[Original] Android 4.4 security updates
Posted on: 2013-11-7 14:22 (10633 views)


http://blog.csdn.net/u011069813/article/details/14223337
The images didn't come across; if you want to see them, go to the blog above.
http://developer.android.com/about/versions/kitkat.html

http://developer.android.com/about/versions/android-4.4.html

1. Malicious subscriptions

iOS has simply never let third-party apps send or intercept SMS directly. Android claims to be open... and has never had the heart to cut this off!

4.4 takes the first cut with the scalpel; more will be trimmed over time.

In 4.4, only the app the user has set as the default SMS app can send and intercept SMS directly. Getting a user to set a third-party app as the default SMS app takes courage and tests their IQ. Not being able to send SMS directly means: how is a malicious subscription supposed to be completed at all!

The Telephony content provider (the "SMS Provider") allows apps to read and write SMS and MMS messages on the device. It includes tables for SMS and MMS messages received, drafted, sent, pending, and more.

Beginning with Android 4.4, the system settings allow users to select a "default SMS app." Once selected, only the default SMS app is able to write to the SMS Provider and only the default SMS app receives the SMS_DELIVER_ACTION broadcast when the user receives an SMS or the WAP_PUSH_DELIVER_ACTION broadcast when the user receives an MMS. The default SMS app is responsible for writing details to the SMS Provider when it receives or sends a new message.

Other apps that are not selected as the default SMS app can only read the SMS Provider, but may also be notified when a new SMS arrives by listening for the SMS_RECEIVED_ACTION broadcast, which is a non-abortable broadcast that may be delivered to multiple apps. This broadcast is intended for apps that---while not selected as the default SMS app---need to read special incoming messages such as to perform phone number verification.

But SMS interception is genuinely valuable in a country like **, otherwise ads run rampant. Android says, rather ambiguously, that other apps can read SMS but may not be able to intercept them... which shows Google has people inside who know China well and understand Chinese real-estate SMS ads deeply....

, but may also be notified when a new SMS arrives by listening for the SMS_RECEIVED_ACTION broadcast, which is a non-abortable broadcast that may be delivered to multiple apps

2. Reading the SD card now requires a permission

For a long time the SD card has done the dirty work of storage while being treated like an illegitimate child: anyone could trample on it.

This time Google has acknowledged its status, and reading and writing the SD card also requires requesting a permission.

Your app can not read shared files on the external storage when running on Android 4.4, unless your app has the READ_EXTERNAL_STORAGE permission. That is, files within the directory returned by getExternalStoragePublicDirectory() are no longer accessible without the permission. However, if you need to access only your app-specific directories, provided by getExternalFilesDir(), then you do not need the READ_EXTERNAL_STORAGE permission.

3. A few new permissions

In fact, both creating and deleting shortcuts can be abused....

The following are new permissions that your app must request with the <uses-permission> tag to use certain new APIs:

INSTALL_SHORTCUT
Allows an application to install a shortcut in Launcher
UNINSTALL_SHORTCUT
Allows an application to uninstall a shortcut in Launcher
TRANSMIT_IR
Allows an application to use the device's IR transmitter, if available

4. Improvements for notification-bar ads and spam

Notification listener services can now see more information about incoming notifications that were constructed using the notification builder APIs. Listener services can access a notification's actions as well as new extras fields — text, icon, picture, progress, chronometer, and many others — to extract cleaner information about the notification and present the information in a different way.

From now on, apps can read notification-bar information at a finer granularity in order to filter spam and keep the motherland peaceful.

5. WebKit

Chromium WebView has arrived, because the commander-in-chief changed!
In effect, the internal implementation has switched from the current default WebKit engine to the Chromium engine. Those of you researching this area, take note!

Android 4.4 includes a completely new implementation of WebView that's based on Chromium. The new Chromium WebView gives you the latest in standards support, performance, and compatibility to build and display your web-based content.

Chromium WebView provides broad support for HTML5, CSS3, and JavaScript. It supports most of the HTML5 features available in Chrome for Android 30. It also brings an updated version of the JavaScript Engine (V8) that delivers dramatically improved JavaScript performance.

6. Common Encryption for DASH   DRM is meaningless... the key is the business model!
Android now supports the Common Encryption (CENC) for MPEG-DASH, providing a standard, multiplatform DRM scheme for managing protected content. Apps can take advantage of CENC through Android's modular DRM framework and platform APIs for supporting DASH.

--------------------------------------------------------------------------------

7. SELinux (enforcing mode)  Finally enabled. What I care about most is what the default policy is, and how OEMs should customize it!
Android 4.4 updates its SELinux configuration from "permissive" to "enforcing." This means potential policy violations within a SELinux domain that has an enforcing policy will be blocked.

8. Improved cryptographic algorithms  Elliptic-curve signatures added
Android has improved its security further by adding support for two more cryptographic algorithms. Elliptic Curve Digital Signature Algorithm (ECDSA) support has been added to the keystore provider improving security of digital signing, applicable to scenarios such as signing of an application or a data connection. The Scrypt key derivation function is implemented to protect the cryptographic keys used for full-disk encryption.

scrypt was developed by the well-known FreeBSD hacker Colin Percival for his backup service Tarsnap.
scrypt not only takes a long time to compute but also uses a lot of memory, which makes computing many digests in parallel extremely hard, so brute-force attacks using rainbow tables become more difficult. scrypt has not been deployed at scale in production environments and lacks careful scrutiny and broad library support. But as long as there is no flaw at the algorithmic level, scrypt's security should be higher than that of PBKDF2 and bcrypt.

Currently the key used for full-disk encryption is derived from the PIN via PBKDF2 (Password-Based Key Derivation Function); in future it will be scrypt.
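As an added example (not code from the original post or from Android's own implementation), the contrast drawn above in running code: deriving a key-encryption key from a PIN with PBKDF2 costs only CPU time per guess, while scrypt also pins 128 * r * N bytes of memory per evaluation, which caps how many guesses fit side by side in a given amount of RAM. The PIN, salt and cost parameters are constructed for illustration and are not Android's real values.

```python
import hashlib
import hmac

# Constructed illustrative parameters; not the page's values and not taken from
# Android's cryptfs code. A 4-digit PIN, a fixed 16-byte salt, PBKDF2-HMAC-SHA1
# with 2000 iterations, scrypt with N=2^14, r=8, p=1.
PBKDF2_ITERATIONS = 2000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32  # bytes: a 256-bit key-encryption key
SALT = bytes(range(16))


def pbkdf2_key(pin: str, salt: bytes = SALT) -> bytes:
    """Key-encryption key derived the PBKDF2 way: CPU cost only, no memory cost."""
    return hashlib.pbkdf2_hmac("sha1", pin.encode(), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def scrypt_key(pin: str, salt: bytes = SALT) -> bytes:
    """Key-encryption key derived with scrypt: each evaluation must hold a
    128 * r * N byte table in RAM, which is what limits parallel guessing."""
    return hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, maxmem=64 * 1024 * 1024, dklen=KEY_LEN)


def scrypt_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Working memory one scrypt evaluation needs (N blocks of 128*r bytes)."""
    return 128 * r * n


def parallel_guesses_per_gib(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """How many scrypt evaluations fit side by side in 1 GiB of RAM: the
    memory-hardness argument in numbers (PBKDF2 has no such bound)."""
    return (1024 ** 3) // scrypt_memory_bytes(n, r)


def unlock(pin: str, stored_key: bytes, salt: bytes = SALT) -> bool:
    """The unlock-time check: re-derive from the PIN and compare in constant time."""
    return hmac.compare_digest(scrypt_key(pin, salt), stored_key)


if __name__ == "__main__":
    stored = scrypt_key("1234")
    print("scrypt key:", stored.hex())
    print("pbkdf2 key:", pbkdf2_key("1234").hex())
    print("memory per scrypt guess:", scrypt_memory_bytes() // (1024 * 1024), "MiB")
    print("scrypt guesses in parallel per GiB:", parallel_guesses_per_gib())
    print("unlock 1234:", unlock("1234", stored), "unlock 0000:", unlock("0000", stored))
```

Raising N or r scales the per-guess memory linearly, so `parallel_guesses_per_gib` shows directly how a parameter choice bounds an attacker's parallelism on a given memory budget.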

9. Other enhancements  VPN improvements  Very domineering. I've figured out Google's next big move; have you?
Multi-user mode, currently on tablets, can route all of one user's traffic through a VPN.

On multiuser devices, VPNs are now applied per user. This can allow a user to route all network traffic through a VPN without affecting other users on the device. Also, Android now supports FORTIFY_SOURCE level 2, and all code is compiled with those protections. FORTIFY_SOURCE has been enhanced to work with clang.

FORTIFY_SOURCE against memory corruption: not much to comment on, Linux has had it for ages...


Latest replies (6)
The original post is Lao Wang's, isn't it? And you label this as original?

Fine. You are Lao Wang.
2013-11-7 15:18
Lao Wang is here!
2013-11-7 15:32
Bowing to Lao Wang!
2013-11-10 13:49
Bowing to Lao Wang~~
2013-11-19 17:04
Bowing in progress
2013-11-19 20:00
Feels really impressive…
I don't understand it, but it seems awesome
2013-11-26 15:46