The Android working framework is an open source and source code discharge by Google under Apache permit license, based on Linux-Kernel designed for smartphones and tablets. Android is one of the most popular operating systems for smartphones [1,2]. Designed to be a complete software stack, Android includes an operating system, middleware, and core applications. Furthermore, it comes with an SDK that provides the tools and APIs necessary to develop new applications for the platform in Java.Android does not distinguish between its core applications and new applications developed with the SDK; in particular, all applications can potentially interact with the underlying mobile device and share their functionality with other applications. Device loss is a pervasive problem with mobile devices and leads to severe attacks. Android KeyStore System minimizes drawback of encryption approach but still leak the data on the device. For securing data on the device, we propose the Hybrid Encryption Approach with case studies. Android allows create and store data within the application.This section describes SharedPreference interface, possible data security vulnerabilities with the help of test application. We discuss encryption approach taken to minimize the vulnerability and its drawback.A. SharedPreferences InterfacesAndroid's SharedPreferences [3] interface provides a general framework that allows us to access and modify key-value pairs of primitive data types. This data persists across user sessions, even if the application is closed. By default, Android stores thisdata in an unencrypted XML file within the app's directory on the device's filesystem, with permissions that allow only the app to access this file. This is part of the concept known as "application sandboxing."In Android, shared preferences are used to store user’s preferences for Android application such as display name, notification settings, vibration on/off, etc.B. Data Security VulnerabilitiesDevelopers can use Shared Preferences to store data on a device, and an attacker can access this data from a device as well. The need of protecting it is of much importance. Tools such as Android Debug Bridge (ADB) [4] can be used to navigate to the directory where SharedPreferences are created.ADB -Android Debug Bridge (ADB) is a versatile command-line tool that lets you communicate with a device. The ADBcommand facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.ADB is included in the Android SDK Platform-Tools package. An attacker can download this package with the SDK Manager, which installs it at location android_sdk/platform-tools/.As it provides access to Unix shell of Android device, it helps anattacker to navigate to data directory and read or modify any unencrypted data including Shared Preferences.CodeShoppy
rogrammers found the solution to this problem with the encryption. All the values can be encrypted just before storing to SharedPreferences. There are open source librarieslike EncryptedPreferences [11]. These libraries allow generating SharedPreferences, which are encrypted. However, EncryptedPreferences requires a password to encrypt text. Even if we implement AES encryption, there is often the need for a “secret.”If this password or “secret” is hard-coded into the appor uses some system value like MAC address, anyone looking through a decompiled version of the code can easily decipher what it takes to decrypt the Strings. We could generate a random long password, but if we put it in regular SharedPreferences, it will get persisted in plain text in a while. Approach took to hide password or secret key which is used to encrypt SharedPreference data is with the Obfuscation technique.Obfuscation makes it difficult for a reverse engineer, but as Obfuscation can only make it difficult, and not impossible to guess the secret key, the threat still exists.To solve the problem of data getting leaked from Androidphone’s internal memory, we propose the Hybrid Encryption Approach.Table 1 shows the threat, previous approached, and the proposed Hybrid Encryption Approach. Hybrid Encryption Approach uses Android KeyStore System to minimize drawback of encryption approachAndroid Keystore SystemThe Android Keystore system[6]allows storingcryptographic keys in a container to make it more difficult to extract from the device. Once keys are in the Keystore, they can be used for cryptographic operations with the key material remaining non-exportable. Moreover, it offers facilities to restrict when and how keys can be used, such as requiring the user authentication for key use or restricting keys to be used only in certain cryptographic modes. Android Keystore system protects the key material from unauthorized use. Firstly, Android Keystore mitigates unauthorized use of key material outside of the Android device by preventing extraction of the key material from the application processes and from the Android device as a whole. Secondly, Android KeyStore mitigates unauthorized use of key material on the Android device by making apps specify authorized uses of their keys and then enforcing these restrictions outside of the apps' processes.The Keystore itself is encrypted using the user’s own lockscreen pin/password, hence, when the device screen is locked the Keystore is unavailable.
Comments