Android and Its Security Measures

Android is an open-source, Linux-based mobile OS from the Open Handset Alliance, which is led by Google. Android apps are written in Java and compiled to Dalvik byte code (.dex), which is a byte code format designed for Android. In addition to Java code, an app may contain native libraries, which are invoked from the Java code through the Java Native Interface (JNI).
All files belonging to an app are packaged and then signed as a single APK file. To make app distribution easy for mobile users, app markets host third-party apps that can be downloaded onto a device. Besides Google Play (formerly known as Android Market) as the official Android app market, a number of alternative markets are available. Once installed on a device, an app runs as an instance of a Dalvik Virtual Machine (DVM). An Android app internally consists of multiple app components.
There are four different types of app components, namely activity, service, broadcast receiver and content provider. Inter-component communication (ICC) is performed using an intent, which is a messaging object that contains the destination component’s address or action string, and possibly data. Besides facilitating unicast-based ICC between two components, an intent is also used to deliver a broadcast to multiple interested broadcast receivers. The Android system itself delivers various broadcasts for system events, such as upon completion of system boot-up. Unlike regular Java programs that have a single entry point, Android apps can have multiple entry points. Android app developers write their code by overriding the lifecycle methods of app components.
The Android framework interacts with different app components independently, and calls a component’s lifecycle methods based on the app execution environment.

The Android OS deploys various security measures. The two main measures are app sandboxing and the Android permission model. The former provides app isolation and containment by taking advantage of Linux access control and process protection mechanisms. The latter restricts an app’s capability by regulating sensitive API calls that access Android protected resources. Other deployed security measures include app signing, to verify that different apps come from the same developer, and app component encapsulation, which restricts access to a component.
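
The following is an added example, not part of the original text: a small manifest audit that lists which of the four component types are reachable by other apps (not encapsulated) and whether a permission guards them. The sample manifest, package name and function names are constructed for illustration, and the default-export rule used is the pre-Android 12 behaviour, stated here as an assumption.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (hypothetical app, not from the article).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:exported="true"
              android:authorities="com.example.demo.notes"
              android:permission="com.example.demo.READ_NOTES"/>
  </application>
</manifest>"""

def audit_components(manifest_xml):
    """Return (kind, name, exported, guarded) for each declared component."""
    app = ET.fromstring(manifest_xml.strip()).find("application")
    app_perm = app.get(NS + "permission")  # applies to all components if set
    results = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS:
            continue
        explicit = elem.get(NS + "exported")
        if explicit is not None:
            exported = explicit == "true"
        else:
            # Assumption: pre-Android 12 default, where declaring an intent
            # filter makes a component exported. Provider defaults depend on
            # the target SDK, so an unmarked provider is treated as private.
            exported = (elem.tag != "provider"
                        and elem.find("intent-filter") is not None)
        guarded = (elem.get(NS + "permission") or app_perm) is not None
        results.append((elem.tag, elem.get(NS + "name"), exported, guarded))
    return results

def unprotected(manifest_xml):
    """Names of components other apps can reach with no permission check."""
    return [name for _, name, exported, guarded
            in audit_components(manifest_xml) if exported and not guarded]

if __name__ == "__main__":
    for row in audit_components(SAMPLE_MANIFEST):
        print(row)
    print("review:", unprotected(SAMPLE_MANIFEST))
```

A flagged entry is a prompt for review rather than a defect: a launcher activity has to be exported, while a broadcast receiver exported only through its intent filter is the kind of entry worth checking.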