book

Android Security Internals

Name: Android Security Internals
Author: Nikolay Elenkov
ISBN: 9781593275815

by Nikolay Elenkov

October 2014

Intermediate to advanced

432 pages

13h 48m

English

No Starch Press

Read now

Unlock full access

Android Security Internals: An In-Depth Guide to Android’s Security Architecture
About the AuthorAbout the Technical Reviewer
Foreword
Acknowledgments
Introduction
Who This Book Is ForPrerequisitesAndroid VersionsHow Is This Book Organized?Conventions
1. Android’s Security Model
Android’s ArchitectureLinux KernelNative UserspaceDalvik VMJava Runtime LibrariesSystem ServicesInter-Process CommunicationBinderBinder ImplementationBinder SecurityBinder IdentityCapability-Based SecurityBinder TokensAccessing Binder ObjectsOther Binder FeaturesAndroid Framework LibrariesApplicationsSystem AppsUser-Installed AppsAndroid App ComponentsAndroid’s Security ModelApplication SandboxingPermissionsIPCCode Signing and Platform KeysMulti-User SupportSELinuxSystem UpdatesVerified BootSummary
2. Permissions
The Nature of PermissionsRequesting PermissionsPermission ManagementPermission Protection LevelsnormaldangeroussignaturesignatureOrSystemPermission AssignmentPermissions and Process AttributesProcess Attribute AssignmentPermission EnforcementKernel-Level EnforcementNative Daemon-Level EnforcementFramework-Level EnforcementDynamic EnforcementStatic EnforcementActivity and Service Permission EnforcementContent Provider Permission EnforcementBroadcast Permission EnforcementProtected and Sticky BroadcastsSystem PermissionsSignature PermissionsDevelopment PermissionsShared User IDCustom PermissionsPublic and Private ComponentsActivity and Service PermissionsBroadcast PermissionsContent Provider PermissionsStatic Provider PermissionsDynamic Provider PermissionsPending IntentsSummary
3. Package Management
Android Application Package FormatCode signingJava Code SigningImplementationJAR File SigningJAR File VerificationViewing or Extracting Signer InformationAndroid Code SigningAndroid Code Signing ToolsOTA File Code SigningAPK Install ProcessLocation of Application Packages and DataActive ComponentsPackageInstaller System Applicationpm commandPackageManagerServiceInstaller classinstalld DaemonMountServicevold daemonMediaContainerServiceAppDirObserverInstalling a Local PackageParsing and Verifying the PackageAccepting Permissions and Starting the Install ProcessCopying to the Application DirectoryThe Package ScanCreating Data DirectoriesGenerating Optimized DEXFile and Directory StructureAdding the New Package to packages.xmlPackage AttributesUpdating Components and PermissionsUpdating a PackageSignature VerificationUpdating Non-System AppsUpdating System AppsInstalling Encrypted APKsCreating and Installing an Encrypted APKImplementation and Encryption ParametersInstalling an Encrypted APK with Integrity CheckForward LockingAndroid 4.1 Forward Locking ImplementationEncrypted App ContainersInstalling Forward-Locked APKsEncrypted Apps and Google PlayPackage VerificationAndroid Support for Package VerificationGoogle Play ImplementationSummary
4. User Management
Multi-User Support OverviewTypes of UsersThe Primary User (Owner)Secondary UsersRestricted ProfilesUser RestrictionsApplying RestrictionsAccess to Online AccountsGuest UserUser ManagementCommand-Line ToolsUser States and Related BroadcastsUser MetadataThe User List FileUser Metadata FilesUser System DirectoryPer-User Application ManagementApplication Data DirectoriesApplication SharingExternal StorageExternal Storage ImplementationsMulti-User External StorageAdvanced Linux Mount FeaturesAndroid ImplementationExternal Storage PermissionsOther Multi-User FeaturesSummary
5. Cryptographic Providers
JCA Provider ArchitectureCryptographic Service ProvidersProvider ImplementationStatic Provider RegistrationDynamic Provider RegistrationJCA Engine ClassesObtaining an Engine Class InstanceAlgorithm NamesSecureRandomMessageDigestSignatureCipherBlock Cipher Modes of OperationObtaining a Cipher InstanceUsing a CipherMacKeySecretKey and PBEKeyPublicKey, PrivateKey, and KeyPairKeySpecKeyFactorySecretKeyFactoryKeyPairGeneratorKeyGeneratorKeyAgreementKeyStoreKeyStore TypesPKCS#12 File-Backed KeyStoresCertificateFactory and CertPathCertPathValidator and CertPathBuilderAndroid JCA ProvidersHarmony’s Crypto ProviderAndroid’s Bouncy Castle ProviderAndroidOpenSSL ProviderOpenSSLUsing a Custom ProviderSpongy CastleSummary

6. Network Security and PKI
PKI and SSL OverviewPublic Key CertificatesDirect Trust and Private CAsPublic Key InfrastructureCertificate RevocationJSSE IntroductionSecure SocketsPeer AuthenticationHostname VerificationAndroid JSSE ImplementationCertificate Management and ValidationSystem Trust StoresAndroid 4.x System Trust StoreUsing the System Trust StoreSystem Trust Store APIsCertificate BlacklistingHandling CA Key CompromisesHandling End Entity Key CompromisesAndroid Certificate BlacklistingReexamining the PKI Trust ModelTrust Problems in Today’s PKIRadical SolutionsConvergence and Trust AgilityCertificate PinningCertificate Pinning in AndroidSummary
7. Credential Storage
VPN and Wi-Fi EAP CredentialsAuthentication Keys and CertificatesThe System Credential StoreCredential Storage ImplementationThe keystore ServiceKey Blob Versions and TypesAccess Restrictionskeymaster Module and keystore Service ImplementationNexus 4 Hardware-Backed ImplementationFramework IntegrationPublic APIsThe KeyChain APIThe KeyChain ClassInstalling a PKCS#12 FileUsing a Private KeyInstalling a CA CertificateDeleting Keys and User CertificatesGetting Information about Supported AlgorithmsKeyChain API ImplementationControlling Access to the KeystoreKeyChainBroadcastReceiverCredential and Trust Store SummaryAndroid Keystore ProviderSummary
8. Online Account Management
Android Account Management OverviewAccount Management ImplementationAccountManagerService and AccountManagerAuthenticator ModulesThe Authenticator Module CacheAccountManagerService Operations and PermissionsListing and Authenticating AccountsManaging AccountsUsing Account CredentialsRequesting Authentication Token AccessThe Accounts DatabaseTable SchemaTable AccessPassword SecurityMulti-User SupportPer-User Account DatabasesShared AccountsAdding an Authenticator ModuleGoogle Accounts SupportThe Google Login ServiceGoogle Services Authentication and AuthorizationClientLoginOAuth 2.0Google Play ServicesSummary
9. Enterprise Security
Device AdministrationImplementationPrivilege ManagementPolicy PersistencePolicy EnforcementAdding a Device AdministratorImplementing a Device AdministratorSetting the Device OwnerManaged DevicesEnterprise Account IntegrationMicrosoft Exchange ActiveSyncGoogle AppsVPN SupportPPTPL2TP/IPSecIPSec XauthSSL-Based VPNsLegacy VPNImplementationProfile and Credential StorageAccessing CredentialsAlways-On VPNApplication-Based VPNsDeclaring a VPNPreparing the VPNEstablishing a VPN ConnectionNotifying the User About the VPN ConnectionMulti-User SupportLinux Advanced RoutingMulti-User VPN ImplementationWi-Fi EAPEAP Authentication MethodsAndroid Wi-Fi ArchitectureEAP Credentials ManagementAdding an EAP Network with WifiManagerSummary
10. Device Security
Controlling OS Boot-Up and InstallationBootloaderRecoveryVerified Bootdm-verity OverviewAndroid ImplementationEnabling Verified BootDisk EncryptionCipher ModeKey DerivationDisk Encryption PasswordChanging the Disk Encryption PasswordEnabling EncryptionControlling Device Encryption Using System PropertiesUnmounting /dataTriggering the Encryption ProcessUpdating the Crypto Footer and Encrypting DataBooting an Encrypted DeviceObtaining the Disk Encryption PasswordDecrypting and Mounting /dataStarting All System ServicesScreen SecurityLockscreen ImplementationKeyguard Unlock MethodsFace UnlockPattern UnlockPIN and Password UnlockPIN and PUK UnlockBrute-Force Attack ProtectionSecure USB DebuggingADB OverviewThe Need for Secure ADBSecuring ADBSecure ADB ImplementationADB Authentication KeysVerifying the Host Key FingerprintAndroid BackupAndroid Backup OverviewCloud BackupLocal BackupBackup File FormatBackup EncryptionControlling Backup ScopeSummary
11. NFC and Secure Elements
NFC OverviewAndroid NFC SupportReader/Writer ModeRegistering for Tag DispatchTag TechnologiesReading a TagUsing Reader ModePeer-to-Peer ModeCard Emulation ModeSecure ElementsSE Form Factors in Mobile DevicesUICCmicroSD-Based SEEmbedded SEAccessing the Embedded SEGranting Access to the eSEUsing the NfcExecutionEnvironment APIeSE-Related BroadcastsAndroid SE Execution EnvironmentSE Communication ProtocolsQuerying the eSE Execution EnvironmentUICC as a Secure ElementSIM Cards and UICCsUICC ApplicationsUICC Application Implementation and InstallationAccessing the UICCUsing the OpenMobile APISoftware Card EmulationAndroid 4.4 HCE ArchitectureAPDU RoutingSpecifying Routing for HCE ServicesSpecifying Routing for SE AppletsWriting an HCE ServiceSecurity of HCE ApplicationsSummary
12. Selinux
SELinux IntroductionSELinux ArchitectureMandatory Access ControlSELinux ModesSecurity ContextsSecurity Context Assignment and PersistenceSecurity PolicyPolicy StatementsType and Attribute StatementsUser and Role StatementsObject Class and Permission StatementsType Transition RulesDomain Transition RulesAccess Vector Rulesallow Rulesauditallow Rulesdontaudit Rulesneverallow RulesAndroid ImplementationKernel ChangesUserspace ChangesLibraries and ToolsSystem InitializationLabeling FilesLabeling System PropertiesLabeling Application ProcessesMiddleware MACDevice Policy FilesPolicy Event LoggingAndroid 4.4 SELinux PolicyPolicy OverviewEnforcing DomainsUnconfined DomainsApp DomainsSummary
13. System Updates and Root Access
BootloaderUnlocking the BootloaderFastboot ModeAndroid Partition LayoutThe Fastboot ProtocolFastboot CommandsRecoveryStock RecoveryControlling the RecoverySideloading an OTA PackageOTA Signature VerificationStarting the System Update ProcessApplying the UpdateCopying and Patching FilesSetting File Ownership, Permissions, and Security LabelsFinishing the UpdateUpdating the RecoveryCustom RecoveriesRoot AccessRoot Access on Engineering BuildsStarting ADB as RootUsing the su CommandRoot Access on Production BuildsRooting by Changing the boot or system ImageRooting by Flashing an OTA PackageSuperSUHow SuperSU Is InitializedRoot Access on Custom ROMsRooting via ExploitsSummary
Index
Copyright

Content preview from Android Security Internals

Chapter 13. System Updates and Root Access

In the preceding chapters, we introduced Android’s security model and discussed how integrating SELinux into Android has reinforced it. In this chapter, we take a bit of a right turn and introduce methods that can be used to circumvent Android’s security model.

In order to perform a full OS update or to restore the device to its factory state, it’s necessary to escape the security sandbox and gain full access to a device, because even the most privileged Android components are not given complete access to all system partitions and storage devices. Additionally, while having full administrative (root) access at runtime is clearly against Android’s security design, executing with root privileges can be useful ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781457185496Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Android Security Internals

by Nikolay Elenkov

Chapter 13. System Updates and Root Access

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.