book

Android Security Internals

by Nikolay Elenkov

October 2014

Intermediate to advanced

432 pages

13h 48m

English

No Starch Press

Read now

Unlock full access

About the AuthorAbout the Technical Reviewer
Who This Book Is ForPrerequisitesAndroid VersionsHow Is This Book Organized?Conventions
Android’s ArchitectureLinux KernelNative UserspaceDalvik VMJava Runtime LibrariesSystem ServicesInter-Process CommunicationBinderBinder ImplementationBinder SecurityBinder IdentityCapability-Based SecurityBinder TokensAccessing Binder ObjectsOther Binder FeaturesAndroid Framework LibrariesApplicationsSystem AppsUser-Installed AppsAndroid App ComponentsAndroid’s Security ModelApplication SandboxingPermissionsIPCCode Signing and Platform KeysMulti-User SupportSELinuxSystem UpdatesVerified BootSummary
The Nature of PermissionsRequesting PermissionsPermission ManagementPermission Protection LevelsnormaldangeroussignaturesignatureOrSystemPermission AssignmentPermissions and Process AttributesProcess Attribute AssignmentPermission EnforcementKernel-Level EnforcementNative Daemon-Level EnforcementFramework-Level EnforcementDynamic EnforcementStatic EnforcementActivity and Service Permission EnforcementContent Provider Permission EnforcementBroadcast Permission EnforcementProtected and Sticky BroadcastsSystem PermissionsSignature PermissionsDevelopment PermissionsShared User IDCustom PermissionsPublic and Private ComponentsActivity and Service PermissionsBroadcast PermissionsContent Provider PermissionsStatic Provider PermissionsDynamic Provider PermissionsPending IntentsSummary
Android Application Package FormatCode signingJava Code SigningImplementationJAR File SigningJAR File VerificationViewing or Extracting Signer InformationAndroid Code SigningAndroid Code Signing ToolsOTA File Code SigningAPK Install ProcessLocation of Application Packages and DataActive ComponentsPackageInstaller System Applicationpm commandPackageManagerServiceInstaller classinstalld DaemonMountServicevold daemonMediaContainerServiceAppDirObserverInstalling a Local PackageParsing and Verifying the PackageAccepting Permissions and Starting the Install ProcessCopying to the Application DirectoryThe Package ScanCreating Data DirectoriesGenerating Optimized DEXFile and Directory StructureAdding the New Package to packages.xmlPackage AttributesUpdating Components and PermissionsUpdating a PackageSignature VerificationUpdating Non-System AppsUpdating System AppsInstalling Encrypted APKsCreating and Installing an Encrypted APKImplementation and Encryption ParametersInstalling an Encrypted APK with Integrity CheckForward LockingAndroid 4.1 Forward Locking ImplementationEncrypted App ContainersInstalling Forward-Locked APKsEncrypted Apps and Google PlayPackage VerificationAndroid Support for Package VerificationGoogle Play ImplementationSummary
Multi-User Support OverviewTypes of UsersThe Primary User (Owner)Secondary UsersRestricted ProfilesUser RestrictionsApplying RestrictionsAccess to Online AccountsGuest UserUser ManagementCommand-Line ToolsUser States and Related BroadcastsUser MetadataThe User List FileUser Metadata FilesUser System DirectoryPer-User Application ManagementApplication Data DirectoriesApplication SharingExternal StorageExternal Storage ImplementationsMulti-User External StorageAdvanced Linux Mount FeaturesAndroid ImplementationExternal Storage PermissionsOther Multi-User FeaturesSummary
JCA Provider ArchitectureCryptographic Service ProvidersProvider ImplementationStatic Provider RegistrationDynamic Provider RegistrationJCA Engine ClassesObtaining an Engine Class InstanceAlgorithm NamesSecureRandomMessageDigestSignatureCipherBlock Cipher Modes of OperationObtaining a Cipher InstanceUsing a CipherMacKeySecretKey and PBEKeyPublicKey, PrivateKey, and KeyPairKeySpecKeyFactorySecretKeyFactoryKeyPairGeneratorKeyGeneratorKeyAgreementKeyStoreKeyStore TypesPKCS#12 File-Backed KeyStoresCertificateFactory and CertPathCertPathValidator and CertPathBuilderAndroid JCA ProvidersHarmony’s Crypto ProviderAndroid’s Bouncy Castle ProviderAndroidOpenSSL ProviderOpenSSLUsing a Custom ProviderSpongy CastleSummary

PKI and SSL OverviewPublic Key CertificatesDirect Trust and Private CAsPublic Key InfrastructureCertificate RevocationJSSE IntroductionSecure SocketsPeer AuthenticationHostname VerificationAndroid JSSE ImplementationCertificate Management and ValidationSystem Trust StoresAndroid 4.x System Trust StoreUsing the System Trust StoreSystem Trust Store APIsCertificate BlacklistingHandling CA Key CompromisesHandling End Entity Key CompromisesAndroid Certificate BlacklistingReexamining the PKI Trust ModelTrust Problems in Today’s PKIRadical SolutionsConvergence and Trust AgilityCertificate PinningCertificate Pinning in AndroidSummary
VPN and Wi-Fi EAP CredentialsAuthentication Keys and CertificatesThe System Credential StoreCredential Storage ImplementationThe keystore ServiceKey Blob Versions and TypesAccess Restrictionskeymaster Module and keystore Service ImplementationNexus 4 Hardware-Backed ImplementationFramework IntegrationPublic APIsThe KeyChain APIThe KeyChain ClassInstalling a PKCS#12 FileUsing a Private KeyInstalling a CA CertificateDeleting Keys and User CertificatesGetting Information about Supported AlgorithmsKeyChain API ImplementationControlling Access to the KeystoreKeyChainBroadcastReceiverCredential and Trust Store SummaryAndroid Keystore ProviderSummary
Android Account Management OverviewAccount Management ImplementationAccountManagerService and AccountManagerAuthenticator ModulesThe Authenticator Module CacheAccountManagerService Operations and PermissionsListing and Authenticating AccountsManaging AccountsUsing Account CredentialsRequesting Authentication Token AccessThe Accounts DatabaseTable SchemaTable AccessPassword SecurityMulti-User SupportPer-User Account DatabasesShared AccountsAdding an Authenticator ModuleGoogle Accounts SupportThe Google Login ServiceGoogle Services Authentication and AuthorizationClientLoginOAuth 2.0Google Play ServicesSummary
Device AdministrationImplementationPrivilege ManagementPolicy PersistencePolicy EnforcementAdding a Device AdministratorImplementing a Device AdministratorSetting the Device OwnerManaged DevicesEnterprise Account IntegrationMicrosoft Exchange ActiveSyncGoogle AppsVPN SupportPPTPL2TP/IPSecIPSec XauthSSL-Based VPNsLegacy VPNImplementationProfile and Credential StorageAccessing CredentialsAlways-On VPNApplication-Based VPNsDeclaring a VPNPreparing the VPNEstablishing a VPN ConnectionNotifying the User About the VPN ConnectionMulti-User SupportLinux Advanced RoutingMulti-User VPN ImplementationWi-Fi EAPEAP Authentication MethodsAndroid Wi-Fi ArchitectureEAP Credentials ManagementAdding an EAP Network with WifiManagerSummary
Controlling OS Boot-Up and InstallationBootloaderRecoveryVerified Bootdm-verity OverviewAndroid ImplementationEnabling Verified BootDisk EncryptionCipher ModeKey DerivationDisk Encryption PasswordChanging the Disk Encryption PasswordEnabling EncryptionControlling Device Encryption Using System PropertiesUnmounting /dataTriggering the Encryption ProcessUpdating the Crypto Footer and Encrypting DataBooting an Encrypted DeviceObtaining the Disk Encryption PasswordDecrypting and Mounting /dataStarting All System ServicesScreen SecurityLockscreen ImplementationKeyguard Unlock MethodsFace UnlockPattern UnlockPIN and Password UnlockPIN and PUK UnlockBrute-Force Attack ProtectionSecure USB DebuggingADB OverviewThe Need for Secure ADBSecuring ADBSecure ADB ImplementationADB Authentication KeysVerifying the Host Key FingerprintAndroid BackupAndroid Backup OverviewCloud BackupLocal BackupBackup File FormatBackup EncryptionControlling Backup ScopeSummary
NFC OverviewAndroid NFC SupportReader/Writer ModeRegistering for Tag DispatchTag TechnologiesReading a TagUsing Reader ModePeer-to-Peer ModeCard Emulation ModeSecure ElementsSE Form Factors in Mobile DevicesUICCmicroSD-Based SEEmbedded SEAccessing the Embedded SEGranting Access to the eSEUsing the NfcExecutionEnvironment APIeSE-Related BroadcastsAndroid SE Execution EnvironmentSE Communication ProtocolsQuerying the eSE Execution EnvironmentUICC as a Secure ElementSIM Cards and UICCsUICC ApplicationsUICC Application Implementation and InstallationAccessing the UICCUsing the OpenMobile APISoftware Card EmulationAndroid 4.4 HCE ArchitectureAPDU RoutingSpecifying Routing for HCE ServicesSpecifying Routing for SE AppletsWriting an HCE ServiceSecurity of HCE ApplicationsSummary
SELinux IntroductionSELinux ArchitectureMandatory Access ControlSELinux ModesSecurity ContextsSecurity Context Assignment and PersistenceSecurity PolicyPolicy StatementsType and Attribute StatementsUser and Role StatementsObject Class and Permission StatementsType Transition RulesDomain Transition RulesAccess Vector Rulesallow Rulesauditallow Rulesdontaudit Rulesneverallow RulesAndroid ImplementationKernel ChangesUserspace ChangesLibraries and ToolsSystem InitializationLabeling FilesLabeling System PropertiesLabeling Application ProcessesMiddleware MACDevice Policy FilesPolicy Event LoggingAndroid 4.4 SELinux PolicyPolicy OverviewEnforcing DomainsUnconfined DomainsApp DomainsSummary
BootloaderUnlocking the BootloaderFastboot ModeAndroid Partition LayoutThe Fastboot ProtocolFastboot CommandsRecoveryStock RecoveryControlling the RecoverySideloading an OTA PackageOTA Signature VerificationStarting the System Update ProcessApplying the UpdateCopying and Patching FilesSetting File Ownership, Permissions, and Security LabelsFinishing the UpdateUpdating the RecoveryCustom RecoveriesRoot AccessRoot Access on Engineering BuildsStarting ADB as RootUsing the su CommandRoot Access on Production BuildsRooting by Changing the boot or system ImageRooting by Flashing an OTA PackageSuperSUHow SuperSU Is InitializedRoot Access on Custom ROMsRooting via ExploitsSummary

Content preview from Android Security Internals

Chapter 12. Selinux

While previous chapters mentioned Security-Enhanced Linux (SELinux) and its Android integration, our discussion of Android’s security model up until now has focused on Android’s “traditional” sandbox implementation, which relies heavily on Linux’s default discretionary access control (DAC). The Linux DAC is lightweight and well understood, but it has certain disadvantages, most notably the coarse granularity of DAC permissions, the potential for misconfigured programs to leak data, and the inability to apply fine-grained privilege constraints to processes that run as the root user. (While POSIX capabilities, which are implemented as an extension to the traditional DAC in Linux, offer a way to grant only certain privileges to ...