ANDROID PENTESTING SERIES PART 3 : Overview of Android Security
Android is a Linux-based operating system designed primarily for touch screen mobile devices. Android is a powerful open source operating system which runs on a wide range of devices such as mobile smartphones, tablets, set-top box etc. Security is a major part of android operating system. Android operating system was created with the openness is mind, and is conducive to the use of third party applications and cloud based services. The security features provided by android operating system are :
The Android platform takes advantage of the Linux user-based protection to identify and isolate app resources. This user-based protection allows Android to create an “Application Sandbox”. The android operating system installs every android application with a unique user ID. Each application file is private to this generated user ID and other application can not access this file. In addition, each android application is started in its own process, which is enforced at the process level through the linux kernel, which does not allow applications to interact with one another, and gives them only limited access to the android operating system. If the data should be shared between two applications, then it must be done explicitly via an android component such as a service or a connect provider.
Every application that run on the android platform must be signed by the developer. App signing allows the developers to identify the author of the application and provide a more streamline process to update the application without creating any complicated interfaces and permissions. Application that attempts to install on a device without being signed will be rejected by google play or the package installer. App signing is the first step to placing an application in the application sandbox.
Permission Concept in Android
Android contains a permission system and predefined permissions for certain tasks. Every application can request required permissions. For example, an application may declare that it requires network access. It can also define new permissions.
There are two types of permissions in android run-time and install time. Before API 23 (API 22 – Android 5.1.1) the permission is requested at the installation time at the Google Play Store. If the user Accepts the permissions, the app is installed. Else the app installation is canceled. But from API 23 (Android 6) the permission is requested at the run time during the running of the app. If the user Accepts the permissions, then that feature of the app can be used. Else to use the feature, the app requests permission again.
An Android application declares the required permissions in its AndroidManifest file.