Hello Rahul,

Yes, you're totally right. I have to flash a new Android OS kernel which is set to fire off a malware finder task in the background. If it false-positives some App and suspends it, I must warn the user but let the user override and resume the App if they want.

Thank you very much for the advice. I really appreciate it.

Fal

On Sep 16, 12:37 pm, Rahul Potharaju <[email protected]> wrote:
> Adding to what David said:
>
> > > 1. I must create a rules set of acceptable function call flows
> > > which every App must conform to. Any App that starts executing a
> > > strange function call sequence is considered malware and gets killed.
> > > Can I create this rule set with the on-device SQLite RDB?
>
> There is no fool-proof way of doing this and should you succeed in such an
> approach, make sure that you verify the false positive rate because these
> "strange function call" sequences can actually be valid in some cases
> depending on the intended purpose of the application. For instance, sending
> information out of the phone might not be acceptable for a wallpaper
> application but perfectly valid for a gaming application.
>
> Regards,
> Rahul
>
> On Fri, Sep 16, 2011 at 4:15 AM, David Herges <[email protected]> wrote:
> >
> > Hi, can't give you answers for all questions, but from what I know:
> >
> > > 2. I must create a service component running in the background.
> > > This must periodically poll every running App and compare its function
> > > call flow against my rule set RDB.
> >
> > Ouh...don't think so. The Android maxim is a bit of "all applications are
> > equal" and I can't imagine how an application could be capable of reading
> > another application's programmatic control flow; would basically need to
> > analyse the DVM call stack?! But the VMs are sandboxed from each other...so
> > even if it was possible in theory, Android's security architecture would not
> > allow this.
> >
> > > 3. Can I achieve all this with just the Android SDK? Or will I
> > > have to use the Android NDK as well? I don't want to use the NDK
> > > unless I have to.
> >
> > I doubt that it is possible by any kind of monitoring application.
> > Probably, you need to modify the framework itself. But I don't know exactly.
> >
> > > 4. I went through the very helpful tutorial "Understanding
> > > Android's Security Framework" by William Enck and Patrick McDaniel.
> > > Is this a new Framework introduced into the Android Libraries layer?
> >
> > That's just a description of how Android's security architecture works.
> > There are also some papers from Shabtai et al. that focus on Android's
> > security model.
> >
> > Cheers,
> > David
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Android Security Discussions" group.
> > To view this discussion on the web visit
> > https://groups.google.com/d/msg/android-security-discuss/-/tgeF6zy9BRwJ.
> > To post to this group, send email to
> > [email protected].
> > To unsubscribe from this group, send email to
> > [email protected].
> > For more options, visit this group at
> > http://groups.google.com/group/android-security-discuss?hl=en.
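The thread above turns on two points: a rule set of "acceptable call flows" only works if it is judged per application purpose (Rahul's wallpaper-versus-game example), and its false positive rate has to be measured rather than assumed; Fal's reply adds that a false positive should suspend the app but leave the user an override. The following is an added illustration, not code from this thread or from any Android component. It models the rule set as ordered source-to-sink flows with per-category exceptions, measures the false positive rate on constructed, labelled traces, and tracks the suspend/override state. The app names, categories, operation names (`read_contacts`, `send_network`, ...) and traces are all constructed abstractions, not real Android API names.

```python
"""Category-aware call-flow rules with a false-positive check (added example)."""
from dataclasses import dataclass

# Ordered (source, sink) pairs that the rule set treats as a "strange" flow
# unless the app's category explicitly permits them. Constructed names.
SUSPICIOUS_FLOWS = {
    ("read_contacts", "send_network"),
    ("read_sms", "send_network"),
    ("read_location", "send_network"),
}

# Per-category exceptions: flows that are legitimate for that kind of app
# (sending data out is odd for a wallpaper, normal for a multiplayer game).
CATEGORY_ALLOWED = {
    "wallpaper": set(),
    "game": {("read_location", "send_network")},
    "messaging": {("read_contacts", "send_network"), ("read_sms", "send_network")},
}

# A category-blind rule set, used below to show why exceptions matter.
NO_EXCEPTIONS = {category: set() for category in CATEGORY_ALLOWED}


def flagged_flows(trace, category, allowed=CATEGORY_ALLOWED):
    """Return the suspicious (source, sink) flows present in a call trace.

    A flow (src, sink) matches when src occurs anywhere before sink in the
    trace. Flows permitted for the app's category are not reported.
    """
    permitted = allowed.get(category, set())
    seen = set()
    hits = set()
    for op in trace:
        for src, sink in SUSPICIOUS_FLOWS:
            if op == sink and src in seen and (src, sink) not in permitted:
                hits.add((src, sink))
        seen.add(op)
    return sorted(hits)


@dataclass
class AppState:
    name: str
    category: str
    suspended: bool = False
    user_overridden: bool = False


def evaluate(app, trace):
    """Suspend an app whose trace carries an unpermitted flow, unless the
    user already overrode an earlier verdict for it. Returns the hits so the
    warning shown to the user can say which flow triggered it."""
    hits = flagged_flows(trace, app.category)
    if hits and not app.user_overridden:
        app.suspended = True
    return hits


def user_override(app):
    """The user resumes a suspended app; later scans do not re-suspend it."""
    app.suspended = False
    app.user_overridden = True


def false_positive_rate(labelled, allowed):
    """labelled: iterable of (category, trace, is_malicious).
    Fraction of benign traces the rule set flags."""
    benign = [(c, t) for c, t, malicious in labelled if not malicious]
    false_positives = sum(1 for c, t in benign if flagged_flows(t, c, allowed))
    return false_positives / len(benign) if benign else 0.0


# Constructed labelled traces: (category, operations in order, is_malicious).
LABELLED = [
    ("wallpaper", ["load_image", "open_network"], False),
    ("wallpaper", ["read_contacts", "send_network"], True),
    ("game", ["read_location", "send_network", "render"], False),
    ("game", ["read_sms", "send_network"], True),
    ("messaging", ["read_contacts", "send_network"], False),
    ("messaging", ["read_sms", "send_network"], False),
    ("messaging", ["read_location", "send_network"], True),
]

if __name__ == "__main__":
    print("FPR, category-aware:", false_positive_rate(LABELLED, CATEGORY_ALLOWED))
    print("FPR, category-blind:", false_positive_rate(LABELLED, NO_EXCEPTIONS))
```

On the constructed traces the category-aware rule set flags all three malicious traces and no benign ones, while the same flows applied without exceptions flag three of the four benign traces; that gap is the false positive rate Rahul says must be verified before an app is killed on the strength of a "strange" sequence. Note that the rule set here is a per-category allowlist of exceptions, which is easy to reason about but only as good as the category labelling an app can be trusted to carry.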
