• Secure Inter-App Communication
  • Securing Android Intents
  • Sender Risks and Mitigations
  • Receiver Risks and Mitigations
  • Securing Content Providers
  • Application Update Process
  • Non-Android SDK Applications
  • AAndroid Manifest Permissions
  • Mitre technical report




    Download 0.77 Mb.
    bet5/6
    Sana21.03.2020
    Hajmi0.77 Mb.
    #8283
    TuriReport
    1   2   3   4   5   6

    Parameter Content


    Even when using end-to-end encryption, it is best not to abuse sensitive information. Sensitive phone information such as phone number, serial number, and device ID should not be used to identify connections19. It is not uncommon for information such as this to be used as HTTP parameters or as device fingerprints because it provides quick access to a unique number. However, this practice is discouraged as it makes more personally identifiable information available to be captured than necessary.
    1. Secure Inter-App Communication


    Android provides mechanisms that enable communication between applications. These mechanisms have great utility but also introduce security risks. This section describes how to secure inter-application communication. The sources for this information include Chin, et al.’s “Analyzing Inter-Application Communication in Android” paper20, the iSEC Partners document titled “A Study of Android Application Security”21, and the iSEC Partners white paper “Developing Secure Mobile Applications for Android”22.
      1. Securing Android Intents


    Intents are an Android OS mechanism used for both intra-application and inter-application communication. Explicit Intents specify a particular component to be delivered to, while implicit Intents are delivered by the system to any of the components that declares support for the requested operation. We describe the potential risks that apply to Intent senders and to Intent receivers along with suggested mitigations.
        1. Sender Risks and Mitigations


    This section describes the risks that apply to Intent senders along with suggested mitigations.
          1. Implicit Intents


    Implicit Intents can potentially be intercepted by malicious applications. A malicious application could receive implicit Intents by declaring wide-ranging Intent filters. The malicious application would gain access to the data in the Intent, and the malicious application could potentially be able to conduct other attacks. For example, a malicious application could conduct a phishing attack in the case of an Intent that signals activation of a password prompt or credit card prompt display. Also, when Intents are used to signal an Activity or Service, the Activity or Service has the ability to return information to the sender. If a malicious Activity or Service is inadvertently called, the responses could be malicious and be used to trigger attacks against the sender if not handled properly.

    To mitigate these threats, applications should use explicit Intents when it is possible to address Intents to a specific component, and must use explicit Intents if the Intent is for an internal component (intra-application communication).

    When sending broadcast Intents, applications can define custom permissions and only send the Intent to receivers that hold the permission. Permissions are an effective security mechanism when they are combined with an effective enterprise management approach that provides control over the permissions held by other installed applications to ensure that they do not maliciously request the permission. For additional protection, the custom permission could be declared as a "signature" level permission, which would require both applications be signed by the same private key (usually meaning they are both written by the same developer).

    The same permissions approach is not available for sending implicit Intents to an Activity or Service. Explicit Intents should be used when possible, but if an implicit Intent is necessary, applications should avoid placing sensitive information in implicit Intents sent to an Activity or Service and should perform input validation on any received responses.


          1. Explicit Intents


    Explicit Intents are safer than implicit Intents because they are addressed to a specific component. Explicit Intents should be used when possible but may not always be appropriate because of their lack of flexibility. Explicit Intents still present some risks. A malicious application could be installed that takes the name of another intended component. A potential mitigation against this risk is enterprise management control over installed applications. Also, before sending an explicit Intent to another component, an application can verify that the other component has a required permission. Taken from iSEC Partners guidance23, this code verifies that the other package has the required permission:

    res = getPackageManager().checkPermission(permToCheck, name.getPackageName());

    then compare res with PackageManager.PERMISSION_GRANTED or PackageManager.PERMISSION_DENIED

    As described in the above section, an enterprise management approach is needed to control the permissions held by other installed applications to ensure that they do not maliciously request the permission.

    Another, stronger approach is to obtain the receiving application's package signature and ensure that it matches an expected value.

        1. Receiver Risks and Mitigations


    This section describes the risks that apply to Intent receivers along with suggested mitigations. Intent receivers could receive unanticipated Intents from malicious sender applications, known as spoofed Intents.

    Many application components are only used internally and have no need to be invoked by external applications. To be safe, developers should declare these components in the manifest as explicitly internal:



    android:exported="false">



    24

    As described in Enck, et al., applications must perform null checks on all received objects. Otherwise, an unintended dereference of a null variable, potentially provided by a malicious application through an Intent, may cause the application to crash.

    Broadcast Receivers are at risk of attack. As described by Chin, et al., certain Intents are supposed to be broadcast by only the operating system (rather than by any application), so these Intents may be given more trust by the application. However, when applications declare the ability to receive broadcast messages from the system, they are able to receive messages from any other application, not just the system. Applications must be sure to explicitly ensure that the received message matches a system action (which can only be sent by the operating system) before proceeding:

    public void onReceive(Context ctxt, Intent i){

    if (i.getAction().equals("expected.action"))

    return;


    }25

    Intent filters are not a security mechanism. Even if an Intent recipient (such as an Activity, Service, or BroadcastReceiver) declares an IntentFilter, a malicious sender can still send an explicit Intent to invoke the activity with an Intent that does not match the filter. Recipients must be prepared to receive unexpected data in Intents and appropriately filter their contents.

    Recipients can use permissions to control who can invoke them. These permissions are checked by the Activity Manager to ensure the sender meets the requirements to send the Intent before delivering it.

    For example, the following activity can only be invoked by applications that hold the custom permission "my.permission":



    android:exported="true">

    android:permission="my.permission">







    26

    Permissions are an effective strategy when combined with an enterprise management ability to control the permissions held by installed applications. A stronger approach is for the invoked application to use the PackageManager class to obtain the sending application's package name and package signature and ensure that they both match an expected value.


        1. Sticky Intent


    Sticky Intents are sent and received through sticky Broadcasts. They are intended to share information about the system state27. Applications cannot limit access to sticky Intents based on permissions. The result is that any application with the BROADCAST_STICKY permission has full access to all sticky Intents. Therefore, sticky Intents should not be used. Sensitive data could be easily captured y by any listening application. A malicious application could also simply remove the Intent, breaking down the communication channel.
        1. Intent Reflection


    When an application sends an Intent in response to receiving an Intent, it is at risk of intent reflection. Intent reflection occurs when an application has another application send an Intent on its behalf28. An application can use this to send Intents it may not otherwise be able to send, which is a form of privilege escalation. This is avoided by accepting a PendingIntent instead of an Intent. PendingIntents are sent as the creating process, and are thus rejected if the process does not have permission to send the Intent. When sending PendingIntents, it is important to trust the application the PendingIntent is sent to, as the application will be sending the Intent on the caller's behalf.
      1. Securing Content Providers


    Android's ContentProvider mechanism can be used to share data with other applications or internally with the same application. Content Providers must only be exported if other applications have a need to use them. If exported, the application developer must define read and write permissions to prevent the ContentProvider from being misused by malicious applications. Just as described earlier, permissions are only effective if combined with an effective enterprise management strategy to ensure that each application only requests and obtains appropriate permissions.
    1. Application Update Process


    Although not detailed in this guide, a process for application maintenance and sustainment is critical for complete application lifecycle. A formal change management process should be documented based on program expectations on maintenance and sustainment. Two important areas to be included in the application update process are:

    • Creation of secure/strong process for updating apps.

    • Ability to rapidly updates/patches which adhere to CVE (or other identified vulnerabilities).
    1. Non-Android SDK Applications

      1. Browser-based Apps


    Android's permissions scheme is implemented at the kernel level. Any browser-based apps will only be able to do what the browser lets them do; and in turn, the browser will be beholden to the usual permissions scheme. Therefore, browser-based apps can safely be treated with the same rigor than native apps.
      1. Adobe Air Apps


    Adobe’s Flash technology now allows mobile application development for cross-platform usage, including Android. Air/Flex/Flash does not allow for access to Manifest permissions, which is restricting of device permissions an application is granted. We are assessing the Air/Flex/Flash permission model to determine if the Adobe application development will be viable for DoD mobile apps.

    At this writing, Adobe Air applications should not be deemed acceptable offerings in the Android app store.



    This page intentionally left blank.
    AAndroid Manifest Permissions

    This list is derived from SDK documentation at the Android Developers portal.

    Constants

    ACCESS_CHECKIN_PROPERTIES

    Allows read/write access to the "properties" table in the checkin database, to change values that get uploaded.

    ACCESS_COARSE_LOCATION

    Allows an application to access coarse (e.g., Cell-ID, WiFi) location

    ACCESS_FINE_LOCATION

    Allows an application to access fine (e.g., GPS) location

    ACCESS_LOCATION_EXTRA_COMMANDS

    Allows an application to access extra location provider commands

    ACCESS_MOCK_LOCATION

    Allows an application to create mock location providers for testing

    ACCESS_NETWORK_STATE

    Allows applications to access information about networks

    ACCESS_SURFACE_FLINGER

    Allows an application to use SurfaceFlinger's low level features

    ACCESS_WIFI_STATE

    Allows applications to access information about Wi-Fi networks

    ACCOUNT_MANAGER

    Allows applications to call into AccountAuthenticators.

    AUTHENTICATE_ACCOUNTS

    Allows an application to act as an AccountAuthenticator for the AccountManager

    BATTERY_STATS

    Allows an application to collect battery statistics

    BIND_APPWIDGET

    Allows an application to tell the AppWidget service which application can access AppWidget's data.

    BIND_DEVICE_ADMIN

    Must be required by device administration receiver, to ensure that only the system can interact with it.

    BIND_INPUT_METHOD

    Must be required by an InputMethodService, to ensure that only the system can bind to it.

    BIND_REMOTEVIEWS

    Must be required by a RemoteViewsService, to ensure that only the system can bind to it.

    BIND_WALLPAPER

    Must be required by a WallpaperService, to ensure that only the system can bind to it.

    BLUETOOTH

    Allows applications to connect to paired bluetooth devices

    BLUETOOTH_ADMIN

    Allows applications to discover and pair bluetooth devices

    BRICK

    Required to be able to disable the device (very dangerous!).

    BROADCAST_PACKAGE_REMOVED

    Allows an application to broadcast a notification that an application package has been removed.

    BROADCAST_SMS

    Allows an application to broadcast an SMS receipt notification

    BROADCAST_STICKY

    Allows an application to broadcast sticky intents.

    BROADCAST_WAP_PUSH

    Allows an application to broadcast a WAP PUSH receipt notification

    CALL_PHONE

    Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call being placed.

    CALL_PRIVILEGED

    Allows an application to call any phone number, including emergency numbers, without going through the Dialer user interface for the user to confirm the call being placed.

    CAMERA

    Required to be able to access the camera device.

    CHANGE_COMPONENT_ENABLED_STATE

    Allows an application to change whether an application component (other than its own) is enabled or not.

    CHANGE_CONFIGURATION

    Allows an application to modify the current configuration, such as locale.

    CHANGE_NETWORK_STATE

    Allows applications to change network connectivity state

    CHANGE_WIFI_MULTICAST_STATE

    Allows applications to enter Wi-Fi Multicast mode

    CHANGE_WIFI_STATE

    Allows applications to change Wi-Fi connectivity state

    CLEAR_APP_CACHE

    Allows an application to clear the caches of all installed applications on the device.

    CLEAR_APP_USER_DATA

    Allows an application to clear user data

    CONTROL_LOCATION_UPDATES

    Allows enabling/disabling location update notifications from the radio.

    DELETE_CACHE_FILES

    Allows an application to delete cache files.

    DELETE_PACKAGES

    Allows an application to delete packages.

    DEVICE_POWER

    Allows low-level access to power management

    DIAGNOSTIC

    Allows applications to RW to diagnostic resources.

    DISABLE_KEYGUARD

    Allows applications to disable the keyguard

    DUMP

    Allows an application to retrieve state dump information from system services.

    EXPAND_STATUS_BAR

    Allows an application to expand or collapse the status bar.

    FACTORY_TEST

    Run as a manufacturer test application, running as the root user.

    FLASHLIGHT

    Allows access to the flashlight

    FORCE_BACK

    Allows an application to force a BACK operation on whatever is the top activity.

    GET_ACCOUNTS

    Allows access to the list of accounts in the Accounts Service

    GET_PACKAGE_SIZE

    Allows an application to find out the space used by any package.

    GET_TASKS

    Allows an application to get information about the currently or recently running tasks: a thumbnail representation of the tasks, what activities are running in it, etc.

    GLOBAL_SEARCH

    This permission can be used on content providers to allow the global search system to access their data.

    HARDWARE_TEST

    Allows access to hardware peripherals.

    INJECT_EVENTS

    Allows an application to inject user events (keys, touch, trackball) into the event stream and deliver them to ANY window.

    INSTALL_LOCATION_PROVIDER

    Allows an application to install a location provider into the Location Manager

    INSTALL_PACKAGES

    Allows an application to install packages.

    INTERNAL_SYSTEM_WINDOW

    Allows an application to open windows that are for use by parts of the system user interface.

    INTERNET

    Allows applications to open network sockets.

    KILL_BACKGROUND_PROCESSES

    Allows an application to call killBackgroundProcesses(String).

    MANAGE_ACCOUNTS

    Allows an application to manage the list of accounts in the AccountManager

    MANAGE_APP_TOKENS

    Allows an application to manage (create, destroy, Z-order) application tokens in the window manager.

    MASTER_CLEAR




    MODIFY_AUDIO_SETTINGS

    Allows an application to modify global audio settings

    MODIFY_PHONE_STATE

    Allows modification of the telephony state - power on, mmi, etc.

    MOUNT_FORMAT_FILESYSTEMS

    Allows formatting file systems for removable storage.

    MOUNT_UNMOUNT_FILESYSTEMS

    Allows mounting and unmounting file systems for removable storage.

    NFC

    Allows applications to perform I/O operations over NFC

    PERSISTENT_ACTIVITY

    This constant is deprecated. This functionality will be removed in the future; please do not use. Allow an application to make its activities persistent.

    PROCESS_OUTGOING_CALLS

    Allows an application to monitor, modify, or abort outgoing calls.

    READ_CALENDAR

    Allows an application to read the user's calendar data.

    READ_CONTACTS

    Allows an application to read the user's contacts data.

    READ_FRAME_BUFFER

    Allows an application to take screen shots and more generally get access to the frame buffer data

    READ_HISTORY_BOOKMARKS

    Allows an application to read (but not write) the user's browsing history and bookmarks.

    READ_INPUT_STATE

    Allows an application to retrieve the current state of keys and switches.

    READ_LOGS

    Allows an application to read the low-level system log files.

    READ_PHONE_STATE

    Allows read only access to phone state.

    READ_SMS

    Allows an application to read SMS messages.

    READ_SYNC_SETTINGS

    Allows applications to read the sync settings

    READ_SYNC_STATS

    Allows applications to read the sync stats

    REBOOT

    Required to be able to reboot the device.

    RECEIVE_BOOT_COMPLETED

    Allows an application to receive the ACTION_BOOT_COMPLETED that is broadcast after the system finishes booting.

    RECEIVE_MMS

    Allows an application to monitor incoming MMS messages, to record or perform processing on them.

    RECEIVE_SMS

    Allows an application to monitor incoming SMS messages, to record or perform processing on them.

    RECEIVE_WAP_PUSH

    Allows an application to monitor incoming WAP push messages.

    RECORD_AUDIO

    Allows an application to record audio

    REORDER_TASKS

    Allows an application to change the Z-order of tasks

    RESTART_PACKAGES

    This constant is deprecated. The restartPackage(String) API is no longer supported.

    SEND_SMS

    Allows an application to send SMS messages.

    SET_ACTIVITY_WATCHER

    Allows an application to watch and control how activities are started globally in the system.

    SET_ALARM

    Allows an application to broadcast an Intent to set an alarm for the user.

    SET_ALWAYS_FINISH

    Allows an application to control whether activities are immediately finished when put in the background.

    SET_ANIMATION_SCALE

    Modify the global animation scaling factor.

    SET_DEBUG_APP

    Configure an application for debugging.

    SET_ORIENTATION

    Allows low-level access to setting the orientation (actually rotation) of the screen.

    SET_PREFERRED_APPLICATIONS

    This constant is deprecated. No longer useful, see addPackageToPreferred(String) for details.

    SET_PROCESS_LIMIT

    Allows an application to set the maximum number of (not needed) application processes that can be running.

    SET_TIME

    Allows applications to set the system time

    SET_TIME_ZONE

    Allows applications to set the system time zone

    SET_WALLPAPER

    Allows applications to set the wallpaper

    SET_WALLPAPER_HINTS

    Allows applications to set the wallpaper hints

    SIGNAL_PERSISTENT_PROCESSES

    Allow an application to request that a signal be sent to all persistent processes

    STATUS_BAR

    Allows an application to open, close, or disable the status bar and its icons.

    SUBSCRIBED_FEEDS_READ

    Allows an application to allow access the subscribed feeds ContentProvider.

    SUBSCRIBED_FEEDS_WRITE




    SYSTEM_ALERT_WINDOW

    Allows an application to open windows using the type TYPE_SYSTEM_ALERT, shown on top of all other applications.

    UPDATE_DEVICE_STATS

    Allows an application to update device statistics.

    USE_CREDENTIALS

    Allows an application to request authtokens from the AccountManager

    USE_SIP

    Allows an application to use SIP service

    VIBRATE

    Allows access to the vibrator

    WAKE_LOCK

    Allows using PowerManager WakeLocks to keep processor from sleeping or screen from dimming

    WRITE_APN_SETTINGS

    Allows applications to write the apn settings

    WRITE_CALENDAR

    Allows an application to write (but not read) the user's calendar data.

    WRITE_CONTACTS

    Allows an application to write (but not read) the user's contacts data.

    WRITE_EXTERNAL_STORAGE

    Allows an application to write to external storage

    WRITE_GSERVICES

    Allows an application to modify the Google service map.

    WRITE_HISTORY_BOOKMARKS

    Allows an application to write (but not read) the user's browsing history and bookmarks.

    WRITE_SECURE_SETTINGS

    Allows an application to read or write the secure system settings.

    WRITE_SETTINGS

    Allows an application to read or write the system settings.

    WRITE_SMS

    Allows an application to write SMS messages.

    WRITE_SYNC_SETTINGS

    Allows applications to write the sync settings




    Download 0.77 Mb.
    1   2   3   4   5   6




    Download 0.77 Mb.