Scribd Logo
Upload

Welcome to Scribd!

  • MDD08 Security

    Uploaded by

    jack.johnson.jj1234
    16 views24 pages

    Original Title

    MDD08-security

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    16 views24 pages

    MDD08 Security

    Uploaded by

    jack.johnson.jj1234

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 24

    + MDD08 Security

    08A Android Security


    Architecture
    08B App Permissions
    08C Mobile Attacks
    08D Usable Security

    CS2002S: Mobile Development and


    Design

    CSC2002S Melissa Densmore, UCT

    Face Authentication diagram https://source.android.com/security/biometric/face-


    authentication

    1
    All aps share the content providers, notification
    system etc and need to be explicitly secured

    Android Application Runtime: Android apps are most often written in the Java programming language and run in the Android runtime (ART).
    However, many apps, including core Android services and apps, are native apps or include native libraries. Both ART and native apps run within
    the same security environment, contained within the Application Sandbox. Apps get a dedicated part of the file system in whic h they can write
    private data, including databases and raw files.

    https://source.android.com/security

    2
    Here we can see the application runtime
    using the shared space on the android
    System to start new activities (screens)

    3
    4

    Melissa Densmore, UCT CSC2002S

    4
    Implicit intents do not name a specific component, but instead declare a general action to perform, which
    allows a component from another app to handle it. For example, if you want to show the user a location on a
    map, you can use an implicit intent to request that another capable app show a specified location on a map.

    Explicit intents specify which application will satisfy the intent, by supplying either the target app's package
    name or a fully-qualified component class name. You'll typically use an explicit intent to start a component in
    your own app, because you know the class name of the activity or service you want to start. For example, you
    might start a new activity within your app in response to a user action, or start a service to download a file in the
    background.

    5
    6

    Melissa Densmore, UCT CSC2002S

    6
    7

    Melissa Densmore, UCT CSC2002S

    7
    8
    9
    10

    Melissa Densmore, UCT CSC2002S

    10
    + MDD08 Security
    08A Android Security
    Architecture
    08B App Permissions
    08C Mobile Attacks
    08D Usable Security

    CS2002S: Mobile Development and


    Design

    CSC2002S Melissa Densmore, UCT

    11
    12

    Install Time Run Time Special


    Permissions Permissions Permissions

    Normal/ Dangerous
    Signature

    Limited access to Additional access to Special permissions


    restricted data restricted data correspond to
    Minimally affect more substantially particular app
    the system or other affect the system operations. Only the
    apps. automatically and other apps. platform and
    grants your app the OEMs can define
    permissions when Many runtime special
    the user installs your permissions permissions.
    app access private user
    data
    REQUEST

    Melissa Densmore, UCT CSC2002S

    12
    13

    Melissa Densmore, UCT CSC2002S

    13
    14

    https://developer.android.com/guide/topics/permissions/overview

    Melissa Densmore, UCT CSC2002S

    14
    + MDD08 Security
    08A Android Security
    Architecture
    08B App Permissions
    08C Mobile Attacks
    08D Usable Security

    CS2002S: Mobile Development and


    Design

    CSC2002S Melissa Densmore, UCT

    Skull and crossbones from:


    https://techgenix.com/mobile-security-threats/
    Lock and Key
    https://www.mobileappdaily.com/most-common-mobile-cyber-security-threats

    15
    Intent Vulnerabilities
    There are two main ways that the security of intents can be compromised:
    • Intent interception involves a malicious app receiving an intent that was
    not intended for it. This can cause a leak of sensitive information, but more
    importantly it can result in the malicious component being activated
    instead of the legitimate component. For example, if a malicious activity
    intercepted an intent then it would appear on the screen instead of the
    legitimate activity.
    • Intent spoofing is an attack where a malicious application induces
    undesired behavior by forging an intent.

    16
    “Cyber Defense company counted more than 4.18
    million malicious Android apps in 2019. New
    negative record value for Android malware: The
    experts at G DATA CyberDefense counted more than
    4.18 million malicious apps in 2019, with an
    average of around 11,500 new Android malicious
    apps appearing every day. The focus is on adware, in
    order to access personal data and resell it.”

    Melissa Densmore, UCT CSC2002S

    17
    Melissa Densmore, UCT CSC2002S

    18
    19

    https://www.itworldcanada.com/blog/understanding -android-malware-families-uamf-the-foundations-
    article-1/441562
    Melissa Densmore, UCT CSC2002S

    19
    20

    Melissa Densmore, UCT https://mobsf.github.io/docs/#/ CSC2002S

    20
    + 21

    Sample Test

    Melissa Densmore, UCT CSC2002S

    21
    + 22

    CSC2002S

    22
    + MDD08 Security
    08A Android Security
    Architecture
    08B App Permissions
    08C Mobile Attacks
    08D Usable Security

    CS2002S: Mobile Development and


    Design

    CSC2002S Melissa Densmore, UCT

    23
    24
    Informative Permission Aim for SPAs
    Rationales

    Keep your user


    Security by Design informed

    Ask only what you Byte size chunks of


    need security information

    Transparency Simplicity

    Required Reading: https://developer.android.com/topic/security/best -practices

    Melissa Densmore, UCT CSC2002S

    24

    You might also like