those files Shared UID shareduserid attribute of <manifest> Signed with the same key Treated as the same application, same UID and file permissions Share files with other applications MODE_WORLD_READABLE or MODE_WORLD_WRITABLE when creating a file Gives read or write access to files OSP Android Security Mechanisms, Lecture 8 6/35

7 Outline Signing Applications UIDs and File Access Android Permissions Cryptographic Providers Bibliography OSP Android Security Mechanisms, Lecture 8 7/35

8 Android Permissions By default, applications cannot perform operations to impact other apps, the OS or the user Permission - the ability to perform a particular operation Built-in permissions documented in the platform API reference Defined in the android package Custom permissions - defined by system or user apps pm list permissions Defining package +.permission + name android.permission.reboot com.android.laucher3.permission.receive_launch_- BROADCASTS OSP Android Security Mechanisms, Lecture 8 8/35

9 Android Permissions Apps request permissions in AndroidManifest.xml <uses-permission android:name="android.permission.internet" /> Permissions handled by the PackageManager service Central database of installed packages /data/system/packages.xml Programatically access package information from android.content.pm.packagemanager getpackageinfo() returns PackageInfo instance Cannot be changed or revoked without uninstalling app (until Android 5.1) Android 6.0: apps request permissions at runtime OSP Android Security Mechanisms, Lecture 8 9/35

10 Permission Enforcement A permission can be enforced in a number of places Making a call into the system Starting an activity Starting and binding a service Sending and receiving broadcasts Accessing a content provider OSP Android Security Mechanisms, Lecture 8 10/35

11 Permission Protection Levels Potential risk and procedure to grant permission Normal Low risk Automatically granted without user confirmation ACCESS_NETWORK_STATE, GET_ACCOUNTS Dangerous Access to user data or control over the device Requires user confirmation CAMERA, READ_SMS OSP Android Security Mechanisms, Lecture 8 11/35

12 Permission Protection Levels Signature Highest level of protection Apps signed with the same key as the app that declared the permission Built-in signature permissions are used by system apps (signed with platform key) NET_ADMIN, ACCESS_ALL_EXTERNAL_STORAGE SignatureOrSystem Apps part of system image or signed with the same key as the app that declared the permission Vendors may have preinstalled apps without using the platform key OSP Android Security Mechanisms, Lecture 8 12/35

13 Permission Groups All dangerous permissions belong to permission groups Until Android 5.1: Permission groups are requested at install time (not the individual permissions) On Android 6.0: If there is no other permission in that group, it requests the user s confirmation for that permission group If there is another permission in that group already granted, it does not request any confirmation Examples of dangerous permission groups: Calendar, Camera, Contacts, Location, Phone, SMS, Sensors, Storage, Microphone OSP Android Security Mechanisms, Lecture 8 13/35

14 Kernel-Level Enforcement Access to regular files, device nodes and local sockets managed by the Linux kernel, based on UID, GID Permissions are mapped to supplementary GIDs Built-in permission mapping in /etc/permission/platform.xml Example: INTERNET permission associated with GID inet Only apps with INTERNET permission can create network sockets The kernel verifies if the app belongs to GID inet OSP Android Security Mechanisms, Lecture 8 14/35

15 Framework-Level Enforcement Static permission enforcement System keeps track of permissions associated to each app component Checks whether callers have the required permission before allowing access Enforcement by runtime environment Isolating security decisions from business logic Less flexible Dynamic permission enforcement Components check to see if the caller has the necessary permissions Decisions made by each component, not by runtime environment More fine-grained access control More operations in components OSP Android Security Mechanisms, Lecture 8 15/35

16 Dynamic Enforcement Helper methods in android.content.context class to perform permission check checkpermission(string permission, int pid, int uid) Returns PERMISSION_GRANTED or PERMISSION_DENIED For root and system, permission is automatically granted If permission is declared by calling app, it is granted Deny for private components Queries the Package Manager enforcepermission(string permission, int pid, int uid, String message) Throws SecurityException with message if permission is not granted OSP Android Security Mechanisms, Lecture 8 16/35

17 Static Enforcement An app tries to call a component of another app - intent Target component - android:permission attribute Caller - <uses-permission> Activity Manager Resolves intent Checks if target component has an associated permission Delegates permission check to Package Manager If caller has necessary permission, the target component is started Otherwise, a SecurityException is generated OSP Android Security Mechanisms, Lecture 8 17/35

18 Activity and Service Permission Enforcement Permission checks for activities Intent is passed to Context.startActivity() or startactivityforresult() Resolves to an activity that declares a permission Permission checks for services Intent passed to Context.startService() or stopservice() or bindservice() Resolves to a service that declares a permission If caller does not have the necessary permission, generates SecurityExceptions OSP Android Security Mechanisms, Lecture 8 18/35

19 Content Provider Permission Enforcement Protect the whole component or a particular exported URI Different permissions for reading and writing Read permission - ContentResolver.query() on provider or URI Write permission - ContentResolver.insert(), update(), delete() on provider or URI Synchronous checks OSP Android Security Mechanisms, Lecture 8 19/35

20 Broadcast Permission Enforcement Receivers may be required to have a permission Context.sendBroadcast(Intent intent, String receiverpermission) Check when delivering intent to receivers No permission - broadcast not received, no exception Broadcasters may need to have a permission to send a broadcast Specified in manifest or in registerreceiver Checked when delivering broadcast No permission - no delivery, no exception 2 checks for each delivery: for sender and receiver OSP Android Security Mechanisms, Lecture 8 20/35

21 Custom Permissions Declared by apps Checked statically by the system or dynamically by the components Declared in AndroidManifest.xml <permission t r e e android : name= com. example. app. permission a n d r o i d : l a b e l s t r i n g / e x a m p l e p e r m i s s i o n t r e e l a b e l /> <p e r m i s s i o n group android : name= com. example. app. permission group. TEST GROUP a n d r o i d : l a b e l s t r i n g / t e s t p e r m i s s i o n g r o u p l a b e l a n d r o i d : d e s c r i p t i o n s t r i n g / t e s t p e r m i s s i o n g r o u p d e s c /> <p e r m i s s i o n android : name= com. example. app. permission. PERMISSION1 a n d r o i d : l a b e l s t r i n g / p e r m i s s i o n 1 l a b e l a n d r o i d : d e s c r i p t i o n s t r i n g / p e r m i s s i o n 1 d e s c android : permissiongroup= com. example. app. permission group. TEST GROUP a n d r o i d : p r o t e c t i o n L e v e l = s i g n a t u r e /> OSP Android Security Mechanisms, Lecture 8 21/35

22 Outline Signing Applications UIDs and File Access Android Permissions Cryptographic Providers Bibliography OSP Android Security Mechanisms, Lecture 8 22/35

23 JCA Provider Architecture Java Cryptography Architecture (JCA) Extensible cryptographic provider framework Set of APIs - major cryptographic primitives Applications specify an algorithm, do not depend on particular provider implementation Cryptographic Service Provider (CSP) Package with implementation of cryptographic services Advertises the implemented services and algorithms JCA maintains a registry of providers and their algorithms Providers in a order of preference Service Provider Interface (SPI) Common interface for implementations of a specific algorithm Abstract class implemented by provider OSP Android Security Mechanisms, Lecture 8 23/35

24 JCA Engine Classes JCA engines provide: Cryptographic operations (encrypt/decrypt, sign/verify, hash) Generation or conversion of cryptographic material (keys, parameters) Management and storage of cryptographic objects (keys, certificates) Decouple client code from algorithm implementation Static factory method getinstance() Request implementation indirectly s t a t i c EngineClassName getinstance ( String algorithm ) throws NoSuchAlgorithmException s t a t i c EngineClassName g e t I n s t a n c e ( S t r i n g a l g o r i t h m, S t r i n g p r o v i d e r ) throws NoSuchAlgorithmException, NoSuchProviderException s t a t i c EngineClassName g e t I n s t a n c e ( S t r i n g a l g o r i t h m, P r o v i d e r p r o v i d e r ) throws NoSuchAlgorithmException OSP Android Security Mechanisms, Lecture 8 24/35

25 Message Digest Hash function M essagedigest md = MessageDigest. g e t I n s t a n c e ( SHA 256 ); b y t e [ ] data = getmessage ( ) ; b y t e [ ] hash = md. d i g e s t ( data ) ; Data provided in chuncks using update() then call digest() If data is short and fixed - hashed in one step using digest() OSP Android Security Mechanisms, Lecture 8 25/35

26 Signature Digital signature algorithms based on asymmetric encryption Algorithm name: <digest>with<encryption> Sign: b y t e [ ] data = message to be s i g n e d. g e t B y t e s ( ASCII ) ; S i g n a t u r e s = S i g n a t u r e. g e t I n s t a n c e ( SHA256withRSA ) ; s. i n i t S i g n ( p r i v K e y ) ; s. update ( data ) ; b y t e [ ] s i g n a t u r e = s. s i g n ( ) ; Verify: S i g n a t u r e s = S i g n a t u r e. g e t I n s t a n c e ( SHA256withRSA ) ; s. i n i t V e r i f y ( pubkey ) ; s. update ( data ) ; b o o l e a n v a l i d = s. v e r i f y ( s i g n a t u r e ) ; OSP Android Security Mechanisms, Lecture 8 26/35

27 Cipher Encryption and decryption operations Encryption: S e c r e t key = g e t S e c r e t K e y ( ) ; C i p h e r c = C i p h e r. g e t I n s t a n c e ( AES/CBC/PKCS5Padding ) ; b y t e [ ] i v = new b y t e [ c. g e t B l o c k S i z e ( ) ] ; SecureRandom s r = new SecureRandom ( ) ; s r. n e x t B y t e s ( i v ) ; I v P a r a m e t e r S p e c i v p = new I v P a r a m e t e r S p e c ( i v ) ; c. i n i t ( C i p h e r.encrypt MODE, key, i v p ) ; b y t e [ ] data = Message to e n c r y p t. g e t B y t e s ( UTF 8 ); b y t e [ ] c i p h e r t e x t = c. d o F i n a l ( data ) ; OSP Android Security Mechanisms, Lecture 8 27/35

28 Cipher Decryption: C i p h e r c = C i p h e r. g e t I n s t a n c e ( AES/CBC/PKCS5Padding ) ; c. i n i t ( C i p h e r.decrypt MODE, key, i v p ) ; b y t e [ ] data = c. d o F i n a l ( c i p h e r t e x t ) ; OSP Android Security Mechanisms, Lecture 8 28/35

29 MAC Message Authentication Code algorithms S e c r e t K e y key = g e t S e c r e t K e y ( ) ; Mac m = Mac. g e t I n s t a n c e ( HmacSha256 ) ; m. i n i t ( key ) ; b y t e [ ] data = Message. g e t B y t e s ( UTF 8 ); b y t e [ ] hmac = m. d o F i n a l ( data ) ; OSP Android Security Mechanisms, Lecture 8 29/35

30 KeyGenerator Generates symmetric keys Additional checks for weak keys Set key parity when necessary Takes advantage of the cryptographic hardware KeyGenerator kg = KeyGenerator. g e t I n s t a n c e ( HmacSha256 ) ; S e c r e t K e y key = kg. g e n e r a t e K e y ( ) ; KeyGenerator kg = KeyGenerator. g e t I n s t a n c e ( AES ) ; kg. i n i t ( ) ; S e c r e t K e y key = kg. g e n e r a t e K e y ( ) ; OSP Android Security Mechanisms, Lecture 8 30/35

31 KeyPairGenerator Generates public and private keys K e y P a i r G e n e r a t o r kpg = K e y P a i r G e n e r a t o r. g e t I n s t a n c e ( RSA ) ; kpg. i n i t i a l i z e ( ) ; KeyPair p a i r = kpg. g e n e r a t e K e y P a i r ( ) ; P r i v a t e K e y p r i v = p a i r. g e t P r i v a t e ( ) ; P u b l i c K e y pub = p a i r. g e t P u b l i c ( ) ; OSP Android Security Mechanisms, Lecture 8 31/35

32 Android JCA Providers Harmony s Crypto Provider Limited JCA provider part of the Java runtime library SecureRandom (SHA1PRNG), KeyFactory (DSA) MessageDigest (SHA-1), Signature (SHA1withDSA) Android s Bouncy Castle Provider Full-featured JCA provider Part of the Bouncy Castle Crypto API Cipher, KeyGenerator, Mac, MessageDigest, SecretKeyFactory, Signature, CertificateFactory Large number of algorithms AndroidOpenSSL Provider Native code, performance reasons Covers most functionality of Bouncy Castle Preferred provider Implementation uses JNI to access OpenSSL s native code OSP Android Security Mechanisms, Lecture 8 32/35

33 Outline Signing Applications UIDs and File Access Android Permissions Cryptographic Providers Bibliography OSP Android Security Mechanisms, Lecture 8 33/35

34 Bibliography Android Security Internals, Nikolay Elenkov security/permissions.html OSP Android Security Mechanisms, Lecture 8 34/35

35 Keywords Permissions Protection levels Static enforcement Dynamic enforcement Custom permissions Java Cryptography Architecture Cryptographic Service Provider Engine classes OSP Android Security Mechanisms, Lecture 8 35/35

Android Security Mechanisms

Android Security Mechanisms Lecture 9 Android and Low-level Optimizations Summer School 1 August 2015 This work is licensed under the Creative Commons Attribution 4.0 International License. To view a copy