HOW SMART IS YOUR ANDROID SMARTPHONE? A Project Report Presented to The Faculty of the Department of Computer Science San José State University In Partial Fulfillment of the Requirements for the Degree Master of Computer Science by Deepika Mulani May 2010SAN JOSÉ STATE UNIVERSITY The Undersigned Project Committee Approves the Project Titled HOW SMART IS YOUR ANDROID SMARTPHONE? by Deepika Mulani APPROVED FOR THE DEPARTMENT OF COMPUTER SCIENCE Dr. Mark Stamp Department of Computer Science Date Dr. Jon Pearce Department of Computer Science Date Dr. Chris Pollett Department of Computer Science Date APPROVED FOR THE UNIVERSITY Associate Dean Office of Graduate Studies and Research DateABSTRACT HOW SMART IS YOUR ANDROID SMARTPHONE? by Deepika Mulani Smart phones are ubiquitous today. These phones generally have access to sensitive personal information and, consequently, they are a prime target for attackers. A virus or worm that spreads over the network to cell phone users could be particularly damaging. Due to a rising demand for secure mobile phones, manufacturers have increased their emphasis on mobile security. In this project, we address some security issues relevant to the current Android smartphone framework. Specifically, we demonstrate an exploit that targets the Android telephony service. In addition, as a defense against the loss of personal information, we provide a means to encrypt data stored on the external media card. While smartphones remain vulnerable to a variety of security threats, this encryption provides an additional level of security.iv ACKNOWLEDGEMENT I would like to thank to Dr. Mark Stamp, my project advisor, for his guidance and support throughout my Masters’ degree and project. I would like to thank him especially for his belief in me to work on this project. I would like to thank Dr. Chris Pollett and Dr. Jon Pearce for their guidance and suggestions while I was working on this project. And special thanks to my dear husband Kamlesh for believing in me and being my pillar of support in all my endeavors. I thank him for being a constant source of encouragement to realize my potential and providing timely help and support in my work.v TABLE OF CONTENTS 1.0 Introduction............................................................................................................. 1 1.1 Objective of the Project....................................................................................... 2 1.2 Order of the Project.............................................................................................2 2.0 Android Framework ................................................................................................ 3 2.1 Introduction ......................................................................................................... 3 2.2 Application behavior...........................................................................................4 2.3 Application components......................................................................................5 2.4 Application level security framework................................................................. 6 2.5 Files and preferences...........................................................................................8 2.6 Android limitation...............................................................................................8 3.0 iPhone and Symbian Mobile Frameworks .............................................................. 9 3.1 iPhone security architecture ................................................................................ 9 3.2 Symbian’s security framework..........................................................................10 4.0 Mobile Phone Risks .............................................................................................. 13 5.0 Best Practices ........................................................................................................14 6.0 Experiment Details and Results ............................................................................15 6.1 Exploiting telephony security............................................................................15 6.2 Tapping incoming call.......................................................................................17 6.3 Aborting outgoing voice call............................................................................. 21 6.4 Validation..........................................................................................................21 7.0 Security Feature for Android.................................................................................22 7.1 Encryption of files stored on SD card ............................................................... 23vi 7.2 Encryption limitations.......................................................................................26 7.3 Decryption algorithm ........................................................................................28 7.4 Validation..........................................................................................................30 8.0 Conclusion.............................................................................................................31 References ......................................................................................................................... 32vii LIST OF FIGURES Figure 1. Android architecture ....................................................................................................... 4 Figure 2. Android applications component IPC ............................................................................. 6 Figure 3. Symbian certification and signing process ...................................................................12 Figure 4. XML Permissions for telephony exploitation................................................................16 Figure 5. Install time notification of permissions ......................................................................... 17 Figure 6. Code for receiving incoming voice call number and registering for notification..........18 Figure 7. Message sent on new incoming call