a review on androids application security

7/23/2019 A Review on Androids Application Security

1/6

A REVIEW ON ANDROIDS APPLICATION SECURITY

Siti Nur Hakima Binti Mohamed

Faculty Of Computer and Mathematical Sciences

Universiti Teknologi M!Shah lam" Malaysia

hakima#mohamed$%&yahoo'com

(an )a Bin (an Hussin

Faculty Of Computer and Mathematical Sciences

Universiti Teknologi M!Shah lam" Malaysia

*anya&salam'uitm'edu'my

Abstract Security need to be concerned a to enure t!at t!e

yte" can #unction $e%% a t!at uer need& Wit! t!e

increain' o# t!e (aryin' o)eratin' yte" in "art)!one* it

)ro(ide eaier $ay #or uer ue "any #unction %i+e 'a"in'*

$ritin' or readin' and o on and a%o "a+e connection $it!

ot!er de(ice& Android i one o# t!e "ot )o)u%ar o)eratin'

yte"& Android !a dei'ned t!e ecurity "ode% #or

"ec!ani" in order to )rotect t!e uer data or reource&

Per"iion,baed "ode% i one o# t!e ecurity "ode% t!at

Android de(e%o)& Android and iOS !a(e a"e 'oa% in order to)rotect t!e ecurity in a "art)!one* but iOS )ro(ide

di##erent "ec!ani"& In t!i )a)er* $e "a+e a re(ie$ o#

Android ecurity $!ere $e de#ine t!e $ea+nee on Android

and a%o inc%ude t!e co")arion o# Android and iOS a a"e

UNI- .erne% baed on ecurity a)ect&

Keywords- Android, operating system; Permission-based

model, security, iOS, UNIX Kernel

+' +NT!O,UCT+ON

Security -ecomes a very important area in order toprotect data and information from any kind of threat"

*hether from human and technical errors" disasters or

accidents" fraud and so on' s for many -usinessesdepending on their information system for -usiness

process" soft*are application and information system

-ecome an important part in every field of life' The

organi.ation uses to store important data electronically

/%0' pplications and system need to -e secure to esta-lishtrust from the users and organi.ations /%0' Therefore" the

security is an important concept in the design and analysis

for secured system'

Such like smartphones" there is a variety of soft*areoperating system running on such as ndroid" iOS"

(indo* phone and so on' +n order to make secure system

for smartphones" the organi.ation -uilds the operating

system that provides security mechanism' The smartphoneis not 1ust a common mo-ile phone that has a -asic

feature phone' This is a mo-ile phone has an a-ility to

provide -etter and advance of computing a-ility and

connectivity' ndroid is one of the most popular mo-ileoperating system on the market since the -eginning of the

first ndroid in Octo-er 2334 /20'

ccording to a 5artner study" android -ecome the

second6most popular operating system in the *orld and it*ill challenge the num-er one -ecause of the gro*ing at a

fast rate /70' The ndroid Market has e8perienced high

development since the improvement of the application haspermitted user to upload applications to the market'

9eople like to use android device is -ecause ndroid is an

open source operating system' The open source means

that people can -uild or get the source code and creatingfor applications' Ho*ever" ndroid has high market share

and it also the open source architecture *hich makes it -e

the most vulnera-le mo-ile operating system to securityattack /:0' ndroid;s increasing popularity is one of thefactors that turn it into the one of most targets for many

malicious num-ers of applications /


2/6

s *e understand" any soft*are or system -uilds *ill

need to have security aspect' Security can -e taken as the

important part of the system in the organi.ation in order to

protect the data and information' +t is *here users or peoplehave trust*orthy to the system' Confidentiality" integrity

and availa-ility are the main attri-utes in security /40' These

attri-utes can -e enforced in any variety places *ithin an

enterprise /40'

Confidentiality is a-out preventing or protect

from unauthori.ed disclosure of data /40'

Integrity is close to confidentiality *here the

integrity is a-out to protect or prevent from

unauthori.ed modification of data /40'

Availability is a-out protecting from loss of

access to data and resources /40'

Ho*ever" the design of the system should not -e too high

or hard for users to use' The more comple8 the securitymechanism -ecomes" the less guarantee levels of the

security mechanism /40' The system like military system istrue to have high security in order to protect from others

attack' Therefore" the military system needs to -e morecomple8 or more secure to make common users hard to use'

The more comple8 of the system -ecomes" the more users

una-le to conduct the system -ecause of the hardness in

understanding the process or flo* of the system' Forsmartphone" there should not -e a comple8 security -ecause

many different levels of users used the smartphone' There

are -e a certain different level of comple8ity of the soft*are

depend on ho* confidential the system is' +t is needed to -emore useful and easier'

B. Smartphone securitySmartphone contain components of the computing

platform *hich are an operating system" applications and

hard*are /$0' s *hat *e kno*" the smartphone has thea-ility to connect to various su-1ect" 9C" internet and also to

other mo-ile phones using *ireless net*ork /%30' This all

features give users more desire to use it' Ho*ever" this

feature looks like to invite the malicious attacker or soft*areto make the threat of smartphones in various paths' There

are some applications that need to use the internet to

connect *ith *e- or other devices and also to various*ireless net*orks'

The studies have defined that smartphone contains assets

that considered to -e the target for the vulnera-ilities andattack /%30' The assets consist of three *hich are

9rivate information *hich is information that

have in smartphones included all data that store

or transmitted out to smartphones'

device *hich is the smartphones itself /%30' +t

is -ecause the smartphone can create a

connection that cause the threat' +nstance" if the

phone lost" then malicious user can cause

overcharging /%30'

The applications *hich can -e defined in t*o

types of application' There are applications that

are freely distri-uted -y user or online

application store and the other one is

commercially used *ith digital rights /%30'

The attacks make users -ecome afraid to make any

transaction or connection using the smartphone' Therefore"

security companies have provided some security solution'll the security applications can -e found and get on an

online market' Besides making money" the companies help

users in protecting the resources in Smartphones'

9roviding the security application is not enough to makesure that the smartphone is secure' The security applications

provided only to prevent attack or threat from outside such

as mal*are' To make the smartphone more secure" there is

certain security mechanism that needs to -e adopted such asplatform modification" regular update and so on /%30'

+++' +SSU@S ON N,!O+, BS@, SM!T9HON@

+n any system or soft*are" there *ill -e certain

*eaknesses that *ill lead to the lo* of performance' +n

order to descri-e more a-out the issues in ndroid" thefocus *ill -e on revie* of the ndroids architecture' The

ndroid security mechanism defines to understand the

features of the security that has -uilt on ndroid' ndroid is

a ?inu86-ased open source soft*are stack for mo-iledevices' +t consists of an operating system" middle*are and

key applications that have 9+ li-raries /%0" /%20" /%70'

A. Android architecture

The architecture in ndroid is a hierarchical architecture/%:0' The ndroid operating system;s goals are to secure the

user data and system resources and also give an application

isolation /=0' Therefore" ndroid provides security features

to achieve these goals'n open development platform is provided -y ndroid

and it offers the developers; a-ility to develop incredi-ly

rich and imaginative applications' ,evelopers are free to

take advantage to -e the superiority of access locationinformation" device hard*are" run -ackground service and

add inform to status -ar /% an applicationlevel permission model Dndroid

9ermissionE and a kernel6level sand-o8ing and isolationmechanism' ll applications are run in a sand-o8 and


3/6

permissions are declared in order to access the resources in

smartphones and it is a'

1) Sandboing mechanism

@very application runs on its o*n process *ith its o*n

user and group +, create it a sand-o8' Therefore" the

application cannot interact *ith each other -ecause they donot share the resources' The application has access to

limited system resources as it runs on application sand-o8'

t the time of application installation" the +, or U+, *as

assigned /%=0' This is to make sure that there *ill no moreapplications can run in the same process ' The share!serId

is used *hen the applications need to share the same

process' The application needs to reuest a specific U+,'

Ho*ever" the applications also need to -e signed *ith thesame signature if reuest to share the same U+,' This design

is to ensure that the private information of the application

*ill not -e accessed -y other applications'

") Application permission

mechanism

9ermissions used in ndroid to protect from malicious

application' 9ermission model reuires an application to

reuest the permission that needs to access the resourcesand perform its activities -efore installing' n application is

needed to declare it necessary capa-ilities and get

confirmation from users upon installation /%A0' Users *ill

notified during installations *hat the permissions thatapplication reuest for and receive' +f users install the

application" then they need to grant the permission'

Other*ise" they can stop the installation if they deny

accepting the permission of the application'The permission -ased model gives a controlled access to

many system resources and restrict access to others /-ing0'ccording to hmed Ben yed" there are three protection

levels that categori.ed -ased on %


4/6

,iscretionary access control D,CE to restrict the use of

system facilities -y applications /%70' +t is also used to

isolate applications from one another /%70'

Figure 2' n e8ample of ho* pplication communicates /270

Figure 7' n e8ample of ndroidManifest'8ml /2:0

No*" ndroid makes an enhancement *ith replaces the

access control -y developing the S@?inu8 as a Mandatoryccess ControlDMCE mechanism for ?inu8' +t is as

improvement to overcome the shortcomings of ,C /%70'

MC provides privileges that are limited for

su-1ectsDprocessesE and o-1ectsDdevice" file" etcE /%20' MCallo*s the applications privileges to -e controlled during

installation and runtime /%20' S@?inu8 is fit for limiting the

privileged ndroid system daemons to shield them from

a-use and to limit the harm that should -e possi-le throughthem'

C. Androids vulnerabilities

' ccording to 5oogle report /2


5/6

Using the third party techniue" the traditional drive6

do*nload gives another space for vulnera-ilities' The attack

actually attracts the users to do*nload Jfeature6richK or

JinterestingK app that *ill lead users to the attack ofmalicious /2A0' s an e8ample" users click to the

advertisement link" then *ill -e directed through to the

malicious *e-site' This *e-site asking for accessing the

location permission of the user;s phone and then *ill directthrough to fake ndroid Market to do*nload the

applications'

There are some of the vulnera-ilities arise from the

concept of sharing the U+, that discussed -efore' !ecentstudies stated that the permission systems suffer the pro-lem

of the *here developers reuesting more un*anted

permissions than *hat needed /730' 9ermission re6

delegation happened *hen an application that haspermissions is performing a privilege task on -ehalf of an

application *ithout that permission /730' This is *hen there

t*o different applications that are sharing the same user +,'

The sharing user +, causes each of the applications can

easily to access to the -oth resources' This threat is mainlyimportant for *e- -ro*sers' Figure : sho*n the permission

delegation process'

Figure :' 9ermission delegation flo*/7%0

+L' CONC?US+ON

Based on *hat have -een discussed a-out the ndroidsecurity model" the need for security is proven' Security

-ecomes the main attri-ute in order to make system -ecomestronger' Security models are needed in order to make thesystem have more protection and make user satisfied andhave trust in the system'

ndroid has designed the security model in order toprevent from other malicious attacks' One of securitymechanisms that ndroid designed is permission6-ased

model' lthough permission help gives *arning to usersa-out the malicious application" it is not enough to preventfrom the malicious threat' +t depends on user" *hether or notto allo* the application to install' Ho*ever" users do nothave authority to modify the application permission'

5oogle;s ndroid and pple;s iOS are some of the mostordinary and popular Mo-ile operating system' These t*ooperating system gets high popularity' Thus" *e are going todiscuss a-out these t*o operating systems and make acomparison -ased on security aspects' ' lthough ndroidand iOS are on the same UN+ Iernel" there are differences

in security permission that apply on this t*o operatingsystem'

There are some applications that freely to -edo*nloaded' Ho*ever" in iOS the applications cannotcommunicate directly *ith other applications' pple has

-een defined the application sand-o8ing for the iOS' Theapplication sand-o8ing has defined as a set of fine6grained

controls' Fine6grained control means that the application islimited to only access to the file system" net*ork hard*are/720' developer cannot reuest more than *hat have -eenset in order to ensure that there *ill no unauthori.ed accessfrom unauthori.ed users'

+n iOS" permission reuests and sends to user anotification on a pop6up *indo* /770' +OS do not havee8plicit permission interface' Ho*ever" the applicationreuests not possess standardi.ed permission lists' +OS donot use Jll or nothingK permission to display the

permissions like ndroid" -ut iOS use Gtake it or leave it;permission /770' Users are given a decision to allo* certain-asic permissions and users can manage the permission onsetting section'

+OS look more secured *hen users allo* accessing the

system file in the root and also the setting phone not in eachapplication /720' The -est thing is" pple *ill make a revie*first on the application -efore the application is availa-le onpplication store' (ithout the approval or signed from

private encryption key" users cannot install and run theapplication /7:0'

Based on the comparison" *e can see that iOS morerestrict in security' +OS only gives users to install theapplications only from their market' There are no third6

parties involved in order to protect from the threat' Ho*ever"this *ill create a limitation on installing the application'ndroid gives a chance for users to get more application ontheir market and also from the third6parties' This freedom*ay" ho*ever" gives an opportunity for threat' Therefore"there are pro and cons in these t*o platforms'

ndroid and iOS have different *ay in controlling thepermissions' +n iOS" the application needs to pass pple;scheck -efore can -e stored in their market' pple *ill makethe vetting process in order to scan for the applications thatdetect to have threat' ,evelopers do not get the signature likethe ndroid" -ut pple itself *ill digitally sign the code foreach application' (ith this restriction" it looks like the iOsmore -etter and secure' Ho*ever" this gives effect to theapplications' !esearch studies define that a-out $3 ofsu-mission of applications to pple pp Store are -eingdenied or re1ected -ecause the applications do not fulfill thereuirements of *hat needed to do /7


6/6

The security mechanism that provide -y ndroid isgood" -ut there are certain limitations or *eaknesses *hich

-lock the users to do *hat they need in order to protect theirresources' Based on revie* in this paper" *e think that the

permission model has certain design fla* that need to -eemphasi.ed' ndroid needs to concern more on the

permission model to help users and developers get to access

the system -ased on their roles and prevent the unauthori.edaccess'

!@F@!@NC@S

/%0 afar" Saad and Meh-oo-" Mis-ah and Naveed" sma and Malik" BP

ushra D23%7E Security uality model> an e8tension of ,romey;s

model' Soft*are Quality Rournal' pp' %62 !isks and @8ploitation

/:0 Tse" ,'" ?iu" '" Nusaputra" C'" Hu" B'" (ang" )'" ing" M' ('

D23%:E' ST!T@5+@S +N +M9!OL+N5 N,!O+, S@CU!+T)'

/ Bringing Fle8i-le MC to ndroid' +n N,SS DLol' 7%3" pp'23674E'

/%:0 hou" '" ?ee" )'" hang" N'" Naveed" M'" (ang" ' D23%:" MayE'

The peril of fragmentation> Security ha.ards in android device driver

customi.ations' +n Security and 9rivacy DS9E" 23%: +@@@ Symposium

on Dpp' :3$6:27E' +@@@'/%

a review on androids application security

Documents