
B21DCS313: Android Security

School of Computer Science – Bsc (Cyber Security)

mohammed.pasha@reva.edu.in
PREREQUISITES

1. Before taking this course, Android Overview training or any other Android class
that contains Android Overview module is required.
2. It is highly recommended that participants be familiar with the basics of Java, C/C++,
and Linux administration to take full advantage of this course.
3. Additionally, "bootcamp-level" knowledge of Android Studio and the Gradle
build system is required.

COURSE OUTCOME

1. Identify various kinds of malware and understand how malware behaves in real-world
applications.
2. Implement different malware analysis techniques.
3. Understand malware behavior on Android.
4. Understand the purpose of malware analysis.
5. Identify the various tools for malware analysis.

SYLLABUS

UNIT I

INTRODUCTION TO ANDROID OPERATING SYSTEMS: Introduction to Android, Android API, DVM,
APK File Structure, Basic Analysis of an APK, Dex structure, Parsing, APK install process,
Android Root.

APPLICATION SECURITY: Inspecting the AndroidManifest.xml file - Introduction to Android
Debugging Tools and Their Usage, Interacting with the Activity Manager via ADB - Extracting
Application Resources via ADB, Inspecting Application Certificates and Signatures - Verifying
Application Signatures - Signing Android Applications. Mobile Security - iOS vs Android vs Windows

SYLLABUS

UNIT II

ANDROID’S SECURITY MODEL: Android’s Architecture, Android’s Security Model.

PERMISSIONS: Nature of Permissions, Permission Management, Permission Assignment,
Permission Enforcement, System Permissions, Custom Permissions, Content Provider Permissions

ANDROID MALWARE VULNERABILITY: Master Key Vulnerability - File Name Length
Vulnerability, Introduction to Obfuscation - DEX Code Obfuscation

SYLLABUS

UNIT III

ENTERPRISE LEVEL SECURITY FOR MOBILE DEVICES: Security enhancement for Android,
Device administration, Customizable secure boot, Knox security, Knox container, TIMA
(TrustZone-based Integrity Measurement Architecture), Wi-Fi EAP

REVERSE ENGINEERING APPLICATIONS: Introduction, Decompiling DEX Files to Java,
Interpreting the Dalvik Bytecode, Decompiling the application's native libraries, Debugging Android
processes, CFF Explorer, dex2jar, Hex Editor, JD-GUI

SYLLABUS

UNIT IV

DEVICE ADMINISTRATION POLICIES: Introduction - Using Cryptography Libraries - Screen
Security - Secure USB Debugging, Device Security: Controlling OS Boot-Up and Installation, Verified
Boot, Disk Encryption, Screen Security, Contemporary Issues: RECENT TRENDS.

References:

1. Erik Hellman, Android Programming: Pushing the Limits, Wiley Publishers, 2014. (ISBN: 978-1-118-71737-0)

2. Keith Makan, Scott Alexander-Bown, Android Security Cookbook, Packt Publishers, 2013. (ISBN: 978-1-78-216716-7)

SECURITY IN GENERAL

Apple's security is highly celebrated around the world, whereas Android has very little credibility in
terms of security.
• Google's security is known as Titan
• Apple's security is known for its systems on chip (SoCs)
• Samsung's security is known as Knox security

Knox Suite is a bundled offering of Knox solutions for enterprise mobility designed to address
organizations' needs related to security and management throughout the entire device lifecycle.

KNOX SECURITY

• Knox's features fall within three categories: data security, device manageability, and VPN capability

• Knox also provides web-based services for organizations to manage their devices.

• Organizations can customize their managed mobile devices by configuring various functions

• Includes pre-loaded applications, settings, boot-up animations, home screens, and lock screens

https://samsungcarecentre.com/samsung-knox-security/

KNOX SECURITY

Knox Vault

An isolated, tamper-proof, secure subsystem with its own processor and memory, Knox Vault stores
sensitive data such as hardware-backed Android Keystore keys, the Samsung Attestation Key,
biometric data, and blockchain credentials. It runs security-critical code that authenticates users with
increasing timeouts between failures and controls access to keys depending on authentication.

https://samsungcarecentre.com/samsung-knox-security/

KNOX SECURITY
Real-Time Kernel Protection (RKP)

Drastically limits possible attacks on Samsung devices with best-in-class kernel attack prevention features:

• Kernel Text Protection (KTP): Protects against any attempt to forge or manipulate kernel text (code and RO data).

• Page Table Protection (PTP): Protects against any attempt to forge or manipulate the kernel and user page tables.

• Kernel Data Protection (KDP): Protects against any attempt to forge or manipulate the kernel
namespace/credential/security ID/double map, including kernel code, kernel data, and kernel control flow protections.

• Control Flow Protection (CFP): Prevents Return-Oriented Programming (ROP) and Jump-Oriented Programming (JOP)
attacks that re-use existing kernel logic to piece together exploits from the kernel’s own code.

https://samsungcarecentre.com/samsung-knox-security/

KNOX SECURITY
https://samsungcarecentre.com/samsung-knox-security/

Knox Enterprise Firmware-Over-The-Air (E-FOTA) 

https://docs.samsungknox.com/admin/efota-common/welcome.htm

Knox Mobile Enrollment (KME)

https://www.codeproof.com/integrations/knox-mobile-enrollment/

WI-FI EAP
Virtual Private Networks (VPNs) are the preferred way to offer remote access to private enterprise services.

Extensible Authentication Protocol (EAP) is an authentication framework frequently used in wireless networks
and point-to-point (P2P) connections.

Authentication Keys and Certificates

The System Credential Store

Credential Storage Implementation

• Master Key
• Blob

TIMA: Trust Zone-based Integrity Measurement Architecture

Two components ensure secure booting: Samsung Trusted Boot and kernel integrity checking through the
TrustZone-based Integrity Measurement Architecture (TIMA).

Secure boot is a common Android mechanism that is used to keep Android devices from booting unapproved software.

Samsung smartphones go beyond the basic Android checks with a series of Samsung proprietary security features that
add integrity checking to Android, known as TIMA.


Two components of the TIMA real-time protections: real-time kernel protection (RKP) and periodic kernel
measurement (PKM).

TIMA combines active and passive protections and runs within the protected world of the TrustZone TEE.

https://www.samsungknox.com/en/blog/samsung-trusted-boot-and-trustzone-integrity-management-explained

Java Decompiler

The “Java Decompiler project” aims to develop tools to decompile and analyze Java 5 “byte code” and later
versions.
JD-GUI is a standalone graphical utility that displays the Java source code of “.class” files. You can browse the reconstructed
source code with JD-GUI for instant access to methods and fields.
JD-Eclipse is a plug-in for the Eclipse platform. It allows you to display all the Java sources during your debugging process,
even if you do not have them all.
JD-Core is a library that reconstructs Java source code from one or more “.class” files. JD-Core may be used to recover lost
source code and explore the source of Java runtime libraries. New features of Java 5, such as annotations, generics or the
“enum” type, are supported. JD-GUI and JD-Eclipse include the JD-Core library.
JD-Core, JD-GUI & JD-Eclipse are open source projects released under the GPLv3 License.

http://java-decompiler.github.io/
Java Decompiler

How do I decompile a DEX file?


First you need a tool to extract all the (compiled) classes in the DEX to a JAR. There's one called dex2jar,
which was made by a Chinese student. Then you can use jd-gui to decompile the classes in the JAR to source
code. The resulting source should be quite readable, as dex2jar applies some optimizations.

What is the use of DEX file in Android?


What is a Dex file? A Dex file contains code which is ultimately executed by the Android Runtime. Every APK
has a single classes.dex file, which references any classes or methods used within an app.

http://java-decompiler.github.io/
Java Decompiler

How do I decompile a DEX file on Android?

You can use these three tools to decompile an APK file:
• dex2jar - Tools to work with Android .dex and Java .class files.
• ApkTool - A tool for reverse engineering Android apk files.
• JD-GUI - Java Decompiler is a tool to decompile and analyze Java 5 “byte code” and later versions.

http://java-decompiler.github.io/
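Before handing classes.dex to dex2jar and JD-GUI, an analyst checks that the DEX header's magic, Adler-32 checksum and SHA-1 signature are consistent, since a mismatch means the file is corrupt or was modified after the build. The following is an added example, not code from the slides or from the Java Decompiler project; the APK and the header-only classes.dex inside it are constructed in memory.

```python
import hashlib
import io
import struct
import zipfile
import zlib

DEX_MAGIC = b"dex\n035\0"   # "dex\n" + version "035" + NUL; newer versions (037-039) differ
HEADER_SIZE = 0x70          # every DEX header is 112 bytes
ENDIAN_CONSTANT = 0x12345678


def build_minimal_dex() -> bytes:
    """Constructed sample: a header-only DEX (no classes) with a valid checksum and signature."""
    # The 20 uint32 fields after the signature: file_size, header_size, endian_tag,
    # link_size, link_off, map_off, then (size, off) pairs for string/type/proto/field/method
    # ids, class_defs and data; every section is empty in this sample.
    tail = struct.pack("<20I", HEADER_SIZE, HEADER_SIZE, ENDIAN_CONSTANT, *([0] * 17))
    signature = hashlib.sha1(tail).digest()     # SHA-1 of everything after the signature field
    checksum = zlib.adler32(signature + tail)   # Adler-32 of everything after the checksum field
    return DEX_MAGIC + struct.pack("<I", checksum) + signature + tail


def build_apk(dex: bytes) -> bytes:
    """Constructed sample APK: a zip holding only classes.dex (a real APK also carries the manifest, resources and signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
    return buf.getvalue()


def check_dex_header(dex: bytes) -> dict:
    """Parse the header and recompute its integrity fields; a mismatch means corruption or tampering."""
    if len(dex) < HEADER_SIZE or dex[:8] != DEX_MAGIC:
        raise ValueError("not a DEX version 035 file")
    stored_checksum = struct.unpack_from("<I", dex, 8)[0]
    stored_signature = dex[12:32]
    file_size, header_size, endian_tag = struct.unpack_from("<3I", dex, 32)
    class_defs_size = struct.unpack_from("<I", dex, 96)[0]   # class_defs_size sits at offset 0x60
    return {
        "checksum_ok": stored_checksum == zlib.adler32(dex[12:]),
        "signature_ok": stored_signature == hashlib.sha1(dex[32:]).digest(),
        "size_ok": file_size == len(dex) and header_size == HEADER_SIZE,
        "little_endian": endian_tag == ENDIAN_CONSTANT,
        "class_defs": class_defs_size,
    }


def check_apk(apk: bytes) -> dict:
    """Pull classes.dex out of the APK zip and check its header."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return check_dex_header(zf.read("classes.dex"))
```

A real APK will report a non-zero class_defs count; the checks apply unchanged to a classes.dex pulled from a device with adb.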
CFF Explorer

CFF Explorer was designed to make PE editing as easy as possible, but without losing sight of the portable executable’s
internal structure. This application includes a series of tools which might help not only reverse engineers but also
programmers. It offers a multi-file environment and a switchable interface.


CFF Explorer

CFF Explorer is the first PE editor with full support for the .NET file format. With this tool you can easily edit metadata
fields and flags. If you’re programming something that has to do with .NET metadata, you will need this tool. The resource
viewer supports .NET image formats like icons, bitmaps, pngs. You’ll be able to analyze .NET files without having to
install the .NET framework, as this tool has its own functions to access the .NET format.
CFF Explorer

Features:
• Powerful scripting language
• Dependency Walker
• Quick Disassembler (x86, x64, MSIL)
• Name Unmangler
• Extension support
• File Scanner
• Directory Scanner
• Deep Scan method
• Recursive Scan method
• Multiple results
• Report generation
• Signatures Manager
• Signatures Updater
• Signatures Collisions Checker
• Process Viewer
• Drivers Viewer
• Windows Viewer
• PE and Memory Dumper
• Full support for PE32/64
• Special fields description and modification (.NET supported)
• PE Utilities
• Hex Editor
• Import Adder
• PE integrity checks
• Visual Studio Extensions Wizard
• Signatures Retriever
Customizable secure boot

Secure Boot can be customized to meet the needs of different environments. Customization enables
administrators to realize the benefits of boot malware defenses, insider threat mitigations, and data-at-rest
protections. Administrators should opt to customize Secure Boot rather than disable it for compatibility
reasons.

Secure boot

Secure boot is a security standard developed by members of the PC industry to help make sure that a device
boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When the PC starts, the
firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as
Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the
firmware gives control to the operating system.
Screen Security

Stock Android provides several keyguard unlock methods (also called security modes in Android’s source
code). Of these, five can be directly selected in the Choose screen lock screen: Slide, Face Unlock, Pattern,
PIN, and Password.

[Figure: Directly selectable keyguard unlock methods]


Screen Security

Pattern Unlock

[Figure: Configuring the Pattern unlock method]


Screen Security

Face Unlock

Face Unlock is a relatively new unlock method introduced in Android 4.0. It uses the device’s front-facing
camera to register an image of the owner’s face and relies on image recognition technology to recognize
the face captured when unlocking the device.

[Figure: Face Unlock setup screen]


Screen Security

Brute-Force Attack Protection

Because complex passwords can be tricky to input on a touch screen keyboard, users typically use relatively
short unlock credentials, which can easily be guessed or brute-forced.

[Figure: Rate limiting after five consecutive failed authentication attempts]
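Rate limiting is what makes a short PIN survivable: after five consecutive failures the keyguard refuses further attempts for a cooldown, and the cooldown grows with each further block of failures, which is the "increasing timeouts between failures" that Knox Vault also applies (Knox Vault slide above). The guard below is an added example, not code from the slides or from Android; the five-failure threshold comes from the slide, while the 30-second base cooldown, the doubling schedule and the one-hour cap are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

FAILURES_PER_BLOCK = 5       # from the slide: rate limiting after five consecutive failures
BASE_COOLDOWN_SECONDS = 30   # assumed base cooldown
MAX_COOLDOWN_SECONDS = 3600  # assumed cap on the escalation


class UnlockGuard:
    """Keyguard-style credential check with failure counting and escalating cooldowns."""

    def __init__(self, credential: str):
        self.salt = os.urandom(16)
        self.digest = self._hash(credential)
        self.failures = 0
        self.locked_until = 0.0

    def _hash(self, credential: str) -> bytes:
        # Slow, salted hash so an extracted digest is still costly to brute-force offline.
        return hashlib.pbkdf2_hmac("sha256", credential.encode(), self.salt, 50_000)

    def cooldown_after(self, failures: int) -> float:
        """Cooldown imposed once `failures` consecutive failures have accumulated (0 below the threshold)."""
        blocks = failures // FAILURES_PER_BLOCK
        if blocks == 0:
            return 0.0
        return float(min(BASE_COOLDOWN_SECONDS * 2 ** (blocks - 1), MAX_COOLDOWN_SECONDS))

    def attempt(self, credential: str, now: float) -> str:
        """Returns 'unlocked', 'wrong' or 'locked'; `now` is injected so tests can control time."""
        if now < self.locked_until:
            return "locked"           # refused without even checking the credential
        if hmac.compare_digest(self._hash(credential), self.digest):
            self.failures = 0         # a successful unlock resets the counter
            return "unlocked"
        self.failures += 1
        if self.failures % FAILURES_PER_BLOCK == 0:
            # every fifth failure starts a cooldown; 30 s, then 60 s, 120 s, ... up to the cap
            self.locked_until = now + self.cooldown_after(self.failures)
        return "wrong"
```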


Screen Security

Quick notes

Full device backups can be encrypted with a key derived from a user-supplied password, making it harder to access
device data that has been extracted into a backup. To achieve a higher level of device security, all supported security
measures should be enabled and configured accordingly.


Secure USB Debugging (P-304)

Android has included a powerful device interaction toolkit that allows interactive debugging and inspecting device state,
called the Android Debug Bridge (ADB).

ADB keeps track of all devices (or emulators) connected to a host, and offers various services to its clients.
Secure USB Debugging (P-304)

A selective list of things ADB lets you do:

• Copy files to and from the device

• Debug apps running on the device (using JDWP or adbserver)

• Execute shell commands on the device

• Get the system and app logs

• Install and remove apps
