A Study of Android Application Security

William Enck, Damien Octeau, Patrick McDaniel, and Swarat Chaudhuri
Systems and Internet Infrastructure Security Laboratory
Department of Computer Science and Engineering
The Pennsylvania State University
{enck, octeau, mcdaniel, swarat}@cse.psu.edu

Abstract

The fluidity of application markets complicates smartphone security. Although recent efforts have shed light on particular security issues, there remains little insight into the broader security characteristics of smartphone applications. This paper seeks to better understand smartphone application security by studying 1,100 popular free Android applications. We introduce the ded decompiler, which recovers Android application source code directly from its installation image. We design and execute a horizontal study of smartphone applications based on static analysis of 21 million lines of recovered code. Our analysis uncovered pervasive use/misuse of personal/phone identifiers, and deep penetration of advertising and analytics networks. However, we did not find evidence of malware or exploitable vulnerabilities in the studied applications. We conclude by considering the implications of these preliminary findings and offer directions for future analysis.

1 Introduction

The rapid growth of smartphones has led to a renaissance for mobile services. Go-anywhere applications support a wide array of social, financial, and enterprise services for any user with a cellular data plan. Application markets such as Apple's App Store and Google's Android Market provide point-and-click access to hundreds of thousands of paid and free applications. Markets streamline software marketing, installation, and update—therein creating low barriers to bring applications to market, and even lower barriers for users to obtain and use them.

The fluidity of the markets also presents enormous security challenges. Rapidly developed and deployed applications [40], coarse permission systems [16], privacy-invading behaviors [14, 12, 21], malware [20, 25, 38], and limited security models [36, 37, 27] have led to exploitable phones and applications. Although users seemingly desire it, markets are not in a position to provide security in more than a superficial way [30]. The lack of a common definition for security and the volume of applications ensure that some malicious, questionable, and vulnerable applications will find their way to market.

In this paper, we broadly characterize the security of applications in the Android Market. In contrast to past studies with narrower foci, e.g., [14, 12], we consider a breadth of concerns including both dangerous functionality and vulnerabilities, and apply a wide range of analysis techniques. In this, we make two primary contributions:

• We design and implement a Dalvik decompiler, ded. ded recovers an application's Java source solely from its installation image by inferring lost types, performing DVM-to-JVM bytecode retargeting, and translating class and method structures.

• We analyze 21 million LOC retrieved from the top 1,100 free applications in the Android Market using automated tests and manual inspection. Where possible, we identify root causes and posit the severity of discovered vulnerabilities.

Our popularity-focused security analysis provides insight into the most frequently used applications. Our findings inform the following broad observations.

1. Similar to past studies, we found wide misuse of privacy-sensitive information—particularly phone identifiers and geographic location. Phone identifiers, e.g., IMEI, IMSI, and ICC-ID, were used for everything from "cookie-esque" tracking to account numbers.

2. We found no evidence of telephony misuse, background recording of audio or video, abusive connections, or harvesting of lists of installed applications.

3. Ad and analytics network libraries are integrated with 51% of the applications studied, with AdMob (appearing in 29.09% of apps) and Google Ads (appearing in 18.72% of apps) dominating. Many applications include more than one ad library.

4. Many developers fail to securely use Android APIs. These failures generally fall into the classification of insufficient protection of privacy-sensitive information. However, we found no exploitable vulnerabilities that can lead to malicious control of the phone.

This paper is an initial but not final word on Android application security. Thus, one should be circumspect about any interpretation of the following results as a definitive statement about how secure applications are today. Rather, we believe these results are indicative of the current state, but there remain many aspects of the applications that warrant deeper analysis. We plan to continue with this analysis in the future and have made the decompiler freely available at http://siis.cse.psu.edu/ded/ to aid the broader security community in understanding Android security.

The following sections reflect the two thrusts of this work: Sections 2 and 3 provide background and detail our decompilation process, and Sections 4 and 5 detail the application study. The remaining sections discuss our limitations and interpret the results.

2 Background

Android: Android is an OS designed for smartphones. Depicted in Figure 1, Android provides a sandboxed application execution environment. A customized embedded Linux system interacts with the phone hardware and an off-processor cellular radio. The Binder middleware and application API run on top of Linux. To simplify, an application's only interface to the phone is through these APIs. Each application is executed within a Dalvik Virtual Machine (DVM) running under a unique UNIX uid. The phone comes pre-installed with a selection of system applications, e.g., phone dialer, address book.

Figure 1: The Android system architecture (diagram: installed applications and system applications, each in its own DVM, above Binder and embedded Linux, which mediate access to the display, Bluetooth, the GPS receiver, and the cellular radio)

Applications interact with each other and the phone through different forms of IPC. Intents are typed interprocess messages that are directed to particular applications or system services, or broadcast to applications subscribing to a particular intent type. Persistent content provider data stores are queried through SQL-like interfaces. Background services provide RPC and callback interfaces that applications use to trigger actions or access data. Finally, user interface activities receive named action signals from the system and other applications.

Binder acts as a mediation point for all IPC. Access to system resources (e.g., GPS receivers, text messaging, phone services, and the Internet), data (e.g., address books, email) and IPC is governed by permissions assigned at install time. The permissions requested by the application and the permissions required to access the application's interfaces/data are defined in its manifest file. To simplify, an application is allowed to access a resource or interface if the required permission allows it. Permission assignment—and indirectly the security policy for the phone—is largely delegated to the phone's owner: the user is presented a screen listing the permissions an application requests at install time, which they can accept or reject.

Dalvik Virtual Machine: Android applications are written in Java, but run in the DVM. The DVM and Java bytecode run-time environments differ substantially:

Application Structure. Java applications are composed of one or more .class files, one file per class. The JVM loads the bytecode for a Java class from the associated .class file as it is referenced at run time. Conversely, a Dalvik application consists of a single .dex file containing all application classes.

Figure 2 provides a conceptual view of the compilation process for DVM applications. After the Java compiler creates JVM bytecode, the Dalvik dx compiler consumes the .class files, recompiles them to Dalvik bytecode, and writes the resulting application into a single .dex file. This process consists of the translation, reconstruction, and interpretation of three basic elements of the application: the constant pools, the class definitions, and the data segment. A constant pool describes, not surprisingly, the constants used by a class. This includes, among other items, references to other classes, method names, and numerical constants. The class definitions consist of basic information such as access flags and class names. The data element contains the method code executed by the target VM, as well as other information related to methods (e.g., number of DVM registers used, local variable table, and operand stack sizes) and to class and instance variables.

Figure 2: Compilation process for DVM applications (diagram: Java source code (.java files) is compiled to Class1.class ... ClassN.class, each with its own constant pool, class info and data; the dx compiler merges them into one .dex file with a header, a single constant pool, the Class1 ... ClassN definitions, and a data section)

Register architecture. The DVM is register-based, whereas existing JVMs are stack-based. Java bytecode can assign local variables to a local variable table before pushing them onto an operand stack for manipulation by opcodes, but it can also just work on the stack without explicitly storing variables in the table. Dalvik bytecode assigns local variables to any of the 2^16 available registers. The Dalvik opcodes directly manipulate registers, rather than accessing elements on a program stack.

Instruction set. The Dalvik bytecode instruction set is substantially different from that of Java. ... comparison for these purposes: a comparison between two integers, and a comparison of an integer and zero, respectively. This requires the decompilation process to recover types for integer comparisons used in DVM bytecode.

Storage of primitive types in arrays. The Dalvik bytecode uses ambiguous opcodes to store and retrieve elements in arrays of primitive types (e.g., aget for int/float and aget-wide for long/double) whereas the corresponding Java bytecode is unambiguous. The array type must be recovered for correct translation.

3 The ded decompiler
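The install-time permission model summarized in the Background section above, worked as an added example. This is Python written for this page, not code from the paper or from ded. It parses a constructed AndroidManifest.xml, lists the permissions the user would be asked to grant, and applies the rule that another application may use an exported component only if it holds the permission the component declares; content providers may guard reads and writes separately. The package name, component names and the custom permission com.example.weather.SYNC are invented for the sample. The provider that guards writes but not reads is the kind of insufficiently protected interface the study's fourth observation refers to.

```python
import xml.etree.ElementTree as ET

# Android's manifest attribute namespace; ElementTree reports namespaced
# attributes as "{namespace}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name):
    return f"{{{ANDROID_NS}}}{name}"


# Constructed sample manifest (not taken from any application in the study).
# It requests the two permission families the study found most misused,
# location and phone state, and declares three components: an activity
# exported implicitly through its intent filter, a service guarded by a
# signature-level custom permission, and a provider that guards writes but
# leaves reads open.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <permission android:name="com.example.weather.SYNC"
      android:protectionLevel="signature"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"
        android:permission="com.example.weather.SYNC"/>
    <provider android:name=".HistoryProvider"
        android:authorities="com.example.weather.history"
        android:exported="true"
        android:writePermission="com.example.weather.SYNC"/>
  </application>
</manifest>
"""

COMPONENT_TAGS = ("activity", "service", "receiver", "provider")


def requested_permissions(manifest_xml):
    """Permissions the user is asked to grant at install time."""
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(android_attr("name")) for e in root.findall("uses-permission"))


def parse_components(manifest_xml):
    """Collect each component together with the permission(s) guarding it."""
    root = ET.fromstring(manifest_xml)
    components = []
    for el in root.find("application"):
        if el.tag not in COMPONENT_TAGS:
            continue
        exported = el.get(android_attr("exported"))
        if exported is None:
            # Historical default (targets below API 31): a component with an
            # intent filter is reachable from other applications.
            is_exported = el.find("intent-filter") is not None
        else:
            is_exported = exported == "true"
        components.append({
            "tag": el.tag,
            "name": el.get(android_attr("name")),
            "exported": is_exported,
            "permission": el.get(android_attr("permission")),
            "readPermission": el.get(android_attr("readPermission")),
            "writePermission": el.get(android_attr("writePermission")),
        })
    return components


def can_access(component, caller_permissions, mode="read"):
    """The install-time rule: access is allowed only to an exported component
    whose required permission (if any) the caller holds. Providers may guard
    reads and writes separately, falling back to android:permission."""
    if not component["exported"]:
        return False
    required = component["permission"]
    if component["tag"] == "provider":
        specific = component["readPermission" if mode == "read" else "writePermission"]
        required = specific or required
    return required is None or required in caller_permissions


def unguarded_exports(components):
    """Exported interfaces any application can reach without holding a permission."""
    findings = []
    for c in components:
        modes = ("read", "write") if c["tag"] == "provider" else ("invoke",)
        for mode in modes:
            if can_access(c, set(), mode):
                findings.append((c["name"], mode))
    return findings


if __name__ == "__main__":
    comps = parse_components(MANIFEST)
    print("requests:", requested_permissions(MANIFEST))
    for name, mode in unguarded_exports(comps):
        print(f"unguarded: {name} ({mode})")
```

The MAIN activity is reported as unguarded by construction; a launcher activity is meant to be reachable. The provider finding is the one that matters: any installed application can read the history without holding any permission, while writes are limited to applications signed with the same certificate, because the custom permission has protectionLevel="signature".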
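The ambiguities listed above (a 32-bit const or aget that could hold an int or a float, an aget-wide that could hold a long or a double) are what force a Dalvik-to-Java translator to recover types before it can choose between, say, the JVM's iaload and faload. As an added illustration, not ded's implementation, the following Python runs a small constraint-based recovery over a constructed register IR with Dalvik-like mnemonics. It assumes straight-line code in which each register is written once, and it treats arrays passed in as parameters as having an unknown 32- or 64-bit element type so that the inference has work to do; in a real .dex file the defining instruction usually carries a type descriptor, and the same constraints then act as a consistency check.

```python
ANY32, ANY64, ARRAY = "any32", "any64", "array"
# Each width class and the concrete primitive types it can resolve to.
CONCRETE = {ANY32: {"int", "float"}, ANY64: {"long", "double"}}
# Typed arithmetic opcodes pin their operands and result to one type.
ARITH = {f"{op}-{ty}": ty
         for op in ("add", "sub", "mul")
         for ty in ("int", "float", "long", "double")}


class TypeVar:
    """Union-find node holding the best current knowledge about one value."""

    def __init__(self, kind, elem=None):
        self.kind = kind      # concrete type, width class, or ARRAY
        self.elem = elem      # element TypeVar when kind == ARRAY
        self.parent = None

    def find(self):
        node = self
        while node.parent is not None:
            node = node.parent
        return node


def meet(k1, k2):
    """Most specific kind consistent with both, or a type conflict."""
    if k1 == k2:
        return k1
    if k2 in CONCRETE.get(k1, ()):
        return k2
    if k1 in CONCRETE.get(k2, ()):
        return k1
    raise TypeError(f"type conflict: {k1} vs {k2}")


def unify(a, b):
    """Merge two type variables; the merged kind is their meet."""
    ra, rb = a.find(), b.find()
    if ra is rb:
        return ra
    ra.kind = meet(ra.kind, rb.kind)
    if ra.elem is None:
        ra.elem = rb.elem
    elif rb.elem is not None:
        unify(ra.elem, rb.elem)
    rb.parent = ra
    return ra


def refine(tv, kind):
    return unify(tv, TypeVar(kind))


def describe(tv):
    tv = tv.find()
    return describe(tv.elem) + "[]" if tv.kind == ARRAY else tv.kind


def infer(program):
    """Map each register to its recovered type; raise TypeError on conflict."""
    regs = {}

    def define(reg, kind, elem=None):
        if reg in regs:
            raise ValueError(f"{reg} written twice; split live ranges first")
        regs[reg] = TypeVar(kind, elem)
        return regs[reg]

    def use(reg):
        if reg not in regs:
            raise ValueError(f"{reg} used before definition")
        return regs[reg]

    for raw in program:
        tokens = raw.split("#")[0].replace(",", " ").split()
        if not tokens:
            continue
        op, *args = tokens
        if op == "param":                  # param vN, 32|64: array of unknown elements
            define(args[0], ARRAY, TypeVar(ANY32 if args[1] == "32" else ANY64))
        elif op == "const":                # 32-bit literal: int or float, not yet known
            define(args[0], ANY32)
        elif op in ("aget", "aget-wide"):  # vDst, vArray, vIndex
            width = ANY32 if op == "aget" else ANY64
            dst = define(args[0], width)
            arr = refine(use(args[1]), ARRAY)
            if arr.elem is None:
                arr.elem = TypeVar(width)
            unify(arr.elem, dst)           # loaded value and element type agree
            refine(use(args[2]), "int")    # array indices are always int
        elif op in ARITH:                  # vDst, vA, vB
            ty = ARITH[op]
            define(args[0], ty)
            refine(use(args[1]), ty)
            refine(use(args[2]), ty)
        else:
            raise ValueError(f"unsupported opcode: {op}")
    return {reg: describe(tv) for reg, tv in regs.items()}


def conflict_message(program):
    """Return the conflict text for an ill-typed program, or None."""
    try:
        infer(program)
    except TypeError as exc:
        return str(exc)
    return None


# Constructed sample: the three loads are ambiguous on their own; the typed
# arithmetic that follows resolves them and, through them, the arrays.
SAMPLE = [
    "param v0, 32",
    "param v1, 32",
    "param v2, 64",
    "const v3, 0",
    "aget v4, v0, v3",          # int or float?
    "aget v5, v1, v3",
    "add-float v6, v4, v4",     # v4 is float, so v0 is float[]
    "add-int v7, v5, v3",       # v5 is int, so v1 is int[]
    "aget-wide v8, v2, v3",     # long or double?
    "add-double v9, v8, v8",    # v2 is double[]
]

# Constructed counterexample: one load used as float and then as int.
CONFLICTING = [
    "param v0, 32",
    "const v1, 0",
    "aget v2, v0, v1",
    "add-float v3, v2, v2",
    "add-int v4, v2, v1",
]

if __name__ == "__main__":
    for reg, ty in infer(SAMPLE).items():
        print(reg, ty)
    print("conflict:", conflict_message(CONFLICTING))
```

Each ambiguous load takes its type from the first typed use of its value (here the add-float, add-int and add-double instructions), and unification carries that type back to the array it was loaded from. The second program shows the other outcome a decompiler must be prepared for: a value used as both float and int, for which no single Java type exists and the translation has to fail loudly rather than guess.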
