Understanding the basics of Android App Security

Divyansh Dwivedi
15 min read · Nov 6, 2023


Part 1/8 | Android Hacking Masterclass

The last post was the introduction, where we talked about everything we are going to cover in this series. In this post we officially begin the actual Android Hacking Masterclass.

Before we actually dive into hacking, we first need to understand the basics of Android security. To begin with, we need to understand Android’s security model: how Android apps are secured, so that later on we can find flaws in them.

Apart from that, we also need to learn about the different security metrics that score an app’s security and what each of them means. So let’s not waste any more time and get started.

Android OS Security Model

Before we dive into the security aspects, it’s essential to understand the Android operating system itself. Android is an open-source operating system developed by Google, designed primarily for mobile devices such as smartphones and tablets. This open nature has both advantages and challenges when it comes to security.

Android, at its most fundamental level, is based on a multi-party consent model, the most common type of security model, which a lot of different operating systems use; since Android is built on top of Linux, it uses the same model. This model states that:

An action should only happen if all involved parties consent to it.

If any party does not consent, then the safe-by-default choice is for that action to be blocked. This differs from the security models that more traditional operating systems implement, which focus on user access control and do not explicitly consider other stakeholders.

While the multi-party model has implicitly informed architecture and design of the Android platform from the beginning, it has been refined and extended based on experience gathered from past releases.

Android System Architecture

The image above shows the multi-layer architecture of an Android system. Let’s first discuss each layer.

The Linux Kernel: The Brain of Android

Picture this: If Android were a superhero, the Linux kernel would be its super-smart brain. The kernel is like the boss behind the scenes, making sure everything runs smoothly. It handles tasks like letting your phone multitask (run many apps at once) and manages your device’s memory, so it doesn’t run out of space. Plus, Linux is known for its top-notch security, which keeps your device safe from bad stuff.

But what makes Linux super cool is that it’s a well-known system, like a world-famous actor. This means companies can make hardware that works perfectly with Android. Imagine your Android device is a car, and the Linux kernel is the driver — it’s steering the car and making sure it gets you where you want to go. So, in the grand Android orchestra, the kernel is the conductor, making sure all the different parts play together harmoniously.

Hardware Abstraction Layer (HAL): Your Device’s Translator

Your Android device is full of incredible hardware, like cameras and Bluetooth chips. But how do apps talk to these hardware gizmos? Well, that’s where the Hardware Abstraction Layer (HAL) comes in. Imagine the HAL as a magical translator that lets your apps communicate with your device’s hardware.

For example, when you take a picture on your device, the camera app asks the HAL to talk to the camera hardware. The HAL then translates the app’s requests into a language the camera understands. This way, your camera takes photos just the way you want. It’s like having a personal assistant who ensures your message gets across.

So, while the HAL doesn’t get the spotlight like the camera app, it’s the unsung hero working behind the scenes, making sure you can snap those awesome photos or connect to Bluetooth devices without a hitch.

Android Runtime (ART): The App Magician

You know when you open an app on your Android device, and it starts working like magic? Well, that’s thanks to Android Runtime (ART). It’s the wizard behind the scenes that turns your app’s code into actions on your device.

Imagine ART as a backstage magician at a grand show. Each app has its magic trick (code), and ART knows how to perform it. But here’s the impressive part: it does this for many apps at the same time. It’s like a multitasking master. And ART is smart enough to ensure your apps don’t hog all the memory, so your device runs smoothly.

ART has many tricks up its sleeve, like efficient memory management and powerful debugging tools. So, when you’re tapping away on your favorite apps, remember, there’s a magician named ART making it all happen smoothly.

Native C/C++ Libraries: The Builders of Android’s Core

Ever wondered how your Android device can deliver stunning graphics and interact with other gadgets? Well, it’s all thanks to the Native C/C++ Libraries. Think of them as the skilled builders constructing the core elements of Android.

These libraries are like the master architects of your device’s software world. They create the solid foundations for essential components like the Android Runtime (ART) and Hardware Abstraction Layer (HAL). When you play graphics-intensive games or use apps that require high-performance computing, you’re tapping into the power of these C/C++ libraries.

But there’s a neat twist: even if you’re not a professional coder, you can use the Android NDK (Native Development Kit) to build apps that talk directly to these native libraries. It’s like having a secret toolbox that lets you create apps with advanced features and high-speed performance.

Java API Framework: Building Blocks for App Magic

The Java API Framework is like a treasure chest filled with building blocks for creating Android apps. These building blocks, written in the Java language, are the secret ingredients behind your favorite apps’ functionality.

Imagine the Java API Framework as a toolbox for app developers. Inside, there are tools to create user interfaces (UIs), access resources like images and strings, and manage notifications. Whether it’s designing a sleek app interface or handling background tasks, these APIs do the heavy lifting for app creators.

The fantastic part is that app developers don’t need to reinvent the wheel. They can use these pre-made building blocks to assemble their apps quickly. So, every time you play a game, send a message, or check your calendar, remember that a set of Java tools is making it all happen.

System Apps: The Heroes with Special Powers

System apps are like superheroes in the Android world. They come pre-installed on your device and serve various essential purposes. These apps handle tasks like sending emails, managing calendars, browsing the internet, and keeping your contacts organized.

Here’s the exciting part: while system apps are there to assist users, they also offer superpowers to other apps. Let’s say you want to send an SMS message. You don’t need to create an SMS-sending feature from scratch. Instead, your app can simply ask the system’s SMS app to handle the message delivery. It’s like calling in a superhero for a particular task.

What’s cool is that system apps are interchangeable. You can set a third-party app as your default web browser, SMS messenger, or even keyboard. This flexibility gives you control and allows you to personalize your Android experience. So, while system apps may seem like humble sidekicks, they’re the unsung heroes making your device versatile and user-friendly.

Right, so now we have a basic understanding of what happens behind the scenes in an Android device. So where does the concept of multi-party consent come into play?

To understand this, we’ll simplify the architecture a little and abstract all the above layers into one. Any action the user takes then boils down to only three parties.

Multi-Party consent. Image taken from https://proandroiddev.com/the-layers-of-the-android-security-model-90f471015ae6

We said that in Android, for an action to take place, all the parties must agree to it. For ease of understanding, we have squashed all the layers of the operating system into one.

Let’s understand multi-party consent with an example. Say a user of a file-sharing app wants to send files to another user over Bluetooth.

First, when the user tries to send the file, the app asks for the Bluetooth permission: we are about to send these files, are you sure you want to do this? The user agrees to the action.

Once the user agrees, the application consents to the user’s action and relays it to the Android OS. The OS then inspects the action and checks whether it is being invoked properly according to the platform’s rules. In this case, the Android runtime verifies whether the device is compatible, that the code is not trying to execute anything malicious, and so on. If it agrees, it talks to the Linux kernel and passes the information along; otherwise, it throws an error.

This was a short example, but the same thing happens in everything we do on Android: from network calls to database calls, everything is based on multiple parties agreeing to it.
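Here is how the three-party exchange above looks in app code. This is an added example, not code from the original post; it assumes the manifest declares the BLUETOOTH and BLUETOOTH_CONNECT permissions and that the AndroidX appcompat and core libraries are on the classpath.

```java
import android.Manifest;
import android.bluetooth.BluetoothAdapter;
import android.bluetooth.BluetoothDevice;
import android.bluetooth.BluetoothManager;
import android.content.pm.PackageManager;
import android.os.Build;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;
import java.util.Set;

public class FileSendActivity extends AppCompatActivity {
    private static final int REQ_BT = 42;   // arbitrary request code

    // Android 12+ gates Bluetooth connections behind the runtime BLUETOOTH_CONNECT
    // permission; earlier releases grant BLUETOOTH at install time.
    private static String bluetoothPermission() {
        return Build.VERSION.SDK_INT >= Build.VERSION_CODES.S
                ? Manifest.permission.BLUETOOTH_CONNECT : Manifest.permission.BLUETOOTH;
    }

    // Party 1, the app, wants to act. It checks whether party 2, the user, has already
    // consented and, if not, asks. The consent dialog itself is drawn by the OS.
    void onSendClicked() {
        String perm = bluetoothPermission();
        if (ContextCompat.checkSelfPermission(this, perm) == PackageManager.PERMISSION_GRANTED) {
            sendFileOverBluetooth();
        } else {
            ActivityCompat.requestPermissions(this, new String[]{perm}, REQ_BT);
        }
    }

    // The OS records the user's decision and reports it back; the app never touches the
    // dialog, so it cannot manufacture consent on the user's behalf.
    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_BT) return;
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            sendFileOverBluetooth();
        } else {   // safe-by-default: one party declined, so the action does not happen
            Toast.makeText(this, "Bluetooth permission denied, file not sent", Toast.LENGTH_SHORT).show();
        }
    }

    // Party 3, the OS, enforces the decision independently: on Android 12+ the Bluetooth
    // service throws SecurityException if an app reaches this point without consent.
    private void sendFileOverBluetooth() {
        try {
            BluetoothAdapter adapter = getSystemService(BluetoothManager.class).getAdapter();
            if (adapter == null) return;   // device has no Bluetooth radio
            Set<BluetoothDevice> peers = adapter.getBondedDevices();   // permission-checked by the OS
            Toast.makeText(this, peers.size() + " paired devices available", Toast.LENGTH_SHORT).show();
            // ... pick a peer and stream the file (omitted)
        } catch (SecurityException e) {
            Toast.makeText(this, "OS refused the Bluetooth action", Toast.LENGTH_SHORT).show();
        }
    }
}
```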

One question arises: if multiple parties have to agree for a single action to happen in Android, couldn’t attackers disguise malicious actions so that the OS fails to catch them and agrees to them? You would not be wrong; things like this do happen, but Android has many security measures that try to prevent them as much as possible.

Let’s take a look at the security mechanisms Android uses to protect itself from attack and keep the user’s data safe.

App Sandbox: Locking Apps in Their Own Worlds

Imagine your Android device as a vibrant kingdom where every app has its own castle. This smart system, called the “App Sandbox,” assigns each app a special User ID (UID) and a personal space, just like sandbox castles for kids. This amazing feature acts like a friendly neighbor who ensures that no app intrudes into another’s territory. So, while your messaging app chats away, your photo editor won’t sneakily check your messages or photos.

The App Sandbox is like a protective wall, separating these app castles and keeping them from peeking into each other’s business. It’s the reason your games don’t mess with your email, and your music app won’t crash your web browser. This unique setup maintains order in the kingdom of your Android device, ensuring that each app behaves well and plays nicely with others. So, whether you’re chatting with friends or editing photos, rest assured that your Android device’s App Sandbox is working hard to keep everything in its place.

App Signing: The Seal of Trust

Think of Android’s “App Signing” as the royal seal of trust for your favorite apps. Just like how you trust your friendly neighbor, you can trust that every app developer signs their creation. This digital signature identifies the app’s author and guarantees that the app is genuine and hasn’t been tampered with. So, when your beloved app gets a shiny new update, it’s like seeing your trustworthy neighbor in a new outfit — the same friendly character with some fresh improvements.

App Signing ensures that app updates are seamless and secure. It’s like getting a welcome upgrade from your favorite local store without worrying about any unexpected surprises. You can embrace these changes with confidence, knowing that the seal of trust remains intact, and your digital experience is in good hands. Just like a friendly neighbor, your apps are always looking out for your best interests, making your Android experience not only enjoyable but also secure.

Authentication: Proving You Are Who You Say You Are

In the world of Android, authentication is like proving your identity to the royal kingdom. It’s a bit like showing your identification papers at the kingdom’s entrance — only this time, your unique fingerprint or secret pattern serves as your magical key. This key ensures that you, and only you, have the power to unlock your device. It’s a bit like having a secret handshake that opens the gates to your digital treasure.

Picture your device as a secure fortress, and authentication is the guardian that decides who gets in. Whether you’re using your fingerprint or a special pattern, it’s like having your own personalized key to the kingdom. And for the most critical tasks, like making payments, Android’s “Protected Confirmation” adds an extra layer of protection. It’s like having a trusted knight by your side to ensure no impostors can access your valuable assets.

Biometrics: Your Personal Bodyguard

Biometrics, like a magic spell, adds an extra layer of security to your Android device. Starting from Android 9 and above, there’s a special tool called the “BiometricPrompt API.” Imagine it as a versatile wizard’s wand for app developers. This nifty tool allows them to incorporate biometric authentication into their apps seamlessly, making it super easy for you to unlock your device and access your apps. It works with various devices and modes, so whether you have a fingerprint sensor, face recognition, or any other strong biometric feature, the BiometricPrompt API has got your back.

Picture it like this: when you use your fingerprint or face to unlock your device or confirm important actions, you’re basically casting a protective enchantment. Only the rightful owner, meaning you, can wield this magic, ensuring that no one else can access your digital kingdom. So, whether you’re using your finger’s unique pattern or your face’s magical charm, Android’s BiometricPrompt API keeps your device locked down tight.

With this technology, Android ensures that your biometric data is used wisely and securely. It’s like having a trusty guardian that watches over your device, making sure only your biometrics can unlock its secrets, adding an extra layer of enchantment to your digital life.

Encryption: Safeguarding Your Digital World

Imagine your Android device as a vault full of your most precious digital possessions — photos, messages, and documents. Encryption acts as an unbreakable spell, turning everything within into a code only you can comprehend. When your device is encrypted, all your data undergoes this transformation as soon as it’s saved, and when you need it, it’s just as swiftly decoded. So, even if a curious intruder attempts to snoop, all they’ll find are unsolvable puzzles. Encryption serves as the unyielding guardian of your digital treasures, ensuring they remain shielded from prying eyes.

Android Keystore: The Digital Fort Knox

The Android Keystore is like a super-secure vault inside your Android device: a fortress where your device stores the important keys and passwords needed to unlock your apps and data. This vault is tough enough to keep your most valuable secrets safe from anyone who tries to snoop on or steal them. The Keystore can create keys, manage different methods of encrypting and decrypting data, and, most importantly, ensure that your keys are wrapped in layers of digital protection. With the Keystore protecting your information, you can be confident that your digital fortress is locked up tight and your secrets are kept secure.
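The Biometrics and Keystore sections above fit together in practice: a key generated inside the Android Keystore can be marked so that each use requires a fresh BiometricPrompt confirmation. The following is an added example, not code from the original post; it assumes minSdk 30, the androidx.biometric library, and a hypothetical key alias "note_key".

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;

// Encrypts a note with an AES key that lives in the Android Keystore and can only be
// used after a fresh strong-biometric confirmation (minSdk 30 assumed).
public class BiometricNoteVault {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "note_key";   // hypothetical key alias
    private final FragmentActivity activity;

    public interface Callback { void onEncrypted(byte[] iv, byte[] ct); void onError(String why); }
    public BiometricNoteVault(FragmentActivity activity) { this.activity = activity; }

    // Generate the key inside the Keystore once. The raw key bytes never leave the secure
    // hardware; the app only ever holds a handle to it (the alias).
    static void createKeyIfMissing() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE); ks.load(null);
        if (ks.containsAlias(ALIAS)) return;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                // timeout 0: every single use of the key needs its own authentication
                .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
                // enrolling a new fingerprint or face permanently invalidates the key
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        kg.generateKey();
    }

    public void encryptNote(final byte[] plaintext, final Callback cb) {
        final Cipher cipher;
        try {
            createKeyIfMissing();
            KeyStore ks = KeyStore.getInstance(KEYSTORE); ks.load(null);
            cipher = Cipher.getInstance("AES/GCM/NoPadding");
            // Binds the operation to the key but does not authorise it yet; throws
            // KeyPermanentlyInvalidatedException if biometric enrollment changed.
            cipher.init(Cipher.ENCRYPT_MODE, ks.getKey(ALIAS, null));
        } catch (Exception e) { cb.onError(e.toString()); return; }
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Unlock note").setNegativeButtonText("Cancel")
                .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
                .build();
        BiometricPrompt prompt = new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                        try {   // the TEE has now authorised exactly this one cipher operation
                            Cipher unlocked = r.getCryptoObject().getCipher();
                            cb.onEncrypted(unlocked.getIV(), unlocked.doFinal(plaintext));
                        } catch (Exception e) { cb.onError(e.toString()); }
                    }
                    @Override public void onAuthenticationError(int code, CharSequence msg) {
                        cb.onError(msg.toString());   // cancelled or locked out: action blocked
                    }
                });
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

The IV returned with the ciphertext must be stored alongside it; decryption follows the same prompt flow with Cipher.DECRYPT_MODE and a GCMParameterSpec built from that IV.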

Security-Enhanced Linux (SELinux): The Guardian of the Kingdom

In the world of Android, even the most powerful processes have their own protector. Android has a guardian called Security-Enhanced Linux, or SELinux for short, which watches over all the important processes, even the ones with high-level powers like root. Think of SELinux as a vigilant sentinel for your digital kingdom, making sure that no process misbehaves or goes rogue. It’s like a super-attentive guard that never takes a break, adding an extra layer of security that makes it really tough for anything sneaky to happen and keeping your Android world safe and sound.

Trusty Trusted Execution Environment (TEE): The Hidden Treasure Chamber

Hidden deep inside your Android device, there’s a special place known as the Trusty Trusted Execution Environment, or TEE for short. It’s like a secret chamber that handles sensitive jobs such as fingerprint or face recognition. This chamber runs on the same processor as your Android system but is completely separate from it, both in hardware and in software: a hidden room with extra-strong walls and a secret code to enter, just for keeping really important things safe. Trusty TEE is the guardian of the most valuable treasures, making sure no intruder can ever lay a finger on your most precious digital belongings.

Verified Boot: Protecting the Kingdom’s Gates

When your Android device starts up, it’s like the gates of a fortress opening to welcome the trusted protectors. “Verified Boot” is the gatekeeper that makes sure only code from reliable sources, usually the device maker, can come inside. It establishes a chain of trust that starts with a strong, locked-down root of trust and then goes through the bootloader, the boot partition, and other vital parts of your device. This process makes sure that your device is safe from attackers or sneaky changes. Verified Boot is the watchful guardian right at the kingdom’s gates, making sure only the right code can enter, keeping your device secure and your data intact.

Now that we have a high-level overview of the Android OS itself, we can see that the Android ecosystem in itself is pretty secure. Moreover, since Android is an open-source project, it is naturally exceptionally hard for any hacker to hack the OS or the device itself.

So if this is the case, how do attackers hack into mobile phones? The Android ecosystem is pretty secure and more or less impenetrable (not unhackable though; nothing in this world is unhackable per se), but the apps are not, and that is how attackers get into a mobile device.

And even more than the apps, for any website or app, its users are always the weakest link in compromising any kind of software. If a black-hat hacker wanted to compromise your device, the easiest thing for them would be to pull off a simple phishing or social-engineering attack on you to get your passwords and so on. In the bug bounty world, however, this is not the case.

Bug bounty programs almost never pay for phishing or social-engineering attacks, as these are out of scope and are usually considered a flaw on the user’s side. A bug bounty program only pays for the bugs you are able to find inside its app.

We know that all three parties must agree on an action for it to happen. Making the Android OS agree to a malicious action is extremely hard, but that is not the case with apps. Let’s consider an example.

Say the Android OS stores files in encrypted form and the user wants to read one. The app requests the file from the Android OS, which decrypts it and lets the user read it. But if that app is not secure, an attacker could impersonate the user and read any of their files on their behalf.

For an attacker, reading the file directly from the Android OS would have been an extremely hard task; but by attacking the app that does the same thing, if that app is vulnerable, they can simply do it on the user’s behalf without ever breaking the OS. That is precisely why an app needs to be secure on its own end: an app’s carelessness about security can lead to the compromise of its users’ security.

With this, we come to the end of part 1 of this masterclass. In this post, we learnt the basics of the Android security model and which components come into play to secure the device. However, this was just the tip of the iceberg. We still have a long road ahead, where we will discuss the different types of vulnerabilities that actually make an app vulnerable. So stay tuned.

In the next post, we are going to cover the concept of security metrics for Android apps and why they are important in the first place.


Divyansh Dwivedi

SSE-1 @ Ninjavan | Founder @Animeclassroom | Team Lead (Android) @ GMP | Security Researcher | Author | Tech Strategist