Android Mobile Application Security

This document describes the Android Security Model and provides the context required to understand the tools and techniques that will be demonstrated by Jesse Burns at his Black Hat USA talk, currently scheduled for July 30th, 2009. Updates are available on the iSEC Partners website.

Android is a Linux platform programmed with Java and enhanced with its own security mechanisms tuned for a mobile environment. Android combines OS features like efficient shared memory, preemptive multi-tasking, Unix user identifiers (UIDs) and file permissions with the type-safe Java language and its familiar class library. The resulting security model is much more like a multi-user server than the sandbox found on the J2ME or BlackBerry platforms.

Unlike in a desktop computer environment, where a user's applications all run as the same UID, Android applications are individually siloed from each other. Android applications run in separate processes under distinct UIDs, each with distinct permissions. Programs can typically neither read nor write each other's data or code, and sharing data between applications must be done explicitly. The Android GUI environment has some novel security features that help support this isolation.
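The UID-and-file-permission isolation described above can be checked from a directory listing. The following Python code is an added example, not taken from the iSEC Partners paper: it assumes the input is `ls -ln /data/data` output captured from a device you administer, and the package names, sample lines and the `audit` function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `ls -ln /data/data` output (not from a real device).
SAMPLE = """\
drwxr-x--x 4 10021 10021 4096 2009-07-01 10:00 com.example.mail
drwxr-x--x 4 10022 10022 4096 2009-07-01 10:00 com.example.notes
drwxrwxrwx 4 10023 10023 4096 2009-07-01 10:00 com.example.game
drwxr-x--x 4 10021 10021 4096 2009-07-01 10:00 com.example.mailsync
"""

# Directory entry: mode bits, link count, numeric UID, numeric GID, ..., name.
LINE = re.compile(
    r"^d(?P<mode>[rwxsStT-]{9})\s+\d+\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s.*\s(?P<name>\S+)$"
)

def audit(listing):
    """Return (shared, exposed).

    shared:  {uid: [dirs]} for UIDs that own more than one app data directory;
             those apps are not separated from each other by file permissions.
    exposed: directories whose "other" bits grant read or write, so any
             other UID on the device can list or modify their contents.
    """
    by_uid = defaultdict(list)
    exposed = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip totals, files and anything that is not a directory
        by_uid[int(m["uid"])].append(m["name"])
        other = m["mode"][6:9]  # last permission triplet applies to other UIDs
        if "r" in other or "w" in other:
            exposed.append(m["name"])
    shared = {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}
    return shared, sorted(exposed)

if __name__ == "__main__":
    shared, exposed = audit(SAMPLE)
    for uid, names in shared.items():
        print(f"UID {uid} is shared by: {', '.join(names)}")
    for name in exposed:
        print(f"{name} is readable or writable by other UIDs")
```

A directory with only the execute bit set for "other" (as in `drwxr-x--x`) is not reported, because other UIDs can traverse it but cannot list or write its contents.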