Analysis of Android Security
2. Application Signing and Distribution
• ANDROID-
Application signing is done to maintain the identity of the author or the developer of the application. Google ensures that the author or the vendor of the application signs the application with their key as their identity. Developers are required to sign their applications digitally using their private key and through this signature, trust is developed between Google and developers. All applications must be signed. Signature makes applications more tamper resistant because they are difficult to be broken. Once the application is developed, its .apk file is created and is signed with the private key of the developer. The embedded certs are self-signed by the …show more content…
Android version greater than 3.0 supports whole disk encryption. Though it is not mandatory and only if the user chooses to encrypt the device he can do so from the device settings. Device Encryption has become mandatory for Android’s latest version 5.0. Various cryptographic algorithms are used for encryption. It also uses hardware based storage for the key using Trusted Execution Environment (TEE) signing capability. It uses 128 bit AES as the encryption algorithm with Cipher Block Chaining and SHA256. In version 5.0, when the device is booted for the first time, a 128 bit master key is generated using which the data on the device is encrypted. This master key is then encrypted with the device password (a default password if device is booted for the first time) and a stored salt. The resultant key is also signed through a TEE. The resultant is then used to encrypt and decrypt the master key. When a user changes the device password/pin or pattern, the disk master key is re-encrypted with the new password. Disk encryption makes the data safe on the device and protects it from someone to extract the data from it.
But as the password is used for encryption and if someone is successful in installing a key logger on the device one can get access to the passcode which is also used as a key to encrypt the device master
2. Application Signing and Distribution
• ANDROID-
Application signing is done to maintain the identity of the author or the developer of the application. Google ensures that the author or the vendor of the application signs the application with their key as their identity. Developers are required to sign their applications digitally using their private key and through this signature, trust is developed between Google and developers. All applications must be signed. Signature makes applications more tamper resistant because they are difficult to be broken. Once the application is developed, its .apk file is created and is signed with the private key of the developer. The embedded certs are self-signed by the …show more content…
Android version greater than 3.0 supports whole disk encryption. Though it is not mandatory and only if the user chooses to encrypt the device he can do so from the device settings. Device Encryption has become mandatory for Android’s latest version 5.0. Various cryptographic algorithms are used for encryption. It also uses hardware based storage for the key using Trusted Execution Environment (TEE) signing capability. It uses 128 bit AES as the encryption algorithm with Cipher Block Chaining and SHA256. In version 5.0, when the device is booted for the first time, a 128 bit master key is generated using which the data on the device is encrypted. This master key is then encrypted with the device password (a default password if device is booted for the first time) and a stored salt. The resultant key is also signed through a TEE. The resultant is then used to encrypt and decrypt the master key. When a user changes the device password/pin or pattern, the disk master key is re-encrypted with the new password. Disk encryption makes the data safe on the device and protects it from someone to extract the data from it.
But as the password is used for encryption and if someone is successful in installing a key logger on the device one can get access to the passcode which is also used as a key to encrypt the device master