Android vulnerability study

50 %
50 %
Information about Android vulnerability study

Published on March 2, 2014

Author: SriHarsha1508



A keynote on Vulnerability study

Vulnerability Study of the Android Ryan Selley, Swapnil Shinde, Michael Tanner, Madhura Tipnis, Colin Vinson (Group 8)

Overview • • • • • Architecture of the Android Scope of Vulnerabilities for the Android Known Vulnerabilities for the Android General Vulnerabilities of Mobile Devices Organizations Supporting the Android

Architecture • It is a software stack which performs several OS functions. • The Linux kernel is the base of the software stack. • Core Java libraries are on the same level as other libraries. • The virtual machine called the Dalvik Virtual Machine is on this layer as well. • The application framework is the next level.

Parts of Applications • Activity An activity is needed to create a screen for a user application. • Intents Intents are used to transfer control from one activity to another. • Services It doesn't need a user interface. It continues running in the background with other processes run in the foreground.

• Content Provider This component allows the application to share information with other applications.

Security Architecture - Overview

Scope of Vulnerabilities Refinements to MAC Model • • • • Delegation Public and Private Components Provision - No Security Access to Public Elements Permission Granting Using User's Confirmation Solutions ??? Precautions by Developers Special Tools for Users

Known Vulnerabilities • Image Vulnerablities o GIF o PNG o BMP • Web Browser

GIF Image Vulnerability • Decode function uses logical screen width and height to allocate heap • Data is calculated using actual screen width and height • Can overflow the heap buffer allowing hacker can allow a hacker to control the phone

PNG Image Vulnerability • Uses an old libpng file • This file can allow hackers to cause a Denial of Service (crash)

BMP Image Vulnerability • Negative offset integer overflow • Offset field in the image header used to allocate a palette • With a negative value carefully chosen you can overwrite the address of a process redirecting flow

Web Browser Vulnerability • Vulnerability is in the multimedia subsystem made by PacketVideo • Due to insufficient boundary checking when playing back an MP3 file, it is possible to corrupt the process's heap and execute arbitrary code on the device • Can allow a hacker to see data saved on the phone by the web browser and to peek at ongoing traffic • Confined to the "sandbox"

General Mobile Phone Vulnerabilities • GSM o SMS o MMS • CDMA • Bluetooth • Wireless vulnerabilities

GSM Vulnerabilities • GSM o Largest Mobile network in the world o 3.8 billion phones on network • David Hulton and Steve Muller Developed method to quickly crack GSM encryption Can crack encryption in under 30 seconds Allows for undetectable evesdropping • Similar exploits available for CDMA phones o o o

SMS Vulnerabilities • SMS Short Messaging System Very commonly used protocol Used to send "Text Messages" GSM uses 2 signal bands, 1 for "control", the other for "data". SMS operates entirely on the "control" band. High volume text messaging can disable the "control" band, which also disables voice calls. Can render entire city 911 services unresponsive. o o o • • • •

MMS Vulnerabilities • MMS Unsecure data protocol for GSM Extends SMS, allows for WAP connectivity • Exploit of MMS can drain battery 22x faster o Multiple UDP requests are sent concurrently, draining the battery as it responds to request • Does not expose data • Does make phone useless o o

Bluetooth Vulnerabilities • Bluetooth Short range wireless communication protocol Used in many personal electronic devices Requires no authentication • An attack, if close enough, could take over Bluetooth device. • Attack would have access to all data on the Bluetooth enabled device • Practice known as bluesnarfing o o o

Organizations Supporting Android • • • • • Google Open Handset Alliance 3rd Parties (ex: Mocana) Users Hackers

Organizations Supporting Android

Open Handset Alliance

Open Handset Alliance Objective: To build a better mobile phone to enrich the lives of countless people across the globe.

3rd Party Partners Mocana -- NanoPhone • Secure Web Browser • VPN • FIPS Encryption • Virus & Malware Protection • Secure Firmware Updating • Robust Certificate Authentication

Hackers for Android • Hackers make Android stronger • White hats want to plug holes • Example o Browser Threat reported by Independent Security Evaluators o Jailbreak hole fixed by Google over-the-air

Conclusion • Android is New & Evolving • Openness of Android o Good in the long-run o Strong Community • Robust Architecture • Powerful Computing Platform

Add a comment

Related presentations

Related pages

Home - Android Vulnerabilities

Submit vulnerability; Scores out of ten. Nexus devices: ... Study confirms Android devices vulnerable due to lack of patches;
Read more

87% of Android devices insecure - Manufacturers fail to ...

Thursday 8th October 2015 87% of Android devices insecure Manufacturers fail to provide security updates. A new study by researchers at the University of ...
Read more

The Dangerous Vulnerabilities Hiding In The Heart Of Android

I’ve spoken before on Forbes about the inability of the Android ecosystem to cope with the vulnerabilities and malicious exploits that are ...
Read more

NCSU study says Android vulnerabilities are mostly from ...

NCSU study says Android vulnerabilities are mostly from ... a vulnerability was defined as ... said the study is a warning to Android users that ...
Read more

Android vulnerability study - Education -

1. Vulnerability Study of the AndroidRyan Selley, Swapnil Shinde, Michael Tanner, Madhura Tipnis, Colin Vinson (Group 8) 2. Overview ...
Read more

A study of vulnerabilities on Android systems -

A study of vulnerabilities on Android systems Author: Vicente Javier Mozos Pérez Directors: Dr. David de Andrés Martínez DISCA-UPV, Spain Dr. Jesús ...
Read more

Security Metrics for the Android Ecosystem (pdf)

Security Metrics for the Android Ecosystem Daniel R. Thomas Alastair R. Beresford Computer Laboratory University of Cambridge Cambridge, United Kingdom
Read more

Study: 90 percent of Google Android devices vulnerable ...

Nearly 90 percent of Google's Android devices have been exposed to critical vulnerabilities, according a new study. Unfortunately something has gone wrong ...
Read more

Cambridge University study finds 87 percent of Android ...

Android handset makers’ failure to deliver timely security updates leaves almost everyone open to attack. That’s among the conclusions of a study from ...
Read more