php|architect's Guide to PHP Security: A Step-by-step Guide to Writing Secure and Reliable PHP Applications
Ilia Alshanetsky. Foreword by Rasmus Lerdorf. A NanoBook from the publishers of php|architect (http://www.phparch.com). Contents Copyright © 2005 Ilia Alshanetsky; book and cover layout, design and text Copyright © 2005 Marco Tabini & Associates, Inc. First Edition. ISBN 0-9738621-0-6. Produced in Canada, printed in the United States.

Topics covered:
• Techniques applicable to any version of PHP, including 4.x and 5.x
• A step-by-step guide to securing your applications
• Comprehensive coverage of security design
• How to defend yourself from hackers
• How to distract hackers with a "tar pit" to help fend off potential attacks
Understanding Android Security
Presentation by Yinshu Wu of the paper by William Enck, Machigar Ongtang, and Patrick McDaniel (Pennsylvania State University)

Outline
I. Introduction
II. Android Applications
III. Security Enforcement
IV. Security Refinements
V. Lessons in Defining Policy

I. Introduction
• The next generation of open operating systems will be developed on small mobile devices.
• Android (Google) is a widely anticipated open source operating system for mobile devices. It provides the base operating system, an application middleware layer, a Java software development kit, and a collection of system applications.

Features of Android
1. Does not support applications developed for other platforms.
2. Restricts application interaction to its special APIs by running each application as its own user identity.
3. Uses a simple permission label assignment model to restrict access to resources and other applications.

II. Android Applications

Example: a location-sensitive social networking application for mobile phones in which users can discover their friends' locations.

Component types
• Activities provide a user interface.
• Services execute background processing.
• Content providers are data storage facilities.
• Broadcast receivers act as mailboxes for messages from other applications.

Components of the FriendTracker example application
• FriendTracker (Service) polls an external service to discover friends' locations.
• FriendProvider (Content provider) maintains the most recent geographic coordinates for friends.
• FriendTrackerControl (Activity) defines a user interface for starting and stopping the tracking functionality.
• BootReceiver (Broadcast receiver) gets a notification from the system once it boots; the application uses this to automatically start the FriendTracker service.

Component Interaction
• Intent: the primary mechanism for component interaction; simply a message object containing a destination component address and data.
• Action: the operation an intent asks the target component to perform; inter-component communication is expressed as such actions.
• Example: interaction between components within an application and with components in system applications. Interactions occur primarily at the component level.
• Each component type supports interaction specific to its type. For example, Service components support start, stop, and bind actions, so the FriendTrackerControl (Activity) can start and stop the FriendTracker (Service) that runs in the background.

III. Security Enforcement
• Android protects applications at the system level and at the inter-component communication (ICC) level. This article focuses on ICC-level enforcement.
• Each application runs as a unique user identity, which lets Android limit the potential damage of programming flaws.
• Example: Protection. Security enforcement in Android occurs in two places: each application executes as its own user identity, allowing the underlying Linux system to provide system-level isolation; and the Android middleware contains a reference monitor that mediates the establishment of ICC.
• The core idea of Android security enforcement is the assignment of labels to applications and components.
• A reference monitor provides mandatory access control (MAC) enforcement of how applications access components.
• Access to each component is restricted by assigning it an access permission label; applications are assigned collections of permission labels.
• When a component initiates ICC, the reference monitor looks at the permission labels assigned to its containing application and, if the target component's access permission label is in that collection, allows ICC establishment to proceed.
• Example: Access permission logic. The basic enforcement model is the same for all component types. Component A's ability to access components B and C is determined by comparing the access permission labels on B and C to the collection of labels assigned to application 1.

Security Enforcement: Conclusion
• Assigning permission labels to an application specifies its protection domain.
• Assigning permissions to the components in an application specifies an access policy to protect its resources.
• Android's policy enforcement is mandatory: all permission labels are set at install time and cannot change until the application is reinstalled.
• Android's permission label model only restricts access to components and does not currently provide information flow guarantees.

IV. Security Refinements

Public vs. Private Components
• Applications often contain components that another application should never access, for example a component related to password storage.
• The solution is to define such a component as private. This significantly reduces the attack surface for many applications.

Android Apps Security
Sheran A. Gunasekera. Published by Apress.
Contents at a Glance
About the Author
About the Technical Reviewer
Acknowledgments
Chapter 1: Android Architecture
Chapter 2: Information: The Foundation of an App
Chapter 3: Android Security Architecture
Chapter 4: Concepts in Action – Part 1
Chapter 5: Data Storage and Cryptography
Chapter 6: Talking to Web Apps
Chapter 7: Security in the Enterprise
Chapter 8: Concepts in Action: Part 2
Chapter 9: Publishing and Selling Your Apps
Chapter 10: Malware and Spyware
Appendix A: Android Permission Constants
Index

Chapter 1: Android Architecture

Google entered the mobile phone market in a style that only multibillion-dollar companies can afford: it bought a company. In 2005, Google, Inc. purchased Android, Inc. At the time, Android was relatively unknown, despite having four very successful people as its creators. Founded by Andy Rubin, Rich Miner, Chris White, and Nick Sears in 2003, Android flew under the radar, developing an operating system for mobile phones. With a quest to develop a smarter mobile phone that was more aware of its owner's preferences, the team behind the Android operating system toiled away in secrecy. Admitting only that they were developing software for mobile phones, the team remained quiet about the true nature of the Android operating system until the acquisition in 2005. With the full might of Google's resources behind it, Android development increased at a rapid pace. By the second quarter of 2011, Android had already captured nearly a 50% market share in mobile phone operating systems shipped to end users. The four founders stayed on after the acquisition, with Rubin taking the lead as Senior Vice President of Mobile. The official launch of version 1.0 of Android took place on September 23, 2008, and the first device to run it was the HTC Dream (see Figure 1-1).

One of the unique features of the Android operating system that has allowed it to grow rapidly has been that the binaries and source code are released as open source software. You can download the entire source code of the Android operating system, and it takes up approximately 2.6 GB of disk space. In theory, this allows anyone to design and build a phone that runs Android. The idea

Application Security for the Android Platform
Jeff Six. Copyright © 2012 Jeff Six. All rights reserved. Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. Editors: Andy Oram and Mike Hendrickson. Production Editor and Proofreader: Melanie Yarbrough. Cover Designer: Karen Montgomery. Interior Designer: David Futato. Illustrator: Robert Romano. Revision History for the First Edition: 2011-12-02, first release (see http://oreilly.com/catalog/errata.csp?isbn=9781449315078 for release details). ISBN: 978-1-449-31507-8.

Table of Contents
Preface
1. Introduction
  Application Security: Why You Should Care
  The Current State of Mobile Application Security on Android
  Security: Risk = Vulnerability + Threat + Consequences
  Evolution of Information Security: Why Applications Matter the Most
  Your Role: Protect the Data
  Secure Software Development Techniques
  Unique Characteristics of Android
  Moving On
2. Android Architecture
  Introduction to the Android Architecture
  The Linux Security Model
  The Resulting Android Security Model
  Application Signing, Attribution, and Attestation
  Process Design
  Android Filesystem Isolation
  Android Preferences and Database Isolation
  Moving up the Layers to System API and Component Permissions
3. Application Permissions
  Android Permission Basics
  Using Restricted System APIs and the User Experience
  Custom Permissions
4. Component Security and Permissions
  The Types of Android Components
  Intercomponent Signaling Using Intents
  Public and Private Components
  Imposing Restrictions on Access to Components
  Securing Activities
  Securing Services
  Securing Content Providers
  Securing Broadcast Intents
  Putting It All Together: Securing Communications in a
Understanding Android Security (continued)

IV. Security Refinements (continued)

Implicitly Open Components
• If a public component does not have an access permission listed in its manifest definition, Android permits any application to access it.

Broadcast Intent Permissions
• Sending an unprotected broadcast intent is a privacy risk.
• The Android API for broadcasting intents optionally allows the developer to specify a permission label to restrict access to the intent object.

Content Provider Permissions
• An application may wish to be the only one to update the contents of its provider, but still allow other applications to read them. Android allows such a security policy by assigning separate read and write permissions.

Protected APIs
• Not all system resources (for example, the network) are accessed through components; instead, Android provides direct API access.
• Android protects these sensitive APIs with additional permission label checks: an application must declare the corresponding permission label in its manifest file to use them.

Permission Protection Levels
• The permission protection levels provide a means of controlling how developers assign permission labels.
• Signature permissions ensure that only the framework developer can use the specific functionality (only Google applications can directly interface with the telephony API, for example).

Pending Intents
• A pending intent is a reference pointer that can be passed to another application.
• Pending intents allow applications included with the framework to integrate better with third-party applications.

V. Lessons in Defining Policy
• Android security policy begins with a relatively easy-to-understand MAC enforcement model, but the number and subtlety of refinements make it difficult to discover an application's policy.
• The label itself ...
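The enforcement model of section III and the refinements of section IV (private versus public components, implicitly open components, broadcast intent permissions, content provider read/write permissions, and protected APIs) can be exercised together in one small model. The following Python is an added example and is not code from the paper, the slides, or the Android platform: the application, component and permission names (FriendViewer, Snoop, the example.permission.* labels) are made up for the example, and on a real device this decision is taken inside the system server's reference monitor, never by application code.

```python
# Added example, not code from the paper, the slides, or the Android platform: a toy
# model of the ICC reference monitor and of the refinements described above. The
# application, component and permission names are made up; on a real device this
# decision is made inside the system server, never by application code.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    kind: str                               # activity | service | provider | receiver
    exported: bool = True                   # False = private: only its own app may use it
    permission: Optional[str] = None        # access permission label; None = implicitly open
    read_permission: Optional[str] = None   # providers only: separate read label
    write_permission: Optional[str] = None  # providers only: separate write label


@dataclass(frozen=True)
class App:
    name: str
    uid: int                                # each application runs as its own Linux user
    permissions: FrozenSet[str]             # protection domain, fixed at install time
    components: Tuple[Component, ...] = ()

    def component(self, name: str) -> Component:
        return next(c for c in self.components if c.name == name)


def check_icc(caller: App, owner: App, target: Component, access: str = "access") -> bool:
    """May `caller` establish ICC with `target`, a component of application `owner`?
    For content providers pass access="read" or "write" so the split labels apply."""
    if not target.exported:                 # private component: same application only
        return caller.uid == owner.uid
    if caller.uid == owner.uid:             # an application always reaches its own components
        return True
    if target.kind == "provider" and access in ("read", "write"):
        split = target.read_permission if access == "read" else target.write_permission
        required = split or target.permission
    else:
        required = target.permission
    if required is None:                    # implicitly open: no label listed in the manifest
        return True
    return required in caller.permissions   # the MAC label check itself


def check_api(caller: App, api_permission: str) -> bool:
    """Protected APIs (network, telephony) are not components, but the same label check
    guards them: the caller must have declared the label in its manifest."""
    return api_permission in caller.permissions


def deliver_broadcast(sender: App, receivers: List[Tuple[App, Component]],
                      sender_requires: Optional[str] = None) -> List[str]:
    """Names of the receivers that get a broadcast. `sender_requires` is the optional
    label attached to the intent: a receiving application must hold it. A receiver's
    own label, if any, must in turn be held by the sender (the ordinary ICC check)."""
    delivered = []
    for app, receiver in receivers:
        if (sender_requires and app.uid != sender.uid
                and sender_requires not in app.permissions):
            continue
        if check_icc(sender, app, receiver):
            delivered.append(receiver.name)
    return delivered


# Constructed world: the slides' FriendTracker application, a viewer application meant
# to use it, an untrusted third application, and the system itself.
PERM_SERVICE = "example.permission.FRIEND_SERVICE"
PERM_READ = "example.permission.READ_FRIENDS"
PERM_WRITE = "example.permission.WRITE_FRIENDS"
PERM_BOOT = "example.permission.BOOT_EVENT"
PERM_INTERNET = "example.permission.INTERNET"

FRIEND_TRACKER = App("FriendTracker", 10001, frozenset({PERM_INTERNET, PERM_READ, PERM_WRITE}), (
    Component("FriendTracker", "service", permission=PERM_SERVICE),
    Component("FriendProvider", "provider", read_permission=PERM_READ, write_permission=PERM_WRITE),
    Component("FriendTrackerControl", "activity"),                # implicitly open
    Component("BootReceiver", "receiver", permission=PERM_BOOT),   # only the system holds this
    Component("PasswordStore", "provider", exported=False),        # private
))
FRIEND_VIEWER = App("FriendViewer", 10002, frozenset({PERM_SERVICE, PERM_READ}),
                    (Component("LocationReceiver", "receiver"),))
SNOOP = App("Snoop", 10003, frozenset(), (Component("SnoopReceiver", "receiver"),))
SYSTEM = App("system", 1000, frozenset({PERM_BOOT}))

if __name__ == "__main__":
    ft = FRIEND_TRACKER
    for caller in (FRIEND_VIEWER, SNOOP):
        print(caller.name,
              "start service:", check_icc(caller, ft, ft.component("FriendTracker")),
              "read provider:", check_icc(caller, ft, ft.component("FriendProvider"), "read"),
              "write provider:", check_icc(caller, ft, ft.component("FriendProvider"), "write"),
              "private store:", check_icc(caller, ft, ft.component("PasswordStore")),
              "network API:", check_api(caller, PERM_INTERNET))
    boot = [(ft, ft.component("BootReceiver"))]
    print("boot event from system:", deliver_broadcast(SYSTEM, boot),
          "from Snoop:", deliver_broadcast(SNOOP, boot))
    listeners = [(FRIEND_VIEWER, FRIEND_VIEWER.component("LocationReceiver")),
                 (SNOOP, SNOOP.component("SnoopReceiver"))]
    print("location update unprotected:", deliver_broadcast(ft, listeners),
          "with READ_FRIENDS required:", deliver_broadcast(ft, listeners, PERM_READ))
```

Two points the model makes visible: FriendViewer can read FriendProvider but not write it, because the provider carries split labels; and Snoop, which holds no labels at all, can still open FriendTrackerControl, because a public component with no label is implicitly open. The broadcast of a location update reaches Snoop's receiver unless the sender attaches a permission label to the intent, which is exactly the privacy risk the slides warn about.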
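The two remaining refinements, permission protection levels and pending intents, are about when a label is granted and whose labels are checked, not about the component check itself. The following Python is an added example, not code from the paper, the slides, or the Android platform: the permission names, key identities and package names are made up, and it models the install-time grant the slides describe (later Android versions added runtime prompts for dangerous permissions, which this model deliberately does not cover).

```python
# Added example, not code from the paper, the slides, or the Android platform: a toy
# model of how permission labels are granted at install time according to their
# protection level (the install-time model the slides describe, before Android added
# runtime prompts) and of the identity a pending intent carries. Names are made up.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class PermissionDef:
    name: str
    level: str            # normal | dangerous | signature | signatureOrSystem
    definer_signer: str   # identity of the key that signed the package defining the label


@dataclass(frozen=True)
class Package:
    name: str
    signer: str                 # identity of the key the package is signed with
    system_image: bool          # shipped in the system image?
    requested: FrozenSet[str]   # the manifest's uses-permission entries


def grant_at_install(pkg: Package, defs: Dict[str, PermissionDef]) -> FrozenSet[str]:
    """The labels a package holds from install until it is reinstalled."""
    granted = set()
    for name in sorted(pkg.requested):
        d = defs.get(name)
        if d is None:
            continue                                   # undefined label: never granted
        if d.level == "normal":
            granted.add(name)                          # granted without asking
        elif d.level == "dangerous":
            granted.add(name)                          # listed to the user, who accepts by installing
        elif d.level == "signature":
            if pkg.signer == d.definer_signer:         # same signing key as the definer only
                granted.add(name)
        elif d.level == "signatureOrSystem":
            if pkg.signer == d.definer_signer or pkg.system_image:
                granted.add(name)
    return frozenset(granted)


@dataclass(frozen=True)
class PendingIntent:
    creator: str                       # package that built the pending intent
    target_permission: Optional[str]   # label protecting the component it points at


def can_access_directly(pkg_name: str, grants: Dict[str, FrozenSet[str]],
                        target_permission: Optional[str]) -> bool:
    return target_permission is None or target_permission in grants[pkg_name]


def fire_pending_intent(pi: PendingIntent, holder: str,
                        grants: Dict[str, FrozenSet[str]]) -> bool:
    """`holder` triggers the pending intent, but the check uses the creator's labels:
    the creator has delegated its own access, whatever `holder` itself may hold."""
    if holder not in grants:
        raise KeyError(holder)                         # only installed packages can hold one
    return can_access_directly(pi.creator, grants, pi.target_permission)


# Constructed example: four platform-defined labels, one per level, and three packages
# that all request every one of them.
PLATFORM_KEY = "platform-key"
DEFS = {d.name: d for d in (
    PermissionDef("example.permission.INTERNET", "normal", PLATFORM_KEY),
    PermissionDef("example.permission.READ_CONTACTS", "dangerous", PLATFORM_KEY),
    PermissionDef("example.permission.CALL_PRIVILEGED", "signature", PLATFORM_KEY),
    PermissionDef("example.permission.WRITE_SECURE_SETTINGS", "signatureOrSystem", PLATFORM_KEY),
)}
THIRD_PARTY = Package("com.example.thirdparty", "dev-key", False, frozenset(DEFS))
OEM_APP = Package("com.example.oem", "oem-key", True, frozenset(DEFS))
PHONE_APP = Package("com.example.phone", PLATFORM_KEY, True, frozenset(DEFS))


def install_all() -> Dict[str, FrozenSet[str]]:
    return {p.name: grant_at_install(p, DEFS) for p in (THIRD_PARTY, OEM_APP, PHONE_APP)}


if __name__ == "__main__":
    grants = install_all()
    for name, labels in grants.items():
        print(name, sorted(labels))
    # The platform phone application hands the third party a pending intent aimed at a
    # component it protects with the signature-level label.
    pi = PendingIntent(PHONE_APP.name, "example.permission.CALL_PRIVILEGED")
    print("third party directly:", can_access_directly(THIRD_PARTY.name, grants, pi.target_permission))
    print("third party via pending intent:", fire_pending_intent(pi, THIRD_PARTY.name, grants))
```

The third-party package never obtains the signature-level label no matter what it requests, which is the guarantee the slides attribute to signature permissions; the OEM package, shipped in the system image but signed with a different key, obtains the signatureOrSystem label but not the signature one. The pending intent is the deliberate exception: the third party cannot reach the protected component directly, yet it can trigger the pending intent the platform application gave it, because the monitor checks the creator's labels. That is why a pending intent handed to an untrusted application should point only at the exact operation the creator meant to delegate.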