Android Application Security Testing Part-8: Android Sandbox

Android Sandbox
·         As we know, Android is built upon the Linux kernel.
·         Under Linux, processes belong to users, and each user has a unique user ID (UID): a positive integer assigned by the operating system that identifies the user to the system. The kernel prevents a process running under one UID from reading the files and data belonging to another UID, unless the owning UID has explicitly shared that data with the first UID.
·         Android takes this further. Rather than each UID belonging to a distinct person (as with multiple users logged into a server), in Android each app is given a unique UID.
·         From the perspective of the Linux kernel, each Android app is therefore a distinct ‘user’. This makes sense because each Android device has only one real physical user.
·         This separation of apps into different UIDs is the main security mechanism of Android. Each app, by virtue of its unique UID, is sandboxed from other apps: the Linux kernel prevents other apps from accessing its memory or reading and writing its files (by default, files created by an app are not globally readable or writeable).
·         Once installed on a device, each Android app lives in its own security sandbox: the Android operating system is a multi-user Linux system in which each app is a different user.
·         By default, the system assigns each app a unique Linux user ID (the ID is used only by the system and is unknown to the app). The system sets permissions on all the files in an app so that only the user ID assigned to that app can access them.
·         Each process has its own virtual machine (VM), so an app’s code runs in isolation from other apps.
·         By default, every app runs in its own Linux process. Android starts the process when any of the app’s components needs to be executed, then shuts down the process when it is no longer needed or when the system must recover memory for other apps.
·         Every Android app runs in its own sandbox environment and cannot affect other apps by default. However, two apps can share the same Linux user ID (and the same Dalvik VM) if they are signed with the same certificate.
·         The Android Application Sandbox isolates your app’s data and code execution from other apps.
·         Each application’s private data directory is marked with file permissions that allow only the application’s user to access it.
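The checks below are an added example and not part of the original post. Given constructed `ls -ln /data/data` output from a rooted test device, they flag app data directories whose mode bits grant access to other UIDs (the per-UID isolation described above) and list UIDs owned by more than one package (the shared-UID case). The `u0_a<N>` naming and the 10000 app-UID base are Android's conventions; the package names and numbers are made up.

```shell
# Constructed sample of `adb shell ls -ln /data/data` on a rooted test device
# (numeric owner/group). Package names and UIDs are made up for illustration.
SAMPLE_LS='drwx------ 4 10123 10123 4096 2024-01-01 00:00 com.example.notes
drwxrwxr-x 5 10124 10124 4096 2024-01-01 00:00 com.example.sharedcfg
drwx--x--x 3 10124 10124 4096 2024-01-01 00:00 com.example.sharedcfg.helper
drwxr-xr-x 6 1000  1000  4096 2024-01-01 00:00 com.android.systemui'

# Map a numeric UID to Android's display name: app UIDs run from 10000 to
# 19999 and are shown as u0_a<N> with N = uid - 10000; anything else is kept raw.
uid_to_name() {
  if [ "$1" -ge 10000 ] && [ "$1" -le 19999 ]; then
    echo "u0_a$(( $1 - 10000 ))"
  else
    echo "uid$1"
  fi
}

# Print every directory whose "other" permission bits include r or w, i.e. a
# private data directory that a process under a different UID could read or
# modify. Execute-only (--x) on a directory allows traversal but not listing.
find_world_accessible() {
  printf '%s\n' "$1" | while read -r mode _links uid _gid rest; do
    name="${rest##* }"          # package name is the last field
    other="${mode#???????}"     # drop type + owner + group bits, keep "other"
    case "$other" in
      *r*|*w*) echo "$name owner=$(uid_to_name "$uid") other=$other" ;;
    esac
  done
}

# Print UIDs that own more than one package directory: apps sharing a UID
# (signed with the same certificate) share one sandbox.
shared_uids() {
  printf '%s\n' "$1" | awk '{ print $3 }' | sort | uniq -d
}

find_world_accessible "$SAMPLE_LS"
shared_uids "$SAMPLE_LS"
```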
