Exploring SE for Android (2015)

Preface

This book introduces the Security Enhancements (SE) for Android open source project and walks you through the process of securing new embedded systems with SE for Android. To our knowledge, this book is the first source to document such a process in its entirety so that students, DIY hobbyists, and engineers can create custom systems secured by SE for Android. Generally, only original equipment manufacturers (OEMs) do this, and quite commonly, the target device is a phone or tablet. We truly hope our book will change that, engaging a wide audience in development so they can use and understand these modern security tools.

We worked very hard to ensure this text is not just a step-by-step technology book. Specifically, we've chosen a model that directs you to fail your way to success. You will first gain appropriate theoretical understanding of how security is gained and enforced. Then we will introduce a system that has never been secured that way (not even by us, prior to writing this book). Next, we'll guide you through all our intelligent guesswork, embracing unexpected failures for the newly found idiosyncrasies they expose, and eventually enforcing our custom security policies. It requires you to learn to resolve differences between major open source projects such as SELinux, SE for Android, and Google Android, each of which has independent goals and deployment schedules. This prepares you to secure other devices, the process for which is always different, but hopefully, will now be more accessible.

What this book covers

Chapter 1, Linux Access Controls, discusses the basics of Discretionary Access Control (DAC), shows how some Android exploits leverage DAC problems, and demonstrates the need for more robust solutions.

Chapter 2, Mandatory Access Controls and SELinux, examines Mandatory Access Control (MAC) and its manifestation in SELinux. This chapter also explores tangible policy to control SELinux object interaction.

Chapter 3, Android Is Weird, introduces the Android security model and investigates binder, zygote, and the property service.

Chapter 4, Installation on the UDOO, walks through building and deploying Android from source to the UDOO-embedded board and turns on SELinux support.

Chapter 5, Booting the System, follows the boot process from the policy loading perspective and corrects issues to get SELinux to a usable state on the UDOO.

Chapter 6, Exploring SELinuxFS, examines the SELinuxFS filesystem and how it provides the kernel-to-userspace interface for higher-level idioms.

Chapter 7, Utilizing Audit Logs, investigates the audit subsystem, revealing how to interpret SELinux audit logs for the benefit of policy writing.

Chapter 8, Applying Contexts to Files, teaches you how filesystems and filesystem objects get their labels and contexts, demonstrating techniques to change them, including dynamic type transitions.

Chapter 9, Adding Services to Domains, emphasizes process labeling, notably the Android services run and managed by init.

Chapter 10, Placing Applications in Domains, shows you how to properly label the private data directories of applications, as well as application runtime contexts via configuration files and SELinux policy.

Chapter 11, Labeling Properties, demonstrates how to create and label new and existing properties, and some of the anomalies that occur when doing so.

Chapter 12, Mastering the Tool Chain, covers how the various components that control policy on the device are actually built and created. This chapter reviews the Android.mk components, detailing how the heart of the build and configuration management works.

Chapter 13, Getting to Enforcing Mode, utilizes all the skills you learned in the earlier chapters to respond to audit logs from CTS and get the UDOO in enforcing mode.

Appendix, The Development Environment, walks you through the necessary steps of setting up a Linux environment suitable for you to follow all the activities in this book.

What you need for this book

Hardware requirements include:

· A UDOO-embedded development board

· An 8 GB Mini SD card (while you can use a card with greater capacity, we do not recommend it)

· A minimum of 16 GB of RAM

· At least 80 GB of free hard drive space

Software requirements include:

· An Ubuntu 12.04 LTS desktop system

· Oracle JDK 6.0 version 6u45

· Some additional miscellaneous Linux software is required, but it is described in the book and is available for free.

Who this book is for

This book is intended for developers and engineers who are somewhat familiar with operating system concepts as implemented by Linux. They could be hobbyists wanting to secure their Android-powered creations, OEM engineers building handsets, or engineers from emerging areas where Android is seeing growth. A basic background in C programming will be helpful.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and explanations of their meanings.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows: "Now let's attempt to execute the hello.txt file and see what happens."

A block of code is set as follows:

    case INTERFACE_TRANSACTION:
    {
        reply.writeString(DESCRIPTOR);
        return true;
    }

Any command-line input or output is written as follows:

    $ su testuser
    Password:
    testuser@ubuntu:/home/bookuser$

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Exit the configuration menus by selecting Exit until you are asked to save your new configuration."

Note

Warnings or important notes appear in a box like this.

Tip

Tips and tricks appear like this.