外文译文android security.docx

外文译文android security.docx

《外文译文android security.docx》由会员分享，可在线阅读，更多相关《外文译文android security.docx（17页珍藏版）》请在冰点文库上搜索。

外文译文androidsecurity

UnderstandingAndroidSecurity

--WILLIAMENCKMACHIGARONGRANG,McDANIELPennsylvaniaStateUniversity

Thenextgenerationofopenoperatingsystemswon’tbeondesktopsormainframesbutonthesmallmobiledeviceswecarryeveryday.Theopennessofthesenewenvironmentswillleadtonewapplicationsandmarketsandwillenablegreaterintegrationwithexistingonlineservices.However,astheimportanceofthedataandservicesourcellphonessupportincreases,sotoodotheopportunitiesforvulnerability.It’sessentialthatthisnextgenerationofplatformsprovidesacomprehensiveandusablesecurityinfrastructure.

DevelopedbytheOpenHandsetAlliance（visiblyledbyGoogle）,Androidisawidelyanticipatedopensourceoperatingsystemformobiledevicesthatprovidesabaseoperatingsystem,anapplicationmiddlewarelayer,aJavasoftwaredevelopmentkit（SDK）,andacollectionofsystemapplications.AlthoughtheAndroidSDKhasbeenavailablesincelate2007,thefirstpubliclyavailableAndroidready“G1”phonedebutedinlateOctober2008.Sincethen,Android’sgrowthhasbeenphenomenal:

T-Mobile’sG1manufacturerHTCestimatesshipmentvolumesofmorethan1millionphonesbytheendof2008,andindustryinsidersexpectpublicadoptiontoincreasesteeplyin2009.Manyothercellphoneprovidershaveeitherpromisedorplantosupportitinthenearfuture.

AlargecommunityofdevelopershasorganizedaroundAndroid,andmanynewproductsandapplicationsarenowavailableforit.OneofAndroid’schiefsellingpointsisthatitletsdevelopersseamlesslyextendonlineservicestophones.Themostvisibleexampleofthisfeatureis,unsurprisingly,thetightintegrationofGoogle’sGmail,Calendar,andContactsWebapplicationswithsystemutilities.Androiduserssimplysupplyausernameandpassword,andtheirphonesautomaticallysynchronizewithGoogleservices.Othervendorsarerapidlyadaptingtheirexistinginstantmessaging,socialnetworks,andgamingservicestoAndroid,andmanyenterprisesare

lookingforwaystointegratetheirowninternaloperations（suchasinventorymanagement,purchasing,receiving,andsoforth）intoitaswell.

Traditionaldesktopandserveroperatingsystemshavestruggledtosecurelyintegratesuchpersonalandbusinessapplicationsandservicesonasingleplatform.AlthoughdoingsoonamobileplatformsuchasAndroidremainsnontrivial,manyresearchershopeitprovidesacleanslatedevoidofthecomplicationsthatlegacysoftwarecancause.

Androiddoesn’tofficiallysupportapplicationsdevelopedforotherplatforms:

applicationsexecuteontopofaJavamiddlewarelayerrunningonanembeddedLinuxkernel,sodeveloperswishingtoporttheirapplicationtoAndroidmustuseitscustomuserinterfaceenvironment.

Additionally,AndroidrestrictsapplicationinteractiontoitsspecialAPIsbyrunningeachapplicationasitsownuseridentity.Althoughthiscontrolledinteractionhasseveralbeneficialsecurityfeatures,ourexperiencesdevelopingAndroidapplicationshaverevealedthatdesigningsecureapplicationsisn’talwaysstraightforward.Androidusesasimplepermissionlabelassignmentmodeltorestrictaccesstoresourcesandotherapplications,butforreasonsofnecessityandconvenience,itsdesignershaveaddedseveralpotentiallyconfusingrefinementsasthesystemhasevolved.

ThisarticleattemptstounmaskthecomplexityofAndroidsecurityandnotesomepossibledevelopmentpitfallsthatoccurwhendefininganapplication’ssecurity.Weconcludebyattemptingtodrawsomelessonsandidentifyopportunitiesforfutureenhancementsthatshouldaidinclarityandcorrectness.

AndroidApplications

TheAndroidapplicationframeworkforcesastructureondevelopers.Itdoesn’thaveamain（）functionorsingleentrypointforexecution—instead,developersmustdesignapplicationsintermsofcomponents.

ExampleApplication

WedevelopedapairofapplicationstohelpdescribehowAndroidapplicationsoperate.InterestedreaderscandownloadthesourcecodefromourWebsite（http:

//siis.cse.psu.

edu/android_sec_tutorial.html）.

Let’sconsideralocation-sensitivesocialnetworkingapplicationformobilephonesinwhichuserscandiscovertheirfriends’locations.Wesplitthefunctionalityintotwoapplications:

onefortrackingfriendsandoneforviewingthem.AsFigure1shows,theFriendTrackerapplicationconsistsofcomponentsspecifictotrackingfriendlocations（forexample,viaaWebservice）,storinggeographiccoordinates,andsharingthosecoordinateswithotherapplications.TheuserthenusestheFriendViewerapplicationtoretrievethestoredgeographiccoordinatesandviewfriendsonamap.

Bothapplicationscontainmultiplecomponentsforperformingtheirrespectivetasks;thecomponentsthemselvesareclassifiedbytheircomponenttypes.AnAndroiddeveloperchoosesfrompredefinedcomponenttypesdependingonthecomponent’spurpose（suchasinterfacingwithauserorstoringdata）.

ComponentTypes

Androiddefinesfourcomponenttypes:

•Activitycomponentsdefineanapplication’suserinterface.Typically,anapplicationdeveloperdefinesoneactivityper“screen.”Activitiesstarteachother,possiblypassingandreturningvalues.Onlyoneactivityonthesystemhaskeyboardandprocessingfocusatatime;allothersaresuspended.

•Servicecomponentsperformbackgroundprocessing.Whenanactivityneedstoperformsomeoperationthatmustcontinueaftertheuserinterfacedisappears（suchasdownloadafileorplaymusic）,itcommonlystartsaservicespecificallydesignedforthataction.

Thedevelopercanalsouseservicesasapplication-specificdaemons,possiblystartingonboot.ServicesoftendefineaninterfaceforRemoteProcedureCall（RPC）thatothersystemcomponentscanusetosendcommandsandretrievedata,aswellasregistercallbacks.

•Contentprovidercomponentsstoreandsharedatausingarelationaldatabaseinterface.Eachcontentproviderhasanassociated“authority”describingthecontentitcontains.OthercomponentsusetheauthoritynameasahandletoperformSQLqueries（suchasSELECT,INSERT,orDELETE）toreadandwritecontent.Althoughcontentproviderstypicallystorevaluesindatabaserecords,dataretrievalisimplementationspecific—forexample,filesarealsosharedthroughcontentproviderinterfaces.

•Broadcastreceivercomponentsactasmailboxesformessagesfromotherapplications.Commonly,applicationcodebroadcastsmessagestoanimplicitdestination.Broadcastreceiversthussubscribetosuchdestinationstoreceivethemessagessenttoit.Applicationcodecanalsoaddressabroadcastreceiverexplicitlybyincludingthenamespaceassignedtoitscontainingapplication.

Figure1showstheFriendTrackerandFriendViewerapplicationscontainingthedifferentcomponenttypes.Thedeveloperspecifiescomponentsusingamanifestfile.Therearenorestrictionsonthenumberofcomponentsanapplicationdefinesforeachtype,butasaconvention,onecomponenthasthesamenameastheapplication.Frequently,thisisanactivity,asintheFriendViewerapplication.Thisactivityusuallyindicatestheprimaryactivitythatthesystemapplicationlauncherusestostarttheuserinterface;however,thespecificactivitychosenonlaunchismarkedbymetainformationinthemanifest.

IntheFriendTrackerapplication,forexample,theFriendTrackerControlactivityismarkedasthe

mainuserinterfaceentrypoint.Inthiscase,wereservedthename“FriendTracker”fortheservicecomponentperformingthecoreapplicationlogic.

TheFriendTrackerapplicationcontainseachofthefourcomponenttypes.TheFriendTrackerservicepollsanexternalservicetodiscoverfriends’locations.Inourexamplecode,wegeneratelocationsrandomly,butextendingthecomponenttointerfacewithaWebserviceisstraightforward.TheFriendProvidercontentprovidermaintainsthemostrecentgeographiccoordinatesforfriends,theFriendTrackerControlactivitydefinesauserinterfaceforstartingandstoppingthetrackingfunctionality,andtheBootReceiverbroadcastreceiverobtainsanotificationfromthesystemonceitboots（theapplicationusesthistoautomaticallystarttheFriendTrackerservice）.

TheFriendViewerapplicationisprimarilyconcernedwithshowinginformationaboutfriends’locations.TheFriendVieweractivitylistsallfriendsandtheirgeographiccoordinates,andtheFriendMapactivitydisplaysthemonamap.TheFriendReceiverbroadcastreceiverwaitsformessagesthatindicatethephysicalphoneisnearaparticularfriendanddisplaysamessagetotheuseruponsuchanevent.AlthoughwecouldhaveplacedthesecomponentswithintheFriendTrackerapplication,wecreatedaseparateapplicationtodemonstratecross-applicationcommunication.Additionally,byseparatingthetrackinganduserinterfacelogic,wecancreatealternativeuserinterfaceswithdifferentdisplaysandfeatures—thatis,manyapplicationscanreusethelogicperformedinFriendTracker.

ComponentInteraction

Theprimarymechanismforcomponentinteractionisanintent,whichissimplyamessageobjectcontainingadestinationcomponentaddressanddata.TheAndroidAPIdefinesmethodsthatacceptintentsandusesthatinformationtostartactivities（startActivity（Intent））,startservices（startService（Intent））,and（sendBroadcast（Intent））.TheinvocationofthesemethodstellstheAndroidframeworktobeginexecutingcodeinthetargetapplication.Thisprocessofintercomponentcommunicationisknownasanaction.Simplyput,anintentobjectdefinesthe“intent”toperforman“action.”

OneofAndroid’smostpowerfulfeaturesistheflexibilityallowedbyitsintent-addressingmechanism.Althoughdevelopersca