This paper set out to educate the public about the existing security paradigms in Android applications and the reasons for their implementation. It opens with a rather extended example of a “friend finding” application, followed by a short summary of Android components. An Activity defines the user interface, and only one is allowed screen and processing resources at one time. A Service defines a component that performs background processing after an activity has ended. Content Providers are databases that may be accessed via SQL queries. The final type is Broadcast Receivers, which handle the communication between applications.
For the most part, inter-component communication (ICC) is governed by checking security permission labels that are located in a security manifest document. Here users may explicitly state whether each component is private, public, or requiring a specific permission. All defined permission policies are set at install time and cannot be changed without a reinstall. Most components, including broadcasts, have only one permission label to be defined by the developer. Content Providers have two, to allow separate control of read and write permissions. There is also a tertiary feature called service hooks, which allow developers to define additional security measures within their code. This is particularly useful in the case of a Service, which is only allowed one permission label to govern starting, stopping, and rebinding the component.
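The labelling scheme described above can be read straight out of a manifest. The following is an added example, not code from the paper or from this post: it audits a constructed manifest and classifies each component as private, public, or permission-protected, reporting both labels for a Content Provider. The package and component names are hypothetical, and treating `android:exported="false"` as "private" is this example's assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (not from the paper); every name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.friendfinder">
  <permission android:name="com.example.friendfinder.READ_FRIENDS"
              android:protectionLevel="dangerous"/>
  <permission android:name="com.example.friendfinder.WRITE_FRIENDS"
              android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MapActivity" android:exported="true"/>
    <service android:name=".TrackerService" android:exported="true"
             android:permission="com.example.friendfinder.READ_FRIENDS"/>
    <receiver android:name=".BootReceiver" android:exported="false"/>
    <provider android:name=".FriendProvider" android:exported="true"
              android:authorities="com.example.friendfinder"
              android:readPermission="com.example.friendfinder.READ_FRIENDS"
              android:writePermission="com.example.friendfinder.WRITE_FRIENDS"/>
  </application>
</manifest>"""

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def audit_manifest(xml_text):
    """Map each component name to (kind, access, {label attribute: (permission, level)})."""
    root = ET.fromstring(xml_text)
    # Protection level of every permission this package defines (default: normal).
    levels = {_attr(p, "name"): _attr(p, "protectionLevel") or "normal"
              for p in root.iter("permission")}
    report = {}
    for kind in ("activity", "service", "receiver", "provider"):
        # Providers carry separate read/write labels; other components carry one.
        keys = ["permission"] + (["readPermission", "writePermission"] if kind == "provider" else [])
        for comp in root.iter(kind):
            labels = {k: _attr(comp, k) for k in keys if _attr(comp, k)}
            exported = _attr(comp, "exported")
            if exported == "false":
                access = "private"
            elif labels:
                access = "permission"
            else:
                access = "public" if exported == "true" else "unspecified"
            report[_attr(comp, "name")] = (
                kind, access, {k: (v, levels.get(v, "undeclared")) for k, v in labels.items()})
    return report
```

A label reported as "undeclared" is defined by another package or by the platform, so its protection level has to be looked up there.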
These permissions are themselves protected by application levels attributed to them, namely “system”, “normal”, “dangerous”, and “signature”. System level permissions are required to modify the telephony API. Normal permissions are public and distributed to any application that requests them. Dangerous permissions are granted to a user only after they successfully identify themselves. Signature permissions are only granted when an application is “signed by the same developer key as the package defining the permission.”

Enck, W.; Ongtang, M.; McDaniel, P., "Understanding Android Security," Security & Privacy, IEEE, vol. 7, no. 1, pp. 50-57, Jan.-Feb. 2009
doi: 10.1109/MSP.2009.26
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4768655&isnumber=4768640