How Android Security Works: Threats, Models, and Protection Strategies
This article examines the current Android security landscape, outlines the platform's security model, discusses program, data, and system vulnerabilities, analyzes a tampered APK case study, and presents comprehensive protection techniques such as obfuscation, shelling, and integrity verification.
1. Android Platform Security Landscape
Android faces a high volume of malicious apps and diverse malware types, driven by mobile device characteristics such as broad attack surfaces, fragmentation, and extensive user privacy exposure.
Attack entry points: browsers, malicious apps, network hijacking, USB
Fragmentation: many device manufacturers and customized Android versions
User privacy: call logs, SMS, app data
2. Android Security Model
Linux kernel security features: standard kernel protections and UID/GID‑based access control; although a device is effectively a single‑user system, Android repurposes the kernel's multi‑user model so that each app runs under its own UID and is isolated from other apps
Sandbox: each app has a private directory under /data/data and a unique UID (system UIDs start at 1000, third‑party apps at 10000)
Permissions: declared in AndroidManifest.xml, classified, granted at install time (dynamic management after Android 4.3)
IPC: inter‑process communication mechanisms (Intent, Messenger, AIDL)
APK integrity: signature verification
SELinux: kernel‑level mandatory access control introduced in Android 4.3
3. Program Security
Key concerns include preventing reverse engineering, tampering, and code injection. Techniques involve embedding anti‑debug code, using native (SO) libraries for encryption, and enforcing HTTPS for network communication.
4. Data Security
Where sensitive data lives: local databases, SharedPreferences, files on the SD card, logs, and data in transit over the network, among others.
Network traffic is especially vulnerable to interception and manipulation.
5. System Security
System environment threats: UI hijacking, component exposure, keylogging
System library risks: insecure WebView usage (e.g., addJavascriptInterface with targetSdkVersion ≤ 16)
6. Example of a Tampered APK
The malicious APK modifies its entry point, initializes hidden payment code, downloads a malicious payload, escalates privileges, and installs additional system‑level tools to hijack the device.
7. APK Protection Measures
Shelling and obfuscation: increase analysis difficulty, encrypt code, hide logic, anti‑debug, anti‑reverse engineering
Integrity verification: static checks (signing‑certificate validation, hash verification of the package and its DEX/SO files) and runtime checks (ptrace‑based anti‑debugging, anti‑dump, anti‑unpacker)
Code hiding: LLVM‑based encryption, custom SO formats, encrypted resources, DEX shelling, manifest manipulation
Effective protection combines robust shelling, thorough obfuscation, and native‑level safeguards.
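As an added illustration of the static hash verification mentioned under integrity checks (example code written for this article, not taken from any Android tool): a DEX file carries an Adler‑32 checksum at offset 8 covering everything after that field, and a SHA‑1 signature at offset 12 covering everything after the signature field. The script below seals a constructed minimal DEX image, verifies it, then flips one byte to show how naive tampering is detected; the header layout and field names follow the DEX format, while the sample payload and helper names are constructed for this example.

```python
import hashlib
import struct
import zlib

DEX_MAGIC = b"dex\n035\0"          # magic for DEX version 035
HEADER_SIZE = 0x70                  # fixed DEX header size
CHECKSUM_OFF, SIGNATURE_OFF, FILE_SIZE_OFF = 8, 12, 32

def seal_dex(body: bytes) -> bytes:
    """Fill in file_size, SHA-1 signature and Adler-32 checksum for a DEX image
    whose header fields 8..32 are still zero (constructed helper for this example)."""
    buf = bytearray(body)
    struct.pack_into("<I", buf, FILE_SIZE_OFF, len(buf))
    # the signature covers every byte after the signature field itself
    buf[SIGNATURE_OFF:SIGNATURE_OFF + 20] = hashlib.sha1(buf[SIGNATURE_OFF + 20:]).digest()
    # the checksum covers every byte after the checksum field (signature included)
    adler = zlib.adler32(bytes(buf[CHECKSUM_OFF + 4:])) & 0xFFFFFFFF
    struct.pack_into("<I", buf, CHECKSUM_OFF, adler)
    return bytes(buf)

def verify_dex(data: bytes) -> dict:
    """Static integrity check: magic, file_size, Adler-32 checksum, SHA-1 signature."""
    result = {"magic": data[:8] == DEX_MAGIC, "size": False,
              "checksum": False, "signature": False}
    if not result["magic"] or len(data) < HEADER_SIZE:
        return result
    (size,) = struct.unpack_from("<I", data, FILE_SIZE_OFF)
    result["size"] = size == len(data)
    (stored_sum,) = struct.unpack_from("<I", data, CHECKSUM_OFF)
    result["checksum"] = stored_sum == (zlib.adler32(data[CHECKSUM_OFF + 4:]) & 0xFFFFFFFF)
    stored_sig = data[SIGNATURE_OFF:SIGNATURE_OFF + 20]
    result["signature"] = stored_sig == hashlib.sha1(data[SIGNATURE_OFF + 20:]).digest()
    return result

def build_sample_dex() -> bytes:
    """Constructed minimal DEX image: a 0x70-byte header plus a dummy data section."""
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<I", header, 36, HEADER_SIZE)   # header_size
    struct.pack_into("<I", header, 40, 0x12345678)    # endian_tag (little-endian)
    payload = b"\x00" * 16 + b"constructed code section"  # stands in for real DEX sections
    return seal_dex(bytes(header) + payload)

def tamper(data: bytes, offset: int) -> bytes:
    """Flip one byte, simulating a patched DEX whose header was not re-sealed."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)

if __name__ == "__main__":
    good = build_sample_dex()
    print("original:", verify_dex(good))
    print("tampered:", verify_dex(tamper(good, len(good) - 1)))
```

Repackaging tools recompute these header fields, so this check alone only catches careless edits; in an app it should be paired with signing‑certificate validation and a hash of the DEX compared against a value the attacker cannot rewrite in place (for example one embedded in a native library or fetched from a server).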
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.