The number of smartphone users is rapidly increasing worldwide, especially users of Android OS devices, which are now the devices most often used for IT services. Services are moving from PCs and laptops to smartphones and tablets. These devices need to be small for increased portability. The technologies are convenient, but as the devices start to contain increasing amounts of important personal information, better security is required. Security systems are rapidly being developed. The aim of the project is to develop an Android-based smartphone application. Today more people are using simple and cheaper hardware such as mobiles and handheld devices; with them we can communicate and also carry out business transactions. They provide much better mobility than PCs. Technology is moving towards mobiles, which have widespread usage and acceptability. Many protocols and software packages have been developed. The recent surge in popularity of smart handheld devices, including smartphones and tablets, has given rise to new challenges in the protection of Personally Identifiable Information (PII). Indeed, modern mobile devices store PII for applications that span from email to SMS and from social media to location-based services, increasing concerns about the end user's privacy. Therefore, there is a clear need and expectation for PII data to be protected in the case of loss, theft, or capture of the portable device.

Android is a software platform and operating system for mobile devices developed by Google and the Open Handset Alliance. It allows developers to write managed code in a Java-like language that utilizes Google-developed Java libraries, but does not support programs developed in native code. It includes an operating system, middleware and key applications. The Android SDK provides the tools and APIs necessary to begin developing applications on the Android platform using the Java programming language.

The unveiling of the Android platform on 5 November 2007 was announced with the founding of the Open Handset Alliance, a consortium of 34 hardware, software and telecom companies devoted to advancing open standards for mobile devices. When released in 2008, most of the Android platform will be made available under the Apache free-software and open source license. Currently Android represents 31.2 percent of the U.S. smartphone market. Android has a large community of developers writing application programs. There are currently over 150,000 apps available for Android. Android Market is the online app store run by Google, though apps can also be downloaded from third party sites.

The aim of the project is to provide more security to handheld devices. Nowadays smartphones contain a large amount of official data that should be secured. The future of electronic payment is through smartphone authentication and facial recognition: a cardless Mobile Cash Access (MCA) solution, which not only eliminates the threat of card skimming at the ATM, but also allows financial institutions to provide a secure mobile wallet solution without installing additional hardware on ATMs or point-of-sale (POS) terminals. Smartphones are becoming increasingly widely deployed, and as such new possibilities for utilizing the many capabilities of smartphones for public and private use are arising. This project will investigate the possibility of using smartphones as a platform for authentication by using Android.

To gain a more practical understanding of the challenges mobile authentication encounters, a case study was performed in this project.
Create a secure centralised authentication system in which users can access data only according to their respective privileges.
To ensure that user data is not abused, all requests for access must be approved by the account holder.
Access control has two components, authentication and authorization. Authentication services allow users to sign in to your application, and any application that requires access to a user's data must be authorized by the user.
The authentication made should be sensitive and should prevent intruders acting on it.

Analyzing the implications of faulty authentication in that area: there are numerous applications for Android.

Traditional approaches to authentication involving strong passwords have several limitations in the context of mobile phones. Miniature keypads (and, in the latest devices, on-screen touch keypads) tend to motivate users to choose simpler, and thus weaker, passwords.

Android is the name of the Linux-based operating system that is backed by Google and the other members of the Open Handset Alliance. Because of Android's open source nature, Android-based smartphones should be cheaper to produce than those that use an operating system such as Microsoft Windows Mobile, which requires a royalty fee to be paid for such use. The T-Mobile G1 was the first Android OS smartphone to be officially introduced to the market. Android phones typically come with several built-in applications and also support third-party programs. Developers can create programs for Android using the free Android SDK (Software Developer Kit). Android programs are written in Java and run through Google's Dalvik virtual machine, which is optimized for mobile devices. Users can download Android "apps" from the online Android Market. Since several manufacturers make Android-based phones, it is not always easy to tell if a phone is running the Android operating system. If you are unsure what operating system a phone uses, you can often find the system information by selecting "About" in the Settings menu.

PKI Public key infrastructure
PIN Personal identification number
SIM Subscriber identity module
QoS Quality of Service
OTP One time password
MITM Man in the middle
CIA Confidentiality, Integrity and Availability
SQL Structured Query Language (database)


In the Android operating system, there are four layers. Android has its own libraries, which are helpful for developing and designing any application for the Android platform. These libraries are written in C/C++. The Linux kernel is the first layer and is written in C. Linux also helps to wrap the application.

1.8 Features of Android

Application Framework enabling reuse and replacement of components.
Dalvik Virtual Machine optimized for mobile devices.
Integrated browser based on the open source WebKit engine.
SQLite for structured data storage.
GSM Telephony (hardware dependent).
Bluetooth, EDGE, 3G, and Wi-Fi (hardware dependent).
Camera, GPS, Compass and accelerometer (hardware dependent).

1.9 Android Architecture

The following diagram shows the major components of the Android operating system. Each section is described in more detail below:
[Figure: Android architecture diagram; labels recovered from the page: Application Framework, Android Runtime]

The SRS includes two sections, namely:
Overall Description:
This section describes the major components of the system, their interconnections and external interfaces.
Specific Requirements:
This section describes the authentication methods available in smartphones and the type of authentication provided.

2.1 Authentication
Authentication is usually divided into two services: peer entity authentication and data origin authentication.
Two parties take part: the prover and the verifier. The prover needs to present proof of the association between the principal and the identity, and the verifier is responsible for verifying the correctness of the proof.
When dealing with authentication systems, there are four essential issues that must be considered: effectiveness, usability, cost and impersonation attacks. As we have discussed previously in this section, it is very difficult to achieve perfect and absolute security, and the same applies to authentication, due to technical and nontechnical reasons. Impersonation attacks, in which a prover attempts to demonstrate a false identity claim, must be considered.
In general, masquerades can be achieved by replaying or relaying valid sequences during authentication.
The prover has to provide information to the verifier, which usually takes the form of credentials or items of value, to prove the claim of who the prover is.
The items of value or credentials are based on several unique factors that show something you know, something you have, or something you are.
The first authentication factor consists of using a secret which a human subject mentally possesses, or, in the case of a device such as a smartcard, a key stored in secure memory. This could be a password or a key which is only known by the prover and the verifier.
The secrets have to be hard to guess to avoid guessing attacks such as dictionary attacks, and this is why people are encouraged to use hard-to-guess passwords.
The third factor, something you are, is based on characteristics of the subject such as voice, fingerprints or iris patterns, and relates to biometrics.

Authenticating a principal based on the first authentication factor (something you know) can be achieved using three families of mechanisms: basic authentication, one-time passwords and challenge-response.
Basic authentication consists of a reusable password which is shared between the prover and the verifier; the prover must reveal the password to the verifier to be authenticated.


Fig:2.1 Flowchart
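The three mechanism families above (basic authentication, one-time passwords and challenge-response) differ in how they hold up against the replay masquerade mentioned earlier. The following Python sketch is an added example, not code from the project: it models a prover and verifier sharing a constructed secret, uses an HOTP-style counter code (RFC 4226) for the one-time password, and shows which mechanism still accepts a captured value when it is presented a second time.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed sample secret shared out of band by prover (phone) and verifier (server).
SHARED_SECRET = b"example-shared-secret-for-demo-only"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{code % 10 ** digits:0{digits}d}"


def challenge_response(secret: bytes, nonce: bytes) -> str:
    """Prover side of challenge-response: HMAC of the verifier's fresh nonce (secret never sent)."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()


class Verifier:
    """Server side. Holds the shared secret plus the state each mechanism needs."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0        # next HOTP counter value the verifier will accept
        self.pending = None     # outstanding challenge nonce, single use

    # 1. Basic authentication: the reusable password itself is presented.
    def check_basic(self, presented: bytes) -> bool:
        return hmac.compare_digest(presented, self.secret)

    # 2. One-time password: the code for the current counter; the counter advances on
    #    success, so the same code is not valid a second time.
    def check_otp(self, code: str) -> bool:
        if hmac.compare_digest(code, hotp(self.secret, self.counter)):
            self.counter += 1
            return True
        return False

    # 3. Challenge-response: the verifier issues a random nonce, expects HMAC(secret, nonce)
    #    and discards the nonce after one use.
    def new_challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def check_response(self, response: str) -> bool:
        if self.pending is None:
            return False
        expected = challenge_response(self.secret, self.pending)
        self.pending = None
        return hmac.compare_digest(response, expected)


def replay_resistance() -> dict:
    """Present each credential twice; report whether the second (replayed) presentation is accepted."""
    v = Verifier(SHARED_SECRET)
    results = {}

    password = SHARED_SECRET                      # basic auth sends the secret itself
    results["basic_first"] = v.check_basic(password)
    results["basic_replay"] = v.check_basic(password)     # same value accepted again

    code = hotp(SHARED_SECRET, v.counter)         # prover computes the current OTP
    results["otp_first"] = v.check_otp(code)
    results["otp_replay"] = v.check_otp(code)     # counter moved on, stale code rejected

    nonce = v.new_challenge()
    response = challenge_response(SHARED_SECRET, nonce)
    results["cr_first"] = v.check_response(response)
    v.new_challenge()                             # a new login attempt gets a new nonce
    results["cr_replay"] = v.check_response(response)     # old response no longer matches
    return results
```

Only the basic-authentication row accepts the replayed value, which is the page's point about reusable passwords versus the other two families.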


Design and Implementation of Improved Authentication System
Slide Lock: No security.
Glass Lock: No security.
Keypad Lock: Requires a four-digit password, so it provides a key space of about 10,000 (0 to 9999). A brute force attack is easy.
Pattern Lock: There are nine dots on the screen, each of which can be touched and dragged one dot at a time to make a password. It provides approximately one million (= 9P4 + 9P5 + 9P6 + 9P7 + 9P8 + 9!) of key space. Better than Keypad Lock but not very secure.
Lock Screen: It has about ten million (6^9 = 10077696) key spaces with 9 inputs. It can also be made larger by increasing the number of repetitive touches. The bigger the key space, the more difficult a brute force attack is.


Redundant input (re-touching the circle) is allowed.
When a circle is touched more than once, it changes colour (a maximum of seven times) so that the user can identify the correct input.
This Lock Screen system has about ten million (6^9 = 10077696) key spaces. It can also be made larger by increasing the number of repetitive touches.
The security strength depends upon the size of the key space; the bigger the key space, the more difficult a brute force attack is.
To control the usage, besides entering the password, the acceleration sensor (shaking the mobile phone) can be used. Touching is not

Fig:2.2 Authentication System
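The key-space figures quoted for the Keypad Lock, Pattern Lock and Lock Screen above can be reproduced and compared directly. The following Python is an added example, not code from the page or the referenced paper: it evaluates the page's own formulas, converts each key space to bits of entropy, and estimates the cost of online guessing under an assumed attempt-limit policy (the lockout parameters are assumptions, not taken from the page).

```python
from math import log2, perm


def keypad_key_space(digits: int = 10, length: int = 4) -> int:
    """Keypad Lock: every digit string of the given length (10^4 = 10,000 for four digits)."""
    return digits ** length


def pattern_key_space(dots: int = 9, min_len: int = 4) -> int:
    """Pattern Lock as counted on the page: 9P4 + 9P5 + ... + 9P8 + 9!.

    This counts every ordering of at least four distinct dots. A real Android pattern
    must also respect adjacency rules (a stroke may not skip over an unvisited dot),
    so the usable key space is smaller than this upper bound.
    """
    return sum(perm(dots, k) for k in range(min_len, dots + 1))


def lock_screen_key_space(inputs: int = 9, states: int = 6) -> int:
    """Lock Screen: each of the nine circles ends in one of six states (6^9 = 10,077,696)."""
    return states ** inputs


def entropy_bits(key_space: int) -> float:
    """Equivalent password entropy in bits, assuming uniformly chosen secrets."""
    return log2(key_space)


def average_guesses(key_space: int) -> int:
    """A brute-force attacker trying candidates in any fixed order needs, on average, half of them."""
    return key_space // 2


def expected_attack_seconds(key_space: int, seconds_per_try: float,
                            attempts_before_lockout: int, lockout_seconds: float) -> float:
    """Online guessing against a device that pauses after N failed tries.

    Models the wait the device imposes on every block of failed attempts, which is why a
    small key space such as the keypad still needs a lockout policy to be defended.
    """
    guesses = average_guesses(key_space)
    lockouts = guesses // attempts_before_lockout
    return guesses * seconds_per_try + lockouts * lockout_seconds


def compare_locks() -> dict:
    """Summary keyed by lock type; values are (key space, bits, average guesses)."""
    spaces = {
        "keypad": keypad_key_space(),
        "pattern": pattern_key_space(),
        "lock_screen": lock_screen_key_space(),
    }
    return {name: (n, round(entropy_bits(n), 1), average_guesses(n)) for name, n in spaces.items()}


if __name__ == "__main__":
    for name, (n, bits, avg) in compare_locks().items():
        # Assumed policy: 2 s per try, 30 s pause after 5 failed attempts.
        secs = expected_attack_seconds(n, 2.0, 5, 30.0)
        print(f"{name:12s} key space {n:>10,d}  {bits:5.1f} bits  "
              f"~{secs / 3600:,.0f} h of guessing on average")
```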

Android is a widely anticipated open source operating system for mobile devices that provides a base operating system, an application middleware layer, a Java software development kit (SDK), and a collection of system applications. Android mobile application development is based on Java language code, as it allows developers to write code in the Java language.

Fig : 2.3 Structure

Android will ship with a set of core applications including an email client, SMS program, calendar, maps, browser, contacts and others. All applications are written using the Java programming language.

3.2 Application Framework

Above that there is the Application Framework, written in the Java language. It is a toolkit that all applications use, both the ones which come with the mobile device, like Contacts or the SMS box, and applications written by Google or any Android developer. It has several components.
The Activity Manager manages the life cycle of the applications and provides a common navigation back stack for applications which are running in different processes. The Package Manager keeps track of the applications which are installed on the device. The Window Manager is a Java programming language abstraction on top of lower level services that are provided by the Surface Manager.

3.3 Android Runtime

At the same level there is the Android Runtime, where the main component, the Dalvik Virtual Machine, is located. It was designed specifically for Android running in a limited environment, where the limited battery, CPU, memory and data storage are the main issues.
Android provides an integrated tool, dx, which converts the generated byte code from .jar to .dex files; after this the byte code becomes much more efficient to run on small processors. As a result, it is possible to have multiple instances of the Dalvik virtual machine running on a single device at the same time. The core libraries are written in the Java language and consist of the collection classes, the utilities, IO and other

Fig 2.5: Conversion from .java to .dex file

3.4 Application Components

Application components are the essential building blocks of an Android application. Not all components are actual entry points for the user and some depend on each other, but each one exists as its own entity and plays a specific role; each one is a unique building block that helps define your application's overall behavior. There are four different types of application components. Each type serves a distinct purpose and has a distinct lifecycle that defines how the component is created and destroyed.


3.4.1 Activities
An activity represents a single screen with a user interface. Although the activities work together to form a cohesive user experience in the email application, each one is independent of the others. As such, a different application can start any one of these activities. An activity is implemented as a subclass of Activity and you can learn more about it in the Activities developer guide.

3.4.2 Services
A service is a component that runs in the background to perform long-running operations or to perform work for remote processes. A service does not provide a user interface. Another component, such as an activity, can start the service and let it run or bind to it in order to interact with it. A service is implemented as a subclass of Service and you can learn more about it in the Services developer guide.

3.4.3 Content Providers

A content provider manages a shared set of application data. Data can be stored in the file system, a SQLite database, on the web, or any other persistent storage location the application can access. Through the content provider, other applications can query or even modify the data. As such, any application with the proper permissions can query part of the content provider (such as ContactsContract.Data) to read and write information about a particular person. Content providers are also useful for reading and writing data that is private to the application and not shared.

3.5 Eclipse IDE

Eclipse is a multi-language software development environment comprising an integrated development environment (IDE) and an extensible plug-in system. It is written mostly in Java. It can be used to develop applications in Java and, by means of various plug-ins, other programming languages including Ada, C, C++, COBOL, Perl, PHP, Python, Ruby (including the Ruby on Rails framework), Scala, Clojure, Groovy and Scheme. Development environments include the Eclipse Java development tools (JDT) for Java, Eclipse CDT for C/C++ and Eclipse PDT for PHP, among others.

The initial codebase originated from VisualAge. The Eclipse SDK (which includes the Java development tools) is meant for Java developers. Users can extend its abilities by installing plug-ins written for the Eclipse Platform, such as development toolkits for other programming languages, and can write and contribute their own plug-in modules.
Released under the terms of the Eclipse Public License, the Eclipse SDK is free and open source software. It was one of the first IDEs to run under GNU Classpath and it runs without issues under IcedTea.
Android is the head-to-head competitor of iOS (Apple), created by Google Inc. and the Open Handset Alliance. Nowadays it is becoming more and more popular among mobile app developers because of its simplicity, reliability and ease of
There are many ways to develop Android applications on your PC. The easiest way is integrating the ADT (Android Development Tools) with the Eclipse IDE.

3.6 Architecture
The Eclipse Platform uses plug-ins to provide all functionality within and on top of the runtime system, in contrast to some other applications, in which functionality is hard coded. The Eclipse Platform's runtime system is based on Equinox, an implementation of the OSGi core framework specification.

This plug-in mechanism is a lightweight software component framework. In addition to allowing the Eclipse Platform to be extended using other programming languages such as C and Python, the plug-in framework allows the Eclipse Platform to work with typesetting languages like LaTeX, networking applications such as telnet and database management systems. The plug-in architecture supports writing any desired extension to the environment, such as for configuration management. Java and CVS support is provided in the Eclipse SDK, with support for other version control systems provided by third-party plug-ins.


4.1 Android with Eclipse
It provides the following:
The Android project wizard, which generates all the required project files.
Android-specific resource editors.
The Android SDK and AVD (Android Virtual Devices) Manager.
The Eclipse DDMS perspective for monitoring and debugging Android
Integration with Android LogCat logging.
Automated builds and application deployment to Android emulators and
Application packaging and code signing tools for release deployment.

4.2 Creating Android Projects

The Android Project Wizard creates all the required files for an Android application. Open Eclipse and follow these steps to create a new project:

Choose File, New, Android Project or click the Android Project creator icon, which looks like a folder (with the letter a and a plus sign) on the Eclipse toolbar.
Choose a project name. In this case, name the project Droid1.
Choose a location for the project. Because this is a new project, select the Create New Project in Workspace radio button. Check the Use Default Location checkbox.
Select a build target for your application. For most applications, you want to select the version of Android most appropriate for the devices used by your target audience and the needs of your application.
Specify an application name. This name is what users will see. In this case, call the application Droid #1.
Specify a package name, following standard package namespace conventions for Java. Because all code in this book falls under the com.androidbook namespace, use the package name com.androidbook.droid1.
Check the Create Activity check box. This will instruct the wizard to create a default launch Activity class for the application. Call your activity Droid
Confirm that the Min SDK Version field is correct. This field will be set to the API level of the build target. If you want to support older versions of the Android SDK, you need to change this field. However, in this case, we can leave it at its default value.
Click the Next button.
The Android project wizard allows you to create a test project in conjunction with your Android application. For this example, a test project is
However, you can always add a test project later by clicking the Android Test Project creator icon, which is to the right of the Android project wizard icon on the Eclipse toolbar.
Test projects are discussed in detail in Hour 22, Testing Android Applications.
Click the Finish button.

4.3 JAVA
Java is a programming language. The language derives much of its syntax from C and C++ but has a simpler object model and fewer low-level facilities than either C or C++. Java applications are typically compiled to byte code (class files) that can run on any Java Virtual Machine (JVM) regardless of computer architecture. Java is a programming language and computing platform first released by Sun Microsystems in 1995. It is the underlying technology that powers state-of-the-art programs including utilities, games and business applications. Java runs on more than 850 million personal computers worldwide, including mobile and TV devices.

Why do we need Java?

There are lots of applications and websites that won't work unless you have Java installed, and more are created every day. Java is fast, secure and reliable. From laptops to datacenters, game consoles to scientific supercomputers, cell phones to the

4.4 SQLite Database

SQLite is a relational database management system contained in a small (~275 kB) C programming library. SQLite implements most of the SQL standard, using a dynamically and weakly typed SQL syntax that does not guarantee domain integrity. In contrast to other database management systems, SQLite is not a separate process that is accessed from the client application, but an integral part of it. SQLite read operations can be multitasked, though writes can only be performed sequentially. The source code for SQLite is in the public domain. SQLite is a popular choice for local/client storage in web browsers. It has many bindings to programming languages. It is arguably the most widely deployed database engine, as it is used today by several widespread browsers, operating systems, and embedded systems, among others.

SQLite is an open source embeddable database engine written in C by D. Richard Hipp. It is entirely self-contained with no external dependencies. It was introduced as an option in PHP V4.3 and is built into PHP V5. SQLite supports much of the SQL92 standard, runs on all major operating systems, and has support for the major computer languages. SQLite is also surprisingly robust. Its creator conservatively estimates that it can handle a Web site with a load of up to 100,000 hits a day, and there have been cases where SQLite has handled a load 10 times that.
Databases have been an integral part of software applications since the dawn of the commercial application market several decades ago. As crucial as database management systems are, they also come with a large footprint, and considerable overhead in system resources and administration complexity. As software applications become less monolithic and more modular, a new type of database can be a better fit than the larger and more complex traditional database management systems. Embeddable databases run directly in the application process, offer zero-configuration run modes, and have very small footprints. This section introduces the popular SQLite database engine and describes how to use it in application development. SQLite's support of the SQL92 standard includes indices, limitations, triggers, and views. SQLite does not support foreign key constraints, but supports Atomic, Consistent, Isolated, and Durable (ACID) transactions.


Dalvik is the process virtual machine (VM) in Google's Android operating system. It is the software that runs the apps on Android devices. Dalvik is thus an integral part of Android, which is typically used on mobile devices such as mobile phones and tablet computers as well as, more recently, on embedded devices such as smart TVs and media streamers. Programs are commonly written in Java and compiled to byte code. They are then converted from Java Virtual Machine-compatible .class files to Dalvik-compatible .dex (Dalvik Executable) files before installation on a device. The compact Dalvik Executable format is designed to be suitable for systems that are constrained in terms of memory and processor speed. Dalvik is open-source software. It was originally written by Dan Bornstein, who named it after the fishing village of Dalvík in Iceland, where some of his ancestors lived.

4.6 Design
Unlike client-server database management systems, the SQLite engine has no standalone processes with which the application program communicates. Instead, the SQLite library is linked in and thus becomes an integral part of the application program. The library can also be called dynamically. The application program uses SQLite's functionality through simple function calls, which reduce latency in database access: function calls within a single process are more efficient than interprocess communication. SQLite stores the entire database (definitions, tables, indices, and the data itself) as a single cross-platform file on a host machine. It implements this simple design by locking the entire database file during writing.

4.7 Use in mobile devices

Due to its small size, SQLite is well suited to embedded systems, and is also included in:
Apple's iOS (where it is used for the SMS/MMS, Calendar, Call history and Contacts storage)
Symbian OS
Linux Foundation's MeeGo
Android's Java interface to its relational database, SQLite. It supports an SQL implementation rich enough for anything you're likely to need in a mobile application, including a cursor facility.

Application layer:
It is the uppermost layer in the Android architecture. All the applications like camera, Google Maps, browser, SMS, calendar and contacts are native applications. These applications work with the end user with the help of the application framework.
Application framework:
This layer contains the classes and services needed by the Android applications being developed. Developers can reuse and extend the components already present in the API. In this layer, there are managers which enable the application to access data. These are as follows:
Activity manager:
It manages the lifecycle of applications. All the activities are controlled by the activity manager, which enables their proper management.
Resource manager:
It provides access to non-code resources such as graphics etc.
Notification manager:
It enables all applications to display custom alerts in the status bar.
Location manager:
It fires alerts when the user enters or leaves a specified geographical location.
Package manager:
It is used to retrieve data about the installed packages on the device.
Window manager:
It is used to create views and layouts.
Telephony manager:
It is used to handle settings of the network connection and all information about services on the device.
Android runtime:
In this section, all the Android applications are executed. Android has its own virtual machine, the DVM (Dalvik Virtual Machine), which is used to execute the applications. With this DVM, users are able to execute multiple applications at the same time.
Android has its own libraries, which are written in C/C++. These libraries cannot be accessed directly. With the help of the application framework, we can access these libraries. There are many libraries, like web libraries to access web browsers, libraries for audio and video formats etc.

Linux kernel:
This layer is the core of the Android architecture. It provides services like power management, memory management, security etc. It helps in software or hardware binding for better communication.


Provides strong security for websites, web and mobile applications, and mobile devices through the use of one-time passwords and out-of-band, two-factor authentication.
Decreases tech support costs by reducing the number of password-related support
Decreases IT costs by delivering secure two-factor authentication without the need for costly hardware tokens, smart cards or biometrics.
Improves the user experience, which can help drive loyalty and increase
Meets regulatory compliance requirements for strong authentication, including FFIEC authentication guidelines.
Helps prevent phishing, fraud, security breaches related to stolen login credentials, identity theft and spam.
Can be used as a unique messaging or advertising platform by including your own images within the image-based authentication and verification challenges.

4.9 Deployment Options
Confident KillSwitch is an optional feature that can be used with any of our image-based authentication solutions. Administrators can determine how many KillSwitch categories users should establish, how many failed authentication attempts are allowed, and what action should be taken when the KillSwitch is
As a cloud-based technology, it can be easily integrated with risk engines, fraud-detection platforms and other adaptive security systems to provide those systems actionable data about the attack as it is happening and determine a course of action. It is available for white-label integrations by security vendors, application developers and businesses wanting to incorporate image-based authentication in their own mobile applications, web services or security offerings.






Use Case Name: Login
Preconditions: The user account exists in the database and the user is not yet logged in.
Basic Path:
1. The user enters the username and password and clicks submit.
2. This information is validated and then sent to the database for authentication.
3. If authenticated, the user is granted permission and is logged in.
Alternate Path: If the user enters incorrect credentials, an error message is displayed and the user is requested to re-enter the credentials. If the user forgot the password, the user clicks the Forgot Password button and the password will be sent to the user's email address.
Postcondition: The user is logged in and has access to all privileges that have been assigned.
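The Login basic path above (credentials submitted, validated, then checked against the database) can be backed by a small SQLite table like the one Android ships with. The following Python is an added example, not the project's code: it stores only a salted PBKDF2 hash of each password (so the table never holds the password itself), uses parameterised queries, and locks the account after an assumed limit of five failed attempts, in the spirit of the configurable failed-attempt limit described in the deployment options section.

```python
import hashlib
import hmac
import os
import sqlite3

MAX_FAILED_ATTEMPTS = 5      # assumed policy; the page only says the limit is configurable
PBKDF2_ITERATIONS = 100_000  # assumed work factor
DUMMY_SALT = bytes(16)       # used so unknown usernames cost the same time as real ones


def open_db() -> sqlite3.Connection:
    """In-memory SQLite database with the users table; a real app would use a file on the device."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " username TEXT PRIMARY KEY,"
        " salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL,"
        " failed INTEGER NOT NULL DEFAULT 0,"
        " locked INTEGER NOT NULL DEFAULT 0)"
    )
    return db


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: this is what gets stored and compared, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(db: sqlite3.Connection, username: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )


def login(db: sqlite3.Connection, username: str, password: str) -> str:
    """Returns 'ok', 'invalid' or 'locked'. One message covers unknown user and wrong password."""
    row = db.execute(
        "SELECT salt, pw_hash, failed, locked FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_password(password, DUMMY_SALT)     # equalise timing for unknown usernames
        return "invalid"
    salt, pw_hash, failed, locked = row
    if locked:
        return "locked"
    if hmac.compare_digest(hash_password(password, salt), pw_hash):
        db.execute("UPDATE users SET failed = 0 WHERE username = ?", (username,))
        return "ok"
    failed += 1
    now_locked = int(failed >= MAX_FAILED_ATTEMPTS)
    db.execute(
        "UPDATE users SET failed = ?, locked = ? WHERE username = ?",
        (failed, now_locked, username),
    )
    return "locked" if now_locked else "invalid"


def failed_attempts(db: sqlite3.Connection, username: str) -> int:
    row = db.execute("SELECT failed FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else 0


def demo() -> list:
    """Walks the basic and alternate paths; returns the sequence of outcomes."""
    db = open_db()
    register(db, "alice", "correct horse battery")   # constructed sample account
    outcomes = [login(db, "alice", "correct horse battery")]          # basic path: ok
    outcomes += [login(db, "alice", "wrong") for _ in range(5)]         # alternate path, then lockout
    outcomes.append(login(db, "alice", "correct horse battery"))       # right password, but locked
    outcomes.append(login(db, "mallory", "anything"))                  # unknown user: same 'invalid'
    return outcomes
```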

Use Case Name: Logout

Android is being installed in tablets and many other IT devices that require good security systems. By dividing the mode of entry, the user's convenience and security have been improved. The use of this improved authentication system ensures protection of personal information. But this is not the ultimate solution; it can be improved further.
The devices used for IT services are changing from PCs and laptops to smartphones and tablets. Smartphones are characterized by low efficiency and low power. They need to be small for increased portability. They do not support security software which requires continuous monitoring to detect threats. As these devices start to contain increasing amounts of important personal information, better security is required. Security systems are rapidly being developed; however, even with these, major problems could result after a device is lost. Thus, strong authentication mechanisms are required to protect important personal information, even after the device is lost.


1. Professional Android Application Development, Reto Meier, Wiley Publishing, 2009
2. Database Design, Gio Wiederhold, McGraw-Hill, 1989
3. Android Application Development, Rick Rogers, John Lombardo, Zigurd Mednieks, and Blake Meike, O'Reilly Media, 2009
4. Android Cookbook, Ian F. Darwin, O'Reilly Media, 2010
5. The Busy Coder's Guide to Advanced Android Development, Mark L. Murphy, CommonsWare, 2009
6. Design and Implementation of Improved Authentication System for Android Smartphone Users, Kwang Il Shin, J. S., 26th International Conference on Advanced Information Networking and Applications Workshops, 2012