On Aug 13, 2009, at 3:19 PM, [hardjono] wrote:
On Aug 13, 2:48 am, Chris Palmer <[email protected]> wrote:
As always, I don't speak for my employer or any of my employer's
clients.
On Mon, Aug 3, 2009 at 6:43 AM, juanfe<[email protected]> wrote:
http://www.mail-archive.com/[email protected]
...
Have you tried this scenario recently, with Cupcake or the latest
SDK?
http://www.mail-archive.com/[email protected]
...
http://developer.android.com/guide/topics/security/security.html
Android's API safety comes primarily from the Permission system and
from the user's informed decision to install a given application.
Certificates cryptographically link Permissions to sources of code and
optionally to a Linux UID. In any case, CAs do not provide any measure
of trustworthiness. CAs were supposed to help people link online
identities with real-world identities, which is a distinct thing.
People seem to want to trust a central authority. That baffles me,
given the performance of global, public CAs so far. (Google for "md5
considered harmful today" or "moxie marlinspike", or try to buy a
certificate with the CN "email" and think about how bad it is that you
were able to.) As security engineers we are trying to reduce the
number of entities we have to trust, and the degree to which we have
to trust them. Android's design helps users do both.
Android's security design is very different from that of PC operating
systems. The user interface tells the user what they need to know to
decide if they want to trust the application with the stated
Permissions. This design allows Android users to put a smaller amount
of trust in their applications; by contrast, PC operating systems
typically require users to fully trust their applications.
Therefore trustworthiness is arguably less of an issue, since users
place less trust in Android applications.
I want to learn more about the security architecture of Android (both
h/w and s/w). Where can I find such info?
PS. Telling the user what they need to know (to decide
if they want to trust the application with the stated Permissions)
does not guarantee trustworthiness. It could be that there
is malware inserted between the platform and the app. I think only
when Android is deployed at the scale of Windows (and is deployed for
high-value transactions) will we hear about attacks and hear about
flaws. Has the Android team looked at Intel's TXT technology and
related h/w security from BRCM?
Thanks.
/thomas/
I've found the source to be a great way to learn about Android
security (http://source.android.com/download).
For the high level s/w, following the package installation flow is a
pretty good way to start learning about permissions and signatures.
The PackageInstaller (packages/apps/PackageInstaller) is the app that
prompts the user about requested permissions. Once the user okays the
install the package is passed to
PackageManagerService.installPackage()
(frameworks/base/services/java/com/android/server/PackageManagerService). When PackageInstaller
calls the PackageManagerService it's an ipc/binder call and so the
service has to check whether the caller has the INSTALL_PACKAGE
permission. This is how the system ensures that the user prompting
hasn't been bypassed. You'll see at the beginning of the
installPackage method a call to enforceCallingOrSelfPermission.
-- dirk
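The pattern dirk describes, written out as an added example (this is not Android's own PackageManagerService code, and the service class name, the doInstall helper and the Uri parameter are made up for illustration). The point it shows is that the permission check lives inside the service process, at the Binder entry point, so a caller that skips the PackageInstaller prompt and talks to the service directly still hits it. It uses the real framework calls Context.enforceCallingOrSelfPermission, Context.checkCallingOrSelfPermission, Binder.getCallingUid and Binder.clearCallingIdentity/restoreCallingIdentity; the manifest string for the permission the thread calls INSTALL_PACKAGE is android.permission.INSTALL_PACKAGES.

```java
// Added example, not code from the Android source tree.
// Sketch of a system service guarding a Binder-exposed method the way
// dirk describes for PackageManagerService.installPackage().

import android.content.Context;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Binder;
import android.util.Log;

public class ExampleInstallService extends Binder {   // hypothetical name
    private static final String TAG = "ExampleInstallService";

    // Real permission string; the thread refers to it as INSTALL_PACKAGE.
    private static final String INSTALL_PERMISSION =
            "android.permission.INSTALL_PACKAGES";

    private final Context mContext;

    public ExampleInstallService(Context context) {
        mContext = context;
    }

    /**
     * Binder entry point. Whoever is on the other end of the IPC, whether
     * PackageInstaller or any other app, is checked here, not in the UI.
     */
    public void installPackage(Uri packageUri) {   // Uri parameter is an assumption
        // Evaluates the permission against Binder.getCallingUid(), i.e. the
        // remote caller (or this process if the call originated locally).
        // Throws SecurityException on failure, so the caller cannot proceed.
        // This must run BEFORE clearCallingIdentity(): after that call the
        // "calling" identity is the service's own UID and the check would
        // always pass.
        mContext.enforceCallingOrSelfPermission(INSTALL_PERMISSION,
                "installPackage requires " + INSTALL_PERMISSION);

        int requestingUid = Binder.getCallingUid();

        // Do the privileged work as the system, not as the caller, so that
        // file operations are not evaluated against the caller's UID.
        long token = Binder.clearCallingIdentity();
        try {
            doInstall(packageUri, requestingUid);
        } finally {
            Binder.restoreCallingIdentity(token);
        }
    }

    /** Non-throwing variant for callers that want to report rather than abort. */
    public boolean callerMayInstall() {
        return mContext.checkCallingOrSelfPermission(INSTALL_PERMISSION)
                == PackageManager.PERMISSION_GRANTED;
    }

    // Hypothetical helper standing in for the copy/verify/scan steps.
    private void doInstall(Uri packageUri, int requestingUid) {
        Log.i(TAG, "install of " + packageUri + " requested by uid " + requestingUid);
    }
}
```

Two design points worth noting: the check is done once, at the boundary where untrusted input arrives, and it is done before the service drops the caller's identity. Putting the check in PackageInstaller instead would protect nothing, since PackageInstaller is just another client of the service and can be replaced by any app that holds a reference to the Binder.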