Introduction to the Android Operating System and Android Security Features (including Android Application Security)
Android is a Linux kernel mobile platform. Android runs on a wide range of devices, from mobile smartphones and tablets, to set-top boxes. The Android mobile operating system is dependent upon the mobile device’s processer capabilities for its performance.
Security is a major part of any Android device. Android was created with openness in mind, and is conducive to the use of third-party applications and cloud-based services. Android seeks to be a secure and usable operating system for mobile platforms.
Android's Five Key Security Features:
1. Security at the operating system level through the Linux kernel
2. Mandatory application sandbox
3. Secure interprocess communication
4. Application signing
5. Application-defined and user-granted permissions
Android Security: System-Level Security Features
The Linux kernel provides Android with a set of security measures. It grants the operating system a user-based permissions model, process isolation, a secure mechanism for IPC, and the ability to remove any unnecessary or potentially insecure parts of the kernel. It further works to prevent multiple system users from accessing each other’s resources and exhausting them.
Android Application Security Features
This user-based protection allows Android to create an “Application Sandbox.” Each Android app is assigned a unique user ID, and each runs as a separate process. Therefore, each application is enforced at the process level through the Linux kernel, which does not allow applications to interact with one another, and gives them only limited access to the Android operating system. This gives the user permission-based access control, and he/she is presented with a list of the activities the Android application will perform and what it will require to do them, before the app is even downloaded. The same goes for filesystem permissions – each application (or user) has its own files, and unless a developer explicitly exposes files to another Android application, files created by one application cannot be read or altered by another.
Android Application Security Scans
When building and testing the security of Android apps, developers should follow Android security best practices and keep the following in mind when performing security tests:
- Inbound SMS listeners (command and control)
- Unsafe file creation
- Improper database storage
- Unsafe use of shared preferences
- Storage of sensitive data on mass storage device
- Content provider SQL injection
- APN or proxy modification
Android Security: Geared Towards User-Friendly Security
All of Android’s more technical security features are designed to be simply presented to the user, meaning that they can be easily controlled through the interface. Straightforward methods of improving your Android device’s security can include: using a password or pin, setting your phone to lock after a period of inactivity, only enabling wireless connections that you use, and only installing Android apps you trust and have personally vetted.
Google also only allows tested and proven secure Android applications into its marketplace, meaning that the user has less of a chance of installing a malicious app. Furthermore, the Android security system prompts the user to allow the installation of an application, meaning that it is impossible to remotely install and run an application. Users can further ensure that their Android device is secure by regularly installing system updates.
1. Android Open Source Project. "Security Overview." Tech Info. N.p., 2012. Web. 18 June 2012. http://source.android.com/tech/security/index.html.
Written by: Neil DuPaul