Foreign-language translation: Android security
Understanding Android Security
-- William Enck, Machigar Ongtang, McDaniel, Pennsylvania State University
The next generation of open operating systems won't be on desktops or mainframes but on the small mobile devices we carry every day. The openness of these new environments will lead to new applications and markets and will enable greater integration with existing online services. However, as the importance of the data and services our cell phones support increases, so too do the opportunities for vulnerability. It's essential that this next generation of platforms provides a comprehensive and usable security infrastructure.
Developed by the Open Handset Alliance (visibly led by Google), Android is a widely anticipated open source operating system for mobile devices that provides a base operating system, an application middleware layer, a Java software development kit (SDK), and a collection of system applications. Although the Android SDK has been available since late 2007, the first publicly available Android-ready "G1" phone debuted in late October 2008. Since then, Android's growth has been phenomenal:
T-Mobile's G1 manufacturer HTC estimates shipment volumes of more than 1 million phones by the end of 2008, and industry insiders expect public adoption to increase steeply in 2009. Many other cell phone providers have either promised or plan to support it in the near future.
A large community of developers has organized around Android, and many new products and applications are now available for it. One of Android's chief selling points is that it lets developers seamlessly extend online services to phones. The most visible example of this feature is, unsurprisingly, the tight integration of Google's Gmail, Calendar, and Contacts Web applications with system utilities. Android users simply supply a username and password, and their phones automatically synchronize with Google services. Other vendors are rapidly adapting their existing instant messaging, social networks, and gaming services to Android, and many enterprises are looking for ways to integrate their own internal operations (such as inventory management, purchasing, receiving, and so forth) into it as well.
Traditional desktop and server operating systems have struggled to securely integrate such personal and business applications and services on a single platform. Although doing so on a mobile platform such as Android remains nontrivial, many researchers hope it provides a clean slate devoid of the complications that legacy software can cause.
Android doesn't officially support applications developed for other platforms: applications execute on top of a Java middleware layer running on an embedded Linux kernel, so developers wishing to port their application to Android must use its custom user interface environment.
Additionally, Android restricts application interaction to its special APIs by running each application as its own user identity. Although this controlled interaction has several beneficial security features, our experiences developing Android applications have revealed that designing secure applications isn't always straightforward. Android uses a simple permission label assignment model to restrict access to resources and other applications, but for reasons of necessity and convenience, its designers have added several potentially confusing refinements as the system has evolved.
This article attempts to unmask the complexity of Android security and note some possible development pitfalls that occur when defining an application's security. We conclude by attempting to draw some lessons and identify opportunities for future enhancements that should aid in clarity and correctness.
Android Applications
The Android application framework forces a structure on developers. It doesn't have a main() function or single entry point for execution—instead, developers must design applications in terms of components.
Example Application
We developed a pair of applications to help describe how Android applications operate. Interested readers can download the source code from our Web site (http://siis.cse.psu.edu/android_sec_tutorial.html).
Let's consider a location-sensitive social networking application for mobile phones in which users can discover their friends' locations. We split the functionality into two applications: one for tracking friends and one for viewing them. As Figure 1 shows, the FriendTracker application consists of components specific to tracking friend locations (for example, via a Web service), storing geographic coordinates, and sharing those coordinates with other applications. The user then uses the FriendViewer application to retrieve the stored geographic coordinates and view friends on a map.
Both applications contain multiple components for performing their respective tasks; the components themselves are classified by their component types. An Android developer chooses from predefined component types depending on the component's purpose (such as interfacing with a user or storing data).
Component Types
Android defines four component types:
• Activity components define an application's user interface. Typically, an application developer defines one activity per "screen." Activities start each other, possibly passing and returning values. Only one activity on the system has keyboard and processing focus at a time; all others are suspended.
• Service components perform background processing. When an activity needs to perform some operation that must continue after the user interface disappears (such as download a file or play music), it commonly starts a service specifically designed for that action. The developer can also use services as application-specific daemons, possibly starting on boot. Services often define an interface for Remote Procedure Call (RPC) that other system components can use to send commands and retrieve data, as well as register callbacks.
• Content provider components store and share data using a relational database interface. Each content provider has an associated "authority" describing the content it contains. Other components use the authority name as a handle to perform SQL queries (such as SELECT, INSERT, or DELETE) to read and write content. Although content providers typically store values in database records, data retrieval is implementation specific—for example, files are also shared through content provider interfaces.
• Broadcast receiver components act as mailboxes for messages from other applications. Commonly, application code broadcasts messages to an implicit destination. Broadcast receivers thus subscribe to such destinations to receive the messages sent to it. Application code can also address a broadcast receiver explicitly by including the namespace assigned to its containing application.
Figure 1 shows the FriendTracker and FriendViewer applications containing the different component types. The developer specifies components using a manifest file. There are no restrictions on the number of components an application defines for each type, but as a convention, one component has the same name as the application. Frequently, this is an activity, as in the FriendViewer application. This activity usually indicates the primary activity that the system application launcher uses to start the user interface; however, the specific activity chosen on launch is marked by meta information in the manifest.
In the FriendTracker application, for example, the FriendTrackerControl activity is marked as the main user interface entry point. In this case, we reserved the name "FriendTracker" for the service component performing the core application logic.
The FriendTracker application contains each of the four component types. The FriendTracker service polls an external service to discover friends' locations. In our example code, we generate locations randomly, but extending the component to interface with a Web service is straightforward. The FriendProvider content provider maintains the most recent geographic coordinates for friends, the FriendTrackerControl activity defines a user interface for starting and stopping the tracking functionality, and the BootReceiver broadcast receiver obtains a notification from the system once it boots (the application uses this to automatically start the FriendTracker service).
The FriendViewer application is primarily concerned with showing information about friends' locations. The FriendViewer activity lists all friends and their geographic coordinates, and the FriendMap activity displays them on a map. The FriendReceiver broadcast receiver waits for messages that indicate the physical phone is near a particular friend and displays a message to the user upon such an event. Although we could have placed these components within the FriendTracker application, we created a separate application to demonstrate cross-application communication. Additionally, by separating the tracking and user interface logic, we can create alternative user interfaces with different displays and features—that is, many applications can reuse the logic performed in FriendTracker.
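As an added illustration (not the authors' downloadable example code), the following manifest declares the four FriendTracker components exactly as the text above describes them: the launcher meta-information on FriendTrackerControl, the service carrying the application's name, the provider's authority handle, and the boot-time receiver. The package name and the authority string are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Package name is an assumption made for this illustration. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="edu.psu.siis.friendtracker">

    <!-- BootReceiver can only receive the system's boot notification
         if the application holds this permission label. -->
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED" />

    <application android:label="FriendTracker">

        <!-- Activity: user interface for starting and stopping tracking.
             The MAIN/LAUNCHER intent filter is the "meta information" that
             marks this activity as the entry point shown by the launcher. -->
        <activity android:name=".FriendTrackerControl">
            <intent-filter>
                <action android:name="android.intent.action.MAIN" />
                <category android:name="android.intent.category.LAUNCHER" />
            </intent-filter>
        </activity>

        <!-- Service: core tracking logic; by the naming convention in the
             text, this component bears the application's name. -->
        <service android:name=".FriendTracker" />

        <!-- Content provider: the authority (an assumed value) is the handle
             other components, such as FriendViewer, use to query the stored
             coordinates. With no further restriction declared here, the
             provider is reachable by every application on the device. -->
        <provider android:name=".FriendProvider"
                  android:authorities="edu.psu.siis.friendprovider" />

        <!-- Broadcast receiver: subscribes to the implicit boot-completed
             destination so it can start the FriendTracker service at boot. -->
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED" />
            </intent-filter>
        </receiver>

    </application>
</manifest>
```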
Component Interaction
The primary mechanism for component interaction is an intent, which is simply a message object containing a destination component address and data. The Android API defines methods that accept intents and uses that information to start activities (startActivity(Intent)), start services (startService(Intent)), and broadcast messages (sendBroadcast(Intent)). The invocation of these methods tells the Android framework to begin executing code in the target application. This process of intercomponent communication is known as an action. Simply put, an intent object defines the "intent" to perform an "action."
One of Android's most powerful features is the flexibility allowed by its intent-addressing mechanism. Although developers ca