Samsung’s first Tizen-based devices are set to launch in the middle of 2015. This paper presents the research outcome on the security analysis of Tizen OS and it’s underlying security architecture.
The paper begins with a quick introduction to Tizen architecture and explains the various components of Tizen OS. This will be followed by Tizen’s security model where application sandboxing and resource access control will be explained. Moving on, an overview of Tizen’s Content Security Framework which acts as an in-built malware detection API will be covered.
Various vulnerabilities in Tizen will be discussed including issues like Tizen WebKit2 address spoofing and content injection, Tizen WebKit CSP bypass and issues in Tizen’s memory protection (ASLR and DEP).
Applications in Tizen can be written in HTML5/JS/CSS or natively using C/C++. As a bonus, an overview of pentesting Tizen applications will also be presented along with some of the security implications. There will be comparisons made to traditional Android applications and how these security issues differ with Tizen.