Last week I wrote a script that would control which permissions an app had access to. It did this by unpacking the app with APKTool, editing the AndroidManifest.xml file to remove the unwanted permissions, then repackaging the whole thing. This works because if the app doesn't request a permission in its manifest, the system will not give it that permission, effectively limiting the app. There are a few cases in which the app cannot run without a certain permission, but I was not able to determine when this would occur or prevent it.
I also had some fun learning about how to incorporate command line arguments into a script, and I made this script accept the name of the app to edit in the terminal so that users wouldn't have to edit the app's name for the script to recognize it.
Here is the script, by the way:
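The author's script is not reproduced on this page. As an added example (not the author's code), the manifest-editing step described above could look like this in Python, applied to the `AndroidManifest.xml` that APKTool decodes; the sample manifest, package name and function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
# Keep the android: prefix when the tree is written back out.
ET.register_namespace("android", ANDROID_NS)

# Constructed sample of a decoded manifest (not taken from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Demo">
        <activity android:name=".Main" android:permission="android.permission.READ_CONTACTS"/>
    </application>
</manifest>
"""

def requested_permissions(manifest_xml):
    """List the permissions the manifest asks the system for."""
    root = ET.fromstring(manifest_xml)
    return [e.get(NAME_ATTR) for e in root.findall("uses-permission")]

def strip_permissions(manifest_xml, unwanted):
    """Return (new_xml, removed) with unwanted <uses-permission> entries dropped."""
    root = ET.fromstring(manifest_xml)
    removed = []
    # Only direct <uses-permission> children of <manifest> are requests.
    # An android:permission attribute on a component is a requirement placed
    # on callers, so it is deliberately left untouched.
    for elem in list(root):
        if elem.tag == "uses-permission" and elem.get(NAME_ATTR) in unwanted:
            root.remove(elem)
            removed.append(elem.get(NAME_ATTR))
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    # Usage: script.py <decoded_dir>/AndroidManifest.xml PERMISSION [PERMISSION ...]
    if len(sys.argv) >= 3:
        path, unwanted = sys.argv[1], set(sys.argv[2:])
        with open(path, encoding="utf-8") as fh:
            new_xml, removed = strip_permissions(fh.read(), unwanted)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_xml)
    else:  # no arguments: demonstrate on the constructed sample
        new_xml, removed = strip_permissions(
            SAMPLE_MANIFEST, {"android.permission.READ_CONTACTS"})
    print("removed:", removed)
    print("still requested:", requested_permissions(new_xml))
```

Decoding and rebuilding the APK happen outside this function, and the rebuilt APK has to be signed again before Android will install it.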
Tuesday, May 28, 2013
Monday, May 20, 2013
Getting Back Into the Swing of Things
For my first day back I am starting by looking at how Android sandboxes applications. The security section of Android's open source documentation (at https://source.android.com/tech/security/) does a fair job of documenting the basics. The most interesting portion of the description that I found explains that all of Android's applications run as separate users. This gives each one the flexibility to make system calls and utilize all of Android's services while not being able to interact with one another. It is also deeply ingrained in the Linux kernel (which Android is based on) that users must not be able to affect one another, helping to ensure that if one application is exploited, the attacker will not be able to affect other programs unless he/she finds a vulnerability in the Linux kernel. Understanding that the system is set up this way also helps to explain why having root makes the whole system vulnerable. Because root has permissions to access all other users' files, any program with root access can read, write, and execute all other applications' files, breaching the sandbox and allowing an attacker to influence all programs on a phone.