**3. The Android attack surface**

Briefly described, *Google Play* is a collection of services that allow users to discover, install, and purchase applications from their Android device or the web. It also provides community review, application license verification, application security scanning, and other security services. The *Android update service* delivers new capabilities and security updates to selected Android devices, including updates through the web or over the air (OTA). The term *Application services* refers to a set of frameworks that allow Android applications to use cloud capabilities such as backing up application data and settings and cloud-to-device messaging (C2DM) for push messaging. The *Verify Apps* service warns about or automatically blocks the installation of harmful applications, and continually scans applications on the device, warning about or removing harmful apps. *SafetyNet* is a privacy-preserving intrusion detection system that assists Google in tracking and mitigating known security threats, in addition to identifying new security threats. *SafetyNet Attestation* is a third-party API to determine whether a device is CTS compatible. Attestation can also help to identify the Android application communicating with the application server. Finally, the Android device manager is a Web and Android application to locate lost or stolen devices [1].

**Figure 3.** The primary Google security services.

202 Smartphones from an Applied Research Perspective

As can be observed from the previous description, Android has become a continuously evolving, complex ecosystem composed of multiple subsystems and services that together pose an enormous challenge in terms of security. In this context, the following section briefly discusses some attempts to conceptualize and characterize the Android attack surface and key security challenges, prior to the later discussion of some of the main malware analysis and detection techniques. It serves as an initial landmark from which the techniques and research approaches presented later on may be better referred to or mapped to specific security aspects of the Android ecosystem.

An attack surface is a term used to identify the characteristics of a target that make it vulnerable to attack. An attack vector generally refers to the means by which an attacker performs an attack. In other words, an attack surface refers to the code that an attacker can execute and therefore can attack. In contrast to an attack vector, an attack surface does not depend on the attackers' actions or require a vulnerability to be present; it describes where in code vulnerabilities might be waiting to be discovered. Generally, the size of a target's attack surface is directly proportional to how much it interfaces with other systems. Similar to attack vectors, attack surfaces can be discussed both in general and in increasingly specific terms. Studying one particular attack surface commonly reveals additional attack surfaces [9].

By focusing on particularly risky attack surfaces, a system can be attacked or secured more quickly. Several properties are important when identifying attack surfaces, among them attack vectors, privileges gained, memory safety, and complexity. Because Android devices have such a large and complex set of attack surfaces, it is necessary to divide them [9]. **Figure 4** exemplifies some of the more general attack surfaces for Android devices together with some attack vectors and propagation mechanisms.

The remote attack surface is the largest and most attractive attack surface exposed by an Android device. This name, which is also an attack vector classification, aims to express the fact that the attacker does not need to be physically located near the victim. Instead, attacks are executed over a computer network, usually the Internet. Various properties further divide this surface into distinct groups; see **Figure 4**. The remote attack surface addresses the various attack surfaces exposed to code that is already executing on a device. The privileges required to access these attack surfaces vary depending on how the various endpoints are secured. When an attacker has achieved arbitrary code execution on a device, the next logical step is to escalate privileges, either in the kernel space or under the root or system user. The physical attack surfaces give name to the attacks that require physically touching a device, in contrast to physical adjacency, where the attacker only needs to be within a certain range of the target. The third-party modification attack surface relates to attack surfaces associated with the modification of various parts of an Android device system, as many parties involved in creating Android devices tend to make extensive changes as a part of their integration process [9].
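The point that access to endpoints exposed to code already executing on a device depends on how each endpoint is secured can be checked from an app's manifest. The following is an added example, not taken from the chapter or from [9]: it inventories the components of a constructed manifest, assumed to be already decoded to text XML, for a hypothetical package `com.example.notes`. It assumes the legacy default in which a component with an intent filter and no explicit `android:exported` attribute is reachable by other apps.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample: a decoded (text XML) manifest for a hypothetical app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <permission android:name="com.example.notes.SYNC" android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true"/>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.notes.SYNC"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".NotesProvider" android:authorities="com.example.notes" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(elem):
    """Explicit android:exported wins. Otherwise assume the legacy default:
    a component with an intent filter is reachable by other apps."""
    value = elem.get(ANDROID + "exported")
    if value is not None:
        return value.lower() == "true"
    return elem.find("intent-filter") is not None

def exposed_endpoints(manifest_xml):
    """Map each declared component to how other on-device code can reach it.
    Protection levels are resolved only for permissions this manifest declares."""
    root = ET.fromstring(manifest_xml.strip())
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.findall("permission")}
    report = {}
    for elem in root.findall("application/*"):
        if elem.tag not in COMPONENTS:
            continue
        name, perm = elem.get(ANDROID + "name"), elem.get(ANDROID + "permission")
        if not is_exported(elem):
            report[name] = "internal"
        elif perm is None:
            report[name] = "exported, unprotected"
        else:
            report[name] = "exported, guarded by %s (%s)" % (
                perm, levels.get(perm, "declared elsewhere"))
    return report

if __name__ == "__main__":
    for name, exposure in exposed_endpoints(SAMPLE_MANIFEST).items():
        print(f"{name:16} {exposure}")
```

Components reported as exported and unprotected are the ones to review first; a signature-level permission restricts callers to apps signed with the same key.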

Unfortunately, on top of this complexity, Android's security analysis also needs to take into account a set of Android security challenges such as fragmentation, malware, management tool selection, user behavior, and compartmentalization [10]. The fragmentation challenge refers to the complexity associated with the wide range of modified Android versions implemented on different devices. The malware challenge refers to the rapid increase in the development and sophistication of malicious applications targeting the Android OS. The management tool selection challenge relates to selecting management tools that avoid overlapping or conflicting features and maximize IT productivity. The user behavior challenge refers to the need to encourage users to comply with good security policies and practices. Lastly, compartmentalization describes the challenge of providing dual personal and mobile virtualization, which separates a single device into different personal environments [11].

**Figure 4.** Android's main attack surfaces, based on descriptions in [9].
