Android Security
mohammed.pasha@reva.edu.in
PREREQUISITES
1. Android Overview training, or any other Android class that contains the Android Overview module, is required before taking this course.
2. Participants should be familiar with the basics of Java, C/C++, and Linux administration to take full advantage of this course.
3. "Bootcamp-level" knowledge of Android Studio and the Gradle build system is also required.
COURSE OUTCOME
1. Identify various malware families and understand how malware behaves in real-world applications.
2. Implement different malware analysis techniques.
3. Understand malware behavior on Android.
4. Understand the purpose of malware analysis.
5. Identify the various tools used for malware analysis.
SYLLABUS
UNIT I
SYLLABUS
UNIT II
SYLLABUS
UNIT III
ENTERPRISE LEVEL SECURITY FOR MOBILE DEVICES: Security enhancements for Android, Device administration, Customizable secure boot, Knox security, Knox container, TIMA (TrustZone-based Integrity Measurement Architecture), Wi-Fi EAP
SYLLABUS
UNIT IV
References:
1. Erik Hellman, Android Programming: Pushing the Limits, Wiley, 2014. ISBN 978-1-118-71737-0.
2. Keith Makan, Scott Alexander-Bown, Android Security Cookbook, Packt, 2013.
SECURITY IN GENERAL
Apple's security is widely praised, while Android has historically had less credibility in terms of security. Each major vendor anchors its platform security in dedicated hardware:
• Google: the Titan M security chip in Pixel devices
• Apple: the Secure Enclave coprocessor built into Apple's systems on chip (SoCs)
• Samsung: Knox, whose hardware root on recent devices is Knox Vault
Knox Suite is a bundled offering of Knox solutions for enterprise mobility, designed to address organizations' security and management needs throughout the entire device lifecycle.
KNOX SECURITY
• Knox's features fall into three categories: data security, device manageability, and VPN capability.
• Knox also provides web-based services for organizations to manage their devices.
• Organizations can customize their managed mobile devices by configuring various functions.
https://samsungcarecentre.com/samsung-knox-security/
KNOX SECURITY
Knox Vault is an isolated, tamper-resistant secure subsystem with its own processor and memory. It stores sensitive data such as hardware-backed Android Keystore keys, the Samsung Attestation Key, biometric data, and blockchain credentials. It also runs the security-critical code that authenticates users, enforcing increasing timeouts between failed attempts, and releases keys only to callers that have passed that authentication.
https://samsungcarecentre.com/samsung-knox-security/
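The two behaviours the slide attributes to Knox Vault, increasing timeouts between failed authentications and key release gated on a successful authentication, are easy to model in software. The block below is an added example written for this page, not Samsung's code and not how the Vault firmware is implemented: the PIN, the key material, the PBKDF2 verifier and the backoff schedule (doubling from one second) are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 10_000  # assumption: enough to make guessing slow in this demo; real hardware throttles instead


def _hash_pin(salt: bytes, pin: str) -> bytes:
    """Derive a fixed-length verifier from the PIN so the gate never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


class VaultAuthGate:
    """Software model of an authentication-gated key store (constructed example).

    * A wrong PIN doubles the lockout delay: 1 s, 2 s, 4 s, ... up to max_delay.
    * Attempts made while locked are refused without even checking the PIN,
      so an attacker cannot use the lockout window to test guesses.
    * The wrapped key material is returned only on a successful authentication,
      which also resets the failure counter.
    """

    def __init__(self, pin: str, key_material: bytes, base_delay: float = 1.0, max_delay: float = 3600.0):
        self._salt = os.urandom(16)
        self._verifier = _hash_pin(self._salt, pin)
        self._key = key_material  # stands in for a hardware-backed Keystore key
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = 0
        self.locked_until = 0.0  # monotonic timestamp, injected by the caller for testability

    def unlock(self, pin: str, now: float):
        """Return (key_material, 0.0) on success, or (None, seconds_to_wait) on refusal."""
        if now < self.locked_until:
            return None, self.locked_until - now  # throttled: the guess is not evaluated
        if hmac.compare_digest(_hash_pin(self._salt, pin), self._verifier):
            self.failures = 0
            self.locked_until = 0.0
            return self._key, 0.0
        self.failures += 1
        delay = min(self.base_delay * 2 ** (self.failures - 1), self.max_delay)
        self.locked_until = now + delay
        return None, delay


if __name__ == "__main__":
    gate = VaultAuthGate("2468", b"constructed-keystore-key")
    clock = 0.0
    for guess in ("0000", "1111", "2468"):
        key, wait = gate.unlock(guess, clock)
        print(f"t={clock:4.1f}s guess={guess} -> {'KEY RELEASED' if key else f'refused, wait {wait}s'}")
        clock += wait or 1.0
```

Injecting `now` instead of reading the clock inside the class keeps the schedule deterministic, which is what you want when writing tests for any brute-force throttle; it also makes the design point visible: the delay grows with the failure count, not with wall-clock time, so a caller that simply waits out each lockout still pays an exponentially rising price per guess.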
KNOX SECURITY
Real-Time Kernel Protection (RKP)
RKP runs outside the Linux kernel, in a hypervisor or the TrustZone secure world, so it can keep enforcing these checks even after an attacker has gained kernel code execution. It limits the attacks possible on Samsung devices with the following kernel attack prevention features:
•Kernel Text Protection (KTP): prevents any attempt to forge or modify kernel text (code and read-only data).
•Page Table Protection (PTP): prevents any attempt to forge or modify the kernel and user page tables.
•Kernel Data Protection (KDP): prevents any attempt to forge or modify security-critical kernel data such as namespaces, credentials, and security IDs, and blocks double mapping of kernel memory.
•Control Flow Protection (CFP): prevents Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP) attacks that reuse the kernel's own code to piece together an exploit.
Together these cover kernel code, kernel data, and kernel control flow.
https://samsungcarecentre.com/samsung-knox-security/
KNOX SECURITY
https://samsungcarecentre.com/samsung-knox-security/
https://docs.samsungknox.com/admin/efota-common/welcome.htm
https://www.codeproof.com/integrations/knox-mobile-enrollment/
WI-FI EAP
Virtual Private Networks (VPNs) are the preferred way to offer remote access to private enterprise services.
Extensible Authentication Protocol (EAP) is an authentication framework frequently used in wireless networks (WPA-Enterprise, carried over IEEE 802.1X) and on Point-to-Point Protocol (PPP) links. The common EAP methods (PEAP, EAP-TTLS, EAP-TLS) wrap the actual credential exchange in a TLS tunnel, so the client's validation of the server certificate is what keeps a rogue access point from harvesting credentials.
• Master Key
• Blob
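The weak setting practitioners most often find in enterprise Wi-Fi deployments is a client profile that does not validate the RADIUS server's certificate (on Android this is the "Do not validate" CA choice). The checker below is an added example, not part of the page or of any Samsung tool; it audits network blocks written in wpa_supplicant's configuration syntax, which is what Android's Wi-Fi stack drives underneath. The SSIDs, identity, password and CA file path in the sample are constructed for the example.

```python
import re

NETWORK_RE = re.compile(r"network=\{(.*?)\}", re.S)

# Any of these pins the expected server identity, not just the issuing CA.
SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match")


def parse_networks(conf: str) -> list:
    """Parse wpa_supplicant-style network={...} blocks into dicts (comments dropped, quotes stripped)."""
    nets = []
    for body in NETWORK_RE.findall(conf):
        fields = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()
            if "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        nets.append(fields)
    return nets


def audit_eap(net: dict) -> list:
    """Return a list of findings for one network block; an empty list means nothing weak was found."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []  # PSK/open networks are out of scope for an EAP audit
    findings = []
    eap = net.get("eap", "").upper()
    validates_server = "ca_cert" in net or "ca_path" in net
    if not validates_server:
        findings.append("ca_cert missing: the RADIUS server certificate is not validated, "
                        "so a rogue AP with any certificate can terminate the TLS tunnel")
    if not any(k in net for k in SERVER_NAME_KEYS):
        findings.append("no domain_suffix_match/domain_match/altsubject_match: any certificate "
                        "issued by the trusted CA is accepted, not only the organisation's server")
    if eap in ("PEAP", "TTLS") and "MSCHAPV2" in net.get("phase2", "").upper() and not validates_server:
        findings.append("MSCHAPv2 inner authentication inside an unauthenticated tunnel: "
                        "the challenge/response can be captured and cracked offline")
    if eap == "TLS" and not ({"client_cert", "private_key"} <= set(net)):
        findings.append("EAP-TLS network without client_cert/private_key")
    return findings


def audit_config(conf: str) -> dict:
    """Map each SSID in the configuration to its findings."""
    return {net.get("ssid", "?"): audit_eap(net) for net in parse_networks(conf)}


# Constructed sample: the first profile is the weak setting, the second is the corrected one.
SAMPLE_CONF = """
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-fixed"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="hunter2"
    ca_cert="/etc/ssl/corp-radius-ca.pem"     # assumption: path of the enterprise RADIUS CA
    domain_suffix_match="radius.example.com"  # assumption: CN/SAN of the real RADIUS server
    phase2="auth=MSCHAPV2"
}
network={
    ssid="guest"
    key_mgmt=WPA-PSK
    psk="constructed-psk"
}
"""

if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(ssid, "->", findings or "ok")
```

The `domain_suffix_match` check matters even when a CA is configured: with only `ca_cert` set, any server holding a certificate from that CA (a public CA, in the worst case) is accepted as the corporate RADIUS server.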
TIMA: Trust Zone-based Integrity Measurement Architecture
Two components ensure secure booting: Samsung Trusted Boot, and kernel integrity checking through the TrustZone-based Integrity Measurement Architecture (TIMA).
Secure boot is a common Android mechanism used to keep Android devices from booting unapproved software.
Samsung smartphones go beyond the basic Android checks with a series of Samsung proprietary security features that
TIMA combines active and passive protections and runs within the protected world of the TrustZone TEE, so its measurements of the kernel cannot be tampered with by code running in the normal world, even with kernel privileges.
https://www.samsungknox.com/en/blog/samsung-trusted-boot-and-trustzone-integrity-management-explained
Java Decompiler
The "Java Decompiler project" aims to develop tools to decompile and analyze Java 5 bytecode and later versions.
JD-GUI is a standalone graphical utility that displays the Java source code of ".class" files. You can browse the reconstructed source code in JD-GUI for instant access to methods and fields.
JD-Eclipse is a plug-in for the Eclipse platform. It lets you display all the Java sources during your debugging process, even if you do not have them all.
JD-Core is a library that reconstructs Java source code from one or more ".class" files. JD-Core may be used to recover lost source code and to explore the source of Java runtime libraries. Java 5 features such as annotations, generics and "enum" types are supported. JD-GUI and JD-Eclipse include the JD-Core library.
JD-Core, JD-GUI and JD-Eclipse are open source projects released under the GPLv3 license.
Android apps ship Dalvik bytecode (classes.dex inside the APK) rather than ".class" files, so an APK must first be converted to a JAR with a tool such as dex2jar before JD-GUI can open it; decompilers such as jadx read DEX directly.
http://java-decompiler.github.io/
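Before pointing JD-GUI at a file it helps to know what you actually have: a JVM class file carries the 0xCAFEBABE magic and a major version (49 is Java 5, the oldest target the project names), while the file pulled out of an APK is DEX. The identifier below is an added example, not code from the Java Decompiler project; the sample headers are constructed and contain nothing past the header fields.

```python
import struct

CLASS_MAGIC = 0xCAFEBABE
JD_MIN_MAJOR = 49  # Java 5, the oldest bytecode the Java Decompiler project says it targets

# Class-file major version -> Java release, per the JVM specification.
MAJOR_TO_JAVA = {45: "1.1", 46: "1.2", 47: "1.3", 48: "1.4", 49: "5", 50: "6", 51: "7",
                 52: "8", 53: "9", 54: "10", 55: "11", 56: "12", 57: "13", 58: "14",
                 59: "15", 60: "16", 61: "17", 62: "18", 63: "19", 64: "20", 65: "21"}


def identify(data: bytes) -> dict:
    """Classify a bytecode blob by header alone: JVM .class, Android DEX, or unknown.

    The class-file header is magic (u4), minor_version (u2), major_version (u2),
    all big-endian. A DEX file starts with the ASCII magic "dex\\n", a three-digit
    format version and a NUL byte.
    """
    if len(data) >= 8 and struct.unpack_from(">I", data, 0)[0] == CLASS_MAGIC:
        minor, major = struct.unpack_from(">HH", data, 4)
        return {
            "format": "class",
            "major": major,
            "minor": minor,
            "java": MAJOR_TO_JAVA.get(major, f"unknown (major {major})"),
            "decompilable_by_jd": major >= JD_MIN_MAJOR,
        }
    if len(data) >= 8 and data[:4] == b"dex\n" and data[7:8] == b"\0":
        return {
            "format": "dex",
            "version": data[4:7].decode("ascii", "replace"),
            # JD-GUI does not read DEX: run dex2jar first (or use a DEX-aware tool such as jadx)
            "decompilable_by_jd": False,
        }
    # An APK itself is a ZIP ("PK\x03\x04"): unpack it and classify classes.dex instead
    return {"format": "unknown", "decompilable_by_jd": False}


# Constructed headers for the example: a Java 8 class (major 52) and a DEX 035 file.
SAMPLE_CLASS_HEADER = struct.pack(">IHH", CLASS_MAGIC, 0, 52) + b"\x00" * 8
SAMPLE_DEX_HEADER = b"dex\n035\0" + b"\x00" * 8

if __name__ == "__main__":
    for blob in (SAMPLE_CLASS_HEADER, SAMPLE_DEX_HEADER, b"PK\x03\x04"):
        print(identify(blob))
```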
CFF Explorer
CFF Explorer was designed to make PE editing as easy as possible without losing sight of the portable executable's internal structure. This application includes a series of tools which might help not only reverse engineers but also
CFF Explorer is the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata fields and flags. If you are programming something that deals with .NET metadata, you will need this tool. The resource viewer supports .NET image formats such as icons, bitmaps and PNGs. You can analyze .NET files without installing the .NET Framework, because the tool has its own functions for accessing the .NET format.
CFF Explorer
Features:
• Powerful scripting language
• Dependency Walker
• Quick Disassembler (x86, x64, MSIL)
• Name Unmangler
• Extension support
• File Scanner
• Directory Scanner
• Deep Scan method
• Recursive Scan method
• Multiple results
• Report generation
• Signatures Manager
• Signatures Updater
• Signatures Collisions Checker
• Process Viewer
• Drivers Viewer
• Windows Viewer
• PE and Memory Dumper
• Full support for PE32/64
• Special fields description and modification (.NET supported)
• PE Utilities
• Hex Editor
• Import Adder
• PE integrity checks
• Visual Studio Extensions Wizard
• Signatures Retriever
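What lets a PE editor tell a .NET assembly from a native executable is the CLR runtime header, which the optional header's data directory number 14 points at. The parser below is an added example and not CFF Explorer's code: it walks the DOS header, PE signature, COFF header and optional header to that directory. The `build_pe` helper constructs minimal headers (no sections, no real code) purely so the parser has input; the values it fills in are assumptions for the example.

```python
import struct

MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0x1C4: "ARMNT", 0xAA64: "ARM64"}
PE32, PE32PLUS = 0x10B, 0x20B
CLR_DIRECTORY = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def parse_pe(data: bytes) -> dict:
    """Return machine, PE32/PE32+ flag and whether a CLR runtime header is present."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == PE32PLUS:
        pe32plus, dir_off = True, 112   # NumberOfRvaAndSizes sits at 108, directories at 112
    elif magic == PE32:
        pe32plus, dir_off = False, 96   # NumberOfRvaAndSizes sits at 92, directories at 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs, = struct.unpack_from("<I", data, opt + dir_off - 4)
    clr_rva = clr_size = 0
    # Only read the CLR entry if the header actually contains it (ndirs and opt_size both permit it)
    if ndirs > CLR_DIRECTORY and opt_size >= dir_off + (CLR_DIRECTORY + 1) * 8:
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + dir_off + CLR_DIRECTORY * 8)
    return {
        "machine": MACHINES.get(machine, f"{machine:#x}"),
        "pe32plus": pe32plus,
        "sections": nsections,
        "executable": bool(characteristics & 0x0002),
        "dotnet": clr_rva != 0 and clr_size != 0,
        "clr_header": (clr_rva, clr_size),
    }


def build_pe(pe32plus: bool, dotnet: bool) -> bytes:
    """Constructed minimal PE headers for the example: DOS stub, PE signature, COFF and optional header."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew: PE header right after the DOS header
    dir_off = 112 if pe32plus else 96
    opt = bytearray(dir_off + 16 * 8)                 # 16 data directories
    struct.pack_into("<H", opt, 0, PE32PLUS if pe32plus else PE32)
    struct.pack_into("<I", opt, dir_off - 4, 16)      # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, dir_off + CLR_DIRECTORY * 8, 0x2008, 72)  # assumed RVA; 72 = sizeof(IMAGE_COR20_HEADER)
    machine = 0x8664 if pe32plus else 0x14C
    characteristics = 0x0002 | (0x0020 if pe32plus else 0x0100)  # executable | large-address-aware / 32-bit
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for pe32plus, dotnet in ((True, True), (False, False)):
        print(parse_pe(build_pe(pe32plus, dotnet)))
```

Checking for the CLR directory is more robust than looking for an import of mscoree.dll, because 64-bit and AnyCPU assemblies may have an empty import table; the RVA and size must both be non-zero, since an all-zero entry is what native linkers emit.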
Customizable secure boot
Secure Boot can be customized to meet the needs of different environments. Customization lets administrators keep the benefits of boot malware defenses, insider threat mitigations, and data-at-rest protections while still running the software they need. Administrators should customize Secure Boot rather than disable it for compatibility reasons.
Secure boot
Secure Boot is a security standard developed by members of the PC industry to help make sure that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system. On Android the same idea is implemented by Android Verified Boot: the bootloader checks the signature on the boot image against a key fixed in the device, and dm-verity checks the integrity of the system partitions block by block while the device runs.
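The two mechanisms this page describes work on different timescales: secure boot verifies each stage once, before handing control to it, while TIMA (and the kernel text protection under RKP) re-measures the running kernel after boot. The block below models both as an added example that is not Samsung's or Android's code. Real secure boot verifies an RSA or ECDSA signature against the OEM public key; because the Python standard library has no signature primitive, this model substitutes a pinned SHA-256 digest for the signature check (the hardware "pins" the first stage's digest, and each image carries the digest it vouches for in a trailer). The stage names and image bytes are constructed.

```python
import hashlib
import hmac

DIGEST_LEN = 32


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_stage(code: bytes, next_digest: bytes = b"\0" * DIGEST_LEN) -> bytes:
    """Constructed boot image: code followed by the digest of the next stage it vouches for.

    The last stage carries an all-zero trailer. A signed manifest would play this
    role on real hardware; the digest here is the substitution explained above.
    """
    return code + next_digest


def verify_boot_chain(root_digest: bytes, images: list) -> list:
    """Walk the chain like a bootloader would and return one verdict per stage checked.

    root_digest stands in for the OEM key fused into the SoC. Verification stops at
    the first mismatch, mirroring a bootloader that refuses to jump to a bad image,
    so the returned list is shorter than `images` when the chain is broken.
    """
    verdicts = []
    expected = root_digest
    for image in images:
        ok = hmac.compare_digest(sha256(image), expected)
        verdicts.append(ok)
        if not ok:
            break
        expected = image[-DIGEST_LEN:]  # the verified stage says what the next one must hash to
    return verdicts


class KernelTextMonitor:
    """Runtime measurement in the style of TIMA: baseline kernel text at boot, re-measure later.

    This catches modification of code and read-only data (what KTP protects). It does
    not see data-only attacks such as an overwritten credential structure, which is
    why RKP pairs it with page-table and kernel-data protection.
    """

    def __init__(self, kernel_text: bytes):
        self.baseline = sha256(kernel_text)

    def check(self, current_text: bytes) -> bool:
        return hmac.compare_digest(sha256(current_text), self.baseline)


if __name__ == "__main__":
    kernel = make_stage(b"constructed kernel image")
    bootloader = make_stage(b"constructed bootloader", sha256(kernel))
    root = sha256(bootloader)  # what the hardware would pin
    print("good chain:", verify_boot_chain(root, [bootloader, kernel]))
    patched = make_stage(b"constructed kernel image + rootkit")
    print("patched kernel:", verify_boot_chain(root, [bootloader, patched]))
    monitor = KernelTextMonitor(b"\x90" * 64)
    print("runtime text intact:", monitor.check(b"\x90" * 64), "after patch:", monitor.check(b"\x90" * 63 + b"\xcc"))
```

The second demo in `__main__` is the case that secure boot alone misses: an attacker who gains code execution after boot and patches the resident kernel leaves the on-disk images, and therefore the boot-time check, untouched; only a runtime re-measurement notices.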
Screen Security
Pattern Unlock
Face Unlock
uses the device’s front-facing camera to register an image of the owner’s face and
Quick notes
Full device backups can be encrypted with a key derived from a user-supplied password, which makes it harder to read device data that has been extracted into a backup; the protection is only as strong as that password, since the derivation parameters are stored in the backup header. To achieve a higher level of device security, all supported security
Android has included a powerful device interaction toolkit that allows interactive debugging and inspecting device state,
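The note on encrypted backups is concrete enough to show in code: the `adb backup` file begins with a text header that states the format version, whether the tar stream is compressed, and, for AES-256 backups, the salts, PBKDF2 round count, IV and encrypted master-key blob needed to unwrap the key from the user's password. The parser below is an added example, not Android's BackupManagerService code; the salts, IV and blob in the sample are constructed placeholder bytes, and since the standard library has no AES the example stops after deriving the user key that would unwrap the blob.

```python
import hashlib

MAGIC = b"ANDROID BACKUP\n"


def parse_backup_header(data: bytes) -> dict:
    """Parse the header of an `adb backup` file and return its fields plus the payload offset.

    Lines after the magic: format version, compressed flag ("1"/"0"), encryption
    algorithm ("none" or "AES-256"). For AES-256 five hex-encoded lines follow:
    user-password salt, master-key checksum salt, PBKDF2 rounds, user IV, and the
    master-key blob encrypted under the password-derived key.
    """
    if not data.startswith(MAGIC):
        raise ValueError("not an Android backup file")
    pos = len(MAGIC)

    def next_line() -> str:
        nonlocal pos
        end = data.index(b"\n", pos)
        value = data[pos:end].decode("ascii")
        pos = end + 1
        return value

    header = {"version": int(next_line()), "compressed": next_line() == "1", "encryption": next_line()}
    if header["encryption"] == "AES-256":
        header["user_salt"] = bytes.fromhex(next_line())
        header["checksum_salt"] = bytes.fromhex(next_line())
        header["rounds"] = int(next_line())
        header["user_iv"] = bytes.fromhex(next_line())
        header["master_key_blob"] = bytes.fromhex(next_line())
    elif header["encryption"] != "none":
        raise ValueError(f"unknown encryption algorithm {header['encryption']!r}")
    header["payload_offset"] = pos  # the (optionally deflated) tar stream starts here
    return header


def derive_user_key(password: str, user_salt: bytes, rounds: int) -> bytes:
    """PBKDF2-HMAC-SHA1 over the user password; the 32-byte result unwraps the master-key blob.

    Everything except the password is in the header, so an offline guess costs
    exactly `rounds` HMAC iterations: the password is the whole secret.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), user_salt, rounds, dklen=32)


# Constructed sample header: version 5, compressed, AES-256, 10000 rounds, placeholder salts/IV/blob.
SAMPLE_BACKUP = (
    MAGIC + b"5\n1\nAES-256\n"
    + b"11" * 64 + b"\n"   # user salt (64 bytes, hex)
    + b"22" * 64 + b"\n"   # checksum salt
    + b"10000\n"           # PBKDF2 rounds
    + b"33" * 16 + b"\n"   # user IV
    + b"44" * 48 + b"\n"   # encrypted master-key blob (not decryptable in this example)
    + b"deflate-stream-follows"
)

if __name__ == "__main__":
    hdr = parse_backup_header(SAMPLE_BACKUP)
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in hdr.items()})
    print("user key:", derive_user_key("correct horse", hdr["user_salt"], hdr["rounds"]).hex())
```

A forensic workflow would continue by AES-256-CBC-decrypting `master_key_blob` with the derived key and `user_iv`, then using the recovered master key on the payload; the point for a defender is that nothing in that chain slows an attacker except the round count and the password's entropy.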