我的书签
添加书签
移除书签From: eLinux.org
Android Security
Contents
- 1 Overview
- 2 Kernel-level security
- 3 Application-level security
- 4 Tutorial
- 5 Security Analysis
- 6 Security Investigations
- 7 Security Tricks
Overview
The overall architecture of Android security is described at:
http://developer.android.com/guide/topics/security/security.html
Each application is given its own Linux user id (UID) and group ID
Kernel-level security
Users and groups
Each application is assigned a uid and gid at install time. Application
data files are stored in /data/data/\
read-writable only by that application process.
Sample File Permissions
Here is an example from my ADP1 phone (lots of lines omitted to reduce
noise):
(Oh, and yes, I’m using busybox - find, xargs, and sort are not
available otherwise)
# find /data/data -type f | xargs ls -l | sort -k3 -n-rw------- 1 1000 1000 1954 Nov 12 01:10 /data/data/com.android.providers.subscribedfeeds/files/sslcache/android.clients.google.com.443-rw-r--r-- 1 1000 1000 147608 Apr 6 2009 /data/data/com.google.tts/lib/libspeechsynthesis.so-rw-rw---- 1 1000 1000 65 Nov 5 02:01 /data/data/com.google.android.systemupdater/shared_prefs/system_update_helper.xml-rw-rw---- 1 1000 1000 679 Nov 11 23:18 /data/data/com.android.settings/shared_prefs/com.android.settings_preferences.xml-rw-rw---- 1 1000 1000 2000 May 14 20:07 /data/data/com.google.android.location/files/DATA_Preferences-rw-rw---- 1 1000 1000 6144 Dec 19 2008 /data/data/com.android.settings/databases/webviewCache.db-rw-rw---- 1 1000 1000 11264 Nov 12 01:10 /data/data/com.android.providers.subscribedfeeds/databases/subscribedfeeds.db-rw-rw---- 1 1000 1000 14336 Dec 19 2008 /data/data/com.android.settings/databases/webview.db-rw-rw---- 1 1000 1000 36864 Nov 12 18:23 /data/data/com.android.providers.settings/databases/settings.db-rw-rw---- 1 1000 1000 129024 Nov 12 18:45 /data/data/com.google.android.server.checkin/databases/checkin.db-rw-rw-r-- 1 1000 1000 120 Nov 12 01:09 /data/data/com.android.providers.subscribedfeeds/shared_prefs/subscribedFeeds.xml-rwxrwx--- 1 1000 1000 54052 Dec 20 2008 /data/data/com.android.settings/files/wallpaper-rw------- 1 1001 1001 4 Oct 31 21:09 /data/data/com.android.providers.telephony/app_parts/PART_1257023388570-rw------- 1 1001 1001 4 Oct 31 21:10 /data/data/com.android.providers.telephony/app_parts/PART_1257023445796...-rw-rw---- 1 1001 1001 103 May 13 2009 /data/data/com.android.providers.telephony/shared_prefs/preferred-apn.xml-rw-rw---- 1 1001 1001 122 Oct 28 17:37 /data/data/com.android.phone/shared_prefs/com.android.phone_preferences.xml-rw-rw---- 1 1001 1001 126 Sep 3 2008 /data/data/com.android.phone/shared_prefs/_has_set_default_values.xml-rw-rw---- 1 1001 1001 7168 Nov 5 02:01 /data/data/com.android.providers.telephony/databases/telephony.db-rw-rw---- 1 1001 1001 69632 Nov 6 01:58 /data/data/com.android.providers.telephony/databases/mmssms.db-rw-rw---- 1 10000 10000 114 Apr 20 2009 /data/data/com.android.alarmclock/shared_prefs/AlarmClock.xml-rw-rw---- 1 10000 10000 4096 Dec 19 2008 /data/data/com.android.alarmclock/databases/alarms.db-rw-rw---- 1 10001 10001 7168 Nov 12 18:43 /data/data/org.koxx.forecast_weather.v2/databases/forecasts.db-rw-rw---- 1 10002 10002 489 Nov 11 23:19 /data/data/com.android.calculator2/files/calculator.data-rw-rw---- 1 10003 10003 683 Jun 10 19:27 /data/data/com.android.camera/shared_prefs/com.android.camera_preferences.xml-rw-rw---- 1 10003 10003 5120 Dec 20 2008 /data/data/com.android.providers.drm/databases/drm.db-rw-rw---- 1 10003 10003 10240 Nov 1 16:24 /data/data/com.android.providers.downloads/databases/downloads.db-rw-rw---- 1 10003 10003 37888 May 13 2009 /data/data/com.android.providers.media/databases/internal.db-rw-rw---- 1 10003 10003 37888 Sep 4 23:25 /data/data/com.android.camera/databases/launcher.db-rw-rw---- 1 10003 10003 60416 Nov 12 19:01 /data/data/com.android.providers.media/databases/external-39636438.db-rw-r--r-- 1 10004 10004 0 Jun 12 01:13 /data/data/com.android.providers.im/databases/im.db-mj76B91FF8-rw-r--r-- 1 10004 10004 0 Jun 12 04:05 /data/data/com.android.providers.im/databases/im.db-mj0AB1E39C...-rw-rw---- 1 10004 10004 105 Dec 18 2008 /data/data/com.android.providers.contacts/shared_prefs/owner-info.xml-rw-rw---- 1 10004 10004 125 Nov 11 16:37 /data/data/com.android.contacts/shared_prefs/dialtacts.xml-rw-rw---- 1 10004 10004 126 Dec 19 2008 /data/data/com.android.contacts/shared_prefs/_has_set_default_values.xml-rw-rw---- 1 10004 10004 146 Aug 28 16:02 /data/data/com.android.contacts/shared_prefs/com.android.contacts_preferences.xml-rw-rw---- 1 10004 10004 169 Nov 5 02:01 /data/data/com.android.launcher/shared_prefs/launcher.xml-rw-rw---- 1 10004 10004 4096 Jan 30 2009 /data/data/com.android.providers.userdictionary/databases/user_dict.db-rw-rw---- 1 10004 10004 20480 Oct 31 21:12 /data/data/com.android.launcher/databases/launcher.db-rw-rw---- 1 10004 10004 21504 Nov 12 18:45 /data/data/com.android.providers.im/databases/im.db-rw-rw---- 1 10004 10004 110592 Nov 12 02:08 /data/data/com.android.providers.contacts/databases/contacts.db-rw------- 1 10005 10005 270 Jun 13 03:36 /data/data/com.android.email/databases/0c180cf8-fb7b-4d3e-b994-4282611af63a.db_att/32-rw-r--r-- 1 10005 10005 1418240 Nov 5 02:01 /data/data/com.android.email/databases/0c180cf8-fb7b-4d3e-b994-4282611af63a.db-rw-rw---- 1 10005 10005 1866 Dec 20 2008 /data/data/com.android.email/shared_prefs/AndroidMail.Main.xml-rw-rw---- 1 10005 10005 6144 Sep 8 01:35 /data/data/com.android.email/databases/webviewCache.db-rw-rw---- 1 10005 10005 14336 May 14 17:58 /data/data/com.android.email/databases/webview.db-rw-rw---- 1 10006 10006 126 Dec 18 2008 /data/data/com.google.android.gm/shared_prefs/_has_set_default_values.xml-rw-rw---- 1 10006 10006 199 Jan 22 2009 /data/data/com.google.android.gm/shared_prefs/Gmail.xml-rw-rw---- 1 10006 10006 6144 Dec 19 2008 /data/data/com.google.android.gm/databases/gmail.db-rw-rw---- 1 10006 10006 6144 Dec 23 2008 /data/data/com.google.android.gm/databases/webviewCache.db-rw-rw---- 1 10006 10006 14336 Dec 23 2008 /data/data/com.google.android.gm/databases/webview.db-rw------- 1 10007 10007 1888 Nov 12 17:09 /data/data/com.google.android.apps.gtalkservice/files/sslcache/mtalk.google.com.5228-rw------- 1 10007 10007 1954 Nov 12 18:43 /data/data/com.google.android.providers.gmail/files/sslcache/android.clients.google.com.443-rw-rw---- 1 10007 10007 6144 Oct 23 22:43 /data/data/com.google.android.googleapps/databases/webviewCache.db-rw-rw---- 1 10007 10007 7168 May 13 2009 /data/data/com.google.android.providers.settings/databases/googlesettings.db-rw-rw---- 1 10007 10007 13312 Nov 11 20:37 /data/data/com.google.android.googleapps/databases/accounts.db-rw-rw---- 1 10007 10007 14336 May 13 2009 /data/data/com.google.android.googleapps/databases/webview.db-rw-rw---- 1 10007 10007 502784 Nov 12 18:45 /data/data/com.google.android.providers.gmail/databases/mailstore.tbird20d@gmail.com.db-rw-rw---- 1 10009 10009 126 Sep 3 2008 /data/data/com.android.mms/shared_prefs/_has_set_default_values.xml-rw-rw---- 1 10009 10009 585 Sep 3 2008 /data/data/com.android.mms/shared_prefs/com.android.mms_preferences.xml-rw-rw-rw- 1 10010 10010 310 Sep 18 01:12 /data/data/com.android.music/shared_prefs/Music.xml-rw-rw---- 1 10015 10015 126 Apr 29 2009 /data/data/com.google.android.street/shared_prefs/com.google.android.street.StreetView.xml-rw------- 1 10017 10017 35 Nov 12 16:49 /data/data/com.android.browser/cache/webviewCache/c24b0576-rw------- 1 10017 10017 43 Nov 12 16:47 /data/data/com.android.browser/cache/webviewCache/5446c8f2...-rw------- 1 10017 10017 1204872 May 13 2009 /data/data/com.android.browser/app_plugins/gears.so-rw-r--r-- 1 10017 10017 512 Nov 12 19:18 /data/data/com.android.browser/databases/webviewCache.db-journal-rw-r--r-- 1 10017 10017 8192 May 14 19:15 /data/data/com.android.browser/gears/geolocation.db-rw-r--r-- 1 10017 10017 18432 Dec 19 2008 /data/data/com.android.browser/gears/localserver.db-rw-r--r-- 1 10017 10017 20480 Dec 19 2008 /data/data/com.android.browser/gears/permissions.db-rw-r--r-- 1 10017 10017 48128 Nov 12 19:01 /data/data/com.android.browser/app_icons/WebpageIcons.db-rw-rw---- 1 10017 10017 851 May 29 13:53 /data/data/com.android.browser/shared_prefs/com.android.browser_preferences.xml-rw-rw---- 1 10017 10017 32768 Nov 12 16:49 /data/data/com.android.browser/databases/webviewCache.db-rw-rw---- 1 10017 10017 68608 Nov 12 16:49 /data/data/com.android.browser/databases/browser.db-rw-rw---- 1 10017 10017 257024 Nov 12 17:09 /data/data/com.android.browser/databases/webview.db-rw-rw-rw- 1 10017 10017 0 Nov 12 16:48 /data/data/com.android.browser/app_plugins/gears-0.5.17.0/gearstimestamp-rw-rw---- 1 10018 10018 126 Sep 3 2008 /data/data/com.android.calendar/shared_prefs/_has_set_default_values.xml-rw-rw---- 1 10018 10018 539 Nov 11 23:19 /data/data/com.android.calendar/shared_prefs/com.android.calendar_preferences.xml-rw-rw---- 1 10018 10018 375808 Nov 12 09:58 /data/data/com.android.providers.calendar/databases/calendar.db-rw-rw---- 1 10019 10019 48 Nov 7 06:11 /data/data/com.google.android.apps.maps/files/DATA_Tiles-rw-rw---- 1 10019 10019 483 Nov 11 03:58 /data/data/com.google.android.apps.maps/shared_prefs/com.google.android.maps.MapsActivity.xml-rw-rw---- 1 10019 10019 708 Nov 12 17:09 /data/data/com.google.android.apps.maps/shared_prefs/friend_finder.xml-rw-rw---- 1 10019 10019 2000 Nov 11 03:58 /data/data/com.google.android.apps.maps/files/DATA_Preferences-rw-rw---- 1 10019 10019 6144 May 13 2009 /data/data/com.google.android.apps.maps/databases/webviewCache.db-rw-rw---- 1 10019 10019 6144 Nov 1 21:28 /data/data/com.google.android.apps.maps/databases/search_history.db-rw-rw---- 1 10019 10019 8192 Nov 11 03:52 /data/data/com.google.android.apps.maps/databases/friends.db-rw-rw---- 1 10019 10019 14336 May 13 2009 /data/data/com.google.android.apps.maps/databases/webview.db-rw-rw---- 1 10019 10019 16048 Nov 7 06:11 /data/data/com.google.android.apps.maps/files/DATA_Tiles_1-rw-rw-rw- 1 10019 10019 65 Nov 11 03:52 /data/data/com.google.android.apps.maps/shared_prefs/extra-features.xml-rw-rw---- 1 10021 10021 435 Oct 30 17:09 /data/data/com.android.vending/shared_prefs/vending_preferences.xml-rw-rw---- 1 10021 10021 5120 Oct 6 19:38 /data/data/com.android.vending/databases/suggestions.db-rw-rw---- 1 10021 10021 6144 May 14 17:17 /data/data/com.android.vending/databases/webviewCache.db-rw-rw---- 1 10021 10021 14336 May 14 17:21 /data/data/com.android.vending/databases/webview.db-rw-rw---- 1 10021 10021 17408 Oct 6 19:39 /data/data/com.android.vending/databases/assets.db-rw------- 1 10022 10022 50077 Nov 12 05:34 /data/data/com.google.android.youtube/cache/videos?vq=peter+sellers+inspector&format=2&restriction=us&start-index=18&max-results=8-rw------- 1 10022 10022 53110 Nov 12 05:33 /data/data/com.google.android.youtube/cache/videos?vq=peter+sellers+inspector&format=2&restriction=us&start-index=10&max-results=8-rw------- 1 10022 10022 57403 Nov 12 05:33 /data/data/com.google.android.youtube/cache/videos?vq=peter+sellers+inspector&format=2&restriction=us&start-index=1&max-results=9-rw------- 1 10022 10022 63761 Nov 12 05:32 /data/data/com.google.android.youtube/cache/recently_featured?format=2&start-index=1&max-results=9-rw-rw---- 1 10022 10022 739 Nov 12 16:45 /data/data/com.google.android.youtube/shared_prefs/youtube.xml-rw-rw---- 1 10022 10022 5120 Nov 12 05:34 /data/data/com.google.android.youtube/databases/suggestions.db-rw-rw---- 1 10025 10025 114 May 13 2009 /data/data/com.google.android.voicesearch/shared_prefs/com.google.android.voicesearch_preferences.xml-rw-rw---- 1 10025 10025 126 May 13 2009 /data/data/com.google.android.voicesearch/shared_prefs/_has_set_default_values.xml-rw-rw---- 1 10025 10025 2000 May 13 2009 /data/data/com.google.android.voicesearch/files/DATA_Preferences-rw-rw---- 1 10025 10025 8192 Jun 10 03:25 /data/data/com.google.android.voicesearch/databases/webviewCache.db-rw-rw---- 1 10025 10025 14336 May 13 2009 /data/data/com.google.android.voicesearch/databases/webview.db-rw-rw---- 1 10026 10026 688 Jan 10 2009 /data/data/com.quirkconsulting/shared_prefs/TouchTipv2.xml-rw-rw---- 1 10026 10026 6144 Dec 19 2008 /data/data/com.quirkconsulting/databases/webviewCache.db-rw-rw---- 1 10026 10026 14336 Dec 19 2008 /data/data/com.quirkconsulting/databases/webview.db-rw------- 1 10027 10027 4326 Aug 8 01:03 /data/data/com.a0soft.gphone.aCurrency/app_db/currency.db-rw-rw---- 1 10027 10027 170 Aug 8 01:04 /data/data/com.a0soft.gphone.aCurrency/shared_prefs/com.a0soft.gphone.aCurrency_preferences.xml-rw-rw---- 1 10027 10027 740 Dec 20 2008 /data/data/com.a0soft.gphone.aCurrency/shared_prefs/pref2.xml-rw-rw---- 1 10027 10027 801 Aug 8 01:05 /data/data/com.a0soft.gphone.aCurrency/shared_prefs/pref3.xml-rw-rw---- 1 10027 10027 6144 Aug 8 01:03 /data/data/com.a0soft.gphone.aCurrency/databases/webviewCache.db-rw-rw---- 1 10027 10027 14336 Aug 8 01:03 /data/data/com.a0soft.gphone.aCurrency/databases/webview.db-rw-rw---- 1 10028 10028 14336 Sep 19 22:17 /data/data/com.stylem.movies/databases/webview.db-rw-rw---- 1 10028 10028 53248 Sep 19 22:18 /data/data/com.stylem.movies/databases/webviewCache.db-rw-rw---- 1 10029 10029 241 Jan 10 2009 /data/data/com.capaci.android.flashlight/shared_prefs/SettingsFile.xml-rw-rw---- 1 10030 10030 233 Jun 15 15:02 /data/data/com.weather.Weather/files/tile-Radar-023010230-200906151450-twc.png-rw-rw---- 1 10030 10030 233 Jun 15 15:02 /data/data/com.weather.Weather/files/tile-Radar-023010231-200906151450-twc.png-rw-rw---- 1 10030 10030 233 Jun 15 15:02 /data/data/com.weather.Weather/files/tile-Radar-023010232-200906151450-twc.png-rw-rw---- 1 10030 10030 233 Mar 18 2009 /data/data/com.weather.Weather/files/tile-Radar-023010221-200903181940-twc.png-rw-rw---- 1 10030 10030 233 Mar 18 2009 /data/data/com.weather.Weather/files/tile-Radar-023010223-200903181940-twc.png-rw-rw---- 1 10030 10030 233 Mar 18 2009 /data/data/com.weather.Weather/files/tile-Radar-023010230-200903181940-twc.png-rw-rw---- 1 10030 10030 233 Mar 18 2009 /data/data/com.weather.Weather/files/tile-Radar-023010232-200903181940-twc.png
When Dalvik (actually, the ‘zygote’ process’) loads an application, it
changes to the uid and gid for the application, so that the process is
running in the correct security context.
Sample Process List
If you compare the Uids below with the above list, you’ll see the
correspondence between the assigned UID and the running processes. (For
example, 10017 is the browser).
# psPID Uid VSZ Stat Command1 0 288 S /init[kernel threads omitted...]30 1000 808 S /system/bin/servicemanager31 0 848 S /system/bin/vold32 0 668 S /system/bin/debuggerd33 1001 7888 S /system/bin/rild34 0 70548 S zygote /bin/app_process -Xzygote /system/bin --zygote35 1013 30032 S /system/bin/mediaserver36 1002 1172 S /system/bin/dbus-daemon --system --nofork37 0 816 S /system/bin/installd39 0 744 S /system/bin/sh /runme.sh40 1008 1304 S /system/bin/akmd41 0 3340 S /sbin/adbd64 1000 171284 S system_server108 1001 122172 S com.android.phone110 10004 129936 S android.process.acore387 10004 101668 S com.android.inputmethod.latin6721 10017 158272 S com.android.browser6901 10019 96340 S com.google.android.apps.maps7166 0 740 S /system/bin/sh -7635 10007 123776 S com.google.process.gapps7727 10000 91284 S com.android.alarmclock7753 0 872 S sleep 37754 0 2104 R ps
Paranoid network-ing
Android adds a “paranoid network” option to the Linux kernel, which
restricts access to some networking features depending on the group of
the calling process.
The list of groups that are allowed access to networking features is in
the kernel source file: /include/linux/android_aids.h
Here is the list:
| #define | GID | Capability |
| AID_NET_BT_ADMIN | 3001 | Can create an RFCOMM, SCO, or L2CAPP Bluetooth socket |
| AID_NET_BT | 3002 | Can create a Bluetooth socket |
| AID_INET | 3003 | Can create IPv4 or IPv6 socket |
| AID_NET_RAW | 3004 | Can create certain kinds of IPv4 sockets?? |
| AID_NET_ADMIN* | 3005 | Allow CAP_NET_ADMIN permissions for process |
Note: * Added in Donut (not in original Android 1.0)
Application-level security
Android also uses a user-space level security system to regulate
communication and interaction among applications and system components.
This is described at:
http://developer.android.com/guide/topics/security/security.html
Tutorial
See
http://siis.cse.psu.edu/android-tutorial.html
(With an abridged version at:
http://siis.cse.psu.edu/android_sec_tutorial.html)
Security Analysis
See a good analysis of Android security at:
http://www.isecpartners.com/files/iSEC_Android_Exploratory_Blackhat_2009.pdf
Security Investigations
TOMOYO Linux investigation
Presentation
- “Learning, Analyzing and Protecting Android with TOMOYO Linux
(JLS2009)”
(Japan Linux Symposium 2009, Oct. 2009) - “TOMOYO Linux on
Android”
(Smartbook/Netbook/Mobile Application Conference Taipei
2009, Oct. 2009) “TOMOYO Linux on
Android”
(CELF Japan Technical Jamboree 28, Jun. 2009)- all English slides PDFs of TOMOYO
Linux
Code
Contact
Security Tricks
Changing application security permissions after installation
Some applications request more permissions than they really need. You
can alter the set of permissions granted to an application by editing
/data/system/pacakges.xml.
lbcoder wrote this on the android-platform mailing list:
Go into /data/system/packages.xml and you can remove permission lines.
Immediately after saving the packages.xml, reboot the phone (otherwise
the file will get overwritten by the system again). The newly reduced
permissions will be read on boot.
