
Journey to eMAPT Part 1: Android Basics

Note:

Welcome to my journey of mastering Android security! As I prepare for the eMAPT certification, I'll be sharing insights, notes, and tested applications to help fellow learners navigate this exciting field.




What is Android?

Android is an open-source operating system developed by Google and the Open Handset Alliance. It is designed for mobile devices and offers a customizable platform for developers to create applications. It is based on the Linux kernel and supports features like a user-friendly interface, access to the Google Play Store, and integration with Google services. It is used in smartphones, tablets, smart TVs, smartwatches, and other devices, and has a large developer community contributing to its growth and availability of apps.

Because Android runs on such a wide range of devices, the attack surface, and with it the scope available to bug hunters, is huge.

Android Architecture

The Android architecture is composed of several layers that work together to provide a complete operating system for mobile devices.

From bottom to top, they are:

Linux Kernel: This is the foundation on which all the other layers rest. Android is built on top of the Linux kernel, which provides core operating system services such as memory management, process management, power management and device drivers.

Hardware Abstraction Layer (HAL): This layer acts as an interface between the hardware-specific drivers and the rest of the Android system. It allows the Android framework to communicate with various hardware components like camera, display, and sensors, regardless of the underlying hardware implementation. This layer helps developers to build applications without paying much heed to the underlying hardware of the device. It provides a standardized set of interfaces and APIs that allow the Android framework and applications to interact with various hardware components.

Native Libraries: This layer includes libraries written in C and C++, which provide core functionalities such as graphics rendering, SQLite database management, multimedia processing, and networking. Not everything can be achieved through the standardized interfaces and APIs defined in the HAL, so for specialized or performance-critical functions developers may choose to implement those components using native libraries.

Android Runtime (ART): ART is the runtime environment in which Android applications run. It includes the Just-In-Time (JIT) compiler and the Ahead-Of-Time (AOT) compiler, which convert the application bytecode into machine code that can be executed by the device's processor.

Java API Framework: This layer provides a set of reusable components and services that developers can leverage to build Android applications. It includes various libraries for handling user interfaces, graphics, data storage, connectivity, and more.

System Services: This layer provides a set of system services that handle core functionalities such as power management, security, telephony, location, and notifications. These services are accessible to both system components and third-party applications.

Application Framework: This layer exposes system APIs for common functionality that is used by applications. It includes components like Activity Manager, Content Providers, Resource Manager, and Package Manager, which help manage the application lifecycle, access data and resources, and handle inter-process communication.

Applications: This layer is where all the applications we install and run reside. They are built using the Android framework.

Android Virtual Machines

Android uses Process Virtual Machines, which are designed to execute computer programs in a platform-independent environment.

Dalvik Virtual Machine, or DVM, is the Process VM for Android. Java source files are compiled to DEX bytecode (optimized for Android), and this bytecode is then run on the DVM.

DVM has been discontinued since the introduction of Android v4.4 KitKat and is no longer supported.

For more information on Dalvik bytecode, please refer to https://source.android.com/docs/core/runtime/dalvik-bytecode

Android Runtime, or ART, is the managed runtime used by apps and system services on Android. Replacing its predecessor Dalvik, ART translates the app's bytecode into native instructions that are later executed by the device's processor. To maintain backward compatibility, ART consumes the same input bytecode as Dalvik: ".dex" files.

Some of the advantages of using ART:

  • Optimized Garbage Collector
  • Faster Native calls
  • Better battery life
  • Faster runtime

Android Security

There are a lot of applications installed on our Android devices, but these applications do not generally communicate with each other. For example, does the calculator communicate with your banking app? The answer is generally no, unless it is a malicious app installed on your phone to steal your bank details.

To prevent applications from accessing each other's data, a separate UID (user ID) is created and assigned to each application at installation time. Thus an application can only access files owned by its own UID, and no others, unless another application or the OS explicitly shares them.

Since a higher-privileged user such as "root" can still access all application folders and files, Android decided to implement mandatory access control (MAC) on top of the UID sandbox.

Starting with Android 5.0, Security-Enhanced Linux (SELinux) is used to enforce MAC over all processes, including processes running with root/superuser privileges or elevated Linux capabilities.

SELinux operates on the principle of default denial: Anything not explicitly allowed is denied.
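The UID-per-app sandbox described above is something you can verify on a test device. The following script is an added example, not code from the original post: it audits a directory listing in the format of `ls -ln /data/data` and flags app data directories that are readable by other UIDs, that share a UID with another package, or that run below the app UID range (app UIDs start at 10000 on Android). The listing embedded in the script is constructed sample output, not captured from a real device; on a device you would pipe `adb shell ls -ln /data/data` into `audit_listing` and check `adb shell getenforce` separately for SELinux's Enforcing mode.

```shell
#!/bin/sh
# Constructed sample of `ls -ln /data/data` output (not from a real device).
# Columns: mode links uid gid size date time name
SAMPLE_LISTING='drwx------ 4 10112 10112 4096 2024-01-01 00:00 com.example.bank
drwxrwxr-x 4 10113 10113 4096 2024-01-01 00:00 com.example.leaky
drwx------ 4 10114 10114 4096 2024-01-01 00:00 com.example.calc
drwx------ 4 10114 10114 4096 2024-01-01 00:00 com.example.calc.plugin'

# First UID handed out to installed applications (AID_APP_START).
APP_UID_START=10000

# Returns 0 when a mode string like "drwx------" grants no permission
# to group or others, i.e. only the owning UID can enter the directory.
mode_is_private() {
    case "$1" in
        d???------) return 0 ;;
        *)          return 1 ;;
    esac
}

# Reads an ls -ln style listing on stdin, prints one finding per line,
# and returns the number of findings (0 means every directory is sandboxed).
audit_listing() {
    findings=0
    seen_uids=""
    while read -r mode links uid gid size date time name; do
        [ -z "$name" ] && continue

        # Data readable or writable by another UID defeats the sandbox.
        if ! mode_is_private "$mode"; then
            echo "ACCESSIBLE TO OTHER UIDS: $name ($mode, uid $uid)"
            findings=$((findings + 1))
        fi

        # A UID below the app range means the package runs as a system identity.
        if [ "$uid" -lt "$APP_UID_START" ]; then
            echo "NON-APP UID: $name runs as uid $uid"
            findings=$((findings + 1))
        fi

        # Two packages with one UID can read each other's files (sharedUserId).
        case " $seen_uids " in
            *" $uid "*)
                echo "SHARED UID: $name shares uid $uid with another package"
                findings=$((findings + 1))
                ;;
        esac
        seen_uids="$seen_uids $uid"
    done
    return "$findings"
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

Two findings are expected on the sample: `com.example.leaky` exposes its data directory to group and others, and `com.example.calc.plugin` shares UID 10114 with `com.example.calc`. The third check is there so a package listed under a system UID stands out when reviewing a real device.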

Have any thoughts or questions? Drop them in the comments—I’d love to discuss Android security with you!
