本科毕业设计(论文)译文
题目名称
学
二○一二 年 五 月 三十一 日
译文题目:原文题目: Understanding Android Security 原文出处:http://ishare.iask.sina.com.cn/f/7293546.
2010.2 作者:
深入理解安卓系统的安全性
下一代开放操作系统的主流将不会在桌面上,但是将会出现在我们每天携带的手机上。这些开放性的环境将会带领这些新的应用可能集成这些已经存在的在线服务,当然随着日以具增的数据与服务在手机上的支持,手机上的安全缺陷也越发明显。下一代操作系统本质在于是否提供一个完整综合的安全平台。
由开放手机联盟(open Handset Alliance 谷歌领导)所开发的android 系统是一个被广泛看好的一个手机开源系统,该系统提供一个基本的操作系统,一个中间件应用层,一个java开发工具和一个系统应用收集器(collection of system applications )。尽管android SDK自2007年就发布了,但是第一部android 手机却在2008年10月才诞生。自从这时起谷歌开起了自己的时代,T-Mobile的G1的制造商台湾 HTC估算G1的发货量在2008年底已经超过100万部。据业内人士预期该G1手机的销量将会在2009年继续保持。不久的将来其他许多手机供应商要计划支持这个系统。
一个围绕android庞大的开发者社区已经建立,同时很多新的产品和应用已经可以在android上使用。一个Android的主要卖点是它使开发人员无缝把在线服务扩展到手机。这方面最明显的例子是谷歌的紧密集成Gmail,日历和联系人Web应用程序通过该系统。用户只需提供一个android用户名和密码,其手机自动同步与谷歌的服务。其他厂商正在迅速适应自己的现有的即时通讯,社交网络和游戏服务。Android和许多企业寻找新途径来整合他们的自己已有的业务到android上。
传统的台式机和服务器的操作系统一直在努力进行安全功能的集成。这些个人和商业应用在单一平台的很出色,然而这一块业务一个手机平台上像android上不是很有用。它给了许多研究人员希望。Android没有停在为其他平台体用应用支持:应用的执行依赖于顶层JAVA中间件,这个中间件运行在嵌入式Linux 内核之上。所以开发人员要把他们的应用部署到Android必须使用其自定义的用户界面环境。
此外,android系统应用限制各应用相互调用API协作,并且对方为自己的
用户应用进行身份验证。尽管这些应用有一定的安全特性,我们一些有经验的开发人员开发android应用人士透露,设计安全应用程序并不总是直线前进的。Android使用一个简单的 许可标签分配模式限制访问的资源,但其他应用程序的原因必要性和便利,其 设计师们增加了困惑对这个系统。本文试图对Android的安全的复杂性进行讲解,并注意一些可能的发展缺陷以及应用程序的安全。我们通过尝试得出一些经验教训,希望对未来的安全有用。
Android Application
Android应用程序框架对开发者来说是一个强制架构。
它没有一个main()函数功能或单一入口点执行,相反,开发人员 必须在设计方面的应用组件。我们开发的应用对android的sdk的帮助的API Example Application。
我们开发了一个描述如何创建android的应用。有兴趣的读者可以去我们的站点下载让我们考虑一个基于位置的社交网络应用,其中手机用户可以通过本应用发现他们的朋友们位置。我们进行功能拆分, 分成两个应用程序:一个用于跟踪查看朋友和常看他们。如图1所示, FriendTracker应用包括跟踪的组件specifc朋友的位置(例如,通过一个Web服务),储存地理坐标,并分享这些合作统筹与其他应用程序。然后用户使用友情查看器应用程序来检索地理坐标和储存在地图上查看朋友。
这两个应用程序包含的多个组件包括展示自己任务,他们组件是由他们组件类型所决定的。 。一个Android 开发者选择从根据不同的组件类型组件的目的决定 (如与一个用户或存储数据接口)。
图1。例如Android应用程序。FriendTracker和FriendViewer应用由多个不同类型的组件,每个提供一个不同的组功能。Activity提供一个用户界面,Service执行后台处理,Content提供存储,Broadcast receiver接收机其他应用程序的信息。
Component Types
android系通定义了4种组件类型。
Activity
组件定义应用程序的用户界面。通常,应用程序开发者定义每一个活动“画面。”Activity可以自己开始,也可能通过传递和返回值。在一时间只有一个键盘的系统Activity可以进行处理,在这个时候所有其他的Activity都会被暂停。
Service
组件执行后台处理。当一个活动需要进行一些操作,在用户界面消失以后(如下载一个文件或播放音乐),它通常采取此种动作特殊设计的服务。开发人员还可以在系统启动使用特殊的守护进程,Service通常定义一个远程过程调用(RPC),其他系统组件可以用来传送接口命令和检索数据,以及注册一个回调函数。
Content
组件存储和共享数据 用关系数据库接口。每个Content供应者都有一个关联的“权限”来形容它的内容包含。其他组件使用时作为一个handle执行SQL查询(如 的SELECT,INSERT或DELETE内容。虽然Content供应者通常存储把数值放在数据库记录中,数据检索是实现特殊的例子,文件也同时通过内容提供商共享接口。
Broadcast receiver
该组件作为为从邮件信箱发送信息给他应用程序。通常,广播消息的应用程序代码隐含的目的地。因此,广播接收器订阅这些目的地接收发送给它的消息。应用程序代码也可以解决明确广播接收机包括命名空间分配。
图1显示了FriendTracker和FriendViewer应用所包含的不同的组件类型。开发者组件使用一个主要定义文件(也用于定义权限,稍后介绍)。上有一个应用程序的组件的数量没有限制定义每种类型,但作为习惯,一组件应具有相同的名称该应用程序。通常情况下,这是作为在FriendViewer activity中进行注册。这一动作通常指示主activity作为该系统应用程序启动器用于启动用户界面;然而,如果需要启动特定的activity,开发者需要者在选择配置manifest 信息来实现这一个功能。在在FriendTracker应用,例如,FriendTrackerControl活动被标记为主用户界面的启动点。 在这种情况下,我们保留名称“FriendTracker”为服务执行的核心组成部分的应
用程序逻辑。
在FriendTracker应用包含四种类型的组件。在FriendTracker服务搜寻调查外部服务并发现好友的位置。在我们的示例代码中,位置是我们随机生成的,但直接通过网络连接组件接口的服务。该FriendProvider Content 提供保持最新的朋友地理坐标, FriendTrackerControl活动用于启动和用户界面停止跟踪好友功能,该系统一旦启动 BootReceiver通知从广播系统启动。
该FriendViewer应用主要是显示有关好友的位置的信息。每个启动的FriendViewer将会列出了所有的朋友和他们的地理坐标,FriendMap显示他们在地图上的位置。FriendReceiver将会等待接收附近的手机发送的消息这个消息来一个所指定的朋友。尽管我们可以在这些组件内放置在FriendTracker应用,但是我们仍然创建了一个单独的应用程序来展示跨应用的沟通。此外,通过 分离程序功能和接口,我们可以创建不同的显示和功能,可选用户界面 是,许多应用程序可以重用这些来自FriendTracker的功能。
Component Interaction
该组件交互的主要机制是一个intent ,这是一个简单的消息对象,其中包含一个目的地组件的地址和数据。 Android的API定义了他的方法中传入intent ,并使用该信息来启动一个activity例如开始一个activity(startActivity(intent)),启动服务(startService(intent))和广播信息(sendBroadcast(intent))。 Android框架来通知这些方法的调用开始执行在目标应用程序代码。这个过程中 内部组件通信称为一个动作。简单地说, Intent对象定义的“Intent”以执行“action”。Android的一个最强大的特点是允许的多种intent寻址机制。开发人员可以解决一个目标组件使用其应用的空间,他们也可以指定一个隐含的名称。在后一种情况下,系统决定了一个action的最佳组件,通过考虑安装的应用程序和用户的选择 。
这个隐含的名字被称为动作字符串因为他特殊的类型的请求动作。例如一个view动作字符串,在一个intent中和数据域指向一个图像文件,系统将会直接指首选图像浏览器、
开发者也能使用动作字符串进行大量广播发送和接收。在接收端的接收者,
开发者使用一intent 过滤器来定制特殊的动作字符串。Android系包括附加目标的决议规则,但可选的数据操作字符串类型是最常见的。
显示了组件之间的FriendTracker和FriendViewer应用程序和组件的交互作用在应用程序中定义为基础的Android发布的一部分。在每一种情况下,发起一个组件与其他的沟通。为了简单起见,我们称这个为件间通信(ICC)。在许多方面,ICC是类似于进程间通信(IPC)在基于Unix的系统中。对于开发人员,ICC的功能相同无论目标是在相同或不同的应用与界定将在下文的安全规则中说明。
可用的ICC的动作取决于目标的组成部分。每个组件类型支持自己的类型 例如,当FriendViewer开始FriendMap的FriendMap活动出现在屏幕上。 服务组件支持启动,停止,并结合行动,所以FriendTrackerControl活动, 例如,可以启动和停止FriendTracker服务在后台运行。Action的绑定组件之间建立连接,使启动执行的服务定义的RPC。在我们的例子,FriendTracker结合到系统中的服务器位置的管理。
Understand android security
the next generation of open operating systems won’t be on desktops or mainframes but on the small mobile devices we carry every day. The openness of these new environments will lead to new applications and markets and will enable greater integration with existing online services.
However, as the importance of the data and services our cell phones support increases, so too do the opportunities for vulnerability. It’s essential that this next generation of platforms provide a comprehensive and usable security infrastructure.Developed by the Open Handset Alliance (visibly led by Google), Android is a widely anticipated open source operating system for mobile devices that provides a base operating system, an application middleware layer, a Java software development kit (SDK), and a collection of system applications. Although the Android SDK has been available since late 2007, the frst publicly available Android-ready “G1” phone debuted in late October 2008. Since then, Android’s
growth has been phenomenal: TMobile’s G1 manufacturer HTC estimates shipment volumes of more than 1 million phones by the end of 2008, and industry insiders expect public adoption to increase steeply in 2009. Many other cell phone providers have either promised or plan to support it in the near future.
A large community of developers has organized around Android, and many new products and applications are now available for it. One of Android’s chief selling points is that it lets developers seamlessly .
extend online services to phones. The most visible example of this feature is—unsurprisingly—the tight integration of Google’s Gmail, Calendar, and Contacts Web applications with system utilities. Android users simply supply a username and password, and their phones automatically synchronize with Google services. Other vendors are rapidly adapting their existing instant messaging, social networks, and gaming services to Android, and many enterprises are looking for ways to integrate their own internal operations (such as inventory management, purchasing, receiving,
and so forth) into it as well.Traditional desktop and server operating systems have struggled to securely integrate such personal and business applications and services on a single platform; although doing so on a mobile platform such as Android remains nontrivial, many researchers hope it provides a clean slate devoid of the complications that legacy software can cause. Android doesn’t ofcially support applications eloped for other platforms: applications execute on top of a Java middleware layer running on an embedded Linux kernel, so developers wishing to port their application to Android must use its custom user interface environment. Additionally, Android restricts application interaction to its special APIs by running each application as its own user identity. Although this controlled interaction has several benefcial security features, our experiences developing Android applications have revealed that designing secure forward. Android uses a simple permission label assignment model to restrict access to resources and other applications, but for reasons of necessity and convenience, its designers have added several potentially confusing refnements as the system has evolved.This article attempts to unmask the complexity of Android security and note some possible development pitfalls that occur when defning an application’s security. We conclude by attempting to draw some lessons and identify opportunities for future enhancements that should aid in clarity and correctness.Android Applications The Android application framework forces a structure on developers. It doesn’t have a main() function or single entry point for execution—instead, developers must design applications in terms of components. Example Application.
We developed a pair of applications to help describe how Android applications operate. Interested readers can download the source code from our web sitepttp://siis.cse.psu.edu/android_sec_tutorial.html).
Let’s consider a location-sensitive social networking application for mobile phones in which users can discover their friends’locations. We split the functionality into two applications: one for tracking friends and one for viewing them. As Figure 1 shows, the FriendTracker application consists of components specifc to tracking friend locations (for example, via a Web service), storing geographic coordinates, and
sharing those coordinates with other applications. The user then uses the FriendViewer application to retrieve the stored geographic coordinates and view friends on a map.Both applications contain multiple components for performing their respective tasks; the components themselves are classifed by their component types. An Android developer chooses from predefned component types depending on the component’s purpose (such as interfacing with a user or storing data).Component TypesAndroid defnes four component types:Activity• components defne an application’s user interface. Typically, an application developer defnes one activity per “screen.” Activities start each other, possibly passing and returning values. Only one activity on the system has keyboard and ocessing focus at a time; all others are suspended.Service components perform background processing. When an activity needs to perform some operation that must continue after the user interface disappears (such as download a fle or play music), it commonly starts a service specifcally designed for that action. The developer can also use services as application-specifc daemons, possibly starting on boot. Services often define an interface for Remote Procedure Call (RPC) that other system components can use to send commands and retrieve data, as well as register callbacks. Content provider
• components store and share data using a relational database interface. Each content provider has an associated “authority” describing the content it contains. Other components use the authority name as a handle to perform SQL queries (such as SELECT, INSERT, or DELETE) to read and write content. Although content providers typically store values in database records, data retrieval is implementation-specifc—for example, fles are also shared through content provider interfaces.Broadcast receiver• components act as mailboxes for messages from other applications. Commonly, application code broadcasts messages to an implicit destination. Broadcast receivers thus sub-scribe to such destinations to receive the messages sent to it. Application code can also address a broadcast receiver explicitly by including the namespace assigned to its containing application.
Figure 1 shows the FriendTrack-er and FriendViewer applications containing the diferent component types. The developer specifes components using a manifest fle
(also used to defne policy as described later). There are no restrictions on the number of components an application defnes for each type, but as a convention, one component has the same name as the application. Frequently, this is an activity, as in the FriendViewer application. This activity usually indicates the primary activity that the system application launcher uses to start the user interface; however, the specifc activity cho-sen on launch is marked by meta information in the manifest. In the FriendTracker application, for example, the FriendTrackerControl activity is marked as the main user interface entry point.
In this case, we reserved the name “FriendTracker” for the service component performing the core application logic.The FriendTracker application contains each of the four component types. The FriendTracker service polls an external service to discover friends’ locations. In our example code, we generate locaFriendTracker application BootReceiver Broadcast receiver ActivityFriendTracker FriendProvider Content provider Service FriendTracker control FriendViewer application FriendReceiver Broadcast receiver Activity FriendTracker Activity FriendViewer Figure 1. Example Android application. The FriendTracker and FriendViewer applications consist of multiple components of different types, each of which provides a different set of functionalities. Activities provide a user interface, services execute background processing, content providers are data storage facilities, and broadcast receivers act as mailboxes for messages from other applications.tions randomly, but extending the component to interface with a Web service is straightforward. The FriendProvider content provider maintains the most recent geographic coordinates for friends, the FriendTrackerControl activity defnes a user interface for starting and stopping the tracking functionality, and the BootReceiver broadcast receiver obtains a notifcation from the system once it boots (the application uses this to utomatically start the FriendTracker service).The FriendViewer application bis primarily concerned with showing information about friends’ locations. The FriendViewer activity lists all friends and their geographic coordinates, and the FriendMap activity displays them on a map. The FriendReceiver broadcast receiver waits for messages that indicate the physical phone is near a particular friend and displays a message to the user upon
such an event. Although we could have placed these components within the FriendTracker application, we created a separate application to demonstrate cross-application communication. dditionally, by separating the tracking and user interface logic, we can create alternative user interfaces with different displays and features—that is, many applications can reuse the logic performed in FriendTracker.Component Interaction The primary mechanism for component interaction is an intent, which is simply a message object containing a destination component address and data.
The Android API defnes methods that accept intents, and uses that information to start activities (startActivity(Intent)), start services (startService (Intent)), and broadcast messages (sendBroadcast(Intent)). The invocation of these methods tells the Android framework to begin executing code in the target application. This process of intercomponent communication is known as an action. Simply put, an intent object defnes the “intent” to perform an “action.”One of Android’s most powerful features is the fexibility allowed by its intent-addressing mechanism. Although developers can uniquely address a target component using its application’s namespace, they can also specify an implicit name.
In the latter case, the system determines the best component for an action by considering the set of installed applications and user choices. The implicit name is called an action string because it specifes the type of requested action—for example, if the “VIEW” action string is specifed in an intent with data felds pointing to an image fle, the system will direct the intent to the preferred image viewer. Developers also use action strings to broadcast a message to a group of broadcast receivers. On the receiving end, developers use an intent flter to subscribe to specifc action strings. Android includes additional destination resolution rules, but action strings with optional data types are the most common.Figure 2 shows the interaction between components in the FriendTracker and FriendViewer applications and with components in applications defned as part of the base Android distribution. In each case, one component initiates communication with another. For simplicity, we call this inter-component communication (ICC). In many ways, ICC is analogous to
interprocess communication (IPC) in Unix-based systems. To the developer, ICC functions identically regardless of whether the target is in the same or diferent application, with the exception of the security rules defned later in this article.The available ICC actions depend on the target component.
Each component type supports interaction specifc to its type for example, when FriendViewer starts FriendMap, the FriendMap activity appears on the screen. Service components support start, stop, and bind actions, so the FriendTrackerControl activity, for instance, can start and stop the FriendTracker service that runs in the background. The bind action establishes a connection between components, allowing the initiator to execute RPCs defned by the service. In our example, FriendTracker binds to the location manager in the system server.
本科毕业设计(论文)译文
题目名称
学
二○一二 年 五 月 三十一 日
译文题目:原文题目: Understanding Android Security 原文出处:http://ishare.iask.sina.com.cn/f/7293546.
2010.2 作者:
深入理解安卓系统的安全性
下一代开放操作系统的主流将不会在桌面上,但是将会出现在我们每天携带的手机上。这些开放性的环境将会带领这些新的应用可能集成这些已经存在的在线服务,当然随着日以具增的数据与服务在手机上的支持,手机上的安全缺陷也越发明显。下一代操作系统本质在于是否提供一个完整综合的安全平台。
由开放手机联盟(open Handset Alliance 谷歌领导)所开发的android 系统是一个被广泛看好的一个手机开源系统,该系统提供一个基本的操作系统,一个中间件应用层,一个java开发工具和一个系统应用收集器(collection of system applications )。尽管android SDK自2007年就发布了,但是第一部android 手机却在2008年10月才诞生。自从这时起谷歌开起了自己的时代,T-Mobile的G1的制造商台湾 HTC估算G1的发货量在2008年底已经超过100万部。据业内人士预期该G1手机的销量将会在2009年继续保持。不久的将来其他许多手机供应商要计划支持这个系统。
一个围绕android庞大的开发者社区已经建立,同时很多新的产品和应用已经可以在android上使用。一个Android的主要卖点是它使开发人员无缝把在线服务扩展到手机。这方面最明显的例子是谷歌的紧密集成Gmail,日历和联系人Web应用程序通过该系统。用户只需提供一个android用户名和密码,其手机自动同步与谷歌的服务。其他厂商正在迅速适应自己的现有的即时通讯,社交网络和游戏服务。Android和许多企业寻找新途径来整合他们的自己已有的业务到android上。
传统的台式机和服务器的操作系统一直在努力进行安全功能的集成。这些个人和商业应用在单一平台的很出色,然而这一块业务一个手机平台上像android上不是很有用。它给了许多研究人员希望。Android没有停在为其他平台体用应用支持:应用的执行依赖于顶层JAVA中间件,这个中间件运行在嵌入式Linux 内核之上。所以开发人员要把他们的应用部署到Android必须使用其自定义的用户界面环境。
此外,android系统应用限制各应用相互调用API协作,并且对方为自己的
用户应用进行身份验证。尽管这些应用有一定的安全特性,我们一些有经验的开发人员开发android应用人士透露,设计安全应用程序并不总是直线前进的。Android使用一个简单的 许可标签分配模式限制访问的资源,但其他应用程序的原因必要性和便利,其 设计师们增加了困惑对这个系统。本文试图对Android的安全的复杂性进行讲解,并注意一些可能的发展缺陷以及应用程序的安全。我们通过尝试得出一些经验教训,希望对未来的安全有用。
Android Application
Android应用程序框架对开发者来说是一个强制架构。
它没有一个main()函数功能或单一入口点执行,相反,开发人员 必须在设计方面的应用组件。我们开发的应用对android的sdk的帮助的API Example Application。
我们开发了一个描述如何创建android的应用。有兴趣的读者可以去我们的站点下载让我们考虑一个基于位置的社交网络应用,其中手机用户可以通过本应用发现他们的朋友们位置。我们进行功能拆分, 分成两个应用程序:一个用于跟踪查看朋友和常看他们。如图1所示, FriendTracker应用包括跟踪的组件specifc朋友的位置(例如,通过一个Web服务),储存地理坐标,并分享这些合作统筹与其他应用程序。然后用户使用友情查看器应用程序来检索地理坐标和储存在地图上查看朋友。
这两个应用程序包含的多个组件包括展示自己任务,他们组件是由他们组件类型所决定的。 。一个Android 开发者选择从根据不同的组件类型组件的目的决定 (如与一个用户或存储数据接口)。
图1。例如Android应用程序。FriendTracker和FriendViewer应用由多个不同类型的组件,每个提供一个不同的组功能。Activity提供一个用户界面,Service执行后台处理,Content提供存储,Broadcast receiver接收机其他应用程序的信息。
Component Types
android系通定义了4种组件类型。
Activity
组件定义应用程序的用户界面。通常,应用程序开发者定义每一个活动“画面。”Activity可以自己开始,也可能通过传递和返回值。在一时间只有一个键盘的系统Activity可以进行处理,在这个时候所有其他的Activity都会被暂停。
Service
组件执行后台处理。当一个活动需要进行一些操作,在用户界面消失以后(如下载一个文件或播放音乐),它通常采取此种动作特殊设计的服务。开发人员还可以在系统启动使用特殊的守护进程,Service通常定义一个远程过程调用(RPC),其他系统组件可以用来传送接口命令和检索数据,以及注册一个回调函数。
Content
组件存储和共享数据 用关系数据库接口。每个Content供应者都有一个关联的“权限”来形容它的内容包含。其他组件使用时作为一个handle执行SQL查询(如 的SELECT,INSERT或DELETE内容。虽然Content供应者通常存储把数值放在数据库记录中,数据检索是实现特殊的例子,文件也同时通过内容提供商共享接口。
Broadcast receiver
该组件作为为从邮件信箱发送信息给他应用程序。通常,广播消息的应用程序代码隐含的目的地。因此,广播接收器订阅这些目的地接收发送给它的消息。应用程序代码也可以解决明确广播接收机包括命名空间分配。
图1显示了FriendTracker和FriendViewer应用所包含的不同的组件类型。开发者组件使用一个主要定义文件(也用于定义权限,稍后介绍)。上有一个应用程序的组件的数量没有限制定义每种类型,但作为习惯,一组件应具有相同的名称该应用程序。通常情况下,这是作为在FriendViewer activity中进行注册。这一动作通常指示主activity作为该系统应用程序启动器用于启动用户界面;然而,如果需要启动特定的activity,开发者需要者在选择配置manifest 信息来实现这一个功能。在在FriendTracker应用,例如,FriendTrackerControl活动被标记为主用户界面的启动点。 在这种情况下,我们保留名称“FriendTracker”为服务执行的核心组成部分的应
用程序逻辑。
在FriendTracker应用包含四种类型的组件。在FriendTracker服务搜寻调查外部服务并发现好友的位置。在我们的示例代码中,位置是我们随机生成的,但直接通过网络连接组件接口的服务。该FriendProvider Content 提供保持最新的朋友地理坐标, FriendTrackerControl活动用于启动和用户界面停止跟踪好友功能,该系统一旦启动 BootReceiver通知从广播系统启动。
该FriendViewer应用主要是显示有关好友的位置的信息。每个启动的FriendViewer将会列出了所有的朋友和他们的地理坐标,FriendMap显示他们在地图上的位置。FriendReceiver将会等待接收附近的手机发送的消息这个消息来一个所指定的朋友。尽管我们可以在这些组件内放置在FriendTracker应用,但是我们仍然创建了一个单独的应用程序来展示跨应用的沟通。此外,通过 分离程序功能和接口,我们可以创建不同的显示和功能,可选用户界面 是,许多应用程序可以重用这些来自FriendTracker的功能。
Component Interaction
该组件交互的主要机制是一个intent ,这是一个简单的消息对象,其中包含一个目的地组件的地址和数据。 Android的API定义了他的方法中传入intent ,并使用该信息来启动一个activity例如开始一个activity(startActivity(intent)),启动服务(startService(intent))和广播信息(sendBroadcast(intent))。 Android框架来通知这些方法的调用开始执行在目标应用程序代码。这个过程中 内部组件通信称为一个动作。简单地说, Intent对象定义的“Intent”以执行“action”。Android的一个最强大的特点是允许的多种intent寻址机制。开发人员可以解决一个目标组件使用其应用的空间,他们也可以指定一个隐含的名称。在后一种情况下,系统决定了一个action的最佳组件,通过考虑安装的应用程序和用户的选择 。
这个隐含的名字被称为动作字符串因为他特殊的类型的请求动作。例如一个view动作字符串,在一个intent中和数据域指向一个图像文件,系统将会直接指首选图像浏览器、
开发者也能使用动作字符串进行大量广播发送和接收。在接收端的接收者,
开发者使用一intent 过滤器来定制特殊的动作字符串。Android系包括附加目标的决议规则,但可选的数据操作字符串类型是最常见的。
显示了组件之间的FriendTracker和FriendViewer应用程序和组件的交互作用在应用程序中定义为基础的Android发布的一部分。在每一种情况下,发起一个组件与其他的沟通。为了简单起见,我们称这个为件间通信(ICC)。在许多方面,ICC是类似于进程间通信(IPC)在基于Unix的系统中。对于开发人员,ICC的功能相同无论目标是在相同或不同的应用与界定将在下文的安全规则中说明。
可用的ICC的动作取决于目标的组成部分。每个组件类型支持自己的类型 例如,当FriendViewer开始FriendMap的FriendMap活动出现在屏幕上。 服务组件支持启动,停止,并结合行动,所以FriendTrackerControl活动, 例如,可以启动和停止FriendTracker服务在后台运行。Action的绑定组件之间建立连接,使启动执行的服务定义的RPC。在我们的例子,FriendTracker结合到系统中的服务器位置的管理。
Understand android security
the next generation of open operating systems won’t be on desktops or mainframes but on the small mobile devices we carry every day. The openness of these new environments will lead to new applications and markets and will enable greater integration with existing online services.
However, as the importance of the data and services our cell phones support increases, so too do the opportunities for vulnerability. It’s essential that this next generation of platforms provide a comprehensive and usable security infrastructure.Developed by the Open Handset Alliance (visibly led by Google), Android is a widely anticipated open source operating system for mobile devices that provides a base operating system, an application middleware layer, a Java software development kit (SDK), and a collection of system applications. Although the Android SDK has been available since late 2007, the frst publicly available Android-ready “G1” phone debuted in late October 2008. Since then, Android’s
growth has been phenomenal: TMobile’s G1 manufacturer HTC estimates shipment volumes of more than 1 million phones by the end of 2008, and industry insiders expect public adoption to increase steeply in 2009. Many other cell phone providers have either promised or plan to support it in the near future.
A large community of developers has organized around Android, and many new products and applications are now available for it. One of Android’s chief selling points is that it lets developers seamlessly .
extend online services to phones. The most visible example of this feature is—unsurprisingly—the tight integration of Google’s Gmail, Calendar, and Contacts Web applications with system utilities. Android users simply supply a username and password, and their phones automatically synchronize with Google services. Other vendors are rapidly adapting their existing instant messaging, social networks, and gaming services to Android, and many enterprises are looking for ways to integrate their own internal operations (such as inventory management, purchasing, receiving,
and so forth) into it as well.Traditional desktop and server operating systems have struggled to securely integrate such personal and business applications and services on a single platform; although doing so on a mobile platform such as Android remains nontrivial, many researchers hope it provides a clean slate devoid of the complications that legacy software can cause. Android doesn’t ofcially support applications eloped for other platforms: applications execute on top of a Java middleware layer running on an embedded Linux kernel, so developers wishing to port their application to Android must use its custom user interface environment. Additionally, Android restricts application interaction to its special APIs by running each application as its own user identity. Although this controlled interaction has several benefcial security features, our experiences developing Android applications have revealed that designing secure forward. Android uses a simple permission label assignment model to restrict access to resources and other applications, but for reasons of necessity and convenience, its designers have added several potentially confusing refnements as the system has evolved.This article attempts to unmask the complexity of Android security and note some possible development pitfalls that occur when defning an application’s security. We conclude by attempting to draw some lessons and identify opportunities for future enhancements that should aid in clarity and correctness.Android Applications The Android application framework forces a structure on developers. It doesn’t have a main() function or single entry point for execution—instead, developers must design applications in terms of components. Example Application.
We developed a pair of applications to help describe how Android applications operate. Interested readers can download the source code from our web sitepttp://siis.cse.psu.edu/android_sec_tutorial.html).
Let’s consider a location-sensitive social networking application for mobile phones in which users can discover their friends’locations. We split the functionality into two applications: one for tracking friends and one for viewing them. As Figure 1 shows, the FriendTracker application consists of components specifc to tracking friend locations (for example, via a Web service), storing geographic coordinates, and
sharing those coordinates with other applications. The user then uses the FriendViewer application to retrieve the stored geographic coordinates and view friends on a map.Both applications contain multiple components for performing their respective tasks; the components themselves are classifed by their component types. An Android developer chooses from predefned component types depending on the component’s purpose (such as interfacing with a user or storing data).Component TypesAndroid defnes four component types:Activity• components defne an application’s user interface. Typically, an application developer defnes one activity per “screen.” Activities start each other, possibly passing and returning values. Only one activity on the system has keyboard and ocessing focus at a time; all others are suspended.Service components perform background processing. When an activity needs to perform some operation that must continue after the user interface disappears (such as download a fle or play music), it commonly starts a service specifcally designed for that action. The developer can also use services as application-specifc daemons, possibly starting on boot. Services often define an interface for Remote Procedure Call (RPC) that other system components can use to send commands and retrieve data, as well as register callbacks. Content provider
• components store and share data using a relational database interface. Each content provider has an associated “authority” describing the content it contains. Other components use the authority name as a handle to perform SQL queries (such as SELECT, INSERT, or DELETE) to read and write content. Although content providers typically store values in database records, data retrieval is implementation-specifc—for example, fles are also shared through content provider interfaces.Broadcast receiver• components act as mailboxes for messages from other applications. Commonly, application code broadcasts messages to an implicit destination. Broadcast receivers thus sub-scribe to such destinations to receive the messages sent to it. Application code can also address a broadcast receiver explicitly by including the namespace assigned to its containing application.
Figure 1 shows the FriendTrack-er and FriendViewer applications containing the diferent component types. The developer specifes components using a manifest fle
(also used to defne policy as described later). There are no restrictions on the number of components an application defnes for each type, but as a convention, one component has the same name as the application. Frequently, this is an activity, as in the FriendViewer application. This activity usually indicates the primary activity that the system application launcher uses to start the user interface; however, the specifc activity cho-sen on launch is marked by meta information in the manifest. In the FriendTracker application, for example, the FriendTrackerControl activity is marked as the main user interface entry point.
In this case, we reserved the name “FriendTracker” for the service component performing the core application logic.The FriendTracker application contains each of the four component types. The FriendTracker service polls an external service to discover friends’ locations. In our example code, we generate locaFriendTracker application BootReceiver Broadcast receiver ActivityFriendTracker FriendProvider Content provider Service FriendTracker control FriendViewer application FriendReceiver Broadcast receiver Activity FriendTracker Activity FriendViewer Figure 1. Example Android application. The FriendTracker and FriendViewer applications consist of multiple components of different types, each of which provides a different set of functionalities. Activities provide a user interface, services execute background processing, content providers are data storage facilities, and broadcast receivers act as mailboxes for messages from other applications.tions randomly, but extending the component to interface with a Web service is straightforward. The FriendProvider content provider maintains the most recent geographic coordinates for friends, the FriendTrackerControl activity defnes a user interface for starting and stopping the tracking functionality, and the BootReceiver broadcast receiver obtains a notifcation from the system once it boots (the application uses this to utomatically start the FriendTracker service).The FriendViewer application bis primarily concerned with showing information about friends’ locations. The FriendViewer activity lists all friends and their geographic coordinates, and the FriendMap activity displays them on a map. The FriendReceiver broadcast receiver waits for messages that indicate the physical phone is near a particular friend and displays a message to the user upon
such an event. Although we could have placed these components within the FriendTracker application, we created a separate application to demonstrate cross-application communication. dditionally, by separating the tracking and user interface logic, we can create alternative user interfaces with different displays and features—that is, many applications can reuse the logic performed in FriendTracker.Component Interaction The primary mechanism for component interaction is an intent, which is simply a message object containing a destination component address and data.
The Android API defnes methods that accept intents, and uses that information to start activities (startActivity(Intent)), start services (startService (Intent)), and broadcast messages (sendBroadcast(Intent)). The invocation of these methods tells the Android framework to begin executing code in the target application. This process of intercomponent communication is known as an action. Simply put, an intent object defnes the “intent” to perform an “action.”One of Android’s most powerful features is the fexibility allowed by its intent-addressing mechanism. Although developers can uniquely address a target component using its application’s namespace, they can also specify an implicit name.
In the latter case, the system determines the best component for an action by considering the set of installed applications and user choices. The implicit name is called an action string because it specifes the type of requested action—for example, if the “VIEW” action string is specifed in an intent with data felds pointing to an image fle, the system will direct the intent to the preferred image viewer. Developers also use action strings to broadcast a message to a group of broadcast receivers. On the receiving end, developers use an intent flter to subscribe to specifc action strings. Android includes additional destination resolution rules, but action strings with optional data types are the most common.Figure 2 shows the interaction between components in the FriendTracker and FriendViewer applications and with components in applications defned as part of the base Android distribution. In each case, one component initiates communication with another. For simplicity, we call this inter-component communication (ICC). In many ways, ICC is analogous to
interprocess communication (IPC) in Unix-based systems. To the developer, ICC functions identically regardless of whether the target is in the same or diferent application, with the exception of the security rules defned later in this article.The available ICC actions depend on the target component.
Each component type supports interaction specifc to its type for example, when FriendViewer starts FriendMap, the FriendMap activity appears on the screen. Service components support start, stop, and bind actions, so the FriendTrackerControl activity, for instance, can start and stop the FriendTracker service that runs in the background. The bind action establishes a connection between components, allowing the initiator to execute RPCs defned by the service. In our example, FriendTracker binds to the location manager in the system server.